OSCP Review & Preparation Tips

deetee
19 min read · Jun 20, 2021

I took the OSCP exam on 1 May and managed to obtain the passing score after 9 hours. A brief personal background: I majored in Economics in university and after graduating in 2019, decided to pursue a career in cybersecurity. Since then, I passed eLearnSecurity’s eJPT and eCPPT in 2020, and most recently OSCP in 2021. I hope that by sharing my experience as a non-IT grad, this review can help to motivate and inspire others of similar backgrounds who are also considering embarking on a journey in cybersecurity.

In this review, I will cover the resources I used for preparation, my exam experience, and other tips. This review is rather lengthy so feel free to skip to the sections you are interested in.

Preparation Resources before starting PWK

I took eLearnSecurity’s Penetration Testing Student (PTS) course and its accompanying eJPT certification exam, as well as the Penetration Testing Professional (PTP) course and its accompanying eCPPT certification exam prior to using the following resources. If you are completely new to penetration testing, I would recommend starting with the PTS first, which is free with the INE Starter Pass (https://checkout.ine.com/starter-pass). After learning as much as you can from PTS, you may choose to forgo the PTP course and go straight to the following resources to prepare for the OSCP:

  • Hack The Box - I spent about 2 months doing 25 boxes on HTB (mostly from the TJ-Null’s list). When I got stuck on a box for a few hours, I would refer to a walkthrough for hints, and continue from there without referring to the rest of the walkthrough. After completing a box, I would go through 2 - 3 different walkthroughs on the same box I’ve just completed to learn different attack vectors, since there are various methods to solve a single box. Besides IppSec’s videos, I recommend the brilliant walkthroughs from Rana Khalil and 0xdf, since they explain their steps and rationale clearly. Rana Khalil will also write remediation pointers for each box and 0xdf typically goes beyond attaining root to explore other aspects of the box, which helped me to better understand certain technologies used on the box.
  • The Cyber Mentor’s Privilege Escalation Courses (Windows and Linux) - I found these to be invaluable resources for Privilege Escalation vectors. The Windows course also goes through a few TryHackMe rooms, which were all free when I did them in December 2020. After taking these two courses, I was fairly comfortable in my PE techniques for Windows and Linux. TCM has a 50% off voucher code every month, so it should be 15USD per course after the discount. Alternatively, you can purchase the Hacker/Super Bundle for a lower price per course. Check them out at https://academy.tcm-sec.com/courses.
  • TryHackMe - I have heard great things about TryHackMe but didn’t really try it out much besides the few free rooms I did as part of TCM’s Windows Privilege Escalation course. There is a beginner path (https://tryhackme.com/path/outline/beginner) and Offensive Pentesting path (https://tryhackme.com/path/outline/pentesting) which I believe is relevant for OSCP preparation. Subscription is extremely affordable at £8 a month. Compared to Hack The Box, TryHackMe is more beginner-friendly as each room has hints/instructions to guide you through when hacking a vulnerable machine. Hence, I included it on this list even though I didn’t use it much as I think it can be a great resource for people just starting out. There are also some rooms from TryHackMe featured on TJ-Null’s list of OSCP-like boxes.

Buffer Overflow Resources

The following are Buffer Overflow (BoF) resources I used before starting PWK:

  • The Cyber Mentor’s Buffer Overflows Made Easy - I had zero knowledge of BoF before this, and this free YouTube playlist from TCM is fantastic. I even adapted the Python scripts here for my OSCP exam. Frankly, I think this resource alone would be sufficient (albeit providing just the bare minimum). You can find the playlist here: https://www.youtube.com/watch?v=qSnPayW6F7U
  • dostackbufferoverflowgood - If you’re interested to get a more in-depth understanding of BoF in order to better apply it in a wider variety of scenarios, do check out https://github.com/justinsteven/dostackbufferoverflowgood. Replicate the PDF step-by-step, you’ll learn a lot from this. It also goes through interesting payloads other than the typical reverse shell we normally use.
  • TryHackMe Buffer Overflow Prep room by Tib3rius - I did a few exercises here to solidify my methodology. This room is free so you do not need a TryHackMe subscription to access it. The exercises here are great practice, you can find it here: https://tryhackme.com/room/bufferoverflowprep

Additionally, be sure to attempt the BoF practices in the PWK PDF and lab. You’ll be good to go for the BoF on the exam after doing the above (based on my experience).
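The resources above all teach the same sequence: fuzz until the service crashes, find the offset to EIP with a cyclic pattern, find the bad characters, locate a JMP ESP and assemble the final buffer. The following is an added example written for this review (it is not TCM's script, the TryHackMe room's code, or anything from the PWK course) showing the offline arithmetic behind three of those steps. It opens no sockets: the EIP value, the "stack dump", the JMP ESP address and the INT3 shellcode are all constructed placeholders, not values from any lab or exam machine.

```python
"""Offline helpers for the classic 32-bit stack overflow workflow
(fuzz -> find the EIP offset -> find bad characters -> build the payload).

Added example written for this review; it is not TCM's script nor anything
from the PWK course. Nothing here opens a socket: every input is
constructed, and the JMP ESP address and shellcode in the demo are
placeholders, not values from any lab or exam machine.
"""
import string
import struct


# --- 1. EIP offset from a Metasploit-style cyclic pattern ------------------

def cyclic_pattern(length):
    """Same sequence msf-pattern_create emits: Aa0Aa1...Aa9Ab0... (unique up to 20280 bytes)."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("a pattern longer than 20280 bytes is no longer unique")


def eip_offset(eip_value, length=20280):
    """Offset of the four pattern bytes that landed in EIP.

    The debugger shows EIP as an integer (e.g. 0x42306142); packing it
    little-endian gives the bytes in memory order (b"Ba0B"), which is
    what must be searched for in the pattern.
    """
    needle = struct.pack("<I", eip_value)
    idx = cyclic_pattern(length).find(needle)
    if idx < 0:
        raise ValueError("EIP value not in pattern: did the crash really overwrite EIP?")
    return idx


# --- 2. Bad characters ------------------------------------------------------

def badchar_candidates(exclude=(0x00,)):
    """Every byte value except the ones already known to be bad (0x00 nearly always)."""
    return bytes(b for b in range(256) if b not in exclude)


def first_badchar(sent, dumped):
    """Compare what was sent with the bytes the debugger shows on the stack.

    Only the FIRST divergence is trustworthy: a bad byte often mangles or
    truncates everything after it, so exclude it, resend, and repeat until
    the dump matches. Returns None when the two agree.
    """
    for i, b in enumerate(sent):
        if i >= len(dumped) or dumped[i] != b:
            return b
    return None


# --- 3. Final payload layout ------------------------------------------------

def build_payload(offset, jmp_esp, shellcode, prefix=b"", nop_sled=16):
    """prefix + padding up to EIP + little-endian JMP ESP address + NOP sled + shellcode.

    `offset` is counted after `prefix`, matching how the pattern was sent.
    The sled gives encoded shellcode room to unpack itself on the stack.
    """
    return (prefix + b"A" * offset + struct.pack("<I", jmp_esp)
            + b"\x90" * nop_sled + shellcode)


if __name__ == "__main__":
    # Constructed scenario: the crash left EIP = 0x42306142 in Immunity.
    off = eip_offset(0x42306142)                       # 780
    # Constructed dump: the target turned 0x0a into 0x00, so 0x0a is bad.
    sent = badchar_candidates()
    bad = first_badchar(sent, sent.replace(b"\x0a", b"\x00"))  # 0x0a
    # Placeholder address and INT3 shellcode; real values come from !mona jmp and msfvenom.
    payload = build_payload(off, 0xDEADBEEF, b"\xcc" * 8, prefix=b"OVERFLOW1 ")
    print("offset=%d badchar=%#04x payload_len=%d" % (off, bad, len(payload)))
```

The one thing people most often get wrong is the endianness in step 1: the value Immunity shows in EIP is already byte-swapped relative to what is on the stack, so pack it with `<I` before searching rather than reversing the hex string by hand. In step 2, never trust a mismatch after the first one in a single run; the dump after a bad byte is routinely garbage.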

PWK Labs

Now to get into the meat of this review, the PWK Labs.

I bought 90 days of lab time. As a gauge, while balancing a full-time job, I managed to study approximately 3 - 4 hours a day on weekdays, and 6 - 8h on weekends throughout the 90 days. Hence, I would recommend going for 90 days if you’re in a similar situation.

Disclaimer: I did not do the PWK exercises as I found it too time-consuming to go through all the exercises. Documenting the exercises will earn you 5 points which can make a huge difference between a Pass and Fail on the exam, but I didn’t find the time I’d need to spend on the exercises to be worth the 5 points, especially since lab time is limited. It is up to you if you want to do it though, as you will definitely learn a ton from doing them. I did attempt a few exercises but decided not to continue as I felt that the 90 days could be better spent hacking the lab machines and learning from there instead. I did, however, read through most of the PDF and took notes for areas that I was not familiar with (I alternated between hacking boxes in the labs and reading the PDF whenever I was stuck on a box).

After starting your lab time, I recommend scanning through the PWK PDF to note down the areas you are weak in and spend some time reading through those sections. I personally spent a few hours here before starting the labs.

If you’re not sure which box to start with, I recommend following the PWK Learning Path (https://help.offensive-security.com/hc/en-us/articles/360050473812-PWK-Labs-Learning-Path). These are beginner-friendly machines and there are hints provided if you get stuck. Also, check out the walkthroughs for Alpha and Beta in the OffSec forum; they are extremely detailed and guide you on how to approach a machine, including the thought process behind how to find where the vulnerable services are. I spent around 8 hours on the Alpha walkthrough to fully understand what was going on. This might seem like a waste of time to some who might prefer to move on to other boxes, but I found it useful to grasp the methodology behind tackling boxes in general instead of finding a quick solution to a particular box.

Whenever I found myself stuck on a box for too long I would refer to hints on the forum or ask for help on the Offensive Security Discord. (Side note: I preferred using Discord to the forum as there were many cryptic hints [e.g. “Spiderman’s enemy can help you here”] left by other students on the forum. Some were so cryptic that even after I had rooted the box, I still didn’t understand what those hints were supposed to mean, haha.) As a beginner with limited experience, you do not know what you do not know. By asking for help, you will know what you do not know, and you can then do your own research to fill those knowledge gaps — now, you know what you know. Hence, don’t shy away from asking for help if you find that you have exhausted all your options.

I believe that it’s important to try out as many boxes as you can in order to learn as many attack vectors as possible, rather than getting stuck on a box for a few days and banging your head against the wall with no progress. I learned this the hard way — as I was going through the Learning Path, I got stuck on a box which frustrated me to no end. Despite trying numerous methods to escalate privileges, I was unable to make any headway. I was reluctant to ask for hints as I wanted to try solving it on my own first, but being stuck made me lose my motivation and that led to me procrastinating for a week where I didn’t touch the labs at all. Eventually, I decided to move on first and come back to that vexing box at a later date. Moral of the story: if you find yourself stuck on a box for days, there is no shame in asking for hints so that you can continue progressing (alternatively, if you don’t believe in using hints because it’s not “trying harder”, move on to another box first). This helps you make full use of your lab time and builds upon your existing momentum instead of having to fight against inertia to rebuild your momentum after stopping for a while.

On a related note, the community of PWK students and Student Admins (SA) was extremely helpful. After posting a question on the Discord, it is common to get a response from an SA/fellow student within ~10 minutes. Chatting with fellow students was also helpful as we could trade tips and ideas on how we hacked the boxes differently, so I learnt a few new tricks as well. I still keep in contact with some students even after we passed OSCP, which is pretty awesome.

After completing the PWK Learning Path, feel free to attack whichever boxes are in the Public Network. I just chose an IP at random and started from there. I believe the pdf also mentions using nmap to scan the entire network to look for common ports (e.g. 21, 80, 443) and choose a target with these ports open as they might be low-hanging fruits, which is also a viable alternative.
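One way to act on that sweep-for-common-ports idea without eyeballing a /24 of nmap output is to parse the grepable (`-oG`) format and rank hosts by how many of the "easy" ports are actually open. The block below is an added example written for this review, not code from the PWK PDF; it assumes a scan such as `nmap -p 21,22,80,443,445 -oG sweep.gnmap 10.11.1.0/24`, and `SAMPLE_GNMAP` is constructed data in that format with made-up addresses and banners, not a real lab scan.

```python
"""Pick low-hanging targets out of an nmap grepable (-oG) sweep of the lab.

Added example for this review, not taken from the PWK PDF. Intended input is
something like `nmap -p 21,22,80,443,445 -oG sweep.gnmap 10.11.1.0/24`; the
SAMPLE_GNMAP below is constructed data in that format, not a real scan, and
the IPs/banners in it are made up.
"""
import ipaddress
import re
from collections import defaultdict

SAMPLE_GNMAP = """\
# Nmap 7.91 scan initiated as: nmap -p 21,22,80,443,445 -oG sweep.gnmap 10.11.1.0/24
Host: 10.11.1.5 ()\tStatus: Up
Host: 10.11.1.5 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.3.4/, 22/open/tcp//ssh//OpenSSH 5.3/, 80/open/tcp//http//Apache httpd 2.2.15/\tIgnored State: closed (2)
Host: 10.11.1.8 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, 80/filtered/tcp//http///\tIgnored State: closed (3)
Host: 10.11.1.13 ()\tPorts: 445/open/tcp//microsoft-ds///, 443/open/tcp//https//Apache httpd 2.4.9/\tIgnored State: closed (3)
# Nmap done -- 256 IP addresses (3 hosts up) scanned
"""

# port/state/proto/owner/service/rpc/version/  (nmap writes "|" for "/" inside fields)
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)//([^/]*)/")


def parse_gnmap(text):
    """Return {ip: {port: (state, service, version)}} from -oG output."""
    hosts = defaultdict(dict)
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comments and the bare "Status: Up" lines
        ip = line.split()[1]
        ports_field = line.split("Ports:", 1)[1]
        ports_field = re.split(r"\t|Ignored State:", ports_field)[0]
        for entry in ports_field.split(","):
            m = PORT_RE.match(entry.strip())
            if m:
                port, state, _proto, service, version = m.groups()
                hosts[ip][int(port)] = (state, service, version)
    return dict(hosts)


def low_hanging(hosts, wanted=(21, 80, 443)):
    """Hosts with at least one *open* wanted port, most matches first.

    Filtered/closed ports do not count: a filtered 80 is a firewall, not a target.
    """
    ranked = []
    for ip, ports in hosts.items():
        hits = [p for p in wanted if ports.get(p, ("",))[0] == "open"]
        if hits:
            ranked.append((ip, sorted(hits)))
    ranked.sort(key=lambda t: (-len(t[1]), ipaddress.ip_address(t[0])))
    return ranked


def search_terms(hosts):
    """Version banners of open ports, i.e. what to feed searchsploit / Exploit-DB."""
    return sorted({ver for ports in hosts.values()
                   for state, _svc, ver in ports.values() if state == "open" and ver})


if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE_GNMAP)
    for ip, hits in low_hanging(scan):
        print(ip, "open:", hits)
    print("look up:", search_terms(scan))
```

`search_terms()` only reports banners from ports in the `open` state, since a filtered port's guessed service name is noise; run the sweep with `-sV` so those version strings are populated before searching Exploit-DB.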

My initial goal was to do at least 40 boxes, but I ended up finishing all 70 boxes (this was before Offensive Security added 5 ex-OSCP exam machines in the lab, which is a great addition!). However, I need to stress that there is no point in rushing through boxes and rooting them quickly without absorbing what you are learning. I made it a point to document learning points from each box, so that when I face a similar situation in future, I can refer back to my notes on that specific attack vector/vulnerability that I have encountered before. There is also more than one way to root a box, so after getting root, I made sure to try out other attack vectors as well. This method helped me learn a lot more than if I were to just blaze through boxes and not reflect on why certain methods worked or did not work.

Although the objective of the OSCP exam is to get root, the objectives in the PWK labs are different — there are interesting artefacts to discover beyond root, so make sure you do Post-Exploitation as well. The stuff you find will come in handy for boxes which have dependencies ;) (psst, if you have time on your hands, there’s also a juicy email thread somewhere in the first few boxes you’ll encounter)

Side note: Pivoting to the other subnets was fun — there’s also double pivoting involved for one of the subnets! Although pivoting is not tested on the exam, the lab is a great environment to try your hand at pivoting techniques using different tools (e.g. Metasploit, chisel, sshuttle, or just simply using the ssh command). I found some of the boxes in these networks more challenging and fun than those on the public network, so if you have the time to pivot in, go for it. Just take note that traffic might get slower in these pivoted networks since you’re going through a proxy, but I found that switching from SOCKS4 to SOCKS5 greatly improved the connection speed. I also learnt how to configure Burp to use a SOCKS proxy, which makes life a lot easier when pentesting web applications on the pivoted network.
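For anyone wiring Burp or proxychains to an `ssh -D 1080` listener for the first time, it helps to see the bytes that actually cross the pivot. The block below is an added example for this review, not code from the course or the author; it builds and parses the SOCKS messages offline (no socket is opened) with made-up hostnames and ports. The point it makes: a plain SOCKS4 CONNECT carries only an IPv4 address, so name resolution happens on the attacker's side unless the SOCKS4a extension is used, whereas SOCKS5 can hand the hostname to the pivot to resolve.

```python
"""What crosses a pivot when Burp or proxychains talk to an `ssh -D` SOCKS
listener, and why SOCKS5 (or at least SOCKS4a) is the better choice.

Added example for this review; not code from the PWK course. Messages are
built and parsed offline, and the hosts/ports are made up.
"""
import ipaddress
import struct

SOCKS5_REPLY = {0x00: "succeeded", 0x01: "general failure",
                0x02: "not allowed by ruleset", 0x03: "network unreachable",
                0x04: "host unreachable", 0x05: "connection refused",
                0x06: "TTL expired", 0x07: "command not supported",
                0x08: "address type not supported"}


def socks5_greeting():
    """VER=5, one method offered: 0x00 (no authentication), which ssh -D accepts."""
    return b"\x05\x01\x00"


def socks5_connect(host, port):
    """CONNECT request. IPv4/IPv6 literals use ATYP 1/4; anything else is sent as a
    domain name (ATYP 3) so the *proxy* resolves it, i.e. inside the pivoted network."""
    try:
        ip = ipaddress.ip_address(host)
        addr = (b"\x01" if ip.version == 4 else b"\x04") + ip.packed
    except ValueError:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        addr = b"\x03" + bytes([len(name)]) + name
    return b"\x05\x01\x00" + addr + struct.pack(">H", port)


def parse_socks5_reply(data):
    """Return (status_text, bound_addr, bound_port) from the server's CONNECT reply."""
    if len(data) < 4 or data[0] != 5:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp = data[1], data[3]
    if atyp == 1:
        addr, rest = str(ipaddress.IPv4Address(data[4:8])), data[8:]
    elif atyp == 4:
        addr, rest = str(ipaddress.IPv6Address(data[4:20])), data[20:]
    elif atyp == 3:
        n = data[4]
        addr, rest = data[5:5 + n].decode(), data[5 + n:]
    else:
        raise ValueError("unknown ATYP %d" % atyp)
    return SOCKS5_REPLY.get(rep, "unknown(%d)" % rep), addr, struct.unpack(">H", rest[:2])[0]


def socks4a_connect(host, port, userid=b""):
    """SOCKS4(a) CONNECT: VN=4, CD=1, DSTPORT, DSTIP, USERID, NUL.

    Plain SOCKS4 has nowhere to put a hostname, so the client resolves it
    locally (DNS leaks, lab-internal names fail). SOCKS4a sets DSTIP to
    0.0.0.x and appends the name after the userid for the proxy to resolve.
    """
    head = b"\x04\x01" + struct.pack(">H", port)
    try:
        return head + ipaddress.IPv4Address(host).packed + userid + b"\x00"
    except ipaddress.AddressValueError:
        return head + b"\x00\x00\x00\x01" + userid + b"\x00" + host.encode("idna") + b"\x00"


def socks4_granted(data):
    """SOCKS4 reply is 8 bytes: VN=0, CD=0x5A on success."""
    return len(data) >= 2 and data[0] == 0 and data[1] == 0x5A


if __name__ == "__main__":
    # Constructed exchange: client asks for 10.11.1.5:80, pivot says success.
    print(socks5_greeting().hex(), socks5_connect("10.11.1.5", 80).hex())
    reply = b"\x05\x00\x00\x01" + ipaddress.IPv4Address("10.11.1.5").packed + b"\x00\x50"
    print(parse_socks5_reply(reply))
    print(socks4a_connect("intranet.lab", 443).hex())
```

In proxychains terms this is the difference between a `socks4 127.0.0.1 1080` line (local DNS, unless `proxy_dns` rewrites it into a SOCKS4a-style request) and `socks5 127.0.0.1 1080`; Burp's "Use SOCKS proxy" option has a matching "Do DNS lookups over SOCKS proxy" checkbox for the same reason.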

Overall, I learnt a lot from the PWK labs, mostly due to the many different attack vectors and types of boxes available. I also got used to the typical methodology — nmap scan, find vulnerable service versions, search for exploits on Exploit-DB/GitHub, tweak the exploits and fire them off, get a shell, do privilege escalation, root. I will say though that some machines are pretty old, so the privilege escalation vectors for these old machines were mostly kernel exploits. Another factor which contributed to my learning was the 90-day time limit which propelled me to go through as many boxes as I could. There were a few times where I would look back on the boxes I did in the past week and be surprised at how much my knowledge grew in that 1 week. At the end of the PWK labs, I was ready to move on to Proving Grounds (Practice).

Proving Grounds (Practice)

After the PWK labs, I spent 1 month in Offensive Security’s Proving Grounds (Practice). It costs 19USD per month and I think the price is worth it due to two reasons:

  1. Each user gets their own isolated environment. Say goodbye to the days of encountering boxes littered with exploits/files from other users.
  2. Newer boxes.

I found PG Practice to be an excellent resource. Most of the boxes here are newer so you can practise various PE methods, rather than using kernel exploits (especially for Windows). I also encountered new technologies/web applications here, which widened my repertoire of attack vectors. During my 1-month subscription, I did 15 boxes, most of them from the TJ-Null list which was recently published in April 2021 (https://docs.google.com/spreadsheets/u/1/d/1dwSMIAPIam0PuRBkCiDI88pU3yzrqqHkDtBngUHNCw8/htmlview).

Doing these boxes after my time in the PWK lab really helped me solidify my methodology and get a feel of how OffSec designs their boxes. I specifically chose to do boxes which were created by OffSec and were recently released; these are the ones published after August 2020 (a significant portion of boxes have a release date of August 2020 since that was when the platform went live; it doesn’t necessarily mean that these boxes were created in August 2020). You can check the box creator and date of release by hovering your cursor over the box name.

In terms of which platform is more beneficial for the OSCP exam, I have to say I preferred PG Practice to the PWK labs due to the more stable environment and newer boxes. The platform also provides a certain number of hints per day, which helped nudge me along. If you run out of hints for the day, you can also ask for help on the OffSec Discord (although responses are much slower since there are no Student Admins for PG). Additionally, each box is standalone, which is similar to the OSCP exam. I also learnt a ton from PG Practice despite only doing 15 boxes. That said, the purpose of PWK labs is more on providing exposure to a larger variety of techniques, e.g. pivoting to internal networks, post-exploitation, executing client-side attacks (I don’t think PG Practice has these but I could be mistaken).

Hence, I highly recommend trying out Proving Grounds (Practice) before taking the OSCP exam.

OSCP Exam Experience + Report Writing

In this section, I will be sharing my experience during the 24h exam itself and the report writing portion afterwards.

TL;DR I managed to get 70 points within 9 hours (including breaks). I started with the BoF, then the 25-point machine, and finally the 20-point machine. After compromising these 3 machines, I went through my notes again and made sure I had every screenshot needed in order for the assessor to replicate my process step-by-step. The next day, I spent 12 hours writing the report.

I scheduled my exam to start at 9am. The proctoring began at 8.45am, which consisted of sharing all screens and showing the proctor the room I was in, including the door. I also had to provide the proctor with a few details including my host machine OS version, browser version, and external IP. In the end, I only managed to start the exam at 9.20am since more time was needed for the proctoring to be complete, so do be prepared that you might not get to start your exam on the dot.

First, I ran a scan on the 25-point machine using nmapAutomator (any auto-enum tool will do, or simply nmap on its own). After making sure the scan was running, I started with the Buffer Overflow machine. It took about 1h 20 min to finish the BoF box, as I was taking screenshots of literally every step I did… and I mean every step, even the most mundane ones such as attaching the exe in Immunity Debugger (not sure if that was needed but better to be safe than sorry!). The BoF was pretty straightforward, there were no twists to it, so practising BoF until you are familiar with each step pays off. After being done with BoF, I checked if the scan for the 25-pointer had completed. I then started scanning one of the 20-point boxes and took a 10-minute break to recharge.

Next, I started working on the 25-point box, which had a good number of ports open. After poking around on a few ports, I decided to go for a quick lunch. The 25-point box was pretty fun actually. Obviously I can’t share any details but once I eliminated the rabbit holes and found the vulnerability, everything worked smoothly. I found it fun as I had not utilized such a method for the initial foothold before, so as always, think outside the box. Privilege escalation was manageable too. After rooting the 25-pointer, 5 hours had passed since I first started the exam, which means I took around 2.5 hours (excluding breaks) to root the 25-pointer. At this point, I felt quite relieved as I had heard horror stories of others not being able to get a foothold on any of the boxes, so I almost couldn’t believe that I already had 50 points. I decided to take a 20-minute break.

After coming back from the break, I worked on my 3rd box, the 20-pointer. There were also a number of rabbit holes here but after thoroughly exploring each port, it was obvious where the intended path was. I was struggling here as it was a technology/service I had zero experience with, so I took quite a number of hours to figure out how it was supposed to work. After figuring out its features and vulnerabilities, I was able to get a shell! I was excited at this point as I knew that the passing score was within reach. Privilege escalation was a walk in the park for this box; all the prior PE preparation had paid off.

At this point in time, it was 6pm and I had obtained 70 points after 9 hours. I was honestly in disbelief at obtaining the passing score on my 1st try (before taking the exam, I was so sure that I would fail and was jokingly telling peers that I would have to schedule a 2nd attempt). Since I technically had sufficient points to pass, I decided to take a break and went for dinner. After coming back, I started writing an outline of the report and made sure every important screenshot had been taken — I would not allow myself to fail just because my report was lacking. There were a few screenshots which could be improved upon so I retook some and ensured that it fit into the attack narrative.

It was around 9.30pm that I decided to try my hand at the 4th and 5th boxes. Unfortunately, nothing I did worked. I even used my one Metasploit attempt and tried different payloads and played around with the advanced options, but nothing came back. I was alternating between the 4th and 5th box and trying everything I could think of at this point, getting increasingly frustrated at the lack of progress. It was 1.40am when I finally decided to end the exam as I was beyond exhausted and had a headache. I told the proctor to end my exam VPN and decided to be content with the 70 points. A pass is still a pass after all.

I started writing the report the next day and thought that it would be a breeze since I already had all my screenshots, so I naively assumed that it would take at most 3 hours. How wrong I was. I ended up taking around 12 hours writing the report, making sure that the report was detailed enough for another person to replicate it step-by-step with the relevant screenshots. Yes, it was a bit of an overkill being 120 pages for just 3 boxes, but it gave me peace of mind that I was being as detailed as possible, since that would decrease my chances of failing. That said, my report was mostly filled with screenshots and exploit code in the Appendix for further clarity, so your report does not actually need to be that long. Before submission, I read through the PDF version of the report to double check and ended up having to revise it 5 times, since I spotted a mistake every time I checked, which was incredibly frustrating. By the time I submitted the report, it was 1am and I was ready to put this chapter behind me.

Results Day

The email from OffSec came pretty quickly. I submitted my report on 3 May at 1am and received my passing email from OffSec on 5 May at 2am, so a big thanks to the assessors from OffSec for their efficient grading process. Even though it only took 2 days, it was an agonizing wait where I was checking my email every hour or so.

Side note: I received my physical certificate recently and this OSCP card came with it, which was a pleasant surprise!

General Tips

  • If you use tmux, I recommend using tmux’s logging plugin (https://github.com/tmux-plugins/tmux-logging). This is helpful in case you forget to take a screenshot and the exam VPN has ended — no worries, you can refer to your logged tmux output and screenshot from there as a last resort.
  • Not familiar with tmux? Check out IppSec’s tmux tutorial — I learnt everything I know about tmux from here (https://www.youtube.com/watch?v=Lqehvpe_djs). Even though this video is from 2017, I still found it the most useful out of all the other tutorial videos I watched. Using tmux helped me to be more efficient when navigating the terminal, and its logging capabilities are an added bonus.
  • Don’t be afraid of rabbit holes. When I first started HTB, my favourite boxes were the ones with only 1 or 2 ports open as it was obvious where the vulnerable service was located. However, things will not be so clear cut in OSCP or an actual pentest engagement. Searching through rabbit holes trained my patience, and after practising on many boxes, I developed an inkling as to which services were designed to be rabbit holes, and which were the more interesting ones to focus on. Hence, I would recommend trying to embrace the rabbit holes. Think of them as extra learning material, since you may encounter a new application you have not seen before on these “rabbit hole” ports, and learning about this new application will increase your overall knowledge.
  • Note-taking is crucial due to the vast amount of techniques and commands in existence; it is best to take notes in a way that would allow you to efficiently locate what you’re searching for. I was as detailed as possible when writing notes on each box, so that I will still be able to understand it if I read it again a few months later. I also compiled a master list of boxes and summarised learning points and key techniques for each box. As such, if I want to refer to a specific technique, I can just use Ctrl+F to search for it in the master list and refer to the relevant box in the other document to get more context. For example, if I need to refer to notes on how to carry out DLL Hijacking, I can search for that term in the master document → this will point me to the box where I utilised DLL Hijacking → I can then refer to my notes on this box which will walk me through how to carry out the attack.

Exam-related Tips

  • Before exam day, read the proctoring FAQ to familiarise yourself with the proctoring procedure. It gave me peace of mind (I mistakenly thought that every time I went for a break, the VPN would disconnect → this is false.)
  • Take plenty of breaks during the exam. I took around 8 - 10 breaks during the first 9 hours, including meal times and toilet breaks. Breaks can be as short/long as you want, as long as you let your proctor know beforehand that you’re going on a break.
  • Read through the exam panel carefully, as it details which machine is the BoF machine, which is the lab machine, and which are the other 4 vulnerable machines. Note down the amount of points each box corresponds to so that you can map out which boxes you want to attack first. The shortest path to 70 points is to do the BoF machine (25 points), the 25-pointer, and a 20-pointer.
  • For the report, document every command run that led you to root, such that the assessor can replicate your report step-by-step on the same box and attain root as well. Make sure to include the relevant screenshots including local.txt and proof.txt with the accompanying IP address. It would be a huge pity to fail the exam just because you missed out on a screenshot. Refer to the Exam Guide for more details: https://help.offensive-security.com/hc/en-us/articles/360040165632-OSCP-Exam-Guide
  • I believe that OffSec is not looking for a typical penetration test report for OSCP. What is more suitable here is to write an attack narrative, with recommendations on how to patch vulnerabilities you encounter for each box. I adapted my report template based on the following 2 guides: https://help.offensive-security.com/hc/en-us/articles/360046787731-Penetration-Testing-with-Kali-Linux-Reporting and https://github.com/whoisflynn/OSCP-Exam-Report-Template
  • During the exam, if you find any information that is remotely interesting, Google it. You never know what you might find.
  • I’ve read this before in other reviews and will reiterate it here: 24 hours is more than enough time, so think through each step carefully. Follow the same methodology that you have honed over your months of practice and slowly work your way through. Rana Khalil puts this succinctly, “you will run out of ideas before you run out of time”. Do not rush!

Personal Takeaways

After spending months in HTB/PWK/PG, the biggest and most sobering takeaway I had from this journey is that there is always uncertainty when facing a new technology/vulnerability you haven’t come across before. Hacking is not simply going through a checklist of possible attacks. I’ve learned that there is no guarantee that a particular exploit will always work for vulnerabilities of a similar nature; hacking entails a great deal of trial and error, pushing through the uncertainty that the exploit may not always work. It took me a painfully long time to adopt this mindset, and I realised that only trying things that are for sure going to work is, ironically, not going to get me far in this field.

Another important point is that your worth is not dependent on whether you pass OSCP. Honestly, passing the exam takes a combination of skill and luck. I still think I was fortunate enough to get boxes that I was able to solve. If you fail the 1st time, try again. If you fail the 2nd time, try again. If you fail the 3rd time, try again (you can write a loop for this). Regardless of how many attempts it takes to pass, simply preparing and studying for the OSCP is a feat on its own — it takes perseverance and discipline to keep going at it, and the amount of knowledge gained is huge. I also have to stress that getting the OSCP does not equate to being a good pentester; real-world pentesting is a whole different ball game as compared to hacking intentionally-vulnerable boxes in a lab environment.

This review went on much longer than expected but I hope it was helpful. Feel free to reach out to me on LinkedIn if you have any questions or would like to connect. Cheers!
