OSCP+: Step-by-Step Guide to Success
Hi all, I am back with everyone’s favorite and most requested certificate — Offensive Security Certified Professional+ (OSCP+) by OffSec. I wanted to share my view and give tips on the latest version of OSCP+. Let’s keep it short. Don’t worry if you were preparing for the OSCP exam earlier but couldn’t sit for it yet; this blog will help you enough to pass your OSCP+ on the first attempt.
Background
I took my OSCP 3 years ago and it was a worthwhile journey. I am back at it again so I can renew my CRT, and I have been waiting to try the Active Directory updates on OSCP (now OSCP+). Do not be confused or overwhelmed by the changes made to the new OSCP+.
I believe OSCP+ is easier than the OSCP I took 3 years ago. It is not because of the experience I have gained; the Active Directory part is super simple and free points if you ask me.
Prerequisites and Preparation
I personally didn’t prepare for the exam but did check the coursework on the Active Directory part and did the labs. I want to link back to the blog I wrote about my last OSCP review: Passed OSCP with 100% in 15 hours.
I suggest you give it a good read. The blog above covers the plan and preparation I did for my last OSCP exam. If you have covered most of those things, you should be good to go for the exam. If you’re as lazy as me, let me list all the things from the earlier blog ._.
- You should have done enough machines on TryHackMe and HackTheBox. If not, start with TryHackMe to get some experience, then move to HackTheBox retired machines, and eventually move on to the TJ Null OSCP list.
- My favorite: Ippsec and 0xdf. These guys are the best for understanding the mindset. I used to watch ippsec/0xdf even after finishing a box, just so I could understand what else could have been done.
- Use walkthroughs wisely. Keep them to a minimum. Always make sure you learn something whenever you take a look at a walkthrough.
- Definitely do all the Challenge Labs from the OSCP. If you have the time, take a month of Proving Grounds (paid) and do as many machines as you can: you can use 3 hints and 1 walkthrough every day, so make good use of them.
- Privilege Escalation: Do the TCM Academy (Windows and Linux) or Tib3rius privilege escalation courses. These courses will teach you more than you need for the OSCP but are very helpful in the future.
- Note everything you do. Trust me, don’t make the same mistake I did. Get yourself an online notebook like Notion or OneNote and write down everything you learnt, PoCs for exploits, etc.
- Learn to perform one task in multiple ways, like transferring files, manually verifying an exploit, etc.
- Take a snapshot of your VM before the exam and make sure everything you might need in the exam is handy.
Exam Experience: OSCP+
OSCP+ has 40 points for the AD set and 60 points (30 each) for the standalones. Good news: now you don’t need to compromise the whole AD set to get points; each machine from the AD set will give you points. You need 70 points to pass the exam, along with the report.
I started my exam on Saturday morning with good sleep, coffee and motivation. I got the AD set done in around 4–5 hours; I had some issues with stabilizing a shell. I knew the better way but was planning to do the least amount of work, but in the end I had no choice. The standalones took me some time. In under 15 hours I had enough to pass the exam, so I just wrote the report.
Active Directory Set
In my opinion, this is almost free points. When I say this, I mean this set is very simple. Of course, with my nature I had to overcomplicate things as usual, but everything I found and exploited was actually done using manual checks. My automated recon like winPEAS, etc. was good as well, but sometimes that information can overwhelm you and waste a lot of time. So my tip would be to do manual checks of your known commands/locations, and hopefully that would be all you need to finish the AD set. Compromising the DC could be a little confusing at first, but see what privileges you have and what you could use them for — this part might need some out-of-the-box thinking but is super simple.
Standalone Machines
Now this part, I would say, is always the most interesting. It could be super hard or super simple. It all depends on how you handle the issue. But as always, stick to simple stuff; you won’t be asked to write or edit a very complicated exploit. It is always simple: enumerate, and whatever you find, think about how you can use it. If you found some information like, I don’t know, a home address — it is most probably a rabbit hole. You should always look for names, passwords, logs, etc., something which you could use later in exploitation or post-exploitation. Check for default configs and see what you can do after that.
I saw a blog which was quite good when it comes to preparation: Muhammad Noman’s OSCP+ Journey: A Comprehensive Review. Do check it out! :)
Report
Just follow the official OSCP+ report template or Noraj’s report template. Normally when I am writing a report I just include what was found and how it was exploited. Sometimes, if I found two ways to exploit a vulnerability, I might include both. You don’t need to write every single step you take — but make sure you include whatever is needed to replicate the whole compromise.
My Final Tips:
These were my tips from my last OSCP, and I would say they are still relevant, but I did add some new ones :)
- Remember every machine is vulnerable, so don’t lose hope if you don’t find anything useful. Take a break and come back.
- Make sure you do some manual/default checks. Sometimes automated scans throw false positives.
- Find multiple ways to exploit a known vulnerability if possible; also make sure you don’t depend on just ‘curl’ or ‘wget’ to move files.
- If you get a 500 response to your payload, you could be on the right track, just not with the right payload.
- Taking breaks is way more important than you think. If I hadn’t taken breaks I would definitely have failed. WE ARE NOT MACHINES!
- Don’t overdo coffee or energy drinks.
- Have a full 7–8 Hours of sleep before the exam.
- Learn everything you need before the exam. Do not panic and rush to learn on the last day.
- Do a full TCP and UDP scan. You don’t wanna fail because you missed a UDP port.
- I would suggest checking out PG Practice from OffSec before the exam.
- Remember this journey is a marathon, not a sprint.
- Practice as much as you can, and get used to reviewing scan outputs. This will save you a lot of time.
- Lastly, remember if I can pass it so can you! Trust your hard work!
Thank you
Best of luck with your preparation! Remember, it’s all about staying calm and following the process step-by-step. You’ve got this! If you need any advice or just want to chat about the exam, don’t hesitate to reach out — I’m happy to help!