Offensive Security Certified Professional (OSCP) Review

PREFACE

I had purchased a LearnOne subscription at OffSec’s end-of-year sale to get my OSCP, but decided to get OSWP (included with this bundle) out of the way first. You can find that review here. If you want to see what I think about OffSec’s subscription plans overall, check here.

While it was nice (and well worth the extra $400 in my opinion) to have a full year of lab/course/proving grounds access and 2 OSCP exam attempts, this can also be a double-edged sword. As such, I don’t know exactly how long I took to go through any material before my exam attempt. Life stuff came up and I also had to put the OSCP on hold to tackle 2 other certifications that I had vouchers for that were expiring sooner than the OSCP, one of which I unexpectedly failed on my first attempt and had to squeeze in a retake for (reviews for those coming soon).

When I first received access, it was for the 2022 version of the course. During my access, OffSec decided to update the course and phase out the 2022 version (which they rolled out as a free update — more on this below).

DISCLAIMER

I will NOT be giving away any exam spoilers or answers here. Feel free to contact me with questions; however, I am not willing to discuss any exam specifics or give any overt hints.

THE COURSE

The accompanying course to the Offensive Security Certified Professional (OSCP) exam is the PEN-200 course, which is accessible with an OffSec subscription. The course goes into pretty good detail, but I don’t necessarily think it’s enough on its own to pass this exam.

The course topics include:

  • Introduction to Cybersecurity
  • Effective Learning Strategies
  • Report Writing for Penetration Testers
  • Information Gathering
  • Vulnerability Scanning
  • Introduction to Web Application Attacks
  • Common Web Application Attacks
  • SQL Injection Attacks
  • Client-side Attacks
  • Locating Public Exploits
  • Fixing Exploits
  • Antivirus Evasion
  • Password Attacks
  • Windows Privilege Escalation
  • Linux Privilege Escalation
  • Port Redirection and SSH Tunneling
  • Tunneling Through Deep Packet Inspection
  • The Metasploit Framework
  • Active Directory Introduction and Enumeration
  • Attacking Active Directory Authentication
  • Lateral Movement in Active Directory

As mentioned above, OffSec updated and rolled out the course updates in the middle of my yearly access. As such, they began phasing out the course exercises, labs and content for the 2022 course. In order to qualify for the 10 bonus points, you had to complete 80% of either the 2022 or 2023 version of each of the course exercise modules (these could not be mixed and matched) and at least 30 proof.txt flags from either the 2022 or 2023 version (these could be mixed and matched) before a certain date. Full details can be found here.

As I had already begun some of the exercises from the 2022 course, I rushed to finish the course exercises on this version before access was removed. I managed to knock them all out in about 2 weeks or so. I was not able to get through the old labs before they were removed, so I decided to start fresh on the 2023 version. The new version of the labs was definitely an improvement, as they were no longer shared labs. Each student now has their own individual access, which makes total sense for the price that you pay. I did have quite a few stability issues with the VPN and challenge labs, which was kind of disappointing. While I did not even get through half of the 2023 course content, it seemed to be better structured and more relevant than the previous version.

After getting the 30 proofs that I needed to secure my 10 bonus points, I scheduled my exam. These took me about a month on and off to complete. I must commend OffSec on the improved way to qualify for the bonus points as I heard the previous version was super time-consuming.

EXAM PROCESS

This is a proctored exam and therefore needs to be scheduled for a specific date/time. You can log into the OffSec portal, click the exam tab under the PEN-200 course and choose an available date/time that works for you. Prior to the day of your exam, you will receive an email from OffSec outlining the proctoring requirements. On the day of your exam, you are to log in to their proctoring software 15 minutes before your scheduled time to select your webcam, share your screen(s) and do the whole verification process (have your ID handy). If you are in doubt about whether your setup will work, you can request a test run from OffSec prior to your exam. You will log into the proctoring software with your OSID and an MD5 hash provided to you in the email.

Despite what I’ve read online, you can take this exam directly from a Kali Linux host machine and a modern browser (which is what I did for both OSCP and OSWP – review here). However, and with good reason, some recommend taking the exam from a virtual machine and having a backup VM just in case something breaks on your primary. This is entirely up to you and at your own risk.

At the scheduled time of your exam, you will receive another email from OffSec providing you with your VPN connectivity pack, VPN username and password, links to the exam control panel and instructions on where and how to upload your report. Once in the control panel, you will find the guidelines that will serve as your “letter of engagement”. This details your targets and where to submit your flags. It also informs you of the required task(s) to pass this exam.

You are given approximately 24 hours (really 23 hours and 45 minutes) in the exam environment to complete the technical portion of the exam. Once you finish (or the environment expires), you are given an additional 24 hours to write and submit your penetration testing report for review. Once you submit your report, receiving your results can take up to 10 days (this can vary, but in my experience, it is usually quicker than 10 days).

THE EXAM

You are given 6 targets total; 3 of them are part of the Active Directory set and must be fully compromised to receive the 40 points. This set is all or nothing. The other 3 targets are standalone targets worth 10 points for local.txt and 10 points for proof.txt (20 points total each). Partial points are possible with the standalones. Please note that buffer overflows are no longer included on this exam. The exam environment was stable for the most part, but I did need to revert at least one of the standalone targets (more on that below).

I began my exam at 11 AM and it took me about 12 hours (with many 1+ hour breaks) to compromise the selected targets, take my screenshots and submit my flags into the control panel. Once I had everything I needed, I asked the proctor to end my exam early (again, webcams make me nervous).

I started off with the AD set, as I knew that would be my best chance at securing 40 points right off the bat (50 with bonus points). I know some people mention “harder” AD sets and perhaps I lucked out with an “easier” one, but the initial foothold here was rather simple (pay attention to your nmap scans!), as was the privilege escalation. Pivoting, lateral movement and privilege escalation after this was even easier. I was done with the AD set in about 2-3 hours, including breaks. After I finished this set, I took a lunch break before proceeding to the standalone machines.

I ran my nmap scans on the standalone machines and messed around with some initial enumeration. After a little while, it became obvious to me which box I would attack first. This machine did give me some trouble and could have cost me the exam had I not been able to succeed on any other standalone. I almost gave up on the box before deciding to revert it. After reverting, I got the results that I was expecting. The initial foothold was pretty straightforward and I didn’t even need to modify the exploit. The privilege escalation here was even easier in my opinion. With this, I technically had enough to pass the exam, but I wanted a bit of a buffer just in case. I took another long break after this box before moving on.

I came back and looked at my nmap scans again and saw the way forward on another standalone. The initial foothold here became obvious to me pretty quickly. The privilege escalation here was probably the most complicated that I encountered on the exam, but certainly nothing that I am sure you have not come across before and nothing out of this world. I took another long break after this box before moving on.

I had not gotten much sleep the night before and was getting kind of antsy being on the webcam, so after this last break, I was starting to feel a bit worn out. I looked at the nmap scans for the last standalone and saw what I thought might be the initial foothold. After some more enumeration and testing some things out, I wasn’t really getting anywhere. It was probably close to midnight at this point and realizing I had close to 90 points with the bonus points, I asked the proctor to end my exam.

I fully unwound and got some sleep before tackling the report the next day. I usually take rough exam notes in Obsidian and then put my report together afterwards. For this exam, I decided to drop my screenshots and notes directly into LibreOffice Writer to save some time on the report. Some things came up the next day and I wasn’t able to get to the report until later in the night. Even with the template and my notes and screenshots already in LibreOffice, this report took quite a long time. I ended up running into quite a bit of frustrating bugginess and crashes in LibreOffice. It also took me several attempts at exporting the PDF before it came out decent-looking.

Once you are done, you can submit your report over at OffSec’s upload portal using your OSID and the MD5 hash provided to you at the beginning of your exam. OffSec has some strict guidelines for uploading, so make sure to take a look at their OSCP Exam Guide. I used the OpenOffice/LibreOffice template provided by OffSec and my report ended up being 50 pages long. It took about a day to receive my results.

OVERALL THOUGHTS

This was a fun exam that I had been putting off for quite a while. I won’t lie and say that I wasn’t intimidated by this exam (like a lot of people are) prior to sitting for it. But, at the end of the day, it turned out to be a pretty basic pentest exam. I’m not some pentest guru by any means and this may be somewhat controversial, but I didn’t do any of TJnull’s list, HackTheBox or Proving Grounds boxes prior to this exam. I had dabbled in TryHackMe in previous years, but it wasn’t all that extensive. Of course, I had already taken quite a few certification exams that I could definitely consider stepping stones to OSCP and some that I would consider more difficult.

The course update and challenge labs were a much-welcomed improvement, as was the new way to achieve the bonus points. The LearnOne subscription was well worth the price tag in this case, even though I didn’t need the included retake. I was glad to have the year-long lab access, but it does make you drag out the studying a bit more. The course PDF and videos can be downloaded for future reference (which I recommend), and hopefully I can use my remaining Proving Grounds access to do some walkthroughs.

EXAM TIPS

There is a time crunch on this exam, but if you have some type of methodology down that works for you, the allotted time is more than doable. Do not overthink and do not let the stress get the best of you. Make sure to eat well, stay hydrated and definitely take breaks and sleep if/when needed.

Make sure to have all of your notes and screenshots in order. Along with submitting your flags in the exam control panel, OffSec requires that the screenshots of your flags show specific details. I threw my notes directly into LibreOffice Writer and used Flameshot to take screenshots.

Take advantage of the course exercises and challenge labs, especially the OSCP-A, B and C labs.

While you are allowed to use Metasploit for at least one of the targets, I did not use Metasploit at all for my exam. Make sure to practice working without Metasploit for the most part.

If you can and need the practice, definitely do TJnull’s list, TryHackMe, Hack The Box, and/or Proving Grounds.

Make sure you know a few different ways to pivot (e.g. proxychains, chisel, ligolo-ng) and different ways to transfer files to and from compromised hosts, both Windows and Linux (e.g. certutil, wget, PowerShell).

Be comfortable with enumeration, finding/modifying exploits, Windows and Linux privilege escalation, and Active Directory attacks.

Most importantly, do not give up. It’s easy to feel defeated and discouraged if you fail, but your best is all that you can do. And if you have a LearnOne subscription, remember that you have an included retake.

Best of luck. Onwards and upwards!

RESOURCES

Other OSCP writeups (there are literally tons of these, so just throwing in a few):

Passed the OSCP, lets be blunt for a minute

OSCP Review

How I Passed OSCP 2023 in Just 8 Hours with 110 Points Without Using Metasploit

OSCP 2023 – How I passed in 30 days

OSCP video reviews (there are literally tons of these, so just throwing in a few):

OvergrownCarrot1 Hacking – OSCP Review, Someone has to say it

Elevate Cyber – How I Passed the OSCP

Beau Knows Cyber – I passed the OSCP with 100 points (and so can you) + Active Directory

Tadi – How I Passed The OSCP On My First Attempt!

Report templates:

Microsoft Word

OpenOffice/LibreOffice