Notes

Resources

Exam Preparation

Materials

  • OSCP Official PDF / OffSec Training Library
  • OSCP Training Labs with lab report (90 days)
  • OSCP Training Exercises (50-80 hours or more, must do within 90-day time window)
    • The exercises help me grasp the material and pass the exam with greater ease (10 bonus points if done with lab report)
    • Although people say that they take a lot of time and should really be done last if time permits, I should still check them out first since I’m still pretty much a novice in Windows.
    • Note that the bonus points will only be granted if the lab report is turned in as well.
  • TCM Security - Hacker Bundle (3 courses)
    • Practical Ethical Hacking
    • Windows Privilege Escalation
  • NetSecFocus boxes
    • OS Proving Grounds Play (free)
    • OS Proving Grounds Practice ($20/mo)
    • HackTheBox boxes (VIP $20/mo)
    • VulnHub VMs (free)
  • VirtualHackingLabs (maybe)
  • Throwback Network Labs - TryHackMe for Windows & AD hand-held practice approach

Timeline

  • OffSec online training modules + traditional exercises + lab report
  • TryHackMe Offensive Security path machines (for some hand-holding)
  • OffSec Proving Ground Play & Practice machines
  • HackTheBox machines (if time permits)
  • Exam
    • Before the exam
      • Gather all cheatsheet, tools, materials in VM
      • Prepare note-taking template
    • Prepare exam report

Labs

General Info

Each machine contains a proof.txt as a proof of exploitation. The goal is to obtain the highest privilege shell on each machine and obtain proof.txt (and sometimes network-secret.txt). Each txt file contains a flag that can be submitted. Flags in network-secret.txt can be used to unlock the ability to revert machines in the IT Department and Administrative Department.

Lab IPs are in the range of 10.11.1.0/24.

Revert each machine before and after working on it to ensure that you and other users start on a clean slate.

Topic Exercise VMs

Use the following alias to access Topic Exercise VMs to prevent corrupting the known_hosts file:

alias sush='ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" '
sush [email protected] -p 2222

Exam Structure

Outdated

OSCP exam content has been updated since I took the exam. Please refer to the official website for the up-to-date exam structure.

Technical Portion

Points       Description
40 points    Active Directory set (1 DC, 2 clients)
60 points    3 independent machines
  • 70 points are needed to pass the exam.
  • 23 hours and 45 minutes for the technical portion.
  • Buffer overflow may or may not be a low-priv attack vector.
  • Each machine is worth 20 points: local.txt (low-priv) and proof.txt (priv-esc) grant 10 points each.
  • Note: If no bonus points are granted, the AD set is required to pass the exam.

Possible Passing Scenarios

From OSCP FAQ:

  • 40 pt AD + 3 local.txt flags
  • 40 pt AD + 2 local.txt flags + 1 proof.txt flag
  • 40 pt AD + 2 local.txt flags + bonus points
  • 40 pt AD + 1 proof.txt + 1 local.txt + bonus points
  • 3 fully completed non-AD machines + bonus points

Exam Report

  • The student is given 24 hours after the penetration test to complete the test report.
  • The exam report must include full steps of enumeration and exploitation (enough to reproduce the attack)
  • Capture each proof.txt with a screenshot of the cat or type output in an elevated shell (root, SYSTEM, Administrator, or likewise), together with proof of the IP address in the output of ifconfig, ip addr or likewise (also check whether whoami output is required). You need to be in a certain directory when printing the file, likely Desktop, but check the exam guide to be sure.

Bonus Points

  • An extra 10 points will be added to the final score if the student completes both the lab report and all exercises (unless the exercise indicates otherwise).

Lab Report

Lab reports do not need to be overly long. For the PEN-200 lab machines, we only expect our students to show us the exploitation steps. Enumeration steps and any detailed command outputs are not necessary. — OSCP Exam FAQ

  • The lab report should include 10 machines, with at least one full set of AD machines.
  • Every proof.txt in the AD set will count as one machine.
  • Each machine must be exploited using a unique attack vector. In other words, no two machines may share the same exploitation in the lab report.

Exercises

Lab exercises may just contain a screenshot to demonstrate how the exercise was completed. — OSCP Exam FAQ

Exam Strategy

  • Do lab report & exercises to get 10 bonus points (which I ended up not doing)
  • Do an nmap full scan on all machines (all ports, unless it times out).
  • Finish AD set first
  • Note-taking
  • Try to get one proof.txt and two local.txt (one fully compromised and one partial independent machine)

Timeline

  • Be present 15 minutes prior to exam start time
    • Identity verification (scan your ID beforehand in case webcam does not focus properly; happened to me)
    • Other pre-exam tasks
    • Acquire VPN pack
  • Exam: technical portion (23 hours 45 minutes)
  • Post-Exam: reporting portion (24 hours)