I wanted to make this post detailing everything I did when studying for the OSCP examination. I made a lot of mistakes along the way, and my path was far from the most efficient or effective method for studying toward the OSCP. Nevertheless, I did learn something from every resource listed here and I strongly believe that everything I I did has some value.
With that said, there is always room for optimization, and in the interest of creating a resource to help people work towards the OSCP as best as possible, I have streamlined what I did into a more focused list. Keep in mind that this is intended for people who are completely new to penetration testing like I was, so for those with more experience feel free to skip a few of the points below.
My complete pathway for obtaining the OSCP, zero to hero style:
- Penetration Testing – A Hands on Introduction to Hacking by Georgia Weidman
- IppSec’s YouTube channel + Retired HackTheBox machines
- eLearnSecurity Junior Pentration Tester (eJPT)
- Penetration Testing with Kali Linux course (PwK)
- Offensive Security Certified Professional (OSCP)
In the instance you fail, complete all the beginner and advanced machines on the Virtual Hacking Labs platform before another exam attempt.
I’m confident that this pathway, combined with determination and the right attitude, will lead to success. This is without a doubt the pathway that I would take if I had to do the whole process over.
For a complete breakdown of everything I did in the lead up to passing the OSCP, read the rest of this post below. I’ve included links to relevant blog posts for further reading on specific platforms or resources, as well as some of my favorite tools that I used frequently.
Pre PwK Preparation
Before I even started in the PwK course work and lab environment, I put in a decent amount of study to make sure I wasn’t going to get too overwhelmed. In hindsight I think I prepared a little too much, and not all of what is in here is useful or relevant. If you are a complete beginner like I was, I’d recommend reading Penetration Testing – A Hands on Introduction to Hacking and watching IppSec’s videos of easier HackTheBox machines. If you want to spend more time, obtaining the eJPT certification could also be a worthwhile endeavour. After that, just jump straight in and give the PwK a go.
For more details about my PwK Preparation, check out this blog post
The Security+ was my first security certification, so I’ve included it here for the sake of completion. Not really relevant to the OSCP, but useful to have for those who are complete beginners in Security.
Penetration Testing – A Hands on Introduction to Hacking by Georgia Weidman
An incredible book, this is a must read for beginners. It acts as an excellent segue into the PwK course as it is a technical guide walking readers through the basics of penetration testing. Georgia’s accompanying video series on Cybrary, titled Advanced Penetration Testing is also useful.
The Hacker Playbook 2 by Peter Kim
An interesting book that acts more as a reference manual, this book is useful to familiarize yourself with some of the tools and terms you may come across, but not particularly necessary in my opinion.
Kioptrix 1-4 on Vulnhub
My first vulnerable machines, the Kioptrix series is well known in the community as being beginner friendly. There are also numerous walkthroughs available which you can use to follow along with, including my own.
IppSec’s video tutorials of retired HackTheBox machines
I then watched a collection of IppSec’s videos, especially the ones he made for easier machines. Following along with the video is extremely useful to help familiarise yourself with the commands and tools he makes use of. His channel can be found here
Post PwK Lab Time
I managed to gain root or system access to 28.5 machines in the PwK lab environment, but wasn’t confident I was good enough to pass the exam. I pushed the exam date a little ways out from when my lab time ended, and did some more study in between.
Vulnerable machines on HackTheBox
I almost exclusively used HackTheBox during this time, focusing on retired machines. I completed 25 of the OSCP-esque machines listed below, often with the use of walkthroughs or IppSec’s videos. In hindsight I think I would have learned a lot more at this point if I refrained from working alongside videos, but at the time my primary concern was exposure to a large range of services and attack vectors. I would highly recommend attempting these machines without any assistance.
Exam attempt #1 (failed with 65 points)
I gave the OSCP exam a real good go, but in the end, I was just shy of passing on my first attempt – ending with 65 points. I was so close to passing that even now I regret not being able to finish the exam on my first time around. I feel like with just a little bit more I could have passed, but it simply wasn’t to be. The details of this exam attempt and reasons for why I failed can be found in my post exam write up.
Before exam #2 (passed with 85 points)
This is where I made considerable progress and learned the most. After taking a 3 month break to accommodate some big changes in my life, I jumped back in to studying. Deciding not to extend lab time and test the waters with other external services, my focuses were on web applications and privilege escalation. Of what is listed below, Virtual Hacking Labs deserves a special mention – it is absolutely incredible.
I tried this platform out as a colleague had recommended it to me, and it allowed for some targeted study on web application testing. While interesting and well done, I personally didn’t find it as valuable as racking up more practical experience was proving to be. I completed the Web Application Essential Badge, which I discussed in some detail in another blog post.
Vulnerable machines on HackTheBox
I went back to HackTheBox and completed 5 of the easiest active machines, taking my full tally on the platform up to 30 machines. The active machines do not have walkthroughs available like the retired machines do, and are quite challenging (despite their easy ratings). In my opinion, the current generation of ‘easy’ active machines are noticeably more difficult than what is found in the OSCP, so keep that in mind when completing these machines.
eLearnSecurity Junior Pentest
I then turned my attention to the eJPT, as I thought it would be a good bridging certification as I continued to study for the OSCP. Although it is generally well thought out and executed, it was far too easy for me at this point in my studies. I would recommend this for beginners as a precursor to entering the PwK course. My full review and post certification thoughts on the eJPT can be found in another post.
Virtual Hacking Labs
I can’t say enough good things about the Virtual Hacking Labs platform. In my opinion, the courseware and lab environment they provide are superior to that which is provided by Offensive Security. I completed all the 28 of the available 42 machines, and learned something new from each one. I believe that out of everything listed here, I got the most value out of the Virtual Hacking Labs.
For anyone using this platform now or in the future, be sure to visit the unofficial discord channel which is full of friendly and helpful members.
Recommended Tools and Scripts
Finally, I want to give a mention to some of the tools that I personally used when passing the OSCP. These tools are not included in the default Kali Linux distribution, so I recommend downloading them and trying them out for yourself.
AutoRecon by Tib3rius – An incredible tool that makes enumeration so much easier, this tools is basically an essential for anyone attempting the OSCP exam.
Dirsearch by maurosoria – My go to directory enumeration tool, I personally find this tool to be much faster and more versatile than GoBuster or Dirb.
pspy by DominicBreuker – A linux process monitoring tool, pspy is great for viewing running processes to spot cron jobs or other potentially exploitable services. Has come in handy on multiple occasions.
linux-smart-enumeration by Diego Treitos – One of the best Linux privilege escalation tools out there, this was always my first port of call when faced with a low privileged Linux shell.
J.A.W.S by 411Hall – I found this script provides the most amount of information required for Windows privilege escalation, and is very worthwhile to run when working with a low privileged Windows session.