
Just another OSCP blog ... Or is it?

In this blog, I'll walk you through my OSCP journey and also cover some important points that I found crucial for OSCP preparation. I started my preparation in January 2021 and set a target for mid-year to attempt the exam. Well, life happened and it got delayed till October. (better late than never, right?)

#whoami

I am a full-time Security Engineer, where my day job requires me to wear the hat of Vulnerability Management. I like to explore the realms of Network Security, which got me interested in OSCP.


The initial plan of action: 

  • Jan 2021 - Complete HTB retired machines (TJ Null's list)
  • Feb 2021 - Start HTB active machines + Proving Grounds
  • March-May 2021 - Buy OSCP voucher and complete PWK labs 
  • June 2021 - Pass the exam 😎

How my prep actually went:

  • Jan - Feb 2021 - solved HTB retired machines and practiced BOF
  • March 2021 - completed Tib3rius' Privesc courses (Windows and Linux) 
  • April 2021 - preparation gap ;-;
  • 22 May 2021 - bought PWK labs subscription
  • June 2021 - completed PWK labs 
  • July 2021 - Proving Grounds (OSPG)
  • Aug 2021 - preparation gap ;-; 
  • September 2021 - Mock exams (only on weekends) 
  • 9 October 2021 - Passed 

Initially, I had planned to buy 60-day labs. After skimming through endless blogs and Reddit threads related to OSCP, I decided to buy 30-day labs and spend another 30 days on OSPG. 

I started off with HTB retired machines, which were way too daunting for me. So I mostly referred to the walkthroughs and watched ippsec videos thereafter. After completing ~30 of them, I was somewhat comfortable playing around with the boxes. 

However, there were 2 things missing: 

1. I wasn't confident enough to solve the boxes on my own. 

2. I did not have a clear strategy to approach the machines. 

These 2 points were covered when I bought the 30-day PWK labs. Why? Because these were more beginner-friendly than HTB, and allowed me to build confidence in solving the machines by myself. I would still look for hints when stuck because I had a lot more to learn and add to my notes. :)

By the end of my PWK lab access, I managed to complete 40 machines and was now confident to go for more advanced machines. Offsec provides detailed walkthroughs for 2 machines (Alpha and Beta). They will help you understand the mindset needed to approach the machines. 

Once my lab subscription ended, I went on to Proving Grounds (highly recommended!!!) to further sharpen my skills. The UI and general functionality definitely need improvement, but the boxes were worth my time and money. I referred to 2 lists for OSPG: TJNull and JSONSec.


Getting comfortable with Note-taking: 

I documented ALL machine walkthroughs (PWK labs, OSPG, HTB) in CherryTree (Refer: My template), because I wanted to be comfortable with solving machines while making notes during the exam. Moreover, note-taking helped improve my pentesting methodology.

Eventually, my notes were resourceful enough to act as a quick reference for the future.

Also, I did not use any automated recon tool and preferred manual enumeration, so just the Nmap service scans were sufficient to get started. 

Note: I used this script to perform nmap scans and organise my directory structure.
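The scan script referred to above is not reproduced on this page. As an added example (mine, not the author's), here is one way such a helper can be structured: a per-machine directory layout plus a two-stage nmap scan, where the grepable output of a full TCP port sweep drives a targeted service scan. The function names, directory layout and the sample -oG snippet in the comments are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not the author's script): per-target directory layout and a
# two-stage nmap scan (full port sweep, then -sC -sV only on open ports).
set -eu

# make_target_dirs <base> <name>  -> creates the layout and prints its path
make_target_dirs() {
  local base="$1" name="$2" dir sub
  dir="$base/$name"
  for sub in nmap exploits loot screenshots; do
    mkdir -p "$dir/$sub"
  done
  printf '%s\n' "$dir"
}

# parse_open_ports <grepable-nmap-file> -> comma-separated list of open TCP ports
# Grepable (-oG) output carries a "Ports:" field such as
#   Ports: 22/open/tcp//ssh///, 80/open/tcp//http///
parse_open_ports() {
  grep -h 'Ports:' "$1" \
    | sed 's/.*Ports: //' \
    | tr ',' '\n' \
    | tr -d ' ' \
    | awk -F/ '$2 == "open" {print $1}' \
    | sort -n | uniq | paste -sd, -
}

# scan_target <base> <name> <ip> -> runs both nmap stages (needs nmap and lab VPN)
scan_target() {
  local dir ports
  dir="$(make_target_dirs "$1" "$2")"
  # Stage 1: quick sweep of all TCP ports, saved in grepable form
  nmap -p- --min-rate 1000 -oG "$dir/nmap/allports.gnmap" "$3" >/dev/null
  ports="$(parse_open_ports "$dir/nmap/allports.gnmap")"
  [ -n "$ports" ] || { echo "no open ports found for $3" >&2; return 1; }
  # Stage 2: default scripts + version detection on the open ports only
  nmap -sC -sV -p "$ports" -oA "$dir/nmap/services" "$3"
}
```

Usage: `scan_target ~/oscp box-20.1 <lab-ip>` writes everything under `~/oscp/box-20.1/nmap/`, so each exam machine keeps its own evidence for the report.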

My Kali Exam Environment: 

I created 5 workspaces in Kali: one for the BOF, VPN connection and control panel, and the remaining 4 for each machine as per point allocation (10, 20.1, 20.2, 25). 

Next, I configured a shared folder between Kali (VMware) and my Windows host, and synced the host folder to OneDrive (in case my system crashes). 

Steps: 

1. Set up folder sync to OneDrive (in Windows) 
2. Enable shared folder in VMware settings 
3. mkdir /mnt/hgfs (On Kali) 
4. sudo mount -t fuse.vmhgfs-fuse .host:/ /mnt/hgfs -o allow_other (On Kali) 


Preparation 101:

You can (and should) take breaks, but do not forget that it's a 24-hour exam. The anxiety, frustration (when you're stuck) and constant staring at the screen while you are being proctored can really take a turn for the worse. 

I would suggest taking at least 2 mock exams - simulate the exam environment and start at the same time you've booked the exam for. Better to be safe than sorry. 

I practiced with the 3 mock exams below (during the weekends), just before my OSCP:

Bucket 1:

  Box Name      Estimated Points   Platform
  Lame          10                 HTB
  Poison        20                 HTB
  Buff          20                 HTB
  Remote        25                 HTB
  BOF           25                 THM BOF Room


Bucket 2: 

  Box Name      Estimated Points   Platform
  Shocker       10                 HTB
  SecNotes      20                 HTB
  Slort         20                 OSPG
  Jarvis        25                 HTB
  BOF           25                 THM BOF Room


Bucket 3:

  Box Name      Estimated Points   Platform
  Lampiao       10                 OSPG
  Lazysisadmin  10                 OSPG
  NoName        20                 OSPG
  Walla         20                 OSPG
  BOF           25                 THM BOF Room


DO NOT underestimate the time-accelerating ability of reporting. 

You need to be detailed and accurate, and you only have 24 hours to document everything after the exam ends. I'd suggest that you make your CherryTree exam notes as organised as possible, to avoid confusion while reporting, and start on the report ASAP. It took me a good 10 hours to complete my report. 
(Refer: whoisflynn's OSCP exam report template)

Buffer Overflow: 

You guessed it right - TryHackMe's BOF prep room! (all 10) 

My BOF strategy: I maintained these 4 python scripts because I did not want to keep updating the same script for every step, and I'd have the scripts ready for all steps for the exam report. It also makes troubleshooting easier and quicker. I also created a BOF template in CherryTree, to make sure that no step or screenshot is missed. (Refer: my CherryTree template)



Special mentions:

Courses:
Tib3rius' Linux PrivEsc
Tib3rius' Windows PrivEsc
TheCyberMentor's Buffer Overflows Made Easy

Resources: 
revshells.com (No need to edit your IP and port while trying multiple reverse shells. An amazing time-saver!)

Thank you for reading, I hope you found this blog helpful! Until next certification ;)

You can reach out to me via LinkedIn.

Special thanks to @masquerad3r for being a part of this journey :)