Path to Offensive Security Certified Professional (OSCP)

Lee (@n3rdRag3)
6 min read, Apr 16, 2021
Offensive Security OSCP badge

Introduction

If you’re like me when I was learning and training for the Penetration Testing with Kali Linux (PWK) to earn the coveted Offensive Security Certified Professional (OSCP) certification, then you are most likely here seeking words of wisdom or even that small seed or nugget of knowledge that you’ve been desperately searching for that will magically help you finally understand that one topic you haven’t quite got figured out yet. I can’t promise that learning about my journey will give you all the answers you have been looking for but I sincerely hope at the very least it will give you a better idea of where you need to look next.

I will do my best to explain what I did to prepare for the PWK exam and I will provide as many tools and resources that I can which I either used during the exam or that helped me to prepare for it. With that being said, my goal for this article is for it to live, breathe, and evolve into a resource like the ones that I cherished on my journey.

“What Did You Do First?”

I began seriously studying security roughly three years ago, but I have been curious about it for much longer than that. What sparked me to take the first step towards my future in security was Equifax’s data breach in 2017.

After the news, I couldn’t help but wonder how this could happen to an organization tasked with securing everyone’s sensitive information. As I performed search after search, exploring the vast, mysterious universe of security, I found this video by Dr. Mike Pound of the University of Nottingham about buffer overflows and how they work, and I was hooked. From then on, I found myself learning everything I could find, but at that point I could only find out what these things were, not how to do them.

The Deep Dive Begins

I had not known that penetration testing was a career choice until the day I discovered Heath Adams’ YouTube channel (more commonly known as The Cyber Mentor), specifically this video explaining cyber career paths. I spent the next few weeks learning as much as I could from his content.

The pivotal point that changed everything for me and set me on my path to OSCP was Heath releasing his Zero to Hero YouTube video series — a series of 11 videos which provided a deep dive into the world of pentesting and security.

Finally! Something I could sink my teeth into and learn how to do these things!

Since then, Heath has greatly expanded his training and has relocated all of his content to TCM Security’s Academy, where he offers a wide range of courses, from Open-Source Intelligence (OSINT) to Windows and Linux Privilege Escalation, depending on what you want to improve.

His latest academy courses can be found here. Also, be sure to follow him on Twitter because he often offers discounts on his courses and releases new ones!

Although his courses have moved to a new home, some of them can still be found on Udemy if you prefer that format, and whenever he offers a discount or coupon code it will typically be valid on both sites!

HTB, PG, & THM Oh My!

It’s no secret that Hack The Box, Offensive Security Proving Grounds, and TryHackMe are super fun because you get to break into computers and networks without getting arrested (if you play by their rules!), but when used efficiently they can also be essential study tools for the PWK exam.

The important idea to keep in mind when charging through these machines as an OSCP student is to plan your time efficiently and not to get distracted by unrelated targets until after you finish your exam.

In order to help keep you laser focused, NetSec Focus continuously curates a list of OSCP-like machines from VulnHub, Hack The Box, and Proving Grounds. These targets are generally agreed to match the difficulty and complexity of the machines one would expect to encounter during the PWK exam.

This list of OSCP-like targets can be found here.

Unlike the standalone machines of Hack The Box and Proving Grounds, TryHackMe (THM) offers Learning Paths and individual modules, which I found useful in preparation for the PWK exam.

What I found most useful on TryHackMe for the PWK exam is:

Learning Paths
Complete Beginner
Web Fundamentals
Offensive Pentesting

Modules
Linux Fundamentals
Windows Fundamentals
Networking Fundamentals
Web Hacking Fundamentals
Cryptography
Shells and Privilege Escalation
Basic Computer Exploitation

Rooms
Buffer Overflow Prep (created by the legendary Tib3rius, provides a complete repeatable methodology as well as 10 unique buffer overflow exercises to practice)

It’s dangerous to go alone! Take this!

The most important piece of advice I can give, which I learned during this entire process and have rarely seen mentioned, is that prepping for PWK is significantly easier when you study, learn, make connections, and grow with others who are going through the same challenges as you.

It makes a huge difference when you can ask questions, get advice, and learn from fellow students and industry professionals with diverse experiences and backgrounds. Discord is home to popular, well-known servers such as InfoSec Prep and the official Offensive Security server.

Tools, Services, and Resources

If at first you don’t succeed, get a bigger hammer

All resources from this point on should, in my opinion, be in everyone’s toolkit because they are useful in a majority of cases. If you know of any tools or resources that should be on this list but are not, please contact me and I will add them here!

CyberChef

CyberChef is useful for text manipulation. In my experience, there have been cases where a value had been transformed with multiple layered methods (e.g. first MD5 hashed, then base64 encoded), and CyberChef makes unwinding this easy with “recipes”: the order in which operations are inserted is the order in which they run.

GTFOBins

A list of Unix binaries that can be leveraged in various ways to achieve privilege escalation and/or bypass local security restrictions.

Living Off the Land Binaries and Scripts (LOLBAS)

The goal of the LOLBAS project is to document every binary, script, and library that can be used for Living Off The Land techniques. Living Off The Land (LOL) binaries (executable programs) are binaries that can be used by an attacker to perform actions beyond their original purpose. These actions include the ability to download files, execute arbitrary commands, alternate data streams, encoding, and decoding.

Privilege Escalation Awesome Scripts Suite (PEASS)

A suite of scripts and binaries for Linux and Windows post-exploitation which performs internal enumeration and searches for possible local privilege escalation paths to exploit.

AutoRecon

Inspired by the PWK exam, Tib3rius created this tool, which automates your initial recon without violating the rules of the PWK Exam Guide (I never hesitate to recommend this tool — I can easily attribute at least 50% of my success on the exam to it).

pspy

pspy is the go-to tool for inspecting running processes on Linux. I personally love this tool because it detects and visualizes running cron jobs and triggered tasks (e.g. a script that runs on SSH login) in real time.

Responder

Responder is an LLMNR, NBT-NS and mDNS poisoning tool that features built-in rogue HTTP, SMB, MSSQL, FTP, and LDAP authentication servers. Have a user shell on a Windows target but want to try to crack the password hash? This is the tool for you!

Rowbot’s Pentest Notes

A nice extensive reference guide covering many aspects of pentesting.

HackTricks

Another great reference guide that I use constantly when I need a reminder of manual port enumeration techniques.

Contact Me

If you have any questions or suggestions of content or resources to add I can be found on Twitter!
