How I Beat The OSCP – And You Can, Too!

It took me 4 and a half months, $2600 USD and a hell of a lot of patience, but I beat the OSCP on the first try. It was one hell of a ride, but in the end, it was all worth it. Today, I’m going to share why I did it, how I did it, what I learned and what I recommend going in for the first time.

Background

Sometime around December last year I realised that it was time for me to start boosting my resume. I was unemployed – and for some reason, I was having an even more difficult time finding a cybersecurity job than I did fresh out of university, which was incredibly disheartening.

I knew I had to do something.

When I was in university, I did a few CTFs, mainly because I knew I had to have a skill outside of the basics to be employable at all. A year and a half later, I was running out of options, as I didn’t have another high-level skill I could offer to prospective employers, apart from some niche anti-forensics skills. So I decided to look into it – I watched a few videos about it but I didn’t do a lot of research. Everyone on the internet said “It’s incredibly difficult. People fail at this. Do not hedge your bets on finishing the exam in one shot.”

I don’t take uncalculated risks, but this time I made an exception. Besides, if I didn’t do something, I knew I was going to have to eventually cop out to a helpdesk job I’m overqualified for and get kicked out in a year when automation took my place. I always heard the OSCP was a respected cert and I saw it on a ton of job openings, including blue team ones. I spent a decent chunk of my savings on the LearnOne Subscription for the OSCP PEN-200 course, which gave a year of lab access and a free exam retry attempt. I got started the next day, but my lab access didn’t kick in due to technical issues. So I started reading the first couple of chapters, which was pretty basic cybersecurity 101. I was thinking: this will be a walk in the park!

Learning the Material

Spending about 6 – 12 hours a day, I would read the materials from the OSCP documentation, write my notes in Joplin, and do the lab exercises. To be eligible for bonus points, you needed 90% of labs in each subject finished, so that’s exactly what I did. Many of the concepts across the content were very familiar to me, so I didn’t have much trouble wrapping my head around the basic concepts. But to actually complete the lab exercises you needed a little more than basic understanding. So I would bang my head against the labs all day until I figured them out, trying to stay away from hints if I could.

Every day my head would feel so hazy and foggy after I finished work for the day. It was intense! Every day I learned something new and it was a lot to take in. But I was having a good time, I felt smarter and stronger every day I did it. I would wake up most days at about 7 to 9 AM, go to the gym, and then get some breakfast. I’d come back home, eat, drink coffee and watch some TV. After that it would be around 11 AM – 12 PM, and I would work for about 7 hours, sometimes more or less. On my breaks I would watch TV and film to clear my head before jumping back in. I started to use the pomodoro technique – 25 minutes of work, 5 minutes of break – and eventually bumped it to a 50/10. Everyone has a different method, but I found this worked well for me. 50 minutes allowed me to get a solid chunk of work in before having 10 to decompress before jumping back into it.

Joplin was the tool I used for notes. I used to use Google Docs, and I had hundreds of pages of notes on there. But at that point the site would start to lag quite terribly, and Joplin was much better in that regard. It was also easier to categorize notes and write sub-notes on complex subjects. Instead of adapting my existing notes, I began creating an entirely new one. A lot of my existing methods were beyond the OSCP’s scope or used forbidden tools, so I decided it would be best to just write everything from scratch and supplement the new notes with the old ones when relevant. This was very time consuming, but it helped me learn things from scratch again and saved me time later when it came to reading streamlined notes.

After I did as much as I could, I’d finish up for the day, eat some dinner and play video games till about 2 in the morning. This wasn’t healthy, but I found that you need something that you can enjoy without thinking too hard after learning all the time, or you’ll burn out. More on that later. It took me about 2 months to get through the content, with full notes on all of it and 85% of the exercises completed. I felt great – like I said, I was moving fast, and everything was working just the way it should. I didn’t have much of a social life anymore – or anything interesting going on outside of the OSCP, but I didn’t care. I was ahead of schedule and everything was playing out perfectly.

The Hard Part / Preparing for the Exam

I started preparing for the exam immediately after I finished the course material. I did this in early stages by using TJ Null’s list of PWK Practice boxes and the Medtech and Relia Challenge Labs. There was a significant bump in difficulty here. I think the hardest parts of any CTF aren’t exploitation but instead enumeration. What the boxes teach you is how to enumerate, and I think that’s the most important thing to learn to pass the exam.

I booked my exam at this time. I planned to book it in three weeks. Unfortunately the most recent space was in six weeks. I didn’t know it at the time, but I was completely out of my depth and this was the minimum amount of time I needed. Anyways, I started with easier boxes and slowly scaled up the difficulty. Things were quite difficult and I had to use a lot of tips. Those tips were fundamental for my speedy progress through the boxes and personal notes, though. But I would constantly fail to complete many or all of them – which I took personally.

Five weeks left.

Things got easier, and I was knocking out 1 – 2 boxes a day. Medtech and Relia were still quite complicated though and the rabbit holes were slowing me down big time. I was starting to get quite frustrated, though. I didn’t feel ready and I was getting stuck on things that I thought I knew, like basic SQLi auth bypasses and fixing web exploitation among others. The work was also getting to me a little bit. The first signs of burnout were appearing – I was visibly tired quite often and mentally fatigued. Yet, I had to press on. I needed this more than anything else, and it wasn’t because of my circumstances or anything like that. I just wanted it more than anything else in the world.

Four weeks left.

I relaxed as much as I could on the weekend, and prepared for a mock exam using Challenge Lab 4 (Challenge Labs 4 – 6 mirror the exams). My goal was to complete the Active Directory set of the exam before the day was wrapped up. The logic was – if I can do it in 12 hours, I can get one more Linux box in the other 12. And that’s exactly what I did. Took me about 11 hours and I did a standalone as well (a Windows one). I felt absolutely great about this, because it proved that I can do the exam environment. Anyways, I spent the rest of the week doing Linux boxes and finishing off the ones I didn’t do. Things were moving well.

Three weeks left.

I did the same thing as the last week and set up my environment for another mock exam with Challenge Lab 6. I was sick with a cold. I completely lost it in three hours and caved to using tips, and then just gave up after that because it felt like a cop out. Bad experience, but I learned from it. Don’t push your body too hard. I tried again the next day and failed it again. So I just did the machines normally over the next few days, more challenge machines. I didn’t feel ready anymore. The burnout was also starting to really get to me at this point. I stopped going to the gym and slept less than 6 hours a night consistently to the point where I couldn’t sleep longer if I wanted to. My physical and mental health were declining rapidly – I was not taking the whole process well, but I had to keep pushing. Giving up was not an option – it never really was.

Two weeks left.

I did Challenge Lab 6 in the mock exam format and I passed it. I also did my first proper exam style writeup, which was important. The rest of that week is a blank. I was locked in so hard I wasn’t able to create long term memories.

One week left.

Things are a little hazy here too, but I remember a couple things:

  • I did another writeup of the Medtech challenge lab.
  • I double checked my requirements for the bonus points, which I was eligible for.
  • I went over concepts I was rusty on, which were predominantly SQL injection and fixing exploits.

Things were getting really intense for me at this point.

I knew I could do it. But I didn’t know that I would. I heard things about “impossible AD sets” on the internet and I was scared. Scared – but ready.

On the weekend before, I sat at home and played Grand Theft Auto all day. The day before, I cleaned my house, got my environment ready, bought three days’ worth of takeaway food and iced coffee, and tried to relax. Surprisingly, I was relaxed. I think it was because I knew I did everything I possibly could. I went to bed at 10 or 11 PM to wake up at 8 AM, an hour before my exam. That night, I slept like a baby.

Exam Day

At 5:30 AM, I awoke to the alarms in my apartment block going off at max volume. There was an emergency evacuation. I walked outside in my dressing gown and all I could do was laugh. I mean, this was the most important day of my life and it was already going bad because someone probably burnt their toast. Anyways, half an hour passed, the evacuation stopped, I went back to bed and slept for two hours.

My alarm goes off at 8 AM. I jump out of bed, log onto my computer and set up my environment. I eat breakfast and drink iced coffee. 8:45 AM – I log on, talk to my proctor, and get the go ahead to start. Now I can’t describe the exam environment itself but I can describe the general events that occurred. My goal was to compromise the AD set quickly and then wipe out one last standalone machine with enough time to go get takeaway dinner before 11 PM – then use the rest to sleep.

It took me about an hour and 15 minutes to get an initial foothold on the AD set. My in depth notes and experience regarding the first attack vector made this very quick. I took a break and went to watch 10 minutes of Scarface outside while I had a snack. “Awesome,” I said to myself. “I’ve got this in the bag.”

For the next 8 hours, I got stuck on privilege escalation. I got scared – I hit a massive roadblock with no apparent exploitation method. I gave up on passing the exam in my head and went to the individual machines. Couldn’t find anything there either. But even though I gave up, I didn’t want to stop. I knew I wouldn’t be able to live with it. So I had a shower – and suddenly thought… “what if I tried something completely different?”

I came back, angry but determined, and conjured a privilege escalation vector for the first AD machine out of thin air. Then I completed the other two AD machines in two hours. Everything I saw after that first privilege escalation on the AD set was something I had seen before on a CTF or in the OSCP material. Boom – 40 points. 14 hours left.

So I took another break and watched some more Scarface. I enumerated two of the machines and started to feel a little foggy. Couldn’t see a way through them. Went to the last machine, did some experimentation and got a relatively simple initial foothold in about 2 hours. Guess what? I got stuck again even worse with privilege escalation than the first machine I faced.

I kept going over the others as I only needed 10 more points to pass. Just 10 more points. Couldn’t do it. My head was so foggy, I felt like I was underwater. So I circled back to the one I was working on. Everything I tried – every enumeration method I learned. None of it worked. 10 hours left. I gave up again. I was so tired, I was stumbling around and tripping over the air. I went to have a shower and I broke down. I started hitting the walls of the shower – “Why? Why? Why can’t I do it?” Everything was on the line for me and I was failing a metre before the finish line. So I just sat down in the running shower and gave up. I had nothing I could do, and the other machines were basically an enigma to me. 10 points, 10 points, 10 points – my inner monologue kept repeating. It was like a cruel joke where I was the punchline, sitting on the floor without enough energy to get back up. I had hit rock bottom.

Exhausted, and without any motivation to even stand up, I had nothing left to give. My conscious mind had no more energy to suppress all the stress and self doubt, and it all came flooding out at once. My inner monologue was telling me I was a failure, a good for nothing – and worst of all, not a real hacker but an imposter. But then a second voice emerged in my delirium – it said – “are you just going to give up like that? Are you just going to let them win? Surrender? No. Get up. Get up and take it back.”

This was exactly what I needed to hear. Lying on the bathroom floor, I had nowhere else to run, nowhere lower to fall. The voice was right – it was time to show them who’s boss. Fight or flight kicked in, and I chose fight. So I stood up, with my whole body trembling and shaking.

I jump back into the computer seat. I’m so hyped up on adrenaline and determination that when I type that I’m back from my break into the proctor’s chat, I also type “It’s time to finish this.” She writes back “You got this.” I’m locked in. 2 hours pass, I’m not taking breaks. I’m throwing everything I can at this box. Suddenly it clicks in my head again. “What if I did… something completely out of the box… AGAIN?” I discover some absolutely inane privilege escalation vector I would have never thought of. It works. Points requirement passed. I win. 8 hours left.

Oh, except it wasn’t over. I forgot to take some PoC evidence from my AD set. So I had to re-exploit the first box from scratch, which took two hours. Then I redid everything just to make sure. Then I messed up the notes for the first box AGAIN, so I had to redo it. I made lots of mistakes and it was an enduring process – but the hard part was over, so I wasn’t struggling. I clock out of the exam with 3 hours left and set my alarm for about 5 hours away.

The next day, I spend 20 hours writing my report, including every single piece of information, every screenshot, and every detail that could be possibly relevant. The final report is 80 pages. I submit it. I think I may have failed because I messed up the notes on the first box so many times and I need every point to win. Oh well. I did what I could.

You Win!

I spent the next couple of days in a dreamlike state, barely able to function after the ordeal I just went through.

Two days later. Email notification.

We are happy to inform you… and well, you know the rest. Truth be told, I wasn’t feeling too great about it initially. By then, I was so stressed out that I felt completely detached from the whole situation. But I got a couple days of rest and I realised that I won. All the suffering, all the hard work, all the self doubt. I beat it. I won.

Was it worth it?

The easy answer is yes, because I passed. But in recommending it to other people? I couldn’t say yes confidently. Sure I won, but I barely won. It took every single bit of determination in my body and mind not to give up. It was an extremely painful process and the most difficult thing I have ever done in my life. I don’t know what I would have done if I had to retake it.

So can you do it? If you’re not an intermediate hacker already, I’d say it depends on your resilience. You need to have inner strength and fortitude to do it. That’s the only hard prerequisite in my opinion.

Lessons Learned

I learned a lot from the course and I’ve got quite a few tips if you’re planning to take it. A lot of the things I recommend are specific to the OSCP simply because it’s not like a traditional CTF.

Tools I Recommend

  • Use Ligolo-ng to port forward. It’s a lot simpler than using other methods. Not much to say here.
  • pwncat-cs is great for stabilising Linux shells.
  • Write your own binaries for privilege escalation / persistence on Windows. I use an executable called addjesse.exe that creates a new user, adds them to Remote Desktop / PSRemoting and enables those services.
  • AutoRecon is a godsend for fast in-depth enumeration. But don’t forget to do your own enumeration manually.
  • Linux Smart Enumeration is great for finding low hanging fruit.
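The custom persistence binary described above, seen from the defender’s side: an added example (not the post’s code, nor the author’s binary) that flags a freshly created local account being added to a remote-access group within minutes of its creation. It assumes constructed Windows Security events (ID 4720 = user account created, ID 4732 = member added to a security-enabled local group) with hypothetical host, account and group names.

```python
# Added example, not from the original post: detect the "create a user, then
# grant it RDP / PSRemoting access" pattern in Windows Security event data.
# Event IDs: 4720 = user account created, 4732 = member added to local group.
from datetime import datetime, timedelta

# Local groups that grant remote interactive or remote-management access.
REMOTE_ACCESS_GROUPS = {
    "Remote Desktop Users",       # RDP logon
    "Remote Management Users",    # WinRM / PSRemoting
    "Administrators",
}

# Constructed sample events (hypothetical host "WEB01" and account names).
SAMPLE_EVENTS = [
    {"time": "2024-05-01T10:00:00", "id": 4720, "subject": "WEB01\\svc_web",
     "target": "jesse"},
    {"time": "2024-05-01T10:00:02", "id": 4732, "subject": "WEB01\\svc_web",
     "target": "jesse", "group": "Remote Desktop Users"},
    {"time": "2024-05-01T10:00:03", "id": 4732, "subject": "WEB01\\svc_web",
     "target": "jesse", "group": "Remote Management Users"},
    # Benign onboarding: account created, RDP granted the next day.
    {"time": "2024-05-01T13:30:00", "id": 4720, "subject": "WEB01\\helpdesk",
     "target": "new.hire"},
    {"time": "2024-05-02T09:00:00", "id": 4732, "subject": "WEB01\\helpdesk",
     "target": "new.hire", "group": "Remote Desktop Users"},
]


def find_quick_remote_access_grants(events, window=timedelta(minutes=5)):
    """Return (new_account, creating_subject, [groups]) for every account that
    was added to a remote-access group within `window` of its own creation.
    Group additions outside the window (normal onboarding) are not reported."""
    created = {}   # new account -> (creation time, subject that created it)
    hits = {}      # (new account, subject) -> groups granted inside the window
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4720:
            created[ev["target"]] = (ts, ev["subject"])
        elif ev["id"] == 4732 and ev.get("group") in REMOTE_ACCESS_GROUPS:
            info = created.get(ev["target"])
            if info is not None and ts - info[0] <= window:
                hits.setdefault((ev["target"], info[1]), []).append(ev["group"])
    return [(acct, subj, groups) for (acct, subj), groups in hits.items()]


if __name__ == "__main__":
    for acct, subj, groups in find_quick_remote_access_grants(SAMPLE_EVENTS):
        print(f"ALERT: {subj} created {acct!r} and granted {groups} within minutes")
```

A real deployment would feed this from exported event logs (e.g. `wevtutil` or a SIEM query) and could extend the window check to the service-enable step the binary also performs.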

Resilience

You need to be mentally resilient to beat the OSCP – no two ways about it. For me, I got more resilient by learning to accept failure but also never giving up. There’s always a way forward – you just don’t know what it is yet. Another helpful method here is…

Find Good Role Models

Find people, whether fictional or real, who inspire you to keep going. Like I said before, I was watching Scarface during my breaks on the exam. Why? Because Tony never gave up and always kept going no matter what. But it can be anyone. Identify these people who resonate with you and follow their ideals if it helps you push forward.

Try Smarter, Not Harder

The motto of Offensive Security is Try Harder. You should always try harder, but also try smarter. Work too hard without doing it the right way and you’ll burn out.

Have A Way To Release

You will burn out if you don’t have something to do that takes the edge off. For me, I played a lot of open world video games like GTA IV and Red Dead Redemption II. That helped me clear my head. Exercise was good too. Regardless, the point is to find something that helps you stay clear headed.

Don’t Let Your Emotions Win

It can be easy to let anger, sadness, anxiety or fear get the better of you. However, you need to be clear headed to fully exploit machines. I succumbed to anger during my exam, but I had to do that to stay awake, to stay focused.

Practice, Practice, Practice

I used the Challenge Labs and Proving Grounds Practice machines to revise for the exams. You don’t need to use these, but you need to practice. It’s the only way to get better. If you don’t practice, you will fail.

Conclusion

There isn’t too much for me to say. The OSCP is a personal journey and it’s different for everyone. Only you can determine whether you can do it or not. I’ll end this post with a quote that reflects my experience passing the OSCP.

“I have self-doubt. I have insecurity. I have fear of failure. I have nights when I show up at the arena and I’m like, ‘My back hurts, my feet hurt, my knees hurt. I don’t have it. I just want to chill.’ We all have self-doubt. You don’t deny it, but you also don’t capitulate to it. You embrace it.”

Kobe Bryant, 5-time NBA champion