The Ultimate OSCP Preparation Guide 2021

Captions
Hey everyone, welcome to this session on the ultimate preparation guide to OSCP 2021, though you can use it for 2022, 23, 24 or any year until OffSec actually changes their pattern. So I've got to justify this word "ultimate", guys. This presentation could be very long and comprehensive. Apologies in advance for the typos in the upcoming slides, because it was done in a hurry, so if you could spot one, actually, yeah. You can find these slides at my GitHub repository; they will be uploaded later, and all the resources that you find underlined are hyperlinked. So yeah, that's it, we are good to go.

All right, so you can ask me what makes me eligible to give a session on OSCP. Of course I'm not sponsored by OffSec, and neither am I getting paid for this session by anyone else. I'm doing this for free for the OWASP Chennai chapter, and the reason I'm doing this is because I recently published a blog on how I passed the OSCP with 100 points in 12 hours, without Metasploit, in my very first attempt. Since then I've been getting a lot of queries, so I guess a webinar would be the right choice to answer them all. So yeah, here we are. I'm Aditi Kumar, 21 years old, Offensive Security Certified Professional and Certified Ethical Hacker. I have completed both CEH and CEH Practical to earn the Master status, and I'm also heading the OWASP chapter for Coimbatore right now. I've been an avid learner in the field of information security for more than seven years. I love to research offensive security, and my area of expertise involves open source intelligence, application and network security. I was privileged enough to be invited as a speaker at various conferences and educational institutions like IITM, and DEF CON meetups and OWASP meetups like this. I have been a bug bounty hunter as well in the past, and even now I do it occasionally. Also, I've been admitted into Carnegie Mellon University to pursue my master's in information security for this fall 2021, so I'll be
starting as a student there from this fall. So if you have any queries regarding my master's as well, not just limited to OSCP, if you have any queries regarding my master's admission process, you can shoot them at the end of this session. We will have a Q&A hosted at the end of this session; you can ask your queries then.

So today's agenda: what is OSCP? I guess most of us here know what OSCP is, but this will revolve around the preparation strategies for OSCP, the exam setup that you can prepare in advance for OSCP, and what the strategies are for taking the OSCP examination, and it will have a Q&A session as well. That's today's agenda. Wait a second, let me monitor the chat as well. Yeah, all right, okay.

So, OSCP. What exactly is OSCP? Well, actually it's PEN-200, PWK, also known as Penetration Testing with Kali Linux, a course that is offered by Offensive Security. Students who successfully complete this course and pass the exam will earn the certification called Offensive Security Certified Professional. So OSCP stands to be a fundamental and foundational course for people who are entering this new field of offensive security or penetration testing. Trust me guys, it's just a foundational course, at least according to what OffSec says, but yeah, it's going to break you along the way of preparation. Once you finish, you'll realize and agree that it's just a foundation, but offensive security is a huge, endless domain. It's a rigorous 24-hour exam; to be precise, it's 23 hours and 45 minutes. It's a completely practical exam. There is no theory, I mean, there are theories involved, but you're not going to write anything, you're just going to apply those theories in a practical manner. And you'll get five hosts, or intentionally vulnerable machines. One of them is going to be a buffer overflow, and the remaining four hosts are going to be just normal intentionally
vulnerable machines. The total points will be 100 and you'll need 70 to pass.

So let's get into what PWK will actually teach you. The syllabus of PWK will teach you right from Bash scripting; information gathering, active as well as passive; vulnerability scanning using tools like Nmap or Nessus, whatever; web application attacks like SQL injection, cross-site scripting, file inclusion, local as well as remote; it will teach you Windows buffer overflows specifically; how to perform file transfers from the attacker system to the target system and vice versa; it'll also teach you about password attacks, like how you can brute force those passwords and how you can decrypt them into a plaintext password; it will also cover basic AV evasion techniques using some encoders; it has privilege escalation techniques, covering a wide range of privilege escalation, both Windows as well as Linux; it will also include port redirection and tunneling, all those needed for pivoting from one subnet to another; it will just touch on the essentials needed for Active Directory attacks; and it will give you an overview, I mean, it will teach in depth I guess, of the Metasploit Framework and PowerShell Empire. While enrolling for the PWK course you'll be given the course videos and a PDF; it's highly suggested you go through them.

So what are the skills required for OSCP? In order to pass OSCP, what are the skills required? Well, using information gathering techniques to identify and enumerate targets running various operating systems and services is crucial for passing OSCP, so that would come under enumeration. The scripting skills involve writing basic scripts and tools to help you with the penetration testing process; you need the scripting skills just to automate your process, that's it. And you'll need basic exploit
modification skills, like analyzing the exploit and modifying it; sometimes you will be asked to cross compile those exploits, and sometimes you'll be asked to port those publicly available exploit codes. That is what exploit modification is, and you'll be asked to do that in the course of time. And finally, privilege escalation; you know what privilege escalation is, escalating your privileges from a low-level user to a high-level user. And again, critical thinking. What exactly I mean by critical thinking is thinking of all possible exploitation techniques for a given scenario. You should mimic an adversary; you should think like an adversary and mimic their capabilities. That's what critical thinking is, and using critical thinking you'll be able to successfully detect the crucial rabbit holes, which are going to be the greatest barrier in your OSCP examination.

So what are the prerequisites for OSCP? OSCP is definitely not a beginner-level certification. What these new hackers will do is, without learning all the basics like networking and basic programming, and without having any knowledge about basic encryption, they'll directly jump into penetration testing and they'll eventually fail. That's not what I suggest you do. Before jumping into OSCP or any penetration testing course, I would highly suggest you go through all the networking essentials; I mean, you need to know how TCP/IP works, how the application works, and everything. You need to have at least basic administration skills on both operating systems, Windows and Linux, and you need to know how a web application functions: you will need to know how to tamper with an HTTP request, what HTTP request methods are, what HTTP request headers and response headers are, likewise the basic functioning of a web application. And you'll need scripting knowledge as well,
familiarity with Bash or Python scripting. And getting comfortable with tools, this is also a major part. You have to gain experience with tools like Burp Suite and Nmap; you have to know the scan types offered by Nmap, and you have to get comfortable with Nmap's NSE scripts, and also CMS-specific scanners like WPScan and JoomScan. Those are the prerequisites for OSCP.

There are several restrictions for OSCP as well. The first one is spoofing: you're not allowed to perform any kind of network-level attacks, be it IP spoofing or ARP, DNS, whatever it may be; it's prohibited in OSCP, so I would highly suggest you follow the exam restrictions, I mean, do not do whatever is mentioned in the exam restrictions. And the commercial tools: you are free to use Metasploit as well as Burp Suite and whatever is open source and free, but you are not allowed to use any kind of commercial tools such as Metasploit Pro, Burp Suite Pro, Canvas or whatever; I mean, no commercial tools, and no automatic exploitation tools as well, like SQLMap, that's a great example. You are not allowed to use SQLMap, so if you encounter a SQL injection or a possibility of SQL injection in your OSCP exam, then you would have to do it manually. That's why I said a basic overview of web application vulnerabilities is essential before taking OSCP, or you can learn it on the path to OSCP; that's your wish. And mass vulnerability scanners such as Nessus, Nexpose, OpenVAS or Core Impact especially, those are prohibited and you cannot use them, or any other tools that perform similar actions. You are ultimately responsible for identifying what the tool does, what kind of
things it does. A best-case example would be the recent issue that happened with LinPEAS; I'm sure you're all aware of that. So these are all the exam restrictions.

Let's get into phase one, which is the preparation phase. If you are a complete beginner who has no idea about the penetration testing field, then I would suggest you start from CompTIA's Network+ certification. It's a great course that will teach you all the TCP networking fundamentals and everything. And also the Practical Ethical Hacking course by Heath Adams; this is a great course, actually. Here he explains all the phases of ethical hacking, right from the reconnaissance stage to privilege escalation, and this course requires no prerequisites at all, so even if you're a complete beginner you can take this course. He starts from networking and moves into basic Python programming skills; he teaches you the basic Python required for pentesting, and the phases of pentesting such as exploitation, scanning, enumeration, post-exploitation, and finally he ends up with exploit development. He is known for his easy explanation, so he'll explain all the theoretical part of each privilege escalation vector and each technique. That's a great course I would suggest.

If you're an intermediate hacker, or if you already have some kind of experience in penetration testing, then I guess getting an initial shell wouldn't be a problem for you, so I guess most of you would suck at privilege escalation, either Windows or Linux. I'm saying this from my personal experience, because when I started I was an intermediate; I had been passively preparing for OSCP for the past two years, I was a passive Hack The Box player, TryHackMe player, everything,
but yeah, I sucked at privilege escalation. So if you are intermediate, I guess you should brush up your skills in privilege escalation. I'd highly suggest you go through all these courses, because I can't recommend just one of them; I would suggest you go through all of them, because each of them has its own perks. Windows Privilege Escalation and Linux Privilege Escalation by TCM, that is The Cyber Mentor, aka Heath Adams: he will explain all the theoretical part of each privilege escalation vector in depth and later jump into the exploitation part. I would highly recommend you watch both of them, but if you are restricted by time and can't spend a lot of time learning the theory part, but need to get the gist of what you're going to do, then it would be wise to choose Tib3rius's courses, because he explains each vulnerability crisply in just 1.5 hours for each course, whereas Heath Adams's courses take up to seven hours each. It's up to you. And finally, this is the well-known playlist by IppSec, where he published walkthroughs of all the Hack The Box machines that are similar to OSCP machines; the list has been prepared by TJ Null, we will get into this later. So these are the beginner as well as intermediate courses. If you are advanced, then you should probably go for OSED or OSEP.

So what are the blogs that will help you get started? Man, HackTricks (hacktricks.xyz) is a gold mine, because it has everything. For example, if you are doing SMB-related pentesting, then you would have all kinds of interesting methods listed for that specific port. So HackTricks is a gold mine, and these are other blogs, these are also good: Sushant747, InfoSec, everything is good. And I have sneakily snuck my blog into this as well. Yeah, I
have published all my notes of my entire OSCP preparation here, so you can check it out as well. It's not up to the mark when compared with other blogs, but it will do justice. You can check it later when the PDF has been uploaded to my GitHub.

These are some awesome YouTube channels which would help you prepare passively, even if you're not actively preparing for OSCP. Whenever you get bored, whenever you open social media like YouTube, or instead of using Instagram, I would recommend you switch over to YouTube and follow these channels, because this is what passive preparation is: whenever you're free you can watch some videos and it'll just get stored subconsciously in your memory. IppSec, I mean, everyone knows about him. I have mentioned them in order of how relevant they are to your OSCP: IppSec is highly relevant to your OSCP, he posts almost every piece of content that is related to OSCP or offensive security; and again Conda is an awesome YouTube channel, he posts great content; and John Hammond as well, he's a well-known security researcher; and Jason Sec, DC CyberSec, Elevate Cyber, I don't know how many years these channels have existed, but they are great as well; and Michael LaSalvia is a female, she has started a channel recently, I guess. So all of them are great, they have OSCP playlists as well. I have hyperlinked all those links with each of these, so you can just click on the name to visit their YouTube channels.

All right, I would highly suggest you take notes throughout your OSCP journey, because notes will help you remember what you already know and what you don't know, and because not everyone has a great memory, especially me; I don't have a great memory at all, so I started taking notes and now it's helping a
lot of other people preparing for OSCP. That's how blog.negate.com came into existence: I started preparing for OSCP and I wanted to take notes for myself, but now it helps many people. So it's like two shots in a single bullet. It will help you reinforce your learning because of taking notes, and notes will help you remember what you already know versus what you don't know, so that if you come across anything that's new or unknown you can add it to your personal notes and refer to it later. So use others' OSCP notes as a reference, including my blog or anyone's blog, use them as a reference, but write your own notes, because that is what will help you develop your own approach to offensive security. Everyone has a different approach to offensive security; for example, IppSec has his own, Conda has his own and I have my own. So develop your approach to offensive security, and notes will highly help you do that. My suggestions for note taking would be GitBook, because I took notes in GitBook, and CherryTree is also a good one, and you can use Obsidian as well.

So let's move into phase two. This is the phase where you'll be applying all the concepts and theories that you have learned from the preparation phase. The practice phase is all about practice, practice, practice. Don't do it like you get into the practice phase and go back again to the preparation phase and brush up everything; don't do it like that. When you are in the preparation phase, phase one, just make sure you're learning everything and make sure you are taking good notes, because once you do that perfectly you would never have to go back to phase one and brush up your skills again, unless there is a huge break between phase one and phase two. This is the phase where you'll be applying all the concepts, and this is where the notes
you have taken will come into play, and it's the most crucial phase for getting OSCP successfully finished in your first try. You can get OSCP in the first attempt if you are lucky, and I believe that luck is directly proportional to the amount of practice you put in. So this phase is absolutely crucial.

For practice, I guess you guys might have already known about these, but I have made my own list; I have ranked them based on priorities, at least according to my preferences. I would suggest you start from VulnHub, because, oh my god, it has a huge list of open source, free machines, and you don't have to pay anything; it has like 500-plus machines and exercises. It's a great resource and you can browse it at vulnhub.com. The next similar thing would be OffSec Proving Grounds. I haven't personally tested this, but from what I've heard from my friends or from online forums, it seems that the machines in OSCP are very similar to what people get in PG. It has two things, Play and Practice; Play is actually free, and for Practice you will need to spend like 19 dollars a month. You can browse it here. And TryHackMe, it's like a well-known alternative to Hack The Box. It's freemium, it has a free as well as a premium plan, and this is a great resource for learning Linux and Windows privilege escalation, especially if you're enrolled in a Tib3rius course. Wait a second, yep. Yeah, so especially if you're enrolled in a Tib3rius course, it would help you apply whatever he is saying directly in these labs; even if you take Heath Adams's course, never mind, you can use this as well. This is a free room in TryHackMe, so anyone can use it. And Hack The Box, it's like the most famous; it's also a freemium one, it offers both free and VIP, VIP+ passes, they have a variety of
premium plans, and it's like 14 dollars per month and you'll get a VIP pass so that you can access the retired machines. There are two things in Hack The Box: one is active machines and the other is retired machines, so if you are a VIP member you will be able to access all the retired machines; there is a huge list of retired machines which are similar to OSCP. So Hack The Box would be of great good if you subscribe to it. And then here comes Virtual Hacking Labs; it has like 45-plus intentionally vulnerable hosts and it costs around 99 per month. When compared with the others it's kind of the most costly; they have a reason for it, because they provide course materials as well as a guide to compromise those hosts. They'll also provide hints for beginner-friendly and advanced lab machines. On successfully compromising at least 20-plus machines in the 45-plus pool of machines and submitting the report, you'll earn a certificate of completion, which also has a value, I guess. And then here comes PentesterLab Pro. Wow, this is a great resource, I would say, because it has like 300-plus exercises, and it's a great resource especially if you want to learn some exotic web attacks. For each and every exercise you will have a video tutorial and a step-by-step guide, and on completion you will also get a certificate. It's just 35 for three months if you are a student, and if you are not, it's like 20 per month, and you can browse it. Apart from these that I have mentioned, what I have heard of and used is PortSwigger, because Web Security Academy is a great place to practice web attacks for free.

So the takeaway from this is: most people have this mindset that they're preparing for OSCP and they should not watch or
read walkthroughs. Bro, preparing means learning new things that you were not aware of before, so how could you learn new things if you refuse to look at write-ups? Try all the things you know, and if you still can't get a shell, then why are you wasting time? Go look at the write-ups and take notes, so that next time when you come across the same situation you can use those notes and not look at the write-ups. It's pretty much as easy as that, and this is what I have done all through my phase of preparation.

And the two most famous lists. There is this NetSecFocus list, which is an OSCP-like VMs list. This is frequently updated, and it's been created by TJ Null, who also happens to be a community manager for Offensive Security. It supports a wide range of platforms, actually: it has OSCP-like machines that are in VulnHub, OSCP-like machines that are in OffSec Proving Grounds, and also in Hack The Box. And there is another list called Jason Sec's; this is created by a guy called Jason Sec, you can find him on YouTube, and this list also contains OSCP-similar machines from Hack The Box, TryHackMe and OffSec Proving Grounds. What it also has is, he tried some buffer overflows and he felt that they were similar to what he got in OSCP, so it also has a list of buffer overflow EXEs that he had tried during his course of preparation. So the disclaimer is that the boxes in this list will help you get started, and will help you build your practical skills or brush up on any weak points in your pentesting methodology, though this list is not exhaustive and it does not guarantee the passing points for the OSCP exam. This Jason Sec guy, he also passed OSCP within 12 hours, pwning all five machines and scoring 100 points, in his second attempt actually. But yeah, so
he'll mention whatever he tried in his first attempt as well as what he tried differently in his second attempt. So check out this list as well; all these links are hyperlinked, as you can see they are underlined.

All right, so now we'll have a look at what the unofficial OSCP-approved tools are. This list is created by a guy called FalconSpy, who also happens to be the community manager, sorry, the community ambassador for Offensive Security. For note taking I personally used OneNote; most of the guys use CherryTree, I guess, but guys, I would prefer a note-taking tool that can sync with the cloud, because who knows, at any time your VM can crash or anything can happen, so it's better to have something that's cloud synced. That's why I prefer OneNote, and it offers almost everything that is offered by CherryTree. Also, Obsidian is another alternative, so you can use that as well. For enumeration I preferred AutoRecon or nmapAutomator; both of them provide very similar outputs. Then for web, these are some tools I used: I preferred Gobuster and Feroxbuster, wfuzz for parameter brute forcing and stuff, and I used Nikto; if I get nothing, I'll go for Nikto then, because Nikto is one of the open source scanners which you can use in OSCP, so I prefer it too. For networking tools I used the Impacket repository, like for SMB enumeration I used psexec, etc. For file transfer I used Python; there are multiple libraries for file transfer actually, I preferred SimpleHTTPServer and updog, this is cute, and I used Impacket's smbserver; Impacket also has some other file transfer options. And wordlists: I preferred SecLists wordlists. Wow, this is a great resource, it has a wordlist for every situation that you will ever
encounter in OSCP, so SecLists is one of the great wordlists. And rockyou, the universal wordlist, that's the most standard one for brute forcing passwords or usernames, anything; so rockyou.txt. For getting a reverse shell I use Pentest Monkey's, because from what I feel the reverse shells are stable, so I use their PHP one and some other reverse shells, I'm not sure which. For brute force I use Hydra and CrackMapExec, depending upon the protocol that I'm targeting.

Sometimes I actually find these enumeration tools to be exhaustive. As you can see in the meme, we need to use Nmap, Nikto, Gobuster, WhatWeb, enumeration for Linux, everything, in the OSCP exam, so you'll end up using autorecon.py to enumerate all this, but again it generates too many outputs to understand. I find these results to be exhaustive; they produce a lot of results that in the end confuse us, and it diverts us into rabbit holes. That's exactly what happens when you want to enter a rabbit hole, seeing through the results of AutoRecon. As Vancouver said, and Vancouver is also CRTP certified, he's a Certified Red Team Professional, so we can vouch for that: it's better to develop your own manual enumeration approach, so use auto-enumeration only when you can't find anything after exhausting your manual enumeration techniques. It's just my personal experience and Vancouver's, so I can't guarantee that it will work for all.

Privilege escalation. This is how you'll feel if you don't understand the file system of the respective operating system that you are trying privilege escalation on: literally everything will feel like a privesc vector for you, because unlike other pentesting phases, privesc needs experience, a lot of experience. It's not like getting an initial shell, which will have only maybe
six to ten entry points if it has a lot of rabbit holes, but for privilege escalation, if you don't have enough experience, then everything will look like a privesc vector. So getting comfortable with Linux and Windows file systems is a crucial thing for privilege escalation; this will help you find the odd scripts that are running and located at odd places. For gaining this experience you should spend hours and hours looking at the output of privilege escalation enumeration scripts such as LinPEAS or LinEnum, whatever, to know which are common files and which aren't. It's better if you create a checklist of all the vectors that you have learned, both from Tib3rius and Heath Adams, so that would help you in your exam.

These are some tools I used for Linux as well as Windows privilege escalation. For Linux: Linux Exploit Suggester, suid3num.sh, LinPEAS, linuxprivchecker, pspy. For Windows I used winPEAS, PowerUp, Seatbelt, Windows Exploit Suggester, Sherlock and accesschk.exe. LinPEAS, as you all know, you should not use any LinPEAS version that is less than 3.1.3, because of this thing called the sudo-inject issue that had been in LinPEAS prior to version 3.1.3; it's now fixed, so you can use any version that is 3.1.3 or above and you're good to go. I actually prefer LinPEAS over any other tools because the colored output that LinPEAS produces helps us so much; it helps us identify what are all the common files and what are the suspicious files, so it's a great tool. While using suid3num, just don't use the -e flag, because it might be considered auto-exploitation. And pspy will continuously monitor
the scripts that are running in the background, so it will be helpful for exploiting cron jobs or any automated scripts that are running in the background. And winPEAS; actually PowerUp and Sherlock are PowerShell scripts, so you can use them in a PowerShell environment, and accesschk is used for checking your privileges. All of these tools are hyperlinked as well; you can click on them and you will be redirected to the respective repository. Sorry, yeah, oh, I haven't seen that. Okay, so where did I leave off? I guess I have explained this. You can get the slides later, guys, just grab the content whatever I'm speaking, because this is what you will not be able to get later.

Buffer overflows for OSCP. This is the only machine that you'll be able to crack for sure, because whatever you're going to practice will be the one that you are going to face in the exam. If you are a complete beginner and you have no idea about buffer overflows, then I would suggest you start from The Cyber Mentor's buffer overflow playlist, because it's a comprehensive guide and you can compromise a host using stack-based buffer overflows in just six steps, because he has made it so easy. I would suggest you watch his YouTube playlist, which is completely free. If you need any help with the code you can visit my blog; there is this specific section called buffer overflows where I have mentioned all the exploit codes that are needed for exploiting stack-based buffer overflows. If you are an intermediate and want to sharpen your buffer overflow skills, then head to the TryHackMe room called Buffer Overflow Prep; this is created by Tib3rius again, and this room will actually use a 32-bit Windows 7 VM as an intentionally vulnerable
host, which will also have Immunity Debugger as well as PuTTY pre-installed. This room will actually mimic the OSCP environment, so I would highly suggest you go through this. It will have 10-plus OSCP-like vulnerable buffer overflow executables, and they will also provide you a step-by-step manual on how to exploit those things. So yeah, the TryHackMe Buffer Overflow Prep room is a great room. If you want to further enhance your buffer overflow skills, then start reading Corelan's blogs; he has mentioned everything related to buffer overflows, right from stack as well as heap, everything. If you want to practise with other executables that are similar to the OSCP executable that you're going to get, then you can use SLMail, FreeFloat FTP Server 1.0, MiniShare and Savant. All these are hyperlinked; you can check them out as well.

Getting into the OSCP packages, there are three main packages. One of them ranges from $1,000 to $1,350 depending upon the number of lab days, and you'll be provided with only one exam attempt. It's obviously self-guided, but you'll be provided with course videos and a PDF. There is another package called PWK 365; it will give you year-long access to the OSCP lab and it will also give you two exam attempts. Again, this is self-guided. And you have another package called OffSec Academy: you'll be given 90 days of lab access and one exam attempt, and in this case you're not self-guided, you'll be in sessions of one-to-one mentoring and they'll include you in a small group for instruction. So these are all three available PWK packages which you can enrol into to get OSCP.

I have created two possible OSCP journeys according to what I feel is right, so it's up to you whether to enrol in this plan or that plan. I have created two plans actually: this is the comprehensive plan and this is the modest OSCP plan. Let's say you want to embrace this OSCP journey and you want to learn a lot in the field of offensive security. Then I would suggest you make yourself a calendar: dedicate 30 days to practising whatever you can on VulnHub machines, and dedicate another 30 days to practising on Hack The Box or Proving Grounds, so it will cost you either $35 or $20, or $55 for both. Then buy a 90-day subscription to the OSCP labs; it will cost you $1,350, so in total it will be $1,405. This will give you a lot of time to go through the course PDF and course videos if you are willing to. I didn't actually; I just referred to a lot of blogs. I didn't go through all of that because it's like 800 pages long, I guess, the course PDF, so I thought I would just go with the blogs. But one of the demerits of going through this plan is that since the OSCP labs have only 70-plus machines according to their blog (I'm not aware of how many machines they exactly have, but according to their official sources they have only 70-plus machines), it's not a great deal. Despite the OSCP lab machines teaching us crucial concepts like AD and pivoting, Hack The Box proves to be an effective alternative for the price that we are paying here: it's like $1,350 versus just $20 per month. But again, you can get an additional five points if you complete the lab exercises and write a report for 10 hosts that are in the lab; more on this later in the upcoming slides. So this is my plan for the comprehensive OSCP journey. And here's my favourite part, this is what I followed: the modest OSCP journey. This will just take you three months, but again
these three months are purely for practice and not for learning any theoretical concepts. Before beginning these three months you should be fully well-versed in all the theoretical concepts, which you should have prepared in the preparation phase itself. This is the practice phase: you're just going to practise whatever skills you already know, and you are going to acquire new skills by researching on your own if you are lacking something. This is the practice I followed, and what I did was I dedicated 30 days completely to VulnHub. It has like 500-plus hosts, man, and OSCP-like VMs are like more than 30 or 40 plus on VulnHub. I'm not sure if I did all of them, but almost 70 percent or more than 70 percent of the OSCP-like VMs on the VulnHub platform, and it's completely free. I completely dedicated 30 days, like 16 hours per day, to this, and the next 30 days was my Proving Grounds... sorry, I didn't enrol in PG, I had the Hack The Box VIP subscription. So I practised for 30 days, and it has like 150-plus hosts, man, so it just cost me $20 and I used Hack The Box. Well, actually the thing is I had 90 days of OSCP lab because I won the OSCP lab voucher by winning a CTF. So what I did was I started my OSCP lab from these 30 days, but instead of doing my lab I was doing VulnHub and Hack The Box, and finally, in the last 30 days, I did the OSCP lab. When I first started the OSCP lab I just compromised like 10 or 20 machines and I felt like it was repeating, okay, so I lost interest and I started doing VulnHub and it was pretty exciting, so I just kept on doing VulnHub and I moved to Hack The Box, and finally I came to the OSCP lab, so I just had like 15 days or something. So these 30 days of OSCP lab will include an exam attempt, you will have 70-plus hosts to hack into, and it will just cost you $1,000. So it will just cost you $1,055 overall, when compared with the previous comprehensive journey, which will cost you like $1,405, which is like $300... well, $400 more actually. With this you can also add two more attempts; it will cost you $150 each, so it's like $300. Even if you add two more attempts it will just be $1,355. So this is one of the most modest OSCP plans, and you have nearly 700 machines when all of these are combined. So even if you read walkthroughs for like 350 machines and compromise them and take notes, you'll still have 300-plus machines left to practise on without looking at the walkthrough. So don't feel guilty looking at the notes, man; every time you look at the notes just make sure you're learning something new, okay? Prepare your own checklist for each phase, such as enumeration or scanning or exploitation or privesc; for everything, prepare your own checklist. That will help you a lot.

This is phase four, the lab phase. Every battle is won before it's fought, you know. It's not about how you practise in the OSCP labs but about how much you have practised before taking the OSCP labs, before taking this 30-day or 60-day or 90-day lab: how much effort you have put in prior to enrolling in this OSCP lab is what is going to matter in this phase. Well, you might have already known you'd be provided with five points if you complete a lab report in OSCP, but there is like a lot of struggle, so let me break down each of them for you. In order to gain those five points you have to complete all the lab exercises. I don't know how many lab exercises there are, but again, the course PDF is like 800 pages long and it will have exercises as well, so you have to complete all
those exercises, and you have to create a comprehensive report including all the screenshots of the exercises that you have completed. You also have to write a report for a minimum of 10 lab hosts, and not just any normal lab hosts: the lab hosts that you have chosen to include in your report must contain unique privesc techniques for each. So you have to remember that. If you do this report part you will be eligible to get five points, and also you will be provided with 40 (ISC)² CPE credits. What is (ISC)²? It's the International Information System Security Certification Consortium, also known as (ISC)². This is the organization that provides the CISSP certification, so if you're already certified, in order to maintain the CISSP certification you must earn like 40 CPEs, also known as continuing professional education credits, annually, and 120 credits over a three-year period. So you'll get 40 (ISC)² CPE credits by completing OSCP: if you submit the lab exercises or pass the certification challenge, you can earn it either way. If you submit your lab report you will be eligible to get these 40 (ISC)² points, or if you pass the certification challenge you can get these points. But again, this is only applicable for the people who have already attained the CISSP. And again, these five points will be applicable in only one situation: only if you score 65 points will they allow you to use the five points that you have scored. This 65-point scenario is only possible if you are able to compromise one 25-point machine, one 20-pointer and another 20-pointer, like two 20-pointers and a 25-point machine. This 25 is obviously going to be the buffer overflow because it's the easiest 25, and then compromising both the 20-pointers is a risky area; I don't know if everyone could do it. But again, you can use these five points only if you attain 65

points, that is, this exact combination. Other than this, if you compromise two 25-point hosts and you have compromised a 10-pointer, you can't use these five points. So that's one thing to note.

This is the lab architecture. Once you are enrolled in the labs you will be provided with a VPN connection over your mail, and after connecting the VPN you will be connected to the student network and you will be provided with a set of three clients: one is a Windows client, an Ubuntu client, I guess, and a domain controller. You will be connected to this and you will have direct access to the student network. There will be a range of machines over here; I don't know exactly how many machines, but again, on compromising all these machines, in one of them you will find that the machine is interlinked with another subnet, so you can use that device as a pivot to get into the IT department or development department, and after compromising the IT department you can double pivot to access the administrative department. So this is how your OSCP lab architecture will be.

This is how your OSCP lab control panel will look. Here it will show your OS ID, which is unique for every user, and here you can select the IP address of the target machine that you are practising on in order to revert it, so you have to select the IP and click on revert to revert the machine. Here you can see the sandbox. Here you can paste the subnet keys to unlock each subnet; for example, if you have successfully found a machine that is interlinked with another subnet, then it will have a key called the subnet key, so you have to attain that key and paste it in this subnet keys place in order to unlock the IT department. And here is where
you will submit the proof keys for each machine, and this is where you'll schedule your exam date. So that's about it.

Am I ready to take OSCP? Well, this is a hypothetical question actually. Let me share how I decided to take OSCP. Before entering my practice phase and spending 16 hours a day, whenever I started a machine I always had this fear or anxiety about whether I'll be able to solve a machine or not without looking at the walkthrough. But after a certain point, after continuously pwning like 100-plus, 150-plus machines on VulnHub and Hack The Box as well as the OSCP lab for like 60 straight days without rest, at one point my anxiety started to fade, and my mindset was like, man, screw it, I have learned so much in this process; it's just an exam and it would be even worth retaking it, because OSCP is a journey actually, and I love this journey of offensive security. So yeah, it would be even worth retaking. When you get this mindset, that is when you should book the exam, and that is when I booked it. I'm just sharing my personal experiences.

Finally, welcome to phase four, the exam phase. Don't do this, guys, your exam will be proctored. About proctoring: you are strictly prohibited from screen recording. You should not screen record; from like 2020 or 2019, I guess, this rule was implemented. So instead of screen recording you should take as many screenshots as possible, so screenshots for the win. For enabling proctoring you have to download this web extension called Janus WebRTC Screen Sharing; it's a Chrome plugin actually, you can download it from the Chrome Web Store, it's hyperlinked. During your

exam, like 15 minutes before your exam, you'll have to log into a portal and it will ask you to share your screen; that's when this comes into play. In case you're using multiple monitors or dual screens, please let the proctors know; if you don't let them know then it might also get flagged as malpractice. So let them know, and make sure you don't have any kind of connectivity issues in the middle. That's like the basic thing.

Regarding the proctoring, this is from the official OffSec statement. OSCP has always been an open book exam; they always encourage you to use Google or your own personal notes or any other tools, and the proctor will not disqualify your exam, just note it down, for using your own notes or Google or anything, or even for reasons like having your mobile or another person entering your room. They'll not disqualify you for that, but you should not discuss anything related to OSCP with the person who is entering your room or with any other person. So that's the only goal of proctoring here.

This is the login page that I was talking about. Three days prior to your exam day you will be receiving an MD5 hash along with your OS ID; you have to enter it and log in to enable screen sharing.

Finally, this is how you should take the proof screenshot. As you can see, we are opening the txt file and we are showing the IP address as well. Your screenshot should be displaying both of these things: proof.txt as well as the IP address of the target host. It's crucial that you do it, because there have been many incidents where people failed because of failure to provide screenshots like this. So it's crucial
to do this. But how I did it was I did not take any chances, so I just made a comprehensive screenshot that includes proof.txt as well as whoami as well as the hostname of the target as well as the IP address of the target. So that's about the requirements for the proof screenshot. And remember this, guys: you have to get interactive shell access to the target host to qualify as a successful compromise. Reading proof.txt or local.txt through some kind of remote code execution or via a web shell or arbitrary file read vulnerabilities like local file inclusion would not count as a successful compromise unless and until you get interactive access. You should have interactive access such as a reverse shell that has a console to interact with and execute commands from; that is what will qualify as an interactive shell, and that is what will qualify as a successful compromise when it comes to OSCP. So remember that.

This is how your exam day control panel will look. Once you attain proof.txt from the machine, you have to choose the IP address of the target from where the proof.txt or local.txt has been obtained, paste it and submit the proof key. This button will just say proof key even if you obtain local.txt. Okay, let me break down what local.txt and proof.txt are. When you compromise a 20-pointer or a 25-pointer it will have two flags: one is local.txt and the other one is proof.txt. The local.txt will be accessible if you have low-privileged interactive access; like, if you gained an initial foothold into the target machine and you have low-level access, you will be able to access local.txt, and then on successfully compromising the entire host, after attaining privilege escalation, you will be able to read proof.txt. So this is what local.txt and proof.txt are. Even if you attain local.txt and paste it here, this

button will just say submit proof key; it's not going to change to submit local key, so just don't get confused. Another most important thing to mention here is that this panel won't show you whether the flag you have pasted is the right flag or not. It will obviously check whether the hash you have pasted is according to the format or not, but it will not say whether the flag is right or not. So it's up to you to make sure whether you have copied the correct flag. That's about the exam control panel.

Let's discuss the point distribution. As already mentioned, you will have five hosts. One is obviously going to be the buffer overflow; this is the most straightforward box that you're going to get in your entire OSCP exam, so you'll just need a maximum of 45 minutes, and if you have done extensive practice you can finish it in just 30 minutes. It's just going to be straightforward if you practised enough with the TryHackMe rooms that I have mentioned earlier. The next is the 25-pointer, which is also known as the hard machine; again, it will have a plethora of rabbit holes. You will have two flags to obtain: one is local.txt and the other one is proof.txt. I'm actually not sure how the points are distributed between local.txt and proof.txt in the case of the 25-pointer; in the case of the 20-pointer I'm pretty sure that it will be divided as 10 and 10.
So if you attain local.txt, or low-privilege access, you'll be awarded 10 points, and if you do privilege escalation you will be provided with 10 points. But again, some people say that on the 25-point machine if you attain the initial shell you will get 12.5 and if you attain privilege escalation you will be provided with another 12.5, but others say it's 10 and 15, or 15 and 10, vice versa, whatever; I'm not sure of that. Again, it's going to be full of rabbit holes and it's going to be the hardest machine, from what I've experienced. You have another two 20-pointers; again, although every OSCP machine will have rabbit holes, you have to gain an initial foothold as well as privilege escalation on these three machines, this 25-pointer and these two 20-pointers. So it's going to be hard, obviously. One of them will be comparatively easy; from my experience, one of the 20-pointers might be comparatively easy and the other 20-pointer might suck a lot. That's from my personal experience. Then there goes the 10-pointer, which is like the easiest one, but again, it is easy only if you figure out the rabbit hole. If you figure out the rabbit hole you'll get a shell within like a matter of time, within 10 minutes, and it requires no privilege escalation, so it's the easiest 10 points you can get. Then if you complete all the lab exercises and the 10 lab hosts, you'll be provided with five lab points.

This is my exam timeline. I started my exam at 4:30, so it's like 5 a.m.; yeah, I started my exam at 5:00 a.m. because I felt like I can't really start in the afternoon and go through the whole night. I just wanted my exam to end quickly, so I started my exam early in the morning, and it took me just 13 minutes to compromise the buffer overflow machine, although it had some last-minute surprises; I was able to successfully

compromise it within like 30 minutes. It took me like three and a half hours to fully compromise the 25-pointer; it was okayish, because when compared with the last 20-pointer, the 25-pointer was comparatively easier for me. So it took me like three and a half hours, and another two hours for the medium-difficulty 20-pointer machine. So in just six hours I attained enough marks to pass, okay, and I took breaks, and later I cracked the easy 10-pointer machine and took a long break because I was now in a safe zone. I have 80 points and I'm now in a safe zone; all I have to make sure of is that I have enough screenshots to pass. So I took a long break and came back, and finally it took me like more than four hours to compromise the last 20-pointer; that's why I felt like this 20-pointer was more difficult than the 25-pointer I faced. Overall I took like six breaks during my exam. That's my OSCP journey; I completed it before like 6 p.m.

This is the exam setup I would suggest. First and foremost, split your workspace. You can create multiple workspaces, so what you can do is split them into seven workspaces: dedicate five of them to each machine, dedicate the sixth workspace to note taking (I mean not report writing, note taking), and the last workspace is for your VPN connection; don't go there and don't mess it up. So that's your workspace. Get comfortable with the locations of your tools so that you don't have to search for where your tool is located at the last minute; although you can use locate and other commands, just get comfortable with it, it will help you in the long run. And make use of the .zshrc, or .bashrc depending upon what shell you are going to use. I use the zsh shell because it has received a lot of updates in
recent times, it's like the inbuilt shell of Kali Linux, and it's pretty much convenient for me. I usually split my screen into four terminals and I have set up shortcuts for everything. I have also pre-configured aliases for all the frequently used commands in this .zshrc file. This will save you a chunk of time traversing into directories, and guys, time is an essential thing when it comes to OSCP. The amount of time you're going to save will directly reflect in your exam, because if you save a lot of time you can use it to relax your mind. So that's about my exam setup tips.

I gotta demystify the Metasploit restrictions, because a lot of people don't know about them. It's well known that you can use Metasploit on only one machine in the exam, so excluding the buffer overflow machine you have four other machines to try Metasploit on. On only one target you can use either auxiliary or exploit or post-exploitation modules, or you can use a Meterpreter payload, only on one target. All these modules are restricted to one target, so if you choose the target and launch Metasploit then that's it; you can't use it on any other target. If you do, you are disqualified from the exam. Even if the exploit you have launched or the auxiliary module that you have run does not produce a result, even if the exploit you launched failed, you cannot use it on any other target. That is crucial to remember. Also, what people are not aware of is that you can use multi/handler actually. You can use any other payloads; you can use shell_reverse_tcp, you just can't use Meterpreter payloads, okay? You can use shell_reverse_tcp, and you can use a lot of encoders using msfvenom; you can create a stable reverse shell using shell_reverse_tcp payloads. And also you are allowed to use msf-pattern_create and msf-pattern_

offset, which should come in handy when you are doing Windows buffer overflows. So these are the Metasploit restrictions.

Here's my wholesome advice, guys. Whatever advice I give, you will end up doing this actually: you will be fascinated and go beyond the rabbit hole when the actual path is looking right into your eyes. This is what I did, but I was lucky enough to find the rabbit holes as soon as possible. Let me break it down for you. You have unlimited breaks actually; use them, okay? There is no limit on breaks, like you should take only 10 breaks or 20 breaks; you have unlimited breaks, like enter the exam and say that you want a break and come out, man, it's as easy as that. So you can take unlimited breaks whenever you are not feeling good or whenever you feel like you're getting frustrated; take breaks and it will help you. Obviously you aren't writing your semester exam, and you can get breaks, okay? Whenever you're not making any progress even after spending like two hours, just skip the host and move to another, because this is crucial: you don't know how much time you are spending on the host, and time management is crucial. This is why a lot of people fail, chasing beyond rabbit holes; they forget the basic enumeration things and they just keep on trying the things they already know. You have to do things differently: you have to change the host, or concentrate more on enumeration, use different wordlists. Likewise, you have to change your enumeration methodology; you are missing something in your enumeration. It's not about trying harder; OSCP is not about trying harder, OSCP is about enumerating harder. Enumeration is the key, like everyone says, enumeration is the key. And 24 reverts are already plenty enough; go use them whenever you want. Whenever you're launching a buffer overflow
exploit or something like that, the stack is going to be messed up, or the kernel is going to be messed up if you launch some kind of kernel attack, so revert; only then will it work. If you keep on launching some kind of kernel exploits or buffer overflow exploits without reverting, then you might not end up getting a reverse shell. Caffeine or coffee is a must; it will help you a lot. Again, if you are not a coffee drinker then you might have to skip it. And you have to keep this one important thing in your mind: you are not going to pentest a real-world machine, you are going to try to hack into an intentionally vulnerable machine that is vulnerable to a specific exploit. In case you are trying to hack into a real-world machine there are two possibilities: either it could be fully patched or it could be vulnerable. But in your case you're in the OSCP exam and all the machines are intentionally vulnerable, so all you have to do is exploit it right; in 24 hours that is your only goal. So OSCP is actually a lot easier than a real-world machine, where you don't know whether the machine is vulnerable or not. All you have to do is find the right exploit or find the correct path, so you have to enumerate a lot. Finally, ippsec.rocks is a great resource to use if you need help in exploiting a specific service, or if you forget something you can use it to brush up your enumeration skills on the go. So this is my wholesome advice.

And finally the reporting phase; let's get into that. You are required to write a professional report describing your exploitation process for each target. You'll have 24 hours to complete your report, and it's like more than enough to complete your report; I mean six hours is more than enough if you do it full-fledgedly. I have attached some sample reports and videos that will teach you how to write a report. I have attached this OSCP official sample report

provided by Offensive Security; you can use this for your reference. All of these are hyperlinked as well. This is a great tutorial by Conda; like I mentioned, this guy provides a lot of OSCP-relevant tutorials. He has actually explained how you should begin writing the OSCP report and all the things you should include and not include; it's a comprehensive video, go through it. This is another video, OSCP Report Made Easy; this is a specific video for OSCP report writing by Michael LaSalvia. And finally here comes Heath Adams; he also made a video on how to write a generic pentest report, not specific to OSCP, but it can also be used to write OSCP reports as well, so you can use that too. And yes, screenshots: include as many screenshots as possible, and remember the screenshot format: one of the screenshots must contain the IP address as well as proof.txt in the same screenshot. That is crucial. Your report must be comprehensive, because you must document all of your attacks, including all steps, commands issued and the console output, in the form of a penetration test report. Your document should be thorough enough that your attacks can be replicated step by step by a technically competent reader, okay? That's your end goal; that's how your report should be. Failure to provide sufficient documentation will result in reduced or zero points being awarded, so make sure you submit the report in time. Things that you should include in your report: if you have made any kind of modification, then you should include the modified exploit code and the URL of the original exploit code. You should provide the original URL of the exploit code; it might be from Exploit-DB, or it might be from GitHub, or from anywhere else, or from searchsploit even. You should provide the
original URL of the exploit code, and the exact command used to generate any shellcode, including the bad characters if applicable. Highlight whatever changes you have performed in the exploit code, and you should also be able to explain why you made those changes, why you modified the exploit code, likewise. This is only applicable if you have made any changes to the exploit code; if you have not made any modifications to the exploit code then you should only provide the URL where the exploit can be found. You don't have to include the full unmodified code, especially if it goes several pages long, so you don't have to do that.

The final takeaway from this session is: OSCP is not an exam, it's a journey, a journey into offensive security, and just cherish your way into it.

Here are some frequently asked questions to me; we are at the end of the session, thankfully I made it within time, I guess. So here are some frequently asked questions.

Are programming skills mandatory? It is recommended but not mandatory. Let me break this down for you. It's recommended to have but not mandatory, because it will ease your way into compromising the hosts and understanding the attack vectors if you learn programming, okay? For example, let's consider that you are trying to exploit an LFI in a PHP-based application. You should understand what makes the application vulnerable to LFI in the first place, or what stops the application from reading arbitrary files. If you understand enough, you can use the PHP wrappers to bypass those restrictions and read the files. So it would just help you to understand the application better and develop your own attack vectors as well. You can survive even without knowing all this; you can just pretty much blindly follow the ippsec pentesting

methodology, or Conda's pentesting methodology, or just learn your own pentesting methodology from ippsec, sorry, HackTricks, anything. So it's not mandatory, but it's actually recommended and it will obviously help you in the long run.

What scripting knowledge is needed? Python and Bash are the scripting knowledge that is crucial, but again, you can learn Perl as well. To what extent it is needed, I would say just the basics are enough: you should be able to automate tasks, you should be able to search strings or perform several string functions, you should be able to segregate outputs, or you should be able to perform URL operations or, at the very least, socket programming. That extent is enough.

How many hours per day did you spend? I spent around four to six hours a day for like two months, and 16 hours a day for one month, that is, for 30 days; all I did was offensive security, that is, I'd wake up, I'd do offensive security, that's how my sleep cycle was for those 30 days. So overall it took me like three months to do this, but I already had prior experience with real-world pentesting as well; I have done a lot of pentesting projects prior to this, and I had been into the passive preparation thing for like two years. I had been watching a lot of videos, I'd been reading a lot of walkthroughs; even before enrolling in the OSCP labs I was watching a lot of walkthroughs, I had been a passive player on Hack The Box as well. I did everything, so it differs for each of us.

I guess we are done and it's time to shoot your queries. Sorry guys, I was not able to check the Zoom chat, but what I can do is I have created a Canva live, so what you can do is
uh just uh visit this link canva.live and enter this code 831 315 and you can post your queries there i'll try to answer them now i'll be able to view your queries from there so yeah you can shoot your queries uh by visiting canva.live and posting your queries there i'll wait go ahead thanks a lot for sharing your experience on your oscp journey i'm sure it's pretty interesting and fascinating for every one of us i hope the participants would have gained some prayer experience on how to start their oacp journey thanks mother thanks a lot so i've been i'm getting uh questions so i'll i'll just share them so yes i guess you can see the questions you mentioned you did 100 to 150 missions before you started to get less anxious what is your approach to taking on machines and hitting a wall then using a walkthrough how long will you enumerate previous before checking a walkthrough this is where uh the notes that we have taken comes into play so what i'll do is i have a checklist of everything that i have to perform right from right for enumeration as well or for privilege escalation for initial foothold everything i have made a checklist and you know if i have performed everything that is mentioned in my checklist and still i was not able to get initial shell only then i will uh watch the walkthrough and so when i watch the walkthrough uh i'll obviously learn something new because it's not already in my notes so if it's not already in my notes i might have not learned about it previously so what i'll do is i'll watch the walkthrough i'll add it to my notes and then i'll continue the face i'll continue it so that's how i did my faces and yeah so what if we change the ip and port on the exploit do we need to paste the whole script in the report or just mention the link so if you are passing the ip and port as an argument then you just have to mention the command but if you are changing the ip and port in the exploit then you should paste the whole script but if it but if 
it's several pages long, like more than three to five pages, then I think it's better to just mention the part where you have changed the script, or the line number where you changed the exploit code.

Should one go for all the 500-plus vulnerable machines? No, you don't have to go for all 500-plus. I showed you two lists, right? One is the NetSec OSCP-like VMs and the other one is the json6 OSCP-like VMs. Go through both of the Excel sheets; both of them will have OSCP-like vulnerable VMs. Just do whatever machine names are mentioned in that list. I think it will have less than 100 OSCP-like VMs, so do that; that's far enough.

Okay, this is one of the good questions: how to know which machine is going to need Metasploit and how much value they'll have. To be honest, you would never have to use Metasploit, because this rule is actually a hoax. OSCP is a decade-old exam; it was introduced long back, and back then it was Pentesting with BackTrack. Back then we didn't have any alternatives; Metasploit was the only full-fledged framework. But right now, for every exploit we have a GitHub alternative. All you have to do is enumerate the CVE number, put it on GitHub, and you will get an alternative exploit script. All you need is the basics of Python or whatever language, to understand how the code is written. You don't need to use Metasploit; I never had to use Metasploit, because there are several alternatives.

Do I recommend completing the lab report for five marks? Personally, like I have already mentioned, I never even went through
have to identify that it's a rabbit hole, and trust me guys, in OSCP you can never identify what is a rabbit hole and what is not. So I think in order to overcome a rabbit hole you should just concentrate on enumerating harder. If you are facing something complex in your exam, then that's not the right path; that might be a rabbit hole, because most of the time, after all these months of preparation, you should be able to exploit it easily. If you are making it complex, then you are missing something in the enumeration part. That's how you can overcome a rabbit hole.

At which college year did I start my OSCP journey? Right when I entered college I decided that I should take OSCP, but I didn't have the money until I won a CTF. I started preparing about two and a half years ago; right when I started playing CTFs I started my OSCP journey as well.

Best resource for web application penetration testing? Let me state my preferences: the first would be PentesterLab and the second would be Web Security Academy. I don't know about THM because I have never tried any web application pentesting on THM, but I have personally experienced PentesterLab and it is awesome, and Web Security Academy as well; I've been hearing a lot of good reviews of it. So these two are the best resources to learn web application penetration testing.

Any resources for Python and Bash scripting? If you are Indian then I would suggest this channel called Telusko, T-E-L-U-S-K-O. They have a Python playlist and that guy explains it crystal clear, so it's a good resource. For Bash scripting I can't really pick any single resource; it's a combination of resources, and actually all this scripting comes from practice. You can refer to any blogs, you can choose whatever resource you want, but again, practice is the thing that is going to help you in the long run. When it comes to scripting you need to practice a lot.

Will a Pentester Academy subscription be enough for clearing OSCP? No, definitely not. Pentester Academy won't be providing you intentionally vulnerable machines; they'll just provide you exercises, I guess, from what I know. But with an OffSec PG subscription or a Hack The Box subscription, combined with practice on vulnerable machines, then yes, you would be able to clear OSCP. Not just Pentester Academy: with Pentester Academy you can just learn specific web exploitation skills, but not compromising entire hosts.

This question is regarding my master's: how was the admission process to get into CMU, what traits are they expecting from students, and if possible please mention the cutoff. Damn. See, I'm not a bright student and I don't have a flashy CGPA. All I knew was information security. I took B.Tech IT and my CGPA is average, 7.5 out of 10, which would roughly translate to 3 out of 4 on the US GPA scale. So it's average when compared with other people who are applying to CMU. I think they look for specific traits, like the depth of knowledge you have in the field you are going to pursue. For example, I am going to pursue an MS in information security, so they would check what your previous accomplishments are in that domain. In my case, I am an Offensive Security Certified Professional, I have written exploits, I have a lot of research papers. From what I have heard, research plays a big role when it comes to admissions in US universities, so you have to do a lot of research, and where you are publishing your research also matters. It's not just any blog or your Medium articles; you have to do comprehensive research and publish in IEEE or other reputed journals, and then maybe they will consider you. I have done a few pieces of research as well, I have interned at the Gurugram Cyber Cell, and I have interned as an application security tester at two or three places. I can't guarantee that if you have a 9 CGPA you will get in, but I can guarantee that if you have a good understanding of your subject and previous accomplishments in your subject, then you might get into CMU.

Before OSCP, is it okay to take other exams like CEH, and which is the better exam, CEH or eJPT? Guys, I did CEH because I got it for free; I got CEH theory as well as CEH Practical for free. I did it because something is better than nothing, but I wouldn't suggest you take CEH. If you want to go for CEH, then go for CEH Practical, because it will cover the basic enumeration you'll be doing in OSCP. But I would highly suggest eJPT; eJPT will help you clear your OSCP, at least from what I've heard.

I have another question, oh, it's a huge question. "I have a technical question: I uploaded a web shell and tried to take a reverse shell in netcat, but I was not getting a stable shell, so I took the shell in exploit/multi/handler. Then the target machine was having SeAssignPrimaryToken privilege, right?" So you must have exploited JuicyPotato. "And so I exploited that with a Meterpreter shell." As you have already seen, I have mentioned that you should not use Meterpreter. Like I said, you could get a stable reverse shell, but it depends upon the type of reverse shell: you
should not get a Meterpreter shell. If it's a Meterpreter shell, then yes, it obviously comes under Metasploit usage. But if it's just a generic reverse shell like shell_reverse_tcp, or a staged payload like shell/reverse_tcp, it could be anything, staged or non-staged, it doesn't matter. But if it's a Meterpreter payload, then yes, it would count as Metasploit usage.

Do you think the course PDF and course videos are sufficient to clear the exam? Definitely not. As you might have already seen in the description of each OSCP package, they have clearly mentioned that it's self-guided; you have to research on your own. They'll provide you with the fundamentals needed to get going, but it's up to you to research further and practice yourself. Definitely the course PDF and course videos are not enough; you have to research a lot, read a lot, watch tons of other videos on YouTube, watch IppSec's approach; maybe that would help you.

Now that I have completed OSCP, if I were to do it again, how would I do it? What platforms would you recommend: Hack The Box, OffSec PG, TryHackMe? Actually, when I was preparing for OSCP I did a lot of machines on Hack The Box, but if I were to redo it I would use OffSec PG, because a lot of people online, on Reddit and other forums, have been saying that the machines they get from PG are similar to what they encounter in OSCP. So I would go for PG and then HTB. I wouldn't go for TryHackMe; I don't see a lot of OSCP-like machines there, but I think they are increasing now.

After completing OSCP, what's the next step? Like I said, you can apply for CRT equivalency, but in order to attain the CRT certification you have to pay a 100 fee and you should also hold a basic CREST certification called CPSA. Getting that certification is very similar to CEH theory: you just need to answer 125 theory questions, and if you answer them successfully then you'll become a CPSA, and if you have CPSA then you can apply for CRT equivalency and get CRT. After getting CRT I would probably do CRTP or CRTO, because it would help me a lot in OSEP, I guess. So I'm preparing for OSEP; I would do it after getting to CMU, or maybe if I have time now I'll prepare now.

Does OSCP++ knowledge without having the OSCP certificate make sense? Yes, it will make sense, if you could spell "sense" right. But yes, you don't actually need the OSCP certificate. A lot of legendary security researchers, from what I know, the people who are working in Google's Project Zero or any other security team, I don't think they have the OSCP certification or any kind of certification at all. In the end certifications are just to prove your skills, but if you feel like you don't have to prove it to anyone, even to your employer, then why bother taking a certificate? I'm a fresher, so I think I should show my skills to my employer in case I'm going to get employed, so I am getting the certificate.

What part of your application for your master's helped you? Was it the education and marks? Like I said, my education: see, I'm from a third-tier college, I don't know if it would even come under third tier. It's called Sri Krishna College of Engineering and Technology in Coimbatore, Tamil Nadu. And as I said, I don't have good marks. So extracurricular work in the field, I think that's what got me in. Your statement of purpose should be impressive, as should your resume. There is no particular criterion for them to select; they'll just evaluate your overall profile and select, from what I've heard. I can't vouch for any single thing, but if you have performed a lot of research in the area of interest that you are going to pursue, and if you already have a lot of accomplishments in the field, then I don't find any reason for them to reject you.

To be more precise, each university has its own set of standards to be followed. They would have their own weightage for academic achievements, marks, your GRE and TOEFL, and your SOP; the weightage differs from university to university. So what we can suggest is: prepare a good SOP and have a set of research papers published in a renowned venue like IEEE, etc.

Yeah, that's actually true, because out of the seven universities I applied to I got rejected from only one, and from what I've heard USC won't accept you if you have less than a 9 CGPA. I don't know, at least that is the rumour I've heard. So it differs for each university; they have their own scale.

Will industrial experience be helpful? It depends upon what kind of industrial experience you have. For example, if you work on the policy-related side, then I don't think it will be helpful for you in OSCP, but if you are a pentester, then yes, your industrial experience will definitely help you.

I guess we have a question related to Pentester Academy certs like CRTP, so I guess it would be best if Venkat answers this.

Yes, so any experience with these certs? CRTP and CRTE are certifications that are more focused on Active Directory penetration testing. CRTP would be the more basic one, and you would have five machines to compromise, including two domain controllers. Both CRTP and CRTE would have a scenario where you have already gained an initial foothold; you only need to pivot, perform lateral movement, and gain domain controller privileges over the forest and the DC you are in.

Okay, so how did you manage time for your college
stuff and the OSCP journey, six hours or 16 hours a day? Well, I did this in my last semester, and my last semester doesn't involve a lot of theory papers; I just had to do my project, and I had already done my project as well, so basically I was totally free and I was able to manage. Another thing is that for the first year we were under lockdown, so there was a lot of time, I guess.

I want to know, in the OSCP exam can we use a phone to take help from a friend in case we get stuck anywhere? No, definitely not. As I've already mentioned, you are not allowed to discuss anything related to the OSCP exam with anyone; if you do that you will be instantly disqualified.

I'm 47 years old, not from a computer background, but I make Android and iOS apps and websites and now I'm interested in learning and getting OSCP. Can it benefit me? Yes, it would benefit you to transition from your development background into the security domain. But again, I can't really vouch for it; it's up to your interest and pay scale. If they pay you more in security than what they pay you now, then why not give it a try?

So in the five boxes, is there only one Windows box, for buffer overflow, and the others Linux? No, it's not like that. The other four will be a combination of both Windows and Linux. There is no specific answer for this, like two will be Windows and two will be Linux; it's based on random choice. OSCP has a pool of exam machines, and anything will be thrown at you at random.

After completing OSCP, is CISSP a better choice or not? CISSP is always a better choice, but the question is, are you eligible for CISSP? For CISSP you need several years of experience in multiple domains of information security. CISSP is actually always a better choice, so if you are eligible, then why not do it?

How can one start research in information security? Hmm, by researching. Well, to be precise, I think you should Google a lot instead of using Instagram or Facebook; you should use Chrome a lot. You should keep reading blogs and keep yourself updated with the current affairs in cyber security. It's pretty much like preparing for the UPSC exam, but the UPSC exam will come to an end once you pass, whereas information security will never come to an end. Select a particular field where you want to pursue your information security, like hardware security; from any number of fields, select a particular area and start researching, and start putting your notes online on GitBook. That would help you get a name in information security.

I'll soon be taking my CEH Practical exam; any tips on how one can clear CEH Practical? If you have prior CTF experience or if you have prepared for OSCP, then CEH Practical is just the enumeration part of OSCP; it's nothing much. You can head over to my blog, which is blog.adainak.com; I have CEH Practical notes posted there, so I think it would help you.

LinPEAS was flagged as auto-exploit? Yes, it was flagged as auto-exploit at a certain point, but now it's fixed; from version 3.1.3 the source code has been fixed. What this actually did was: there is this privilege escalation exploit called sudo injection, which will arbitrarily inject sudo tokens of a privileged user into a process and create a SUID bash. What LinPEAS did was, while running the tool, if the host was vulnerable to sudo injection, it would automatically create a SUID bash with root user privileges. This is considered auto-exploit according to OffSec, because you are not doing anything; you are just running a tool and the privilege escalation was done. So this is considered an exploit. Right after people started reporting it, the creator of LinPEAS, Carlos Polop, who is also one of the reasons why I was able to pass OSCP, like I said, hacktricks.xyz is owned by Carlos Polop, after receiving complaints from people he removed the code as soon as possible, within an hour of the report, and he modified the code in such a way that it will not create a SUID bash. Instead it will just exploit the vulnerability; technically it will still create the SUID bash, but it will remove it and just display that the target host is vulnerable to sudo injection, and you have to manually copy the exploit code from other repositories and run the exploit. So it's not actually an auto-exploit now if you run the correct version of LinPEAS.

How to get CREST after OSCP, could you please elaborate? It's as simple as mailing CREST, the CREST support team. You can find the email of the CREST support team online. Once you have completed your OSCP certification and received your OSCP certificate, you can contact the CREST support team saying that you are willing to apply for CRT equivalency. Once you do that, they'll check whether you have the basic qualification, that is, the CPSA certificate. If you own the CPSA certificate, then you just have to pay 100 pounds or dollars and you'll be getting the CRT certificate.

What are your thoughts on automated tools such as AutoRecon versus manual enumeration? Also, what was your approach in the exam, automated? To put it straight, I didn't use the automated tool; I actually used it, but I didn't go through the output AutoRecon was producing. When I got into my exam I started my buffer overflow and ran AutoRecon in the background, but after finishing my buffer overflow I came back and the result was overwhelming for me, and I didn't feel like going through all the results because it would suck a lot of time. So what I did was just run an nmap scan with multithreading, like with
Info
Channel: Adithyan AK
Views: 15,145
Rating: 4.9746838 out of 5
Keywords: oscp, offensive security, penetration testing, oscp preparation
Id: Wqkr5S1b9gA
Length: 109min 35sec (6575 seconds)
Published: Sun May 02 2021