
What is an OSCP?
Before jumping into my exam preparation and experience, let us quickly cover what an Offensive Security Certified Professional (OSCP) is. An OSCP is someone who successfully achieved at least 70 points on their exam, with or without bonus points, and submitted a professional exam report. Exam takers are given 24 hours, 23 hours and 45 minutes to be exact, to complete exam objectives and 24 hours to create an exam report.
OSCP Preparation
I began my OSCP exam preparation on June 19, 2022, and finished on September 17, 2022. Only 5 days within my preparation period were spent on activities unrelated to getting OSCP certified.
The following materials were used during my preparation:
- Offensive Security’s Proving Grounds Practice (PGP)
- Offensive Security’s official PEN-200 course
- Offensive Security’s Discord
Although there are only three elements in the preparation list, I was training over 70 hours per week. Please do not fret, it is not mandatory nor do I recommend you use my study schedule. Everyone is on their own journey and it makes no difference whether it takes you 5 weeks to prepare or 5 years. What does matter is sticking to a plan that works for you.
Now let us take a closer look into each of the elements in the aforementioned list.
Proving Grounds Practice
PGP subscribers have access to vulnerable machines to practice their hacking methodology. I purchased one month of PGP to prepare myself for the PEN-200 course, which I scheduled for July 1, 2022.
Between June 19, 2022, and July 1, 2022, I managed to root 17 machines in the PGP lab environment. It had been quite some time since I did any capture-the-flag (CTF) challenges so I needed the refresher. PGP proved to be helpful in regaining some of my Kali Linux powers, allowing me to begin the PEN-200 course on the right foot.
PEN-200
The PEN-200 course covers topics that can show up on the exam and provides a lab environment to practice what is learned in the course material.
Some of the topics covered in the PEN-200 course include:
- Structured Query Language Injection (SQLi)
- Cross Site Scripting (XSS)
- Buffer Overflow
- Privilege Escalation
- Port Redirection and Tunneling
I spent the first month and a half working through the course PDF, exercises and videos. I read through all of the topics and completed each of the exercises with a score of 100%. On August 19, 2022, I put all my attention and focus on the lab environment.
The difficulty of the machines within the lab environment ranged from super easy to extremely difficult. The lab environment consisted of 5 different networks which allowed me to work on my pivoting techniques, among other things.
Here are the 5 networks in the lab environment:
- PUBLIC
- SANDBOX
- DEV
- IT
- ADMIN
I completed all 75 machines found in the lab environment by September 17, 2022. Completing all 75 machines and all course exercises qualified me for 10 bonus points towards my exam! This was exciting as I wanted to increase my odds of passing the exam in any way I could.
In order to qualify for bonus points one must complete a minimum of 30 machines in the lab environment and achieve a score of at least 80% on each of the course topic exercises.
Discord
I would be remiss not to mention the folks over in the Offensive Security Discord channel. As much as I would like to say I prepared for the OSCP exam on my own, it simply would not be true.
Whenever I needed guidance, someone to explain a topic, or a new tool, I turned to the Discord channel and was quickly aided by student mentors or fellow students.
I am still active on the Discord channel and I do my best to help those who are in the same position I was once in. I find that helping people gives me great joy and reinforces my knowledge on various cybersecurity topics.
OSCP Exam Point Structure
Here is a quick breakdown of the current OSCP exam and point structure:
- Active Directory (AD) set — 40 points for complete compromise, no points are given for partial compromise, all or nothing
- 3 Standalone Machines — 20 points per fully compromised machine (root.txt), 10 points for partial compromise (local.txt)
- Bonus Points — 10 points for completing at least 30 machines and getting at least 80% per exercise topic in the PEN-200 course
The OSCP Exam
After completing all machines in the lab environment, I scheduled my OSCP exam for Friday, September 17, 2022, at 2 pm the following week. I was lucky enough to find a time slot that worked for me as most were unavailable.
On the morning of my exam day, I did not do any studying whatsoever. The only actions I took which related to the exam were organizing my notes and skimming over my 100+ tabs in Google Chrome. At 2 pm I was ready to begin as I had already connected with an Offensive Security proctor and successfully connected to the exam environment via a virtual private network.
I immediately targeted the AD set in hopes to earn a quick 40 points but as it turns out it took me 6 hours to compromise the set. Getting a foothold on the domain is what took up most of my precious exam time. Once I completed the AD set I felt a sense of relief as I had accrued a total of 50 points including bonus points. It was then time for me to turn my attention to the standalone machines.
I was conflicted between working on trying to root one standalone machine for 20 points or partially compromising two standalone machines for 10 points each. After 2 hours of chipping away at one of the standalone machines, I managed to partially compromise the machine by retrieving the local.txt file earning me 10 more points.
The time I spent working on the first standalone machine gave me the confidence to attempt to escalate my privileges and obtain the root.txt file for the remaining 10 points needed to pass. About an hour and a half later, I was staring at the root.txt in my terminal in triumph. After jumping out of my seat with joy and taking some time to get myself together, I began working on gathering screenshots for the exam report.
OSCP Exam Report
The purpose of the exam report is to exhibit your ability to relay information to other people, in this case Offensive Security, in such a way to give the reader actionable steps to mitigate or remediate any vulnerabilities found during the assessment.
It took me 9 hours to reach 70 points and another 9 hours to take enough screenshots to effectively show my hacking methodology. I know what you are thinking, “What? 9 hours to take screenshots?” I wanted to present my methodology in such a way that even a nontechnical person could follow along.
On top of creating screenshots, I annotated each piece of evidence to aid me in writing my report. It is best I mention that you do not have access to the exam environment during your time allotted for the exam report.
When I was not sleeping, I was working on the exam report. I will be honest here, the exam report demanded more out of me than the exam itself. In hindsight, I should have created a skeleton of my exam report prior to starting the exam. The skeleton would have included a cover page, section headings and any content not dependent on the actual exam.
OSCP Exam Final Thoughts
With my newfound knowledge I can comfortably state that the OSCP is not a beginner certification. This might not be breaking news to some but as we continue to see more people trying to break their way into the cybersecurity industry, this should be known in order to adjust expectations.
Here are a few of my thoughts on what the OSCP certification represents:
- The ability to adapt in a dynamic environment
- The ability to keep calm under undesirable time constraints
- The ability to create and present actionable deliverables
- The ability to think critically and find solutions when none are apparent
The PEN-200 course and OSCP exam made a profound impact on my mindset. You are not only taught to leave no stone unturned but to question your method of turning said proverbial stones.
The journey to becoming an OSCP was well worth the time and effort. The skills I acquired and the insight I have gained exceeded my expectations. I must highlight that you are cheating yourself if you do not try your absolute best before asking for help. There is nothing wrong with asking for help when it is needed, just be cautious of asking for a leg up prematurely.
Check out my official OSCP guide where I share recommended paths and share tips and tricks.
Until next time…
— N3NU
Disclaimer: My content is for informational and educational purposes only. You may try out these hacks on your own computer at your own risk.