It was a long journey from being a teenager cracking Wi-Fi using BackTrack Linux (old name of Kali Linux) to acquiring OSCP certification after trying my hand in electronics, networking and system administration. I had to pick up from the very basics of penetration testing and have finally acquired this professional red teaming certification.

What helped me was the several other blogs, experiences, resources and personnel interactions before taking up this challenge. I am documenting my journey and curating resources so that this will be helpful for someone out there.

Learning Roadmap:

Listing all the resources and materials I utilized.

1. TryHackMe
   THM has an “Offensive Pentesting” learning path which is ideal for a beginner and helped me get an idea of what to expect on the OSCP journey.

2. OverTheWire | UnderTheWire | Specifically Bandit and Natas
   Fantastic web based games to cover the basics and create a foundation on Linux and Windows.
3. Web Application Pentesting Basics
   • PortSwigger SQL injection | OS Command Injection | Directory Traversal
   • HackTheBox Academy LFI and RFI
4. Basics of Scripting Languages
   • Python Basics The Cyber Mentor Course
   • PHP php codeacademy
   • SQL Relational DB Concepts | SQL Server Tut | codeacademy
   • HTML html codeacademy
5. Nail Privilege Escalation
   • Tib3rius Udemy Courses | Twitter for coupons | Udemy Linux | Udemy Windows
   • Utilize these TryHackMe labs to practice more win privesc | lx privesc
6. Purchased OSCP Labs for 90 days | Started documenting the labs and the exercises for 5 points
7. Nail Buffer Overflow
   • TheCyberMentor TCM Guide along with his Youtube playlist
   • TryHackMe Boxes: BO Prep brainpan
8. CyberSecLabs
   Easier lab machines but great for practicing and needed it to motivate me after my failed attempt.
9. Offensive Security Proving grounds
   First, do about 20 Play machines (easy/intermediate) then another 20 machines in the Practice category. The plan was to complete 40 machines but purchased VHL midway through.
10. VirtualHackingLabs
    VHL is on the expensive side of the labs but was well worth the investment. Highly recommended to perfect your enumeration methodology.
11. Read/Watch on Retired Boxes || https://www.hackthebox.eu/home/machines/retired
12. Watch YouTube machine walkthroughs by ippsec

Online resources, cheatsheets for reference

IMHO the below 3 cheatsheets cover pretty much everything that will be required to pass the OSCP exam. The smartest way is to create your cheatsheet using joplin/cherrytree/onenote.

• Pentest Monkey (10 years old but gold)
• HackTricks Gitbook
• PayloadsAllTheThings

You may download the cheatsheet I used to pass OSCP from the sidebar widget. It was created using Joplin.

Mindmap to crack any machine

The below mindmap along with the cheatsheet provided a step by step assistance to crack every machine. Feel free to duplicate it.

Link: https://whimsical.com/target-machine-ip-23aVmgehajqmAvT9cH4q2K

Pre-Exam Plan

• Only applicable for OSCP aspirants from the United Arab Emirates due to the throttling of OpenVPN packets, setup a solid VPN tunnel using VPS or other alternatives. Stay tuned as I will post how I managed to do it using pfSense firewall.
• Read the official exam guide and create a plan, checklist for every phase of the journey. I have left a sample in the joplin cheatsheet.
• Have a disaster recovery plan for internet/router, machine/laptop, kali virtual machines(snapshots, 3-2-1 backups), webcam, national identification cards.

Exam Mindset and Plan

• Choose an exam timing that doesn’t hinder your normal sleep cycle.
• Enumeration is key. Enumerate as much as possible horizontally before moving vertically.
• Write down machine IP addresses in a sticky note, add a bookmark in the browser, whitelist the IP addresses in burp etc
• Create your own 5 machine order and stick to the plan. The most popular one is starting with BOF (Buffer Overflow) machine while the scans for other machines run in the background. I started with 25 points since I will at my sharpest and BOF was set aside to when I was feeling least motivated or exhausted.
• Set up a 2 or 3 hour timer for one host and take breaks every 45 minutes. Switch to a different machine if there is no progress within the time and reset the timer in case you obtain a low-level shell.
• Keep in mind that non-25 point machines are 5 flags worth 10 points each. So plan for the metasploit usage accordingly.
• Don’t touch metasploit until the last 3-6 hours of the exam. Note down or skip the probable metasploit exploits to the very last. Don’t be that guy who got disqualified due to using metasploit on two machines by mistake.

Tools

Skipping all the obvious tools in the OSCP texts.

• Enumeration Automation : nmapAutomator or AutoRecon
• pspy – allows you to see commands run by other users, cron jobs, etc. as they execute in real time
• wappalyzer – GUI alternative to the command $whatweb
• $wfuzz -u 'http://abc.html?file=FUZZ' -w <wordlist> -fuzz for LFI, an alternative for burp intruder
• rlwrap – alternative to interactive shells, will be handy with nc listener for windows machines $sudo rlwrap nc -lnvp 443
• Static Binaries like netcat etc – can be utilized on machines that don’t have netcat installed by default
• BruteX – automatically brute force all the available services

Tricks

• tmux – learn how to use tmux and manage multiple machines in a single window
• yank plugin for tmux
• Learn markdown syntax and document walkthroughs using Typora or similar editors
• For exam and lab report: document in markdown then convert to PDF || markdown template/scripts to convert as docx
• Learn git fundamentals and commit everything related to OSCP to the same project with proper comments.
• Create linux aliases for frequently used commands like $sudo nc -lnvp 443 , $sudo python -m SimpleHTTPServer etc.
• Pair AutoKey with a gaming mouse for screenshots or frequent commands like $wget http://192.168.1.1/linpeas.sh
• Utilize shell generators like Venom Builder from pentest.ws or revshells
• Stream on Twitch or YouTube your OSCP journey for the extra motivation and try to build a following.

FAQs

• How do you know you’re ready for the exam?
  You will never feel ready and it is difficult to gauge. A general rule of thumb is whenever you are able to crack most machines in under 4 hours.
• How much did you spend for acquiring OSCP?
  An approximate total of USD 1678 = 90 days of OSCP ($1349) + Exam retake fees ($150) + 4 months of TryHackMe ($40) + 1 Month of CyberSecLabs ($10) + 1 Month of VirtualHackingLabs ($99) + Tib3rius udemy privilege escalation course ($30)
• Will the OSCP texts, videos and the lab suffice to pass the exam?
  I will suggest against relying only on the OSCP resources.