Your Path to the OSCP+
Last updated 6 months ago
I have one year of experience in red teaming operations, backed by a strong foundation in cybersecurity. Recently I passed the Offensive Security Certified Professional (OSCP+) certification after dedicating 4 months to intensive preparation, including hands-on labs through the PEN-200 course and various other practical exercises.

I passed the exam on 12/11/2024 and submitted the report the next day. I’ve decided to share all my knowledge to help others succeed in cracking the OSCP+.

Earning the OSCP+ certificate was a challenging but rewarding experience. Over the course of three months, while managing a full-time job, I dedicated the first 1.5 months to completing the PEN-200 course material. Afterward, I transitioned to practicing HTB machines from the TJ Null and Lainkusanagi lists and focused on building a strong foundation in Active Directory by working extensively on AD-focused machines. Then I moved on to PG (Proving Grounds Practice), where I completed over 70 machines.

OSCP course summary

The course covers the basics in each module, and depending on your experience level you might learn something new.

For me most of the modules were things I already knew, and I highly recommend following the CPTS path as it covers the OSCP topics in more depth and detail. I’m not suggesting you skip the course material, but you should complete it first and then move on to the challenge labs.

Remember, every challenge you solve is an advantage and you'll learn something new and have the opportunity to add valuable insights to your cheat sheet.

All the challenge labs are excellent for gaining more practice and knowledge, and for additional information you can explore Reddit or Medium blogs. Personally, I completed all of them except Skylark, where I only reached 30% completion; however, I highly encourage you to finish it as it offers valuable learning opportunities.

The Key Tips

  1. Time Management: I always heard about managing time but didn’t give it much attention until the exam made me realize how crucial it is. It’s like advice from parents: you ignore it until you grow up and understand its importance. Set time limits for different parts of the exam.

    • AD Set: Allocate 3 to 4 hours depending on your experience. If you can’t compromise the domain in that time, move on to another machine.

    • Standalone Machines: Similarly, set time limits for each step (e.g., foothold, privilege escalation). If you’re stuck, switch to another machine. You may have started with the most difficult one; spending too much time on it adds stress, drains energy and wastes valuable time.

  2. Take Breaks: Taking breaks every 2 hours, or after getting a foothold, helped me reset and think clearly. It’s important to pause, rethink and rebuild your ideas; don't feel ashamed to ask the proctor for more breaks. Just send a message and take one.

  3. Practice, Practice, Practice

    • Work through PortSwigger Labs to master common attacks like file uploads, LFI etc.

    • Build familiarity with both standalone and AD-style challenges.

  4. Stress Management: Don’t overcomplicate things. Stay calm: even if you spend 8 hours without a foothold on any machine, you can still earn enough points in the remaining time. Manage stress by taking a step back, breathing and revisiting problems with a fresh mindset.

  5. Diversify Your Toolkit: Learn multiple tools for the same task. For example, relying only on linpeas for Linux PrivEsc might cause you to miss something critical. Using a second tool or a manual approach can reveal what one tool might overlook.

  6. Manual Over Automated: Automated tools are helpful but not foolproof. For instance, if you find PuTTY installed on a machine, don’t just rely on tools like LaZagne to retrieve saved passwords. If the tool fails, manually investigate the registry for stored credentials—it could save time and effort.

  7. Learn from IppSec: Watch IppSec’s videos and adopt his methodology. Combine it with your own approach to develop a well-rounded strategy.

  8. When Stuck, Step Back: If you’re stuck, go back to basics.

    • Check HTTP titles, source code, CMS names, vhosts, etc.

    • Look for things you may have missed during the enumeration phase—it’s the cornerstone of OSCP success.

    • If you’ve spent over 3 hours without progress, refer to a writeup to learn what you missed, update your cheatsheet, and move forward.

  9. Don’t Be Hard on Yourself: Missing something simple happens to everyone. Instead of getting discouraged, learn from the experience and move forward. Every mistake helps you improve.

  10. Don't trust automated tools

  11. Prepare your environment

    • Take a snapshot of your Kali VM to safeguard against any crashes.

    • Reboot your machine before exam day to ensure everything is functioning properly and there are no unexpected issues.

By focusing on these strategies, you’ll improve your skills and increase your chances of success. Good luck and remember, it’s all part of the learning journey.

The New AD Set structure

OffSec has updated the AD set in OSCP+ by providing a valid user credential, which makes it easier than the older version.

In the previous version you’d spend more time enumerating web applications and trying to get a foothold, which caused many to fail. The focus wasn’t entirely on testing AD skills, but with the updated version the game has changed and you can concentrate entirely on the AD section.

Recommendations for AD set

  1. Play Active Directory 101 from HackTheBox to build a strong foundation.

  2. The key to cracking the AD Set lies in being proficient in Windows PrivEsc. Strong AD skills alone won’t be enough; you need to complement them with solid PrivEsc techniques. To improve your PrivEsc:

    1. Play more Windows machines on Proving Grounds. If you get stuck during PrivEsc, take the time to crack it, as you won’t have writeups during the exam.

    2. Use two different tools for tunneling and PrivEsc to avoid relying solely on one.

    3. Enroll in the Windows PrivEsc Path on HackTheBox Academy. It’s a great module that covers various PrivEsc techniques and prepares you for the exam scenarios.

  3. BloodHound will be your friend, so practice with it; it's not that hard, and it gives you an overview of what the domain looks like. A trick: if the JSON files don't load in the BloodHound GUI, skip the computers JSON file and import only the others for a quick view. You will, however, need to re-run the collection of the JSON files.

OSCP+ summary

OSCP+ is a challenging certification: not overly hard, but definitely not easy. Even with experience and strong skills, you might fail because the exam demands a deep understanding of OffSec’s mindset. It’s not just about technical skills; it’s about how you approach their machines.

Recommended for preparation

  • Active Directory 101 on HTB

  • Read writeups

  • Join online communities like the OSCP subreddit for support and advice

Common questions

Do I really need to use Hack The Box machines while studying for the OSCP with the PEN-200 labs?

I don’t think it is necessary. As I mention in the post, I think people are still trapped in the idea that PWK200 is not enough, because that was the case a few years ago, but it is not the case anymore. The exam is a CTF and the style of HTB is very different from OSCP.

Would you say PG boxes and PWK200 are enough to pass this exam?

Absolutely, they are more than sufficient.

I am having a hard time getting the foothold. What can I do?

  • Watch videos from OffSec Siren to understand the methodology.

  • Practice using the LainKusanagi or TJNull lists and work through the boxes.

  • Set a maximum time limit for yourself before checking hints, don’t waste hours struggling aimlessly. If you’re stuck and can’t figure it out, move on and learn from it later.

HTB vs PG

HTB helps you learn faster, with fewer rabbit holes, and the amazing IppSec videos are a great resource. However, PG boxes are more aligned with the exam format, so it’s better to get used to them, and if you get stuck, consider asking for a hint in the OffSec Discord rather than immediately resorting to a walkthrough.

Scope and Exam Difficulty

I felt the exam was very much within the scope of the study materials. Make sure to do all the course labs and challenge labs. For OSCP-A to C, as others have mentioned, play PG for more practice.

How did you practice the independent machines?

Lab challenges plus the LainKusanagi and TJNull lists (around 70 PG practice boxes). I would also read walkthroughs for the boxes that I didn't attempt and add new concepts to my notes.

Practical Advice

  • If you get credentials for a user, fully enumerate that user (check folders, groups, and services).

  • For domain credentials, use tools like CrackMapExec (with the --local-auth and -d flags) or Nmap to perform enumeration.

  • Always try default admin creds like admin:admin on web apps; OffSec often uses simple combinations such as username:username as credentials.

  • Start with the most obvious and simple attacks, then increase the complexity as needed.

  • Use at least two tools for the same task (PrintSpoofer and GodPotato, Dirbuster and wfuzz with different wordlists, Mimikatz and SecretsDump, etc.).

  • Remember, OSCP doesn’t just test knowledge, it tests your methodology.

  • For the AD section, have a ready methodology. Consider all possible scenarios when you approach AD with credentials. Test each scenario methodically and note down the results.

  • Always perform thorough enumeration and fingerprinting before you exploit a target; avoid exploiting immediately.

For more information about OSCP+, you can check the official OffSec website.

Enumeration is Key: You’ll hear this constantly and I can confirm it; enumeration is absolutely essential. Check everything: uncommon ports, unfamiliar services and every clue you find. Your best friends during this process are Google, HackTricks, IppSec’s website and my cheat sheet xD.

Focus on Proving Grounds machines (TJNull List and Lainkusanagi List).

Practice AD machines on Proving Grounds using the TJ Null and Lainkusanagi lists to understand OffSec’s AD mindset.

Tib3rius - Windows Privilege Escalation (Udemy Course): This course is highly recommended for learning practical PrivEsc techniques.

Practicing in labs

Watch the IppSec OSCP prep playlist to familiarize yourself with the process.
