What’s that famous saying by Mike Tyson? Aha! Yes, “…Everyone has a plan until you get punched in the mouth”. This pretty much summarizes my situation about two days ago. After studying extremely hard for months, I made the bold decision to attempt the exam, but I did not pass it on the first attempt. This blog post is a summary of my experience with the exam.
Pretext
In the April of 2021, I landed my first role in cybersecurity at Safaricom PLC. This was obviously a huge win for me and I was determined to succeed in this industry. I applied myself and after about three months, I took my CEH exam. With CEH under my belt, I felt that was ready to move on to the next thing, and obviously, there is no bigger challenge than the OSCP. At around that time, I got a PWK voucher from my then employer. So the stage was set and it was decided that I had to attempt the OSCP.
I had initially planned to start studying for the exam in December of 2021, however, I ended up preparing for my interview with Cisco. The interview spilled over to January 2022 and I did not do anything during this period. When I finally got the offer towards the end of January, I was so happy to be starting a new role. I had to move to a new country and I spent the next few months preparing for the move. Again, I got nothing done during this time. In the end, after settling in my new job, I started my PWK labs in June of 2022. I had the 90-day access. I applied myself, did the exercises, and had my 10 bonus points.
The Exam.
I had scheduled my exam for November 11, 0500 CET. This is also the Independence day in Poland. I woke up at 4 AM and started preparing for the upcoming task. At 0445 hrs, I signed in to the exam portal and minutes later, I was connected to the exam environment. This process was smooth for me and I spent almost 45 minutes before starting the actual exam.
As obvious, the new PEN-200 exam has an AD set worth 40 points and three stand alone machines worth 60points in total. All along, I had planned to do the Buffer Overflow Machine, hack the AD and with only those two, I would essentially have achieved the minimum passing points. This is where I got punched in the mouth, I had no Buffer overflow machine, so I had to rethink my strategy. In the end, I couldn’t get the AD, and I turned my attention back to the stand alone machines. I was only able to get two machines and that was it, I decided to end the exam.
The Lessons…
- I started with the AD set and spent almost five hours trying to get in. This was obviously an error in judgment and a huge lack of discipline on my part. I wasted five hours with no luck, and with no break. The lesson, if two hours have passed and you got nothing, take a break and move to something else.
- There is the power of regularly scheduled breaks. I realized this towards the end and it helped me a lot. I took a step back and got new insights that eventually helped me root two stand alone machines.
- If things are not working, revert that machine and try again! Scan the machine more than once.
- OSCP is all about methodology, one of those ports from your nmap scan is vulnerable, you just have to figure out which one it is!
- If you can, PLEASE get the 10 bonus points. The thing with the AD set is that if you cannot get in, you are essentially screwed. If you have the 10 bonus points, you can take your chances with the three stand alone boxes.
- Did I mention the part about taking breaks?
- HTB, THM, and PG Practice are great resources. If you can afford them, please have a run at them!
What Next?
- Yep, you guessed it right. I will definitely be trying this a second after the cool down period and the upcoming holidays. I already bought the exam and I will schedule an attempt after the holidays.
- Aside from that, I will be attending the AWS reInvent 2022 at Las Vegas at the end of this month. If you will be in attendance, please ping me, I fancy some IRL conversations.
- Continue trying harder.
- Enjoy the Holidays and come back to 2023 recharged.
