There are many OSCP blog posts out there. However, each person has its own experience and methodology, so I decided to share my own. There are many different resources that can help you before and during the PWK and the exam, and I will talk about the ones that helped me during my journey to OSCP.
I’m splitting this post into five sections:
Before Enrolling in PWK
Although I had some experience with penetration testing, I decided to prepare before I enrolled in the PWK. I spent about one month preparing until I felt confident to enroll in the course.
Hack The Box
Since I was already familiarized with Hack The Box (HTB), I started to hack some boxes suggested in the TJnull’s famous list. I hacked 26 systems, 13 Linux and 13 Windows, in the order they appeared in the list. I left the remaining boxes to practice before the exam and/or failed the first try.
Although I needed help to solve some boxes, I always tried to put my best effort before looking for tips. I checked for guidance on the HTB forum instead of reading walkthroughs. In my opinion, you should only resort to walkthroughs in extreme situations (i.e., if you cannot solve the box by using the tips of the HTB forum). Otherwise, you will not maximize the learning potential.
Another vital piece of advice is to take notes. This is very important to improve your note-taking and writing skills, essential to passing the OSCP. Also, notes provide you a database that can be useful during the course and the exam or during a real penetration test assessment. I used Notion to take notes since it is powerful, portable, and allows me to easily search for contents.
After rooting a box, I usually check for walkthroughs, to see how other people approach the same problems since each person has its own process and methodology. My two primary sources were:
- Rana Khalil’s Hack The Box OSCP Preparation - very detailed walkthroughs.
- IppSec Youtube videos - the “must watch” HTB walkthroughs.
“The Cyber Mentor” Courses
Since the 2020 version of PWK has Active Directory Attacks and I was not familiarized with that, I took the Practical Ethical Hacking - The Complete Course. The course is comprehensive and covers essential topics like Information Gathering, Enumeration, Buffer Overflows, Exploitation, Web Application Penetration Testing, and Active Directory Attacks. I strongly recommend you to take this course because it prepares you really well for the OSCP.
I also completed part of the Windows Privilege Escalation for Beginners course to fill some gaps on Windows Privilege Escalation.
If you are interested in these courses, I suggest you check the TCM Security Academy (not endorsed). I think the subjects are the same as on Udemy but are updated and have some cool bundles.
PWK - The Course
I decided to start the course at the beginning of July 2020. I enrolled on PWK and received all the documentation (PDF manual and videos) and the Connectivity Pack to access the labs about one week later. I chose the 90 days of lab access, which means that I had three months to complete the course. I idealized to spend 45 days in the course materials and 44 days in the labs to get the most of both. However, I spent about 40 days in the course and 30 days in the labs due to summer vacations and rest days. I don’t regret wasting these days because mental health is also a crucial factor to succeed in OSCP and in life.
After reviewing the course materials, I thought the videos are really dull (even at 1.5x speed). The content is identical to the PDF, so I opted to ignore the videos and focus 100% on the PDF manual. It is very detailed and a bit heavy (about 800 pages). Still, I feel that I learned a lot from it, especially on more advanced topics like Active Directory.
I took extensive notes of most chapters and completed all the exercises (more on this later), including the not mandatory and the extra mile exercises. Again, these notes were handy during lab time and the exam.
Besides the PWK course materials, I also resorted a lot to The Journey to Try Harder: TJnull’s Preparation Guide for PWK/OSCP. Although it is not updated for the latest PWK version, it contains useful tips and references to great resources.
The course PDF has multiple exercises. I totally recommend performing them (including the extra-mile ones) to practice what you learned. Besides that, if you solve all the mandatory exercises and 10 lab machines and send the report to Offensive Security, you can earn up to 5 extra points on the OSCP exam.
Although I completed all the exercises, I did not send a report to earn the extra points. Why? Well… When I solved the exercises, I took notes but didn’t organize them properly. One week before the exam, I decided to make the report, but I didn’t have time to organize everything properly and realized that it was better to invest the remaining time to practice (more on this later).
My last advice about the exercises is to start making a draft of the report when solving them. Take all the screenshots and write all the necessary information to have everything in place when finishing the report. Then, you just need to improve the text and/or fix minor issues.
For the report, I used the noraj’s template, available here. If you don’t like WYSIWYG editors, or don’t have Microsoft Office/LibreOffice, and think that the Offensive Security templates are a bit outdated, these templates are the best you can get.
I solved 31 labs during the 30 days that I dedicated to them. My objective was to solve at least 30, so I was able to succeed in that. I solved most of them without any hints. For the ones that I needed help with, I resorted to the Offensive Security Forums. I only checked the forums when I ran out of ideas and spent a significant time in the lab. Please remember the Offensive Security motto: Try harder!!!
As I mentioned before, it is imperative to take notes about the labs. When I finished a lab, I usually checked the forums post for that lab to understand how other people approach the same problem.
To earn the extra 5 points on the exam, you need to include 10 labs in the report, together with the course exercises. As with the exercises, I recommend you to make a draft of the labs' part as soon as possible. Trust me, it will make your life a lot easier when you need to prepare the final report.
Extra Preparation for the Exam
When the lab time finished, I booked my exam for three weeks later. I took about one week to rest from OSCP and focus on other things, and after that, I made some extra preparation. If you feel less confident in some areas, this time is an excellent opportunity to work on that.
As before, I spent my time in HTB and solved ten more boxes from the TJnull’s list. This time I focused more on Windows boxes since I felt very confident with Linux.
Although the Buffer Overflows content of the course is excellent, and I felt confident, I spent a few hours solving the TryHackMe Buffer Overflow Prep room. It’s a free room, so anyone with a TryHackMe account has access. The content is very similar to the exam.
Since my main OS is Ubuntu, I sent an email to Offensive Security to test the proctoring software before the exam. They provided me a test account for that, and I could test the webcam and the screen sharing.
The last step of the preparation is to rest! I took the day before the exam to relax and take some good sleep. I also checked if everything was functioning correctly (Webcam, host PC, etc.), filled my water bottle (because water is life!), and made a backup of the Kali VM.
The OSCP Exam
My exam was scheduled for 10 a.m. GMT., so I connected to the proctoring software at 9h45, as they recommend. As stated in Murphy’s law, I had some problems with the ID verification (my webcam doesn’t have autofocus) but they promptly provided a solution and I was able to carry on. I started my exam at 10h15.
I used Obsidian to take my notes, since Notion is an online service and does not offer E2E encryption. I didn’t felt comfortable putting my notes there. When dealing with sensitive information, I prefer to keep things offline or encrypt them before uploading them to the cloud. I follow the same approach during penetration testing assessments or any other job that handles customers’ data.
I created a simple bash script that encrypts my notes and moves the encrypted file to my cloud storage to backup them regularly.
I started by launching port scans for all the machines and proceeded to the buffer overflow machine.
tmux is really handy for this since it allows me to create a different session for each system and keep things organized.
Then, I moved to the other machines and didn’t find any blockers except in one system, which I decided to put on hold. After about 12h30 on the exam, I had 90 potential points, which are more than enough to pass the exam.
Since we are allowed to use Metasploit in one machine, and there was an excellent exploit for the system on which I had problems, I decided to use it. After some tries, I exploited the system and found that I had made some stupid mistakes in previous attempts. So after about 14h into the exam, I had solved all the machines.
After that, I spent about 1h30 reviewing and organizing my notes and taking some screenshots that I missed. Then, at around 3h40 a.m. I asked to end the exam and went to sleep (oh yeah!).
It’s important to mention that during the exam, I took breaks (about 30min each) every 2h and when I solved a machine.
After a good night of sleep, I wrote the report, following the noraj’s template with some modifications. I explained all vulnerabilities that I found, their impact, and how to fix them. Don’t forget to include any PoCs and scripts that you coded during the exam. For readability, you can add them to the appendix.
Time to Celebrate
Within three days of submitting my report, I received an email telling me I passed the exam on the first attempt!
[WARNING: certificate showoff below]
It was a long and fruitful journey. I had the opportunity to learn a lot and improve my patience in certain situations. Besides that, I achieved my goal of passing the OSCP on the first try, making me very proud of myself.
In short, my recommendations are:
- If you want to take the PWK and are not confident, practice in HTB, Vulnub, TryHackMe, etc., to boost your confidence.
- Practice your note taking and take as many notes as you can during your practice, the course, and the labs. These notes will be useful for the exam and for your future work as a penetration tester.
- During the course, complete all the exercises. Many of them are useful for the labs and for the exam.
- Try to complete as many labs as you can without getting hints from the Offensive Security Forums. Try harder!
- Start to make a draft of your Exercises + Lab report as soon as possible. This report can be useful to get the extra 5 points on the exam.
- Take breaks during the course and labs and after the lab time ends. Mental health is more important than you probably think.
During the exam:
- Be confident and calm, and don’t panic if you can’t exploit the machines on the first try. You have plenty of time, and as to how I once saw someone say on Twitter, “you will run out of ideas before you ran out of time”.
- Take regular breaks. Go for short walks, get some fresh air, hang out with our family, etc. This is especially useful when you are struggling. You will come back with new ideas that may help you.
- Take notes of everything. Things you tried and worked, something you tried and didn’t work, things you found and don’t seem much relevant, and so on. There’s no such thing as too many notes!
- Submit the required flags in the exam panel as soon as you get them. Don’t forget to take a screenshot showing the flag’s content and the machine IP address.
- Drink a lot of water (because water is life), and don’t forget to eat during the exam. Our brain needs fuel to work properly.
You don’t need to be a genius to succeed at the OSCP, but you definitely need to work hard, have a lot of patience, and try harder. The most important thing is to never quit! If you fail the exam, take some time to rest and organize your thoughts, focus on improving the things you feel least confident about, and try again. During the exam be calm, take your time, and do your magic.
Hope you enjoyed my journey! (probably not as much as I did 😛)