Before, During and After my OSCP
I passed my OSCP in June 2018, so this post is a little late. But honestly, I figured everyone else writes one almost immediately, fuelled by the joy/sadness of receiving the email from OffSec. I did think about writing one straight away but I didn't really know how it would differ to anyone else… "I passed. Exam was hard. Labs was fun. Well worth it. Woooooh."
So a few months down the line, I figured I could post some points about my personal experience with OffSec's PWK course (and ultimately, the very popular OSCP certification). I don't really want to sit here and recommend resources and pre-requisites for everyone to be able to one shot the exam. These kinds of blogs can be found with a simple Google, in fact – some people even dump an entire A-Z on Github, so I'm sure if you're good enough at Google then you'll find it. However, that'd ruin the whole experience (in my opinion).
The following sections of this post contain 3 main topics: "Before", "During" and "After" my time with OffSec, what I learnt and any recommendations I have regarding the entire course and exam. Again, to reiterate – this won't be a "Do this box on Vulnhub and you'll pass", it's more of a holistic view of everything around gaining your OSCP certification. As well as these 3 main sections, I will break down my course purchase and conclude with any final thoughts.
A quick breakdown
Lab time purchased: 90 days
Started: March 2018
Exam: End of May 2018
Exam Attempts: 1
Additional:
- Completed the lab report as soon as I could (possibility for extra marks)
- Spent ~2 hours a day chipping away due to work and University
Before my lab time
- Started from scratch** on Hack the Box (HTB), and just about reached the "Pro Hacker" rank.
- I'd been to 1 face to face CTF which I was terrible at.
- I had dabbled with very basic Buffer Overflows (no ROP, Ret2LibC, Canaries, DEP, ASLR etc).
- Had very limited knowledge of web exploitation (XSS, no SQLi).
- Awful at enumeration (pre and post), I successfully missed obvious things a lot.
- I thought long sessions of hacking and energy drinks were a good idea.
- I knew C, a bit of Python, no bash, and my Kali (Linux overall) skills were limited (I knew various other languages which were of no use here…)
** When I say scratch… I mean scratch. I was googling how to "scan ports" and "how to hack WordPress." I didn't even know what a reverse shell was, I just knew I wanted to get one. Trust me, I was clueless.
During my lab time
- Enumeration became the key to my lab success.
- The PWK course material carried me through the lab.
- I used the rubber duck approach with non-technical beings. I talked to my lizard, tarantula and girlfriend about various systems and my approach, receiving 0 feedback. This made me explain it further and further until the answer was literally on the tip of my tongue. (Great technique for debugging code too!)
- Metasploit wasn't the only option (99.9% of the time).
- C, Python, Bash and (minor) x86 asm are your friends.
- The "try harder" attitude didn't really help me, unless it's used in a sense of "you're at the right door, just keep trying". When it's some kid who can't even sign up on HtB spamming it on discord, it's just not worth reading it.
- Custom cheat sheets for my own tools/scripts, enumeration methods and overflow techniques really helped relieve stress when it came to using them against a target.
After I received my "pass"
- A nice sleep during the exam was literally all I needed.
- Enumeration WAS (and still is) the key to my "success".
- Energy drinks just increased palpitations, eat and drink healthier stuff throughout. Don't enhance your stress!
- I wasted time banging my head against something I thought was going to work. I even told myself it wasn't going to work. I continued to hit it. Don't do that.
Final thoughts
- DON'T be put off by the Buffer Overflow content. It's the best bit!
- The course materials will take you from 0 to OSCP, it just takes time and effort.
- The exam is difficult, and it should be "feared" but don't let it hinder your progression. If you fail, so what? Just re-book it, study up and hit it again.
Overall, enjoy it. It's 24 hours of hacking (if you don't sleep). OffSec care about their students, if you have any questions just ping them. I made heavy use of their live chat because I'm smart enough to literally break everything, all the time. You'll miss it when it's over, I know I do. So make the most of it!
Good luck if you are planning to take the course and exam yourself. It's definitely worth the time and effort.