Path to OSCP

I originally considered obtaining OSCP certification last year. I was already using Hack The Box and Try Hack Me quite regularly, and with an eye on a potential career move into the offensive security space at the time, it seemed like an ideal certification to go for.

But with a change in job came a change in career focus, steering me towards Cloud security and GRC, so OSCP had to take a back seat. I’ve gained a ton of certs in the past year which align with my daily work as a cybersecurity consultant, including CISM, CRISC and a few Expert-level Microsoft Azure certs. But with all those “sensible” certs out of the way, and nothing else really of huge benefit to my career at this stage, it’s time to revisit OSCP, a certification that I consider 50% career driven and 50% hobby driven.

I’m not a penetration tester and at this stage in my career I have no intentions of becoming one. But OSCP appeals to me for a number of reasons.

Firstly, I’ve come to really dislike traditional multiple-choice vendor certifications. I strongly believe that technical certifications should require practical exams with hands-on assessments. RHCSA is an example I always use. You cannot pass RHCSA by simply reading a book. You need to spend many hours at the CLI. It is how a technical exam should be. So with OSCP falling into this camp, it’s a welcome break from the memory-tests I’ve been doing for the past 12 months. Excluding exceptional cases, you will not pass the OSCP without many weeks, if not months, practicing at the keyboard. And I like that.

Secondly, despite no desire to become a penetration tester, I think practical knowledge of the tactics, techniques and procedures used in offensive testing is very beneficial to those of us on the defensive side of cybersecurity. Understanding the capabilities of bad actors, the anatomy and details of a typical attack, as well as the difficulties and frustrations encountered by actors during an engagement, can only lead to a greater understanding of how to build better and more robust defenses. Again, practical knowledge trumps theory. You can read all you want about exploits and attack methodologies, but there is no substitute for getting down to the operational level and viewing your assets from an attacker’s perspective.

And finally, it’s just fun. One of the main reasons I’ve enjoyed my career in IT is because it often feels like I’m paid to solve puzzles. It sometimes doesn’t even feel like work. And OSCP feels more aligned to that way of thinking than any other exam I’ve done. I’m under no illusion that, like most things in life, hobbies and interests that become professional endeavors can quickly lose their charm. But at the moment I consider learning these skills and tinkering away at CTFs a very enjoyable pastime, with their professional benefits just an added bonus rather than a career requirement. And if the result of that hobby is a final 24-hour challenge with a certificate of accomplishment at the end, all the better!

So, with maybe a naïve perspective of what is required to pass OSCP at this early stage, here is my initial plan to pass OSCP:

  1. Complete TJnull’s “The Journey to Try Harder: Preparation Guide for PEN-200 PWK/OSCP 2.0” on NetSec Focus. There will be a lot of sections of this guide I will already be comfortable with, and a lot of sections I won’t. I don’t know how long it’s going to take me to work down through this, but I think it’s a good primer and a way to brush up on skills I haven’t used much in the past year.
  2. Complete the NetSecFocus Trophy Room VM list (a Google Sheet). I’ve already completed a number of these machines, but I’m going to re-do them anyway and write a quick blog post on each one. The list doesn’t appear to be in a suggested order of completion, and unfortunately there is no OSCP track on Hack The Box (or an ability to create a custom track, which is a pity). Instead, I’ve simply favourited every VM on the NetSecFocus list, which adds the VMs to your “to-do” list. From there, I can sort by difficulty (or by “System Owns”, another metric which I find to be a useful indicator of how easy a box is). At this stage, because I will be learning new techniques and have limited time, I will be using some rules to keep progress moving. If I haven’t found a foothold on a box within 30 minutes, I will be consulting the official walkthrough for guidance. Likewise, if I haven’t achieved the user or root flag within 2 hours, I’ll be completing the box with the official guide. I know this goes against the “Try Harder” ethos, but that will apply in the next step.
  3. With the HTB boxes complete, I’ll register for PWK/PEN-200, which gives me 90 days of access to the lab environment. I’ll be working through the exercise modules first to obtain the 10 bonus points, and then working through as many VMs as possible in the remaining lab time I have. For the official labs, I won’t be giving up after 30 minutes of no foothold or 2 hours of no flag. I will also be leaving a number of VMs and one of the Active Directory sets aside to do a 24-hour mock exam.
  4. With the mock exam completed without issue, I’ll book the exam about 2 weeks out.

So there we have it, subject to change, my strategy for passing OSCP. Let’s see how it goes.
