OSCP Preparation 2021 — Learning Path

Lyubomir Tsirkov
5 min readFeb 12, 2021

--

Like a lot of the people who passed the exam, I am also going to share some thoughts about it … I will be brief.

I am happy that I passed the Offensive Security Certified Professional (OSCP) exam on my first attempt. It took me a few months of preparation, cost many sleepless nights and exhausted my brain repeatedly.

Before enrolling in the OSCP, I was focused only on web exploitation. Therefore, one of the biggest challenges for me was to get familiar with Windows/Linux privilege escalation. On the other hand, I had never exploited a buffer overflow vulnerability, but it turned out to be much easier than I thought (At least the BoF covered in the course).

The OSCP exam is proctored, so the anxiousness that I experienced during the first 24 hours was significant … I got stuck once and got panicked as well. It cost me a few hours digging in rabbit holes …

Learning Path

Before undertaking the OSCP journey, I had heard a few times about HackTheBox. As a result, I decided to buy a subscription for it and start to “hack”. During this time I didn’t follow any specific path and I didn’t know what I was doing … So I decided to look for OSCP-like machines and I found the TJNull list.

TJnull list.

You will notice that there is a video write-up created by “ippsec” for almost any machine in the list. I highly recommend watching as many write-ups as you can but strive to open it only if you get stuck with a machine. You have to struggle if you want to learn better.

Even if you are able to root the machines in the list without the write-ups I still recommend watching the ippsec videos.

Terminal: I recommend watching the following video about getting comfortable with Tmux: https://www.youtube.com/watch?v=Lqehvpe_djs

After the HackTheBox, I came across Virtual Hacking LabsVHL.

I would say that VHL is more like “Proving Grounds”, so I liked it a lot. The machines are not CTF oriented, so I recommend doing all of them.

“We are an e-learning company for penetration testers and ethical hackers offering access to over 40 training labs and a full Penetration Testing Course for less than $100,- a month”

Udemy

The following courses will cover most of the materials you need about privilege escalation in OSCP. I would say that it’s more than enough at least for the exam.

Health Adams
https://www.udemy.com/course/linux-privilege-escalation-for-beginners/
https://www.udemy.com/course/windows-privilege-escalation-for-beginners

Tib3rius
https://www.udemy.com/course/windows-privilege-escalation
https://www.udemy.com/course/linux-privilege-escalation/

TryHackMe

TryHackMe helped me a lot to understand Buffer Overflow. The whole process is very well explained and I strongly recommend doing all of the exercises in that room:

Link: https://tryhackme.com/room/bufferoverflowprep

OSPG — Offensive Security Proving Grounds — Practice

https://www.offensive-security.com/labs/individual/

Certainly, OSPG is my favourite lab environment. I learned a lot throughout my time in the lab.

I successfully rooted 72 machines for less than a month.

My focus was primarily on machines that were stated as “OFFSEC” machines.

If you have experience with HackTheBox, you will notice the difference with OSPG. The OSPG machines are not too CTF oriented neither VHL are.

It was my preference to spend more time on OSPG instead of HTB.

PWK

Finally, I started the PWK course. I received an email containing my VPN package and I started exploring the lab almost immediately.

I rooted 33 machines in the public network for a few days. It was easy for me because I already spent a lot of time in HTB, VHL & OSPG before PWK Lab so I was well-prepared.

Exercises — 5 points

If you decide to do the exercises you will learn a lot, but for me, it was waste of time because I had heard it’s very time-consuming. And actually, I don’t think it worth it.

Exam Strategy

I watched a lot of videos on youtube about OSCP Exam strategies, so I noticed that people usually start with the BoF machine. Therefore, I decided to use the same path.

  1. BoF — 25pts
  2. 10 pts
  3. 20 pts
  4. 20 pts
  5. 25 pts

First 24 hours

My exam started at 8 AM and I rooted all the machines for ~12 hours. I got stuck once because I was overthinking the machine. So my advice is to not overthink the machines, the exam is 24 hours long, so you are not going to be presented with any “Insane” machine. Enumeration is the key.

Btw, don’t underestimate the 10pts machine. Be careful.

Later I took some sleep ~5 hours because I started to make a lot of mistakes. After having some sleep, I checked if I got correctly all the screenshots, flags etc …

Note: Taking a screenshot of every command was very time-consuming for me … So keep that in mind.

I used OneNote to keep notes during the exam and ShareX for taking screenshots.

Next 24 hours — Reporting

In six hours I was able to finish the report in total ~70 pages. I used the standard OSCP template with little modifications such as creating “Initial Access” and “Privilege Escalation” sections.

Again, keep in mind that the exam is 24 hours long and you are not going to be presented with any “Insane” machines.

Enumeration is the key and do not overthink the machines.

Result
I received my exam results in 2 days.

Conclusion

Throughout my journey, I successfully got root/administrator/system on 168 machines in total. It’s my opinion that you have to spend time rooting machines in HTB, VHL, OSPG and finally in PWK lab. In this way, you will be prepared enough for PWK.

HackTheBox: 30
VHL: 33
OSPG: 72
PWK: 33

Total: 168

Exam: 5/5

One more thing — Get yourself familiar with SSH tunnels.

Thanks to everyone who contributed to my success in any way.

You can verify my achievement here:

--

--

No responses yet