Introduction
Why I Took the OSCP Exam
After working as a sysadmin for several years, I’ve always been interested in the security side of IT. In my free time, I often worked on Hack The Box machines and followed TryHackMe courses. Through my previous employer, I got the chance to join a training—the OSPP course from OptiSec. That training was a real eye-opener. It gave me a clear direction and motivation I hadn’t felt before. My goal was set: pass the OSCP exam and, hopefully, start a career as a penetration tester. But where do you start?
Purpose of this Blog
The purpose of this blog is to hopefully inspire others to pursue the OSCP exam and explore what I believe is the most interesting, challenging, and exciting side of IT. To do this, I’ll share my experiences and, of course, some tips & tricks.
Preparation for the OSCP Exam
The Learning Resources I Used
TryHackMe:
As I mentioned earlier, before I even decided to go for (or heard of) the OSCP exam, I spent quite a bit of time working through TryHackMe courses—something I definitely don’t regret. The courses I completed include Jr. Penetration Tester, Offensive Pentesting, and Red Teaming. The last one is somewhat ‘out of scope’ for the OSCP, as it dives deep into evasion techniques. However, these courses provide a solid foundation and teach you most of the key methodologies.
Offensive Security PWK Course:
The official PWK course, which comes with the OSCP Learn One subscription, was quite a challenge to get through. It’s a lot of material, though I was already familiar with most of the terms and techniques. Even so, going through the course is something I highly recommend. After completing the coursework, it was finally time to tackle the practical exercises. I worked through the first two labs and all three practice exams. My tip for the practice exams: keep track of how long it takes you to complete them. This will give you a good idea of whether you’re ready for the real exam.
Hack The Box (HTB):
When searching online for OSCP-like machines on Hack The Box, you’ll quickly come across TJ Null’s list. This is something I highly recommend. As part of my extra training, I ended up pwning 20-something machines from this list.
OSCP - Proving Grounds:
Two weeks before my exam, I decided to get a Proving Grounds subscription from OffSec. The machines available there are quite similar to the standalone machines in the OSCP exam. There’s also an OSCP-like list provided in TJ Null’s list. I managed to pwn 34 machines in total, which was quite a challenge and involved some long nights with little sleep.
Time Commitment
It’s hard to say exactly how much time I spent on all the learning resources. After completing the OSPP course, I almost immediately signed up for the OSCP Learn One subscription for three months. With a decent amount of prior knowledge and determination, this time frame should be doable.
My OSCP Exam Experience
- Exam Day!
I scheduled my exam to start at 10:00 AM, which seemed like a good time to begin so I could stick to my usual morning routine and have a full day to (hopefully) reach the required 70 points. I had set a strategy for myself in advance: focus on the Active Directory (AD) environment while running AutoRecon on the standalone machines. This way, I aimed to quickly secure the first 40 points + 10 bonus points = 50 points. After that, I would just need one more standalone box to pass the exam.
And that’s exactly what happened. I had practiced my AD enumeration thoroughly, and thanks to my sysadmin experience, I pwned the AD environment with ease. By lunchtime, I had cleared the environment and secured the first 50 points. Feeling good, I took a break to eat lunch and go for a walk. Just one more machine, and I’d pass the exam.
If only it were that simple. I got stuck on the standalone machines for quite a while. Finally, around 9 PM, shortly after dinner, I managed to get a foothold and, not long after that, root, bringing my total to 70 points! However, my goal was to achieve the full 110 points, so I didn’t stop there.
I gained a foothold on the second machine around midnight, but privilege escalation didn’t go as smoothly. I noticed my concentration and focus were slipping. I decided to review all my screenshots and double-check if I had properly documented and noted all the steps I had taken. Around 3 AM, I took a short nap and resumed at 6 AM.
Best decision ever. After the brief rest, I looked at the machines with fresh eyes, and managed to root the second machine. Just one more to go. I got a foothold on the final machine, but I couldn’t achieve root access within the time limit.
An hour before the deadline, I reviewed all my screenshots one last time. Exactly at 10:00 AM, my VPN connection was cut off.
The Exam Environment
The exam environment was stable, with no downtime or other unusual issues. Although the proctoring felt a bit unfamiliar at first, I got used to it fairly quickly and was able to fully focus on the exam. Whenever I took a break, I informed the proctor each time, and they were very relaxed about it.
Submitting the Report
After the exam, it was time to work on the report. During the exam, I had already documented as much as possible using my note-taking tool, OneNote. For reporting, I used SysReptor in combination with the OSCP template, which I highly recommend. During a practice exam, I had created a test report in SysReptor to familiarize myself with the tool—a step I would definitely recommend!
Thanks to having enough screenshots and thorough notes, I was able to complete the report within 4-5 hours. Taking detailed notes during the exam makes a big difference and saves you a lot of effort later on.
Tips and Tricks for OSCP Candidates
- Master the Basics
Before diving into complex exploitation techniques, make sure you have a solid understanding of basic concepts…

* **Networking basics**
* **Linux basics**
* **Common vulnerabilities**
* **Tools**

Practice, Practice, Practice
The more you practice, the more confident you’ll become. Spend hours on **Hack The Box** or **TryHackMe**, and don’t be afraid to tackle harder machines. It's all about exposure to different attack scenarios.
Find a Training Buddy
One of the best tips I can give is to find someone who is also working on their OSCP and study together. Look for ethical hacking communities (https://ehgn.nl/ is a very good Dutch community) and start networking. This was incredibly helpful for me. It keeps you motivated and helps you stay on track, while also providing an opportunity to encourage each other to push through tough moments. Plus, it makes the whole process much more enjoyable!
Time Management / Strategy
Break your 24-hour exam into manageable chunks and develop a strategy that works best for you. I began by fully focusing on the Active Directory (AD) portion of the test. Once I completed that, I reviewed the output from AutoRecon and started with what seemed to be the easiest machine of the remaining three.
If you’re struggling with a particular machine, move on! Don’t waste too much time on a single box. It’s better to attack the easier machines first and get that 70 points.
Take Breaks and Stay Calm
The exam is stressful and long, so it’s important to step away from your screen every so often. I made sure to take breaks every few hours to stay fresh and clear-headed. After getting some sleep, it suddenly ‘clicked’, and I managed to pwn the machine.
Document Everything
Take notes on everything you do. Whether it’s an IP address, a command, or a potential vulnerability, make sure to log it. This will save time when you go back to write your report and helps you stay organized during the exam.
Read the OSCP Exam guide carefully
Be well prepared when you go into your exam and read the exam guide carefully!
Don’t Give Up
Even if you feel like you’re not making progress, don’t give up. The exam isn’t necessarily that difficult and 24 hours is a long time! If you’ve prepared well, you’ve got what it takes to succeed. Stay calm, keep your focus, and don’t panic.
After the Exam: The Waiting Game
- The Wait for Results
After the exam, I submitted my report and waited for the results. The results came surprisingly fast, after 2 days, and I was thrilled to learn that I had passed.
Conclusion
Passing the OSCP was one of the most rewarding accomplishments in my infosec career so far. It not only boosted my technical skills but also gave me a sense of accomplishment and confidence in my abilities. If you’re thinking about pursuing the OSCP, I highly recommend it — but be ready to put in the work.