OSCP Journey

· mg's blog

I recently passed my OSCP Exam. It was everything I've heard others say it would be and more. I've used blog posts others have published about the OSCP to help me prepare. I will try to not repeat what others have said; however, I have several observations that I think might help others planning on taking the PWK course and the OSCP exam.

# My first attempt

I first attempted the OSCP in 2020 after watching the video content and attempting only a handful of labs. It went as badly as you'd expect. I got local.txt on 3 boxes and rooted only one. I was used to other certification attempts where I could absorb all the content within a short period of time and just wing it. I paid the price for underestimating the OSCP exam!

# My second attempt

It took me two years to attempt the OSCP again. In that time, they changed the course and exam content to be more AD centric. This was good news to me because I am a blue-teamer that works in an AD environment. I've spent the past 2 years getting SANS certs and studying threat actor techniques all within an AD environment, which meant the AD attacks taught in the PWK course were very familiar to me, just not from an offensive-security perspective.

One thing I knew without a doubt about the OSCP before taking the new PWK course is that the exam is not a test of knowledge but rather a test of skills.

This is a fundamentally distinguishing aspect of offensive-security certifications that everyone in the infosec community needs to be aware of. If the OSCP were a multiple-choice exam, several of the SANS exams I've taken would have been more difficult; however, the OSCP is testing your ability to conduct a penetration test, not your knowledge about penetration testing techniques(!). This seems obvious, but it was important for me to be conscious of this fact because it means I would have to be good at not just knowing all the different attack paths and tools available to me but how to use Kali to execute a successful attack. And more importantly, the 'Try Harder!' aspect of the OSCP, which means I needed patience and perseverance.

# The PWK course

I gotta say, both the course content and the web UI to access it have dramatically improved. Something very new to me (I don't recall if it was always there) was the topic exercises.

# The Labs

I started picking off random lab machines and I was struggling! I finally decided to join the OSCP discord server, the folks there are life savers! As great as the course was, I couldn't have done it without the help of friendly (and patient) people in the PWK-related rooms.

After my first week, someone mentioned that there is a learning path. I focused my efforts on solving all of the learning path lab machines, all 3 AD sets and anything else I could find time for. All in all, I finished 31 lab machines. I reached the 30 lab milestone by the time I had only two weeks left on my 60 day course access. This was good enough for the bonus point, so I shifted my focus to the topic exercises.

# Topic Exercises

Before the labs, I sampled a few Topic Exercises; they were extremely simple, so I put them off to the end. This was a big mistake. The first few sections about bash, CLI usage and other basic things are indeed very easy; however, many of the topic exercise VMs were as difficult as your typical lab machine.

I wanted that bonus point in the event I didn't get the AD set or it took me the whole 23 hours to complete the AD set. The folks on discord were again very helpful with this.

Unlike the labs, I felt like some of the exercises couldn't be solved by finding some attack path and getting the flag. You have to use a specific technique they want you to learn, and that isn't very obvious by looking at the course content either. While this was very frustrating to me, I wouldn't have it any other way either because I learned a ton from these exercises, at least as much as I did when doing the lab VMs. I finished my last topic exercise 2-3 days before my exam date (which was the same day I'd lose course access).

# Exam Prep

I took the advice given by most blog posts by people that had passed the OSCP, and by offensive-security as well on their exam preparation page, which included taking notes and strategizing how to tackle the exam, as well as non-exam details like meals, rest times, etc.

I only needed two, maybe three items from my notes which were commands I frequently needed to copy-paste.

I split the 23.5 hour exam into three 8 hour-ish stages, mostly because regular work and sleep cycles are more or less around 8 hours. I documented how much time I wanted to spend on which boxes and when to take breaks, and set documentation checkpoints to make sure I wouldn't spend my time at the end scrambling to get screenshots.

I also prepared meals, drinks, organized and cleaned up my environment as much as possible before the day of the exam. As is custom, I did not do any studying or labs within the ~24 hours before the exam.

# The Exam!

Alright, so I made the mistake of booking the exam at 12:00. For some reason I assumed this was midnight; the date picker and email didn't clarify AM/PM, and there must have been some footnote or warning I missed about this. But I prepared my sleep, work, etc. so that I could start the exam at midnight on a Saturday and have a few hours of sleep before starting work on Monday. I freaked out a bit when the exam portal hash wasn't working. I then talked to offensive-security support and they told me after some time that I was actually 12 hours early. At least I wasn't 12 hours late :)

The confusion there messed up my schedule and pre-exam rest time, meals, etc. and psyched me out a bit.

As if that wasn't enough, the exam proctor couldn't see my ID clearly for some reason, although I could see it very clearly in the camera stream in my browser. I don't use email on my phone (I know, how is that possible, right? Well, it is!) and I never connect my phone to any laptop, so I don't even know how to transfer files from it that way (it would probably require installing a bunch of stuff on my Debian host). Since my phone was the only other viable camera and the proctor asked me to email myself and show him the picture of my ID, it took me 5-10 minutes (at least) trying to get my email to work on my phone (mostly because of 2FA issues I had), take the pictures, email them to myself, log in to my email on my laptop and show the proctor a picture of my ID via screenshare.

Keep in mind, I am not saying the proctors did anything wrong, nor am I complaining about this. I just thought that if prospective OSCP exam takers read this, they would want to know all of this; I know I would have.

So, I had to move around the webcam and show them the room I was taking the exam in. This took a while. I moved electronics to a different room as they asked (including my work laptops and equipment, which were in the same room). Other items I couldn't move readily, like monitors, I was asked to cover with cloth (I just threw a blanket over them).

However, when moving things around, I must have unplugged or damaged some cable or device that is part of my home-network setup that routed my laptop's network traffic. As a result, I became disconnected from the internet, VPN and exam network. This was another curve-ball; I couldn't immediately fix the problem, but fortunately I have a second internet connection available to me, so I quickly rewired things and reconnected within about 10 minutes or so. There were a few more verifications and checks I needed to do before I could start the exam.

The one thing I want to share here is that the exam timer starts at the precise time your exam is scheduled. All these technical issues, verifications, etc. don't buy you extra time. So I lost 45 minutes to an hour of exam time on all of this. Again, something I would think potential exam takers would want to know ahead of time and prepare for.

Obviously, I cannot talk about the exam itself in any level of detail. But my experience was such that for the first 4-6 hours, I threw everything at my target of choice (after shell access, that is) and it wouldn't budge. But I leaned on my PWK training, not assuming anything and using the advice others had given me, and I focused on enumerating everything. It was something that in retrospect seems very easy and simple that I missed. The rest of my exam experience was mostly like this as well.

I cannot stress how important enumeration is! My takeaway is that it is the one skill offensive-security wants you to learn for the OSCP. Another thing I feel like I have learned is that "Try Harder!" does not equal "Keep trying forever"; it might be worded better as "Try Smarter!", but I agree, that doesn't sound very cool for a motto.

I was able to get 80 points (without bonus) around the 12 hour mark. I kept at it, and at around the 14-15 hour mark I was able to complete all the lab machines.

I honestly have no idea if I had the easy set or the hard set of lab machines.

My experience with exams and just learning things in general is that everything is very hard when you learn it the first time. We all forget now, but I am certain that even learning our alphabets or basic arithmetic as children was very hard for us. So please, do not listen to anyone that tells you "OSCP is easy" or "{{insert exam}} is harder than OSCP" (I've been told this a few times by others). Even experienced pentesters struggle with the OSCP sometimes.

I did not use HTB, TryHackMe or any other services. I am not a pentester, and I strictly used the resources provided by offensive-security, such as the PWK videos, Topic Exercises and learning path labs as well as the 3 AD set labs (and one more in the topic exercises), to prepare. I have no doubt that if you do that, and most importantly, if you are comfortable with your ability to conduct a pentest in environments similar to what you see in the labs, without assistance from others, you will pass the exam.

# Post Exam

I spent the last few hours before I had to start work (with no sleep!) and before the exam timer ended diligently collecting screenshots and updating the report template I had prepared beforehand.

Once I had re-read the PDF export of my report a few times (41 pages with screenshots) and was comfortable with it, I followed offensive-security's instructions and submitted my report.

I've heard others say they heard back from offensive-security within hours or a day or two; however, for me it was an entire week of checking my email several times a day before I heard back from them telling me that I had finally passed! The wait almost felt harder than the exam. But I am so relieved I finally got past this landmark.

My plan going forward is to practice at HTB and other places so that I don't lose my OSCP skills and actually build upon them in preparation for OSEP and OSED.

I hope this post was informative and helps others who are also planning to take the OSCP exam. Even if you don't need the OSCP for current or future jobs, if you work in information security then I highly recommend going for the OSCP regardless. At the end of the day, there is no aspect of information security that cannot benefit from having a solid understanding of threat actor tools and techniques, and the OSCP is great for that. Plus, it's fun! :)