My OSCP journey

1. Good news

Hi everyone!

Recently I passed my OSCP (PEN-200) exam on my third attempt! I was able to obtain 80 points by clearing one Active Directory (AD) set and two standalone machines.

2. First attempt experience

My first attempt was in August 2021 at 9am, I think. Back then, it was the old format where there was only one 10-point Windows machine, two 20-point Linux machines, one 25-point Windows machine, and one Windows buffer overflow (BoF) machine worth 25 points. I only received 25 points from the BoF machine, which I completed in 20 minutes, and was stuck for the rest of the time. Back then, I was not prepared at all. I had only done a few easy and medium machines from HackTheBox and completed 40 PWK lab machines. I did not have enough methodology built up to be ready for the OSCP exam, as I came from a reverse engineering and exploit development background.

3. Second attempt experience

Before my second attempt, I started to try machines on TryHackMe to gain more knowledge and build up my methodology, and I attempted 22 Proving Grounds (PG) Practice machines from the TJ Null OSCP list. However, before I could book my exam, I received the bad news that Offensive Security had decided to change the exam format to the current one, where Active Directory (AD) is included in the exam. As a result, I only practised a bit of Active Directory on TryHackMe as well as the three AD machines in PG Practice.

In March 2022, I went for my second attempt, which started at 7am. I had learned my lesson to start early, as I would not be able to sleep the night before anyway. Therefore, it is better to start early than to wait until 9am, when I would feel tired in the afternoon.

During the exam, I decided to attempt the AD set first, as everyone on Reddit said it was very easy. I was able to get initial access to a machine in the AD set in half an hour before escalating privileges to NT AUTHORITY\SYSTEM in 10 minutes. However, I spent the next 9 hours trying to pivot but failed. I was totally not prepared for the AD set, as you can see.

Finally, at 7pm after dinner, I decided to attempt a standalone machine, which I rooted by 11pm. After clearing that machine, I returned to the AD set, as the other standalone machines were very hard and I was already too tired to search for their initial access method.

As a result, I failed my second attempt with only 30 points (including a bonus of 10 points).

4. Third attempt

I took more than a year's break from OSCP and focused on my reverse engineering job before deciding to attempt OSCP again. During that period, I was too demoralized to attempt OSCP again, as I had lost all my confidence. However, in October 2023, I forced myself to attempt OSCP again, as my job's contract was coming to an end and I would need the OSCP certification for job hunting.

Before I went for my third attempt, I spent one month attempting machines on Proving Grounds (PG) Practice listed in TJ Null's OSCP list. After my one-month subscription ended, I purchased a month of PWK lab extension, where I worked on the PWK OSCP set A, B, and C challenges, which simulate the OSCP exam. Each set has an Active Directory (AD) set and three standalone machines.

During my one-month PWK lab access, I tried to use the time to brush up on my AD enumeration and pivoting skills. I worked on using Impacket's tools, Mimikatz, BloodHound, crackmapexec, and Chisel. Many might say that using BloodHound is overkill for the OSCP exam, but who knows, it might be useful for your exam? It is better to learn to use that tool well, since you have already paid for the PWK lab with an AD environment to practise it in.

Sadly, my bonus points were no longer valid, as my exercise report was the pre-2022 version. Therefore, I had to clear the AD set plus either three initial accesses or one full pwn and one initial access.

For the same reason, my exam started at 7 a.m. (Thursday). However, due to some administrative matters at the start of the exam, I was only able to start working on the machines at 7:30 a.m. I started off by attempting the AD set. The initial access was hard, and it took me 3 hours to find the initial access method. After that, privilege escalation and pivoting were smooth sailing. I finished the AD set around 12:30 p.m. before having my lunch and taking a short nap.

At 2:20pm, I attempted my first standalone machine, which I pwned at 3:30pm. By then, I had hit 60 points. I felt regretful that I had not attempted to get the bonus points; otherwise, I would already have passed.

I took a half-hour break before attempting the last two standalone machines. By 4:40pm, I had pwned another machine. I had a total of 80 points, which met the passing score of a minimum of 70 points. I was so happy and celebrated, feeling so relieved after failing terribly during my first two attempts.

At 5:30 p.m., I decided to work on my exam report to secure my points. I wrote down every single step's commands, screenshots of their output, and an explanation of why that command was needed. I even included the installation steps for certain tools. After completing the report, I reverted all of the machines and copied and pasted all the commands from my report to make sure it could be replicated and I had not missed any steps. By the time I was confident in my exam report, it was already 1 a.m.

I tried to attempt the last standalone machine, but I guess I was too tired to work on it. At 3 a.m., I took a nap before waking up at 6 a.m. I checked my report one more time before the exam ended at 6:45 a.m. However, I was still afraid that I would mess up the report. I slept until 1 p.m. before checking my report for the final time and submitting it.

5. Results

By the next Thursday evening after my exam, I received an email from OffSec that I had passed my OSCP exam! I was so worried, as my friend who had already passed his OSCP exam had a debate with me about the requirement for the screenshot of the proof flag. He mentioned that students have to print the flag file via its full path.

# cat /root/proof.txt

However, I argued that OffSec specified that we have to show that we are using a root/admin shell and are printing the flag from its original location. Therefore, I showed it using the following method:

# whoami
root
# pwd
/root
# cat proof.txt
***********************
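Whichever of the two styles above you pick, the point of contention is that the screenshot must show who you are and that the flag was read from its original location. The script below is an added example, not the author's method or an OffSec-provided tool: it prints the evidence in one consistent block (identity, hostname, addresses, the absolute flag path, and the flag itself) and refuses a relative path so the "original location" is never in doubt. It assumes the flag is exactly 32 lowercase hexadecimal characters; treat that pattern as an assumption and adjust it if your target's flag format differs.

```shell
#!/bin/sh
# Added example (not the author's script): emit a consistent proof block for a
# screenshot and sanity-check the flag before moving on to the next machine.

# Validate that $1 is an absolute path and that its contents look like a flag.
# ASSUMPTION: a flag is exactly 32 lowercase hex characters; change the pattern
# if the flags on your target differ.
check_proof_file() {
    path="$1"
    case "$path" in
        /*) ;;   # absolute path, i.e. the flag's original location
        *)  echo "refusing relative path: $path" >&2; return 1 ;;
    esac
    [ -r "$path" ] || { echo "not readable: $path" >&2; return 1; }
    flag=$(tr -d '\r\n' < "$path")
    if printf '%s\n' "$flag" | grep -Eq '^[0-9a-f]{32}$'; then
        return 0
    fi
    echo "unexpected flag format in $path" >&2
    return 1
}

# Print everything an examiner wants to see in a single screenshot: who you
# are, which host you are on, its addresses, and the flag read via its full path.
show_proof() {
    path="$1"
    check_proof_file "$path" || return 1
    echo "# id";       id
    echo "# hostname"; hostname 2>/dev/null || uname -n
    echo "# addresses"
    if command -v ip >/dev/null 2>&1; then
        ip -brief addr 2>/dev/null || ip addr
    elif command -v ifconfig >/dev/null 2>&1; then
        ifconfig
    fi
    echo "# cat $path"; cat "$path"
}

# Usage on a target after privilege escalation (source the file, then call):
#   . ./proof.sh && show_proof /root/proof.txt
```

Because the script is POSIX sh, it can be pasted into most Linux shells you land in; on Windows targets the same evidence is gathered with `whoami`, `hostname`, `ipconfig` and `type C:\Users\Administrator\Desktop\proof.txt`, which this example does not cover.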

Most of my friends and colleagues who have the OSCP or OSWE usually receive their results after taking the exam over the weekend. However, mine took a while, which got me worried, wondering if I had failed due to missing steps or incorrect screenshots of the proof/flag.

I hope that this post on my OSCP journey provides some tips and helps you prepare for your OSCP exam. If you are currently feeling demoralized after failing the exam, as I was, don't give up! Who knows, you might pass it on your next attempt!

If you like my content, do follow me via email. You may also send me some tips if you like my work and want to see more of such content. Funds will mostly be used for my boba milk tea addiction. The link is here. 🙂
