Fork me on GitHub

OSCP: Try less harder

A while ago I earned my OSCP certification. Before that I had my GPEN and Pentest+. The Pentest+ I obtained during the beta program for the certification since the test was only $50 and I figured there was not much harm in trying. I took it practically blind (no preparation), and found out I passed in August. Shortly after I was given the opportunity to take the SpectreOps Red Team Training and after that scheduled to take OSCP training.

The SpectreOps Red Team Operations training was by far the best training I've received or seen on modern day pen testing. It covered not only lateral movement and pivoting, but good opsec and trying to stay covert and stealthy to avoid detection. If you did something that would get you caught you might lose your foothold or a machine. This enforced best practices and for me it was my first time getting really familiar with Cobalt Strike.

The OSCP training by comparison, seemed rather dated, and for a while I kind of had a chip on my shoulder about it. It's teaching me all these TTPs that would get get you caught instantly or light up the dashboards at a modern SOC. So I felt I was learning nothing new and what was new was either outdated or useless. The individual computers in the lab aren't really integrated or part of a domain, pivoting and lateral movement isn't emphasized (at least at first). The OSCP labs and training does need to be updated.

But as I got deeper and after I made my exam attempt I realized, its less about the tools and more just testing familiarity with the techniques (even if there is a more modern equivalent), but the most important thing it probably drilled into you was methodology. Or making sure you had a good one, one that could adapt to challenge and tested your time management and priorization. Obviously, the exam also tests if you can document and write a report. Granted, their idea of a report is more in the fashion of a book report where you explain everything even if you know your audience (the teacher) read the same book. This runs counter to everything I was taught in my business courses and have observed in real life with reports I've read and have written. You keep it brief, you know your audience, don't explain something to the audience that they should know. Even the technical portion, you need enough information for another person with a technical background to understand or of similar skills and experience to reproduce. For confidentiality sake, its best to not to be too detailed, only state what needs to be stated to express the risk and impact. In the OSCP, this will literally get you failed if you don't list every step taken. I know this because even though I obtained all but one flag in my first attempt, I failed because my usual method of documenting in reports lacked enough detail. Don't get me wrong I had screenshots, I described what was done, but I didn't write it like a how to, I wrote it with the assumption that I can say what I did and the steps taken to do so were implicit to anyone with a techinical background reading it. I understood later from an exam perspective, they want you to lay it all out for them so they know you have a full understanding. Just like in a book report you explain all the different aspects of the story even though you know the teacher has read the book too, and you should be able to mention something in the book and assume shared context, without explaining the whole plot. You can get dinged for not having enough documentation but I've not heard of someone failing for having too much with the OSCP exam. Also, of course, make sure you include those money shots (the winning screenshot of the flags with the ipconfig/ifconfig in an interactive shell). I like to add in hostname, uid/whoami in the shot as well for good measure.

The second attempt I got all the flags, and since I learned my lesson the first time and over documented the report (about 20-30 pages longer than my prior report) which went against my usual approach, I passed.

So what did I take away from all this that the OSCP does need to be updated badly, and it their report standard should not be anyone's guide on how to write a proper pen test report. That said, focus on you methodology, approach, and time management.

What I mean by time management is, if you're taking the test and you're hammering at a machine or service and getting no where, move on. Same goes for the lab even. Instead of banging your head against it, find another machine or service to look at, take a break, change your approach, but do not waste time on one thing leaving you no time to make progress else where. You can always come back to it later after popping other boxes, but managing your time wisely is key on the exam. Just as it is on a pen test with a limited engagment time use your 24 hrs in the exam or 30-90 days in the lab wisely.

If you can swing it, run your webcam on a separate machine to reduce load on the machine you're taking the exam on. Note: The proctored exam wasn't that intrusive. Also, again if you can swing it screen record the computer you're working on in case you forget to take a screenshot somewhere. This was a tip I got from another OSCP article, and helped in a few cases where I didn't have a screenshot or needed to remember something I did to document it. Run the screenrecording software on the host machine, not the VM for obvious reasons. I would screen record for an hour or so, save the video then start recording again. Keep the recordings secret/safe or delete them when you're done.

I also reccomend popping as many boxes as you can in the OSCP labs and on Hack The Box. There is a list of OSCP like boxes that HTB regulary hosts in it's retired boxes (which requires a membership but is worth it).

What that means for now is that despite its shortcomings the OSCP is still probably the best cert to have for a pen tester since its still the only practical hands on test that gives you a foundation of methodology to build on. I don't know for how long that will last or how hard it will be for another company to come in and do something that's better that addresses my issues above. Even if that never happens its value is going to be less and less over time as modern TTPs are what's in demand.

social