It feels like everybody who passes the OSCP has written a blog post about it. And, for a long time I thought I wouldn’t write one, because there is already a long list of excellent resources talking about passing the OSCP out there. I will provide a list of them down at the bottom of this post. But whenever I stumbled across an OSCP guide, I feel like there are some things missing. After I passed my OSCP exam at the end of 2022, some of my coworkers have asked me for advice. Most of the time I pointed them to already available guides on the internet or shared my notes with them, but I always added some personal recommendations about Methodology and Mindset that I rarely see being talked about in other OSCP guides. So this blog post is going to summarize these tips.

General considerations

Before talking about how to approach the OSCP, I want to talk about some general stuff. I know it is written everywhere, but when I started out with the OSCP, I underestimated this part a little: ”Taking this certification will require an EXTENSIVE amount of work and time!”. Coupled with the considerable amount of money it costs and the limited time you have to complete it, you really should consider, f your bank account, your mental state, and your friends and family can endure taking the OSCP. It might be the case that for your current situation, there are other learning resources and certifications that are better suited for you.

Nevertheless, I have to mention the benefits of taking this course and exam:

  • You will get a lot of new knowledge (If you are a beginner to early intermediate in the field of Pentesting)

  • You can verifiably demonstrate knowledge and dedication

  • With the OSCP, you have a 99% job guarantee

How to approach the OSCP course

After purchasing the course, you will have access to labs, video and written course content and exercises. Here is some stuff that helped me to succeed:

  • Do the course material and labs in parallel. There is no point in finishing the course material first. You need to gain PRACTICAL, HANDS-ON experience, as much as you can.

  • Join the Discord asap. I was hesitant at first, because by now everybody has a “Discord community”, but this one is insanely helpful. On the Discord server you will find

  • Nearly instant support (trust me, you will need support)

  • Solutions to the exercises and labs (if you know how to look)

  • You will find out, if a machine is broken or if you are just too stupid to use it (skip the broken ones (looking at you: Compile this exploit with one specific version of Linux), sure you will learn some interesting stuff here, but time is running)

  • If you want the bonus points for the exercises (it saved my a**), do not underestimate the time it takes to solve them. Use the Discord server, if you are stuck (remember sometimes 100% is not needed).

  • Spend most of the time in the labs. Here is what I would recommend:

  • Build a methodology to do Recon and Privilege Escalation and refine it over time.

  • In the beginning start without looking up any solutions in the Discord. That is the situation you will face in the exam.

  • The closer you get to your exam, the more you should seek help in the Discord server (Ctrl+F). Many OSCP machines are quite similar and the more you see, the more you are getting a feeling for them.

  • DOCUMENT, DOCUMENT, DOCUMENT. It doesn’t matter where you take notes (I used OneNote, because you can just throw everything everywhere), but from your notes you should be able to solve any machine you have already cracked in a couple of minutes again. Additionally you should have a quick way to know which machine had the Apache Version x.xx exploit, so you can find it in the exam.

  • Try to form a study group, if you can.

  • Try to get all of the Active Directory machines.

Active Directory

Knowing how to exploit Active Directory (AD) is essential for passing the OSCP. But luckily there are some tricks to help you with doing it. The answer here is checklists. Why? Because for both, Windows Privilege Escalation and Lateral Movement in an AD environment, there is only a limited number of possible ways to do it (at least what they want you to know in the exam).

So how do we do it? Easy (well somewhat), you prepare two checklists, one for PrivEsc, one for Lateral Movement. In the exam there will be be three AD machines: One entry, one internal and one Domain Controller. So now you just need to find the initial exploit and afterwards, you take your checklist for PrivEsc and go through each of the methods and try them. After trying each method you mark it as “Successful”, “Definetly not possible” and “Haven’t found a way yet”. Because sometimes you try the entire checklist and everything fails, now you want to know what to try some more and that is when you try the “Haven’t found a way yet”s. After succeeding do the same with the Lateral Movement checklist and so on and so on.

Additionally, you have to know Pivoting and you have to do it without Metasploit, so I encourage you to look at tools like chisel https://github.com/jpillora/chisel and to understand SSH tunneling in depth.

Recon

This one is not a novel and secret tip, but I wanted to include it anyways: Use AutoRecon by Tib3rius https://github.com/Tib3rius/AutoRecon . Use it from the first day on, this will allow you to get a feeling for how exploitable and none exploitable recon results may look like. If you have the time (medium priority for the OSCP, high priority for real job), learn all of the recon tools by themselves. In a real world Red Team engagement there will be no AutoRecon.

Privilege Escalation

Practice it hard, keep good notes and watch the courses by Tib3rius:

While you watch them take note of all the ways shown and compile them into a checklist.

The Exam

I recommend you do the following preparations:

  • Make a backup of your Kali installation and your notes, have a backup device

  • Prepare meals and sources of caffeine

  • eliminate distractions

  • Get up earlier the day before the exam day, so you will sleep better

  • Read your notes to refresh your memory

But to be honest: All of the above might be useful, but the exam will only be passed, if you have studied and prepared really well. Good luck.

If you liked this article, or you want to have a chat about preparing for the OSCP with me, you can find me over on Twitter @secbyaccident. You can also check out all my other stuff on https://security-by-accident.com/.

Additional resources

https://johnjhacking.com/blog/oscp-reborn-2023/

https://hakluke.medium.com/haklukes-ultimate-oscp-guide-part-1-is-oscp-for-you-b57cbcce7440

https://github.com/0x4D31/awesome-oscp

https://help.offsec.com/hc/en-us/articles/360040165632-OSCP-Exam-Guide