How to (not) fail OSCP twice

2022-02-22

"New" OSCP Exam Overview

I originally gave a little talk on this topic at my cybersecurity club meeting, but I thought I'd write a blog post about it as well! I recently took the new version of the OSCP exam. So your first question might be, why OSCP? Well for me, my previous job was in vulnerability assessments and penetration testing. I'd gotten GPEN already, so I felt ready to tackle the OSCP exam next.

DISCLAIMER: EVERYTHING IN HERE IS FROM MY OWN PERSONAL EXPERIENCES AND IS BY NO MEANS "ONE SIZE FITS ALL" ADVICE.

So, if you weren't aware, OSCP recently changed their exam format, and if you want a more thorough explanation you can check out their blog post. For a quick and dirty on what's changed, the Buffer Overflow machine is no longer guaranteed, and if you do get this box, it will now include a privilege escalation component. Additionally, there is now an Active Directory (AD) component which requires obtaining Domain Admin privileges on that portion of the exam network. A note on the AD section is that full domain compromise is required to get the points for that portion. With these changes, to pass the exam with the minimum score of 70 points, you essentially have to compromise 4 hosts completely (I'm including the AD hosts) and get user on a 5th box.

Unfortunately, I didn't pass yet again... BUT I did complete the AD section and obtain Domain Admin as well as get user on one box. I'm writing this blog in hopes that someone else attempting the new exam style can be more successful than I was!

My Preparation

One of the first things you should set up before attempting any certification exam is some form of consistent note-taking, whether that's just some simple Markdown in a text editor or a note-taking application, like what I use! I'm a fan of Obsidian, which I use for all of my notes.

Additionally, I like using the noraj exam templates for my reports, but the main point is that you should have a template ready to go before your exam and simply paste everything in there as you take the exam. I personally love Obsidian for this because it allows you to just paste images straight into your Markdown file with code snippets for a professional looking report.

I took OSCP once before back in 2021 (and failed...) and my only preparation at that point was my prior knowledge from GPEN as well as the PWK course material & lab environment. I didn't complete every lab exercise since I had prior pen-testing knowledge and had been doing CTFs for about 5 years, but I did complete almost 15 machines in the PWK lab environment.

During my free time, I'm usually always working through TryHackMe (THM) or HackTheBox (HTB) machines, which are great resources for prepping for the stand-alone machines in the OSCP exam network. The one thing I did differently for this attempt was prep for the AD portion, and I decided to do this using the Throwback network on THM & Dante on HTB. I completed the entirety of Throwback, while I casually used Dante throughout the month before my exam attempt. I think Throwback does a great job of allowing someone to walk through an AD pen-test while also giving the freedom to choose your own adventure at points if you feel comfortable with the material. Dante is definitely more of the "black box" menatality which was helpful for practicing enumeration, pivoting, and privilege escalation.

Necessary Tools & Methods

Below is kind of what I'd say are just some general tools or things that I found incredibly helpful on the new exam even though I didn't pass:

Recommended OSCP Tools & Methods

Obviously, take these with a grain of salt if there's something that you're more familiar with, such as for pivoting, but these are the ones I've found to work best during not only during my OSCP prep but in my professional career as well.

Things I would change for next time...

I think one of my biggest downfalls during the exam was that while I had everything in "one" place, I didn't have full cheatsheets built with step-by-steps or every possible tool for enumerating a specific service, etc. I relied too much on being able to search for things in my massive vault of information, where sometimes I was trying to re-engineer something I'd done for a specific use case versus having a general usage line I could copy-paste.

The other piece that I'm clearly weaker on was the stand-alone boxes... I think I got stuck in rabbit holes and didn't manage my time efficiently. An approach I plan to take next time is to take breaks every 2 hours or so, and to pivot off a machine that I'm not making progress on within an hour. I think this last part goes back to me not owning "my" pen-test methdology and sticking to it during the exam versus getting "lost in the sauce" as they say... which during a timed exam is not exactly a step in the right direction.

So yeah, I think the three big things I need to work on during both my prep and my actual exam time are:

  1. Time management
  2. Cheat sheet preparation & resource management
  3. Rinse & repeat my pen-test methodology

Other Good Resources

Last but not least, here are some other good resources I've used throughout my OSCP journey:

  1. HackTricksXYZ
  2. Kerberos Attacks
  3. Chisel Pivoting
  4. AD Attacks
  5. Recon/Enumeration

Is OSCP the right certification for you?

I wanted to end this blog post with a little hot take. I think a lot of the time we say that OSCP is the "intro certification" or the "gateway certification" to get into cybersecurity, but I feel that there's a caveat missing from these statements... OSCP stands for OffSec Certified Professional and is a penetration testing certification, not an introductory cybersecurity certification and certainly not a blue team or security architecture certification. I think when someone asks "What certification should I get to get into the field?" there should be exactly one response in return: "What area of security are you interested in?" Every penetration testing certification in the world isn't going to make you the best exploit developer or the best system administrator because they're not the same. Will they advance your general security knowledge and skills? Of course... but I think the perspective of does this get me closer to my dream job in "X" is sometimes missing from new people coming into security, and it's on those of us in the industry to help newcomers get some perspective in terms of what their true goals are before recommending ours to them.

Thank you for reading!

Want to Contact Me?

You can find me on Twitter or LinkedIn if you have any questions or just want to connect!
If you're curious where I've worked or what skills I've acquired over the years, I've linked my resume.