7 Things you didn't know about passing the OSCP!

Every time I teach a class, there is always a lot of talk about the Offensive Security Certified Professional (OSCP) test and the Pentesting with Kali (PWK) class. I passed my OSCP a couple of years ago and still think it's a pretty good cert. I asked a bunch of other OSCP certified folks for tips and tricks on passing the test (not on doing well in the labs or doing the classwork!). There are lots of details about the test out there: how many systems there are, points, etc. I'm not going to talk about all that. I just want to talk about how to maximize your chances of passing the exam the first time out, getting your money's worth, and being an efficient pentester. Also, this is just to the best of my knowledge. No guarantees!

7 tricks to passing the OSCP!

1. Get root/admin on every box in the lab. Don't do the classwork.

This is probably a pretty big shock, I know. And maybe it's too black and white. If you are a complete newbie, the videos and PDF are helpful. If you know what Metasploit is, basic nmap, and what Exploit-DB is, you should be fine without them. Know that you will have to exploit systems without Metasploit in the test, so don't get used to it in the labs!

Why ignore the class/PDF? First, the classwork is not going to be on the test. Second, you will learn far more by going through all the systems in the labs and making good notes on how you hacked each box and how you figured it out. Third, I know you can get extra points for doing the classwork, but it is barely relevant because it's only a tie breaker if you are close. If you do the math, it almost never makes a difference. Finally, it takes a huge amount of time to do the things in the class vs. hacking stuff in the lab. Since this is a practical test where you hack stuff, I say practice hacking!

Bottom line: hack stuff in the lab, and go flip through the PDF and watch the videos when you get stuck.

2. K.I.S.S (Keep It Simple Stupid), a.k.a. it's probably more straightforward than you think

I see folks overcomplicating basic exploitation a lot, and overcomplicating privilege escalation like crazy. Most of the time, the answer is pretty vanilla. The exception is some sneaky stuff they pull in the lab that isn't on the test, as far as I know.

3. Post-exploitation is a waste of time

While post-exploitation is a critical skill in real-world penetration testing, the lab systems aren't interconnected and neither are the test systems. So data mining, recovering hashes, passwords, etc. don't help much unless you are working on privilege escalation, in which case they may be handy!

4. Get good at privilege escalation

You will do it on the test, and this is where I see folks get stuck really often. Know how to use the command line on the target. It's a critical skill for finding the information you need to escalate privileges. This is about more than patch-based vulnerabilities! You need to know how to identify system misconfigurations and use them to gain additional access.
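One concrete flavour of "system misconfiguration" is a world-writable directory sitting in a search path that a privileged user or cron job walks when it runs a command. The checker below is an added example written for this post, not part of the course or anything OffSec ships: it uses stat() to flag world-writable directories in a colon-separated PATH-style string so you can audit root's PATH (or a cron PATH) and fix what it finds with chmod o-w. The path string it audits in main() is simply whatever PATH is set to; the function names are my own.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup, strtok_r, mkdtemp */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 if path is a directory that any user can write to
 * (S_IWOTH set), 0 if it is not, -1 if it cannot be stat'ed.
 * The sticky bit (/tmp style) is ignored on purpose: a stranger can
 * still create a brand-new file there, which is what matters for a
 * directory that gets searched for executables. */
int is_world_writable_dir(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    if (!S_ISDIR(st.st_mode))
        return 0;
    return (st.st_mode & S_IWOTH) ? 1 : 0;
}

/* Walks a colon-separated PATH-style string, prints every entry that is
 * a world-writable directory, and returns how many it found. A non-zero
 * result for root's PATH, or for the PATH a cron job runs with, is a
 * misconfiguration worth fixing. Returns -1 on allocation failure. */
int audit_search_path(const char *pathenv)
{
    char *copy = strdup(pathenv);     /* strtok_r modifies its input */
    if (!copy)
        return -1;
    int hits = 0;
    char *save = NULL;
    for (char *dir = strtok_r(copy, ":", &save); dir != NULL;
         dir = strtok_r(NULL, ":", &save)) {
        int rc = is_world_writable_dir(dir);
        if (rc == 1) {
            printf("WORLD-WRITABLE search dir: %s\n", dir);
            hits++;
        } else if (rc == -1) {
            printf("missing/unreadable: %s\n", dir);
        }
    }
    free(copy);
    return hits;
}

int main(void)
{
    const char *p = getenv("PATH");
    int hits = audit_search_path(p ? p : "/usr/bin:/bin");
    printf("%d world-writable director%s in PATH\n",
           hits, hits == 1 ? "y" : "ies");
    return hits > 0 ? 1 : 0;   /* non-zero exit so a cron audit can alert on it */
}
```

Run it as the user whose PATH you care about (for root, `sudo env PATH="$PATH" ./audit` keeps root's own PATH from being replaced by sudo's secure_path); the same is_world_writable_dir() check applies to any directory whose contents get executed or sourced by a privileged process, such as cron script directories.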

5. Automated tools won't get you there

This is the other thing I see all the time. People run exploit-suggester, privilege-escalation-suggester, etc. and expect that this will get them root/admin. I'm sure that OffSec is aware of these tools and makes sure they don't work very well. This is no surprise, because they want to see that you understand the problem rather than just running someone else's tools. There are no shortcuts here.

6. Do ALL of the exploit development stuff in the course

I know I said don't do the classwork, but this is the exception. You will have to do exploit development to pass the test. The good news is there is likely nothing exotic about it, and it is pretty likely to be a Windows-based system. I would recommend that you also do the Windows-based exploit development tutorials that Corelan has. If you can do the basic ones on your own, you should be OK on the test.
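The bug class behind the basic tutorials is the unchecked copy into a fixed-size stack buffer. The snippet below is an added example for this post (not course material and not Corelan's code): it shows that pattern next to the bounded version you should be able to recognise and write, so you know exactly what a "vanilla" exploit-dev target looks like and what the fix is. Function names and the 64-byte buffer size are my own choices.

```c
#include <stdio.h>
#include <string.h>
#include <errno.h>

/* Vulnerable pattern: fixed-size stack buffer, no length check.
 * If strlen(input) >= sizeof buf the copy writes past the end of buf.
 * That is undefined behaviour, and on a typical stack layout it
 * overwrites whatever sits above the buffer (saved frame pointer and
 * return address). This is the textbook stack overflow. */
void greet_unchecked(const char *input)
{
    char buf[64];
    strcpy(buf, input);          /* BUG: input length never checked */
    printf("hello, %s\n", buf);
}

/* Hardened form: copy only if it fits, fail loudly otherwise.
 * Returns 0 on success, -1 (errno = ENAMETOOLONG) if src plus its NUL
 * terminator would not fit in dst. dst is left NUL-terminated either way. */
int copy_bounded(char *dst, size_t dstsize, const char *src)
{
    size_t n = strlen(src);
    if (dstsize == 0 || n >= dstsize) {
        errno = ENAMETOOLONG;
        if (dstsize > 0)
            dst[0] = '\0';       /* leave dst in a defined state */
        return -1;
    }
    memcpy(dst, src, n + 1);     /* n + 1 copies the terminator too */
    return 0;
}

/* Same behaviour as greet_unchecked for inputs that fit, but oversized
 * input is rejected (return -1) instead of smashing the stack. */
int greet_checked(const char *input)
{
    char buf[64];
    if (copy_bounded(buf, sizeof buf, input) != 0) {
        fprintf(stderr, "input rejected: %zu bytes, limit is %zu\n",
                strlen(input), sizeof buf - 1);
        return -1;
    }
    printf("hello, %s\n", buf);
    return 0;
}

int main(void)
{
    /* Constructed oversized input: 199 'A's, the classic overflow probe. */
    char long_input[200];
    memset(long_input, 'A', sizeof long_input - 1);
    long_input[sizeof long_input - 1] = '\0';

    greet_checked("oscp");        /* fits: greeting is printed */
    greet_checked(long_input);    /* rejected with an error, stack intact */
    /* greet_unchecked(long_input) would corrupt the stack; left uncalled. */
    return 0;
}
```

The thing to internalise is the pair of conditions in copy_bounded(): the check is against the destination's size, not the source's, and it reserves one byte for the terminator. Almost every basic tutorial target is a program that got one of those two details wrong.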

7. They won't test you on something they didn't teach

This is pretty basic, but if they didn't teach it, talk about it, or make you do it in the lab, you probably don't have to know it. This is stuff like ROP, ASLR bypass, and other things like antivirus bypasses. See #2 :)

- Exumbra