How I Passed the OSCP on the First Try

Passing the OSCP was one of the hardest things professionally I've ever done. It put some real stress on my life — and woke me up more than once with nightmares about pinging servers (for real). I wanted to quit more than once.

I was worried that I wouldn't be good enough come test day. I got anxious that I hadn't prepared enough. Or I would get stuck and panic for hours.

But I don't regret the process at all — and I passed. I want to share how I prepared for the OSCP, what worked well for me and what I would do differently, how the lab helped me, and what extra cybersecurity training resources I used. Maybe I'll save you a few sleepless nights or extra grey hairs.

Pre-Game: What Do You Know?

It's really important to plan ahead with the OSCP because time really is money. OffSec bundles the Penetration Testing with Kali course, lab access, and the OSCP exam fee into one package. The package costs between $800 and $1,500 depending on whether you get 30, 60, or 90 days of lab access. OffSec says the course is self-paced and online, but the clock starts ticking once you gain access.

That's why you need to do some pre-planning before rushing to sign up for the course. Check out OffSec's OSCP page first. Under the prerequisites section, they recommend:

A solid understanding of TCP/IP, networking, and reasonable Linux skills are required. Familiarity with Bash scripting along with basic Perl or Python is considered a plus.

Let's break that down: You need to know networking. You need to know Linux. Programming seems somewhat optional, but it's definitely not.

You can learn these things on the fly during your coursework, but it's better to brush up on your skills before starting the OSCP course. Remember you only have so much time before you'll have to pay to extend ($200 for 15 days, $650 for 90 days). So, why not level up some skills before the clock starts ticking?

Before you even touch the OSCP practice labs, you should thoroughly learn networking, Linux, Bash, Perl, and Python.

Here's how I pre-gamed the OSCP.

You'll Need to Know Networking

How are your networking skills? You don't need a CCNP or be a full-time network engineer. But you need a good familiarity with the basics like subnets, ports, DNS, pings, and TCP connections.

You might need a bit of a refresher, but I felt good in what I knew here having done networking for years, being A+ and Network+ certified, and also having a number of years as a Windows Server admin under my belt.

How I Learned Linux

Linux skills, however, I knew would be different. I was not so handy in a Bash terminal. One fantastic (and free!) resource I used was Linux Journey. It breaks down Linux basics into very small pieces, going through essential concepts like permissions, the file system, and processes. If you are used to Windows, you'll see the similarities quickly, but you need to know the nitty-gritty as you'll soon be on the terminal often.

After completing the Linux Journey, I tackled Bandit from OverTheWire. This set of exercises takes some of the knowledge you've gained and applies it on a real VM that you'll SSH into. You'll have to complete a basic exercise to get a password for the next level. You'll learn lots about manipulating files and some tricks like exploiting SUID binaries and cron jobs.

Scrappy Scripting

After Linux, the final prerequisite called out Bash, Perl, and/or Python scripting. I did some very basic work on Bash and Python scripts. Bash will be covered in the courseware later, and there are about four million Intro to Python websites, just pick one that mentions network sockets and spend a few days on it.

You won't be writing any scripts from scratch, just learn to follow the flow of an existing script and you'll be more than fine.

Next: Start With Virtual Hacking Labs

If you're comfortable with networking, Linux, and scripting languages, then it's time to do some light hacking on Virtual Hacking Labs. This is a mini-OSCP basically. You'll drop $249 for three months. For that, you'll get courseware and a PDF. It's nowhere near as in depth as the OSCP course but it's a great starting point so you aren't overwhelmed later.

You'll get plenty of experience with the basics of enumeration and tools like Nmap and Netcat, plus putting all that networking and Linux practice to work.

Post-Pre-Gaming: Sign Up for Your Course

By now, you'll start considering when you want to start your OSCP course. One thing I did not know about when I went to sign up: you will not be able to immediately start your course after signing up. They space out their students, so you'll get some options for the next available open slot. The soonest I could start was three weeks out. I was ready to get going, but disappointed to have to wait. Plan ahead!

If you have a little pentesting experience, as I did, you should consider signing up for three months of lab time. That should give you plenty of time to get through the course work, most of the lab, and review areas where you feel like you need more practice (maybe privilege escalation or SQL injections).

Grab your schedule and find a three-month block where you don't have many commitments already. Taking a few days off won't kill you, but it won't help much with your forward momentum either.

During those months, you'll need to devote at least a couple hours most (if not every) days. I probably averaged around four hours a day and intentionally took Sundays off. I knew I could do one to two hours in the morning before work, and grab anywhere from two to four hours during the day between other work tasks. I avoided studying after dinner, saving that for family time.

If this sounds like a lot — it is. You'll have to figure out how to make it work with your work schedule, family commitments, and social life.

Hack the Box

Go sign up for Hack the Box right now and pay for the monthly VIP plan. Do it, it is the best pentest practice resource on the internet. As of August 2019, they host over 120 virtual machines for pentest practice, and add one a week. Some are killer hard with few mortals capable of conquering them, but there are lots of more reasonable ones also.

Get stuck on one? Check the forums, follow other users' hints. Enumerate again. Walk-throughs are available with a quick Google, but resist the urge to read them without trying harder first.

You can sort HtB machines by difficulty level, so I jumped into the easiest ones after finishing the Virtual Hacking Lab. Difficulty-wise it was comparable, but the extra practice didn't hurt. Slowly, as my skills and confidence grew, I tackled slightly harder machines.

Once I felt I had enough of a grasp on the basic pentest process (after owning the 10 or so easiest HtB machines) then I felt finally ready to register for my OSCP course. I continued using HtB for exam prep though even after my OSCP lab time, using this handy list.

While 20 HtB machines are considered "active," with your VIP access you have access to all of the older retired machines. Each retired machine will have two invaluable walk-throughs. One is a very succinct PDF; the other is a long form video by master pentesting teacher Ippsec.

If you nothing else from this article, get this: watch as many of his videos as you can. They are long, on average an hour each, but you will learn SOOOOO much. The instructor explains things very clearly, shows multiple ways to achieve the same result, and gives equal weight to the basics and using flashier techniques. They are an invaluable resource.

Using the PWK Courseware

That day will finally come when you receive from OffSec your courseware and VPN connection pack. The courseware is good stuff, they give you a long PDF and a set of videos. The videos basically reiterate what's in the PDF, just with less detail.

I skipped the videos and focused on the more comprehensive PDF, which starts you on the basics of working in Kali Linux. It also acquaints you with the basic tools you'll need in Kali, and then some basic pentesting methodology. You'll quickly get into more specific and difficult concepts like buffer overflows and working with exploits, just take it a step at a time.

Sprinkled throughout the PDF are optional exercises. Some of them are pretty straightforward ("run the tool discussed in this section on a lab machine"). Others will require you to go off on your own further researching a technique they only introduced. Documenting your work on these exercises forms the first half of a potential five bonus points on your exam.

The other half of the bonus points comes from a lab report detailing how you compromised user and root on 10 lab machines. They provide a template that's recommended to use; basically fill it in for each machine with enough screenshots and code snippets showing how a technically competent person could recreate your steps. Complete this report and the exercises, submit them along with your final exam report after test day, and you'll earn five bonus points.

Is it worth it? Depending on your experience, you could spend a whole week or two just completing the exercises then later writing out your lab report. While five points will be a lifesaver if you are five points short of passing, that's also a lot of time you could be practicing in the lab and Hack the Box. I did it — it was a lot of busy work, but I don't regret it.

Some people say go for it, some people say spend your time hacking. Even if you don't plan on submitting the exercises, going through the coursework is still essential, it's very well written, very thorough, and full of helpful nuggets.

The Lab

The lab is the bread and butter on the course to help you prepare for the exam. You'll start on the public network with nothing more than a list of IP addresses. Start scanning machines, looking for low-hanging fruit, applying what you learned in your coursework and research.

Eventually, you'll find a few machines that are multi-homed; they have a network adapter in both the public network and another network. Once you fully compromise those machines, you can use them to access these new networks with a technique called pivoting.

For my lab time, after about two months, I had a majority of the public network compromised and had gained access to two other networks. Instead of continuing into the other networks, I decided my time might be better used on Hack the Box. I spent my last month of lab time finishing up the lab report and going through that list I shared earlier of HtB machines. I felt this worked out very well. While the lab is great, I learned a lot more from the variety that Hack the Box provided.

Test Day

Start your test day prepared, both physically and mentally. You'll be in it for the long haul, with 24 hours to hack five servers and do privilege escalation to get root/administrator access. No help, no hints, just you and your hacker wits.

Take care of your body, have the food and drink you need ready to go. Get a quick work out in for some energy. Sleep the night before. Mentally, TAKE BREAKS. Seriously, don't keep pounding on something when you're stuck. Stop, stand up, and walk away for five minutes, otherwise, you will panic and mentally exhaust yourself. If you're really stuck on a machine, even after a break, come back to it later, start another one. Time management is so critical when you're talking about a 24-hour exam!

You have the next 24 hours to finish and submit your report, detailing your enumeration of each machine, how you initially gain OS access, then how you did privesc to root. The report will need screenshots and enough context so someone can reproduce your steps, so take good notes the whole time. When you finish a machine, review your notes carefully and make sure you have everything you'll need for the report. Once those 24 hours are up, the VPN dies. If you're missing a screenshot, too bad.

With all that out of the way, it will be fun! You're just hacking boxes and getting shells, you wouldn't have made it this far if you weren't enjoying it along the way, so keep having fun with it! Once the 24 hours are up, take a nap, finish and submit your report, and you have finished the OSCP exam!

Once submitted, OffSec says you'll have your results within five business days. True to their word, I got my official pass notification after five gruelingly stressful business days. The satisfaction comes from accomplishing something so hard so amazing, and hopefully my experiences can help you get there too!