At the start of this year, I decided to take the OSCP exam after I completed my SSCP. After provisionally passing my SSCP exam on Feb 16, I got my credit card and paid OffSec the hefty sum of ~3400 CAD for a year's worth of access.
Why a year you may ask, given this article's title?
Because I thought it would take longer and didn't want to put all my cards in the 'third time's the charm' basket. I also get to complete my wireless pen-testing certificate included with the subscription and continue working on proving grounds machines.
This isn't my first rodeo
I'd taken this exam twice before my passing attempt. In the interest of keeping this section brief, I cover what went wrong on those attempts and what I learned from them.
The first attempt was right before they phased out BOF on the exam itself, when bonus points didn't impact much and required a significant effort to do all the course exercises. I had completed about four lab machines by the start of my exam. Other than quickly clearing the BOF section, this attempt was a wash. I just did not have enough practice implementing the techniques from the course exercises.
The second attempt was right after the addition of the AD section. 15 minutes before my exam started, I accidentally bricked my VM. It was at this point that I realized I had forgotten the golden rule: BACK UP YOUR NOTES AND TAKE SNAPSHOTS.
I greeted my course proctor with a screen share of me downloading a fresh Kali Linux image. Don't be me here; learn from my mistake like I did. Despite that, I wouldn't attribute the failure here to my VM issues alone. I was underprepared for the AD section and struggled in pivoting to the other hosts in the network. I would have anticipated this if I had completed more of the lab machines.
By far, the biggest mistake I committed in my first two attempts was not completing enough lab machines.
How I prepared, what I'd recommend
Consistency is the most important factor in your studies. I know that not everyone will have the luxury to devote a significant portion of their day to studying. But the consistency of learning and following up on what you learned from the PDF is crucial.
Not doing the course exercises is a valid choice, but it may bite you in the end. Personally, I think the PWK-2023 course is vastly improved over the previous version. I completed all of the PWK-2022 exercises and all of the AD exercises in the 2023 version. OffSec wrote a detailed post about the changes they made that I've linked below:
Pentesting with Kali Linux - Updated for 2023
I decided to complete all of the course exercises and labs to be eligible for bonus points. I completed the 2022 exercise set and the 2023 labs to prepare for my attempt.
My days, evenings and weekends were largely spent studying. This was due to my desire to complete the course as fast as I could while not actively employed. I still took breaks and kept active at the gym to manage burnout. I spent roughly 50 days completing the course material and about 30 on the labs.
It is extremely important to allow yourself time to take the material at a suitable pace. This varies for everyone, and it can be hard to extend that exam date when you realize you still need more time. Take advantage of being able to reschedule for free; I know I did.
Like most of the posts that I have read about passing the OSCP exam, I primarily used the course material to learn everything required for the exam and added in extra material to help myself out. I will note a few resources and tools below that I liked or that are well-regarded by other students:
Recommended Proving Grounds Machines by TJ Null
TCM Security Linux Privilege Escalation
TCM Security Windows Privilege Escalation
LinPEAS, WinPEAS, PrivescCheck.ps1, adPEAS
Active Directory
Active Directory, or AD, is an enormous topic to cover, and I know that a ton of people are looking for this section specifically. Instead of doing a full dump of material, I will list the two most important tools I can think of:
CrackMapExec - It does everything; it is your AD friend.
Impacket Suite - A collection of specific tools that all work great. Highlights include secretsdump, smbclient, mssqlclient, GetUserSPNs, psexec, wmiexec and smbexec.
You will also need to be familiar with Kerberos, including AS-REP roasting and Kerberoasting.
The most important consideration for AD in the labs or exam is getting yourself initial access to the domain. This can be a domain user's username and password or their username and an NT hash. The distinction between a domain account and a machine account can stump you if you aren't aware of it or misidentify what you find.
The Labs
The labs are hands down the best way to prepare for the exam now. Did I mention that each lab environment is now isolated, so no more reboots while you are about to crack root?
OffSec added three practice exams to the labs that mimic the difficulty and format of the actual exam. Each practice exam takes the form of three standalone machines and an AD set. You won't get any closer to experiencing the actual exam without taking it.
The rest of the practice materials are called Challenge Labs. These emulate a network and provide you with a backstory on what is contained within. They attempt to emulate the networks of businesses paying for a penetration test. These are the bulk of the practice you will get out of the labs.
I recommend starting with Medtech and then moving on to Relia. At that point, I started on the practice exams. The labs were enjoyable and challenging; you get to practice the skills you need for the exam without it getting too repetitive. A tip for the labs: if you ever get stuck, go back to the relevant course material and start trying out methods from the text.
These are the key points of what you will practice in the labs:
Port Scanning and Enumeration - Strange ports, strange services
Obtaining Initial Access - Escaping 'This is not a TTY' jail and having a stable shell
Privilege Escalation - Learning to find things hidden in plain sight (WINPEAS, LINPEAS)
Post-Exploitation - I've got root / SYSTEM, now what?
Pivoting - I bolded this for a reason. It is the most important skill in the course; if you can't pivot, you will be unable to get the 40 points from completing the AD set.
I'll quote Gonski Cyber who showed me a tool I found very useful for pivoting on the exam and lab:
"Of particular importance for success on the exam is the concept of pivoting and being able to leverage a compromised machine to obtain access to a new network of machines via your access as an attacker. If you are already familiar with pivoting via the classic proxychains + chisel method, I highly suggest you give Ligolo-NG a shot."
He also made this video about using Ligolo-NG that I would recommend watching:
You can read his experiences with passing the OSCP exam here.
Keeping good notes will make your life much easier while working on the course. I like to use Obsidian for this, as I can keep an eye on my files and notes within the same application. I found this a bit difficult to manage, as I like to name my notes with the IP of the target host, but that changed as I logged on and off the labs.
I like Obsidian as you can write your notes in markdown and get live rendering, although I mainly used this to separate code tags in my notes.
Just remember, practice makes perfect so try to be as consistent as you can.
Dawn of the Last Day: 24h of your Exam Remain
I started my exam at 11 AM and I was ready to go. After completing the proctoring process and getting VPN access, I launched AutoRecon and left to go get a coffee. I find that waiting for the scans to complete is one of the most anxious parts of the process so this is how I decided to handle it.
I ran AutoRecon on all four machines (3 standalones, 1 AD entry-point) but it would have been more effective to run it on the standalones and enumerate the AD machine manually.
Despite that, I cracked the AD set in about four hours. I ran into some issues pivoting after getting initial access but it wasn't insurmountable. I took a break at this point and looked at the standalone scans. I got a foothold on one machine and another 10 points but from here on out I was having a bad time. I took another break and then came back and spent about 4 to 5 hours working on the other machines looking for some clues. The pressure of the exam got to me at this point and it would have been better for me to take a long break about two hours in.
At this point, I was feeling too tired to continue and went to bed for a few hours. The thought of being so close to passing just wouldn't escape my mind and I went back to hacking after sleeping for a few hours.
Fortunately, I was able to K.I.S.S. and figured out what I had missed earlier. After getting a total of 70 points, without counting the bonus points I had already earned, I decided to work on the report. This was about 5 AM or so, and I pushed through to make sure I had a written report before my access to the network was shut down at the end of the exam period.
Doing it that way is difficult, but it allowed me to get any documentation from the labs that I may have missed while working on the actual penetration test. I turned out not to need anything, but found it easier to retake all my screenshots than to import them onto my host machine for report writing.
I originally planned to write my report in markdown using Obsidian, but after going through the exam I ended up writing it using the OffSec template in Microsoft Word.
I submitted my report around 9:30 AM and logged out of the exam portal, ecstatic to finally be done.
In conclusion
It's not impossible, anyone can pass. You just need to be willing to put the time in and focus. Don't worry about the details of how and why you got to this point or how long it took to pass. I can't begin to imagine how much time I've spent learning before I got to the point of beginning this process.
Everyone receives the same title in the end, OSCP. So, good luck and congratulations if you end up reading this article and passing later!
From start to finish, my passing attempt took me 86 days. It was well worth it.