Hi, I follow this list https://www.reddit.com/r/oscp/comments/alf4nf/oscp_like_boxes_on_hack_the_box_credit_tj_null_on/ to practice on HTB to prepare for my OSCP exam. Looks like the Linux ones are good. But I found that the majority of the Windows machines on this list have to be exploited using kernel exploits, which goes against the suggestion not to rely on kernel exploits too much. So do the Windows ones on the list really accurately reflect the Windows boxes in the OSCP?
I took the exam recently and was able to get all 8 flags. My main preparation beyond the PWK lab material was the list of boxes you are referring to. I watched the ippsec videos for each box and took notes on paper, then tried the box. They are very good prep for the exam. All but the easiest HTBs are harder than even the 25 point exam boxes. Unfortunately my report was not good enough so I need to take the exam a second time. But from the first experience I can say with confidence those HTBs are good prep for the exam, as long as you have also done the PWK training material. Also I found the cybermentor YouTube buffer overflow videos very helpful for making some scripts that made the BOF box trivial.
@bugeyemonster, thanks for your very valuable feedback! It’s a pity they didn’t let you pass even though you got all the flags. I’m also preparing for my 2nd try. I actually cracked all the boxes in the list before my first try, and I think I probably didn’t fully understand all the knowledge and tactics then, so it was more about copying what ippsec did. I’ll revisit all the boxes and make sure I fully understand and master the knowledge and skills involved in popping all these boxes before I sit my next try.
Thanks for the advice on the BOF.
I recently got OSCP. No list of machines can give you an indication of what will appear on the exam. All you can do is visit as many machines as you can to get a solid general understanding of the process.
The exam is not technically very tough. It is more about your performance really than the expertise you have. If you can pace yourself, be thorough and multi-task, you should be alright.
Feel free to PM if any more advice is needed.
I just got the OSCP. That’s the list I used as well. I didn’t do any of the offsec labs, just the entire list above, watched the @ippsec videos and completed half of the active machines. About 50 systems in all. I also completely avoided metasploit while practicing.
Bugeye, I’m curious about where they said your report was not good enough. Did they leave you any feedback on what they wanted in the report?
I got no feedback, then I asked for a review and received feedback. My report was too brief; they want the report to be an actual walk-through of how to cut and paste to complete the box. They do not want a pentest report.
I’d been trying to corner their support team on that question as well. This was their response:
“As outlined in the OSCP Exam Guide, you must document all of your attacks including all steps, commands issued, and console output in the form of a penetration test report.
Your documentation should be thorough enough that your attacks can be replicated step-by-step by a technically competent reader.”
I hated that response, because then they also say to only include what is relevant. So “relevant” is a pretty subjective term to me, as that’s just a judgment call. So I plan to include output of anything that seems to need it. Like if I say I found a file with passwords in it, I’ll probably throw in a screenshot of the passwords in the file. I’ll probably throw in a screenshot of a successful reverse shell. Stuff like that.
So I got the same sense, that the report is less about a pen-test report and more of a walk-through. I plan to have all the sections on there like high level overview, discovered vulnerabilities, and stuff like that, but the main focus will be on the walk-through portion. What’s funny is they have two copies of pen-test reports on their site as examples, and the newer one doesn’t really fit what they seem to be looking for, as far as a total walk-through.
Here’s the link to the older ‘narrative-based’ report:
^ This. I recently passed with 100pts. It’s about time management and being good at enumeration. My 25pt box was pretty tough but the others were very straightforward once you found the thing. I posted my ‘lessons learned’ here: Reddit - Dive into anything
I just stumbled upon this thread and I want to leave my two cents. I passed the OSCP on my second attempt back in July 2019, having gotten all the flags except for root on a 25 point box. So I knew I had enough points even without any partial credit for having a low-priv user on that 25 point box. But just because you have enough points doesn’t mean it’s time to celebrate. Remember, the report is what you are graded on! It is meant to be a pen test report similar to a real-world engagement. My final report was 52 pages, but a lot of that was due to the screenshots.
For each target, add in a section called Information Gathering with a screenshot and a single-sentence description for that screenshot. Do this for information that was useful in helping you identify the existence of the vulnerability: open ports, directories, nmap scans, etc.
Link to any proof of concept code that you used (GitHub, exploit-db).
Include the exploit code and highlight any changes you made to it.
Disclose and explain each vulnerability used to get a low-priv shell and to escalate to root/system.
Provide a recommendation to fix the vulnerability.
Provide a step-by-step guide to reproduce the exploit (low-priv and root/system). Include some screenshots.
Provide a proof screenshot for each flag. Make sure that screenshot has the username, hostname, IP address, and the flag.
Don’t delay writing the report! I thought it would take less time than it did. It took me 8 hours and I turned it in 5 minutes before it was due.