I recently passed the OSCP and got my certification. I began preparing for the OSCP back in November 2017 and received the email stating that I had passed in November 2018.

What is the OSCP?

The Offensive Security Certified Professional (OSCP) is a cybersecurity certification offered by Offensive Security.

The OSCP is a hands-on penetration testing certification, which requires students to successfully penetrate live systems in a simulated lab network during a 24-hour exam. The student must also submit a comprehensive professionally written penetration test report which details all of their findings during the exam.

It is one of the few cybersecurity certifications which requires evidence of practical penetration testing skills.

The OSCP exam is a 24-hour exam in which you are given access to a previously unknown network containing vulnerable machines, which you must exploit and document in a penetration test report. It is a practical test of the student's penetration testing skills.

Before you can take the OSCP exam, you must complete the Penetration Testing with Kali Linux (PWK) course. The course consists of the online labs, a series of networks containing vulnerable machines which you can practice on, as well as the course material, which consists of a PDF and a series of videos.

In order to pass the exam you must score 70% in the lab exam. Additionally, there is a bonus 5% which can be earned by doing the course exercises during the PWK and submitting a report on them.

I opted not to do the course exercises, because I felt that my time during the PWK would be better spent practicing in the labs; however, I would not recommend that people do this. Often students would ask for hints in the OffSec chatroom only for a staff member to reply “It’s in the PDF”. Even if you understand the course material, it is worth taking the time out to do the course exercises to refresh yourself, and the 5 bonus points may even end up helping you pass the exam.

Preparing for the OSCP

Before I signed up for the PWK course, I used many different free online resources to prepare myself.

Before signing up for the course, Offensive Security recommend that at minimum you are familiar with the following:

  • A solid understanding of networking and TCP/IP
  • Reasonable Linux skills
  • Familiarity with Bash scripting along with Perl or Python scripting.

Networking

You will need to be familiar with subnets, ports, IP addresses, and other foundational networking knowledge. A good understanding of the OSI model is a plus. There are some free basic networking courses on cybrary.it.

Linux

I highly recommend downloading and installing a free Linux distro and getting familiar with the command line. During the course you will be using Kali Linux, so I recommend downloading that distro and practicing with it. Practice moving around the filesystem, running commands, and specifying arguments. I would also recommend learning how to use the Nmap port scanner, as well as using ssh to log in to machines, at minimum. It is also advisable to get familiar with the following tools, as you will be using them in the lab a lot:

  • Nmap - port scanner
  • Dirb - HTTP path brute-forcer
  • enum4linux - SMB enumeration script
  • smbclient - SMB client application
  • snmpwalk - SNMP enumeration script
  • nikto - Web server security scanner
  • metasploit - exploitation framework (Note: use of metasploit is restricted during the exam, but is OK to use in the labs).
  • Apache - web server
  • Burp Suite - Web application testing tool

Another tool worth getting familiar with is tmux, a terminal multiplexer that will help you organize your terminal windows.

Python

The Python knowledge you will need is very basic. You will need to be able to modify exploit code at minimum, however being able to write your own custom tools using Python is very useful. There are some free Python courses on cybrary.it. If you wish to learn more, I would recommend the books “Learn Python the Hard Way” and “Automate The Boring Stuff”.

Penetration testing

To start, I would recommend completing some challenges on overthewire.org. The Natas challenges are good ones to try and will teach you about common web application vulnerabilities. Finishing all of these challenges can take some time; you don’t need to complete them all.

After completing some overthewire challenges, I would recommend downloading some of the easy Boot-To-Root VMs from vulnhub.com. Here you will learn to put together everything you’ve learnt and start developing your methodology for pentesting. You will need to enumerate the virtual machine, identify potential vulnerabilities, investigate them, find or write exploits for them, and exploit them. You should also practice taking good notes when doing the VMs, as well as practicing writing a formal penetration test report; see Offensive Security’s sample report as an example of what this should look like.

I would recommend spending at least a day on a vulnhub box, and if you get stuck, you can look up a walkthrough. You should at least spend a day working on the machine though, trying everything you can.

I would also recommend watching Ippsec’s videos on YouTube. He does walkthroughs of machines on hackthebox.eu. Watching him can help you pick up some tips and tricks, as well as develop your pentesting methodology.

Once you have a few vulnhub boxes done I would recommend moving onto hackthebox.eu. The machines are harder than vulnhub, but they are more polished and they are hosted. There are no walkthroughs available for any of the “active” boxes, which are the only ones that free users can do, however once a box “retires” Ippsec will do a video walkthrough. You can also buy a VIP plan from hackthebox.eu in order to get access to some of the retired machines.

If you are able to complete a few hackthebox machines, then you are in a strong position for the PWK course.

I signed up for 60 days of lab time and during that time I managed to complete most of the machines in the lab. Often people ask how much lab time they should buy. I really recommend just going for the 90 days. It is worth it so that you have plenty of time to do the course exercises as well as tackle most of the machines in the lab.

My Exam Attempt

My exam was scheduled for 9PM on a Friday. I started my nmap scans and other enumeration and left it running in the background while I worked on one of the high point boxes.

This box is the only one that doesn’t change much and the process for tackling it is covered in the course exercises. I had my steps written out for it and was following along. 40 minutes in and my process wasn’t working. After some debugging I found the problem and had my exploit fully developed. I ran my exploit and it worked on the first try. 1 hour 30 mins in and I had my first box down.

I then started working on the other high point box. I spent 40 minutes looking for a way to get an initial foothold on the box, but couldn’t find anything. So I decided to switch over to the lowest point box. I immediately noticed a very obvious hint, and within 10 minutes I had root privileges on this box. 2 hours and 10 minutes in and I had 2/5 boxes done, I was feeling confident.

The Wall

After this point, I had hit a wall. I spent the next 13 hours switching between the three remaining boxes, but I was getting nowhere. I had initially planned to sleep for 5 hours; however, when I tried to go to sleep I got an idea and had to get up and test it out, and so only managed to sleep for 2 hours.

The exam was destroying me, but I kept my cool, persisted, and most importantly followed OffSec’s motto and tried harder. After 13 hours I finally got an initial foothold in the high point box.

Finishing

I had regained my confidence, and decided to take a break and go for a walk. When I got back, it suddenly clicked and I got an initial foothold on one of the remaining boxes. After some enumeration I decided that the easiest way to escalate privileges on this box would be to use metasploit. During the exam use of metasploit is restricted, you may only use it on one box. So I waited until the end of the exam to attempt the privilege escalation, just in case I decided to use my metasploit “life” on another box.

So I switched back to the high point box which I still had to escalate privileges on, and within 30 minutes I found the path and it took another 30 minutes to do it. At this point I had 3 hours left and I had got just about enough points to pass my exam!

However I was still worried because OffSec do not disclose exactly how many points a low privilege shell is worth, and I could still lose points if I had mistakes in my report.

So at this point I decided to switch back to the other box I needed to escalate privileges on and use up my metasploit life. However my theory was incorrect and I was not able to escalate privileges on this box.

So I switched over to the last remaining box and after two hours, I managed to get an initial foothold on it, with only 1 hour left on the exam!

Writing the report

With the exam over, I moved on to writing the report. You are given 24 hours to write the report which details all your findings during the exam. The requirements for this report are also quite strict.

The report is where I really messed up. During the exam I was taking screenshots and brief notes and putting them into a Word document. But I personally do not like using Word and decided I would write the final report in LaTeX.

So after my exam finished, I slept for 8 hours and when I woke up I read through the exam guide and looked at the sample report.

I had never really looked at the sample report OffSec provide or prepared for the report writing, because I was so focused on compromising the boxes. So I had to write the entire report from scratch! Also during the exam, I did not take very good screenshots, but luckily I was recording my screen.

But during the exam, I noticed something weird. When I was writing something using vim, I would press ctrl+r to do a “redo”. But nothing was happening. Turns out the screen recording software I was using was using this key combo as a shortcut to start/stop recording. So during the exam I was continually starting/stopping the recording, and had managed to lose a lot of video!

Also, I was admittedly stupid and never thought about how I would search through the video afterward. The smart thing to do would be to start a new video file after each box or major milestone, but I thought that I wouldn’t even need to use the recording; it was a backup plan. All of my recording was one huge video file, which included times when I took breaks. So it was really painful to find what I was looking for, and in many cases that part wasn’t even recorded. So it ended up taking me a very long time to do the report.

When I initially booked my exam, the start time was booked for 8PM, but because of daylight savings time, it actually ended up being 9PM. So I was worried that the deadline for my report may actually be 8PM. So I decided to submit the report before 8PM. It was finished and I had quickly proof-read it, but I could’ve used more time to read over it.

After submitting it I noticed a problem with my report. In the section which described privilege escalation for the high point box, one of my commands included a pipe (|) character, but in the document this appeared as a dash (-). I had used this command in two places; the first had a screenshot showing the actual command, and the second did not. According to the exam guide, if they are not able to replicate what you did step-by-step, you won’t get any marks. I was really worried that they would say “well, this command doesn’t work, therefore you get 0 for the privilege escalation”, as that would put me under 70% and I would fail.
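An added example, not part of the original post and not taken from the author's report: in LaTeX with the default OT1 font encoding, a bare | typed in running text is typeset as an em dash (and < and > come out as inverted punctuation), which is exactly the kind of silent substitution described above and the reason a grader could end up with a command that does not run. The minimal document below shows the broken form beside two ways of keeping a command literal, \verb for inline commands and a listings block for multi-line sequences. The section title and the command lines are constructed for illustration.

```latex
\documentclass{article}
% listings gives a verbatim block environment; nothing inside it is
% interpreted by LaTeX, so |, \, $, %, _ and > appear exactly as typed.
\usepackage{listings}
\lstset{basicstyle=\ttfamily, breaklines=true, columns=fullflexible}

\begin{document}
\section*{Privilege escalation steps (constructed example)}

% BROKEN: a command pasted into running text. With the default OT1 text
% encoding the | is printed as an em dash, so the PDF reads
% "cat /etc/passwd --- grep bash". Loading \usepackage[T1]{fontenc}
% changes that glyph, but LaTeX still interprets \, $, %, _ and & in
% running text, so verbatim is the reliable fix, not a font change.
Ran the following to list accounts with a bash login shell: cat /etc/passwd | grep bash

% CORRECT (inline): \verb reproduces every character literally. The
% delimiter must not occur inside the command; + is used here because
% the command itself contains |.
Ran the following to list accounts with a bash login shell: \verb+cat /etc/passwd | grep bash+

% CORRECT (block): a listings environment for the full command sequence,
% including the redirection, as it was typed in the terminal.
\begin{lstlisting}
cat /etc/passwd | grep bash > bash-users.txt
wc -l bash-users.txt
\end{lstlisting}
\end{document}
```

Compile with pdflatex and then read the commands back out of the PDF before submitting (pdftotext works for this): every command in the report should be copy-pasteable into a shell exactly as printed. Any dash where a pipe belongs, or a missing backslash or underscore, means the command was set in running text and should be moved into \verb or a listings block.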

At this point I was cursing myself for not doing the course exercises, where I would’ve got practice writing a report, wouldn’t have made all these mistakes, and would’ve got 5 extra points, which would mean I wouldn’t have to worry about this as I would still pass. This is why I can’t stress enough that you should do the course exercises, even though they are quite easy and you may feel like it’s a waste of time. I put in so much work during the exam and was dreading having to repeat it all again.

Getting the Results

36 hours later I received an email with my results, and I had passed! It was amazing. The OSCP is a very unique experience and it is an experience I will never forget. I have learned so much from it, not only about penetration testing, but about myself. I learned how to Try Harder. I stayed determined during the exam and wasn’t going to let it destroy me, and it paid off.