My OSCP workflow

Taking the Offensive Security PWK class and their OSCP exam while working a full-time job presents several challenges, the greatest of which is time management.

To make effective use of my available time, I need to ensure I can work wherever and whenever I have a spare few moments. This means a few things:

  1. I need to have access to my notes from everywhere
  2. I need to have access to all collected lab information from everywhere
  3. I need to be able to access the labs from everywhere

All of these boil down to personal preference. There are myriad ways to approach each of these; the ones outlined here are simply the ones I’m most comfortable and productive with. I won’t discuss remote access to the labs, as I think anyone capable of completing the OSCP can figure out at least a half-dozen ways to resolve that particular issue on their own.

The issue of note-taking and information access, however, seems to be a hotly debated one among PWK/OSCP students. While some prefer plain text files or Markdown, others want some kind of organized note-taking system. The official OSCP recommendation is KeepNote, but I’m rather partial to Microsoft OneNote. It’s cross-platform, it makes my notes accessible from anywhere, and it gives me the freedom to easily include not just text, but drawings, diagrams, screenshots, etc. While there’s no native Linux client for OneNote, there is a web client that works just fine from within the PWK/OSCP VM.

I did consider other options, including Google Docs, Google Keep, and Evernote. But none had the capabilities and ease of use that I find OneNote has. This is, of course, personal preference, but I just find that OneNote and I get on the best. By all means, use what works best for you.

Making the information I collect from various hosts available everywhere is a bit trickier, but only just. I don’t use Dropbox, so that’s out. I could push everything to a private FTP server on a VPS I pay for, but that’s somewhat cumbersome. I considered using onedrive-d, but in the end decided against it, in part because it doesn’t run properly on the official PWK/OSCP VM image.

Instead, I decided that, since I was going to be doing most of my work in a shell, I’d use something shell-friendly: git. I have a directory structure set up within several private repositories that’ll allow me to easily store tool output, notes, images, and so forth. All I have to do is keep everything in sync and I should be fine.

As an added bonus, a private GitHub repo gets me a private wiki I can use as well.

My directory structure is the following:

root@OS-xxxxx-kali-32bit:~/PWK-OSCP# ls -F
exam-report/  lab-report/  oscp-notes/  oscp-scripts/  oscp-work/  SecLists/  vpn/

exam-report and lab-report are where I’m keeping all my finalized markdown files for generating the actual report via pandoc (see T0w3ntum’s page for more information on doing this). Both of these directories are private GitHub repositories.

oscp-notes is another private GitHub repository, in which I keep notes for myself in markdown format, where I can refer to them regardless of location.

oscp-scripts is where I keep things I want to run remotely or locally during the course.

oscp-work is where the magic happens. Its structure is as follows:

root@OS-24310-kali-32bit:~/PWK-OSCP# ls -FR oscp-work/
oscp-work/:
lab-exercises/  netrecon/  template.txt

oscp-work/netrecon/host-template-dir:
notes/  penetration/  pillage/  privesc/  remote-enum/  root-in-10-steps-or-less/  template.txt

lab-exercises is where I store the markdown files documenting the work I do in the lab, for my lab report. template.txt is a markdown template for documenting hosts in the PWK lab. netrecon is where I store all the information about the hosts I work on. Within netrecon there are a short shell script and host-template-dir. The script takes a host name or IP as its argument and creates a clone of host-template-dir, named for the argument provided.

The created directory contains subdirectories for notes, data from remote-enum, penetration, pillage, and privesc, all of which should be self-explanatory. root-in-10-steps-or-less is designed to be a repository for a reproducible root on the box in question, which will more or less mirror what goes in the report for that box.
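The template-cloning script described above, written out as an added example. This is not the author's script: the helper name new_host, the default paths under ~/PWK-OSCP/oscp-work/netrecon and the created.txt timestamp it drops into notes/ are all assumptions. It also adds the check a practitioner wants here: the argument must look like a hostname or IPv4 address, so a value such as ../x can never create a directory outside netrecon, and an existing host directory is never overwritten (earlier enumeration output is too expensive to lose).

```shell
#!/bin/sh
# Added example, not the author's own script: clone host-template-dir into a
# per-host working directory. Paths and the helper name are assumptions.
set -eu

# Where the per-host directories live; override with NETRECON=... if needed.
NETRECON="${NETRECON:-$HOME/PWK-OSCP/oscp-work/netrecon}"
TEMPLATE="${TEMPLATE:-$NETRECON/host-template-dir}"

# valid_host_name NAME: accept only hostnames and dotted IPv4 addresses.
# Rejects empty strings, anything containing a slash, "." / "..", and names
# starting with "-" (which cp would otherwise parse as an option).
valid_host_name() {
    case "$1" in
        ''|*/*|.|..|-*) return 1 ;;
    esac
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9][A-Za-z0-9.-]*$'
}

# new_host NAME: copy the template to $NETRECON/NAME and print the new path.
# Exit codes: 2 bad name, 3 template missing, 4 directory already exists.
new_host() {
    name="$1"
    valid_host_name "$name" || { echo "new_host: bad host name: $name" >&2; return 2; }
    [ -d "$TEMPLATE" ] || { echo "new_host: template missing: $TEMPLATE" >&2; return 3; }
    dest="$NETRECON/$name"
    [ -e "$dest" ] && { echo "new_host: $dest already exists" >&2; return 4; }
    cp -R "$TEMPLATE" "$dest"
    # Stamp when work on this host began; handy when rebuilding the timeline
    # for the report. (created.txt is an assumption, not part of the template.)
    mkdir -p "$dest/notes"
    printf 'created: %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" > "$dest/notes/created.txt"
    echo "$dest"
}

# Run as a script: ./newhost.sh 10.11.1.5
if [ -n "${1:-}" ]; then
    new_host "$1"
fi
```

Sourcing the file instead of running it makes new_host available in the current shell, which is convenient when you are already sitting in netrecon.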

SecLists is a clone of the SecLists project, containing hundreds of useful wordlists, just in case.

vpn is where I keep the details necessary to connect to the OffSec VPN. That directory holds credentials, so it must never end up in any repository that gets pushed, private or not.

All of the directories that represent GitHub repositories will be synced with that repository at the beginning of a work session, and again at the end (and, depending on how much information I generate, possibly several times during).
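The start-of-session and end-of-session sync, written out as an added example (this is not the author's script; the repository list, the helper names and the commit identity are assumptions). Beyond pull/commit/push it adds the check that matters most when pushing lab data to a hosted service: if anything secret-looking is staged (a vpn/ directory, an .ovpn profile, a private key), the commit is refused and the index is reset, so a stray credential never leaves the VM.

```shell
#!/bin/sh
# Added example, not the author's own script: sync a set of private git repos at
# the start and end of a work session. Repo paths and names are assumptions.
set -eu

# Repositories kept in sync (space separated); assumed to match the layout above.
REPOS="${REPOS:-$HOME/PWK-OSCP/oscp-notes $HOME/PWK-OSCP/lab-report $HOME/PWK-OSCP/exam-report}"

# Identity used for session commits; assumption, override as needed.
GIT_USER="${GIT_USER:-oscp-sync}"
GIT_MAIL="${GIT_MAIL:-oscp-sync@localhost}"

# Paths that must never be pushed, even to a private repo: VPN profiles,
# private keys, PEM files, anything with "password" in the name.
FORBIDDEN='(^|/)vpn/|\.ovpn$|id_rsa|id_ed25519|\.pem$|\.key$|password'

# staged_secrets REPO: print staged paths matching FORBIDDEN; status 0 if any.
staged_secrets() {
    git -C "$1" diff --cached --name-only | grep -Ei "$FORBIDDEN"
}

# sync_repo REPO MESSAGE: pull (rebase), stage everything, commit if there is
# anything to commit, push. Returns 1 and commits nothing if a secret-looking
# file is staged.
sync_repo() {
    repo="$1"; msg="$2"
    branch=$(git -C "$repo" rev-parse --abbrev-ref HEAD)
    git -C "$repo" pull -q --rebase origin "$branch"
    git -C "$repo" add -A
    if staged_secrets "$repo" >&2; then
        echo "sync_repo: refusing to commit secret-looking files in $repo" >&2
        git -C "$repo" reset -q
        return 1
    fi
    # An empty session is not an error; only commit when something is staged.
    if ! git -C "$repo" diff --cached --quiet; then
        git -C "$repo" -c user.name="$GIT_USER" -c user.email="$GIT_MAIL" commit -q -m "$msg"
    fi
    git -C "$repo" push -q origin "$branch"
}

# sync_all MESSAGE: sync every repo in REPOS; one failure does not stop the rest.
sync_all() {
    rc=0
    for r in $REPOS; do
        sync_repo "$r" "$1" || rc=1
    done
    return $rc
}

# Usage: ./sync.sh "session start"  ...work...  ./sync.sh "session end"
if [ -n "${1:-}" ]; then
    sync_all "$1"
fi
```

The FORBIDDEN pattern is a safety net, not a substitute for a .gitignore in each repo; keep vpn/ ignored as well, so it is never even staged.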

I chose this approach for several reasons, including the three listed above, but also for this one very important reason: I don't want to stop after every single command to document it and its results in my note-keeping system.

My general workflow will be something resembling:

  • Orient myself for the current work session
  • Decide on my focus
  • Review any existing data for that focus
  • Work in small, sane chunks and take note of what I did and what the outcome was
  • Reserve a block of time afterwards to fully document and integrate information from the current work session

Sometimes my definition of a small, sane chunk may be an attempt at a particular exploit. Sometimes it may be more all-encompassing. The main issue is that I won’t always have time to, or want to, fully document what I’ve just done, as it might interrupt my train of thought. Instead, I’m giving myself a way to make relevant notes (OneNote), and a way to keep detailed information accessible (git). I can then take 30 minutes or so later in the day to organize and synthesize everything from that session into a coherent whole.