The Ultimate OSCP Preparation Guide, 2020
Understanding this guide
When I first began my hacking journey, I would bookmark guides and resources like a madman. If you’ve contemplated tackling the OSCP, you know what I’m talking about: You’re browsing google, trying to figure out what the secret sauce is for starting the course, taking the exam, and quite frankly, passing the exam.
There are a ton of issues with the method of bookmarking everything. The most prominent issue is resource overload. I don’t know about you, but, I’ve reviewed my bookmarks at one point and said to myself:
“Oh my God, where do I even start? Do I study commands? Do I learn to code? Do I use TryHackMe or HackTheBox?”
This was the most stressful part of the growing pains that come with the OSCP. I’m going to attempt to take the stress out of this effort for you. Instead of writing some redundant experience of what the exam was like for me, and sprinkling all of my tips throughout the text. I’m going to attempt a much different approach in this guide:
1. Create segmentation between where beginners should start vs. intermediate hackers.
2. Create separate tip sections for beginners and intermediate hackers.
3. Highlight pre-examination tips & tips for taking the exam.
Why would I take the time to create so much segmentation?
Accessibility. You’re not here for me; you’re here for you. Forgive me if I come off as a little philosophical. I believe that my exam attempt will not be like your exam attempt. I don’t want anyone to get stressed out trying to scrape through an exam writeup to get tips or deduce anything that is unfactual based off of my attempt. I would prefer to give you the tools to prepare for your own attempt. You can determine what type of experience I had with this guide.
First and foremost, if you’re new to hacking, welcome to the insanity that is Penetration Testing! (If you’ve been hacking for a while and are looking to get straight into OSCP tips, skip to “Intermediate Hackers”) You may have stumbled upon this guide because you’re new, but you have a mountain to climb. You want to obtain the OSCP…it seems impossible, but I promise you. It’s not.
Hacking is fun! The rush of cracking into a system and getting a reverse shell is priceless. However, If this is you, we have some work to do:
The funniest part about this meme is the sheer amount of truth that it carries. When you’ve been hacking for a bit, you’ll start to understand why this meme exists.
The prerequisites for starting your Penetration Testing journey:
1. A basic understanding of Networking: Everything taught in CompTIA’s Network+ Course
2. Security Practices and Network/Host defense principles: Everything taught in CompTIA’s Security+ Course.
If you were to buy some Udemy courses that go through all of the Network+ and Security+ materials, you would be in a far better place to start hacking. I consistently have been asked by beginners for hacking resources or mentoring. I began to notice a reoccurring theme when lecturing others: I would presume that people who are interested in hacking have this essential skill set. Still, I’ve found that my presumptions were usually wrong.
Money seems to be a common issue. That’s fine; there are workarounds, for instance, here are free YouTube playlists offered by Professor Messer:
Free Network+ Video Series
Free Security+ Video Series
Review the following example:
I spent time mentoring someone who wanted to learn how to hack. I showed them how to set up Metasploitable, and we ran through some basic NMAP commands. They seemed to have the active scanning phase down. We were off to a great start, and it seemed like we were going to get through a lot of material quickly.
Then I asked them to review the ports and services in front of them. They were stuck, I asked them what service was running on the FTP port. They did not understand what I meant by service.
Then I asked them what FTP did. Once again, they did not know. I repeated the same line of questioning with SSH, Telnet, IMAP, etc. The only port they knew was 80 and 443, and still, they did not see the difference between HTTP and HTTPS.
The point of this story is not to rip on them (I spent time going back to the basics and teaching that instead) it’s to let you know this: if these concepts seem foreign to you, then you need to start there. Learning hacking commands and tooling will be pointless if you don’t understand the basics of Windows, Linux, Unix, Networking, Security, Etc.
I can’t stress this enough. Do not start hacking until you understand the basic principles of Security and Networking. If this seems stupid to you, and you want to throw commands at a system until something works, it will likely take you 3 to 4 times longer to get where you could have been if you did the legwork of learning the basics first. Trust me, save your time. It’s valuable.
What to do after Security+ and Network+
Great! So you’ve taken my advice and, at a minimum, learning structured Security and Networking principles? Now you’re ready to learn to hack, let’s begin:
1. Watch Hackersploit’s Ethical Hacking Playlist:
2. Read Georgia Weidman’s Book:
Fair warning, many of the techniques in Georgia’s book are dated, but I managed to work through the material. I liked this book because looking back, it frustrated me, but you’ll realize that hacking is about adapting. I hardly ever use exploits or scripts that work without requiring some form of modification (whether within the code or the dependencies that are downloaded), that’s why I highly recommend working through her book. It will get you in the habit of adapting when things break.
4. Join a hacking group. Google is a hell of a tool. Start looking for hacking discord groups, slack channels, etc. When I started, I found these groups within minutes. If you seriously can’t find any (which would be concerning at this point), message some hackers and get the lowdown. I don’t know a lot of lone-wolf hackers. You will miss out on a lot of resources if you attempt to fly solo.
5. Vulnhub is going to be your bread and butter. By this point, you’ve likely read and watched a lot of material on hacking. Start downloading beginner boxes and practicing. If you get stuck, read some writeups until you can get unstuck. Rinse and repeat. Keep doing this until you get a robust methodology. Watch more hacking videos if you feel like your methods aren’t quite there.
6. Once you’ve cracked open a bunch of Vulnhub boxes, pursue the creation of a HackTheBox account, start reaching out to people in the hacking group you joined in step (4), and look for collaboration on active boxes, proceed to the “Intermediate Hacker” section. Be sure to check out the “Beginner Tips” section first!
The following are tips that I think are valuable to a beginner, crafted for the convenience of not having to spend months struggling:
1. Download Joplin, or utilize Cherrytree to take notes.
2. Segment your notes. For instance, if you’re attacking a single-target, create sub-notes
for Enumeration, Interesting finds, Exploitation, Privilege Escalation, etc.
3. Read everything. Read writeups, read books, read resources about infrastructure, and new hacking methodology.
4. Don’t listen to Gatekeepers. If you want to be a Penetration Tester, do it.
5. Do what you believe is correct, however, don’t be stubborn. I cannot express how many times I’ve educated beginners and watched them ignore everything I was saying to search for an easier way and then realize my advice was the easiest all along.
6. Time is valuable, don’t attack a machine repeatedly using the same failed techniques. If you are certain it should be working, consult with someone, or troubleshoot.
7. Spend as much time building your network as you do hacking. The more hackers you meet, the more techniques and unique styles you’ll observe. This will allow you to develop your own style.
8. Save all of the cheatsheets you stumble across. Reverse shell cheatsheets, privilege escalation cheatsheets, payloads, everything! I consistently refer back to the cheatsheets I have saved.
9. Do NOT quit. I promise you, it gets easier. It does! It takes time. You will have a lot of growing pains. Hang in there.
For Intermediate Hackers
If you’re reading this section, it means you’ve met the following pre-requisites:
1. Basic understanding of Networking and Security
2. Have actively participated and hacked several purposefully vulnerable systems
3. Are actively preparing to start the PWK course
Six months after starting the PWK I passed the OSCP, and you can too! (My total journey was closer to three years because of breaks that I had taken)
Methodology to prepare for the PWK
1. Spend two to three months working together with one or two people to root Active Boxes on HackTheBox. You can find people that are willing to work on boxes all over the place, including LinkedIn, Twitter, and the official HackTheBox discord channel: (https://discord.com/invite/hRXnCFA)
If you find that you’re having difficulty locating people to work with, that’s OK. I spent many hours within those HackTheBox practice months flying solo. When I would get stuck, I would look at the HackTheBox forums or hop on the discord. There’s nothing wrong with getting a nudge, especially at this stage.
You should aim to completely root between 5 to 10 boxes in the two to three month defined period. If you can’t completely hit it, that’s okay, but if you do not at least root 3 boxes, I wouldn’t recommend starting the PWK. The material is geared for teaching someone new to Penetration Testing, but you do not want to burn your lab time learning methodology you should have already known.
During the PWK
1. Before approaching the labs, I consumed the provided PWK PDF workbook. There are videos you can utilize, but I didn’t watch any of them.
2. Plan to read ‘X’ amount of pages in the PDF file every single day. The worst thing you can do to yourself is procrastinate, you’re literally burning your own money.
3. It depends on who you are, but I found the Buffer Overflow material in the PWK to be confusing. That was undoubtedly a technique I needed a better approach to learn, therefore I skipped it and saved it until the end of my lab time.
4. I didn’t do the lab exercises. Personally, I felt like at least half of the exercises were geared towards a complete beginner. I had started the exercises and a quarter of the way through, I did a time analysis of lost time spent documenting and writing and decided to skip them. In a sense, I was overprepared and the PWK material did not help me too much. If this doesn’t sound like you, I would recommend that you do the exercises. In fact, if I had done the exercises, I would have passed the exam the first time instead of the second.
5. If you choose to do the exercises have a plan. Commit to working through the material fast, and efficiently.
6. When I started the labs, my approach was doing a full subnet scan, with a basic Nmap switch of -sS. This will help you quickly identify interesting services on the lab machines, and then you can go deeper into your scanning methodology. I recommend immediately utilizing nmapAutomater or Autorecon to get in the habit of scanning systems quickly, and avoiding the possibility of overlooking enumeration that you should be doing. Additionally, there’s nothing better than having neat folders of the hosts to go back to. Do not utilize automation until you are confident that you know how to utilize and understand all of the commands that the scripts execute.
7. Feel free to attack boxes for a few hours at a time, but don’t spend too much time in a rabbit hole. If you’ve been on a box for more than two hours, and you have gotten nowhere, move on. There are plenty of machines to compromise, and you’ll likely have new ideas when you return to the boxes you were stuck on later.
8. Do not get caught up with “The Big Four” or “Amount of systems compromised”. You’ll learn quickly that it’s nothing more than bragging rights. The number of systems you compromise or the machine difficultly is not indicative of your preparedness for the examination. A lot of the people that compromise all of the systems in the labs live on the forums, and solicit tips from better Penetration Testers. I highly recommend using your lab time to organically compromise host machines. Exploiting one machine without any tips means far more than ten machines compromised because you were bumped in the right direction. Who’s going to pull you out of Rabbit Holes on the exam?
9. When you’re nearing the end of your lab time (the last week or so) consume as many tips as you can. Go back and try to get unstuck and exploit all of your remaining machines.
..You said no tips.
Yes, don’t utilize tips until the end of your lab time. Since you gave up your hard-earned money for this lab time, you’ll want to try and get as much done by any means necessary during that last week of your lab time. Doing so will help you potentially learn more exploitation and privilege escalation techniques.
10. Once you wrap up your labs, go back through the notes you should have taken, and compile some cheatsheets of techniques, things that worked, etc. Having a good runbook will help you on the exam and in your future endeavors.
If you followed my advice word for word, you’re in a fairly good position. You may not have compromised 25+ hosts, but you did what you could with what you had, and that’s what matters.
Imagine being hired to do a Penetration Test for a client. Are you going to visit the [Insert client’s company] Penetration Testing forums? No. That doesn’t exist. You’re going to have to utilize the methodology you built, there will be no tips given to you (unless they are coming from the client). Trust me, it’s stressful to root fewer boxes than others, but walkthrough methodology only goes so far. That’s why Offensive Security consistently tells you to Try Harder.
Now that you’ve completed the labs, you’re going to want more practice. If you use the PWK Material + Labs and take the exam, you’ll likely fail. Okay, Okay - you might pass, but I highly recommend following these steps to fill all of the gaps:
1. Purchase and Complete the Linux and Windows Privilege Escalation courses offered by TheCyberMentor. In my opinion, it’s not optional. Take notes, and utilize them (because you will).
Windows Privilege Escalation
Linux Privilege Escalation
2. Next, get ready to learn Buffer Overflow, the RIGHT way. Go watch TCM’s Buffer Overflow Series, use my Github reference guide for an easy recap of TCM’s playlist and to clone the scripts that you’ll need prior to the start:
TCM’s Buffer Overflow Series
Buffer Overflow Guide
3. By the time you complete the video series, you should have a good idea of Buffer Overflow attacks. You should now move onto TryHackMe. Pay for a one-month subscription and complete the Offensive Security path:
The path has practice lined up for Buffer Overflow attacks, which will be helpful.
4. After completing the Offensive Security Path on THM, you’re going to want to move onto TJ Null’s Retired Box List on HackTheBox. Purchase a VIP HackTheBox subscription, and start working through these.
My methodology recommendation is simple; rotate between Linux and Windows boxes, you do not need to focus on any of the boxes in the red section, but doing so will not hurt. If you get stuck, read a writeup only to the point of being able to get unstuck, and keep pushing.
Do NOT complete these boxes, save them for the dry run!
Sense, Cronos, Chatterbox, Jeeves
5. The Dry Run is the final step of the OSCP practice equation (Thank you Rana for the suggestion). I highly recommend practicing a full exam. Schedule 24 hours where you can hack as if you were taking the OSCP. The night before your practice exam, do the following:
-Setup any Vulnhub buffer overflow machine, preferably something like Brainpan. Don’t set up something overcomplicated, just a simple Stack Based Buffer Overflow Box.
-Use nmapAutomator or Autorecon to scan all of the non-bufferflow machines (4 HTB Retired Boxes total) the reason I’m telling you to do it prior and save the data is because you cannot have everything active at once (HTB Limitations)
Your Practice Environment:
Buffer Overflow Machine (25 Points)
Jeeves (25 Points)
Chatterbox (20 Points)
Cronos (20 Points)
Sense (10 Points)
Practice like you play. Don’t look at writeups, make sure you take breaks, and act as if it was the real exam. If you can acquire 70 points, you’re in a good place. If you don’t hit 70 points it’s okay. You can’t possibly know everything, and the purpose of practicing is to get used to the real exam.
Tips for Intermediate Hackers
1. Take extensive notes on everything. That means everything: important parts of the PWK, the lab, and your overall journey. You will not remember everything you learned, especially without notes.
2. You’ll start to identify what you struggle with throughout your journey. Document this, and be sure to read guides, watch videos, and read writeups pertaining to the methodology that you may be weak in.
3. Don’t worry about learning the Buffer Overflow in the PWK material. Seriously, I cannot recommend TCM’s YouTube video series enough.
4. Once you complete all of the above steps, don’t be afraid to schedule your exam. It’s just an exam, just take it.
5. Practice. Practice on everything. There’s no rush, but if you set some time aside you will be ready.
The OSCP Exam
It’s time. All of your preparation will have paid off at this point, whether you pass or fail. If you’ve made it to the point of feeling confident enough to take the exam, I’m proud of you. It’s a difficult journey attempting to obtain the OSCP, it hurts, but this is what you prepared for.
1. Make sure you get a good night of rest before the exam. You’re going to need it. If you have trouble sleeping, don’t fret. You’ll be fine.
2. The night before the exam, make sure you review the exam guide and all of the provided report submission guidelines and requirements. In addition to that, set up your note-taking space. Personally, I created notebooks with sub-sections in my Joplin note-taking software. It looked something like this:
Target 1 - X.X.X.X (25 Points)
Target 2 - X.X.X.X (25 Points)
Creating target placeholders for notes in Joplin will help you quickly dump screenshots or relevant material directly into the correct sections. This will prevent you from stressing out. Go into the exam prepared. Remember that the guidelines presented on your examination will indicate which boxes have local.txt files, or both a local and a proof. Do not forget to submit these in the control panel and take screenshots for your report.
3. I cannot stress this point enough: turn off your firewall if you’re on Windows! I spent two hours troubleshooting because I had no idea that Windows was dropping my traffic to the proctor. Save yourself the trouble and disable your pesky firewall.
4. You’ll start the exam. Here’s what I recommend:
-Read everything carefully.
-Immediately use nmapAutomator or Autorecon to start scanning the 4 targets you will not be attacking (non-buffer overflow machines)
-Start the buffer overflow machine, by the time you’re finished, all of your scans will be done (unless you’re a mad-person and finish Buff in less than 30 minutes)
-Attack the hosts in descending order, 25 points to 20 points to 20 points to 10 points.
-Profit, you’re going to get the 70 points. Do not stress.
OSCP Exam Tips
1. Forced Time Management. Spend two hours on any given box, use a timer to keep yourself honest. If you manage to get a shell on a box in the two hour period, reset the timer and give yourself another two hours for privilege escalation. If you can’t shell or perform Privilege Escalation in that two hour period, move on. No seriously. Move on. If you feel like you almost have a shell, or that you will have the box rooted close to the two hour period, try whatever you’re going to try and then immediately move on if it doesn’t work.
No, don’t lie to yourself. The most common pitfall I hear from people who fail is: “I spent way too much time trying xyz when I realized I could do xyz on another box”. I’m nowhere near perfect, I did the exact same thing. You have to catch yourself abusing your timer. Move on, you’ll thank me later.
2. No box bouncing. A lot of people will see a port or service on one box, try a bunch of enumeration or exploitation methodology and see another service on another box and keep hammering away from box-to-box until they’ve stressed themselves out and ended up with limited points. Stay methodical, you know how to perform Penetration Tests, stick to the timer, stick to the Penetration Testing framework:
Enumerate, Enumerate some more -> Exploit -> Perform Privilege Escalation
Consider the following example:
-You find credentials for a service, log in, but are stuck
-You quickly decide to instead attempt to exploit ‘X’ on another box, which doesn’t work so you:
-Perform in-depth enumeration on another box and find nothing so you return to the first box you started with.
-That’s stressful and non-methodical. Don’t do it. Use your time to thoroughly enumerate a system, look for an exploit, and abuse the system. If you can’t do it in that two hour period, suck it up, perform the same in-depth enumeration on the next system. If you stick to this method, you will exploit the systems. You’ll have to be dead-lucky to gather enough points by box-bouncing.
3. Forget about time outside of the scope of the Time Management system you set for yourself. I love what Rana Khalil said on Twitter when she gave OSCP tips.
“You’ll run out of ideas before you run out of time.”
This is legitimately the most factual statement that was ever presented. I was nowhere NEAR close to running out of time before I started running out of ideas to exploit the last system I was working on. You can only know what you know.
4. If there’s a Metasploit module for it, a manual exploit exists. Instead of searching an exploit for MySql version 5.x.x try typing in “github mysql version 5.x.x exploit” you’ll be absolutely shook after you see the POCs and scripts that manifest in front of you.
5. Brute Force? Yeah, no. Save that for a hail-mary last effort attempt to exploit a system. I don’t know what all of the OSCP machines look like, but I’m fairly positive that Brute Forcing is the loudest and most disruptive exploitation methodology.
6. Take notes and screenshots as you go along. I think this is the most stressful part for many people, but remember, your time is not limited. 24 hours is quite a bit of time. This was my approach:
-Started a box
-Dumped suspicious or relevant services identified from scans into my Joplin notes
-Took screenshots of suspicious services and dumped it into my Joplin notes
-Attempted exploitation, and if I got it, I would replicate, screenshot, and write about it
-Rinse and repeat for the Privilege Escalation process
You may not be the best note-taker, but I recommend practicing this approach. It was an amazing feeling to get the points I needed to pass the exam, and then throw a bunch of exploits and mess around with my final box because I did not have to go back and document anything (since I already documented everything)
7. Reset boxes. You’re allowed to do so for a reason. If you’re exploiting the Buffer Overflow system or another system and you know your exploit should be working, reset the box and try again. If it doesn’t work, it’s possible that your exploit isn’t as infallible as you may have previously thought.
8. Do what works for you. I’ve heard people say they have slept for ‘x’ hours or didn’t sleep at all. You know your body, and you know what you can handle. If I can recommend anything, it would be at a bare minimum, taking several breaks and stepping away from your computer for some fresh air. Don’t aimlessly attack systems when you’re stressed out. Come back and start attacking again once you reset your approach.
9. Keep track of your points. You need to know where you’re at and what it’s going to take to pass, but don’t stress. It doesn’t matter if 12 hours in you only have 45 points. You could easily root every system in the next couple of hours.
10. Realistically, there are so many great tips. The most important one you need to know is that you could fail the exam or you could pass, but don’t waste any of your time anticipating or projecting the outcome. Just hack.
11. Ending on an odd number irritates people, but I had to throw this last bit in here. Save your Metasploit usage for your last-ditch effort. You won’t need to utilize it if you’ve thoroughly prepared, but it could be a game-changer if you’re 65 points deep and looking for an easy win.
If you fail the exam, it means nothing. There are people who have failed the exam 5+ times, there are people who have passed on their first attempt. None of that really matters. Study, work hard, and take the exam.
If you fail your first attempt, don’t quit. You’ve toiled for this, you’ve paid for the course. Refocus and study, you will get it next go around if you spend the downtime before you can reschedule studying instead of sulking. You will pass, but you need to be honest with yourself and your abilities and work on weak spots.
I’m hoping this guide gave you some visibility and insight. If you like it, follow me on Twitter: @johnjhacking
Thank you for reading!