10 Tips for Preparing for the OSCP Exam
1. Fully complete ALL the course exercises including the Extra Mile exercises

It is imperative that you fully understand all techniques covered in the Penetration with BackTrack (PWB) course. These techniques form the basis of understanding needed to gain the additional knowledge required to succeed as a penetration tester, and they prepare you for the OSCP challenge. Mastering the Extra Mile exercises provides additional important skills.

2. Be prepared to perform extensive research to build your knowledge

The PWB course materials are designed to get you started. You will need to perform substantial additional research to gain sufficient technical knowledge and skills to pass the OSCP challenge. For example, the course covers the use of PoC code to escalate privileges on a Linux-based system. You will need to research the multiple techniques available for escalating privileges on Windows-based systems, which are not covered in the course materials. You will learn A LOT by performing research on your own.

3. Become familiar with the multitude of tools installed within BackTrack

The PWB course only covers a few of the vast set of tools provided within BackTrack. It is EXTREMELY important that you familiarize yourself with the other tools included in BackTrack, which are plentiful. Experiment with the tools in the virtual lab and make note of those that could provide value; not all will be useful. For example, I started using the Nmap scripting engine (NSE) to identify HTML pages on a server. This technique did not always identify all of the pages. I then discovered the OWASP DirBuster tool, and it augmented Nmap by identifying other pages not discovered by NSE, which greatly assisted in my enumeration and exploitation efforts.

4. Exploit as many lab systems as possible

Most of the lab systems provide a unique challenge and a different learning experience. You should pwn as many lab systems as possible to gain the skills needed to successfully complete the OSCP challenge. I was able to pwn about 85% of the lab systems; I was not able to pwn sufferance (ugh, very frustrating) and I ran out of time to exploit the Administrative Department subnet.

5. Remain focused and dedicated

I was determined to attain my OSCP certification. In order to refine my skills and gain the necessary knowledge to pass the OSCP challenge, I needed to dedicate at least 16-20 hours per week to exploiting the lab systems. The time required will vary depending on your hands-on knowledge of penetration testing/hacking. Individuals with only basic penetration testing knowledge (like me at the start) will need to commit a substantial amount of lab time to gain the required experience to pass the OSCP challenge. I found myself somewhat obsessed with conquering the lab systems, but in a good way, since it focused my interest and kept me motivated. I would frequently talk to my co-workers and friends about my successes, my challenges, and what I learned. It definitely helped me vent my frustrations, think through new avenues of attack, and brag a little about everything I was learning. I am sure they were tired of me constantly discussing my OSCP trials and tribulations, especially Mintek. Sorry guys, no more OSCP geek stories to bore you with!

6. Keep a detailed log of the steps you took to exploit each lab system

It is imperative that you take the extra time to maintain a detailed set of instructions for the exploits you executed on the lab systems. Be sure to include all unsuccessful attempts. When I decided to move on to another system in the lab before I was able to pwn the current system, I was very thankful that I kept detailed notes so I did not waste time using the same failed exploit when I returned to the system at a later time. Keeping detailed notes also allows you to review and re-familiarize yourself with exploits while preparing for the OSCP challenge, and it polishes your skills for compiling the notes required during the OSCP challenge so you can efficiently develop the required OSCP challenge report.
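The kind of attempt log this tip describes, as an added example that is not part of the original post: one append-only JSON Lines record per attempt (successful or not), plus the queries you actually want when you come back to a system later (what already failed here, what has not been tried yet, and the ordered successful steps for the report). The host names, step labels and outcomes in SAMPLE_LOG are constructed for the illustration and do not correspond to any real lab system.

```python
import json
from datetime import datetime, timezone

# Allowed outcomes; "inconclusive" records an attempt whose result you could not judge.
OUTCOMES = ("success", "failed", "inconclusive")

# Hypothetical per-host checklist of steps you intend to try on every system.
CHECKLIST = [
    "full TCP port scan",
    "web content enumeration",
    "public exploit for web app (candidate 1)",
    "kernel exploit (candidate 2)",
]

# Constructed sample log (JSON Lines, one attempt per line). Invented data.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"ts": "2024-01-05T10:00:00+00:00", "host": "lab-host-1", "step": "full TCP port scan",
     "outcome": "success", "notes": "ports 80 and 445 open"},
    {"ts": "2024-01-05T10:30:00+00:00", "host": "lab-host-1", "step": "web content enumeration",
     "outcome": "success", "notes": "admin area found under the web root"},
    {"ts": "2024-01-05T11:00:00+00:00", "host": "lab-host-1", "step": "public exploit for web app (candidate 1)",
     "outcome": "failed", "notes": "version on target does not match the PoC"},
    {"ts": "2024-01-06T09:00:00+00:00", "host": "lab-host-1", "step": "public exploit for web app (candidate 1)",
     "outcome": "failed", "notes": "retried after adjusting offsets, still no effect"},
    {"ts": "2024-01-06T09:45:00+00:00", "host": "lab-host-1", "step": "kernel exploit (candidate 2)",
     "outcome": "success", "notes": "privilege escalation worked, proof recorded"},
    {"ts": "2024-01-06T10:00:00+00:00", "host": "lab-host-2", "step": "full TCP port scan",
     "outcome": "success", "notes": "port 22 open"},
])


def make_record(host, step, outcome, notes="", ts=None):
    """Build one log record; timestamps are UTC ISO-8601 so they sort as strings."""
    if outcome not in OUTCOMES:
        raise ValueError(f"outcome must be one of {OUTCOMES}, got {outcome!r}")
    return {"ts": ts or datetime.now(timezone.utc).isoformat(),
            "host": host, "step": step, "outcome": outcome, "notes": notes}


def append_record(path, record):
    """Append-only write: never edit earlier lines, so failed attempts stay on record."""
    with open(path, "a", encoding="utf-8") as f:
        f.write(json.dumps(record) + "\n")


def parse_log(text):
    """Parse JSON Lines text into a list of records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def attempts_for(records, host):
    """All attempts against one host, oldest first."""
    return sorted((r for r in records if r["host"] == host), key=lambda r: r["ts"])


def failed_steps(records, host):
    """Steps whose most recent outcome on this host was 'failed': consult before retrying."""
    latest = {}
    for r in attempts_for(records, host):
        latest[r["step"]] = r["outcome"]  # later records overwrite earlier ones
    return sorted(step for step, outcome in latest.items() if outcome == "failed")


def untried_steps(records, host, checklist=CHECKLIST):
    """Checklist items never attempted on this host, in checklist order."""
    tried = {r["step"] for r in records if r["host"] == host}
    return [step for step in checklist if step not in tried]


def report_steps(records, host):
    """Ordered successful steps with notes, ready to paste into the report walkthrough."""
    return [f"{r['ts']} {r['step']}: {r['notes']}"
            for r in attempts_for(records, host) if r["outcome"] == "success"]


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    print("Already failed on lab-host-1:", failed_steps(records, "lab-host-1"))
    print("Not yet tried on lab-host-2:", untried_steps(records, "lab-host-2"))
    print("Report walkthrough for lab-host-1:")
    for line in report_steps(records, "lab-host-1"):
        print("  ", line)
```

The log is deliberately append-only and keyed by host and step, so a second look at a system starts from `failed_steps` and `untried_steps` rather than from memory; `report_steps` gives you the ordered successful chain that the challenge report has to contain.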

7. Maintain a cheat sheet

As you learn new information, record the information on a cheat sheet. Organize your cheat sheet by category (e.g., enumeration tool commands organized by tool, exploit tool commands organized by tool name, SQL injection cheats organized by database, etc.). Trust me, a tailored cheat sheet will prove invaluable during the OSCP challenge.

8. Use the PWB administrators for hints and advice

The motto of the PWB course is Try Harder. When you have exhausted all options and are on the verge of giving up on pwning a system, do not be reluctant to ask the Offensive Security administrators for advice and guidance. However, realize they are stingy with hints or advice if you cannot demonstrate that you "tried harder" and applied sufficient effort on the system for which you are seeking assistance. Also realize that the administrators will not give away the answer; they will likely only provide subtle or cryptic hints that can be beneficial in guiding you in the right direction for pwning the system. I read blogs that advised not using the administrators. I definitely do not agree with that philosophy. You will likely spend hundreds of hours exploiting the lab systems, not to mention the time required to complete the course materials. It is tremendously gratifying when you pwn a system on your own, but I do not think there is anything wrong with saving precious time by receiving hints and advice from the administrators to help you learn.

9. Select a date and register for the OSCP challenge in advance

This will give you a goal to help you stay focused and dedicated.

10. Develop a draft OSCP Challenge Report before you take the exam challenge

The OSCP challenge is quite grueling. I used the full 24-hour period to take the exam in an attempt to maximize my point accumulation (although I was only productive during the first 18 hours) and then I immediately developed the OSCP Challenge Report. The report must be submitted within 24 hours after completing the challenge. I was exhausted after completing the challenge exam, and I was EXTREMELY thankful that I had developed a draft report before I took the challenge instead of having to create it from scratch. At a minimum, establish the outline/structure of the report and create your draft OSCP Challenge Report with the boilerplate information and the trophies you accumulated when working in the lab. It was much more palatable to update an existing report than to start from scratch after taking the exam. This allows you to focus on documenting the exam challenge exploits instead of spending valuable time on the minutiae of the report or on the lab trophy exploits (which are required within the report).