My OSCP Experience
My Background (Skip if you are only interested in OSCP content)
Around two years ago, I was still unsure of what I wanted to do as a job. While I enjoyed programming, I realized that software development was not for me and I did not want to do it every day of my life. After some research, I found a community called misec, a group of information security professionals and interested people that holds monthly meetings across Michigan. After attending a few times, I realized that information security was much bigger than I thought and that there were a lot of opportunities. As time went on, I gained the courage to talk to some people and develop some connections.
I ended up attending my first conference (Converge) and I was shocked at how big infosec was. I explored for a long time learning about infosec. I got a job on campus that allowed me to use my programming and Linux skills, joined an IT student organization, and really accelerated my learning outside of class. A year after initially attending misec, I gave a presentation at the IT organization on penetration testing and from there I knew it was what I wanted to do.
I managed to get a cyber security internship at an accounting/tax/consulting company called Plante Moran, and although I was only able to shadow the pen testing team, I was sure pen testing was what I wanted to do. After completing my internship, I was lucky enough to find a professor willing to sponsor me for an independent study, which was taking the OSCP. Right before leaving for vacation to Japan, I took the exam not expecting much and managed to pass, which brings me here.
Enrolling in The Course
Enrolling is a straightforward process. You purchase the course and select a start date. The start date matters because you do not gain access to the labs or the materials until your selected day begins. The labs are limited to a few students at a time, which is why you have to select a start date. I purchased 90 days of lab time as that was basically a semester.
Preparation and Experience
Before taking PWK (Penetration Testing with Kali, the course for the OSCP), I had taken several programming and data analytics courses, so I had a very good foundation in programming. In my free time, I learned Linux and bought a server from the surplus store, so my Linux ability was also fairly good because of my side projects and my part-time job at the High Performance Computing Center at MSU. Before the OSCP, I was always looking things up, learning about networking and security, and attempting CTFs on VulnHub. I had some pen testing experience, but not a lot. I would not say I started from nothing, but following Offsec's prerequisites is a fairly good idea.
After I completed my internship, I had some time before my lab time started, so I used it by practicing on Hack The Box and watching Ippsec's old walkthroughs on YouTube. I highly recommend checking him out; his channel is without a doubt one of the best resources I know of. Something I wish I had done beforehand was to read more of other people's experiences with the OSCP. There are a lot of fine details and tips that help a lot.
I highly recommend getting a copy of VMware Fusion/Workstation. Being able to take a snapshot of your virtual machine is very helpful because there is a high chance you will break something at some point or need to update.
Before you even start the course, you should download the PWK Kali Linux image. It is a rather outdated copy of Kali, but it is highly recommended that you use it, as it is the build the course is designed around.
When you first get your materials, there are a few things you should do.
- Actually read the manual, every word of it. Never ignore what Offsec tells you to read. Everything you need to know will be there.
- Make a backup of the materials. The link is only available for 48 hours if I recall correctly. If you lose them, you will have to pay to get a new copy.
- Activate your forum account. There are tons of hints if you get stuck in the labs, and you should definitely look for a machine called Alpha. There is a great guide that gives you an idea of how someone else gets from 0 to root.
- Don’t forget there is an IRC channel that also gives hints.
- Find a way to stay organized. It was really a struggle for me for a long time. I found OneNote to be the best thing for me, but everyone is different.
- Remember that the course materials are just a starting point. The more you put in, the more you will get out.
- My methods/strategies worked for me, but I think it’s a very unique experience for everyone. Get to know what things work best for you, not just me because I passed.
I personally struggled deciding what I should do, not just at the beginning but throughout the course. You will receive a PDF document, a bunch of videos, and your VPN connection to the labs. I personally jumped between the labs and the course material, but I would probably recommend focusing on the course materials first, as that is what most people do. I think learning nmap early on is important because you can take advantage of the time you spend going through the course materials to start scanning the network. There are quite a few recon scripts out there, but you will learn how to discover things on the network as you work through the course materials.
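As an added example (not code from the original post or from Offensive Security), the script below turns nmap's grepable (-oG) output into one note skeleton per host, so the scan results you collect while still reading the course materials land straight in your notes instead of scrolling past in a terminal. It assumes you saved a scan with -oG (for example nmap -sV -oG scan.gnmap against the lab range); the scan text embedded in the script is constructed, uses documentation addresses, and is not from a real lab scan.

```python
"""Turn nmap grepable (-oG) output into one note skeleton per host.

Added example, not code from the original post. It assumes you ran nmap
with -oG, e.g. `nmap -sV -oG scan.gnmap <lab range>`, and want a text
note per host to paste into OneNote or keep in a notes directory.
"""
import re
from pathlib import Path

# Constructed sample of -oG output (TEST-NET addresses, not a real scan).
SAMPLE_GNMAP = (
    "# Nmap 7.70 scan initiated Sat Jan 12 02:10:00 2019 as: nmap -sV -oG scan.gnmap 192.0.2.0/24\n"
    "Host: 192.0.2.5 ()\tStatus: Up\n"
    "Host: 192.0.2.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.2p2/, "
    "80/open/tcp//http//Apache httpd 2.4.18/, 139/filtered/tcp//netbios-ssn///"
    "\tIgnored State: closed (997)\n"
    "Host: 192.0.2.8 ()\tStatus: Up\n"
    "Host: 192.0.2.8 ()\tPorts: 445/open/tcp//microsoft-ds//Microsoft Windows 7 - 10 microsoft-ds/"
    "\tIgnored State: closed (999)\n"
    "# Nmap done at Sat Jan 12 02:12:31 2019 -- 256 IP addresses (2 hosts up) scanned in 151.03 seconds\n"
)

# One -oG port entry is: port/state/protocol/owner/service/rpc info/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


def parse_gnmap(text):
    """Return {host: [port dict, ...]} keeping only open ports.

    Filtered and closed entries are dropped: they rarely deserve a line in
    the notes, and -oG already summarises them under 'Ignored State'.
    """
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment / summary lines
        host = line.split()[1]
        ports = hosts.setdefault(host, [])
        match = re.search(r"Ports: ([^\t]*)", line)
        if not match:
            continue  # a 'Status: Up' line carries no port list
        for port, state, proto, _owner, service, _rpc, version in PORT_RE.findall(match.group(1)):
            if state != "open":
                continue
            ports.append({"port": int(port), "proto": proto,
                          "service": service, "version": version.strip()})
    return hosts


def render_note(host, ports):
    """Build a Markdown note skeleton for one host, open ports first."""
    lines = [f"# {host}", "", "## Open ports", ""]
    for p in sorted(ports, key=lambda p: p["port"]):
        lines.append(f"- {p['port']}/{p['proto']} {p['service']} {p['version']}".rstrip())
    lines += ["", "## Enumeration", "", "## Foothold", "", "## Privilege escalation", "",
              "## Proof", "",
              "- [ ] proof.txt screenshot includes ifconfig/ipconfig output"]
    return "\n".join(lines) + "\n"


def write_notes(text, out_dir):
    """Parse -oG text and write <out_dir>/<host>.md for every host; return the paths."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    written = []
    for host, ports in sorted(parse_gnmap(text).items()):
        path = out / f"{host}.md"
        path.write_text(render_note(host, ports))
        written.append(path)
    return written


if __name__ == "__main__":
    # Stand-alone run: writes one note per host from the constructed sample.
    for path in write_notes(SAMPLE_GNMAP, "notes"):
        print("wrote", path)
```

The proof checklist line at the bottom of each note is there on purpose: it is the item most easily forgotten once a box is rooted, and having it in the skeleton means every host's note reminds you before you close the VPN.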
When I first got started, it was very difficult for me and I could barely do anything. Scanning the network and getting a bunch of results I had never seen before was intimidating, but looking back, it was actually fairly simple. I would spend days until I figured out a machine instead of jumping around, which was probably a bad idea. I think it’s a good idea to take breaks and cycle between machines when you get stuck.
The labs are obviously the most important part of the course. You will learn a ridiculous amount of things, but even I was not able to complete a lot of the machines (once I start work, I am even considering buying more lab time to go back through some things). Without a doubt, I put a lot less effort into the labs than I would have liked. Most of the time I was completely stumped and overcomplicated things, but getting root is extremely rewarding. You will learn a lot of interesting things.
There are a few things to note about the lab:
- You need to document 10 lab machines to get the extra 5 points. You also need to complete all exercises in the course PDF. Unfortunately, I actually lost part of my documentation, but I ended up not needing it to pass. Those 5 points can be the thing that makes you pass, though, so be extremely careful with it.
- Figure out how to stay organized early. I used OneNote for everything and still do.
- Always revert a machine before you work on it. Some people do destructive things that can cause a lot of frustration.
- Never bother using Metasploit. You can only use it once on the exam and it's better not to get used to it. Practice with it, but don't rely on it.
- When nothing works, you are probably over-complicating things. Think about your process and the things you missed.
- Once you get root, don’t forget about post-exploitation. Look for password hashes, passwords, ways to pivot, and strange files. You can find some funny stuff in the labs sometimes.
The amount of time I put in each week varied A LOT. Sometimes I would be busy with student organization work or other classes and not touch the OSCP stuff at all; some days I didn't leave my room once, working on it all day. As a student, it's much easier to make time, though. If I had to estimate, I would say I spent anywhere from 5 to 50+ hours a week on it. Again, it was very different every week.
Something to think about is that you pay for the lab and every day you don’t work on it is one less day of the lab. Even when you are completely stuck, it’s not a bad idea to go back through the course materials or even try learning something related. At one point, I was learning about reverse engineering and came back to the labs and figured something out. It was completely unrelated, but sometimes that break is helpful and you are still learning something in the background.
I tried setting goals throughout my experience, and that helped even when I couldn't achieve them. For example, say you will get user on 2 boxes and root on 1 over the course of the week. It really helped keep me on track, or at least motivated to keep trying.
A few things to note about the exam:
- You need to schedule it in advance. I would recommend doing it even two months in advance because the slots fill up fast.
- The exam is proctored the entire 23 hours and 45 minutes, meaning someone is watching you via webcam and your screen at all times.
- You have to do some set-up before the exam to make sure everything works and you will receive a connection pack when your time starts.
- Have a fresh Kali VM ready and your completed lab exercises/documentation.
READ THE INSTRUCTIONS. If you don’t, bad stuff can happen.
I accidentally scheduled my exam to start at 2AM instead of 2PM, but it ended up working out well for me. At night there are a lot fewer people awake to distract me. Going into the exam, I was not feeling too confident and wasn't expecting to pass.
Within 10 minutes I scanned the network and managed to easily get user on a machine. You can read my blog post from that night for more details, but I had a great start and didn’t feel too confident about the rest. I slept normally (actually around 7 hours) and had meals like usual. I took breaks often too. The following day I managed to get enough points to pass and finished my exam around 2-3 hours early. The next day I wrote up my final exam report and submitted it. I got 80/100 points in the lab. I probably should have spent more time on the last machine, but I was brain-dead by that time and have a good idea now how to get into that last machine. Within 24 hours, I was notified that I had passed the exam!
Recently, the OSCP moved to a proctored exam format. At first, it is a bit strange knowing you are being watched in every possible way (webcam and your screen). But in all honesty, it makes no difference, and I completely forgot I was being watched until a proctor who switched with another accidentally moved my mouse. It's definitely not something to worry about, but make sure to communicate with your proctor. I used a cheap wi-fi adapter on my desktop (not a good idea) and my wifi card restarted twice randomly in the 23 hour period. I checked in with them every time this happened, in addition to letting them know whenever I needed to take a quick break or just get up. I personally refrained from using my cell phone at all during the exam and had it on my bed. It's best to ignore it to avoid distractions.
In general, I think that a lot of people over-estimate the OSCP. The exam was difficult, but it was much easier than the labs in my opinion. If you develop a good process and follow it, I think the exam is fairly straightforward. It's really easy to overcomplicate things and to mismanage your time, but if you spend enough time in the lab, I think you get used to this. If you are unsure whether to take the OSCP, there's a good chance you should just do it. Even if you fail, you will learn a ridiculous amount of things. All of my college courses combined do not even come close to the amount I learned from taking the OSCP. Passing the OSCP is definitely just a starting point, though. There is still much to learn, and I really only consider it a starting point for becoming a pentester.
Something I really want to stress is how important it is to read EVERYTHING. After I got to 80 points on the exam, I was mentally checked out and had my proctor close my exam VPN early because I wanted to sleep. What I didn't realize was that in two of my proof screenshots, I was missing the ifconfig/ipconfig portion. The rules state that your documentation MUST include that in the proof screenshots. I freaked out for quite a while, but for whatever reason, I still managed to pass. I was actually expecting to fail because of the two minor screenshots. Even though it was a small mistake, it's extremely important.
If you have any questions or are looking for advice, you can contact me via Twitter @AzerBrandon at any time :)