May 28, 2024

When Offsec announced the course update, I was nervous. I had no idea what Active Directory was, and now it was the most important section of the exam. Not ideal. Especially because I was one of the first people to attempt the new OSCP exam format, which meant there were very few updated study guides.

How I Recommend Preparing

I only had six weeks to study when I decided to take the OSCP exam. Well, I could’ve had more. But I had never traveled before and wanted to spend the second half of my summer backpacking around Europe. So, I made a novel approach to OSCP studying, which only took six weeks. I share this approach in the “How I prepared (how to prepare quickly)” section.

My new approach worked, but I wouldn’t recommend it. If we share a similar background, I suggest at least ten weeks of full-time (40 hours a week) preparation. This section explains (in order) what I would do to prepare for the OSCP exam given ten weeks.

Preface: Take amazing notes.

The most important part of your preparation is your notes. You should compile a note sheet that can tell you what to do in every scenario you encounter on the exam. Build out your notes by attempting machines and watching or reading detailed walkthroughs.

Ippsec’s videos are vital at the beginning. Take notes and try to emulate how he approaches machines. Study these videos like game film. Invest in learning the basics, especially enumeration, early. They will pay off.

Some videos are very long. I play them at 1.5x speed. As you progress, you may not need to watch entire videos. When you get to that point, switch to reading walkthroughs. Make sure to find writers that explain why they do something rather than blast screenshots of terminal commands. 0xdf.gitlab.io has high-quality walkthroughs.

Take your notes seriously. They will determine if you pass or fail.

1. Learn Active Directory.

Active Directory is now an essential part of the exam. When I began my preparation, I knew nothing about AD. If you relate, start by watching some basic YouTube videos to get a high-level overview. A search for “Active Directory Introduction” should be sufficient.

Next, complete the HackTheBox Active Directory track. You do not need to be able to root all of these machines, but they will give you a better understanding of AD. At the very least, watch the full Ippsec walkthroughs. And take notes. Obviously. Depending on thoroughness, the HTB AD track should take one to two weeks.

Remember that this alone is not sufficient for AD environments on the exam. The most important AD lessons will come from the OSCP course material, which I will discuss later.

2. Focus on Windows.

When I began my preparation, I avoided Windows machines. Constantly looking up PowerShell commands just isn’t as fun for me as running ‘sudo -l’. Unfortunately, most of the OSCP exam machines are Windows. So prioritize Windows machines, especially regarding privilege escalation. I suggest using the two-thirds rule: for every three machines you look at, two of them should be Windows.

Practice exploiting machines on HTB following TJ Null’s list of OSCP-like HTB machines. Watch or read walkthroughs of every machine on the list to build out your notes, and attempt as many machines as you can. The more machines you attempt, the more prepared you will be for the exam. At a minimum, I suggest rooting 20 machines (hints allowed). This process should take three to six weeks. By the end, your notes should be sufficient to help you complete most machines.

During this period, spend a day doing the buffer overflow section on TryHackMe. Practicing buffer overflows for a day is an easy way to receive ten points if you get the buffer overflow machine on the exam. Follow every unit in the TryHackMe room except the “bad chars” and “expanding shellcode” sections; during those parts, refer to this guide. Make sure you save the scripts you use so that you can repeat the process on the exam.

3. Begin the OSCP course, and complete the new bonus-point format.

After TJ Null’s list, begin the OSCP course. The most important part of the course is the bonus points. The new bonus point format is challenging but much better than the old version.

Begin by reading through the PDF and completing the bonus point exercises. This takes one to three weeks. Every technique explained in the PDF is in-scope for the exam, even the more complex content like SSH tunneling. Fully understand every section, and add each technique to your notes.

The worst part of the course exercises is the bugs. During my preparation, I spent three full days resolving technical issues. It was clear that Offsec had recently developed the bonus point exercises. Offsec does not provide a hotline or online chat for support issues, so you have to wait two days for an email response whenever something doesn’t work. And even then, they may tell you to kick rocks. I was one of the first people to complete the new bonus point format, so hopefully, Offsec will fix the bugs by the time you take the course. If not, prepare to have your patience tested.

After the exercises and PDF are complete, begin the labs. The labs are easier than most machines you faced in TJ Null’s list. By now, your note sheet should contain instructions on how to handle almost every service and configuration. Look at hints if you are stuck on a machine for more than four hours. Being stuck on a machine for a long time is inefficient. Use hints to learn and keep moving. Just don’t rely on them, and remember that you won’t have them on the exam.

Dependencies are another reason to look at hints. Some OSCP lab machines are not vulnerable without information from another machine. These machines are called “dependent machines.” There is no way to tell whether a machine is dependent, so you end up scouring an application for vulnerabilities that don’t exist. Trust me, there is nothing worse than spending five hours on a machine only to check the Offsec discord and realize that it has a dependency.

Ok, dependency rant over. Let’s continue. In the labs, there are two externally exposed AD sets. Complete both of these. Make sure you understand every post-exploitation technique taught in the course PDF, as you will need these to pivot through AD sets. The lab sets are easier than the AD sets on the exam, but they will give you good practice in post-exploitation.

At this point, the lab machines should start to feel pretty easy. If you are still struggling to root lab machines, go back to TJ Null’s list. Try some more machines and make sure you are taking great notes. If you have done everything up to this point, and the lab machines are becoming easy, you are ready for the exam.

4. Crush the Exam. (OSCP Exam Strategy)

Exam strategy can be the difference between passing and failing. Read my Exam Experience for my full exam day story. Here is what I recommend based on my exam.

  1. The easiest way to pass the exam is with ten bonus points, forty points from the AD set, ten from the buffer overflow, and ten more from wherever you want. When I took the exam, the buffer overflow privilege escalation was very simple, so keep that in mind. If you don’t receive the buffer overflow machine, then its replacement should be on the easier side.
  2. Start with the Active Directory set. Some people recommend starting with the buffer overflow, but this will be the easiest part of the exam if you have practiced buffer overflows. Start with the difficult parts and save the overflow for hour 18 when your brain is shutting down.
  3. Treat the AD set like it is its own separate network. From what I have read, there is a lot of variability in the AD exam sets. If you get the difficult one like me, remember that they are connected in more ways than talking to the same domain controller. Start with the machine that looks unique. Don’t get too hung up on one machine before you get a foothold, as you may need to enumerate all of the machines before you can get into one. If you get stuck for more than a few hours, try one of the regular machines and return later.
  4. To escalate privilege within the AD set, look first for normal Windows privilege escalations not related to AD. I doubt you will need something like BloodHound to escalate privileges.
  5. Take breaks. Take a break any time you get stuck or get to a good stopping point. Go for a walk, work out, take a cold shower or get some food. Preferably do all of these things throughout the exam. And please drink water constantly.

Finally, don’t give up. It took me six hours to get a single privilege escalation on a machine in the AD set. Keep trying, and don’t get discouraged. You put in the work to be here. Believe in yourself. Good luck!

How I prepared (how to prepare quickly)

If you need to study for the OSCP in as little time as possible, this section is for you. In six weeks, you do not have enough time to hack all the machines you should. The key to my approach was realizing that the only machines you need to hack are the ones on the exam. I focused on learning and building a methodology over actual hacking. Unfortunately, this approach is much less fun than taking the time to hack more machines. It also likely results in a lower success rate. So use my story at your own risk.

My main focus during preparation was building out my note sheet. I approached AD the same way as I described above. AD is important, so do not skip over it. I approached TJ Null’s list differently.

I started TJ Null’s list after completing the HTB AD track. I knew I would not have time to attack even half of the machines on the list. Rather than use these machines as practice, I decided to use them as a reference. I only actually attempted about seven HTB machines. But, for every machine on the list, I watched the video or read the walkthrough and took vigorous notes.

Halfway through TJ Null’s list, I started the OSCP course. At this point, I only had three weeks remaining until I took my test, so I moved quickly. I skimmed most of the PDF, reading a little every morning. During the day, I would attack the lab machines, starting with the learning path. If I got stuck on a machine for more than a few hours, I would look at hints in the Offsec discord and forum.

At first, I needed hints for every machine. Once I had finished reading and watching the write-ups on TJ Null’s list, I had better notes and relied on hints less. After fifteen machines, I rarely needed hints. I rooted 23 lab machines in total.

Included in these machines were the two AD sets. Do not skip these, no matter how rushed you are. I also spent a day doing the buffer overflow machines on TryHackMe. After these six weeks, I felt decently prepared. I took the exam.

And failed after twenty-four hours with only twenty points.

I then forgot about OSCP for a month and went backpacking around Europe.

Upon my return, my first thought was to slow down and spend more time studying. But even though I hadn’t rooted many machines, I believed I had the methodology to pass. I compromised and spent a week completing the new bonus point format. Going through the exercises did not teach me a lot of new material, but they refreshed my skills and earned me ten bonus points.

After completing the bonus, I retook the exam and passed with 100 points. I even received the ‘hard/impossible’ AD set that people were complaining about on r/oscp. The difference between my two attempts was not completing the course exercises. I had already learned that material. The difference was the month-long break I took while traveling. I rushed into my intense six weeks of OSCP preparation two days after college graduation and never let my mind rest. My break traveling gave me the mental clarity to pass the exam.

I proved there is a faster way to study than the traditional approach, but I wouldn’t recommend it. If you have the time, take it, and enjoy the process.