I passed OSCP on January 5th, 2023. Here’s my somewhat detailed experience with OSCP (and how you could have done certain things better than me).

Update: Fixed exam details (I finished the report by 9PM of day 1, not day 2). Added more tips.

Background

I had been interested in penetration testing for quite some time. As an anxious incoming college freshman majoring in CS wanting to get an internship ASAP (still procrastinating on creating a resume), I thought getting OSCP would be a decent first step into the field. Seeing various job postings stating that OSCP would be a plus further confirmed my view. Even though I had no idea whether or not cyber security internships accept first-year undergraduates yet, I figured having a cert might at least boost my chances of getting an interview.

Being a fresh high school graduate, I had the summer to prepare. The exam is by no means cheap ($1,500 for 90 days lab, which is the only option at the time of writing), but fortunately I received some family support.

Some relevant experience I had before I started the course: Linux competency, basic networking, TryHackMe offensive path, some IppSec HTB walkthroughs. My experience with building backend with JS and MySQL probably also helped. I had some CTF and wargame experience, though practicing with actual boxes would prepare you better for OSCP than solving CTF or wargame challenges.

With enough basic cyber security experience and networking knowledge earned through random YouTube videos, TryHackMe rooms (especially the AD rooms on the offensive path), and competitions like CyberPatriot, I believed I was ready. In retrospect, it would have been better if I had dabbled more in HackTheBox and other platforms before I purchased the course, but oh well. If you do not have any experience at all, TryHackMe paths would be a good place to start.

Preparation

Online Resources

There’s a week or two’s delay between your payment and the start of the course. So I gathered some guides and helpful articles first:

Exercises

With the new exam format, we have an opportunity to get 10 bonus points. When I started the course, the 10 bonus points could only be acquired through a written lab report containing answers to book exercises plus reports on 10 lab machines. I took a few weeks to slowly go through the material and complete all exercises. Although the course did its job, I felt that it could really use some improvements seeing how the tools it demonstrates were pretty outdated (some tools I use: rustscan, nmap, dirsearch/feroxbuster, ffuf, linpeas/winpeas, enum4linux-ng, smbmap, impacket tools, wpscan, etc). Just before I jumped into the labs, Offensive Security updated the bonus point system. Though I was already done with the old-style exercises, I was uncertain about the strictness of OffSec’s report grading (I assumed a single mistake would render the whole report worthless), so I went back and did all the topic exercises too (which lets you know if you are correct or not).

Ditching the Lab

Since the passing score is 70 points, you either have to finish the AD set (40 points, all-or-nothing) and obtain 3 more flags on the independent machines (30 points), or complete all 3 independent machines (60 points) and rely on the 10 bonus points to pass. With the latest change to the exam, you can get the bonus points by doing all topic exercises and getting 30 proof hashes in the lab. Though I finished all book and topic exercises, I didn’t feel like dealing with the lab’s interdependent nature. I ploughed through Offensive Security’s PEN-200 Lab Learning Path and went straight to proving grounds. To be honest, if you are also taking the OSCP, don’t be like me. Since you paid for it you might as well use it to get some good practice (at least practice with the lab AD sets).

Proving Grounds Practice

OffSec’s Proving Grounds Practice is a good place to practice for OSCP due to how similar its machines are to exam boxes. A friendly note: avoid using kernel/sudo/polkit exploits! They are very unlikely to be the intended route, and they don’t prepare you at all for the exam, since the exam machines are usually fully patched against CVEs like those. I finished all machines (except the “Harder boxes to try out” part) on TJnull’s PG Practice list, and they are definitely worth doing. A community-rated intermediate is about the same level of difficulty as an exam machine (you can view the community rating by hovering your cursor above the machine name). I don’t have any experience with the HTB machines on TJnull’s list, but judging from the experience I had last time with HTB, they are probably more difficult than OSCP exam machines and might be less efficient than PG for prepping (even though the ones on TJnull’s list should be older and somewhat easier than ones with the same HTB rating today).

As for the machines themselves, I can say that I struggled on quite a lot of them and had to resort to hints to progress. That said, I think it would be a bad idea to bash your head on a foothold / privesc for too long—at least I know it would be very demotivating for me. So don’t feel bad about taking a hint when you need it, as long as you take note of it and figure out how to identify the attack vector next time. Here are some of my notes on why I got stuck and went for a hint (admittedly I overlooked quite a few basic things during enumeration):

  • not trying more credentials, e.g. for Sonatype Nexus Repository Manager, only trying sonatype:sonatype or admin:admin or admin:admin123 but not nexus:nexus
  • not enumerating LDAP for users/user descriptions/user properties/etc
  • not enumerating enough of the website (EVERY place, EVERY navbar item, EVERY user-created source file, EVERY version info, EVERY exploit you can find of the server software)
    • not reading the HTML source of the index.html, which had an attackable endpoint in the comments
  • not scanning ALL ports, and if you don’t find anything, try scanning UDP ports
  • not waiting for the dirsearch / gobuster scan to finish / not using a more concise wordlist first (should have run common.txt first instead of directory-medium)
  • not using simple wordlists before large wordlists to crack password hashes (ESPECIALLY simple cewl wordlists without using rsmangler)
  • not checking CVEs / EDB for local PE and SUID binaries (e.g. exiftool had a CVE for arbitrary code execution)
  • Nmap didn’t find a specific port (took way too long to scan ports) but rustscan did (though nmap -T5 probably would’ve worked)
  • not researching about service-specific common vulnerabilities (e.g. VoIP – SIP – SIP digest leak, though to be honest stuff like this won’t be on the exam)
  • not running smb-vuln* scripts against BOTH 139 and 445
  • not reading about every service, even though it might look insignificant (e.g. erlang port mapper service used for rabbitmq, which I mistakenly ignored, thinking it was just some random port mapping service)
  • not ping-testing in RCE exploits, thinking that the exploit doesn’t work when it actually could have (e.g. using double quotes instead of singles in command); always test RCE connectivity with ping and check tcpdump output; try changing ports if the current one doesn’t work
  • not using pspy to identify cron jobs
  • /opt and other “exotic” directories
  • not reading white text in linPEAS output
  • not checking the HTTP response Server header
  • The list goes on…

As you can see from the list above, the machines are not “hard” hard if you know what to look for and where to, so enumerate like crazy.

Before the Exam

By the time I was done with PG practice boxes, I didn’t feel like practicing any more, so I just watched some TCM security’s videos on AD, which are available here (it was on sale when I bought it, you can periodically check Reddit/Twitter for coupons). I transferred my notes from Obsidian to Org-Roam and organized them, but that’s about it. Knowing that I was pretty burnt out, I made myself completely forget about OSCP the few days leading up to the exam to recover some energy.

Exam

Day 1: Exam Network

The exam begins with verification. Make sure your webcam works beforehand. To save time, scan a copy of your government-issued ID before the exam in the case that your webcam can’t zoom in on your ID, which happened to me. Apart from that, the proctor doesn’t really bother you at all, as you would only interact with yours for taking a break, etc. Some posts online also suggest that they can check if the machines are still exploitable (as in if the environment works or not, etc; doesn’t hurt to try).

As per online suggestions, I reset all the machines prior to beginning the exam. Some mentioned how there were times when exam machines may not be working perfectly out of the box (even though they should already be reset before the exam starts). Since you have 24 resets in the exam (resetting 1 AD machine resets the entire AD network and costs only 1 reset IIRC), spending some resets to afford some peace of mind was pretty worth it. I started with AD since there’s no way I’m passing the exam without it (I don’t have any bonus points after all). It was surprisingly not that difficult, and I was finished with it in about three hours (07:29 - 10:37)—it always comes down to a good enumeration methodology. I kept notes and screenshots taken with Flameshot (strongly recommended) in Obsidian. The notes are version-controlled and periodically pushed to a private GitHub repository.

The rest of the free-standing machines took quite a while. For one of them I simply cannot get a foothold whatsoever, so I gave up on that one. After taking an hour-long lunch break, I got the 3 flags I needed from the other 2 machines by 3 PM.

Though OffSec offered exam report templates in Word and ODT format, I resented the idea of copying screenshots from Obsidian to Word and dealing with the formatting hell. To my delight, a Redditor mentioned on r/oscp that he passed with a PDF exported by Obsidian. A few hours of filling in the details resulted in a 26-page-long clean-looking exam report. Although I had plenty of time to spare and edit as I wish, I chose to submit the 7z file by 9 PM–I was pretty exhausted and I wanted to just be done with the exam.

Day 2: Passing

I already knew that I passed the exam at noon of the next day thanks to the OffSec course portal. The exam result email arrived approximately 24 hours after I submitted the 7z file. I would love to see a physical certificate but I guess a digital one does its job. I believe the concise nature of my report also played a part in a speedy grading process, so if you want your results quick, don’t add excessive or irrelevant details to your exam report, e.g. for enumeration, you only need to include details that are directly relevant to exploitation.

Next Steps

To be frank, I’m still pretty lost with regards to what to do next. For now, all I can do is to participate in as many things as humanly possible (CTFs, CCDC, potentially CPTC next year) and make a good resume. I’ll probably finish the HTB Dante Pro Labs that I registered for during the sale and do more HTB boxes / THM rooms. Certificate-wise, I don’t think I really need more for now, but I want to do RTO for fun (to play with Cobalt Strike). Looking back at my six-month journey, OSCP is not some unsurmountable beast as the younger me saw it—you might even think it’s quite easy once you have conquered it. In any case, I wish all exam takers the best of luck.