Skip to content

Category: Hacking

The Offensive Security Certified Professional (OSCP) Exam

The Offensive Security Certified Professional (OSCP) exam is known for being one of the most challenging certification exams in the cybersecurity field. It’s a hands-on test of your ability to identify and exploit vulnerabilities in a live, virtual environment.

The exam is not for the faint of heart. It requires a significant amount of time and effort to prepare, and even experienced security professionals may find it difficult to pass. In fact, the pass rate for the OSCP exam is typically less than 50%.

So, what makes the OSCP exam so challenging? For starters, it’s an extremely hands-on exam. Rather than simply testing your knowledge of security concepts, it requires you to actually demonstrate your skills by completing a series of real-world challenges. This means you need to have a strong foundation in security principles and a practical understanding of how to identify and exploit vulnerabilities.

In addition, the exam is time-limited. You have just 24 hours to complete the challenges and submit your results. This means you need to be able to work quickly and efficiently under pressure.

So, how can you prepare for the OSCP exam and improve your chances of passing? Here are a few tips:

  1. Take the OSCP training course. The OSCP exam is designed to test the skills and knowledge you gain from the Offensive Security Penetration Testing with Kali Linux (PwK) course. This course provides a comprehensive introduction to the tools and techniques used by professional penetration testers, and is an essential foundation for anyone looking to take the OSCP exam.
  2. Practice, practice, practice. The best way to prepare for the OSCP exam is to get hands-on experience with the tools and techniques you’ll be tested on. This means setting up your own lab environment and practicing your skills on a regular basis.
  3. Work through the lab challenges. The OSCP exam includes a series of lab challenges that test your ability to identify and exploit vulnerabilities in a live, virtual environment. Completing these challenges will give you a good idea of the types of tasks you’ll be expected to perform during the exam, and can help you develop the skills and confidence you need to succeed.
  4. Get support from the community. The OSCP exam can be a daunting and isolating experience, but you don’t have to go it alone. There are many online communities and forums where you can connect with other OSCP exam takers and get support, advice, and encouragement.

Overall, the OSCP exam is a challenging but rewarding experience. By preparing thoroughly and staying focused, you can increase your chances of success and earn one of the most respected certifications in the cybersecurity field.

—–

This entire blog post was created by artificial intelligence. Text by ChatGPT. Photo by Midjourney.

Thoughts on OSCP being ‘outdated’

In recent weeks I have been reading comments online about the Penetration Testing with Kali Linux (PWK) course and OSCP exam taking a lot of flak for being “tool old” and using “outdated exploits that don’t even work anymore.”

I believe most of these comments are directed at the lab environment and course materials. It is true that you won’t find many systems in modern pentesting engagements that are exploitable with older things such as EternalBlue (MS17-010).

But that is beside the point.

The PWK and OSCP exam are all about teaching you how to think, solve problems, persevere, and develop a pentesting methodology that works for you.

It is true that Hack The Box (HTB) and other modern online capture-the-flag frameworks are more leading-edge in that regard, which is great, and they can certainly be an excellent way to augment and prepare for the PWK/OSCP journey.

But the point is that it really doesn’t matter if you drive a 2019 Ferrari 488 Spider or a 1996 Honda Accord, it is whether or not you figure out how to get to the destination.

OWASP Attack Surface Detector Project

When I did a short work stint at Secure Decisions in 2018, one of the projects I got to work on was helping to create the Attack Surface Detector plugin for ZAP and Burp Suite. I left that position before the project got published, but I am happy to see that it was a success.

Here it is in all its glory.

From the OWASP description:

The Attack Surface Detector tool uncovers the endpoints of a web application, the parameters these endpoints accept, and the data type of those parameters. This includes the unlinked endpoints a spider won’t find in client-side code, or optional parameters totally unused in client-side code. It also has the capability to calculate the changes in attack surface between two versions of an application.

There is a video that demonstrates the plugin, and yes, that is me doing the voice-over.

I made some shirts

Over the years, I have kept a running list of t-shirt ideas in the back of my mind, thinking that someday “I should make a t-shirt out of that.”

I finally made the effort, and now I have a shop set up where you can buy some silly things I created. Not only are they available as shirts, but you can order them as hoodies, onesies, notebooks, stickers, coffee mugs, and more.

It’s a Festivus miracle!  

Check out the shop, or browse some of the available things below.

A few new resources for pentesting/OSCP/CTFs

Here are a few new resources I’ve run across in the last month or so. I’ve gone back to add these to some of my older posts, such as the Windows Privesc Resources, so hopefully you’ll find them, one way or another.

Windows-Privilege-Escalation-Guide
https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/

JSgen.py – bind and reverse shell JS code generator for SSJI in Node.js with filter bypass encodings
https://pentesterslife.blog/2018/06/28/jsgen/

So you want to be a security engineer?
https://medium.com/@niruragu/so-you-want-to-be-a-security-engineer-d8775976afb7

Local and Remote File Inclusion Cheat Sheet
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion%20-%20Path%20Traversal

External XML Entity (XXE) Injection Payloads
https://gist.github.com/staaldraad/01415b990939494879b4

Enjoy!

The Unofficial OSCP FAQ

It has been close to a year since I took the Penetration Testing with Kali (PWK) course and subsequently obtained the Offensive Security Certified Professional (OSCP) certification. Since then, I have been hanging out in a lot of Slack, Discord, and MatterMost chat rooms for security professionals and enthusiasts (not to mention various subreddits). When discussing the topic of obtaining the OSCP certfication, I have noticed *a lot* of prospective PWK/OSCP students asking the same questions, over and over.

The OffSec website itself covers some of the answers to some of these questions, but whether its because people don’t read it, or that it wasn’t made very clear, these questions keep coming back. Here, I will attempt to answer them as best I can.

Disclaimer: I am not an OffSec employee, nor do I make the claim that anything that follows is OffSec’s official opinion about the matter. These are my opinions; use them at your own risk.

  1. Do I have enough experience to attempt this?
  2. How much lab time should I buy?
  3. Can I use tool X on the exam?
  4. What note keeping app should I use?
  5. How do I format my reports?
  6. Is the HackTheBox.eu lab similar to the OSCP/PWK lab?
  7. Are VulnHub VM’s similar to the OSCP/PWK lab?
  8. What other resources can I use to help me prepare for the PWK course?

According to the official OffSec FAQ you do need some foundational skills before you attempt this course. You should certainly know your way around the Linux command line before diving in, and having a little bash or python scripting under your belt is recommended. That said, it’s more important that you can read code and understand what it is doing than being able to sit down and write something from scratch.

I see many people asking about work experience, which isn’t really covered by OffSec. For example, people wondering if 3 years of networking and/or 1 year being a SOC analyst is “enough.” These questions are impossible to quantify and just as impossible to answer. What you should focus on is your skills as they relate to what is needed for the course.

To do that, head over to the PWK Syllabus page and go through each section. Take notes about things that you are not sure about, or know that you lack skills and expertise in.

Once you have a list made, start your research and find ways to learn about what you need to get up to speed on. For example, when I was preparing for PWK, I knew very little about buffer overflows. I spent a while watching various YouTube videos, reading up on the methods by which you can use a buffer overflow exploit, and taking notes for future reference. Once I started the course, I was able to dive into the exercises and understand what was going on, at least a little bit beyond the very basics, which helped me save time.

In the same boat? Check out this excellent blog post about buffer overflows for something similar to what you will see in the PWK course. Also, while I haven’t tried it yet, I hear that this is a good buffer overflow challenge you can practice on.

Buy the 90 day course in order to get the most out of the experience and not feel crunched for time — especially if you work full time and/or have a family.

With 90 days, you can complete the exercises in the PWK courseware first, and still have plenty of time left for compromising lab machines.

I see this question a lot, perhaps more than any other. People want to know if it is safe to use a specific tool on the exam, such as Sn1per. The official exam guide from OffSec enumerates the types of tools that are restricted on the exam. It is pretty clear that you cannot use commercial tools or automated exploit tools. Keep this statement in mind when wondering if you can use a certain tool:

The primary objective of the OSCP exam is to evaluate your skills in identifying and exploiting vulnerabilities, not in automating the process.

If a tools helps you enumerate a system (nmap, nikto, dirbuster, e.g.), then it is OK to use.

If a tool automates the attacking and exploiting (sqlmap, Sn1per, *autopwn tools), then stay away from it.

Don’t forget the restrictions on Metasploit, too.

From what I have heard, even though OffSec states that they will not discuss anything about it further, people have successfully messaged the admins to ask about a certain tool and gotten replies. Try that if you are still unsure.

I wrote a lot about this already, so be sure to check out that write-up. In short, these are the main takeaways:

  • Do not use KeepNote (which is actually recommended in the PWK course), because it is no longer updated or maintained. People have lost their work because it has crashed on them.
  • CherryTree is an excellent replacement for KeepNote and is easily installed on the OffSec PWK Kali VM (it is bundled by default on the latest/greatest version of Kali).
  • OneNote covers all the bases you might need, is available via the web on your Kali box, and has clients for Mac and Windows.
  • Other options boil down to personal choice: Evernote, markdown, etc.

Check out the example reports that OffSec provides. From those, you can document your PWK exercises, your 10 lab machines (both of which contribute towards the 5 bonus points on the exam), and your exam notes.

I do not recommend skipping the exercise and 10 lab machine documentation, thus forfeiting your 5 extra exam points. I am a living example of someone who would not have passed the exam had I not provided that documentation. Yes, it is time consuming, but it prepares you for the exam documentation and helps you solidify what you have learned in the course.

There are definitely some worthy machine on Hack The Box (HTB) that can help you prepare for OSCP. The enumeration skills alone will help you work on the OSCP labs as you develop a methodology.

There are definitely some more “puzzle-ish” machines in HTB, similar to what you might find in a Capture The Flag event, but there are also plenty of OSCP-like boxes to be found. It is a good way to practice and prepare.

See the above answer about Hack The Box, as much of it applies to the VulnHub machines too. I used VulnHub to help me pre-study for OSCP, and it was a big help. The famous post by Abatchy about OSCP-like VulnHub VM’s is a great resource. My favorites were:

  • All the Kioptrix machines
  • SickOS
  • FrisitLeaks
  • Stapler

There are a lot of resources that can help you pre-study before you dive into the course. I will post some here.

Books

Online Guides