Wednesday, April 3, 2019

[Write-up] OSCP Experience

I passed the OSCP back in January and originally shared this write-up on reddit, but I think it deserves its own place here as well.

-----

There are a ton of great write-ups on people's OSCP experiences, but I want to give back to this awesome community, so I’ll try to keep this short. I just received my email notifying me that I have passed after waiting anxiously for about 40 hours. Before starting, I had no idea what hacking a machine really entailed, but that was one of my big motivations for going for this cert.

Ninja edit: it is not short.

Preparation 


I’ve been in IT for about 8 years and currently work at an MSP as a Network and Systems Engineer™. I have a slew of other certifications under my belt, including: CCNA, CCNP, Security+, and CEH. I’ve had a mild interest in development over the years and have started a few self-study courses, but never finished them.

Once I decided to pursue the OSCP, I started reading about it as much as I could. Lots of blog posts and reviews. Before I started my labs, I did the following as well:


  • OverTheWire Bandit – Because I didn’t have any Linux experience. http://overthewire.org/wargames/bandit/ 
  • Do Stack Buffer Overflow Good – Buffer overflow was really intimidating to me, but after going through this and the course materials, I feel comfortable with the basics. https://github.com/justinsteven/dostackbufferoverflowgood 
  • ippsec videos – I actually didn’t do this beforehand, but I wish I had. I started watching his videos after a few weeks fumbling around in the labs. It really helps to see someone else pwning machines and following their methodology. I took detailed notes (with some screenshots and every command noted) on the videos I watched, so they also made for great reference material. https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA 


Coursework and Labs 


I completed most of the course material before starting the labs and it took me about 3 weeks. I wanted the bonus points, so I documented each exercise and marked the ones that I needed to go back and complete later. I ended up completing these exercises the last week of my lab time. I recommend OneNote for these notes/documentation.

For the labs, I documented each machine as it was pwned. At some point, I reread the exam guide (https://support.offensive-security.com/#!oscp-exam-guide.md) and realized that I wasn’t documenting correctly. Luckily, I had enough boxes pwned with the right screenshots to submit on the lab report. I ended up getting about half of the guest network boxes, including two of the four “hard” ones. I didn’t make it into the IT or admin network.


  • Keeping track of the machines is crucial. I found pentest.ws (https://pentest.ws) after a few weeks and I never looked back. This website is great.
  • If you get stuck, check the forums for a nudge in the right direction! You can’t learn by wasting hours in vain. On that same note, don’t resort to the forums immediately. You do need to waste some time in vain. If you get stuck, move onto another box and come back later. Some boxes require resources found on other machines.
  • I ended up purchasing an additional month when my 90 days were up. I had some serious procrastination going on about halfway through, so I knew I wasn’t ready after 3 months.


Exam 


My exam started at 6 am on Sunday. I tackled the buffer overflow first, as most people recommend. Next, I knocked out a 20-point machine and then the 10-pointer. I had those done by 3 pm and then I got stuck until 1 am. I was pretty much resigned to failure, but I kept at it and started reading up on some services exposed on the 25-pointer. This led me down the path of pwnership and I had enough points to pass!


  • Read other posts and have a game plan. 
  • Read the exam guide. Then read it again. https://support.offensive-security.com/#!oscp-exam-guide.md 
  • When I was stuck, I switched from one machine to the other every couple of hours. 
  • Eat food. Take breaks. Go for a walk. 
  • Document as you work. I took all of the screenshots that I needed while I was working. 
  • The proctoring was fine. I used another computer for the webcam as others have recommended. The proctors were prompt, courteous, and professional. 


Reporting 


I went to bed around 3 am and then woke up at 11 am to get some food and then start my reports. Since I already had everything mostly typed up, I spent the next 4-5 hours copying/pasting, formatting, and double/triple/quadruple checking. I uploaded my report at 8 pm and received confirmation about an hour later.


  • My exam report was 25 pages long. No need for hundreds of pages in your report like I’ve read elsewhere. They just want detailed enough documentation to reproduce the exploit.
  • My lab report just had the walkthroughs and proof screenshots. None of the vulnerability details or recommendations. I put the course work documentation in the “Other Items Not Included” section.
  • Familiarize yourself with the report template beforehand so that you know what info you’ll need when completing it later. To be fair, I have no idea if my lab report earned me the 5 bonus points since I had enough points from hacking the machines. YMMV.


Conclusion 


This was a great but grueling experience. I’m proud to say that I earned this certification, but I’m also glad that it’s over. I have lots of sleep to catch up on. I’ve omitted details about tools and guides that I’ve used. That stuff is all over the internet, but if you want some information on that, let me know. Good luck and try harder!
