A few weeks back I took the OSCP exam and wanted to put together a post about my experiences along with some links to resources I found useful.
I’ll begin by saying this was without a doubt the toughest exam I have done and probably the most stressful!
I began the OSCP/PWK course back at the end of September 2020 and signed up for 2 months of lab time. I originally scheduled the exam for Jan but ended up pushing it out to March as I had pretty much burnt myself out in the run-up to Christmas.
Part of this burnout was due to my (now previous) job role, and the rest was trying to do this course alongside a full-time job as a single parent to 2 young kids. If you are wondering whether to do the PWK course: whilst it is very rewarding, it is also intensive and will require a significant investment of your time unless you are already doing this stuff as a career.
Offsec are rightly very strict about disclosing any details of the exam, so I obviously won’t be able to talk about the specifics, so don’t ask!
After reading a heap of posts about other exam experiences and approaches I decided I’d approach the exam with the following strategy:
- As it takes a while to enumerate a machine fully, I might as well focus on the higher-point machines and reach 70 points (the passing mark) as quickly as possible. This meant I’d attack the buffer overflow (25pt), then another 25pt, followed by whichever 20pt looked easiest
- I would begin with the Buffer overflow machine and run scans on the other machines in the background to make good use of time
- I created a Word doc for each machine and I’d write the steps and paste the screenshots in as I went along to hopefully avoid missing anything
- If I got stuck for more than 2 hrs I would rotate to another machine – from my lab experience, it’s very easy to get stuck on something that is not going to work
- I put together a OneNote notebook of approaches for different ports/services and common commands that I would work through. It’s very easy to forget to test something, especially under the stress of the exam
Of course my day ended up quite different to my original plan and went like this:
7:30 – I set up the proctoring software and wait nervously for the exam connection details to arrive. Setup was straightforward and once running you don’t really notice it. It is worth noting that you do seem to occasionally need to click the proctoring window, otherwise they’ll ping you to get you to share your camera again, which is a bit distracting if you are in the middle of stuff
8am – VPN Details arrive and exam begins! I start on the buffer overflow using my pre-prepared scripts and approach. I kick off scans for the other machines
10am – Buffer overflow done and documented. I’m feeling good. In practice I got the buffer overflow process down to around 20 min in the TryHackMe room, but it takes longer in the exam to do screenshots etc. I double check I have everything I’ll need for the report. I look over the scans for the other machines and continue with my strategy of approaching the higher value machines first
12:00 – Hmm, I’m not making much progress on the 25 pointer, so I decided to take a look at one of the 20pt machines, opting for the one with fewer services running.
13:00 – I got some lunch and had a walk around outside for 20 min to clear my head. I’m already feeling quite tired from 5 hours or so of this and the stress of the exam, with only one machine complete.
I continue and decide to take a look at the 10 pointer to hopefully get a quick win and some of my confidence back. This unfortunately doesn’t happen and I’m unable to make any progress on what I’d expected to be the easiest box points-wise, which is, er, really discouraging ☹
15:00 – Really starting to feel pretty down about the lack of progress as I had hoped to complete a machine by now. Starting to wonder if I’ll end up chalking this whole exam up as a learning experience. I decide I’ll probably call it a day if I haven’t got any further by 20:00 (12hrs into the exam)
16:30 – Finally some progress on the 25 pointer and I obtain low privilege access. Also realise I could have had this in the morning if I hadn’t made a dumb mistake... !#$@
17:30 – Yay, full access and 25 pointer done. Hmm, I start to feel a bit better as I “only” need another 20pts to pass, which seems achievable in 12hrs
18:00 – Get some dinner and watch a bit of TV to clear my head
19:00 – Try one of the 20 pointers for a couple of hours
20:00 – No luck on 20 pointer so switch to the other
20:30 – Yay low priv shell on 20pt!
22:00 – Root access and a sigh of relief as I now theoretically have enough points to pass 😊
23:00 – I double/triple check my notes and make sure I have a heap of screenshots. I find I’m missing a couple of steps, so have to do them again, grrr
23:30 – Go back to the 10 pointer – why is this so damn hard?!
01:00 – Get a really crappy 3 hours or so of sleep. I’m quite wired at this point from the stress and excitement of the exam (and a few cups of coffee and cola)
05:30 – I wake up and have another go at 10 pointer with a few other things I thought to try
07:00 – Last check of notes, tidy up some items
07:45 – Exam ends. I’m actually quite glad about this as I don’t want to look at any more machines, do any more labs etc.
I then went and took a walk to get a big coffee and treated myself to a big almond croissant 🙂
I have to write a lot of reports and proposals in my role so this is probably a strength for me.
During the exam I had been writing up the machines as I went along in separate Word documents. This makes it easier to edit each individually before pulling them into one report.
I decided to use the Offsec official reporting template as I figured this would make it easier for them to mark and would definitely contain everything they want to see.
I spend the next 6-7 hours or so writing up the report and double/triple checking I haven’t missed anything and that the format, filename etc. are correct – I’d hate to screw up some minor detail now!
Finally I submit the report. I am absolutely exhausted, and I’m pretty wrecked the next day as well, but luckily I have taken it off.
Then, just under 48hrs later, I get the confirmation that I have passed 😊
- Don’t give up – I really very nearly decided to call it a day after making little progress for 8 or 9 hours but ended up passing. Stuff can come together really quickly once you find the “thing” and this could be just around the corner.
- For the Buffer Overflow, create fuzzer/overflow scripts prior to the exam and practice the approach several times on the TryHackMe room or DoBufferOverflowGood (see below). These 25pts are likely to be the easiest points you’ll get on the exam
- Doing the buffer overflow machine first with scans running in the background seems a good approach to make good use of time
- I’m not sure whether beginning with 25pt was a good idea or not. It was quite disheartening not to make any progress for a while and put me in a negative mindset which I suspect made finding stuff more challenging
- The points value of a machine may not reflect its difficulty – I’d love to know what I was doing wrong with the 10pt machine!
- Don’t underestimate the impact that exam stress and tiredness will have on you. I suspect I wouldn’t have struggled with some of these machines outside of the exam environment
- Take lots of breaks to clear your head. The exam is very tiring and this is a marathon not a sprint. You have plenty of time
- Don’t plan on doing much after the exam – you’ll likely be exhausted. I’m, er, not sure whether the 48hr exam format is a great idea health-wise tbh
- Screenshot everything and leave shells open with a big history. I had to go back and get some pics of items I had missed as I had closed shell terminals, which wasted time
- Double check everything – you don’t want to find you have missed a key screenshot
The PortSwigger labs are actually intended as the 3rd edition of the book (to make it easier to keep up to date), and whilst the book was published a while ago it still contains some very relevant content. It will be a great reference for years to come, so I have a hard copy of it.
I have a play project I am working on to create a deliberately vulnerable .NET Core app that I’ll post more about shortly.
- Get comfortable with debugging stuff and using tools such as tcpdump, Burp etc. IppSec has some great examples of this in his videos and it will help you understand what’s really going on. Note how he’ll start with the simplest thing to check if it works, before expanding to something more complex to check connectivity, before finally trying things like a reverse shell
- Don’t rely on Metasploit when practicing. Remember that in the exam you only get to use this awesome tool on one machine
- What is your weak area? For me it was Linux skills and privesc so I focussed on these. After you’ve done so many labs and have the approach nailed down you are probably better off focussing on weaker areas rather than doing yet another machine
Below is a list of resources I found useful for preparing for the exam:
- IppSec HTB videos. I tried to watch two of these a week and learnt a heap of techniques, approaches and Linux tips and tricks. Highly recommended, and they are quite entertaining at times as well
- Rana’s HTB machine writeups. Rana’s walkthroughs are really detailed and I read every single one prior to the exam.
- HackTricks book. This is really detailed and covers a lot of material, including stuff to try on each port/service
- Proving Grounds. Make sure you do the paid one (Practice); the machines are fairly similar to the lab. I liked that after 90 min these provide optional tips for scanning, initial foothold and privesc, through to a full walkthrough if you get stuck
- Hack The Box. You’ll want the paid VIP subscription to access retired machines. These all have walkthroughs, and there are plenty on the web. The online VM works really well, but it is ParrotOS
- Tib3rius TryHackMe Buffer Overflow Prep room. This is likely the best prep you can do and there’s a sample application with several variations, plus some well-known apps like SLMail, all conveniently on one VM
- Tib3rius buffer overflow scripts. I took the fuzzer and overflow scripts, modified them and added comments to describe step by step what to do. I then did two or three of the TryHackMe buffer overflow challenges each week leading up to the exam
- DoBufferOverflowGood Tutorial by Justin Steven. This is a really detailed explanation and tutorial that helped me understand a few things
I could generally get onto a box but found privesc the hardest aspect, so I really focussed on this area, making use of the following:
- Sagishahar’s privesc workshop. This is great and has a downloadable Linux VM with detailed instructions to work through
- Tib3rius Linux Privesc
- Tib3rius Windows Privesc
- Heath Adams Linux Privesc
- Heath Adams Windows Privesc
- I set up Windows and Linux VMs to try some of the common approaches
Finally, I wish you the best of luck if you are taking the exam. It’s important to remember, if it doesn’t work out, that there are some really awesome folk in the industry who ended up taking this exam multiple times – I really liked Ian Coldwater’s tweets regarding this and they contain some great advice.