OSCP Prep: Learning from Writeups and Proving Grounds Practice

If you are planning to take the OSCP, here are some tips on what to do before purchasing the course. After lots of practice you will see a pattern in how you approach a box.

4/1/2024, 5 min read


The Offensive Security Certified Professional Certification: What You Need to Know

The Offensive Security PEN-200: Penetration Testing with Kali Linux, better known as the OSCP (Offensive Security Certified Professional) certification, has many reviews out on the web that talk about what path you should take. I have read through a majority of other people’s reviews, some on Medium, Reddit and also Discord, so I will try to summarize those reviews and how I came up with my own path.

Understanding the OSCP Certification

The OSCP is the most highly respected cyber security certification in terms of penetration testing and ethical hacking. A lot of ethical hackers out there will tell you that it is the gold standard of cyber security certifications or a ‘must have cert’, as once an individual obtains this cert it is assumed that they know how and what to do when given a task to conduct a professional penetration test. Unlike many other certifications that rely solely on multiple-choice exams, the OSCP certification requires you to successfully complete a 24-hour hands-on exam. This exam tests your ability to identify vulnerabilities, exploit them, and document your findings. It is a rigorous and intense exam that truly evaluates your practical skills. This is the reason why a majority of compliance frameworks and regulators put this certification down as a major requirement for those conducting a penetration test.

After the PNPT

With the PNPT exam done and dusted in February 2024, it was obvious that the next transition would be the OSCP.

I was not planning to take the OSCP as I looked at it as a very intimidating certification. Just looking at the mentality needed, which Offensive Security heavily markets as the ‘Try Harder’ mentality, was enough. In addition, the price of the course and certification were reasons not to take it. However, this all changed after passing my PNPT exam; in my previous blog I mentioned that being open to challenges is a key characteristic of an ethical hacker. Therefore, once I got through the PNPT, I was hungry for another challenge to look forward to, and the OSCP was the obvious choice in terms of reputation, and the new exam format included Active Directory.

Research

Pursuing the OSCP certification can be a challenging journey, and it is essential to do some research and read reviews from other people who have taken it. I found a lot of good and bad reviews, as they started to compare it with other certifications such as the PNPT by TCM Security and the new CPTS (Certified Penetration Testing Specialist) by Hack The Box. These mixed reviews are a good indication of how popular this certification is. If you read through most of them, there are a lot of similarities in what they point out; I will go through them below:

1. The Price - It’s expensive. Yes, the obvious one is that this is not a cheap course or exam. The PEN-200 course is offered in three different bundle sets, where the cheapest is USD$1649 for 3-month access to the course and labs with 1 exam attempt.

2. Practice - Before investing in the course, a lot of the reviews recommend practicing on other platforms such as Hack The Box, TryHackMe, Proving Grounds and VulnHub labs, all of which are mentioned as good starting points and warm-ups for a similar exam experience. TJ Null’s list gets mentioned plenty here, and indeed it provides a good baseline of what you can expect from the certification. Another list that deserves a mention is Fabian’s; he provides a very good list of resources on how to tackle the exam while also showing which Proving Grounds labs and Hack The Box machines to try out.

3. Fundamentals - Previous pentesting certification experience and professional experience are definitely a must-have before you start investing in the OSCP, as a solid background will provide you with a good base.

Practice, Practice, Practice

Success in the OSCP exam requires hands-on experience and practical skills. It is crucial to dedicate a significant amount of time to practice and hone your penetration testing abilities. The more you practice, the more comfortable and confident you will become in identifying vulnerabilities and exploiting them.

I am not a technical person and I only have a decent amount of pentesting experience from platforms like TryHackMe and TCM Security’s PNPT exam. Besides the PNPT, I also have two junior penetration tester certifications. Based on my situation I went for practicing on Offensive Security’s Proving Grounds labs first, by going through TJ Null’s list. I did not subscribe to Hack The Box or VulnHub labs.

The Proving Grounds labs on TJ Null’s list provide a nice mixture of easy to hard boxes on both Linux and Windows. The majority of these boxes teach you where the vulnerability is and how to exploit it to get the initial foothold. Once a foothold is gained, usually by getting a reverse shell, the next challenge is privilege escalation. These boxes have 2 flags or text files, 1 for getting the foothold and the other for privilege escalation. There are about 3 Active Directory labs too, and they were a lot of fun. After lots of practice you will see a pattern in how you approach a box: enumeration generally starts with the most common ports while avoiding rabbit holes, then finding the exploit, using it to gain a foothold and then finding ways to escalate privileges.

It took me about 1 month to complete roughly 98% of the PG boxes on TJ Null’s list, whereas I am just getting started with Fabian’s list. I managed to complete fewer than ten boxes on my own, while for the others I had to look at walkthroughs whenever I was stuck.

I truly learned a lot from these walkthroughs, where I experienced a lot of ‘aha moments’ (oh, I did not know that, I will try that next time). Each time I had one of these moments I included it (commands, exploits and links) in my notes for my reference. I also kept a tracker with notes on how I got the initial foothold and privilege escalation. Creating this tracker was very important in order for me to see where the majority of the footholds were, what the most common exploit was, and the different ways to do privilege escalation. Once again, I noticed that after doing the Proving Grounds boxes, the pathway to rooting the machines is more or less quite similar, and this gives you a good mentality for what the OSCP exam will be like.

Conclusion

Before purchasing the OSCP course, it is crucial to conduct thorough research, assess your skills, and choose the right learning path. I will end this blog by saying not to worry about looking at walkthroughs, as it is called practice for a reason. I truly learned a lot from those walkthroughs, and in some cases when the same problem arose I was able to overcome it thanks to past mistakes. Learning from your mistakes is a true skill that every person, not just pentesters, should have! For now I am not confident enough to take the OSCP yet, but I am building that foundation. The next step will be actually purchasing the PEN-200 course, which will supplement my learning even further. I will check back again on my OSCP progress.