My thoughts on the OSCP exam

2024-06-18

I’ve shared this before on reddit, but I wanted to put it in a more permanent place for me. So here is my experience of the OSCP course and my thoughts on the exam. Now also enhanced with GIFs!

Previous knowledge

I’m a Linux system administrator and have been doing that for about 8 years. For previous penetration testing experience: I did the Jr Pentester path at Tryhackme during the Covid lockdown (2021). I also looked at HTB, but I didn’t like the fact that the boxes were shared with others. After that I had a look at THM every couple of months, but didn’t really devote much time to it.

I did find it all very interesting though, and I also felt that it would help me in my work of configuring servers securely. If you know how hackers think, you can stop them. That’s why I wanted to go into more depth and booked the OSCP.

So, to sum up, I had some prior knowledge but no practical work experience.

The course

I booked the LearnOne package at the end of March to give myself enough time to study. It took me about 4 weeks to go through the course content at about 15 hours a week. I completed 100% of the modules. Then I started the labs. I did Medtech, Relia, OSCP-A, OSCP-B with a few PG Practice boxes in between. This took me another 4 weeks.

[GIF: Yoda is learning]

Now came a period where I had a lot of time. I was able to work on the labs pretty much full time (about 40 hours/week) for 2 weeks. I did Skylark, OSCP-C and some more PG Practice boxes in between. It really made me feel like I was in the right place. I felt I had all this knowledge in my head at that point, so I booked the exam, one day in advance.

I ended up doing all the challenge labs and about 20 PG Practice boxes. I was a bit scared because others do a lot more PG Practice or other stuff like VHL, HTB Academy, HTB Networks, … and still fail, but I had 2 exam attempts anyway, so why not just try.

Exam time!

I booked the afternoon start time (15:00). Obviously I can’t say anything about the exact content of my exam, but I started with AD. The foothold was tricky, but I think I was lucky to find it very quickly. After that it was smooth sailing. It took me 2 hours to complete it. I felt pretty good after that. I took a 15 minute break and mentally celebrated my victory.

Afterwards I started on the first standalone machine. I got the foothold relatively quickly, but couldn’t find a way to escalate privileges.

I then went to the second standalone. Couldn’t find a way in. So on to the third standalone… no way in there either.

After feeling so good just a short while before, I now started to feel really worried.

“I have the AD set and 1 foothold. 10 bonus points. 60 points… 10 points too few. I’m going to fail here.”

[GIF: desperate Stitch]

I moved back and forth between the three machines, but felt stuck. I took a few short breaks in between, as is often recommended.

Then I had an idea for a privilege escalation on the first machine, and it worked. That was a huge relief. After 6 hours in I had a passing score.

[GIF: Thumbs up]

At this point, I wanted to make sure I didn’t mess up, so I started with the documentation. I hadn’t practised this before in the challenge labs and that turned out to be a mistake. I don’t have Windows or Office on my PC, so I used the LibreOffice template from Offsec. It was such a pain. Nothing worked. The text spacing was all over the place. It was almost impossible to insert images because the text always moved behind them.

I wasted about an hour with LibreOffice and then started looking for other templates. I ended up with the SysReptor template and really liked it. I chose the self-hosted version as I didn’t want my exam information to be in some cloud. Using Markdown made the documentation really easy.

I reset the machines and repeated all the steps, taking screenshots along the way. I really think this is the better way. If I had documented everything I tried before in the same way, it would have taken much more time.

2 hours later I had all the documentation in order. My mind was at peace and I could go to sleep (24:00).

[GIF: Cat in bed]

I didn’t set an alarm and woke up around 7:30. While trying to sleep, I had some ideas about what to try for standalone #2 and #3. One of those ideas turned out to be good and I got a foothold on standalone #2. Breakfast, then privilege escalation on #2. Then foothold on #3 and privilege escalation. What? That was it? All done? And I had so many doubts yesterday?

I reverted all the machines, redid all the steps for the report and was completely done by 12:00. 110 points and report done. I ended the exam 3 hours early.

3 days later I got the email confirming that I had passed.

[GIF: Hackerman]

A few thoughts

Hints

I see a lot of people in the Discord asking for hints who didn’t really put much effort in. For Medtech and Relia I can understand that. You need to learn the concepts. Starting with OSCP-A, try not to rely on hints that much. If you are really stuck for multiple hours, get a hint. For OSCP-B and C, try to really use them as a test run for the exam. If you are stuck, move to another machine. Think about it and come back to it. Look closely at your enumeration again. Check your notes for things you may not have tried yet. Check every open port. See how many points you can get without hints. This should tell you if you are really ready for the exam.

TJNull’s list

I’m not a big fan of TJNull’s list. Some of the boxes on that list are simply out of scope. There is always a lot of talk about the “try harder” mindset. As I understand it, “try harder” means the ability to overcome problems. But there is a limit. In my opinion, it is a disadvantage if you cannot solve the machine because you lack the basic knowledge (because it goes beyond the course). If you want to do “volume” and do a lot of boxes, take a look at LainKusanagi’s list. As far as I can see, he has removed the stupidly difficult ones.

After I shared this, I was actually contacted by TJNull. He removed the machine I had a bad experience with from the list, as it did not teach anything valuable for OSCP. So I can say that he is at least constantly working on this list, and I will partially retract this statement for now.

Skylark

A lot of people skip Skylark. Skylark is a much better exercise than most of TJNull’s list. Really. Do it. The main difficulty (and why the course material says it is beyond the course) is the size. You can ask on Discord where to go next and if you need information from a machine you have pwned.

Report

Really do a practice report in the challenge labs. For example, for OSCP-C, do it as you would in the exam. Go back, do the steps again and document it with screenshots. I didn’t and regretted it. It would have saved me a lot of trouble.

What is next?

I’m not really sure. I might do CPTS, but at a veeery leisurely pace.

I think I’ve learnt a lot for my current job, but I can’t really see myself moving into pentesting or red teaming. Although I enjoy it, I think I’d have to take quite a pay cut to move into a pentesting role. So it is more of a hobby at the moment.

Was it worth it?

I have learnt a lot for my current job. Whenever I configure a new service, there is now often a voice in the back of my head saying “hmmm, I wonder if this could be abused”. So even though pentesting is more of a hobby for me, I think the OSCP has taught me some valuable things.
