I did it! How I OSCP’d and how you can too!

Greetings! This blog has been out of date for a few months as I’ve been in a bit of a study hole with grad school, but before starting school I managed to pass the OSCP exam!

There are probably hundreds of blog posts like this out there, so I’ll try to distill some advice I’ve passed down to other students who’ve reached out to me on Discord.

Tip 1: How I studied

There’s no right way to study for this exam, and I benefitted from having a lot of background knowledge through my coursework at City College of San Francisco. If you’re just getting started in cybersecurity, one great learning resource I’d send you to is https://samsclass.info/. Sam Bowne archives his old course material here, so you can dig in with a lot of exercises in everything from exploit development to mobile app security.

I also had some background in Active Directory pentesting from my preparations for various rounds of the Collegiate Penetration Testing Competition. The OSCP doesn’t usually stand up a whole Active Directory domain, but this is good stuff to know as a pentester in general, plus it helps you work through the world of Windows authentication.

Even with a lot of background in web app testing, ethical hacking, and AD, I decided to go for the 90 day PWK package and work through all the exercises. I think there’s something to be said for reviewing things you already know, but in retrospect I wish I’d dived into more machines on Hack The Box with the time I set aside for the PWK exercises.

The exercises are time consuming. If you don’t have much exposure to pentesting, I’d say to get as much out of the PWK and the OSCP lab as you can. The PWK is a great course for beginners in pentesting, and also provides some solid review and background for basic networking and CLI tools for Linux and Windows. Otherwise, I’d say it makes sense to start hacking away at vulnerable machines.

The OSCP is a pretty specialized exam. If you’re already working through machines on HackTheBox or VulnHub, you’ll know what to expect. You may already be familiar with the TJ Null list of “OSCP-like” machines, which I’ll back here as well. Whatever machines you go for, this is probably the best way to practice.

The Offensive Security Proving Grounds machines were definitely the most similar to the machines I hacked on the OSCP exam, which makes sense as they include “retired” OSCP boxes and other machines built by Offensive Security staff. I ended up working through most of the Proving Grounds machines included on the TJ Null list, plus a few extras. For what it’s worth, I found the TJ Null machines on HackTheBox to be quite a bit more difficult than the OffSec Proving Grounds machines.

If you’re in a place where you’re able to solve at least 50% of these machines without a walkthrough or hints, you’re probably ready to schedule the exam.

Another great resource is Portswigger Labs. These are exercises in custom web exploitation from the people who brought you BurpSuite and the Web Application Hacker’s Handbook. If you know you’re rusty on any particular subset of web exploits that you might need for authentication bypass, information disclosure or RCE, this is a great place to get some hands-on practice with tricks like SQL injection, XXE, or SSTI.

Lastly, I knew I had to refresh my exploit development skills. The PWK has a few exercises to refine your approach, so if you have some time with the OffSec labs definitely start here. I’d recommend getting some extra practice as well. Some people find this part of the exam intimidating, but if you get enough practice you realize this is probably the easiest 25 points to get. A great place to practice this is Tib3rius’s buffer overflow room on TryHackMe. I also recommend his rooms on Linux and Windows Privilege Escalation.

Tip 2: Don’t just study, practice!

I gave myself two “practice tests” for the OSCP before taking the exam. The first one annihilated me, and the second one I managed to ace. This probably has something to do with the machines I picked for each one, but however it goes I definitely recommend picking four boxes and a buffer overflow out of a hat and seeing how far you can go in the span of 12-24 hours.

Giving yourself one or two practice runs will give you a chance to shake off some of the nerves that come along with such a long exam period, figure out the best schedule for your exam, refine your approach, and–most importantly–figure out when to…

Tip 3: TAKE BREAKS

I can’t emphasize this enough. When I say “take a break”, I don’t mean take 5 minutes to go to the bathroom and eat a granola bar or whatever. Make sure you let yourself walk away from the computer, eat a real meal, spend 20-30 minutes thinking about something besides the exam. Watch an episode of Detroiters or something.

I say this from experience: on exam day, I was convinced I was going to fail by 5 points, but after I took a dinner break I realized I was missing something very obvious. Within a half hour I had all the points I needed and I was on to reviewing my notes and making sure I had screenshots.

Tip 4: Taking screenshots and taking your time with enumeration

Did I mention screenshots? Get in the habit of taking screenshots and taking good notes. Find a note-taking app that works for you. I used Obsidian while I was studying, but you probably can’t go wrong with Notion, OneNote, Joplin, CherryTree, or even MS Word. Whatever you do, take screenshots and make notes with each and every step.

This is as much to make sure you have a quality report as it is to make sure you’re slowing down. It’s been said before, but this is a marathon, not a sprint.

The boxes you’ll see on the OSCP exam have a pretty wide attack surface, with as many as a few dozen TCP ports open for you to investigate. The best approach here is to be methodical. When you first start looking at a box, get an understanding of what each service is doing before you start to try to break it open. This is a good way to get a broad overview of what’s happening on the box before you get caught in a rabbit hole.
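One way to force that “understand each service first” habit is to turn the scan into a checklist before touching anything. The script below is an added example, not code from the original post or from OffSec: it reads nmap’s grepable output (`-oG`) and prints one row per open port with a blank notes field, so every service gets a line in your notes whether or not it looks interesting. The sample scan line is constructed, and 192.0.2.10 is a documentation address, not a real host.

```shell
#!/bin/sh
# Turn nmap grepable output (-oG) into a per-service checklist so every open
# port gets a "what is this doing?" note before anything else happens.
# Added example for this post; not an OffSec or nmap tool.

# Constructed sample of one -oG host line (192.0.2.10 is a documentation
# address). Each port entry is "/"-separated:
# port/state/proto/owner/service/rpcinfo/version
SAMPLE_GNMAP="$(printf 'Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.4.38 ((Debian))/, 139/filtered/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (996)\n')"

# Reads -oG text on stdin; prints "port/proto  service  version  notes: TODO"
# for each port in the open state, skipping filtered and closed ones.
services_checklist() {
    awk -F'\t' '
    /^Host:/ {
        for (i = 1; i <= NF; i++) {
            if ($i !~ /^Ports: /) continue
            sub(/^Ports: /, "", $i)
            n = split($i, ports, ", ")
            for (j = 1; j <= n; j++) {
                split(ports[j], f, "/")
                if (f[2] != "open") continue
                svc = (f[5] == "") ? "unknown" : f[5]
                ver = (f[7] == "") ? "-" : f[7]
                printf "%s/%s\t%s\t%s\tnotes: TODO\n", f[1], f[3], svc, ver
            }
        }
    }'
}

# On a real scan: nmap -sV -oG scan.gnmap <host>; services_checklist < scan.gnmap
printf '%s\n' "$SAMPLE_GNMAP" | services_checklist
```

Paste the rows straight into your note-taking app and fill in the notes column as you learn what each service is for; the filtered port on 139 is deliberately left out, since it has nothing to enumerate yet.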

Tip 5: Privilege Escalation

Am I the only one who has a hard time with automated privesc scanners? Usually when I run something like WinPEAS or lse.sh I have a hard time seeing the forest for the trees. That said, if you practice with the steps above you’ll probably have a solid understanding of what approach works best for you. I’ll say that it’s worth a manual check of common privesc vectors on OffSec Proving Grounds machines or in the exam itself.

Don’t forget the obvious stuff: SUID binaries, cronjobs and scheduled tasks running as root/Administrator, privileged services, etc. Privilege escalation is my favorite part of the puzzle, so savor it!
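Here is what a manual check for two of those “obvious” vectors looks like when you write it down instead of scrolling through scanner output. This is an added example for this post, not code from the author or from OffSec, and the sample file tree it audits is constructed inside a temporary directory (a fake setuid helper plus a root cron entry pointing at a mode-777 script); the cron file layout assumed is the Debian-style `/etc/cron.d` format of minute, hour, day, month, weekday, user, command.

```shell
#!/bin/sh
# Manual checks for two of the vectors named in the post: setuid binaries and
# root cron jobs that run a world-writable script. Added example (not from
# OffSec or the post's author); the cron layout assumed is Debian's /etc/cron.d.

# Files with the setuid bit under ROOT, staying on one filesystem.
find_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# Commands in crontab-format files under DIR (minute hour day month weekday
# user command...) that run as root from a world-writable file: any local user
# could edit that file and have root execute it on the next tick.
root_cron_writable() {
    for cronfile in "$1"/*; do
        [ -f "$cronfile" ] || continue
        awk '!/^#/ && NF >= 7 && $6 == "root" { print $7 }' "$cronfile" |
        while IFS= read -r target; do
            [ -f "$target" ] || continue
            # character 9 of "ls -ld" output is the other-write bit
            if [ "$(ls -ld "$target" | cut -c9)" = "w" ]; then
                printf '%s (from %s)\n' "$target" "$cronfile"
            fi
        done
    done
}

# Run both checks and tag each finding. On a real host: audit_host / /etc/cron.d
audit_host() {
    find_suid "$1" | sed 's/^/SUID /'
    root_cron_writable "$2" | sed 's/^/ROOT-CRON-WRITABLE /'
}

# Constructed sample tree: one setuid helper, one normal binary, and a root
# cron entry whose script is mode 777. Prints the findings, then cleans up.
demo_audit() {
    sample_root="$(mktemp -d)"
    mkdir -p "$sample_root/bin" "$sample_root/etc/cron.d" "$sample_root/opt/backup"
    printf '#!/bin/sh\necho helper\n' > "$sample_root/bin/helper"
    chmod 4755 "$sample_root/bin/helper"
    printf '#!/bin/sh\necho ok\n' > "$sample_root/bin/normal"
    chmod 755 "$sample_root/bin/normal"
    printf '#!/bin/sh\ntar czf /var/backups/srv.tgz /srv\n' > "$sample_root/opt/backup/run.sh"
    chmod 777 "$sample_root/opt/backup/run.sh"
    {
        printf '# constructed cron.d file\n'
        printf '*/5 * * * * root %s\n' "$sample_root/opt/backup/run.sh"
        printf '0 3 * * * www-data %s\n' "$sample_root/bin/normal"
    } > "$sample_root/etc/cron.d/backup"
    audit_host "$sample_root" "$sample_root/etc/cron.d"
    rm -rf "$sample_root"
}

demo_audit
```

The point of the two-line output is that each finding is something you can immediately explain and screenshot: a setuid file is interesting only if it is unusual for the box, and a root cron job is interesting only if its target can be changed by a lower-privileged user. The www-data job is listed in the cron file but correctly produces no finding.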

Tip 6: Time Management

24 hours is a long time! However, don’t hurt yourself.

I recommend giving yourself a time limit for each box at the beginning of the exam. One hour per machine or two hours per machine, no more than that. If you find yourself stuck or not making any progress by the end of the time limit, force yourself to move on to the next one. Don’t spend your first twelve hours of the exam chasing one machine when there are three other ones waiting for you.

Tip 7: Report writing

Don’t forget you have a report to write! Luckily, you have 24 hours from the end of your scheduled exam time to turn it in. Also luckily, you’ll have a ton of notes and screenshots to write your report from if you’ve followed these other tips.

Be sure to budget some time the next day to turn in your report. Being able to write clear and concise steps to replicate an exploit in your client’s environment is one of the main products you produce as a pentester in the real world. This exam is actually an opportunity to practice this, so make it count. Give yourself five or six hours to write this when you’re done.

Tip 8: Don’t stress?

There are a lot of hang-ups with this exam. I wanted to take it as a capstone of sorts coming from my City College computer security coursework before starting grad school. I’m glad of the experience and glad I passed it on the first go. On the other hand, if I hadn’t passed I think the biggest bummer would have been trying to find the time to set aside three days for the exam, report writing, and R & R in the middle of my first quarter of grad school.

The exam is hard, but it’s still just a survey and starting point for a pretty technically intensive career in offensive cybersecurity. Since passing I’ve met a lot of people who don’t have the cert but can still hack circles around me in their respective areas of expertise. I see a lot of beginners stressing about this exam on Reddit, Discord, and Twitter, but at the end of the day it’s just one step in a career that’s always been about learning new things and adapting.

One of the appeals of cybersecurity to me is that there’s always something to learn. Whether there’s some new technology to analyze or some arcane field to dig into, it’s hard to get bored. There’s always a new challenge, so try to get excited for this one and whatever comes next!

Cheers, the difficult hell man