My OSCP exam experience — The most intense 48 hours of my life!

Vineeth Jagadeesh
7 min read · Jul 28, 2024


I tried harder and passed the OSCP exam in my first attempt, you can too!

Hello reader, thank you for choosing to read my post among tons of other posts on this topic! In this post I write about my background, preparation strategies, the D-Days and everything I did leading up to my exam.
PS: Don’t miss out on my tips and reflections at the end!

An intro to Offensive Security Certified Professional (OSCP) -

OSCP is a 24 hour hacking exam where a student needs to hack into machines in a virtual environment and fulfill objectives such as collecting flags. A maximum of 100 points can be achieved and a score of 70 points is required to pass. At the time of writing this post (July 2024), the machines are categorized as follows -

Active Directory — 40 points
The Active Directory set consists of 3 machines and the end goal is to compromise the Domain Controller (think of it like the brain of the whole Active Directory environment). You need to hack through the other two machines first to get to the Domain Controller. Domain Controller not hacked? No points for you!

Standalone machines — 60 points
There are three standalone machines and they are, well, standalone, so you start on a fresh slate with each of them. Partial points are given here though: 10 points for access as a low-privileged user and 10 more points for administrative/root user access.

Ready to read about how I did it all in just over 4 months?

My background before I took the OSCP —

I was a graduate student in my final semester of college in the USA when I decided to pursue the OSCP certification exam.

Even before I purchased the LearnOne subscription (a 1-year subscription which includes access to the PEN-200 course designed by OffSec and 2 exam attempts) I had a fair bit of knowledge on web application and network penetration testing as well as Active Directory, thanks to -

  1. My eJPTv2 certification preparation from 2023
  2. My Master’s program. Some amazing classes on software security here
  3. TCM Security’s Practical Ethical Hacker
  4. TryHackMe Junior Penetration Tester Path

Exam preparation timeline -

Even before I purchased the LearnOne subscription, I decided to over-prepare for a month, and for this I used a one month subscription to OffSec’s Proving Grounds (top notch resource for OSCP preparation btw!) and the HackTheBox Academy’s Penetration Tester Path to study as many concepts on Active Directory and privilege escalation as I could. In hindsight, this over-preparation is not required if you decide on purchasing the LearnOne, but it could be helpful in building a basic methodology before starting the course material if you decide on buying the 3-month subscription.

Bonus Tip: Always remember to take snapshots of your virtual machines. I lost all notes and tools I had gathered on my virtual machine during my over-preparation days.

Once I purchased LearnOne, I went all in and it was just Wake up-Eat-PEN200-College Assignments-Sleep-Repeat for about 1.5 months. I wanted to be done with the course ASAP so I could start practicing the challenge labs and around this time was when I experienced what a real burnout was.

POV: Me in the first month of buying the course

Don’t do what I did! If you have the LearnOne, DO have a sense of urgency to want to finish the course soon and to take the exam, but definitely prioritize your health, sleep and exercise too!

Had a break for about 1.5 months after this because, well, life happened, which meant I was off the terminal. Once I got back, I continued the challenge labs and secured my 10 bonus points (OffSec awards this upon satisfying certain criteria) with another month of study, with adequate breaks to reflect on a machine that I solved, or that new attack path that I learned from a YouTube video.

Once I secured the bonus points, I scheduled my exam for 4 weeks ahead, which meant I had to focus even more now that the clock was ticking down.

In the final 4 weeks, I used the LainKusanagi list I found on Reddit, shoutout to you Lain! I solved all machines from the Proving Grounds Practice list, did a few freely accessible medium level machines from the TryHackMe list, and meticulously took notes from S1ren’s and IppSec’s videos on a majority of the HackTheBox list. Every weekend in the last 4 weeks leading up to the exam, I took the OSCP A, B and C challenge labs and treated them like a mock exam. These labs are a real simulation of the actual exam environment, and I wanted to check how I could manage my time, focus and energy levels in a 24 hour period.

D-Day and D-Day+1 -

  • Began exam pre-checks with the proctor at 1045 hrs
  • Exam start at 1100 hrs. Started with the AD set.
  • 2000 hrs, AD foothold.
  • 0500 hrs, AD pwned. Insert a quick little celebration here.
  • 0700 hrs, 2 footholds done. Had enough points to pass!
  • 0900 hrs, 1 machine rooted. Vanity points secured!

I kept noting down commands that worked and taking screenshots as and when I came across interesting findings, so I had all the screenshots I needed when I decided to end the exam 5 minutes before time.

Caught up with some sleep the next day, and spent an all-nighter again to finish my report, double and triple checking every screenshot, command pasted and the relevant output highlighted. Thankfully the flags are no longer than 32 characters; it was still a pain to check them multiple times for correctness!

Submitted my report at 0900 hrs and 24 hours later, I received my certification badge in the email!

Some tools of choice — Ligolo-ng (pivoting and accessing internal ports), Notion (for all notes), Obsidian (most frequently used commands list; check out the Templater plugin!), CherryTree (also a good tool that I used before my Kali VM got bricked).

Tips and reflections -

  • I’d actually made a list of advice Redditors offered in their exam passing posts. One of them off the top of my mind is — ‘Enumerate thoroughly, exploit simply’. I can understand why now!
  • Everyone says enumerate, ENUMERATE, E N U M E R A T E, but what does it really mean? It all comes down to your methodology in the end. From the top to bottom of an nmap scan, I ask myself, which ports are open? I used some brilliant resources such as HackTricks, WADComs and my own notes and thought in my mind — Okay, port 8080 is open. It is running an HTTP service. I am going to check some common files like robots.txt. Next I will run a file and directory fuzzing tool. Then I will run a check for subdomains. Ooh, an interesting finding, say, a program running and its version. Check public exploits next … you get it now.
  • Solving 100 boxes with multiple hints taken does not mean a passing score is guaranteed. Know when to take hints and ensure the same mistake is not made the next time you see a similar finding.
  • I took notes as though I was talking to myself, and towards the end of my preparation I made a list of all mistakes I made and places where I took a hint. These lists helped me a lot when I saw a certain scenario.
  • ABSOLUTELY NO GIVING UP IN THE EXAM! The exam really puts your mental and physical endurance to the test, and everything comes down to your mindset. 10 open ports staring at you on one monitor, your whole Notion/Obsidian notes database staring at you on a second monitor, and you doubting yourself when you haven’t popped a shell for 8 hours straight? That’s when you don’t give up! Btw, taking a nap never worked for me because of all the thoughts and ideas running through my head when I was away from my workstation. So basically up for 26–28 hours. Been there, done that!
POV: You to yourself when you feel like giving up in the exam
  • Someone on Reddit rightly said, you should be running out of exam time before you run out of ideas; that’s how thoroughly you should be enumerating and taking action on findings.
  • Although you must go into the exam with an intention and drive to root all machines, I feel attacking the AD set first and then moving on to standalones worked best for me. Feels good once 40 important points are in the bag.
  • I took the exam on my MacBook (ARM64) and did not have issues with the exam. Although I did question my decision of buying a Mac at times when I had to compile exploits while doing the labs XD
  • You really need to think outside the box in the exam, hence, the more boxes you solve and the more frameworks you understand, the better. I hate when people ask — Hey, will 40 boxes on Proving Grounds be sufficient to pass the exam? I don’t have an answer to that!
  • Special mention — DerronC’s video series on Active Directory hacking

Conclusion -

Happy to answer questions about the exam preparation, feel free to DM me on LinkedIn.

Thanks to all the student mentors who helped out on Discord and to OffSec for their brilliant exam and lab environments. I personally feel like the PEN-200 course material could use slight updates in some modules ;)

Now that I know how OffSec’s courses and exams work, I definitely look forward to pursuing their OSWE (Offensive Security Web Expert) certificate next!

Just kidding, I still have a LOT more to learn. Godspeed, hacker!
