What is the OSCP?

The OSCP (Offensive Security Certified Professional) is a certification granted to those who can pass a daunting exam, requiring you to hack your way to administration-level privileges across 5 different machines on a private network. The kicker? You only have 24 hours to complete it.

Once you complete the initial 24 hours and close out your connection to the private network, you have an additional 24 hours to write a report summarizing how you exploited each machine with detailed, step-by-step instructions, along with remediation recommendations to prevent such attacks in the future. In total, you can be awarded 100 points. A standard 70 points is required to pass.

Sound tough? It is.

First Try, No Warm Up

I signed up for the OSCP on August 1, 2019. My lab time started on August 11, 2019.

Lab Time

I bought 60 days of lab time. The moment your lab time starts, you are sent your training materials. The materials consist of a virtual machine image, a PDF, and accompanying videos. These are the guiding light through your journey. The materials themselves are a reference that teach you fundamentals, but more importantly, they teach you how to think about what you are attacking and how to attack it. They are not meant to teach you everything you need to know. Instead, they help prepare you for self-study in a methodical, guided manner.

I worked through the training material, completing the exercises and documenting my progress, and it took a while longer than I expected. I spent extra time making sure I understood each concept and even branched out to research more into the topics I found particularly interesting. I completed the materials in about two weeks. This left me about 40 days to conquer the labs and prepare for the exam.

I tried to complete as much as possible on my own, only leaning on the forums for help if I was absolutely stuck. I probably completed 15 machines in the first couple of weeks. I was working full time, which left me 3-4 hours after work each night, and before long I was burning the candle at both ends. I aimed for a minimum of 1 box a night, and sometimes I just could not complete my goal.

Scheduling the Exam

Eventually, my lab time ran out. I had to schedule my exam soon. I did not feel ready. 60 days went by so fast. I figured that, to give myself some more time to prepare, I would kick the can down the road a bit and schedule it a month out. In the meantime, I needed more practice. I tried out HackTheBox as supplementary material. I watched countless IppSec videos, and I practiced the Brainpan buffer overflow box from VulnHub probably 20 times. Things were starting to click. I was developing a methodology.

Exam Day

November 22, 2019. I felt ready. I had completed machines from the practice lab, machines from HackTheBox, and buffer overflow boxes from VulnHub, and read every OSCP review I could. I was going to crush it.

I began the exam at 10:00AM CDT.

I started off strong. I ran enumeration scripts against each box to look at later. I fired up tmux and vim to take notes. First on the list was to tackle the buffer overflow. Then the nerves hit. I shuffled through my notes to make sure I wasn’t missing steps, and I had already begun to panic. 2 hours in. I think I’ve got most of this completed. It works on the debug machine. I can’t get a shell back. 6 hours in. I can’t get a shell back. 8 hours in. I finally get a shell back. It’s been 8 hours and I have finally completed the buffer overflow after completely restarting it. I didn’t take a break. I didn’t eat. I was already a wreck, hoping to make up for lost time. I moved to the easiest box. I needed points, and fast. I can’t take a break now, I am too far behind. 12 hours in. I think I’m up to about 35 points. 16 hours in. It’s 2AM and I haven’t even left the chair except to pee. I make another pot of coffee. 20 hours in. I see daybreak from the window behind my desk as the sun begins to rise. 55 points. Almost there. I’m exhausted. I’m also out of things to try. I’m not going to make it. My brain is fried, I haven’t eaten. I’m shaking from consuming nothing but coffee. I just can’t figure out what to do on these other boxes. Not even a user shell. I’m crushed. I end my VPN connection and go to sleep, accepting the fact that I was not going to pass. This exam was tough.

Attempt #2

I didn’t want to give up. I just needed to Try Harder.

More lab time

January 2, 2020. I got some more lab time: 30 days. I went for the harder boxes. No hints, no forums. I kept more detailed notes and began writing my own bash aliases and functions that would help me identify things faster. I was really starting to feel confident in my process for enumeration and note-taking.

Exam Day

February 2, 2020. The same day my labs ended. This time, I knew I was ready. I began at 10:00AM CDT.

I ran my scans against each host. I organized my thoughts about each scan into its respective notes file and went off to tackle the buffer overflow. I took screenshots of each part of the process, making sure I did not miss anything. At 11:06AM, I had completed the buffer overflow. I was excited. I didn’t want to get too confident. I took a break, warmed up my coffee. Ate a granola bar.

Fast forward. Several hours and several breaks later. It’s 2AM. I had a shell on every box except for one. I had a user shell on one, and root on the other three. I had more than enough points to pass. I went to sleep and got some rest, leaving my VPN open in case I had a surge of insight that night while asleep.

After The Exam

I woke up the next morning ecstatic to write my report. I finished the report that evening and sent it off to OffSec.

Then began the wait. I was nervous for what seemed like an eternity. I found solace on the OffSec Discord with a couple of people who were also awaiting their results.

February 9, 2020. The results are in. I passed. I had done it. The months and months of work had finally paid off. I was an OSCP holder.

Fast forward to today. It’s been an interesting year so far. Offensive Security had some trouble shipping certificates due to Covid, but it finally came in the mail. I am official!

My Advice for Anyone Taking the OSCP

Practice

The lab that offsec provides is absolutely fantastic. Take advantage of your lab time. When you run out of time or pwn all the boxes in the lab, switch it up and go for some supplementary materials. HackTheBox was my main go-to for extra practice. There are some good writeups out there for older, retired boxes to help you understand things when you are stuck. I suggest tackling the easy/medium active boxes without hints on HackTheBox if you want to gauge where you stand.

The buffer overflow is probably what makes people the most nervous. There is no getting around this one. You have to know it. Practice this. There are many resources out there: VulnHub’s Brainpan, dostackbufferoverflowgood, and OffSec’s training materials. Know these and they will serve you well.

Avoiding Pitfalls

Time Allocation and Getting Unstuck

It took me almost 8 hours to complete the buffer overflow the first time. That is a problem. I spent forever trying the same thing over and over and over. In the end, I redid the entire thing from the beginning and it worked. The second time, I finished it in less than two hours.

  • If you get stuck, take a step back. Make sure you are approaching the problem correctly.
  • Do you have all the information? What could you have missed?
  • Take a break and come back to it. A set of fresh eyes may help you see something new.

Rest

I’m not sure that I took a single break the first attempt. I don’t even think I ate anything. At around 20 hours, my mind just gave up. I was embarrassed and ashamed. After all, so many others can pass the exam.

  • Set yourself a timer. You have to take breaks. I think there is also a psychological component to this that complements the thought of hitting a deadline, e.g. “I need to get a list of possible vulnerabilities on this machine before my next break.”
  • Take a shower. Some of the best ideas happen in the shower.
  • Eat something on your break. You need the food. Coffee is fine, but remember food and water.

Detailed Notes

Take all of your notes as you go. Your report will be half-written by the time the exam is over, and during the exam it can be life-saving to be able to jump back into a train of thought. The first exam, I only took notes when I felt like I was making progress. I didn’t think to note anything I had already attempted. This was problematic because I probably did several things over and over when I came back to a particular host.

  • Screenshot everything. scrot names them by date by default.
  • Use notes. I ran tmux with 2 panes and one tab per host. My notes for each host were always open.
  • Take notes of what you tried, even if unsuccessful. If you have to come back and look at it later and question if you have already tried something, you can refer to your notes.
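An added example (not code from the post) of the workflow the list above describes: one notes file per host, a timestamped “tried” log so repeated attempts are obvious after a break, and the tmux one-window-per-host layout with the notes open in a pane. The host names passed to it are constructed placeholders, and the notes root defaults to an assumed ~/exam-notes.

```shell
#!/bin/sh
# Per-host exam notes and "what I tried" log. Added example, not from the post.
# Host arguments are placeholders you supply; NOTES_ROOT is an assumed default.
NOTES_ROOT="${NOTES_ROOT:-$HOME/exam-notes}"

# Create one notes file per host with the sections worth filling as you go,
# plus a screenshots directory to drop scrot output into.
init_notes() {
    for host in "$@"; do
        dir="$NOTES_ROOT/$host"
        mkdir -p "$dir/screenshots"
        if [ ! -f "$dir/notes.md" ]; then
            printf '# %s\n\n## Enumeration\n\n## Tried (including failures)\n\n## Foothold\n\n## Privilege escalation\n\n## Proof\n' \
                "$host" > "$dir/notes.md"
        fi
    done
}

# Append a timestamped line to the host's tried log: log_try HOST "what you did".
# Failures go here too; that is the whole point of the log.
log_try() {
    host="$1"; shift
    printf '%s  %s\n' "$(date +%H:%M)" "$*" >> "$NOTES_ROOT/$host/tried.log"
}

# Print everything tried against a host so far (nothing if nothing logged yet).
show_tried() {
    f="$NOTES_ROOT/$1/tried.log"
    [ -f "$f" ] && cat "$f"
    return 0
}

# Emit the tmux commands for a session with one window per host, each split
# into two panes with notes.md open in the left one. Commands are printed
# rather than run so they can be reviewed first; pipe into sh to apply.
# Window 0 of the session is left as a scratch window.
tmux_layout() {
    echo "tmux new-session -d -s exam -c '$NOTES_ROOT'"
    for host in "$@"; do
        echo "tmux new-window -t exam -n '$host' -c '$NOTES_ROOT/$host'"
        echo "tmux send-keys -t 'exam:$host' 'vim notes.md' C-m"
        echo "tmux split-window -h -t 'exam:$host' -c '$NOTES_ROOT/$host'"
    done
}
```

Source the file in your shell, run `init_notes` with the hosts once, and call `log_try` from the right-hand pane each time you try something, so `show_tried HOST` answers the “have I already tried this?” question after a break.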

Stay Calm

If you feel apprehensive and begin to panic, remember to breathe. Take a break and relax. The reason for most of my panic during the first exam was the time running out. But as I showed myself, even if I had sat there the entire time without a break, my mind would have given out before the clock did.