What to Expect From the New OSCP Exam


Introduction

Preparing for your OSCP exam can be stressful, and it requires time management and the “Try Harder” mindset. With the new OSCP exam structure including Active Directory (AD), students have asked what to prepare for the new exam and how.

We (M4ud, Ravel, and Kourosh) are Student Mentors (SMs), previously known as Student Administrators, who had the chance to test the new exam sets in a black-box setting where we had no information about the exam target machines.

We would like to take this opportunity to share our experiences to help you familiarize yourself with the new exam environment. We are going to cover the exam changes, findings, and recommendations to help you better prepare for your exam.

Exam Changes

To start, we will summarize the changes that have been made to the exam. We highly recommend reading OSCP Exam Change and OSCP Exam FAQ as both articles contain all the detailed information you need to know about the new exam format.

Point System

The new exam structure will still be 100 points. However, the point distribution has gone through significant changes:

  • Up to 60 points can be gained from 3 stand-alone machines. Each stand-alone machine provides 10 points for low-privilege access and 10 points for privilege escalation for a total of 20 points per machine.
  • 40 points are awarded for the full exploit chain of the domain set. Points are awarded only for the full exploit chain of the domain.
  • Bonus points increased from 5 points to 10 points.
  • Students will still need to obtain 70 points to pass the exam.

Active Directory

The domain set consists of three (3) machines: one (1) domain controller and two (2) client machines. You will need to exploit all three (3) machines to receive points. Failing to exploit one (1) of these machines will result in zero (0) points for the domain set.

Stand-Alone Machines

There will be three (3) stand-alone machines, whereas the previous exam structure was made up of five (5) stand-alone machines. Each stand-alone machine will require both low-privilege and escalated-privilege access to obtain full points. Unlike with AD, for stand-alone machines, partial points will be awarded.

Buffer Overflow

Buffer overflow will now only be a low-privilege attack vector. A twenty (20) point machine with a buffer overflow will now also require privilege escalation in order to get the full twenty (20) points. There is also no guarantee that a buffer overflow machine will be in each exam set.

Bonus Points

Submitting a lab report will now be worth ten (10) points. Please see the Lab Report section below for more detail.

The Exam Experience

Start of the Exam

Not much has changed here in terms of getting connected to the exam environment and getting started on the machines, outside of a more appealing Control Panel. It’s quickly evident if there is a buffer overflow machine to exploit based on the information in the Control Panel. Some of the finer details regarding the buffer overflow machine may be different than your previous attempts if you’ve taken the exam before, so make sure to read the Control Panel carefully.

Approaching the Stand-Alone Machines

As these machines are all independent of each other, the approach to them is pretty much exactly the same as the old exam. We all started with our initial enumeration of the hosts with a port scan. After services are identified, the approach becomes a familiar one.

The only slightly different experience here is the buffer overflow, and even then it was not too far off from our previous experiences. The attack starts the same way, with developing and executing an exploit against a vulnerable service. Usually, once this step is complete you are done with the machine. However, that wasn’t the case here. That said, the experience quickly becomes the same as the other stand-alone machines: enumerate from our newfound access and escalate privileges.

Our conclusion: there wasn’t a meaningful enough difference between the new and previous exam structure. While the Buffer Overflow machine as a whole is slightly different, the approach of attacking the machine remains the same.

Taking on the Active Directory Set

This is of course the part that we expected to be different. Dependencies were not a part of the initial experience with the exam, after all.

Despite this fact, starting out is still much the same as the stand-alone machines. We begin to perform much of the same enumeration to find our initial foothold. Soon after we start gathering information on the machines, it becomes evident which machine is the domain controller, and which machines may be our initial targets.

Our approach continues to be very similar to that of the stand-alone machines. After identifying the services available to us, we begin fingerprinting and finding what may be available on these services. For all of us, initial access was not entirely different from a vector that we may have found in a stand-alone machine. Privilege escalation was the same scenario; nothing here is unfamiliar territory yet. Up to this point, there is little deviation from our previous attempts. Even though there are more machines to consider at a time than just one, there’s not an overwhelming number of real possibilities in terms of what we would be able to directly attack.

It’s only once the first machine has been fully compromised that the experience takes a different direction from our previous attempts. At this point, post-exploitation of course now comes into play. Something to be said about this part is that nothing ever falls outside of what could have been experienced in the labs. That said, finding the way forward was quite varied. In some cases, the path forward was discovered within the host itself. Other times the important pieces of information we needed were found in the wider domain.

The path towards domain admin was much the same process repeated with our newfound information. Using the new access or information, we could discover new services, have methods to gain access to previously locked-off services, or even gain access to new systems, eventually leading to complete compromise and a massive root dance!

Main Takeaways

We have a few main takeaways from this experience that we would want to pass on:

  • Don’t worry about the stand-alone machines, at least not any more than you might have for the previous iteration of the exam.
  • When approaching the Active Directory machines, don’t miss the forest for the trees. Domains are made for computers to talk to each other, so be prepared to need to use the information found on one machine for another if nothing else is working.
  • While the bigger picture of the domain is important, don’t neglect standard post-exploitation steps on individual computers in the domain. Don’t neglect to look for interesting services either; at least make a note to return to something if you get stuck moving forward.
  • Have a structured approach to your enumeration, exploitation, and post-exploitation. Checklists and enumeration templates can help keep you on track to look for relevant information. There’s a lot of information to parse through so drilling down to the relevant information is vital. Keeping the information you find organized can give your approach more structure.
  • Time management is still a factor of course. Don’t spend too long going down rabbit holes, and try to automate as much enumeration (not exploitation) as possible. A few enumeration scripts can go a long way to helping save time in combination with the aforementioned checklist.

Remember your training, Luke! While pre-made checklists and scripts are great, keep your own experiences from the course and the labs in mind. If an important service to enumerate or an attack vector you’ve used isn’t covered by a checklist, add it!

As always, enumerate, enumerate, enumerate.

Pick Your Approach

When attempting the exam you will have two possible approaches to consider. We will discuss the advantages and disadvantages of each approach below. Keep in mind that it will be up to you to evaluate the strengths and weaknesses before deciding on the best approach for your exam attempt.

Attempt Active Directory

Advantages

  • Everything you need to know about AD, including enumeration, exploitation, and post-exploitation is covered in the PEN-200 course materials and labs.
  • It could be substantially less time-consuming compared to exploiting 3 stand-alone machines. The student should be expected to spend no more than 4 – 5 hours on this.
  • Exploiting the AD set could provide a possible 40 points.

Disadvantages

  • For students who are not familiar with AD concepts, this could be challenging, considerably more so if they did not take the time to review AD in the course material and practice in the PEN-200 labs.
  • You need to exploit the full AD chain including the Domain Controller. There are no partial points awarded.

Attempt Stand-Alone Machines and Submit Lab Report

Advantages

  • Students that have completed the majority of the PEN-200 lab machines, including most of the subnets, will be able to work on the stand-alone challenges more comfortably.
  • Exploiting all 3 stand-alone machines could provide a possible 60 points.
  • One could avoid AD completely and submit a lab report for a further possible 10 points.

Disadvantages

  • The 3 stand-alone targets may require more steps to successfully exploit and will possibly take substantially longer compared to the first approach.
  • AD is crucial in modern times; leaving it out of your efforts will leave you with a possible disadvantage in your pentesting methodology.
  • Writing a lab report can be somewhat daunting and time-consuming, especially since you need to document all the exercises and at least 10 lab machines in the report.

Ultimately, the above are just general observations from our point of view and it is up to you to decide what would be the best approach in relation to your skillset and preference.

Lab Reports

With the new exam structure, students can now earn a possible ten (10) bonus points when submitting their lab report with their exam documentation. Lab reports do not need to be overly long; it is only expected that our students show us the exploitation steps. Screenshots of the completed exercises are acceptable. Enumeration steps and any detailed command outputs are not necessary. We recommend keeping the lab report within one hundred (100) pages.

In order to receive the full ten (10) bonus points, lab reports must include the full exploitation of at least one Active Directory set (including the Domain Controller) for all exams taken after March 14th, 2022. We will continue to accept lab reports that do not contain a fully exploited Active Directory set until then.

Every successfully submitted proof.txt within a particular AD set will count as one machine, as long as all other requirements are met. For more information about the exercise and lab report requirements, please visit PEN-200 Reporting Requirements.

Conclusion

After going through the unique experience of getting to relive the OSCP exam, this time in the new exam set, we have come to a joint conclusion that given what is in the materials currently, there were no real surprises. Ultimately, if you are really comfortable with the course material, you will be more than ready for the exam. Moreover, we are of the same opinion that the experience as a whole will be much better for you. The exam is much more aligned with present times and better reflects current companies’ needs. We are also here to assist, provide guidance, and give advice on what you can do to prepare. Feel free to contact us directly through our OffSec Community Discord Server, where we hope to continue the discussion about this exam and your ongoing learning journey.

Who Are We?



M4ud

I am M4ud, lifelong sysadmin, script kiddie, CTF addict in recovery, OSCP, OSWE, and a 5th-year medical school student. After some soul searching, I opted to pursue one of my oldest dreams of being a full-time penetration tester. Having joined forces with my dear wife, teammate, and colleague during this journey, we are happy to share some of our insights after both having had the opportunity to take on the newest OSCP exam.



Ravel

I am Ravel, who discovered my interest in hacking after several years of switching between jobs. After initially being quite intimidated by ethical hacking, once I got into it, I never looked back. I’ve been blessed in having my husband M4ud (who is also a coworker of mine) as my teammate in learning, hacking, and working for Offensive Security. I have compromised more than 300 machines on various platforms to prepare for my OSCP exam. Taking notes on both the exploitation techniques involved and the lessons learned from the experience, I’ll be happy to share tips on how newcomers could avoid some common preparation pitfalls, and also offer insights on the buffer overflow and the black-box testing experience with the updated OSCP exam.



Kourosh

I am Kourosh, a well-known CTF player and former top 5 leaderboard holder in Proving Grounds and numerous other platforms. I have extensive background experience and proficiency with Windows and Active Directory related exploitation. As with my colleagues, I am an eternal student of the craft, striving to reach higher levels of understanding in regards to penetration testing methodology with a strong focus on Active Directory and red teaming. I am here today in the hope of sharing some of my experiences in regards to the latest OSCP exam, but moreover, to give my perspective on some of the students’ main concerns in relation to the Active Directory implementation in the new exam.