Tips on how to pass the new OSCP exam

By Alicia Tan (N0H4TS member)

N0H4TS · 5 min read · Jan 22, 2022

$ whoami

I am a 2nd year University student from Singapore Institute of Technology (SIT), majoring in Information Security. Prior to University, I graduated from Singapore Polytechnic with a Diploma in Information Security Management. This article will mention my experience with the new OSCP format, as well as some advice for the Active Directory portion.

BEFORE THE DOOMZ DAY (when Offensive Security changed the exam)

From July 2021 to September 2021, I started active preparation by doing HackTheBox machines from the TJ Null’s list of OSCP-like boxes. Due to school, I paused my preparation and resumed 11 December, one day after my final examinations ended. I activated the PWK course on 10 December, and booked an examination for 15 Jan.

In total, I completed 70+ machines across HackTheBox, Proving Grounds and the PWK labs. Fun fact, I bought Proving Grounds a week before my examination and started grinding as many boxes as I could on that platform. For active directory practice, do see the last section.

These are the boxes (highlighted in bright green and yellow) that I completed from TJ Null’s list. The remaining are from the PWK labs 🙂

[Image: HackTheBox boxes completed from TJ Null's list]
[Image: Proving Grounds boxes completed from TJ Null's list]

ACTUAL D-DAY

I started my examination at 8am, and went in head first for the Active Directory set. As I did not submit a lab report, I needed the 40 points from the AD set to pass the examination. The AD set was similar to what is found in the PWK labs, and took me about 6 hours to finish. In hindsight, it could have been finished in 3 to 4 hours, but I dropped into a few rabbit holes along the way. Tbh, the AD set was the easiest amongst everything.

After finishing the AD set at 3pm, I made sure to grab all my screenshots before proceeding onto the remaining 60 point boxes. I did not get any BOF boxes.

From this point onwards, I had ZERO progress up till 12.30am in the morning. I was contemplating going to take a short nap, but told myself that I had a chance of passing if I did not sleep (a very good choice). At 1.00 am, I managed to break into one of the 20 point boxes. Privilege escalation was not tough, and I finished the box at 1.30am.

Now with 60 points in the bag, I needed just 10 more points to pass. The remaining two 20 pointers were tough as well, but I only continued working on the one that I was the most confident in. I took a short 5 minute break every hour, and watched the clock tick by from 2.00am, to 3.00am, to 4.00am… and I finally clinched the passing point at 5.45am in the morning. Oh man, I don't know how to describe the extreme anxiety I felt while watching the clock tick by from 2.00am to 5.45am. I came close to breaking down several times, but never thought of giving up :). The reason it took so long was that I dropped into MANY rabbit holes along the way, even though I had found the privilege escalation vector long before I got an initial shell.

Privilege escalation was a breeze as well, and I scored my final flag at 6.30am, 1 hour and 15 minutes before my exam was due to end (80 points!). Happy root dance at this point. I used the remaining time to double-check all my screenshots, before heading to bed at 9.00am.

After submitting my report, I received the confirmation email from Offensive Security on 19th January!

Active Directory Advice (for OSCP)

For new students tackling this format who are worried about the Active Directory portion, please do the Active Directory labs in the PWK labs. I cannot stress this enough. In my opinion and experience, the methodology used for the Active Directory machines on HackTheBox and Proving Grounds is quite different from the AD sets in the PWK labs.

The machines on HTB and PG are all standalone domain controllers, and always involve (from my personal experience) enumerating usernames and bruteforcing credentials. There is almost no pivoting required as you are working on a standalone domain controller.

However, the PWK labs contain active directory sets. For AD sets, the methodology involves exploiting a vulnerable domain computer first, before slowly pivoting your way to the domain controller. THIS methodology is what you want to take note of.

Therefore, I found that practicing on the AD boxes in HTB and PG was insightful, but very different from what is expected in the examination. Those boxes are good practice, and a good starting point, but the most valuable practice you can get is the AD sets in the PWK labs. I re-did the AD sets in the PWK labs several times and mapped out all possible ways to pivot through and solve each set. So please, do the AD labs in the PWK course!

In Conclusion..

Not much is needed past the AD material in the PWK labs, which I found unnecessarily complicated. Feel free to use other online resources to understand AD attacks better — just make sure you know what is the scope of the AD that will be tested. I have seen some content on Reddit that focused a lot on out-of-scope material for the AD. My main toolkit for AD was Impacket and Mimikatz. Bloodhound might be slightly overkill as enumeration can be done easily using the net command.

For PTT and PTH techniques, the link below provides a very good cheat sheet: https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a.

It would also be good to understand the basics of Active Directory from a sysadmin POV first (e.g. Group Policies; What are domain admins, domain controllers, etc.)
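As an added example (not code from the original post or from Offensive Security), the PowerShell below wraps the built-in net and nltest commands mentioned above into a small domain overview, which is the sysadmin's-eye view of a domain (domain controllers, who the Domain Admins are, which groups an account belongs to) that the previous paragraphs recommend understanding first. It assumes it runs on a domain-joined Windows host with an account that is allowed to query the domain, that the command output is in English, and the function names are my own.

```powershell
# Added example, not from the original post. Builds a basic picture of a
# domain from the built-in net and nltest commands, the way a sysadmin would.
# Assumptions: domain-joined host, account allowed to query the domain,
# English-language command output (the parsers below rely on it).

function Get-DomainControllerNames {
    param([string]$Domain = $env:USERDNSDOMAIN)
    # nltest prints one DC per line, e.g.
    # "    DC01.example.local [PDC] [DS] Site: Default-First-Site-Name"
    nltest /dclist:$Domain 2>$null | ForEach-Object {
        if ($_ -match '^\s+(\S+)\s+\[') { $Matches[1] }
    }
}

function Get-DomainGroupMembers {
    param([string]$GroupName = 'Domain Admins')
    # "net group" lists members after a line of dashes, several names per row,
    # and ends with "The command completed successfully."
    $lines = net group "$GroupName" /domain 2>$null
    $inMembers = $false
    foreach ($line in $lines) {
        if ($line -match '^-{10,}') { $inMembers = $true; continue }
        if ($line -match '^The command completed') { break }
        if ($inMembers -and $line.Trim()) {
            $line.Trim() -split '\s{2,}'   # columns are separated by runs of spaces
        }
    }
}

function Get-DomainUserGroups {
    param([string]$User = $env:USERNAME)
    # "net user" shows memberships as "*Domain Users        *Domain Admins";
    # "*None" is printed when a category is empty and is filtered out.
    net user $User /domain 2>$null |
        Where-Object { $_ -match 'memberships' } |
        ForEach-Object {
            [regex]::Matches($_, '\*([^*]+)') |
                ForEach-Object { $_.Groups[1].Value.Trim() }
        } |
        Where-Object { $_ -and $_ -ne 'None' }
}

function Get-DomainOverview {
    param(
        [string]$Domain = $env:USERDNSDOMAIN,
        [string]$User   = $env:USERNAME
    )
    $groups = @(Get-DomainUserGroups -User $User)
    [pscustomobject]@{
        Domain            = $Domain
        DomainControllers = @(Get-DomainControllerNames -Domain $Domain)
        DomainAdmins      = @(Get-DomainGroupMembers -GroupName 'Domain Admins')
        CurrentUser       = $User
        UserGroups        = $groups
        # Quick sanity check when reviewing a domain: is this account a DA?
        IsDomainAdmin     = ($groups -contains 'Domain Admins')
    }
}

# Usage on a domain-joined host:
Get-DomainOverview | Format-List
```

Each helper returns plain strings, so the pieces can be combined or compared over time (for example, diffing the Domain Admins list against a known-good copy is a simple way to spot an unexpected addition).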

The AD portion (for me) was not extremely unreasonable, and it does provide a lot more strategy when it comes to tackling the exam. Good luck gaiz, ace the AD portion and you will probably do fine 🙂!
