Overall Exam Experience
I recently passed the OSCP exam, and while it was challenging, I found it to be a manageable experience overall. The Proving Grounds practice machines were a huge help for the standalone machines in the exam. Similarly, if you’re able to root the Active Directory networks in the PWK-200 labs, the Active Directory set in the OSCP exam shouldn’t be much harder. Of course, everyone learns differently, and I can’t guarantee that this will be accurate for everyone.
Guide: Before buying the course
If you are new to pen-testing, it’s important to build a strong foundation before jumping into the PWK-200 course.
- Build a strong foundation of the Linux command line, as you’ll be using Kali Linux for the exam and labs. Take some time to explore the command line and learn basic commands.
- Try your hand at some beginner-friendly pen-testing challenges on TryHackMe to understand the different steps of penetration testing and their importance.
- There is also a chance that one of the initial footholds will have to be via a buffer overflow, so I recommend trying out the buffer overflow room on TryHackMe.
- Once you’re comfortable with the basics, move on to more advanced challenges like the Linux and Windows privilege escalation rooms on TryHackMe.
- As for the Active Directory portion of the test, I recommend looking at thecybermentor’s Active Directory playlist on YouTube to familiarize yourself with how Active Directory works, and also look through TryHackMe for Active Directory specific rooms.
- After you’re done with all of those, I recommend trying out some of the machines on TjNull’s list of HackTheBox machines. Getting stuck while doing these machines is expected. I recommend watching IppSec’s walkthroughs on YouTube when you are stuck for long periods of time.
Remember, the OSCP exam is designed to test your skills under pressure. You won’t have the luxury of looking up hints or walkthroughs during the exam, so it’s important to develop your skills and knowledge beforehand.
TjNull’s List: https://docs.google.com/spreadsheets/u/1/d/1dwSMIAPIam0PuRBkCiDI88pU3yzrqqHkDtBngUHNCw8/htmlview
Guide: After buying the course
I’m going to assume you bought or are planning to buy the 90-day lab time, which is similar to what I did. I got the Learn One subscription because with it I would get two exam attempts and 1 year of lab time, but I ended up only using the labs for about 70 days before moving on to Proving Grounds Practice. What I recommend you do first is skip the course material and go straight to the lab machines (if you did the preparation above before purchasing the course). I also skipped the course material and was on a good pace for some time, but then struggled after a little while, which made me resort to asking for hints in the OffSec Discord. I’d recommend trying to tackle one machine per day and taking thorough notes while you’re doing the machines. You will eventually have to do the course exercises if you want to get the 10 bonus points, but these shouldn’t be that hard to do. It took me about 10 days to finish all of them in total.
After 70 days I had done 50+ machines in the PWK-200 labs, so in the last 20 or so days I decided to try the machines in Proving Grounds Practice. I used TjNull’s list for this as well, and the goal I set for myself was 2 machines every day. I found the privilege escalation portions of the Proving Grounds Practice machines to be very helpful in preparing.
Timeline
- Started doing HackTheBox machines on 2022-10-29
- Bought the PWK-200 course on 2022-11-20
- Stopped doing the PWK-200 course and started Proving Grounds practice on 2023-01-28
- Attempted the exam on 2023-02-27
The Exam
My plan was to get two footholds on the standalone machines, root the Active Directory set and get 60 points. The other 10 points would come from the bonus points. In the end I ended up getting two footholds and rooting the Active Directory set and I also managed to get root on one of the standalone machines just to be safe.
- 1PM – I tried the Active Directory network first and made some progress. After this I got stuck for about 1 hour and 30 minutes so I moved on to the standalone machines.
- 2:30PM – I managed to get a foothold on one of the standalone machines and immediately moved on to another standalone machine.
- 3:30PM – After spending about an hour, I managed to get another foothold on a standalone machine. I was feeling pretty confident after this as I had secured the 20 points I needed from the standalone machines. All I needed to do now was root the Active Directory set.
- 4:30PM – I went back to the Active Directory set and tried again. After about 2 and a half hours I managed to find what I was missing before.
- 7PM – I decided to take a break here and eat dinner.
- 7:30PM – This is where things started going downhill. I spent 4 and a half hours trying to make progress in the Active Directory network.
- 12AM – I gave up at this time and thought that I would just attempt it early at 5AM in the morning. I managed to fall asleep at 1AM, so I was awake for about an hour unable to sleep.
- 4AM – I woke up at this time and decided to push through it and continued with the exam.
- 4:30AM – Turns out waking up at 4AM was actually a game changer, because I managed to make progress in Active Directory and rooted the network at about 4:30AM. I still can’t get over how I randomly woke up and managed to find what I was missing. From this point on I decided to re-exploit all of the machines I had previously exploited to make sure I didn’t miss anything and to take better screenshots and notes.
- 8AM – The past 3 and a half hours were pretty calm, as all I was doing was writing my report. After I was mostly done, I decided to try to get 10 more points just to be safe. My options were to either get another foothold or get root on a previously exploited machine. After 2 hours of looking around, I got root on one of the machines and secured 80 points (counting the bonus points).
- 10AM – The next hour and a half was just me double checking all of the flags, re-reading the report submission requirements, and making sure I had proper formatting.
- 11:30AM – I’m not sure of the exact time I ended my exam, but I believe it was at 11:30AM. I was sure I had everything I needed and didn’t want the stress of the camera being on while fixing the report.
- In total I spent about 13 hours on the actual exam and about 5 hours and 30 minutes writing the report and making sure it was properly formatted with all the proper screenshots. What you should take from this is that taking breaks and moving on to different machines when stuck for long periods of time can help prevent tunnel vision.
Report Writing
The report writing section of the OSCP exam is probably the most straightforward and least anxiety-inducing part. Offensive Security provides a template to follow, so all you have to do is fill it in with your progress and findings. Make sure to take proper screenshots as you’re doing the exam, and include the specific commands you used to achieve each step. The reader should be able to replicate what you did from the screenshots and commands in the document.
Report template: https://www.offsec.com/reports/sample-penetration-testing-report.pdf
Summary
- Practice easy machines on THM
- Do both of the privilege escalation rooms on THM
- Do the buffer overflow room on THM
- Try the Active Directory rooms on THM and use thecybermentor’s playlist on YouTube for more help.
- Do the HackTheBox machines from TjNull’s list until you feel comfortable doing them without hints
- After buying the course, do one machine per day.
- Do the course exercises here and there to make sure you get the bonus points.
- Once you’ve done most of the PWK-200 labs, try TjNull’s list for Proving Grounds Practice