The Unofficial OSCP FAQ

It has been close to a year since I took the Penetration Testing with Kali (PWK) course and subsequently obtained the Offensive Security Certified Professional (OSCP) certification. Since then, I have been hanging out in a lot of Slack, Discord, and MatterMost chat rooms for security professionals and enthusiasts (not to mention various subreddits). When discussing the topic of obtaining the OSCP certfication, I have noticed *a lot* of prospective PWK/OSCP students asking the same questions, over and over.

The OffSec website itself covers some of the answers to some of these questions, but whether its because people don’t read it, or that it wasn’t made very clear, these questions keep coming back. Here, I will attempt to answer them as best I can.

Disclaimer: I am not an OffSec employee, nor do I make the claim that anything that follows is OffSec’s official opinion about the matter. These are my opinions; use them at your own risk.

  1. Do I have enough experience to attempt this?
  2. How much lab time should I buy?
  3. Can I use tool X on the exam?
  4. What note keeping app should I use?
  5. How do I format my reports?
  6. Is the HackTheBox.eu lab similar to the OSCP/PWK lab?
  7. Are VulnHub VM’s similar to the OSCP/PWK lab?
  8. What other resources can I use to help me prepare for the PWK course?

According to the official OffSec FAQ you do need some foundational skills before you attempt this course. You should certainly know your way around the Linux command line before diving in, and having a little bash or python scripting under your belt is recommended. That said, it’s more important that you can read code and understand what it is doing than being able to sit down and write something from scratch.

I see many people asking about work experience, which isn’t really covered by OffSec. For example, people wondering if 3 years of networking and/or 1 year being a SOC analyst is “enough.” These questions are impossible to quantify and just as impossible to answer. What you should focus on is your skills as they relate to what is needed for the course.

To do that, head over to the PWK Syllabus page and go through each section. Take notes about things that you are not sure about, or know that you lack skills and expertise in.

Once you have a list made, start your research and find ways to learn about what you need to get up to speed on. For example, when I was preparing for PWK, I knew very little about buffer overflows. I spent a while watching various YouTube videos, reading up on the methods by which you can use a buffer overflow exploit, and taking notes for future reference. Once I started the course, I was able to dive into the exercises and understand what was going on, at least a little bit beyond the very basics, which helped me save time.

In the same boat? Check out this excellent blog post about buffer overflows for something similar to what you will see in the PWK course. Also, while I haven’t tried it yet, I hear that this is a good buffer overflow challenge you can practice on.

Buy the 90 day course in order to get the most out of the experience and not feel crunched for time — especially if you work full time and/or have a family.

With 90 days, you can complete the exercises in the PWK courseware first, and still have plenty of time left for compromising lab machines.

I see this question a lot, perhaps more than any other. People want to know if it is safe to use a specific tool on the exam, such as Sn1per. The official exam guide from OffSec enumerates the types of tools that are restricted on the exam. It is pretty clear that you cannot use commercial tools or automated exploit tools. Keep this statement in mind when wondering if you can use a certain tool:

The primary objective of the OSCP exam is to evaluate your skills in identifying and exploiting vulnerabilities, not in automating the process.

If a tools helps you enumerate a system (nmap, nikto, dirbuster, e.g.), then it is OK to use.

If a tool automates the attacking and exploiting (sqlmap, Sn1per, *autopwn tools), then stay away from it.

Don’t forget the restrictions on Metasploit, too.

From what I have heard, even though OffSec states that they will not discuss anything about it further, people have successfully messaged the admins to ask about a certain tool and gotten replies. Try that if you are still unsure.

I wrote a lot about this already, so be sure to check out that write-up. In short, these are the main takeaways:

  • Do not use KeepNote (which is actually recommended in the PWK course), because it is no longer updated or maintained. People have lost their work because it has crashed on them.
  • CherryTree is an excellent replacement for KeepNote and is easily installed on the OffSec PWK Kali VM (it is bundled by default on the latest/greatest version of Kali).
  • OneNote covers all the bases you might need, is available via the web on your Kali box, and has clients for Mac and Windows.
  • Other options boil down to personal choice: Evernote, markdown, etc.

Check out the example reports that OffSec provides. From those, you can document your PWK exercises, your 10 lab machines (both of which contribute towards the 5 bonus points on the exam), and your exam notes.

I do not recommend skipping the exercise and 10 lab machine documentation, thus forfeiting your 5 extra exam points. I am a living example of someone who would not have passed the exam had I not provided that documentation. Yes, it is time consuming, but it prepares you for the exam documentation and helps you solidify what you have learned in the course.

There are definitely some worthy machine on Hack The Box (HTB) that can help you prepare for OSCP. The enumeration skills alone will help you work on the OSCP labs as you develop a methodology.

There are definitely some more “puzzle-ish” machines in HTB, similar to what you might find in a Capture The Flag event, but there are also plenty of OSCP-like boxes to be found. It is a good way to practice and prepare.

See the above answer about Hack The Box, as much of it applies to the VulnHub machines too. I used VulnHub to help me pre-study for OSCP, and it was a big help. The famous post by Abatchy about OSCP-like VulnHub VM’s is a great resource. My favorites were:

  • All the Kioptrix machines
  • SickOS
  • FrisitLeaks
  • Stapler

There are a lot of resources that can help you pre-study before you dive into the course. I will post some here.

Books

Online Guides

What Note Taking App is Best for PWK and OSCP?

A very common question in OSCP student chat rooms and channels I hang out in is “should I be using something other than Keepnote?”

It is a fair question considering Keepnote is recommended in the PWK course materials. However, you may notice that it hasn’t been updated in over 6 years, and has actually been dropped from recent Kali versions. I have heard tales of OSCP students’ notes getting corrupted and lost, which is not a good situation to face when you are paying for limited time to complete the coursework (and exam).

If you are starting down the PWK/OSCP path, you will soon realize that you will need to take a lot of notes. Not just on the course materials, but on every exercise you do and every machine in the lab that you work on. This includes screenshots, copy-pasted output from nmap and other tools, and the specific steps you took to conquer a box (and hopefully the steps that didn’t work, from which you can reference in the future).

It adds up quickly, and it’s a challenge to keep straight as you hack away at box after box in the lab. Being a person that has kept a keen eye on note taking apps in general, long before I got my OSCP, I have some recommendations, with pros and cons of each.

In no particular order (see my Recommendations at the bottom):

CherryTree

Learn more and download CherryTree here.

The Good

  • Hierarchical (pretty much unlimited depth)
  • Free, open-source software for Linux and Windows. You *can* get this to run on a Mac, but it’s buggy
  • Highly customizable through preferences and templates
  • Imports notes from tons of places, does some good exporting too

The Bad

  • Can’t paste images from the clipboard directly into notes
  • Not the greatest at embedding files in general
  • Not easily synced between devices/VMs
  • No Mac or mobile device support

CherryTree is like KeepNote in many ways, but it is has many more features and is actively maintained. If you are going to be solely storing and referencing your notes on one machine (your host or Kali VM), use this tool. The template feature is really awesome, and it lets you create a new note based on a template of your design. This means you could create a template for Lab VMs that you can quickly populate with data as you work on a given machine. You could do something similar for PWK exercises. It should make reporting much easier.

Evernote

Download Evernote here.

The Good

  • Feature rich app, integrates with Web Clipper browser extension
  • Windows, Mac, iPhone, Android native clients with web version for Linux
  • Is modern and hip, if that matters to you

The Bad

  • Costs $ if you want it to be any good. Free features seem to be waning as they push people into paying for the service
  • Lacks true hierarchical organization (uses tags instead of folders)

My struggles with Evernote have been well documented on this blog in the past, but some people still swear by it, so I thought I’d mention it here. They do make ease-of-access a priority, and you can get to your Evernote stuff from just about anywhere. Using it is easy until you need to organize things with any complexity, and for the PWK labs, you’d have to be OK with using the #tags instead of folders.

Microsoft Onenote

Download Onenote from Microsoft here.

The Good

  • Feature rich app, integrates with Onenote Clipper browser extension
  • Free Windows, Mac, iPhone, Android native clients with web version for Linux
  • Free version is not feature limited (just space, which hasn’t been a problem for me)
  • Excellent hierarchical organization via notebooks > sections > pages > sub-pages

The Bad

  • Some people feel it has a bloated interface
  • Exporting notes can pose challenges with formatting if you stray outside the pre-made lines

After many trials and tribulations, I ended up going all-in with Onenote for PWK/OSCP, and life in general. The ability to create multiple, separate notebooks (and choose which ones you want to see on which devices) has been my favorite feature. I can separate work from life from projects from shared stuff this way, and I still have a good amount of hierarchical ability to organize things.

Your Favorite Markdown Editor

I see people profess their undying devotion to markdown when the note-taking discussion comes up in various OSCP forums/chats, and I respect their decision and desire for simplicity. However, the one feature I used most, and I can’t imagine living without in the OSCP course, is the ability to paste a screenshot into a note. I did this so much that it would have driven me crazy to have to do anything else, and with markdown, you have to do some form of “save image/reference image via text in the note/embed via some other mechanism”. There are extra steps involved, and you can’t easily do the copy/paste thing.

Clippers/Screenshot Tools

Speaking of screenshots and the need to embed them in your notes, there are several options I would recommend depending on your choice of note taking apps and the platforms upon which you use them. Here are my top three:

  • Snap ‘n Drag Pro (Mac only). Awesome customization options, ability to edit captures (add arrows/highlight/blurs), automatically adds to clipboard.
  • Skitch – If you use Evernote, use this (unless you are on a Mac, see above)
  • Shutter – Native Linux screenshot app

For PWK, I found the Evernote and Onenote clipper browser extensions to be limiting in that they only let you clip things from your web browser, when I needed to clip terminal output most frequently.

My Recommendations

Because I am primarily a Mac user, I need good support for screenshot pasting, and I prefer hierarchical note structure for organization, I went with Onenote and Snap ‘n Drag Pro for my PWK and OSCP work. I continue to use these two tools in my personal and professional life, too.

If I were not a Mac user, I’d go with CherryTree and Skitch.

Have any opinions or additional input about all of this? Let me know in the comments.

Windows Privilege Escalation (privesc) Resources

I have obtained a standard user account on Windows. Now what?

This is a common question I see people inquire about frequently on the Discord/Slack/Mattermost servers I hang out on. This includes people working on CTF exercises (Hack the Box), OSCP/PWK studies, and just pentesting in general. The answer, of course, is that you need to enumerate the system and find a way to become Admin.

The methodology for how you actually do this depends on a lot, all depending on your specific environment and circumstances.

Windows Privilege Escalation to the Rescue

Here are some useful resources on what to do next in your given situation, after you have succesfully exploited your way onto a Windows box, but before you have the system administrator role. I collected these links, snippets, and exploits during my OSCP studies, saving them in this massive OneNote notebook. Rather than letting them sit there where no one but me can access them, I thought I’d share.

Some of these get pretty detailed, and some of them have links to yet even more resources on this topic.

Have fun…this rabbit hole runs deep!

Privesc Resources

Elevating privileges by exploiting weak folder permissions
http://www.greyhathacker.net/?p=738/

Encyclopedia of Windows Privesc (video)
https://www.youtube.com/watch?v=kMG8IsCohHA&feature=youtu.be

Windows Privesc Fundamentals
http://www.fuzzysecurity.com/tutorials/16.html

Windows Privesc Cheatsheet
https://it-ovid.blogspot.com/2012/02/windows-privilege-escalation.html

Windows Privesc Check
A script that automates the checking of common vulnerabilities that can be exploited to escalate your privileges:
http://pentestmonkey.net/tools/windows-privesc-check

Common Windows Privesc Vectors
https://www.toshellandback.com/2015/11/24/ms-priv-esc/

Windows Post-Exploitation Command List
http://www.handgrep.se/repository/cheatsheets/postexploitation/WindowsPost-Exploitation.pdf

WCE and Mimikatz in Memory over Meterpreter
https://justinelze.wordpress.com/2013/03/25/wce-and-mimikatz-in-memory-over-meterpreter/

Windows Privesc – includes tips and more resource links, on Github
https://github.com/togie6/Windows-Privesc

Do you have any Windows Privesc resources you think should go here? Comment below and I will add them.

OSCP and PWK Tips, Resources & Tools

Here are some resources and tools I found useful while taking (and passing!) the Pentesting with Kali (PWK) course in preparation for the Offensive Security Certified Professional exam. It has been about two weeks since I passed, and I am still reveling in the satisfaction that has come with it, as it was ultimately a year-long effort to prepare for and take the course in order to pass the exam.

Many people post the usual resources that you can find on various blogs related to the course (g0tmi1k, highoncoffee, pentestmonkey, etc), and those are absolutely useful, but what I have assembled here are less common, and are hopefully useful for those of you about to embark on, or already in, the OSCP journey. They were useful for me.

Enjoy!

How to Pass the OSCP

https://gist.github.com/unfo/5ddc85671dcf39f877aaf5dce105fac3

My favorite part is this, right at the beginning:

1. Recon
2. Find vuln
3. Exploit
4. Document it

However, I would add a step so that it looks more like this:

1. Recon
2. Find vulnerability
3. Exploit
4. Privilege Escalation
5. Document it

Most of the machines in the PWK labs require that additional step. You seldom run across a VM where you run an exploit and get root right away, with no intermediary privilege escalation step needed. In fact, it is an entirely unique skill that you need to develop, practice, and practice again. What’s more, you have to learn “privesc” for both Linux/Unix and Windows machines — two entirely different methodologies.

Path to OSCP

https://localhost.exposed/path-to-oscp/
An interesting ‘trials and tribulations’ story of one man’s path to accomplishing his goal: the OSCP certification. Contains both video logs and various notes and snippets that may be helpful to you.

One Two Punch

https://github.com/superkojiman/onetwopunch
I didn’t discover this script until I had already rooted about 15 of the machines in the PWK labs, but I wish I had learned of it sooner. It runs a unicornscan (UDP) to find open ports, then passes them to nmap for service detection. It also looks at all 65,535 ports, so you don’t miss anything. Set this up as one of the first things you do when you start working on a new machine (it takes a while to run), then come back to check the results after you’ve done some manual exploration.

Reconnoitre

https://github.com/codingo/Reconnoitre
“A reconnaissance tool made for the OSCP labs to automate information gathering and service enumeration whilst creating a directory structure to store results, findings and exploits used for each host, recommended commands to execute and directory structures for storing loot and flags.”

This tool ended up being a workhorse, both in the labs and in the exam. Being able to check quick nmap results while more in-depth scans were still going was invaluable for getting things rolling along.

General Tips from Techexams

http://www.techexams.net/forums/security-certifications/116262-oscp-starting-13-12-2015-a-6.html#post1028560
This post has a lot of good tips for the OSCP exam. I can’t stress enough the need to be prepared for the exam, having all the things you need at your fingertips so that you don’t have to go digging through notes of files when you are tight on time or limited on brain power because you’ve been working on this for 18 straight hours.

Test Taking Strategy
http://www.hackingtutorials.org/hacking-courses/offensive-security-certified-professional-oscp/

  • The most useful parts of that site for me were:
    Finish your lab report for 5 extra points and optionally the course exercises for an additional 5 points. You might need them to reach the 70 points.
  • You need to write a penetration test report after the exam. Make sure you know how to write it so you know what information to collect during the exam. The lab report is a great practice for this, use it to learn how to document properly.

There were so many people in the NetSec Focus OSCP Slack channel that skipped the exercises, skipped the videos, and skipped documenting the requisite 10 VMs to get the bonus points for the exam. I saw more than a few of them fail the exam as a result. I would likely have failed the exam had I not completed the exercise and 10 lab machine documentation. All I will say is this:

Do not skip the exercise or lab documentation. These are free points. The way the exam scores total up, you may well need these points to pass!

Timing of the Exam

Also from this page, I chose to follow this exact strategy for timing, and it really worked for me. The important thing to consider is being able to have two fresh starts.

“The second attempt I’ve started the exam at 3 PM and planned to work till 3 AM and then sleep till early morning. This way I had 2 ‘fresh’ starts for the exam to utilize more productive hours.”

I ended up sleeping from 2am to 5am, at which point I set an alarm and a full pot of coffee to carry me through until the exam was over. I also had the support of my amazing wife, who kept me fed and hydrated the whole time.

The Offsec PWK Kali VM

Use the provided Kali VM, do not use the latest/greatest Kali version. Offset provides you with a VM that has been customized to contain everything you need to complete the course and the exam. There is no need to update it. There is no need to run the latest version of Kali. In fact, they customize it in certain ways to make sure you don’t run into problems, so don’t try to use something different. I witnessed multiple people having problems with this in the NetSec Focus OSCP Slack channel, and I wisely used the Offset Kali VM the whole course to avoid issues.

The NetSec Focus Slack Channel

I have mentioned it a few times, but this Slack channel was invaluable during my OSCP journey.  It allowed me to ask questions, bounce ideas off others, and chat with folks who were currently in the course or had already passed it. If you are in the OSCP course and you join the group, ask a moderator to add you to that private OSCP channel once you join. Keep in mind that they do not allow spoilers, or even questions about specific lab machines.  This resource is a great asset for those taking the PWK/OSCP course, and I made some good friends from being there and suffering through it all.

Lastly, I have to say it:

Try harder!

OSCP Achieved – Offensive Security Certified Professional

For the past 10 months, I have been entrenched in studying to pass the OSCP exam — a goal that, one year ago, I thought was a distant dream.

What the heck is OSCP? This is from the OffSec description:

The Offensive Security Certified Professional (OSCP) is … the world’s first completely hands-on offensive information security certification. The OSCP challenges the students to prove they have a clear and practical understanding of the penetration testing process and life-cycle through an arduous twenty-four (24) hour certification exam.

An OSCP has demonstrated their ability to be presented with an unknown network, enumerate the targets within their scope, exploit them, and clearly document their results in a penetration test report.

In other words, it means you are pretty good at hacking into computers through various means.

Preparation

I did 6 months of “pre-studying” by reading, researching, learning, and hacking away at vulnerable Virtual Machines offered by vulnhub.com. You may have seen some of my walk-through write-ups on this blog.

Three months ago, the Pentesting With Kali Linux (PWK) course began, which is the immersive, self-guided course offered by Offensive Security in preparation for the OSCP exam. This course consumed me, as it required a lot of time and effort to complete. If you are married and have kids, I cannot stress strongly enough the need to get their buy-in before you take this endeavor. You will not be available much during this process!

Not only do you need to get through the 375 page lessons and exercise workbook, you have to do the 8 hours of training videos that go with it. On top of that, you are given access to a virtual lab filled with 50+ computers for you to practice your hacking skills on.

The lab is designed to emulate a real-world corporation, and you are playing the role of the adversary, attempting to compromise your way into each and every machine you can find. In the end, you have to provide documentation of your efforts and successes as if you were a real-world security penetration testing professional hired to find the weaknesses in the company’s network and systems.

Needless to say, all of this takes a lot of time, effort, research, and patience. The oft-repeated mantra of the OSCP course is, “TRY HARDER!”

The Exam

This past weekend, I took the exam. The exam is a grueling 48 hour test in which you are given 5 computers that you must hack into as far as you can within the first 24 hours. The second 24 hours is for writing up your reports and documenting your efforts with detailed, step-by-step instructions and screenshots on how you did what you did.

Sleep is optional. Sustenance is highly recommended.

I opted to start the exam at 3pm Friday, based on what I had read from others who have taken the test. This gave me enough time that day to gather my thoughts, my notes, and to practice buffer overflow attacks. More importantly, it gave me a chance to nap from about 2am to 5am, which proved to be a much-needed recharge for my brain.

I hacked away for a solid 21 hours with that 3 hour nap in the middle. By the end, I had rooted 3 systems, and had a low-privilege shell on a fourth. I had enumerated the fifth system pretty well, including discovery of some valuable information. Still, I wasn’t entirely sure I had achieved the requisite 70 points (out of 100) to pass the exam.

At 3pm I went back to sleep for a few hours. I woke up about 6, then got to work on the documentation, which I completed around midnight.

Documentation

All in all, my documentation consisted of:

  • All exercises from the PWK course.
  • Documentation of 10 compromised machines from the Lab. I ended up compromising a total of 25 machines, but 10 are required to be documented.
  • Documentation of the exam machines.

All of this ended up being about 230 pages long!

I submitted everything, then spent most of Sunday snoozing and worrying about whether or not I had passed. I felt like a truck had run over me, backed up over me, then ran over me again. Plus, the anticipation was terrible. Thinking that I might have to go through all of that again was not very pleasant.

I woke up this morning (Monday) to find out that they had reviewed everything, and that I had passed!

Lessons Learned

A topic of constant debate on the NetSecFocus Slack channel is whether or not people should do the Exercise and Lab documentation, which earns you 5 points on the Exam, or if they should just skip it and go right into the Labs, do the exam, and hope to get more than 70 points.

I am a shining example of why you should submit that documentation. You might need those 5 points to pass the exam, and you are doing yourself a disservice if you skip all that valuable materials in the course anyway. It really teaches you a lot even though it can get rather dry at times.

Resources

At some point soon, I will update this blog post with resources and tips for those of you thinking about doing this certification course. It was one of the hardest things I have ever done, but also one of the most rewarding.

Update: Check out this post for resources and tips!