On the 7th January 2021 I received confirmation from Offensive Security that I had passed the 24-hour exam and consequently achieved the OSCP Certification. This was the culmination of 4 months and 500+ hours work to pass the exam on my first attempt. This blog post contains a brief summary of my study method, the resources I used and how I prepared for the exam:
I didn’t have any Red Team, ethical hacking or offensive security experience prior to starting the course. I had never rooted a box or used any websites such as HackTheBox or VulnHub however, I had always been intrigued by the methods used to exploit vulnerabilities having commissioned and reviewed penetration tests throughout my career. My technical background includes network engineering (Cisco, HP, Huawei); virtualisation and storage (VMware & NetApp) and server administration within an Active Directory domain environment. I also have a BSc in Computer Science and have previously been a Cisco Certified Network Professional (CCNP). My skillset typically evolves to reflect the projects or technical challenges that my current role faces.
I bought the OSCP course with 90 days of lab time and later bought an additional 30 days, starting in September 2020.
I had just under 2 weeks from booking my place on the OSCP and my chosen start date, consequently I used this time to watch Heath Adam’s Practical Ethical Hacking Course and to read Eric Matthes’ Python Crash Course. I had always wanted to learn Python and research told me this would be useful during the OSCP.
I watched the training videos and read the corresponding chapter in the supplied PDF, completing all exercises and documenting my work using OneNote. I decided from the outset that I would complete the exercises and the lab report in order to receive the 5 bonus points available. I would recommend this strategy to anyone attempting the OSCP as I felt it consolidated my learning and also provided useful notes that I could refer to later in the labs.
It took six weeks and approximately 120 hours to watch all of the videos, read the PDF and complete all exercises.
Starting the labs was daunting. As mentioned above, I had never exploited a vulnerable machine before and had no prior experience of ethical hacking. Nevertheless, I began rooting boxes and capturing the contents of the all-important proof.txt files. After 3 weeks of working through the lab machines, I became aware of a blog post written by Offensive Security that detailed their new Learning Path. Essentially, this is a list of lab machines of increasing difficulty that can be worked through as a starting point in the labs. Additionally, Offensive Security gives minor hints on how to approach the machines and where an initial foothold may lie. This is exactly what I needed when first starting the labs rather than randomly selecting a machine from the list. After finishing my current lab machine, I began following the learning path and completing the machines in order. This really helped to build momentum and increase my confidence before tackling the more difficult machines.
I struggled with privilege escalation when the vector was anything other than a kernel exploit. I therefore purchased Tib3rius’ Privilege Escalation courses from Udemy for both Windows and Linux. These were invaluable and complimented the course information perfectly. I watched both courses, taking notes and referring to them during my lab time and ultimately during the exam.
Prior to starting the labs, I had no idea how many machines I should compromise. Fortunately, Offensive Security released a useful chart showing pass rates vs. the number of compromised machines. Using this information, I aimed to complete at least 40 machines and ideally 50. Ultimately, I completed 46 machines before my lab-time ended. According to Offsec’s chart, this put me in the 65% pass rate bracket.
I had to book my exam 6 weeks in advance as it was very busy leading up to Christmas and I got a slot in the first week of January. After running through the pre-exam checks with my proctor, my exam started at 11:00 and I received an email with VPN connection details for the exam network.
Upon starting the exam, I took my time to document the IP addresses of the machines I would be targeting and recording my own IP address for reverse shells etc. Taking 15 minutes to acquaint myself with the exam environment, point allocation and the control panel were well worth my time. I forged ahead and began attacking my first machine.
The exam experience was very similar to working within the labs, with the exception that you and your screen are being monitored by Offensive Security proctors. For the most part this wasn’t a distraction, however, the software that monitored my screen(s) disconnected a number of times and had to be manually restarted. This happened approximately 8 times during the exam and was a little frustrating but not a major problem.
I won’t go into details about the machines I encountered as this is against Offensive Security’s policies. However, whilst difficult, the machines do represent a ‘fair’ reflection of the course and the machines encountered in the lab. Are they more difficult than the lab machines? No, but the initial foothold might not be quite so obvious due to multiple options.
I completed the exam and gathered the majority of my documentation before heading to bed at 06:00 the following day. I had been awake for 22 hours and had been working on the exam for roughly 19 hours - surprisingly I felt ok!
The OSCP was by far the most challenging and rewarding certification I have obtained. I’m no stranger to sitting exams having held multiple Cisco Certifications including CCNP. The quality of the OSCP training materials, lab environment and exam experience exceeded all other vendors significantly. For anyone seeking a career in Cyber Security, I’m certain that the OSCP provides the best possible exposure to the skills and techniques required to succeed in this field.
