This is an edited, redacted version of the original article in an effort to comply with a request from Offensive-Security. Though I believe little value could be gleaned from the original article from someone taking the course, they are very protective of their process and IP – rightfully so.
When I registered for my PWK course in May of this year, I promised myself I wouldn’t write one of these posts. I felt like there was little to gain from writing another blog post with the same resources that have been posted repeatedly. And in large part, I still feel that way, but feel strangely compelled to write this, a month after clearing the exam.
I pre-gamed the OSCP quite a bit. I have been in Information Security in some definition for 6 years. Around March of 2017, I joined HackTheBox, after struggling immensely with the join challenge. I wasn’t really sharp on web app security, and barely knew any coding languages of any type at the time, save C#. It was around this time that one of my friends made me aware of the OSCP exam and what it entailed. I had passed the only other two certifications I had attempted and obtained other certifications (CCNA, Network+) at that point fairly easily, and it sounded like a challenge – albeit one I was not prepared for.
Throughout 2017, I continued to do HTB, with some moderate success, though it was fairly difficult to do in the position I was in, which demanded a lot of my attention, and left me unable to study.
In 2018, I changed jobs to become a full-time Vulnerability Analyst, which was probably the biggest help in my preparation for the OSCP, as the exposure to breadth and depth of vulnerabilities and exploits that can affect a large enterprise environment is incredibly helpful. During this time, I also obtained my Security+ and my CISSP.
After registering in April of 2019 for the OSCP with 60 days' worth of labs, I patiently waited for the course to begin on May 11. On May 11 at 7 PM, my lab access came in. On my first night in the labs, I worked until 2 AM, and managed to own four of the boxes.
After owning the first ten or so boxes, I felt I would almost certainly be prepared to take the exam 30 days in. If I failed – so what? I had 30 more days of lab time. So, I scheduled my first exam attempt 30 days out from the course start date. During this time, I made it my goal to at least get a box a day down. This wasn’t always the case, but by the end of the thirty-day cycle to my exam, I had taken down 32 boxes.
There is a lot of speculation around the ‘Big Four’ boxes in the lab online, but I will say that I believe they are not the be-all, end-all they are made out to be, and almost all boxes presented by OffSec present some value in the learning process.
Each of these boxes taught interesting lessons that I hadn’t considered before. Several of them taught me to never assume that a vector was not attackable based on previous experience, and to ensure you enumerate everything.
Once I felt I had really owned a significant amount of the lab, including 1-2 machines in adjacent networks requiring pivot, I began to work on my lab report, and completed it in the span of about a week – though it requires a lot of work, and I do not recommend underestimating this.
It was now time for my first exam attempt.
Hubris and Downfall – Exam Attempt #1
My first exam attempt began 30 days after venturing into the labs, at 1:00 PM. I was able to quickly set up the proctoring session, and the VPN email came through exactly on time, and was established without a hitch.
I immediately began working on the buffer overflow, as it was worth 25 points, and was easily the concept I was most comfortable with. I will say this about the buffer overflow – take your time, and don’t miss anything stupid. Make sure you step through each thing you were taught in the course material. That said, the BOF machine fell quickly, in about 30 minutes, and I had 25 points. Awesome.
From there, I made very little progress. Initially, I began to enumerate what I thought was the second 25 point box, but had gotten turned around somewhat, and was actually enumerating the BOF box again, looking for an entry point that did not exist. I wasted at least two hours before realizing my mistake.
After pivoting and returning to face the actual targets, I managed to enumerate one 20 pointer enough to get a limited shell. However, I could not find a method to escalate in any way, and spent several hours attempting to do so. Facing a dead-end, I moved to the 25 point box. However, I was unable to make heads or tails of it, the 20 point box, or the low-effort 10 pointer – which seemed the most confusing of all.
By midnight, it was apparent that I was not going to make any more progress, never mind pass. I let my proctor know I was stepping away, and slept. I did not bother to finish or turn in the report the next day.
I was pretty unhappy with my performance in the first exam attempt. I had assumed that the exam would be an extension of what was experienced in the labs, and that could not be further from the truth.
While there are certainly similarities, it’s far more important to understand the process itself, not the technical details of what the lab is teaching you. I had heard this before, but I believe it’s really difficult to take this to heart and understand what is really meant by this without experiencing it yourself – even if that initially leads to frustration and failure.
To better prepare for my second attempt, I did the following:
- Completed @TJNull’s HTB List w/ HTB VIP
- Watched IppSec on Youtube – specifically, areas I was weak in (Windows & PrivEsc)
- Found a set of enumeration checklists to follow
- Completed OSCP Pre-Exam VulnHub machines
- Spent a week feeling sorry for myself
After about three weeks of the above, I felt ready to challenge the exam again – though I really hoped I would have a different set of boxes and experience this time, so the challenge would remain. At this point, I also bought a second ultrawide monitor for use during the exam – I’d highly recommend having at least two monitors, as it did feel rather crippling to only have one.
Finally Free – Exam Attempt #2
My second exam attempt started a bit later in the day, at about 3:00 PM. I was more laid back during this exam attempt than I had been in the previous one. No butterflies, no sweaty palms, just ready to give it a second shot. Again, the proctoring session and exam started seamlessly, and I began.
The BOF fell again in approximately 30 minutes. 25 points, plus lab report left me with 30 out of a necessary 70. The plan going in was to immediately attack the second 25 point box to attempt to obtain as many points as possible quickly.
I began enumerating the 25 point box following the checklist I had previously obtained during my two-week pity party, and quickly found an entry point, though it was more complex than I had imagined I would see. With a limited shell on this box, I ostensibly now had 42.5/70. My initial attempts at privilege escalation were fruitless, so I then moved on to a 20 pointer to avoid tunnel-vision and missing something obvious.
The 20-point box was incredibly easy. I found an entry point to it within less than an hour, and the privilege escalation less than half an hour after that. It was a platform I was very familiar and comfortable with, and had no issues exploiting, as I had seen it before several times. I now had 62.5/70, and it was time for dinner.
I stepped away from my desk entirely at this point, at about 6:00 PM, and had a normal dinner with my family. I ranted and raved for a few minutes about how I was unsure if I could get the remaining 7.5 points, or if I would fail again, and returned to my test shortly thereafter.
The 10 point and remaining 20 point boxes seemed entirely hopeless, as I couldn’t find any entry point to either of those – though the 10 point box is supposed to be the easiest. In light of this, I focused all of my efforts on privilege escalation of the 25 point box.
There seemed to be very little to go on, which some might think would make the escalation rather obvious. In my case, it made it rather difficult, and I ended up spinning my tires until almost 1:00 AM. At about 12:45 AM, however, I managed to find the simple things I had missed, and was able to return a root shell. I now had 75 points – and with that, went to bed.
I got up far before my exam was scheduled to end the next day, and attempted to get some insurance points, but came up entirely flat. My brain was fried at this point, and I was not able to proceed. In light of this, I began writing my report, and submitted it shortly thereafter, about 24 hours ahead of schedule.
I’m a bit of a worry-wart by nature, so waiting for me is often the worst part of any process. It certainly didn’t help that I realized in a cold sweat at midnight three days after report submission that I had missed a piece of information I thought was a critically failing mistake.
My report took about nine days to grade with the lab report, when I was finally greeted with the email that I had passed. My stomach sank when I saw the email from Offensive Security, but I was pleasantly surprised to read that I had passed. About a month later, my certification package came in the mail.
Takeaways and Future Plans
I think most other folks have offered summations of this cert that are probably more than sufficient, so I’ll keep mine a concise, bulleted list.
- Have a Plan of Attack
- Follow your Plan of Attack
- Don’t Panic
- Take Your Time
I can’t really stress any of these enough. It isn’t enough to have a plan, you must also execute it. When things don’t go to plan, you cannot panic. You must simply adapt your plan. Remember – no plan survives contact with the enemy.
Take your time, and be sure you do things right the first time. Good life advice and good OSCP advice. 24 hours is plenty of time to do it, and do it well, and be thorough. And don’t forget that you have another 24 hours post-exam to get that report in. Don’t rush it like I did, and there won’t be any doubt as to whether you passed.
As for the future, right now, I’m not sure what that holds. Shortly after taking the OSCP, I also took the Pentest+ with CompTIA and passed that, solidifying another credential. Really, at this point, I’m taking a bit of a break from the stress of it all.
That said, I’d really like to get some professional, real-world pentesting engagement experience at some point, and will probably tackle the OSCE at some point next year, as I’m already half-way through the registration challenge there.
But for now, I feel all certed up, and am going to see where this leads me. All in due time!
[Personal GitHub links removed at request of Offensive-Security]
@TJNull’s OSCP List for HTB: https://pbs.twimg.com/media/ECG-gPnW4AMs32A.jpg:large
IppSec’s YouTube Channel: https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA