My 2021 Study Plan for OSCP
At the end of 2020 I set my goal for 2021 to complete my OSCP certification. It didn’t go 100% to plan, and my preparation continues.
The Decision
In 2020 my primary educational focus had been to renew all of my networking certifications. I spent the last 6 months of the year prepping and finished renewing all my certifications by completing the CCNP Enterprise exam. At this point there was a choice to make. I could jump into my CCIE lab exam preparation, or I could take a break from it and do something drastically different. I chose to take a different path and start preparation for the OSCP (Offensive Security Certified Professional). This really turned out to be a good but difficult choice.
But this isn’t even in my specialty?
Why would I start working towards this, and say it is a good choice, when the subject area really has little to do with my normal day job? Firstly, another engineer I worked with and I had discussed doing it for a couple of years, but the timing had never really fit. Secondly, it seemed like something that would be fun to learn while broadening my perspective. Lastly, and as a surprise benefit, the huge amount of time invested actually made me much better at my existing job.
How did it make me better at my job?
This is a big topic with a lot to go into so I will write a whole post about it when I have time.
So what’s the study plan?
The first step was research on how others were prepping for the exam and learning this material. Based on this I put together a preliminary plan on what path to take.
Python
I started with Python. The exam requires working with exploits written in Python, and building basic tools in Python would be a requirement. There was some Python in my Cisco renewal, but not enough. I love to read, so I picked up Python Crash Course, 2nd Edition by Eric Matthes. Although it is a simple book, if one goes through the whole book and understands the concepts it provides a good starting point. It isn’t everything one needs, and plenty of more specific knowledge will be needed. Mostly, this can be learned by doing as one goes through the rest of the studying.
Virtual Hacking Labs
A site that has a “course” and labs available for learning. It showed up a lot during my research about prep as a good option. This was really the first step into the security aspect of the preparation. I only did 30 days of work on the site labs, but it did provide a starting point.
This course provided a 430-page PDF with a lot of study material, general information, and guided exploits of specific lab machines. The PDF was useful as a tool to build a base level of knowledge about tools, techniques, and the general approach to hacking. The first 9 days of my time were spent reading and completing examples. The final 20 days were spent working on the provided lab machines.
When all was finished I was a little disappointed with my abilities in the course, completing only 12 of 45 total machines and 8 short of the number needed for the site’s document of completion. I did complete all the site’s easy machines, but with my limited experience in the subject area, harder machines were difficult to crack. At the time I had a general lack of ability in most areas, including enumeration and working with exploits, and very little ability with privilege escalation. I knew I needed to spend more time reviewing basics and getting better in all areas.
https://www.virtualhackinglabs.com/
Hack the Box, (but mostly Academy)
Near the end of my time doing VHL I needed to improve at fuzzing. At HTB Academy they have a large selection of basic courses. These cover basic attack methods, some enumeration, and even some general Linux and Windows information. Testing the module for attacking web applications with FFUF was useful for improving the enumeration I was doing. The module was well put together.
Although it had not been part of the study plan, I decided to try out and complete all of the basic modules available on the site. My morning pre-work routine became reviewing the module learning material and completing the practical labs. For someone starting out, you learn a lot if you do all of these.
For those who might want to take a look and see what Academy has to offer:
https://academy.hackthebox.com/
Hack the Box, (The Machines)
Evening study time (basically the 9 to midnight session) was time to work through TJNull’s list of boxes and the accompanying IppSec videos. The plan was to spend 90 days completing as many of these as I could before starting the actual PEN-200 course. I learned a lot during that time period, but some machines were actually very difficult for me to follow along with. Working on these machines and completing modules took me up through May, when it was time to take the plunge into the actual PEN-200 course material.
For anyone wanting information on TJNull’s list or IppSec’s videos:
https://www.youtube.com/c/ippsec/videos
PEN-200
The actual course for the certification includes lab time and a huge 800+ page PDF. I took 60 days of lab time. After finishing, I would probably have taken the 90 days of lab time had I done it over. For someone of my experience level, I think completing every single exercise in the 800 pages would have been beneficial. Completing over half of the exercises was OK, but completing them all takes an extremely long amount of time. With 90 days I think completing all of them and having a lot of time in the labs would have been good. With 60 days it was very tight to try to do all the exercises and get a lot of lab progress.
After reading the entire PDF, taking notes, and working on exercises, I found the easier machines in the lab to be doable. There were still a large number that I found difficult, and by the end of the time I had completed less than 50% of all the machines.
A Small Detour
At the end of May I actually ended up taking 4 days and doing no work on the PEN-200 course. For a specific reason I ended up wanting to get Hacker rank on HTB. I worked basically every free second for 4 days and ended up rooting all easy machines on the site that were active, and finishing just enough challenges to get the rank. Although it doesn’t sound like much, this was a massive accomplishment for me. Being able to get through all those machines and challenges in a short time wasn’t easy, but it did at least show that the work I had been putting in over the last 5 months was leading to improvement.
Post PEN-200 until the first exam attempt
As soon as the course was finished I picked a date for the exam. I picked a date 90 days out to provide more time for prep and returned to practicing machines on HTB, and doing buffer overflow practice on the weekend just to stay quick with them. These 90 days were hard because I was pretty worn down after about 10 months of studying. Sometimes during this period I would even ask myself why I was torturing myself with 15 to 20 hours of studying before and after work to prep for this when I could have just made an easy goal… I kept at it and basically repeated the same thing every day until my test day arrived.
A First Attempt
The first attempt at the exam was brutal. I took the day off work, and took the following day off to have time to work on the exam report if needed. It took a very long time to settle in and make progress on the exam. I scored the first points fairly quickly, but after the first machine was done it was a long slog to get through. I won’t go into details, but in the end I only completed two machines total, and didn’t have a foothold on the other three. My biggest takeaway? Know when to leave a vulnerability and move on. Rabbit holes will crush your hopes, dreams, and soul!!!
So where does that leave us now?
Post exam it was actually hard to get motivated again to study, but I did. I actually did the PrivEsc courses from Tib3rius on Udemy and found them to be very good. These should be on the prep list for people to do early in their prep if they are not experienced. Machines that I had trouble with in the past are getting easier. Vulnerabilities are a bit easier to see (most of the time). Things are actually clicking much better overall after almost an entire year of study. I changed my note taking (using Obsidian now), and still plan on completing the exam.
Second Attempt?
Will likely be in February of 2022 if I can work it out time-wise. There will be a lot of Active Directory study in January, and likely the Offensive Security Proving Grounds for the last 30 days before I take the exam. I would change a lot of things in how I prepared, looking back on it, but this is part of the learning process.