On May 28th, after three tries, I finally passed my Offensive Security Certified Professional (OSCP) certification. So in this post, I will go over my experience, how I prepared and could pass the exam. This story is not going to be one of “passed on the first try and here is how”, but rather how you can do anything in this world with persistence, hard work, and constant improvement of yourself.
Background
If you are not familiar with my background, I graduated the University of Toronto in information security. So the first thing I wanted to do is find a job somewhere in cybersecurity. That is when I first learned about OSCP. I understood that I had to acquire this certification when why the recruiters told me to get OSCP first and then come back to them. Unfortunately, I could not afford it during that time being a recent grad, so I had to keep pushing forward to find a job.
Sometime later, I could start my career as an information security consultant as a junior. So during the first 8 months of my work experience, I was learning all of the industry standards, hacking, and all the necessary stuff to be a successful penetration tester. I am going to go over what I did for preparation later in this post.
I mentioned that this story is not about “passing on the first try”, but rather passing on the third try. And you know, I am proud to pass on the third try, because this way, I really can show my path, what I did to prepare, what I did when I failed, and how I motivated myself to stand up after each failure and retake the exam.
First Try
Preparation
When I bought the exam pack from the OffSec’s website, I did not know what to expect and how to prepare. The material looked very overwhelming and repetitive. Why repetitive? Before buying the course, I took and studied the training courses for PNPT from TCM Security. I believed that the material is much more well-presented and explained than the OffSec one: the videos were amazing, the methodology is well delivered and etc. So, instead of going over the course material AND the labs, I decided to focus on TryHackMe and HackTheBox. Big mistake number 1…
I went to the web, grabbed TJ_Null’s list of HTB boxes, and went on to do them all. And I did. Keep in mind – the way I study is first I have to understand and be shown how to do something, and then I will be able to reproduce it. So my first boxes were – “What is this? Okay, solution, please”. After going over the solutions on some boxes, I got an idea of what I needed to do for hacking the machines and was trying to master my methodology. I did around 70 machines total and felt ready. Big mistake number 2…
Because I was working and studying at the same time, I was quite limited in allocating myself for the certificate prep. 30 days of included lab time (keep in mind, this is the end of 2021, before the huge update), and I had to take the exam soon. So I scheduled it and decided to go in and try it out. I was super nervous, I felt like I was not ready, but I decided to take it as well.
But then midway, the update with the Active Directory set came out… So I panicked… I was not ready to take the AD set at all under me and was struggling to get myself around it. I decided to take the PNPT exam first – it is a good AD set exam guiding you through the penetration testing methodology of Active Directory. I took the exam, passed it successfully, and felt like ready for the OSCP.
The Exam
As you could figure, the first try went really sideways. I was nervous before the day of the exam, and could not sleep properly as well. I went into the exam, took a look at the boxes, enumerated them, and could not figure out what to do there. I set there straight for 17 hours there and got 0 boxes and hashes under my belt. So I just terminated the exam with a huge sadness…
You can probably figure out how I felt. I was demotivated, confused, and angry. So my impulsive brain decided to go and buy eJPT to take later just to show myself that I am not that bad. What I ended up doing is taking the exam the same night and passing it in 3 hours. Well, at least I was a bit more calm and went to sleep with at least some understanding that I was on the right track.
Aftermath
Well, I was sad after the exam. I felt so drained, tired, and angry. I started to hate myself and the exam, not knowing the mistakes I did. It took me a year to even consider retaking the exam. And even when I finally understood that I am ready to come back and retake the exam, I was postponing it most of the time. But I am thankful that one day I woke up and just said “it is time” to myself.
Second Try
Preparation
Guess what I did this time? You are right – logged in to the account, bought labs time and the exam retake, and started studying… Studying hard… I had 30 days of labs, so I really had to squeeze all the machines in those days. The grind was real – on average I had 3-4 machines a day! I pushed hard, learning, studying, and figuring all of the material out. I only focused on labs, because I did not want to go over exercises. I already knew the basics.
The month of lab time went really fast. In the end, I got 3 out of 4 networks done in full, only the admin network was left (that was before the update to the lab structure). The exam was scheduled, and I felt ready to go in and just DO IT :D! And that is what I did.
Exam
So, the exam day… I had a nice sleep and woke up with the mentality to just come in and destroy the machines. I had so much motivation and really wanted to pass.
Exam starts. I started enumerating all of the systems at once and went with the first on the Nmap finished enumerating first. And that was not the AD set’s first box, unfortunately. That was the biggest mistake of this take…
8 hours into the exam, I had 40 points and 2 computers with full compromises on them. I felt really strong and kept pushing. I went into the first AD machine, got stuck but rooted it at the end, and went to the second one. But… that is where I got stuck.
I could not see the path there, at all…! I just did not see it. Sat there for around 9 hours and just gave up. I decided not to waste time and go to sleep to prepare for the work the next day.
The biggest thing I learned during the exam is that… I was capable of doing it. I understood that over the year of my break, I grew as a penetration tester, acquiring 3 certifications and advancing in my knowledge. I believed that the mistake was in my box and time management, I simply started with easier boxes rather than harder ones. So what I decided to do is NOT stop there. My motivation was at the highest level ever, I felt confident and wanted to redo it as soon as possible.
Third try – the charm!
Preparation
This time I decided not to come back to the labs. Even though they just got updated at this time, I did not feel like buying the new ones and taking another 30 days to grind the new set. So instead… HackTheBox! I decided to explore it a bit more and came across the ProLabs. “Dante” looked really familiar to the PEN-200 labs, so I decided to try it.
I had to grind the lab set for 2 weeks straight. It was not easy though, I would say similar to PEN-200 lab machines. But it was really interesting, I learned a lot and improved my methodology in penetration testing and AD abuse. I highly suggest doing this ProLab before your OSCP attempt to test yourself outside OffSec environment.
After finishing Dante, I decided… not to do anything. I took a vacation and a break for around a month. This was the biggest winning strategy for the third try. I allowed my brain to cool down a bit and focused on my personal life.
Exam
On May 28th, I started taking the exam again at 8:00 am. This time – different strategy. I started doing AD set first and told myself that I would not attempt any other machines before I clear out the set. And that is what happened.
The first AD machine was cleared in 2 hours, whereas the second machine was a bit of a rabbit hole for me. So what I did is… took a break and took a totally different approach instead. And in another 3 hours, the second machine was in my pocket. Totally, it took me around 6 hours to clear the AD set first. I cannot express it more how happy and proud of myself I was. I was on so much hype, that I actually had to take a break to calm myself down a bit.
I took an hour of break, went for a walk, and grabbed some coffee. Came back, ate some food, and continued. 2 hours in, I got the 1st standalone machine’s local user, but then could not escalate. I dropped that box just not to waste any time and moved on. In another two hours, I got the 2nd box in full and took a break.
I already had 70 points, which I could just write the report on and be done with the exam. But I was not feeling confident enough and decided not to take chances. So after an hour of break, I came back and got the 3rd box in full in another 2 hours. It was 10 pm already, so I decided to start writing the report.
I started reading the requirements for the report and proving the exploits and figured out that my screenshots with proofs were wrong. So what I did is I reverted all machines and ran the attacks again, taking better screenshots and writing the report alongside. This was my best decision ever. I found that one of the commands did not work and I had to come up with a new one so that it works constantly. But after some time I was done with the report.
The biggest mistake during this exam try was using Google Docs to write my report. I had so much pain with it… Oh my God… I regret this decision in full and do suggest using at least Word or Markdown for this. It took me 6 hours to write the report, wasting so much time fighting with Google Docs. But around 4 am the next day, I terminated the exam and went to sleep.
After sleeping around 6 hours, I woke up with a fresh brain to go over the report. I enhanced the wording and made sure that all of my commands are in copy/paste style. I cleaned it up as much as I could, and at 1 pm it was sent.
Conclusion
After two days of waiting, today, May 31st at 6:30 am, I received an email from OffSec confirming that I have successfully passed the exam. I felt relieved, happy, and all possible positive emotions a human can have. I have finally got my OSCP after 2 years of hard work, non-stop learning, and stable persistence.
I will not be giving any tips on how to pass the exam on your first try, I hope that my experience outline will help you with that. Instead, I want to show how important persistence and hard work are. I would not pass the exam, if I had no motivation, if I did not study like crazy during the half of the year. I strongly encourage you to pursue your dreams, doing everything you got to achieve what you want. Everyone is capable of achieving their goals. So if I could do the exam, everyone can.
I wish every taker of the exam good luck in the future, manage your time and box appropriately and take good notes! Do not give up if you failed on your nth attempt. Failing is a part of the learning process, and everyone has to go over this mentality. You will come back stronger than ever and crush every obstacle on your way.