How I Prepared & Passed OSCP in 3 months
Hello Guys 👋👋, recently I passed the OSCP certification on my first attempt after preparing for it within 3 months, and after my LinkedIn post I got lots of questions regarding resources used to prepare, methodology, etc. So in this write-up I am going to share how I prepared and planned for this exam and finished it in 3 months.
Sections to Study & Resources
So in OSCP there are multiple topics which you should have knowledge about. Following are the sections and resources I used to prepare for it.
Initial Access
Now for any boot-to-root kind of CTFs, the first and foremost step is to get initial access to the machine, which in many cases might be much harder than you think.
Initial access mostly would be possible either via Web Exploitation or Network Exploitation and in some scenarios via Phishing Attacks as well.
So first of all, you should prepare for Web Pentesting & Network Pentesting to cover this area.
Now in my case, due to my professional hands-on experience, I never had to study for these topics differently; I already had confidence in my skills on these topics. But if you are a complete beginner or at intermediate level, I would definitely recommend you work on these topics; there are already a lot of resources available on the internet. And if you are planning to study only for OSCP, I would suggest you completely understand the Server Side Vulnerabilities, as the final goal of initial access would be to gain an RCE on our target machine.
Some of the vulnerabilities which you must know (get hands-on as well) are:
- OS Command Injection & RCE
- File Inclusion Vulnerabilities (LFI & RFI)
- File Upload Vulnerabilities (Bypasses as well)
- SSRF
- SSTI
- SQL Injection (Manual Exploitation of both In band & Blind)
- Reconnaissance (Not a vulnerability, but more like a process of initial enumeration)
- CVE Hunting (Again, not a vulnerability but more like a process of finding the accurate CVEs after identifying the services being used in the machine)
Here are some resources you can refer to get started:
Portswigger: https://portswigger.net/web-security/all-labs
For network service exploitation: https://book.hacktricks.xyz/network-services-pentesting
Tool I used for automating reconnaissance (only suggested to use after you have got enough experience to perform recon manually, so that you understand & remember all basic service exploitation like FTP, HTTP, SMB, etc): https://github.com/Tib3rius/AutoRecon
Lastly, the main thing about this section is hands-on experience, so try to solve as many boxes as you can from HTB for starters, as once your mind gets trained, you would be able to find the attack vector for initial access very fast.
Windows & Linux Privilege Escalation
After getting initial access to a machine, our aim is to escalate our privileges to attain root/Administrator level access to the system to successfully compromise it.
Following are the resources which I used for preparing for this section:
- TCM Windows Privesc: https://academy.tcm-sec.com/p/windows-privilege-escalation-for-beginners
- TCM Linux Privesc: https://academy.tcm-sec.com/p/linux-privilege-escalation
- Tryhackme Privilege Escalation path: https://tryhackme.com/module/privilege-escalation
Active Directory Pentesting
Active Directory pentesting is a required skill if you wish to pass OSCP, as 40/100 points are for the AD set alone.
Following are the resources I used to prepare for this section:
- Video by CyberMentor: https://www.youtube.com/watch?v=VXxH4n684HE
- Compromising Active Directory: https://tryhackme.com/module/hacking-active-directory
- Internal All The Things (AD): https://swisskyrepo.github.io/InternalAllTheThings/active-directory/ad-adcs-certificate-services/
3 Month Task Division
In this section, I will tell you what I did and how I proceeded in each month.
1st Month
In my first month of starting preparation, I used the resources mentioned above to gain knowledge about the different sections required (mentioned above) and made notes for them. Also at the same time, I solved the HTB Boxes from TJNull List ( https://docs.google.com/spreadsheets/u/1/d/1dwSMIAPIam0PuRBkCiDI88pU3yzrqqHkDtBngUHNCw8/htmlview# ). I made a list of those boxes and sorted them based on Severity & Target OS (Windows or Linux).
Now as I started learning, I used to aim to solve at least 1–2 boxes per day. For example, if I am learning Windows Privesc, I will side by side get hands-on by solving Windows Boxes. I also made write-up style notes for all the boxes I have solved, for my personal reference and to get the skill of solving & documenting at the same time. This is also VERY important as in future, if you encounter the same service in any other box, you can easily search through it and use the same commands and steps.
At the start of your HTB solving, if you fail to solve the complete boxes, it is completely fine, all of us do. But also keep in mind the steps when you are not able to solve boxes: check the write-ups for those boxes (0xdf preferred) and understand the steps, or see ippsec.rocks walkthrough videos to understand not just the steps taken to solve but also WHY each step was taken. The WHY is really important to make sure you progress further. After understanding, try again to solve them on your own based on the things you have understood from the resources.
In the first month I completed around 40 boxes. Here I first focused on Easy boxes of TJNull and once I got comfortable I went to Medium Boxes. I did only a few Hard boxes and did not touch a single Insane Box within these 3 months, but I did complete all Easy and Medium Boxes.
2nd Month
In the 2nd month of prep, I bought the Offsec official OSCP Course & Exam Bundle and started with official course content.
Within this month I completed the complete course (both text & videos), made notes for each topic as per my understanding and also completed all Module Labs (Capstone Challenges are a must). Remember that notes are important; what you write is what you remember.
While doing this I also continued playing HTB, and now after gaining confidence I started playing the Seasonal Competitive machines as well in HTB, but in that also I used to aim to do Easy, Medium & Hard boxes only, didn’t try Insane. By the end of this month, I was done with TJNull Easy & Medium Boxes, many other active boxes & OSCP Course Content & Module Labs.
3rd Month
The 3rd month is all about practice. There were 2 goals in this month: complete the challenge labs & solve as many boxes as possible from PG Practice.
I started the month by buying the PG Practice subscription & solving the boxes (you can find the list of boxes in the TJNull list given above). I wrote personal write-ups for all boxes, with screenshots, steps and commands (as you would do in real exam time), and tracked the time for solving each box as well. Here is the database which I made for this
On the weekends & holidays of this month I planned the Challenge Labs & organized them in the same manner: making notes for future reference & tracking the time to complete them, including the time I was not studying or just sleeping as well. As in the real exam you can sleep, eat and do anything within those 24 hrs, you have to include that when calculating the time it took to solve it.
Many people will tell you to work through course content and challenge labs first so as to attain the 10 bonus points, but I followed a different path. I first practiced a lot on PG Practice and solved Challenge Labs on weekends, so both were going hand-in-hand. Hence, by the end of this month I completed around 38 boxes of PG Practice & all the challenge labs successfully and attained the required practice as well as the bonus points.
Apart from these two things, I also made shorter compact notes which I would use at the exam time from all the notes I have written till now, whether it be learning from sources I mentioned above or from OSCP course content. This will serve as a checklist during exam time for various methods, and also due to this I was able to revise the content.
I completely stopped studying 2 days before the exam, had full rest and watched some series for entertainment.
Exam Day
Finally it was exam day and everything went wrong at the start that could. A day before, I contracted a viral infection, so I was already burning up with fever and had a headache during the exam and had to take frequent rests due to this.
I first started with the AD set. As soon as I got initial access, a network outage of around 20 mins came, which led to the destruction of my shells until I brought up my other internet source. Now when I started again and got the initial shell again, there was a blackout in my area for around 3-4 hrs, so I had to work as much as I could on laptop battery and stop. In this time I completed the AD set and half a standalone machine.
Thankfully the practice paid off and I was able to solve till 90 marks within 8 hrs (calculated from exam start time, including all the network outages and blackout duration).
From this instance, take it as a reminder and make sure to confirm that there won’t be any big blackout, and also keep your laptop charged and backup internet ready for such cases.
Common Q&A
Following are a few common questions which I was asked over DMs.
How many hrs I used to study a day?
On working days, I used to wake up at 4 and study from 4:30am to 8:00am, and in the evening after my job, I used to study from 6:00pm to 9:30pm. And on weekends & holidays I used to scale even more, as much as humanly possible, to catch up with things faster.
Which app I used to take notes?
In my first month I started off with OneNote and eventually discovered Notion and shifted to Notion completely, as you can check out in the above images. I grew accustomed to Notion in a short amount of time.
Regarding OSCP exam boxes?
I felt like OSCP exam boxes were closer to the Easy-Medium range of HTB as per severity and much more accurately closer to PG Practice boxes overall. It is important to understand that most of the boxes are straightforward, so there is no need to overcomplicate things, which will do more harm than good. With enough practice you will be able to easily find the path to solve the boxes. If you get stuck anywhere, revisit from the enumeration section to get a different attack vector or path.
I hope this has helped you to pave a path for you to plan out your OSCP journey.
Thanks For Reading 😊
Profile Links:
Twitter: https://twitter.com/SAPT01
LinkedIn: https://www.linkedin.com/in/prajit-sindhkar-3563b71a6/
Instagram: https://instagram.com/prajit_01?utm_medium=copy_link
BUG XS Official Website: https://www.bugxs.co/