My OSCP Exam Day

Shivam Bathla
8 min read · Jan 13, 2024


An account of those 48 hours — the day when my preparation was tested!

Hello folks!

I hope you all had a great start to the new year. I certainly did — got my OSCP, after a lot of pain and hard work.

Scheduling the exam

On October 9, 2023 I purchased the PWK course labs. Since there is a minimum lab time of 3 months, I had to go for that (I hope this changes in the future).

As soon as I purchased the course, the first thing I did was to schedule my exam for the day after my lab period ended. This set a deadline for me and helped me stay on track. So my exam was scheduled for 8th January 2023, morning time, because I am a lark.

For these 3 months, it was a constant cycle of wake up, complete the course and play as many labs as you can. I aimed to finish everything within the first month so I could get a lot of time to revisit things I was weak at as well as to try out the VulnHub (FREE) labs that were similar to the OSCP boxes.

3 months went by quite fast (except the last 3 days before the exam — those days felt too long to end). The night before the exam was seemingly endless too, or so I believed it to be.

The Exam Day

It was 07:30 in the morning when my exam was supposed to begin, but due to some delays with the proctoring, my exam began a few minutes later.

It was quite cold, plus the exam was giving me some anxiety and fear too — all these months were going to be defined by these 24 hours of the exam.

If I pass, the effort and the time I put in would be worth it. Even otherwise, it would be great in terms of the knowledge and skills, but since the OSCP certification has become an industry standard, my only option was to get it by passing the exam.

With this initial fear and panic, my brain wasn’t working as well as I wanted it to — I was trying to do multiple things at once. Then I stepped back for a while and took a long breath. Since my preparation was rock solid, I knew all I had to do was to sit with a calm mind and everything should fall into place, or rather I would make it fall into place :)

So I came back with a fresh mind and started hacking the boxes again but this time with the strategy I developed for the exam.

Note: It’s very very very important to have a sane strategy and a good methodology to tackle the exam. Otherwise either it will take a long time or you will be setting yourself up for failure. So it’s advisable to develop your own cheatsheet and a set of commands that would be invaluable during the exam.

Solving the machines

The Active Directory set seemed quite hard to me initially. I was able to map the attack path but there seemed no possible way to get in. This meant 40 points were out of reach, or they seemed to be at that moment.

So instead of spending more time there, I moved on to the standalone machines.

My plan was to finish all 3 of them and have the passing score (I already had 10 points from the course). After the passing score I would be able to spend time on the AD set and solve it too.

With that plan, I stuck to the first standalone machine. I progressed with it for a bit but was missing the initial foothold vector time and again. And then I realized the tool I was relying on was not adequate for the job, or at least not for the scenario I had. So I went back to manual enumeration and found the missing bits and pieces. Got a foothold on that machine.

Privilege escalation for that box was probably the hardest of all the boxes I solved. It was quite unique, and something I had never seen before. But I was definitely confident about my skills so I knew I could find a vector to escalate my privileges. And soon enough I found the thing to be exploited. I exploited it in a manual fashion again. In hindsight, I noticed a few automated scripts for that same thing, but I definitely learnt a new technique while solving the exam and managed my time and resources well. So it was definitely a great confidence booster.

With the first machine down, I was around 3 hrs into the exam. Then I took a slightly bigger break and had my breakfast. This was the first meal I had since I started my exam. The break was quite refreshing and I was back to the exam, which had 1 machine less now :)

The next machine was again quite different and unique in its own way. The initial foothold for this machine was quite hard, harder than what the first machine had. But I was determined to pwn it. So I kept on exploring every possible avenue that I could exploit and maintained a good set of notes so I could clearly map out the possible attack paths and then strategically go about attacking the machine.

After some fuzzing and poking around, I found the initial vector — it was quite cool! I leveraged it to get the initial foothold. For the privilege escalation of this box, I didn’t have to look that far. I managed to perform privilege escalation and pwn this box within the next 1 hr and 10 minutes.

Then I jumped to the third standalone machine and, call it my practice or luck, the first vector I tried worked and I got the initial foothold on the machine. Privilege escalation for this box took me some time due to the many rabbit holes that were there. But I managed to pwn this box fully within 1 hr 10 mins again.

So I was now 6 hrs into the exam and had pwned all 3 standalone machines and had my 60 points. Since I had completed the course, that gave me 10 points, making it a total of 70 points — which meant I had passed the exam at this point.

But after going through the course and preparing so hard for it, I wanted to make sure I pwn every single machine.

So after taking a short break of 5–10 minutes, I came back and started with a fresh mind to hack the AD set.

After 3 minutes of enumeration I had the initial foothold right in front of me and I got my initial shell on the box. I was also able to escalate my privileges very easily due to an organized methodology I developed for myself. After pwning the box, I got my tunnel set up to access the other domain-joined machines.

Before the OSCP course, Active Directory was something I wasn’t too comfortable with — I knew the concepts but wasn’t very comfortable with hacking an AD setup due to lack of practice. But during the course I made sure to pwn every AD set they had in multiple ways so that it wouldn’t stay my weakness anymore.

Due to that practice and time spent hacking the AD environments, I was able to fully compromise the first domain-joined machine within a minute of tunneling. After hacking it, I went for lunch.

Came back from lunch and within 5 minutes I was able to compromise the domain controller as well.

And with that, I got a total of 100 points — the perfect score I was aiming for, something that actually indicated to me that my preparation was solid. And all this within 7.5 hours which included my 2 meals and a few breaks I took.

It was definitely mentally exhausting and challenging, but I was in my zone during the exam and no sound or tiredness or stress could bother me in the least.

Post pwning

After pwning everything, I utilized my exam time to prepare the basic report with all the screenshots. During my pwning I did take the screenshots, but in case I had missed any, it would become very very hard to prepare the report.

So I didn’t want to take any chances there. Took a short break after reaching the 100 points mark and started writing my report. After 4.5 hours of preparing the report and taking any missing screenshots, I chose to end my exam.

The next day I again began preparing my report and got the final report ready — it was 123 pages long. I wasn’t aiming for something that big, but since I wanted to be as comprehensive as I could, I made as perfect a report as humanly possible. My days at Pentester Academy and INE definitely helped here, as I had to prepare a lot of challenge manuals and walkthroughs there.

The Results

Exactly 2 days after submitting my report, my results came. It was positive news — something I was expecting. And with that, I became an OffSec Certified Professional (OSCP).

I hope this certification and my dedication helps me land a good pentester/red teaming/VAPT role that I have been seeking out.

If someone reading this post is looking to hire a pentester, I am open for the opportunity and available to join immediately.

If not, then I hope you got some value from the post or at least became less anxious about your OSCP exam attempt, if you are planning to take it.

Some tips

Before closing off this post, I would like to give some tips from my own experience that I found very very helpful in my journey:

  1. Maintaining your own methodology.
  2. Maintaining your own cheatsheet.
  3. Maintaining a sheet containing the tools and scripts that are quite handy for the exam along with their links.
  4. Remembering the fact that OSCP exam machines are meant to be hacked and it won’t take you more than 5 steps to get the initial foothold or the privilege escalation. So keeping it simple is the key.
  5. Keeping track of your time and allocating it wisely.
  6. Keeping track of what things you want to try and what you have tried. This is immensely helpful because in a situation of panic, it is quite normal to try the same thing again and again. But that’s definitely not going to help, so having a checklist of what you have tried so far and what you want to try next becomes quite crucial.
  7. Lastly, keeping a calm mind helped me tackle the exam much better than an anxious mind would have.

That’s all from my side.

Stay curious and keep on learning!
