I recently got my email saying I passed the OSCP exam first time. This blog will illustrate the approach I used and what worked for me. I hope it helps out some of you who are trying to get it done.
(TLDR: The recommendations at the end might help)
My experience and why I did the OSCP exam.
I started my career in 2018 as an intern security consultant and then I managed to get a full-time job after the internship ended. During my time I have been involved in various jobs including mobile, web, external / internal penetration tests. I also managed to get my first bug bounty and the basic CREST qualifications (CRT and CPSA).
After working and talking to people who have completed the OSCP exam, I sensed that there was something I was missing in my methodology. The people who completed the exam managed to work more efficiently and they were testing in greater detail which meant they could sometimes escalate a medium vulnerability to a high. So after completing the exam I was hoping to gain the following:
- More self confidence in my own testing methodology. This would mean I am sure I haven’t missed anything critical during the test.
- More efficient testing methodology. The PWK Labs would be able to offer a lot of experience and practice which is something that would help my methodology.
- More knowledge.
My Journey (December — March)
My journey started near the end of December. I booked my PWK course to start just before New Year’s Day. Before starting the course I had read other blogs where people described their approach. The conclusion I came to was to not skip the course material.
January
When I received my materials and lab access, I spent the first two weeks going through the lab materials. I knew most parts of the material but I did the lab exercises anyway. This just meant I covered pretty much everything the course wanted to teach me. I also did learn some new tricks as well which was great.
After these two weeks I felt exhausted but I was itching to have a go at the labs. I forced myself to take a week’s break so that I would feel refreshed and not get burnt out.
With 40 days remaining, I popped my first box. It was one of the easier boxes with a common Windows exploit. After this, I spent a couple of days doing another box, Phoenix. This one felt very satisfying as the new things I learned in the PWK course really helped.
Ending the month of January, I managed to complete the course materials and make a start hammering my way through the Labs. My current skills allowed me to get user in roughly 6 hours and root in 6 hours. I also needed the forums to guide my thinking a bit. So far I was happy that I was able to do it.
February
Starting February, this month was mainly dedicated to popping the machines. I started doing a lot of the easy boxes, then I moved onto what I would reckon are more realistic boxes which I would face in the exam. After two weeks, I managed to squeeze the time taken to do a box from 12 hours to 6–8 hours.
I also managed to get the big 4 machines: Pain, Sufferance, Payday and Gh0st. I needed a lot of help on Sufferance and Gh0st though. After doing Pain I’ve never been the same since, that one does some serious character building!
March — Aborting the first exam attempt
It was a week until my exam attempt and I had popped roughly 20–25 boxes. I still needed the forums, and after each box I was learning something new to add into my methodology. The time taken was still 4–6 hours per box. If I were to have the exam at this time, I would only have 5 hours for breaks or sleep.
The main thing that was bothering me was that I still needed the forums and I was always learning something after doing a box. The use of the forums had changed from pointing me in the right direction to confirming what I already thought. The stress and amount of work I was doing also made me feel exhausted which affected my performance. Thus, I postponed my exam by 1 month.
March — the final push
After bailing out on my first exam attempt, I went on holiday to Turkey. Covid-19 was just about to hit Europe and I was one of the last tourists in Istanbul. This was meant to be a stress free holiday so I could hit the ground running when I returned. After my flights got cancelled twice, my mind was on more important things. The logistics of trying to get back home took over my mind and I was able to ignore the OSCP exam for that week.
In the middle of February, the PWK course was updated to the 2020 materials where everything was improved. I looked through the syllabus and I found some of the content was information I learned myself in the labs. I thought that there would be extra ‘golden nuggets’ in the new course notes so I decided to upgrade my materials and buy 3 weeks of lab time.
This was one of the best decisions I made during my journey. The new course explained everything much better, and there were a lot more exercises as well. I spent the first week of the labs going through the exercises. There were hundreds more pages and a lot more exercises to do. I still managed to learn a fair amount as well. Near the end of the syllabus, the lab exercises consumed a lot more of my time so I decided to stop the exercises and just read through them.
Covid-19 was in full swing now. Lockdown had started and my company put me on furlough. This was perfect timing and I spent the time leading up to the exam doing all the boxes again.
I discovered the lab machines were more up to date and some of the original ways I used to exploit machines did not work. This allowed me to improve my privilege escalation skills which was the main thing I learned during this second phase.
Preparation in the week leading up to the exam
The week leading up to the exam I managed to do about 20 boxes on the PWK labs and I got 3 network secret keys. The time taken per box was roughly 4–5 hours each.
To avoid the burnout I experienced in the first attempt, I stopped popping boxes 2 days before the exam. I spent one day on buffer overflow practice before the exam.
I also did some loose capture the flags where I would go through a walk-through and scroll down the page slowly. After seeing the results of the scan I would try to guess what the next step would be. This requires some thinking but it is not so strenuous. This also allows me to understand other people’s methodologies and learn about different points of view.
The exam
I started my exam at 9pm on a Saturday. I had some initial problems connecting as the credentials I was given weren’t correct. If you encounter this problem, go talk to the online chat support. This will sort you out.
My plan was to do 2 boxes before going to bed. Then have the following day to do the remaining boxes until I get 70+ points.
In reality, I managed to get 55 points before going to sleep and so I spent the next day getting the final box and then reporting for the rest of the day.
My thoughts about the OSCP
Compared to CREST CRT, I believe this exam is much more difficult, and anyone who has OSCP will be able to do CRT. However, getting CRT does not mean you’ll be prepared for doing OSCP.
The three goals I listed earlier in the blog were definitely met and I am very happy with this achievement.
- More self confidence.
- More efficient and thorough testing methodology.
- More knowledge.
My Recommendations
- Don’t skip the course material! Upgrade to the 2020 version if you can afford it.
- The forums are there to help but try your best to not be too reliant on them. It’s great to see other people’s opinions.
- Try harder mentality is great and all but also remember to take a step back if you get stuck.
- Ask for help when you need it.
- For every box, try to find something that you can learn.
- Try not to burn out.
- If you have a 9–5 job, try to book a week or two off to study.
Appendix A: Normal revision weekday.
My normal work day for those who are interested.
0545 — Wake up
0630 — Get on the bus. Catch up on sleep.
0800 — Get on the second bus to work.
0900 — Start work.
1700 — Finish work. Then get the first bus home.
1800 — Get on the second bus home. Do roughly 45 minutes of studying. This is mostly going through the course materials and doing lab exercises.
2030 — Get home and either study for an hour or go to the gym for 2 hours.
0000 — Sleep
Appendix B: Moving Forwards
I’m starting blogs; this will be the first of many. My next step is to continue writing blogs and further my knowledge in mobile / web application testing to prepare myself for OSWE eventually.
Thank you for reading.