My OSCP Journey Brain Dump

My experience and why I did the OSCP exam.

I started my career in 2018 as an intern security consultant and then I managed to get a full-time job after the internship ended. During my time I have been involved in various jobs including mobile, web, external / internal penetration tests. I also managed to get my first bug bounty and the basic CREST qualifications (CRT and CPSA).

  • More self-confidence in my own testing methodology. This would mean I am sure I haven’t missed anything critical during the test.
  • More efficient testing methodology. The PWK Labs would be able to offer a lot of experience and practice which is something that would help my methodology.
  • More knowledge.

My Journey (December — March)

My journey started near the end of December. I booked my PWK course to start just before New Year’s Day. Before starting the course I had read other blogs where people described their approach. The conclusion I came to was to not skip the course material.

January

When I received my materials and lab access, I spent the first two weeks going through the lab materials. I knew most parts of the material but I did the lab exercises anyway. This just meant I covered pretty much everything the course wanted to teach me. I also did learn some new tricks as well which was great.

February

Starting February, this month was mainly dedicated to popping the machines. I started doing a lot of the easy boxes, then I moved onto what I would reckon are more realistic boxes which I would face in the exam. After two weeks, I managed to squeeze the time taken to do a box from 12 hours to 6–8 hours.

March — Aborting the first exam attempt

It was a week until my exam attempt and I had popped roughly 20–25 boxes. I still needed the forums, and after each box I was learning something new to add into my methodology. The time taken was still 4–6 hours per box. If I were to have the exam at this time, I would only have 5 hours for breaks or sleep.

March — the final push

After bailing out on my first exam attempt, I went on holiday to Turkey. Covid-19 was just about to hit Europe and I was one of the last tourists in Istanbul. This was meant to be a stress-free holiday so I could hit the ground running when I returned. After my flights got cancelled twice, my mind was on more important things. The logistics of trying to get back home took over my mind and I was able to ignore the OSCP exam for that week.

Preparation in the week leading up to the exam

The week leading up to the exam I managed to do about 20 boxes on the PWK labs and I got 3 network secret keys. The time taken per box was roughly 4–5 hours each.

The exam

I started my exam at 9pm on a Saturday. I had some initial problems connecting as the credentials I was given weren’t correct. If you encounter this problem, go talk to the online chat support. This will sort you out.

My thoughts about the OSCP

Compared to CREST CRT, I believe this exam is much more difficult and anyone who has OSCP will be able to do CRT. However, getting CRT does not mean you’ll be prepared for doing OSCP.

  • More self-confidence.
  • More efficient and thorough testing methodology.
  • More knowledge.

My Recommendations

  • Don’t skip the course material! Upgrade to the 2020 version if you can afford it.
  • The forums are there to help but try your best to not be too reliant on them. It’s great to see other people’s opinions.
  • Try harder mentality is great and all but also remember to take a step back if you get stuck.
  • Ask for help when you need it.
  • For every box, try to find something that you can learn.
  • Try not to burn out.
  • If you have a 9–5 job, try to book a week or two off to study.

Appendix A: Normal revision weekday.

My normal work day for those who are interested.

Appendix B: Moving Forwards

I’m starting blogs; this will be the first of many. My next step is to continue writing blogs and further my knowledge in mobile / web application testing to prepare myself for OSWE eventually.

Turkey.
