Outdated
OSCP exam content has been updated since I took the exam. Please refer to the official website for up-to-date exam information.
Notes
- OSINT
- enumeration
- vulnerability scanning
- web application attacks
- stack buffer overflow
- client-side attacks
- upgrading non-interactive shells
- file upload and file download
- antivirus evasion
- host privilege escalation
- common password attacks
- pivoting
- Active Directory
- Metasploit
- PowerShell Empire
Resources
- Exam Requirements
- OSCP guides
- Machine lists
- PEN-200 Labs Learning Path - Offensive Security
- NetSecFocus Trophy Room List
- TryHackMe AD rooms (not necessary but a good refresher)
- Tools
- Checklists
- Red Teaming Experiments (Comprehensive cheatsheets and extensive tutorials)
- kashz-jewels - OSCP notes
- Pentesting Active Directory - XMind
- 740i/pentest-notes
- sushant747 - Total OSCP Guide
- HackTricks
Exam Preparation
Materials
- OSCP Official PDF / OffSec Training Library
- OSCP Training Labs with lab report (90 days)
- OSCP Training Exercises (50-80 hours or more, must do within 90-day time window)
- The exercises help me grasp the material and pass the exam with greater ease (10 bonus points if done with lab report)
- Although people say that they take a lot of time and should really be done last if time permits, I should still check them out first since I’m still pretty much a novice in Windows.
- Note that the bonus points will only be granted if the lab report is turned in as well.
- TCM Security - Hacker Bundle (3 courses)
- Practical Ethical Hacking
- Windows Privilege Escalation
- NetSecFocus boxes
- OS Proving Grounds Play (free)
- OS Proving Grounds Practice ($20/mo)
- HackTheBox boxes (VIP $20/mo)
- VulnHub VMs (free)
- VirtualHackingLabs (maybe)
- Throwback Network Labs - TryHackMe for Windows & AD hand-held practice approach
Timeline
- OffSec online training modules + traditional exercises + lab report
- TryHackMe Offensive Security path machines (for some hand-holding)
- OffSec Proving Ground Play & Practice machines
- HackTheBox machines (if time permits)
- Exam
- Before the exam
- Gather all cheatsheet, tools, materials in VM
- Prepare note-taking template
- Prepare exam report
Labs
General Info
Each machine contains a proof.txt file as proof of exploitation. The goal is to obtain the highest-privilege shell on each machine and obtain proof.txt (and sometimes network-secret.txt). Each txt file contains a flag that can be submitted. Flags in network-secret.txt can be used to unlock the ability to revert machines in the IT Department and Administrative Department.
Lab IPs are in the range of 10.11.1.0/24.
Revert each machine before and after working on it to ensure that you and other users start on a clean slate.
Topic Exercise VMs
Use the following alias to access Topic Exercise VMs to prevent corrupting the known-hosts file:
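The alias itself did not survive on this page. As an added example (my own, not the alias from the original notes), the shell functions below solve the same problem without turning off host-key checking: lab host keys live in a separate file, and after a revert only the stale entry for that IP is dropped. The names `labssh`, `lab_forget`, `lab_known_count` and the path `~/.ssh/known_hosts_pen200` are this example's own choices.

```shell
# Added example (not the alias from the original notes): keep lab host keys in a
# separate file so a reverted Topic Exercise VM (same IP, fresh host key) never
# pollutes ~/.ssh/known_hosts, and host-key checking stays switched on.
# Function names and the file path are this example's own choices, not OffSec's.
LAB_KNOWN_HOSTS="${LAB_KNOWN_HOSTS:-$HOME/.ssh/known_hosts_pen200}"

# labssh [ssh args...]: ssh into a lab VM, trusting only the lab-scoped file.
labssh() {
    ssh -o UserKnownHostsFile="$LAB_KNOWN_HOSTS" -o StrictHostKeyChecking=ask "$@"
}

# _lab_filter HOST MODE FILE: print the lines of FILE whose host list contains
# HOST (MODE=match) or everything else (MODE=keep). Understands plain names,
# "[host]:port" entries, comma-separated aliases and @cert-authority/@revoked
# markers; hashed (|1|...) lines never match and are therefore always kept.
_lab_filter() {
    awk -v h="$1" -v mode="$2" '
        NF == 0 || $1 ~ /^#/ { if (mode == "keep") print; next }
        {
            idx = ($1 ~ /^@/) ? 2 : 1          # skip a leading marker field
            n = split($idx, names, ",")
            hit = 0
            for (i = 1; i <= n; i++) {
                name = names[i]
                sub(/^\[/, "", name)            # [host]:port -> host
                sub(/]:[0-9]+$/, "", name)
                if (name == h) hit = 1
            }
            if ((mode == "match") == hit) print
        }' "$3"
}

# lab_forget HOST [FILE]: after a revert, drop every entry for HOST so the new
# key is recorded on the next connection instead of raising the mismatch error.
lab_forget() {
    file=${2:-$LAB_KNOWN_HOSTS}
    [ -f "$file" ] || return 0
    tmp=$(mktemp) || return 1
    _lab_filter "$1" keep "$file" > "$tmp" && mv "$tmp" "$file"
}

# lab_known_count HOST [FILE]: how many entries FILE still holds for HOST.
lab_known_count() {
    file=${2:-$LAB_KNOWN_HOSTS}
    [ -f "$file" ] || { echo 0; return 0; }
    _lab_filter "$1" match "$file" | wc -l | tr -d ' '
}
```

Source the file from your shell rc, then `lab_forget 10.11.1.5` right after reverting that VM and `labssh user@10.11.1.5` as usual; the main known_hosts file is never touched.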
Exam Structure
Technical Portion
| Points | Description |
|---|---|
| 40 points | Active Directory set (1 DC, 2 clients) |
| 60 points | 3 independent machines |
- 70 points are needed to pass the exam.
- 23 hours and 45 minutes for the technical portion.
- Buffer overflow may or may not be a low-priv attack vector.
- Each independent machine is worth 20 points: local.txt (low-priv) and proof.txt (priv-esc) grant 10 points each.
- Note: If no bonus points are granted, the AD set is required to pass the exam.
Possible Passing Scenarios
From OSCP FAQ:
- 40 pt AD + 3 local.txt flags
- 40 pt AD + 2 local.txt flags + 1 proof.txt flag
- 40 pt AD + 2 local.txt flags + bonus points
- 40 pt AD + 1 proof.txt + 1 local.txt + bonus points
- 3 fully completed non-AD machines + bonus points
Exam Report
- The student is given 24 hours after the penetration test to complete the test report.
- The exam report must include full steps of enumeration and exploitation (enough to reproduce the attack)
- Capture each proof.txt (you need to be in a certain directory when printing, likely Desktop, but check the exam guide to be sure) with a screenshot of the cat or type output in an elevated shell (root, SYSTEM, Administrator, or likewise), along with proof of the IP address in the output of ifconfig, ip addr or likewise (also check whether you need whoami output).
Bonus Points
- An extra 10 points will be added to the final score if the student completes both the lab report and all exercises (unless the exercise indicates otherwise).
Lab Report
Lab reports do not need to be overly long. For the PEN-200 lab machines, we only expect our students to show us the exploitation steps. Enumeration steps and any detailed command outputs are not necessary. — OSCP Exam FAQ
- The lab report should include 10 machines, with at least one full set of AD machines.
- Every proof.txt in the AD set will count as one machine.
- Each machine must be exploited using a unique attack vector. In other words, no two machines may share the same exploitation in the lab report.
Exercises
Lab exercises may just contain a screenshot to demonstrate how the exercise was completed. — OSCP Exam FAQ
Exam Strategy
- Do lab report & exercises to get 10 bonus points (which I ended up not doing)
- Do a full nmap scan on all machines (all ports, unless it times out).
- Finish AD set first
- Note-taking
- Document & screenshot everything in Obsidian
- Use obsidian-git to sync repository to GitHub (private repository)
- Periodically save all scrollback buffer outputs using tmux
- Try to get one proof.txt and two local.txt (one fully compromised and one partial independent machine)
Timeline
- Be present 15 minutes prior to exam start time
- Identity verification (scan your ID beforehand in case webcam does not focus properly; happened to me)
- Other pre-exam tasks
- Acquire VPN pack
- Exam: technical portion (23 hours 45 minutes)
- Post-Exam: reporting portion (24 hours)