Offsec Pen-200 OSCP 2024 Lessons Learned

Thank you! I was super unsure about that so I just didn't. I didn't do a lot of things because I didn't want to be penalized. I did just stand up a server at home and tested the attack vector I faced on the AD set and I was a single command from administrator so I REALLY choked there. lol. Good luckon number 3! Hey, how much did it cost? I googled it but couldn't really get a definitive answer on pricing. And when I go to purchase again I'm seeing the full cost of an exam and training. How do you get the retake price without having to pay for training again?

@@noxlumensIf you got the email of your result.The offsec site and cart will be updated where you can add the retake voucher for 250$ and pay for it.

oh dude , thank you! I just turned in the report yesterday so hopefully I'll see an email from them before too long. Do they happen to give you any feedback on what you missed or should have looked for or....I sent my steps up to where I had managed to get on the domain network so I'm kind of wondering if they'll give me a tip/hint/comment on what I could have done with what I found.

They do have videos in the pen-200 course now. They’re not half bad if you’re following along with them. They’re exactly the content. Also thank you. I know I can get it done. I wasted a lot of time trying to write the report while I was moving through each machine which did save me time the next day but was a detriment to me during. And I should have moved to the AD set a lot sooner. Maybe even after I got root on one of the standalone machines instead of getting all standalones and then going for the ad set. At least I would have been more fresh. I’m sure I missed some little piece of information

@ thanks for that information! But don’t sweat it bro! You have the methodology down packed and once you retake it you will already have a feel of what to expect. Thats how I passed the PNPT. I failed first time I learned and passed in within some hours of retaking it.

@B1G_LIL that was my experience with the PNPT too. lol. I ended up passing attempt to too.

Is that one of the hackthebox certificates? If so I’ve thought about them both very much. I’ll probably go through the bug bounty courses they have when I pass the oscp.
I just finished testing an open source app and found a lot of vulnerabilities that I reported to the vender. Once k finish with them I plan to get back to studying but I needed to get some experience on non CTF/exam web apps.

Absolutely you can. I liked going through all of them but proving grounds practice labs were the most like the exam itself so I’d say if you have limited time and want more practice proving grounds practice labs is the way to go for the most OSCP like machines

I did get all of the standalone flags so 60 points. Just got an email from them saying I would have recevied 60 points so my exam report was accepted I suppose. Next time I'll likely get everthing scanned like I did this time but I'll focus on the active directory domain set first since it's what took me out this time. If I get stuck I'll go back to one standalone machine then back to the ad set. I'll end up alternating like that. Thank you for your kind words. :) I think I know what I missed now that I'm more awake and had time to think about all the information I had. We'll both get it next time. :)

@noxlumens what can you recommend me for be confident on stand alone machine

@@noxlumens I appreciated your simplicity

For me it was repetition that has me so confident with them. From what I can tell based on the TJ Null's OSCP lists, there's only a certain number of things we'll see on the exams and a lot of the enumeration you do on all of them is pretty similar. Start with network scanning and all TCP ports, then you can get away with UDP ---top-ports=1000 (in most cases) you might need to scan all ports on udp and tcp but from all of the proving grounds challenge labs I did only required tcp and top ports udp nmap scan. If there's a web server, start simple and look for .git and robots.txt. From all of the proving grounds labs I did, it seems like initial access is likely to be something like a public exploit, an anonymous smb share or ftp server, if all else fails try brute force for ssh, ftp, etc. but a lot of the practice labs came down to enumeration, gathering services running on the host and googling for something like "product-name 1.0.0 exploit". so basically just google the service your found, the version if you could find it, and the word exploit at the end. some of the time you might need to add rce or path traversal depending on what you're looking at. Honestly, there are a lot of things I look for during enumeration. You can watch some of the proving grounds play labs I did. That might help you see how I move through machines a lot of the time.
TLDR; nmap scans with -sC -sV, scan udp and tcp, google found services and version with exploit at the end, attempt brute forcing services if you haven't found anything else, and while bruteforcing go back to enumeration and scanning incase you missed a service running on the host, look for robots.txt, .git directories, and other hidden files when doing directory fuzzing with tools like dirsearch, gobuster, or feroxbuster. Use several scanning tools.
Once you've on the machine, what you should look for depends on operating system. I still exclusively use my notes from the Practical Ethical Hacker from TCM Security. Actually, almost 100% of my notes have come from that course. If you can go through their linux privilege escalation and windows privilege escalation courses that is a bonus. Additionally, if you join Tib3rius on twitch you might be able to win one of his courses through marble races. His privilege esclation courses give you a wonderful place to start for windows and linux enumeration/exploitation.
Hopefully this wasn't more than you were looking for.