OSCP — My Experience

0xAlmighty
Jan 27, 2021

Preparation

My preparation started around January 2020. I went through the course syllabus and made sure I knew most of the stuff presented. The only thing I didn’t really practice was buffer overflow but one of my friends told me that the course itself was really good at teaching it. Next, I found the TJ_Null HTB OSCP-like machine list (link down below) and started going through the list. I noticed that I had already rooted some of them in the past but I did them again. I did 25 boxes from the list. During the same time, I bought a VHL 1 month subscription and did some machines on the platform. I was jumping from one platform to another without following any strict schedule. All platforms bring something different to the table which is a plus in my opinion.

To this day, I think one of the best platforms is Proving Grounds by Offsec. It’s only 19$/month and you get access to plenty of machines created by Offsec. They have 3 sections: easy, medium and hard. It’s really similar to the PWK lab.

Here’s a list of what I think could really help during your prep, I haven’t done everything in the list but it might help someone. The Tib3rius courses are a must have.

The key here is to practice as much as you can and learn the fundamentals before jumping into PWK. Don’t rush things and try to learn how things work. You can root a thousand boxes but if you don’t understand the how/why you can root a box, it won’t be beneficial to you. Again, take notes and create write-ups.

Take your time and most importantly, have fun!

PWK Labs

The course and lab access started on September 26th 2020. I was so excited to receive the material. I got an email around 8:00pm that day. I downloaded the pdf, lab connection and a link to the VM that Offensive Security recommends using. I installed the recommended VM in VMware Fusion and started reading the pdf. My schedule for the pdf/exercises was:

  • Monday to Friday 8am — 5pm from Sept 26th to Oct 26th

Having a schedule really helped me to stay focused and treat the PWK like I was going to school. Obviously, I didn’t stick to the plan every day because life issues and other stuff get in the way but I tried my best to stick to it. Every once in a while, there are exercises you have to complete. You have to document/explain each step of the exercises and there are a LOT of exercises. It took me almost 3 weeks to go through the pdf and complete the exercises.

I wanted to complete the exercises but I’ve stopped doing them at some point (I think right after the Active Directory chapter) because the exercises began more and more to become chores… I really wanted to dive in the lab.

One small piece of advice: make sure you go through the pdf and do the exercises (not like me). It’s not a big deal if you don’t complete the exercises but make sure you do some of them, especially the buffer overflow (Windows and Linux). Offensive Security gives 5 bonus points if you complete them all and submit a lab report after your exam. If you have 65 points during the exam, the lab report can definitely save you!

To be completely honest, the videos are okay. They’re not fantastic but they don’t suck either. It’s basically the pdf but in a video. It might be beneficial to you if you’re a visual person.

I was ready to jump in the lab around Oct 18th. I was super excited but really nervous at the same time… I didn’t know what to expect. I was scared I wouldn’t be able to root any machines from the lab; imposter syndrome was hitting me hard.

I started by scanning the whole Public network and targeted the low hanging fruit machines first. The whole lab is awesome. You get all sorts of vulnerabilities and you get the chance to practice client side attacks which was really cool. On top of that, you get to practice port forwarding, tunneling and pivoting to other networks.

My lab time was gonna end on Dec 29th (Offsec got some issues during my lab time, I think it was a power outage or something but they added the number of days students couldn’t connect to the lab as an extension). After 55 boxes rooted, I felt confident so I booked my exam and set the date to Jan 19th 2021.

Weeks before my exam, I got myself a Proving Grounds subscription, which I suggest you give a try. I was going back and forth from PWK lab to Proving Grounds to HTB.

Side note: the student forum might not be all that great. You have to be really careful about what you read because you can easily spoil yourself reading through some posts. Also, I get the try harder but I think some people on the forum don’t really apply the try harder in a proper way. By that I mean some people will just comment “Try harder…” when in fact I think they should say: have you tried harder? Did you look at this port? Did you find the web service? You’re not helping anyone by saying try harder and I think Offsec is aware that some people interpret the mantra in the wrong way. I avoided the forum (lab section); otherwise, great community. Just be careful in the lab section!

The Exam

I scheduled my exam at 4:00PM on January 19th 2021. One of the reasons I scheduled the exam for 4:00PM was because I’m used to going to bed late so it wasn’t a problem for me. My girlfriend was at work till 5:00PM that day and she was working early the next morning. I had a really good sleep the night before and woke up at around 10:00AM. I went over some notes, cleaned up my office, prepared a lunch and plenty of snacks.

Note: I used my own instance of Kali during the exam. I had no issues at all. Using the VM provided by Offsec is a safe way to avoid any trouble but I like when things don’t work so I gave it a shot.

  • 3:30 PM Offsec recommends connecting to the proctoring software 15min before the start of the exam. It was 3:30PM when I connected to the proctoring software. I followed the proctor instructions (confirming your identity with a passport or valid government ID, showing the room, etc). I received the connection pack to the exam at exactly 4:00PM. Before starting the exam, you have to run a test to make sure you’re connected to the VPN (you copy-paste the result and give it to the proctor). Once everything was confirmed and ready, I started reading the exam instructions via the exam panel. I was really anxious about being constantly watched but this feeling quickly disappeared. The proctors are really friendly.
  • 4:10 PM It was 4:10PM when I was ready to work on the exam. I decided to tackle the buffer overflow first. I connected to the debugger and started the usual process. I had already prepared a folder containing the fuzzer and exploit template I’m familiar with. I was able to get a reverse shell on the target machine after around 45 minutes. I had the proof.txt and I was ready to move to another machine. One thing that really helped me was to create a draft write-up during the exploitation. Great, I had 25 points.
  • 5:00 PM The next target was the 25 points machine. I ran nmapautomator and told the proctor I was going to take a break. My girlfriend arrived, we chatted a little bit and I was back in the office to check the scan results. I saw some open ports, poked around and found a way in. I had user on the 25 points in about 40 mins. I started working on the privilege escalation but I hit a brick wall. I spent an hour+/- trying to find the vector. It turns out I couldn’t find anything so I decided to start working on one of the 20 points machines. I had 37.5 points so far.
  • 8:00 PM Next, I ran nmapautomator against one of the 20 points machines. During the scan, I was still trying to find the privilege escalation on the 25 points machine but I still couldn’t figure it out… Once the scan was finished on the 20pts machine, I investigated the results and found the vulnerability. I had user really quickly. Nice! I had 47.5 points. The privilege escalation on the 20 points took me 20–25 minutes. I had 57.5 points! I decided to tackle the 10 points machine…
  • 9:00 PM Like I did previously, I ran nmapautomator against the 10 points machine. During the scan, I went back to work on privilege escalation… Still couldn’t figure it out… I went back to check if the scan was finished on the 10 points machine and I started looking at the results. I quickly found the vector but it took me quite a while to exploit. It took me around an hour to get a shell. I know exactly why I struggled but it is what it is! I definitely learned a lot from this machine. I had 67.5 points so far! Only 2.5 points to reach the passing mark…
  • 10:30 PM At this point, I had 67.5 points. I decided to take a longer break and go play Rocket League, eat the lunch I prepared earlier and clear my mind. Maybe I’ll be able to find the privilege escalation on the 25 points machine later…
  • 12:00 AM I came back in the office to work on the exam at 12:00 am. I started working on the 25 points again. I poked around some interesting stuff but nothing was working. The time was flying, 1am…2am…3am…4am… I started to panic. I decided it was time for me to sleep. I told the proctor I was going to take a break to sleep and left everything open. I was in bed at 4:30am, I couldn’t sleep. My brain was going 100mph. I was thinking of all the things I was going to check in the morning. I fell asleep at some point but only for 40min before hearing my girlfriend’s alarm…
  • 7:00 AM My girlfriend woke up at 7am to go to work. I got up at the same time and I took a shower, ate a small snack and went back in the office. I only had 40 mins of sleep but I was so hyped to work on the exam that I felt like I had slept longer. One thing I’d like to point out is that I should’ve worked on the other 20 points machine instead of focusing on the 25pts. I felt like I was so close to getting the privilege escalation that I couldn’t move to the other machine before rooting the 25 points… Time passed…8am…9am…10am… and I couldn’t believe it… I FINALLY did it. I rooted the 25 pointer. I had 80 points! I was feeling really good! I realized what I was doing wrong the entire time…
  • 10:30 AM Since I had 80 points, I checked if I had all the screenshots, commands, etc. After that, it was time to work on the last machine. I ran nmapautomator against it and took another break. This is where I made a mistake. I lay down in bed and literally fell asleep for 3 hours…
  • 2:00 PM I woke up at 2:00 pm, panicking. I forgot to set an alarm. I went straight back in the office. I had only 1 hour and 45 mins left in my exam. I started poking around but I think I was too exhausted. I tried to find the vector but I wasn’t able to. I told the proctor to end the exam, it was 3:35 PM.
  • 3:45 PM End of the exam. Time to work on the report.

Exam Tips

Here are some tips I suggest for your exam. I tried to stick to this list when I started my exam but it’s easy to forget about them. Follow what suits you best.

  • Time management is key, build a schedule. Know what you’ll attack first, second, etc.
  • Eat and drink plenty of water.
  • Take notes: which command failed, which one worked.
  • Read the exam goals in the exam panel and make sure the requirements are met.
  • Take breaks every 2–3 hours but it’s really up to you. You might handle longer periods of hacking like myself but I tried to follow my schedule.
  • Revert the machine if you can’t find anything, start fresh. You have 24 reverts and this can be reset after your 24th revert. Use it.
  • Don’t use Metasploit if you haven’t scanned all the machines. You might waste your 1 time usage. Keep it as a last resort.
  • Start with the Buffer Overflow since it’s a straightforward process.
  • Don’t assume it’s not vulnerable. Test it first and confirm after.
  • Don’t be intimidated by the easy/medium/hard rating. See it as a vulnerable machine.
  • Take more screenshots than you should. Just in case.

I’m probably going to add more tips eventually. Keep in mind that the exam is doable and 24h is more than enough to root all of the machines. It’s a marathon not a sprint.

The Report

I started working on the report at around 4:30 PM till 2:00 AM. Because I documented every step with screenshots and commands in Joplin, it was just a matter of cleaning it up and making sure there were no missing screenshots/commands. I went to bed at 2:30 AM. I woke up the next day at 7:00 AM and finished the report at around 9:00 AM. I read the report maybe 100 times and the exam guide from Offsec till I was satisfied with the final report. When I felt like the report met Offsec requirements, I exported the report in PDF and archived the file in a 7z file. I uploaded the report through the upload panel, verified the md5sum and that was it. I got an email the next day (early morning) from Offsec. The email I was waiting for… I passed the exam!

Got the email!

Conclusion

The OSCP exam is much more than just an exam. It’s a mental/physical challenge. You go through all sorts of emotions. Pain, happiness, self doubt, confidence, self doubt, happiness, pain, crying, pain and so on. I really enjoyed my experience. One thing for sure is you realize if you really like hacking. I passed the exam but I want to learn more, I would hack 24/7 if I could but it could’ve been the opposite. If you’re in a position where you don’t know if you’re ready or not, just go for it. The course is amazing and even if you fail, who cares? You will eventually get it. That’s what try harder means in my opinion. Don’t ever give up. That’s all I can say.

What’s Next?

I booked AWAE for March 13th 2021 and I’m looking forward to it. I want to write more articles, find a job in InfoSec and find more bugs. If you read this far, thank you and I hope you enjoyed. Each experience is different and I’m glad you took the time to read mine. If you have any questions, feel free to reach out! I’ll finish with this quote from BruteLogic:

Don’t learn to hack, hack to learn!

Thank you for reading.
