Since I recently completed the OSCP exam and started this blog, I'd like to share some suggestions and insights about this journey. I'll try to keep it as short and informative as possible by touching on the following subjects:
- Whoami
- PWK & OSCP
- PWK Course
- PWK Lab
- OSCP Exam - How to prepare
- Mindset
- Methodology & Cheatsheet
- Using Solutions & Writeups
- Training Material - My Exam attempts
- Conclusions
Note: This is not meant to be an exhaustive guide; I'm only sharing what I learned from this experience. Also, since English is not my first language, expect some minor errors. You can reach out if you want to suggest some edits ;)
Whoami
My name is Walter and I'm your friendly Italian internet neighbor. I'm very passionate about tech and security (among many things). I started studying computer science very early at a technical High School (ITIS in Italian) in Milan. After high school, I found a job and started working right away in IT.
During these years I managed to get a job in one of the biggest Italian SOCs as a security analyst, but Red Teaming has always been what I really wanted to do. The OSCP felt like the right certification to prove myself.
It took me three tries to pass the exam, but with each attempt I was able to recognize my errors and slowly tune my methodology. Now I realize that I started this journey thinking it was a 200-meter sprint when instead it was a 200-hour marathon.
PWK & OSCP
PWK
"Penetration Testing with Kali Linux" is the flagship course offered by Offensive Security; it is paired with the famous OSCP exam.
I found the material, for the most part, quite straightforward. Of course, some topics were particularly difficult, but Google is your best friend during this journey, and it's also a great chance to improve your Google-fu.
The course also provides multiple exercises (more than 100) to strengthen your skills on all the covered topics. They are very specific (and time-consuming) so I decided to focus only on what I thought were the most useful. In the end, I found that for me practicing on actual boxes was a lot better.
I think that the PWK Course does a good job of teaching you most of the skills necessary to pass the exam, some more than others. What made the difference for me was integrating the PWK material with external websites and material (specific courses, books, conferences).
For example, I was struggling with the Privilege Escalation module for a while until I purchased the awesome Tib3rius Privilege Escalation course (highly recommended) for both Windows and Linux on Udemy. As a learning platform, I found Udemy quite awesome; I really enjoyed its courses.
PWK Labs
I bought my first voucher with lab time included a few years ago so pricing is probably different, but the network structure of the lab itself has not changed that much over the years.
The most appealing part of the lab is the variety of environments, the presence of retired exam boxes, and the possibility to practice pivoting through different subnets and multiple departments. The lab should not be thought of as a CTF lab; instead, it resembles a real-life assessment.
Given the fact that the closest example of the exam environment will probably be the PWK lab, I suggest you use it when you're feeling ready to do some 24h simulations.
OSCP
https://help.offensive-security.com/hc/en-us/articles/4412170923924-OSCP-Exam-FAQ
The OSCP exam is tough; I think everyone can agree on this. I know that the actual boxes are not THAT hard once you compromise them, but the amount of work for only 24h puts your methodology and endurance skills to the test.
The OSCP exam has been proctored since 2020. That means that someone from Offensive Security will always be watching you through the webcam to make sure no cheating (or other weird stuff) is happening; you should check the official article for more information: https://www.offensive-security.com/offsec/pwk-2020-update/
Having a proctor watching during the exam did not bother me; after a while you kinda forget about it.
Note: If you are not aware of the 2022 exam changes (BOF with Privilege Escalation and Active Directory Environment), also take a look at the official OffSec article: https://www.offensive-security.com/offsec/oscp-exam-structure/
Don't forget that the actual evaluation of your exam is based on the exam report that you'll deliver. So always keep an eye on the official Reporting Guide: https://help.offensive-security.com/hc/en-us/articles/360046787731-PEN-200-Reporting-Requirements
How to prepare
The Mindset
As said previously, the exam will test not only your knowledge but your time and resource management skills as well. It really is like a marathon, so prepare to suffer a bit.
I found some great insights in some slides from a very interesting talk by a security researcher specialized in IoT and ARM exploitation, Azeria (https://twitter.com/Fox0x01). Related to these slides there is also an article on her website:
The article talks at great length about the ins and outs of mastering your craft and how to approach the process of learning a new skill from scratch.
In retrospect, after achieving both the OSCP and eCPPTv2, I couldn’t agree more. This stuff is gold so make sure to give it a nice read.
The Methodology & Cheatsheet
Remember to Try Harder but most importantly TRY SMARTER! And the best way to do things in a smart way is to follow a good methodology.
After countless failures and re-iterations, I found that what worked best for me is having a dedicated checklist and a methodology mindmap (I use XMind): https://www.xmind.app
At the same time, you'll need a personalized cheatsheet with all your commands and tricks. This is going to be your arsenal! Making a good cheatsheet, at least for me, was not easy; it took me a while to figure out what was important and what was unnecessary.
For example, since most of the theory can be looked up online, having a messy cheatsheet with lots of text is not useful. Here's the difference between my first and last cheatsheet:
My first "Cheatsheet"
My winning Cheatsheet
Consider using Markdown to write your notes: it's easy to write but very powerful. Pair Markdown with software like Obsidian and unlock its full potential.
Some external resources on the topic:
- https://book.hacktricks.xyz/generic-methodologies-and-resources/pentesting-methodology
- The cond4 YouTube channel has many videos dedicated to taking notes and reporting
- My Hacking Cheatsheet, which I'll try to keep as updated as possible. Unfortunately, it's a bit hard to read since it's half in Italian and half in English
There are multiple guides online on how to build a better methodology. I suggest you take inspiration from some online resources to build your own. Don't forget to be thorough in following your schemes, DO NOT skip steps and try to stick to what you wrote as much as possible.
Using Solutions & Writeups
Contrary to what some people think (especially my old boss), solutions and writeups are incredibly useful when learning.
Proving to yourself that you can do something is important, but wasting days at a time bashing your head against the keyboard is neither useful nor fun. At the same time, you shouldn't give up and should always apply the "Try Harder" mindset. The question comes naturally: how am I supposed to do this without going crazy?
The answer is once again: A good Methodology.
It's very easy to get frustrated and lie to yourself that "you tried everything" when most of the time you are missing something so insignificant that it has probably already crossed your mind. This is not great since it's very time-consuming, not to mention very frustrating.
I solved this problem with a checklist, built out of experience, to follow step by step every time you're hacking. This is an invaluable tool in your arsenal. Now, once you have exhausted your methodology, I would take a glimpse at the write-up to get unstuck. When you learn something new, stop what you're doing and write it down in your cheatsheet. Don't skip this step; otherwise you'll find yourself repeating the same errors over and over again. This is, to me, the best way to learn while practicing.
Practicing Materials:
- OffSec PWK Lab: as stated previously, I would suggest using the lab only when doing the 24-hour exam simulations
- OffSec Proving Grounds [Practice Edition]: the best resource IMO; for a list of practice boxes, check out my article. I suggest you pay for the "Practice" section.
- Hack The Box: Whilst great practice, I found the boxes in Proving Grounds to be better practice for the exam, since HTB has a lot of focus on CTF-like boxes. If you choose to use HTB, I would also use a list of boxes such as the TJNull list or this one.
- TryHackMe: Great for learning and practicing, I love the fact that no matter the topic THM will always have a step-by-step solution/guide. I found it extremely useful when studying concepts that I found particularly difficult, even the premium subscription is worth it in my opinion. These are the rooms that I would suggest:
  - Wreath: a MUST to master Pivoting and Tunneling.
  - BOF Prep: A room to refresh the BOF methodology
  - The Overpass Series [1, 2, 3]: Simple boxes but don't get too relaxed ;)
  - VulnNet Internal: Internal network assessment in a Linux environment.
  - Throwback: Great network of multiple boxes but keep in mind that this lab is much more difficult than the AD section in the OSCP. If you manage to pwn this you are more than ready.
- Local BOF:
  - https://github.com/3isenHeiM/OSCP-BoF
  - https://www.vulnhub.com/entry/brainpan-1,51/
In the end, I don't think there is a "one size fits all" in terms of training. I'd rather mix and match lists and boxes to cover (and practice) the majority of topics.
My OSCP Exam Attempts
First Attempt, September 2021
[Old exam format]
"There is no time like the first time"
In this attempt, being the first ever, I didn't know what to expect other than what was specified in the official documentation. The exam started at 5 AM, I was able to clear the BOF in around an hour and I was only able to gain one additional foothold after 5/6 hours.
Unfortunately, I got stuck bad and was only able to progress after a few hours. Once I understood how to get going, I was able to gain another foothold, but I was already behind schedule. The 14th-hour mark had already passed. I drank a ton of caffeine and managed to stay awake for the entire 24h span, but needless to say, it was not useful.
In the end, I had around 40 points, a liquefied brain, and was very demoralized. I decided to not even submit the report. Looking back at this attempt, I realize that I wasn't ready. But having a clearer understanding of the exam experience proved to be extremely useful for future attempts.
Second Attempt, April 2022
[Updated Exam with AD environment]
"Ah shit, here we go again"
This time I had a much better idea of what I was going to face; of course, I still had some doubts about the Active Directory section, but I felt confident. I was able to clear the BOF (and subsequent privesc) again in around 1 hour. I decided to tackle the AD environment right away but, once again, I got stuck on the foothold for 5/6 hours with no real progress, which drained most of my energy.
I knew that mathematically I had to compromise the entire AD environment to have a chance of passing the exam. Powering through it felt like the only thing to do. Once I realized that I was overthinking like crazy, I managed to compromise the entire AD environment in around one hour.
At this point, at the 14th-hour mark, I had completed the AD environment (40 points) and the BOF (10+10) for a total of 60 points. I was only 10 points short of passing the exam! I was so pumped that I decided to skip sleep to quickly get the missing points but powering through the exam, just like last time, didn't work...
In the end, I was really demoralized; I didn't have the lab report ready to submit, so I couldn't even rely on the bonus points. I ended the exam missing those 10 points, again pretty demoralized. I quickly threw together the exam report, but I knew it didn't matter at that point. Another failure.
Third attempt, July 2022
"Third time's the charm, right?... Right??"
During the cooldown months imposed by Offensive Security, I stepped up my game by finally fixing the cheatsheet and improving the quality of my time spent practicing. I completed my Proving Grounds list and most of the TJNull HTB list.
During the last weeks before the exam, I felt so confident that I decided to test my preparation with the eCPPTv2 certification from eLearnSecurity. In less than a week I submitted my report and earned the eCPPTv2, all of this only 2 weeks before my actual OSCP (a story for another time). At this point, I knew I was ready.
In the days prior to the exam, I decided to refresh my BOF methodology and review some AD theory. I also toned down the practicing since I didn't want to get burnt out before the big day. The exam started on the 16th of July at 11:00 AM.
I decided to go with the BOF as my first target; as usual, it took a little over one hour to get the exploit working and a bit more to root it. At this point I decided to go with a standalone box, which I cleared (local + root) in around one hour. Honestly, I wasn't expecting it to go this smoothly; after a bit less than 3 hours I had already secured 40 points.
After a break I focused exclusively on the AD environment; I managed to not get blocked in a pesky rabbit hole and quickly found the way around the first foothold in roughly one hour. The rest of the AD went so quickly that I had to force myself to stop and take notes/screenshots for the report. At around 5 PM I submitted the domain flag for the AD environment. At this point, 6 hours had passed and I already had 80 points.
I took a long break where I ate dinner, took a shower, and relaxed a bit. This was much needed. After that, I managed to find the final foothold in around 1 hour and got root in another hour. At this point it was done: I was able to clear the OSCP exam in less than 10 hours without Metasploit.
Conclusions
As I said at the beginning, try to see this journey as a marathon and not as a sprint. Anything rushed is not worth it so take your time and try smarter!
Preparation Tips
- Studying is important but practicing is fundamental.
- Finish what you started, don't do multiple boxes at once.
- Keep the practice fun, mix up things a bit if it becomes frustrating. It's easy to get burned out.
- Try SMARTER, focus on your methodology.
- Practice, practice, and practice. I can't stress this enough! The more you hack, the better the chances of passing the exam.
- Once you have built some confidence, test yourself on the PWK labs with multiple simulated 24h exams.
Exam Tips:
- SLEEP! No matter how bad you feel the exam is going, powering through it will only lead to more frustration. Your brain needs to rest, whether you like it or not.
- Even if it sounds weird, it's important to keep yourself "pumped up" for the duration of the exam. Go after easier boxes if you're starting to get tired. Frustration is a bad co-pilot in this ride.
- During the exam you have multiple reverts; make sure to use them if something doesn't feel right.
- Don't be afraid of taking long breaks during the exam, just don't get too relaxed ;)
- Again, remember to eat and sleep! Don't power thro
I hope that you found this article useful or interesting; I had a lot of fun writing it. If you have any questions, feel free to reach out to me.