Your Path to the OSCP+
I have one year of experience in red teaming operations, backed by a strong foundation in cybersecurity. Recently I passed the Offensive Security Certified Professional (OSCP+) certification after dedicating 4 months to intensive preparation, including hands-on labs through the PEN-200 course and various other practical exercises.
I passed the exam on 12/11/2024 and submitted the report the next day. I've decided to share everything I learned to help others succeed in cracking the OSCP+.
Earning the OSCP+ certificate was a challenging but rewarding experience. Over the course of three months, while managing a full-time job, I dedicated the first 1.5 months to completing the PEN-200 course material. Afterward, I transitioned to practicing HTB machines from the , list and focused on building a strong foundation in Active Directory by working extensively on AD-focused machines. Then I moved on to PG (Proving Grounds Practice), where I completed over 70 machines.
The course covers the basics of each module, and depending on your experience level you might learn something new.
For me, most of the modules covered things I already knew, and I highly recommend following the CPTS path (HTB Academy) as it covers the OSCP topics in more depth and detail. I'm not suggesting you skip the course material: complete it first, then move on to the challenge labs.
Remember, every challenge you solve is an advantage: you'll learn something new and have the opportunity to add valuable insights to your cheat sheet.
All the challenge labs are excellent for gaining more practice and knowledge, and for additional information you can explore Reddit or Medium blogs. Personally, I completed all of them except Skylark, where I only reached 30% completion; however, I highly encourage you to finish it, as it offers valuable learning opportunities.
Time Management
I always heard about managing time but didn't give it much attention until the exam made me realize how crucial it is. It's like advice from your parents: you ignore it until you grow up and understand its importance. Set time limits for different parts of the exam.
AD Set: Allocate 3 to 4 hours, depending on your experience. If you can't compromise the domain in that time, move on to another machine.
Standalone Machines: Similarly, set time limits for each step (e.g., foothold, privilege escalation). If you're stuck, switch to another machine. You may have started with the hardest one and feel more stressed; spending too much time on it drains energy and wastes valuable time.
Take Breaks
Taking a break every 2 hours, or after getting a foothold, helped me reset and think clearly. It's important to pause, rethink and rebuild your ideas. Don't feel ashamed to ask the proctor for more breaks: just send a message and take one.
Practice, Practice, Practice
Work through PortSwigger labs to master common attacks like file uploads, LFI, etc.
Build familiarity with both standalone and AD style challenges.
Stress Management
Don't overcomplicate things. Stay calm: even if you spend 8 hours without a foothold on any machine, you can still earn enough points in the remaining time. Manage stress by taking a step back, breathing, and revisiting problems with a fresh mindset.
Diversify Your Toolkit
Learn multiple tools for the same task. For example, relying only on linpeas for Linux PrivEsc might cause you to miss something critical. Using a second tool or a manual approach can reveal what one tool overlooks.
Manual Over Automated
Automated tools are helpful but not foolproof. For instance, if you find PuTTY installed on a machine, don't just rely on tools like LaZagne to retrieve saved session data. If the tool fails, manually inspect the registry (PuTTY keeps saved sessions under HKCU\Software\SimonTatham\PuTTY\Sessions) for stored credentials; it can save time and effort.
Learn from IppSec
Watch IppSec's videos and adopt his methodology. Combine it with your own approach to develop a well-rounded strategy.
When Stuck, Step Back
If you're stuck, go back to basics.
Check HTTP titles, source code, CMS names, vhosts, etc.
Look for things you may have missed during the enumeration phase—it’s the cornerstone of OSCP success.
If you've spent over 3 hours without progress, refer to a writeup to learn what you missed, update your cheat sheet, and move forward.
Don't Be Hard on Yourself
Missing something simple happens to everyone. Instead of getting discouraged, learn from the experience and move forward. Every mistake helps you improve.
Don't trust automated tools
Prepare your environment
Take a snapshot of your Kali VM to safeguard against crashes.
Reboot your machine before exam day to ensure everything is functioning properly and there are no unexpected issues.
By focusing on these strategies, you'll improve your skills and increase your chances of success. Good luck, and remember, it's all part of the learning journey.
OffSec has updated the AD set in OSCP+ by providing a valid user credential, which makes it easier than the older version.
In the previous version you'd spend more time enumerating web applications and trying to get a foothold, and many failed in exactly that scenario; the focus wasn't entirely on testing AD skills. With the updated version the game has changed, and you can concentrate entirely on the AD section.
Play Active Directory 101 from HackTheBox to build a strong foundation.
The key to cracking the AD set is being proficient in Windows PrivEsc. Strong AD skills alone won't be enough; you need to complement them with solid PrivEsc techniques. To improve your PrivEsc:
Play more Windows machines on Proving Grounds. If you get stuck during PrivEsc, take the time to crack it, as you won't have writeups during the exam.
Use two different tools for tunneling and for PrivEsc to avoid relying solely on one.
Enroll in the Windows PrivEsc path on HackTheBox Academy. It's a great module that covers various PrivEsc techniques and prepares you for the exam scenarios.
BloodHound will be your friend, so practice with it; it's not that hard, and it gives you an overview of what the domain looks like. A trick: if the JSON files won't load in the BloodHound GUI, import everything except the computers JSON file to get a quick view. You will still need to re-run the collection afterwards to get the full data set.
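The import trick above, as an added Python helper that is not part of the original post nor of BloodHound or SharpHound: it unpacks a SharpHound zip and writes out every JSON file except those whose `meta.type` you choose to leave out (`computers` by default), so you can drag the rest into the GUI and see who-can-reach-what while the full collection re-runs. The zip it builds for the demo is constructed here; the file names and the `meta` block (`type`, `count`, `version`) mirror SharpHound's layout, while the objects inside are invented. The splitter decodes with `utf-8-sig` so a BOM at the start of a file, which `json.loads` on raw bytes refuses, does not break it.

```python
import io
import json
import sys
import tempfile
import zipfile
from pathlib import Path


def build_sample_collection() -> bytes:
    """Constructed stand-in for a SharpHound zip, built in memory.
    File names and the meta block (type/count/version) follow SharpHound's
    layout; the objects inside are invented for this example."""
    files = {
        "20241112120000_users.json": ("users", [{"Properties": {"name": "DAVE@CORP.LOCAL"}}]),
        "20241112120000_groups.json": ("groups", [{"Properties": {"name": "DOMAIN ADMINS@CORP.LOCAL"}}]),
        "20241112120000_domains.json": ("domains", [{"Properties": {"name": "CORP.LOCAL"}}]),
        "20241112120000_computers.json": ("computers", [
            {"Properties": {"name": "DC01.CORP.LOCAL"}},
            {"Properties": {"name": "WEB01.CORP.LOCAL"}},
        ]),
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, (kind, data) in files.items():
            doc = {"data": data, "meta": {"type": kind, "count": len(data), "version": 5}}
            # Prefix a UTF-8 BOM so the splitter is shown coping with one;
            # json.loads() on the raw bytes would reject it.
            zf.writestr(name, "\ufeff" + json.dumps(doc))
    return buf.getvalue()


def split_collection(zip_bytes: bytes, out_dir, skip_types=("computers",)):
    """Unpack a collection zip into out_dir, leaving out every JSON whose
    meta.type is in skip_types. Returns (written, skipped), both
    {filename: object count}, so you can see what the GUI will and won't get."""
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    written, skipped = {}, {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(".json"):
                continue
            raw = zf.read(info)
            # utf-8-sig strips a leading BOM if present and is a no-op otherwise
            doc = json.loads(raw.decode("utf-8-sig"))
            meta = doc.get("meta", {})
            count = meta.get("count", len(doc.get("data", [])))
            if meta.get("type") in skip_types:
                skipped[info.filename] = count
                continue
            # basename only: never let an archive path escape out_dir
            (out_dir / Path(info.filename).name).write_bytes(raw)
            written[info.filename] = count
    return written, skipped


def demo(skip_types=("computers",)):
    """Split the constructed zip in a scratch directory and report what landed."""
    with tempfile.TemporaryDirectory() as tmp:
        written, skipped = split_collection(build_sample_collection(), tmp, skip_types)
        on_disk = sorted(p.name for p in Path(tmp).iterdir())
    return written, skipped, on_disk


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: split_bh.py <sharphound.zip> <out_dir>
        w, s = split_collection(Path(sys.argv[1]).read_bytes(), sys.argv[2])
    else:
        w, s, _ = demo()
    for name, n in w.items():
        print(f"import  {name} ({n} objects)")
    for name, n in s.items():
        print(f"skip    {name} ({n} objects) - re-run the collection later for these")
```

Point it at the real zip and an output directory, then upload the directory's contents in the GUI. Anything listed as skipped is still missing from the graph, which is why the collection has to be re-run before you trust a "no path to Domain Admins" result.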
OSCP+ is a challenging certification: not overly hard, but definitely not easy. Even with experience and strong skills you might fail, because the exam demands a deep understanding of OffSec's mindset. It's not just about technical skills; it's about how you approach their machines.
Active Directory 101 on HTB
Read writeups
Join online communities like the OSCP subreddit for support and advice
If you get credentials for a user, fully enumerate that user (check folders, groups, and services).
For domain credentials, use a tool like CrackMapExec, trying the same password both as a domain login (the -d flag) and as a local account (the --local-auth flag), or Nmap's smb-* NSE scripts with the credentials passed as script-args, to perform enumeration.
Always try default admin creds like admin:admin on web apps; OffSec often uses simple credentials such as username:username.
Start with the most obvious and simple attacks, then increase the complexity as needed.
Use at least two tools for the same task (PrintSpoofer and GodPotato, Dirbuster and wfuzz with different wordlists, Mimikatz and secretsdump, etc.).
Remember, OSCP doesn’t just test knowledge, it tests your methodology.
For the AD section, have a ready methodology. Consider all possible scenarios when you approach AD with credentials. Test each scenario methodically and note down the results.
Always perform thorough enumeration and fingerprinting, both before and after exploiting a target, rather than jumping straight to an exploit.
For more information about OSCP+, you can check the official OffSec .
Enumeration is Key
You'll hear this constantly and I can confirm it: enumeration is absolutely essential. Check everything: uncommon ports, unfamiliar services, and every clue you find. Your best friends during this process are Google, , and my cheat sheet xD.
Focus on Proving Grounds machines ( List and List).
Practice AD machines on Proving Grounds using the and lists to understand OffSec’s AD mindset.
Tib3rius - Windows Privilege Escalation (): This course is highly recommended for learning practical PrivEsc techniques.
Practicing in labs
Watch the IppSec OSCP prep to familiarize yourself with the process.