Hello amazing hackers! I am really happy to see you here because I was afraid to write this article. I do not want to boast, and it feels like boasting when I say this, but I passed my OSCP exam the first time around with all but 1 flag found and I had no prior hacking practice. Here’s how I did it!
OSCP or CEH?
I want to start off by prefacing this by saying no certificate has my preference; I think they both have a valid field of applicability.
I always wanted to get into cybersecurity and one day when browsing the internet I came across an indie bundle on cybersecurity books. For those of you who don’t know, indie bundles are where you pay what you want for the bundle and receive a certain amount based on how much you pay. There are more complexities but they are not for this article. I bought the bundle and got about 25 cybersecurity books on things like web hacking, such as The Web Application Hacker’s Handbook, which I really enjoyed reading, but I did not understand any of what they were saying. The bundle also contained the CEH v9 e-book which was a blessing in disguise for me.
I was working at a bank at the time and we had a pentester that we hired regularly. I asked him what I had to do to get into hacking and if I should go for CEH as it seemed nice and entry level, but he told me that for what I wanted to do, OSCP would be a better solution. You have to prove yourself in a gruelling 24-hour exam where you have to hack 5 machines, he told me. That exam thing stuck with me for the rest of the course. It seemed like a massive wall I had to climb with no ladder in sight, but I am not a rat that gives up easily.
OSCP it is!
I am someone who does things well when he does them, or I stop doing them if I can’t do them well enough. If I do something I go all out, so I went to my boss and I asked him if it would be possible to follow this training and try for the certification. My boss did not like my idea however. He loved it! He is all for self-development and he knows how much I like to learn new things and new disciplines even, so we booked the 90-day option and then it began.
I decided to not do any preparations for it as I had quite a few years in general IT experience at this point and I am not someone who can look at learning matter more than 1 time. If I see something new and I learn about it online, I will be less motivated to study properly in the course. This might have been a good idea or it might not, you know yourself the best. Do you want to prepare or let it come to you? That’s up to you, but you are also the only person to thank if you pass or fail. That is a sentiment I carry heavily; us being responsible for learning is a whole new world. We don’t learn well on our own unless we have a very specific goal, and of course OSCP is a specific goal; it’s up to you to determine the value of that goal in your life and how you want to handle it. I can only tell you my story.
I went into the course totally blind. I looked at the syllabus before and it seemed okay, but you never know until you actually get started. It started out quite calm but I noticed they had a “try harder” mentality on many different aspects. I looked up a lot of information myself, which is good because we need to learn how to google, but on the other hand I wish they would have included all the information we had to know about in the course.
I learned a whole lot in those first few days. I went through the videos first and got about 10 videos in before I wanted to really try it out, and I am not a very patient guy. I want to get into the action right away, but of course I failed miserably at my first attempt. I did an nmap scan of the entire network and put down my results into a OneNote notebook.
I went about it very diligently but I could not find anything with the few issue types I learned about at that point, so I went back into the videos and I took very notes which I never used again.
I learned a bit more this time around and I went back over the notes I took about the network. I found several interesting things that they talk about in the course, like SMB and anonymous FTP server access. I was even able to abuse some of them to gain a reverse shell, like the anonymous FTP which I abused to upload a reverse shell. I then opened it via the web browser because they had a website running as well. This boosted my ego like crazy and I felt like a genuine hacker who just managed to hack his way into EvilCorp to destroy their evil ways of business!
As you can imagine, I hit a wall very soon. Open FTP servers only get you so far after all. I had to get back to the course and learn more, but I am the kind of person that gets bored easily. I spent 8 hours a day working and spent 4 hours after that learning OSCP. In the weekends I spent 8 hours in total learning and I had 10 days from work that I could spend learning as well. All of this is a lot of time it may seem, but I more than needed it. After a while of learning I wanted to hack more but I knew I was not there yet. I just needed that little push.
Don’t look at the forums!
At this point I want to bring up the forums. They contain tips posted by the community on the lab machines but they never had a full explanation except for 1 machine which was provided by OffSec. Many people tell you to avoid these forums but I will not do that. I used them extensively and it is how I learn, but I do ask you to take a critical look at yourself from the perspective of an outsider and honestly define how you learn. And I do mean honestly, because it is really easy to deceive ourselves.
I looked at the forums a lot and they gave me the little push that I needed. I spent the remainder of my 40 days in the labs trying to hack and root machines while I googled like crazy and used the course as a sort of mini-google that I could search through. I did not root a lot of machines in the end but that’s okay because I learned a ton and I needed to learn a little bit more on my own.
In comes the W0lfP@ck. If you guys are reading this, my heart goes out to you! These guys took me in when I was looking for people to learn more about OSCP with and we teamed up on tackling HTB machines. We did this for several weeks and we went all in. I can highly recommend getting a hacking buddy to hack with. Don’t know how? Just ask everywhere that you can! For me, I found my group on the OSCP subreddit so that might be a good place to start with.
24 hours of madness
Let’s talk a little bit about my exam preparation now. A lot of people ask me how I prepared for my exam and I just wanted to see if I could have 5 machines in 24 hours, so I took a subscription on Hack The Box VIP for 1 month and started to compose a list from TJnull’s OSCP playlist which would resemble the OSCP config. 2 medium machines, 1 hard machine, 1 easy, and I left out the BoF machine because I was pretty sure I could nail that easily.
Since these machines are all old, you can easily find how difficult they are online.
I simply tried my best to hack all machines in a 24-hour exam and tested my strategy out to fine-tune it. I failed miserably but I learned a lot about what was missing from my repertoire and I started working on that. My weak points were and still are Windows priv-esc and the fact that I was overthinking things. My strategy however still felt valid so I did the same thing over again. This time my technical skills were more fine-tuned so I could fully focus on how I would handle the exam.
I’ve talked a lot about my strategy now so here it is. I start with the medium 20 point boxes and I go on until I get stuck, at which point I move on to the next thing I want to investigate. Remember that OffSec can’t require too complex exploits since they still have to make it doable for everyone to hack 5 machines in 24 hours. With this in your mind, you should be able to avoid rabbit holes that are too complex to seem valid. When I got a flag or got stuck I took a break, and there were a lot of breaks. I need to let my subconscious work on the information that I found. That being said, it’s important to enumerate everything. I mean everything. Every single port, not just the top 1000 that nmap scans by default and not just the TCP ports. Your gold may be hiding on an unconventional UDP port.
If I get really stuck and I have no other avenues to investigate, I start to feel down. This is exactly why I saved the BoF and the 10 point box for when I needed them. You know that feeling when you finally get a foothold and a flag. That feeling makes you think better. I believe that OSCP is more a test of character than a test of skill. Again, the exploits cannot be too hard because of the time limit, so I think you are your own worst enemy here. You determine whether you pass or fail but you have to believe in yourself. Can you solve several HTB machines? You are probably overqualified but you need to stop doubting yourself. Doubt is the enemy of success is something I have noticed and you will need to convince yourself you are good enough for this. Get a hacking buddy if you can. My hacking buddy cybertuna helped me through some tough times and I miss hacking with him from time to time. Our nightly sessions are what contributed immensely to my success, there is no doubt about that.
My 25 point machine I saved till last with the fact in my mind that I could use Metasploit one time. Funny thing is that I totally forgot to learn about Metasploit so that was kind of useless on my exam. The previous machines had given me enough confidence to get a foothold on this machine by thinking about this machine’s scan results in the back of my mind this time around, so I felt ready for the exam.
24 hours left before the 24 hour torture
I booked my exam and as the time neared, I felt less and less confident in my own skills. I am a very emotional person and I had taken it upon myself to not do anything OSCP related 24 hours before my exam so I could clear my head, and I think this helped a bit. I spent the day doing my normal routine until about 10 hours before the exam, where I peacefully went into my car and cried like a little baby. If I don’t let these feelings out, I know they will come back to bite me.
The exam itself went pretty bad to be honest. I am not a smart man; a few days before the exam I lost my ID card and of course you need that at the exam. I had a replacement document from the police but that was only available in Dutch and the OffSec team could not read it well. They translated it, so I have to give full props to my proctor and the OffSec team for going out of their way to get me into the exam. They verified the document and I could start my exam with an hour of time wasted.
I unfolded my routine like I practiced and while I doubted myself a few times, I reminded myself that I was racing my buddy for flags on live HTB machines a few days ago and that they could not ask too complex things, and I got through the exam with everything done except for rooting the 25 point machine. The moment I got a foothold I was 20 hours in and I knew I had enough points, so I told my proctor I wanted to end my exam and I fell asleep the moment my head hit the pillow. The next day I wrote my report and sent it in. The wait began.
I checked my mailbox every hour after sending in the report and every email that I got made me jump. After a few days I finally got the word that set me free from anxiety.
I tried harder.
Thank you so much for reading this, amazing hacker! It was a blast to write and grab those memories back from a long forgotten place. My memory is not the best so whenever I can think about the past I do not pass up on the chance. OSCP has been an experience that allowed me to form myself into what I want to be and I think that’s exactly what it should be treated as. It’s a show of skill, a show of time management, but most of all a show of character. I hope to see you soon <3.