A BEGINNERS GUIDE TO OSCP 2021
from zero to oscp
Last updated
from zero to oscp
Last updated
Back when I began my journey there were numerous recommendations for different platforms for various reasons — all of which proved to be rather confusing. Newcomers often commented on OSCP reviews — Which platforms did they use to prepare? Which is best? How many machines they completed and how they compare in difficulty to the OSCP? Based on my arduous journey and the mistakes I made along the way, I hope this guide addresses the questions that those who are new to Penetration Testing are asking and also helps to provide a roadmap to take you from zero to OSCP.
This non-technical guide is targeted at newcomers purely with the aim to achieve the OSCP (if you have already started your journey, have a read through and slot in wherever your experience lines up). It is important to mention the actual day to day work of a Penetration Tester differs greatly and online lab environments can only emulate a penetration test to such an extent.
Before we start I want to emphasise that this is a tough programme. The initial learning curve is incredibly steep, going from zero to OSCP demands a great amount of perseverance and will power. However since you are reading this post I am sure you have pondered over this journey many a time and are close to committing. During this process Offensive Security inculcates the TRY HARDER mantra but rest assured when you hit that brick wall after pursuing all avenues you know of, there is no shame in seeking tips/walkthroughs/guidance from others. You will eventually reach your target and look back on it all thinking — ah it wasn’t too bad!
This endeavour will cost in the region of $1,360/£1,000+ (very fairly priced compared to the likes of CEH, GPEN, INE CS Pass). The timeline only acts as a guide and heavily depends on your circumstances and how much time you can commit per day. Some are able to achieve OSCP in 3 months whilst it can take others over a year. The start of this journey will be painfully slow as you overcome that initial learning curve and establish your own methodology but you will soon be able to fly through machines!
Let’s begin!
If you have no prior InfoSec experience I would recommend CompTIA Network+ and CompTIA Security+ to attain a minimum baseline of knowledge & understanding. For instance you should be able to explain the service running on port 22 and less common uses for the port (SCP, port forwarding) & have an understanding of Networking Concepts such TCP/IP and the OSI model.
Experience as a Security Analyst/SysAdmin/Developer/Computer Science Degree will provide a good foundation. Additional certs such as CREST CPSA , CompTIA PenTest+ (more managerial) may help further your knowledge. Whichever you decide, do not pursue CEH 😂.
To organise my notes I used OneNote which I found simple enough to use, plus I could access it from my phone. My layout can be seen here but tailor it to what works best for you.
An understanding of basic scripting will be helpful, you do not need to be able to write a script off the top of your head. Rather, being able to understand and make simple modifications to python exploit scripts is a good starting point. You will quickly improve your scripting skills as you go along so do not be daunted. An online beginner course is sufficient.
If you are still dithering in indecision about pursuing Pen Testing then Metasploitable 2 offers a simple free taster. Follow the attached guide which begins with installing the VMs (Offsec Kali images) and goes through several key exploits (exploit guide).
Whilst working through Metasploitable you can also follow along parts of the Metasploit Unleashed course by Offensive Security.
A more modern alternative to Metasploitable 2 is TryHackMe (£8/pm) which features a fully functioning Kali Linux instance all in your browser (this is great for starting out but once you move to the next stages you will need your own virtual machine). THM offer a Complete Beginner and an Offensive Pentesting (more in line with HTB) pathway with an advertised completion time of 28 and 47 hours respectively. Each path offers a free introduction. You can also browse through their large catalog of machines choosing from walkthroughs or traditional Capture The Flag challenges without requiring a subscription.
Hack The Box is an online lab environment hosting over 150 vulnerable machines. To access the lab you download a VPN pack which connects you to their network hosting the victims. The machines are nicely organised with fixed IP Addresses.
At first, I cycled through 20 of the Easy rated machines using walkthroughs and watching ippsec videos. This quickly got me up to speed with Kali Linux and the command line. After this, I took a month’s break to sit my CREST CPSA and then returned to work a little more on HTB. By this stage, I had completed around 30 HTB machines and I dived into PWK. I do not recommend this as the jump in difficulty was huge. (Offensive Security have since introduced a Learning Path — more on this further down)
After my failed exam attempt I returned to HTB and rooted over 50 machines based on TJnull’s list below (Instead of completing the entire list I opted for a change in service). These machines often have numerous paths to root so don’t forget to check different walkthroughs!
Recommended Walkthroughs:
ippsec John Hammond 0xdf Rana Khalil Hacking Articles
Proving Grounds is a relatively new offering by Offensive Security. The service was born out of their acquisition of VulnHub in mid-2020. Since the buggy introduction of the service I can now vouch for it as it played a crucial role in my success.
PG is split into 2 parts:
Play features machines from VulnHub that are hosted by Offsec and removes the need for you to download the vulnerable Virtual Machines (something I was not keen on when I was starting out)
Practice offers a curated list of Offsec designed boxes that are more aligned to OSCP (I discuss Practice later on in this post).
Despite the Play machines being more CTF-like I still recommend them as they offer a broader experience and at this stage (with over 50 HTB machines under your belt) you should be able to complete the easier machines with little to no hints fairly quickly which will help boost your confidence and I actually found these machines to be enjoyable. I advise completing the majority of the Warm Up and Get To Work machines.
I completed 35 machines on PG Play.
To put it simply Virtual Hacking Labs is my favourite service!
I have left VHL as the fourth step due to its offering and higher price compared to others thus far. I would highly recommend purchasing a 1 month pass for $99 and working on it every day to get your money’s worth.
VHL offers 40+ machines with a varying degree of difficulty that are NOT CTF-like. The service is straight forward to use providing a good selection of target machines which are organised by Beginner, Advanced and Advanced+. Beginner and Advanced machines offer hints whereas you are expected to challenge yourself on the Advanced+ machines. There is a supportive VHL community on Discord full of great professionals willing to help.
VHL also includes an instance of Metasploitable 2 containing DVWA, short for Damn Vulnerable Web App. There are plenty of guides online to help you through this.
Purchasing the one month pass comes with a structured PDF course in which the modules are aligned to lab machines. Essentially it’s a mini PWK. My only dislike was that too many of the easier machines were rooted using kernel exploits. The Advanced and Advanced+ machines are particularly interesting and challenging.
I worked on VHL every day of my access and completed 40 machines and achieved VHL Advanced+ in under three weeks.
VHL offer two certifications. One for completing 20 machines and another for completing 10 Advanced+ machines including two manual exploitation examples. Completing this will help prepare you for the Exam & Lab report as part of your OSCP submission. I highly recommend aiming for the VHL Advanced+ Certificate as it solidifies your understanding of manual exploitation and the exploit process thus reducing your reliance on Metasploit whilst also improving your scripting skills — it takes time but it’s worth it!
To my mind the Advanced+ machines are similar in terms of difficulty to OSCP.
At this stage you will be in a very good position to take the leap to PWK but spending a few weeks here will better align your approach.
Proving Grounds Practice offers machines created by Offensive Security and so the approach and methodology taught is very much in line with the OSCP. For this reason I have left this service as the final step before PWK.
Offsec have recently introduced walkthroughs to all Practice machines allowing you to learn from the more difficult machines that you may get stuck on. You must spend 1.5 hours on a target machine before hints/walkthroughs are unlocked. This is one feature I like in particular that other services lack.
In my opinion these machines are similar/more difficult than OSCP but are well worth it. I completed over 20 PG Practice machines
By now you may have given thought to Buffer Overflows and its significance as it provides a crucial 25 points in the exam. When I first opened immunity debugger it was like navigating through a maze but I promise you it is not that complicated.
I made the mistake of going into PWK with zero understanding of buffer overflows, I simply dreaded it and tried to put it off till the very end. However once you grasp that initial understanding all of the pieces will quickly fall into place.
Prior to enrolling onto PWK I advise spending several hours reading about buffer overflows and watching a few YouTube walkthroughs. A good step by step tutorial can be found here. The general structure that I used to complete Buffer Overflows:
1_crash.py 2_pattern.py 3_eip.py 4_badcharacters.py 5_return.py 6_shell.py
I have read about others doing many different practice buffer overflows from different sources however the OSCP exam’s buffer overflow has a particular structure to it and third party examples may be misaligned. All you need to do is:
Read about buffer overflows and watch this introduction. Get your first exposure by completing this walkthrough (it will be confusing at first but try to follow it along)
Complete the Windows and Linux buffer overflow sections in the PWK PDF (they were updated for PWK 2020 and are simple to follow)
Complete all three Extra Mile Buffer Overflow exercises
Complete the Buffer Overflow machine in the PWK lab
Once the above is done do not turn a blind eye to Buffer Overflows, complete one every week up until your exam.
Complete one or two Buffer Overflows the day before your exam
When you sit your exam you are given a set of objectives and everything is clearly explained (Offsec are not trying to catch you out) . You are provided with a Proof of Concept python script just like in the PDF examples and a debugging machine. You are not required to do any web fuzzing or major scripting.
If you have made it this far Congratulations the end is near!
To Be Or Not To Be We must first address the dilemma that is otherwise known in the underground as the elusive, perpetual Course Exercises…
I found the exercises to be incredibly dry material that I had to force myself to complete. My Lab Report including the exercises came to over 400 pages. However, despite not being dependant on the bonus 5 points for my exam pass, I am glad I went through the ordeal as it offers a good insight into Active Directory and helps to introduce you to topics that you may have otherwise overlooked such as pivoting and client side attacks.
Because of this I recommend documenting the exercises alongside the lab report containing details of how you exploited at least 10 lab machines earning you 5 bonus points in the exam.
If you complete the 25 point buffer overflow, 10 pointer, get a user shell on the two 20 pointers and the 25 pointer, this leaves you with 65 points while 70 is the pass mark. Having the extra 5 bonus points could come in very handy if this is your predicament 😬
The Lab PWK is an expensive lab. I would recommend purchasing at least 60 days access which should be enough time to complete the exercises and work through a significant amount of the machines (depending on your circumstances). Once enrolled you receive a lengthy PDF, a link to download the offline videos that are collated and well presented through your web browser, and one exam attempt ($150 per retake).
Before starting, it will be helpful to read through the Network Guidance on the lab structure and use the recommended Kali Linux VM. Oddly Offensive Security were kind enough to recently provide a structured Learning Path for new students which will hopefully provide you with a far more pleasant experience than I had (it was like being thrown into the deep end without knowing how to swim properly).
The Learning Path offers 2 walkthroughs and hints for 11 machines. For the remainder of the lab you will find bizarrely vague hints in the old Forum — some of them are truly stupendous. The PDF also offers a full guide through the sandbox network.
Offensive Security recently wrote an article discussing pass statistics. The info-graph they show emphasises that the more machines you complete in PWK, the more likely you are to pass (who would have thought). During my lab time I completed over 50 machines.
I remember a user wrote “the client machines have more holes than Swiss cheese.” Perhaps this stuck in my head due to my dry humour but nonetheless do not overlook the client machines nor the sandbox.
My second attempt was first scheduled to be taken back in November 2020 soon after my first. This was pushed back to January after I decided to spend more time on lab services and take a much needed holiday 🏖. Looking back I used the time effectively on VHL, HTB and Proving Grounds to further my knowledge & understanding which most definitely contributed to my pass. With every lab machine you work on you will learn something new!
Buffer Overflow(Live footage of me trying to troubleshoot my Buffer Overflow script 😭)
I began by resetting the machines and running nmapautomator in the background whilst working through the buffer overflow.
The buffer overflow took longer than I anticipated — 2h:15m due to small errors along the way and I had to overcome an error message I had not previously encountered.
10 Pointer The version number for the vulnerable service was nicely advertised. A quick look on searchsploit identified the exploit which granted me a System shell following a few modifications.
20 Pointer #1 Similar to the 10 pointer I soon identified the vulnerable service, found the PoC and gained shell as a low privileged user. Not too long later I found the way to root and secured the flag.
20 Pointer #2 This machine took a while as it was against a service I had not come across before. However diligent enumeration eventually led to a low privileged shell. After around an hour of failed priv esc enumeration I decided to move onto the 25 pointer.
At this stage I had achieved 65 points (+ 5 bonus) so I was potentially at a passing mark.
25 Pointer This machine also offered a completely new type of vulnerability I had not come across before. I spent over an hour enumerating the machine and once I had identified the vulnerability I was able to find a PoC and gain a low privileged shell.
Similar to the second 20 pointer I could not find the way to root. I went down a few rabbit holes full of false hope but nothing came of it.
Nonetheless I had achieved 25 + 10 + 20 + 10(user) + 10(user) + 5 (bonus) = 80
In my remaining time I went back and forth repeatedly between the two privilege escalations and ensured I had the correct Proof Keys and sufficient screenshots.
For my report I used this template. I did not use Metasploit in my exam.
An outline of my progress before I passed:
50+ HTB machines
50+ PWK machines
40+ VHL Machines
30+ PG Play machines
20+ PG Practice machines
The exam itself will not feature exploits you have previously come across. For example you will never face the VSFTPD v2.3.4 RCE in the exam 😂. Instead Offsec will present you vulnerabilities they know you have not exploited before. The purpose of the exam is to test your enumeration and methodology more than anything. OSCP is not like other exams where you do your preparation knowing that there is a chance that something in your prep will directly appear on your exam (e.g. while studying for N+ you know you will get a handful of questions about port numbers), albeit for the buffer overflow.
Based on my personal development if you can dedicate the time to do the above, you will be in a very good position to pass the OSCP on your first attempt.
Looking back on this lengthy post, this pathway is somewhat a modest overkill. You could perhaps remove the PG Play machines as they are more CTF-like but I found those machines to be the most enjoyable. You could well jump straight from HTB to PWK and pass the OSCP but there is still a lot to learn from the other platforms which will help to solidify your methodology. PWK lab extensions are priced at $359 for 30 days so you want to get as close to the top of the learning curve prior to enrolling.
Final thoughts Earlier when I wrote the end is near, this is only the beginning! The OSCP is often spoken of like the Holy Grail but despite all of the efforts you go through to pass this challenging 24 hour exam, it is only a beginner cert in the Offensive Security path (yes I know it hurts to hear that 😁).
Einstein is apparently quoted to have said
Insanity — doing the same thing over and over again and expecting a different result
There were times when I was truly insane throwing the same exploit over and over again hoping for a different outcome but it is one of the many things you will overcome!
If you have any questions or require any tips, I am happy to help on Discord — hxrrvs#2715
To state the obvious, this is my own personal experience and acts as a guide only.
Thank you for taking your time to read this post, I hope it is of benefit to you!
Required scripting experience When I started off I had a core understanding of python scripting learned from a short college class (U.K.) and some experience with bash. Over the course of doing the labs outlined in this guide you will naturally pick up the required skills (ippsec works through scripting excellently). By the time you sit your exam you should be able to read through a script, understand what it does and make the relevant changes. You DO NOT need to be able to write a script off the top of your head (this will be tested in more advanced certifications). This is a beginner course where you are tasked to identify the vulnerability, find the public exploit/path in and make modifications where necessary. If you are fluent in programming languages (Java, .NET, JavaScript, C, etc.) it will be of particular advantage in pursuing the OSWE. The PWK course exercises delve into PowerShell, any prior experience here will be a bonus.
Walkthroughs As I mentioned at the start there is no shame in turning to walkthroughs however it is important that you do not become reliant on them. At first you will be going through ippsec videos and guides but eventually you will transition away from walkthroughs and work through machines on your own. When you hit a dead end first ask yourself if you have truly explored every avenue. If this is the case and you are still stuck, only then read a guide up to the point where you were stuck and no further (e.g. if you are stuck on the foothold, do not read ahead and spoil the priv esc). A key skill that Pen Testers acquire is problem solving — there are no guides when you are running an actual Pen Test.
Manual Exploitation & debugging In most cases where a Metasploit exploit is available, there is an accompanying public exploit script either on ExploitDB or GitHub. As long as the script is EDB verified it should be good to go (at the top of the ExploitDB page). If this is not the case, GitHub may have an updated version of the script.
For example take the vulnerable Centreon v19.04:
First find exploits by searching on Searchsploit, Google and lastly MSF ExploitDB — GitHub — Metasploit (in this case the GitHub script works better than the ExploitDB script)
Configure a new listener on port 8081:
Run the ExploitDB script but set the Interface address as the target IP and port to 8081. Don’t forget to complete the path to the web app.
python 47069.py http://127.0.0.1:8081/centreon/ user pass lhost lport
Step through each request in Burp Suite to identify and resolve any issues. This will help you to break down the script and understand exactly what it does.
Pivoting Pivoting is not required in the exam. However the PWK PDF has a significant module on it and you should definitely go through it and pivot into the different networks. The other mentioned services do not require pivoting. My preferred tool is Chisel.
Active Directory To my surprise almost a year after the major update to PWK, Offensive Security have not incorporated any active directory into the exam. Despite this, I think it would be silly to go through PWK and avoid the AD domains with the intention of saving time. Don’t forget to work through the client and sandbox AD domains.
My Setup Catalina, Fusion, Kali Linux 2020.4 (I changed the desktop environment to GNOME), ZSH and a secondary monitor. I tried using tmux but opted against it 😬 — instead I configured window panes on QTerminal.
Rabbit Holes Throughout this journey you will fall down many rabbit holes and dig deeper in an attempt to avoid the embarrassment of a complete U-turn. This is one of the things you will overcome with practice. Eventually once you have built up a good amount of experience you will be able to run your Nmap scan, probe the services and have a pretty good idea about the way in.
What’s Next In the week following my exam result I enrolled onto PEN-210 — wifu and successfully passed the exam! My next goal is OSWE.
Notable Mentions
TryHackMe — I tested this service briefly but opted to use Proving Grounds instead. Having passed I have now returned to THM and I actually really like their service. You can filter through the different “Rooms” by free or VIP and select from either traditional CTF challenges or guided-walkthrough-like challenges.
Tib3ius’s privilege escalation courses. I did not use these but they are very highly regarded and may provide you with that final push. He also offers three free rooms on Try Hack Me covering Buffer Overflow, Linux Priv Escand Windows Priv Esc.
PortSwigger Web Security Academy — This is a free educational resource made by the creators of Burp Suite. I used it to improve my SQLi skills and highly recommend it (the vast majority is out of scope for OSCP, I completed the SQL Injection module except for the sections named “Blind SQL …”).
“Very many people have asked for a third edition of WAHH. But rather than produce another printed book with non-interactive content that slowly goes out of date, we’ve decided to create the Web Security Academyinstead.”
References
Metasploitable Guide Metasploitable Exploit Guide Metasploit Unleashed ippsec 0xdf Rana Khalil Hacking Articles Tjnull’s List VHL Discord server Buffer Overflow Introduction Buffer Overflow Walkthrough PWK Network Guidance PWK Learning Path PWK Stats PortSwigger Tib3ius PE Report Template
Technical Resources
NmapAutomator SecLists Nishang Impacket Universal php webshell LinPeas WinPeas SUID3NUM pspy PowerSploit PowerUp HackTricks GTFOBins Chisel
This post reflects my honest opinion. I was not endorsed by any of the aforementioned services.