OSCP Takeaways in 2024

Offensive Security Certificate Professional (OSCP) 2024 Takeaways

After being a full time offensive security consultant for almost three years, I finally decided to take the OSCP. It was a bit different from my day job, and was a challenge in its own right.

This post aims to differ from other OSCP reflection blog posts by discussing challenges and takeaways from the perspective of someone who regularly performs assessments for large corporations. During a real assessment, speed is not the first priority, as forcing speed can result in error, downtime, financial and even life-threatening consequences depending on the environment.

While the OSCP can lay the foundation for a pentesting career, some of the compromise paths required may not be regularly considered when working in a live environment.

This blog post assumes you have some experience with HackTheBox and professional offensive security, but aims to be useful to anyone with a security background considering the OSCP exam.

Preparations

As of 2024, the OSCP required 70 points to pass. Compromise of the entire Active Directory set (3 machines) would yield 40 points and full compromise of a standalone machine would yield 20 points.

I decided to obtain the extra credit of 10 points, which required completing 80% of each section of PEN-200 module labs, and submitting 30 proof flags from the challenge labs. The module labs were not an enjoyable experience to get through, but I appreciated the exposure to OffSec’s methodology prior to taking the exam.

A few problems to keep in mind if you plan to work through the module labs:

  • Should the OffSec VPN disconnect for even a second, the module and challenge labs turned off and reverted. The OSCP A, B, and C challenge labs were the only ones exempt from this practice.
  • When the module labs were shutdown (e.g., from a VPN disconnect), a cooling off period was applied to prevent an immediate reboot.
  • PEN-200 modules included tasks such as installing and running Nessus, which was entirely useless for the exam, as Nessus is not allowed.
  • The labs were built inconsistently - certain labs used credentials hidden away in large text blocks, while other labs explicitly stated them near the lab task.
  • As an M1 Mac user, a number of the labs required that I execute an arbitrary amd64 Linux executable to retrieve the flag. As non-standard proxy tools were used for the labs, I could not simply run qemu-x86_64-static on the binary.

To achieve 80% on the module labs, I had to spin up an amd64 GCP/AWS instance to run the executables provided by OffSec. Additionally, I was allowed only one active VPN connection at a time, meaning that switching between my Windows, Ubuntu, and cloud instance required I restart each challenge from zero. Earning 80% on the module labs was not an enjoyable experience. I am glad I guaranteed myself extra credit on the exam, and was able to practice security testing in a manner expected by OffSec. In retrospect, I could have learned OffSec’s methodology through the challenge labs and skipped the extra credit.

After completing the majority of the challenge lab boxes, I reviewed my notes and outlined each attack path. If there was a stage that resulted in me using the OffSec discord for assistance, I specifically noted actionable enumeration steps and realistic thought considerations for future boxes.

For completeness, I continuously updated my notes with commands used for local enumeration. After obtaining 30 proof flags, I had a list of PowerShell and Unix one-liners to quickly identify potential credentials in user history, locate hidden folders, and similar for pre and post exploitation tasks.

A combination of a cheat sheet and OffSec-specific bullet points served me well. The bullet points acted as my supplementary checklist of critical, primary steps I should prioritize against an OffSec box.

Exam

I began the exam at 8am on a Friday and reached 70 points (AD set and the first standalone box) by 4pm. While reporting, I rooted a second standalone box as an insurance policy for myself, and submitted the report at 7pm.

I made two mistakes during my exam which cost me a combined total of three hours of time (~90 minutes given I did an extra box):

  • I accidentally used Hashcat syntax when using John the Ripper, resulting in John’s default wordlist and mask being used instead of the mask described in my takeaways below.
  • I forgot to attempt default/common credentials on a network-accessible service.

The following list acted as my supplementary, OffSec-specific checklist:

  • Ensure you collect a full port and service scan of every machine. The ratio of non-standard ports on OffSec is significantly higher than a client environment due to the lack of scale.
  • If you have RCE but no shell callback, methodically try every compatible option on revshells.com.
  • It is unlikely to take a machine offline with scans alone. Increase the threading and speed to allow for your default wordlists to include case-sensitive files and directories.
  • Assume that there is a greater than 50% chance that groups of credentials you find will be used on the next “task”. While not guaranteed, many of the tasks were linear.
  • Hash cracking can be done with the rockyou wordlist with a ruleset that (1) changes nothing (2) appends “1” (3) appends “!”.
  • Start from zero when you feel stuck. Restart the machine, take a walk, and come back with a fresh mind to re-configure your proxychains, payload, and reverse shells.
  • Use both impacket-secretsdump and NetExec to quickly perform the majority of AD post-compromise and enumeration.
  • Keep an excel-like checklist of credentials, ports, and services. Each set of credentials should be attempted against each set port and service.
  • If an exploit is failing, search Github for a newer or multi-part version of the same exploit. The most common proof of concept exploit may not work.

Contrary to the negative experience suffered by many of my peers, I did not have any issues with the exam machines or network. My first two proctors were very responsive and personable, while the third was unresponsive until their shift ended.

Reporting

I took a very low-risk approach to the report, and prepared a copy of OffSec’s OSCP example report: https://www.offsec.com/pwk-online/PWKv1-Report.docx

As someone who regularly writes 50-100 page, logically and grammatically correct reports inclusive of an executive summary, story-based technical narrative, and detailed finding blocks, the most difficult part of reporting was throwing all of my habits out the window. The example report had no regard for tense or point of view, and switched between “I”, “We”, and “<NAME>”. For simplicity, I did not go beyond OffSec’s reporting standards.

The goal of this report was to prove I documented my steps and nothing more.

I included all source code used (including a reverse shell), and added a footnote with the link for any tools mentioned. As with the report template above, the structure was chronological, and did not include any information that was not directly relevant to my attack path.

After finishing the boxes on the exam, I kept the exam and proctor session running to allow myself to re-compromise boxes and obtain additional screenshots.