
OSCP in 4 months (and why not to do it)

The OSCP

The OSCP is one of the most sought-after certifications in the pentesting market. It is uncommon to come across an employer in the industry that does not require it, or an equivalent, for open positions. That is what pulled me towards completing this certification in 2023. I have had an interest in pentesting since 2018, when I was introduced to Hack The Box. Friends then pointed me to the PEN-200 and the OSCP as a way to turn this into a career. Fast forward to the early months of 2023: I planned out 3 months for the PEN-200, the course attached to the OSCP, while working full time. Here is how I managed to pass the exam in 120 days using the course and external services, and why I recommend avoiding this method.

Before the PEN-200

I began my journey months before paying for the PEN-200 course. I started in October of 2022 with the goal of completing TJ Null's OSCP list on Hack The Box (HTB) and on OffSec's Proving Grounds. This was a great foundation and starting point for me, as I created notes on each method and exploit as I went. I went through as many machines as I could from the Proving Grounds list to make sure I had a solid process for identifying and exploiting.

PEN-200 Course

I purchased the PEN-200 in March of 2023 with a start date of April 2023. This gave me a bit more time to prepare with the TJ Null list mentioned above. On the start date, I went through the housekeeping sections first so that I could hit the ground running in the modules as soon as possible. By day 2 I had already started on the technical modules. I continued working on these for the entire 2 months. At first I pushed myself to finish a module a day, which then turned into more like a module a week. The modules pick up in intensity and difficulty quickly, so expect to take some time on each one.

PEN-200 Lab

After I reached about 90% completion of the PEN-200 course, I then started working on the labs. I followed the labs in this order:

I treated OSCP A, B, and C as the exam. I set a timer while working on each one with the goal of completing it within 24 hours. This gave me a good idea of where I could make improvements to my enumeration process. The other environments I completed as far as I could. I was about halfway through Skylark when I reached the end of my time on the PEN-200 platform. I gave as much time as I could to all of these environments over my last 30 days and secured the 10 bonus points.

Post PEN-200

After running out of time in the lab, I continued working on the last few TJ Null boxes in Proving Grounds. During this time, I scheduled my exam for one month out, in August, to give myself time to practice and prepare for the 24 hours. I also started gathering commonly used commands into a cheat sheet to use later. There are likely hundreds of these cheat sheets out there, so I will not be sharing mine, but I can say that it contains commonly run commands from the later PEN-200 chapters. I also planned ahead what I was going to take notes and screenshots of, to make sure that I remembered to grab enough details to reproduce the exploitation. Two days before the exam, I stayed off the computer as much as possible to give myself time to not think about exam day and to do something unrelated to tech.
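One practical way to make sure every step can be reproduced for the report is to record each command, its timestamp and its output to a per-target log as you go, rather than relying on memory and screenshots alone. The shell snippet below is an added example and is not the author's cheat sheet or any OffSec-provided tooling; the directory layout, the function names `evidence_init` and `logrun`, and the target address used in the usage comment are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): a per-target evidence directory
# plus a command wrapper that appends the command line, a UTC timestamp and the
# command's output to commands.log, so the exploitation chain can be replayed
# when writing the report. Layout and names are hypothetical.
set -eu

# Create the evidence tree for one target and print its path.
# Usage: evidence_init <target> [base-dir]
evidence_init() {
    target="$1"
    base="${2:-./evidence}/$target"
    mkdir -p "$base/scans" "$base/screenshots" "$base/loot"
    # Start (or truncate) the command log for this target.
    : > "$base/commands.log"
    printf '%s\n' "$base"
}

# Run a command, logging it and its output while still showing it on screen.
# Usage: logrun <evidence-dir> <command> [args...]
logrun() {
    base="$1"
    shift
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    printf '[%s] $ %s\n' "$ts" "$*" >> "$base/commands.log"
    # Merge stderr into the log too; tee keeps the terminal output visible.
    "$@" 2>&1 | tee -a "$base/commands.log"
}

# Return the number of commands recorded for a target (one '[ts] $ ' line each).
# Usage: logged_count <evidence-dir>
logged_count() {
    grep -c '^\[[0-9T:Z-]*\] \$ ' "$1/commands.log"
}

# Example usage against a constructed target address (not run here):
#   d=$(evidence_init 10.10.10.5)
#   logrun "$d" nmap -sC -sV -oA "$d/scans/initial" 10.10.10.5
#   logged_count "$d"   # prints 1
```

Keeping the log append-only and timestamped also gives you the timeline the report template asks for, and `-oA` style tool output can be pointed into the `scans` directory so raw results sit next to the log.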

Day of the Exam

Following the exam guide, I was ready and set up 15 minutes before the exam at 9AM. The proctor joined and had me show my room using the webcam, including under my desk and the doors. I was then sent the details to connect to the VPN and started enumerating.

Exam

I started off with the Active Directory set to make sure I could secure those points right away. This set consists of 3 boxes: one externally facing, one internal box, and a domain controller. I was able to get user access on the first system in 20 minutes, which surprised me right away. However, this excitement was short lived, as I got stuck at this point for 5 hours. I managed to overcome this challenge by noticing that I was overlooking something in the enumeration script output, which gave me direction for administrator access. I will note that this is when I used Metasploit on the exam. I say this to make sure that everyone understands that sometimes this is the best way to move forward in the exam and is nothing to be ashamed of using. After getting administrator on the first machine, I quickly moved to the second box and finally to the domain controller in 30 minutes. I completed the AD environment by the evening after taking many breaks to compose myself and eat.

After completing that, I started working on the standalone set. I collected as much information as I could for a few hours before going to sleep at 11PM that night with no additional points. I woke up at 3AM and restarted my enumeration. At this point, I was in the mindset that I was going to fail due to a lack of footholds. I then found that I had missed something in my enumeration, which gave me an idea of what to do. I struggled for a few hours with this information before realizing that I had everything I needed but had to apply it differently, which then easily gave me remote access and privilege escalation.

During the many hours between finishing the AD machines and completing the standalone box, I had also been trying to get into each of the other two standalone boxes. I found potential exploits on both, but I was unable to get them to work properly to gain a foothold. After submitting proofs, I went back and made sure that I had a screenshot of everything I could need to write the report. That put me at the end of the exam time, and I closed out the test with my proctor.

Post Exam

I can say that at this point I was exhausted and decided to sleep for a few hours, which turned into most of the day. After getting up, I wrote my documentation following the exam write-up template and removed the sections that did not apply. It took around 4 hours to complete the documentation before I submitted it to OffSec. 24 hours after I submitted, I found out that I had passed by visiting the PEN-200 purchase page. I was then sent my certification by email a day later.

Words of advice

While I was able to complete the course and exam in 120 days, it was a struggle. It required many sacrifices of time with my family and friends. I was often exhausted after working my normal 9 to 5 while also trying to do the training. This led to long days and sometimes even longer nights and weekends. I can say with certainty that if I had to redo this entire course and exam, I would spend more money to get the full year subscription. This would provide an on-demand style of learning while also giving time to understand more of what is being taught.

I suggest that anyone looking to do this exam make sure they are comfortable with their enumeration process, as this is key to passing. Work on Proving Grounds, Hack The Box, or TryHackMe for months before deciding to pay for the course, as this will give you a good foundation. Lastly, use hints and walkthroughs once you have tried all you can while learning. They are really helpful tools, and you cannot hack what you don't know.

Hack the planet!