Considered a “must have” certification for those who want to become penetration testers, the OSCP (Offensive Security Certified Professional) is one of my main goals for 2021.
This is all the more true since the 2020 update of PWK (Penetration Testing with Kali Linux: the preparation course).
1. Lab preparation: Vulnerable machines To-Do List
hackthebox.eu (NetSecFocus Trophy Room)
The following list of VMs is inspired by TJ_Null’s list of OSCP-like VMs.
Linux
Machine | Difficulty | Status | WU |
---|---|---|---|
Lame | Easy | ✅ | link |
Beep | Easy | ✅ | |
Blocky | Easy | ✅ | link |
Mirai | Easy | ✅ | link |
Shocker | Easy | ✅ | link |
Nibbles | Easy | ✅ | link |
Valentine | Easy | ✅ | link |
SwagShop | Easy | ✅ | link |
Networked | Easy | ✅ | link |
Bashed | Easy | ✅ | link |
Irked | Easy | ✅ | link |
FriendZone | Easy | ✅ | link |
Frolic | Easy | ✅ | link |
Postman | Easy | ✅ | link |
Sense | Easy | ✅ | link |
Sunday | Easy | ✅ | link |
OpenAdmin | Easy | ✅ | link |
Traverxec | Easy | ✅ | link |
Admirer | Easy | ✅ | link |
Blunder | Easy | ✅ | link |
Doctor | Easy | ✅ | link |
Tabby | Easy | ✅ | link |
Popcorn | Medium | ❌ | |
Cronos | Medium | ❌ | |
Jarvis | Medium | ❌ | |
Node | Medium | ❌ | |
Solidstate | Medium | ❌ | |
Tartarsauce | Medium | ❌ | |
October | Medium | ❌ | |
Mango | Medium | ❌ | |
Haircut | Medium | ❌ | |
Nineveh | Medium | ❌ | |
Poison | Medium | ❌ | |
Magic | Medium | ❌ | |
Windows
Machine | Difficulty | Status | WU |
---|---|---|---|
Legacy | Easy | ✅ | link |
Blue | Easy | ✅ | |
Devel | Easy | ✅ | link |
Optimum | Easy | ✅ | link |
Granny | Easy | ✅ | link |
Arctic | Easy | ✅ | link |
Grandpa | Easy | ✅ | link |
Bounty | Easy | ✅ | link |
Jerry | Easy | ✅ | link |
Forest | Easy | ✅ | link |
Bastion | Easy | ✅ | link |
Active | Easy | ✅ | link |
Buff | Easy | ✅ | link |
Servmon | Easy | ✅ | link |
Remote | Easy | ✅ | link |
Bastard | Medium | ✅ | |
Silo | Medium | ✅ | TODO |
Chatterbox | Medium | ❌ | |
SecNotes | Medium | ❌ | |
Fuse | Medium | ❌ | |
Conceal | Hard | ❌ | |
Bankrobber | Insane | ❌ | |
tryhackme.com
The exam is certain to include a buffer overflow machine, so I plan to do the two buffer overflow rooms below, along with the rest of these THM rooms:
- Windows Buffer Overflow Prep (My WU)
- Intro PoC Scripting
- Attacking Kerberos (My WU)
- Windows Post-Exploitation Basics (My WU)
- Attacktive Directory (My WU)
- Windows PrivEsc Arena
- Windows PrivEsc (Windows Privesc notes)
- Common Linux Privesc
- Linux PrivEsc (Linux Privesc notes and My WU)
- Linux PrivEsc Arena (My WU)
- OWASP Top 10 (My WU)
vulnhub.com
List inspired by abatchy’s blog: OSCP-like Vulnhub VMs
Machine | Difficulty | Status | WU |
---|---|---|---|
FristiLeaks | Beginner | ✅ | link |
Stapler | Beginner | ✅ | link |
PwnLab | Beginner | ✅ | link |
Brainpan | Intermediate | ✅ | link |
Mr-Robot | Intermediate | ✅ | link |
Vulnix | Intermediate | ❌ | |
2. Exam preparation
Rules reminder
Rules reminder: https://help.offensive-security.com/hc/en-us/articles/360040165632
The exam is proctored to prevent cheating.
- First part of the exam: 23 hours and 45 minutes to compromise multiple machines.
- Buffer overflow machine: 25 points
- Another machine worth 25 points
- 1 machine worth 10 points
- 2 machines worth 20 points each
- Lab report: 5 bonus points
- Requires documenting no less than ten (10) lab machines and the course exercises (Source)
70 points (out of a total of 100) are required to pass the exam.
- Second part of the exam: 24 hours to write a report describing the exploitation process for each target.
- If an exploit was used without any source code modifications, only its URL needs to be provided.
- If an exploit was modified, the following must be provided:
- the original exploit URL
- the modified exploit code
- the highlighted changes plus the reasons for those changes
- the command used to generate any shellcode (if applicable)
- Each proof file (local.txt and proof.txt) must be shown in a screenshot:
- within an interactive shell session on the target machine, using the `type` or `cat` command on the file in its original location
- including the IP address of the target, obtained with the `ipconfig`, `ifconfig` or `ip addr` command
The report must be precise enough that a competent reader can replicate the attacks step by step.
- Restrictions:
- Using Metasploit Auxiliary, Exploit, or Post modules on multiple machines (as well as the Meterpreter payload)
- Spoofing (IP, ARP, DNS, NBNS, etc.)
- Commercial tools or services (Metasploit Pro, Burp Pro, etc.)
- Automatic exploitation tools (e.g. db_autopwn, browser_autopwn, SQLmap, SQLninja, etc.)
- Mass vulnerability scanners (e.g. Nessus, NeXpose, OpenVAS, Canvas, Core Impact, SAINT, etc.)
- Features in other tools that utilize either forbidden or restricted exam limitations
“The primary objective of the OSCP exam is to evaluate your skills in identifying and exploiting vulnerabilities, not in automating the process.”
We can use the following against all of the target machines: exploit/multi/handler, msfvenom, pattern_create.rb and pattern_offset.rb, as well as nmap (and its scripting engine), nikto, Burp Free, DirBuster, etc.
Dry run
Regarding the exam, a 24-hour dry run (without reading the writeups) will let me get into condition:
- A Pre-Exam for Future OSCP Students
- Vulnhub machines:
- DC 6
- Pinky's Palace
- Symfonos 1
- Troll 1
3. Useful OSCP reviews/resources
- John Hammond: ALL NEW OSCP - REVAMPED 2020
- HTB OSCP Preparation
- A fairly detailed OSCP experience (Une expérience OSCP plutôt détaillée)
- A Script Kiddie’s guide to Passing OSCP on your first attempt.
- A Pre-Exam for Future OSCP Students
- abatchy: OSCP Prep
- Recommendations of OSCP
- The OSCP Adventure: Exam (L’Aventure OSCP : Examen)
- Cyber Mentor: Networking for Ethical Hackers
- Cyber Mentor: Buffer overflows made easy