This course will take you to the limits of your mental abilities. I want to clearly state that technical knowledge is only a part of what will be tested. Your emotional resilience, patience, persistence, time management, personal relationships etc. will all be tested. Offensive Security performs a penetration test on your mind and trust me when I say that they WILL succeed in finding a vulnerability. Embrace the honest discovery of where you can improve, and invest the necessary effort to adapt and succeed. Whatever comes to light, remember that you’re here to learn and improve.
After I made payment, the confirmation e-mail came through, and I felt nervous. I had read so many reviews about the course, and what I could expect from the next few months of my life, and it was an overwhelming thought. Once the excitement settled, I scoured the internet for clues on how to prepare. As I am sure you must have seen by now, the internet is full of reviews and there is no shortage of tips and advice. Some good, some not so useful, and others seemed out of date. If you’re reading this then you’re likely in the same position that I was, so instead of adding to the problem of information overload, I’m going to distil the truly essential advice that makes the most sense in terms of time invested and reward.
The key to preparing is to firstly acknowledge that the course is a mile wide and an inch deep. You will receive very little benefit from spending months trying to master Python as a means of preparing for the course. Instead, spend a bit of time getting to know the basics of a wide variety of subjects.
Hindsight: If you do nothing else, make sure that you buy and go through “Penetration Testing: A Hands-on Introduction to Hacking” by Georgia Weidman. This book covers pretty much all the aspects of what the OSCP entails. The book is very clearly written and delivers the concepts in bite-sized chunks that would be perfect for any acolyte. I so wish that I had known about the videos on Cybrary that pair with the book when I started. You can find them here: https://www.cybrary.it/course/advanced-penetration-testing/
This book and video series made such a profound difference in my learning that I intend to write a separate review for each of them soon. If your preparation consists only of going through these two resources, you will still be well armed.
Offensive Security provides you with a couple of hours’ worth of videos along with a sizeable PDF to get you started. When I received mine, boy was I ready. The quality of both is good, and I enjoyed the process of going through them. There are two classic pieces of advice that I want to echo to anybody starting out. Firstly, do the exercises as you work through the book and document them as you go. Submitting a report with your exercises can score you up to 5 additional points in the exam, which could very well mean the difference between a pass and a fail, so make sure you do them. Secondly, make sure that you do this before you hit the labs. Yup, it will take an enormous amount of restraint, but take the time to work through the PDF and videos to the very end before going into the labs. You will save yourself a great deal of heartache in the long run.
Hindsight: That being said, I have to take a moment to highlight that this is, in my opinion, a bit of a ‘flaw’ with the course structure. Your lab time starts as soon as you receive the PDF and steadily counts down in the background while you’re not in a position to make progress because you’re going through the material. It is for this reason that I recommend you invest a significant amount of time into getting through the material as quickly as possible. The average time it takes a student seems to be about 8-12 days.
The Student Labs
This is where the true value of the course is, in my opinion. You get to unleash your new skill set against 50+ machines in a safe and controlled environment. They range from a walk in the park to machines that will drive you to the edge of sanity and require many hours of research and late nights. It truly was an amazing experience that I will always treasure.
Hindsight: Where possible, try to stay away from any tips or spoilers. You’ll find some students in the #offsec channel on IRC swapping solutions, and there will be many times when that will seem like a good idea while you are hitting your head against the desk. I was there myself, and yes, I reached for the spoilers a few times, but let me assure you that I walked away disappointed in myself. There is only one way to pass the exam, and that is to go through the process of practising in the labs. The process of researching your way into a root is where the true learning happens. Trust me on this!
A lot of students also get caught up in trying to exploit everything by hand and in staying away from Metasploit because of the restrictions in the exam. I want you to rest assured that it’s really not necessary. In fact, during my exam I didn’t use Metasploit even once. The opportunity just never came up and it was never required. Come to think of it, I don’t think I would have been able to use Metasploit even if I had wanted to (but that was just my experience of the exam).
The exam is what puts the title of OSCP in the hacking hall of fame. You are given 24 hours to hack 5 machines of various difficulty, and each rewards a different number of points. You need 70 out of a potential 110 points to pass. Yes, 110, because while the exam can award you up to 100, you can gain another potential 10 by submitting your exercise and lab report.
Very few people pass the exam on their first attempt. From what I can tell, it seems to be about 20% of students. If that scares you, then keep reading because there is a section coming up written just for you.
On my first attempt, I estimate (because you never know for sure) that I totalled around 65 points including my documentation. Not enough. I spent nearly 90 days in the labs, and during this time I gave it my all. Monday to Friday, I spent around 2-3 hours every night, and on Saturday and Sunday I spent at least 8 hours on each day. It was not for a lack of trying, and definitely not for a lack of preparation. I got up, dusted off my knees, rolled up my sleeves and got back to work. A month later, I would write my exam again. I spent a whole day carefully going over my notes to see exactly what my weaknesses were and came up with a detailed learning plan on how I could improve. During the month to follow I learned more than any month prior.
At this stage, I had managed to pwn 48 machines in the lab before my new exam date came rolling around. I created detailed notes, watched hours of tutorial videos online, rooted several machines from VulnHub, read two books cover to cover, etc. Surely this would be my time to shine! After 24 hours in the exam, I walked away with around 40 points. How could I possibly have done worse than my first attempt? In hindsight, it came down to a single factor: frame of mind. I didn’t believe in my own abilities, and the self-doubt took over. When the clock counts down and panic sets in, you blind yourself to potential solutions. Two days after my second failed attempt, I recognised this fact and knew what needed to be done. I scheduled my third exam for the soonest available date I could book, which gave me two weeks to get my ducks in a row.
Come to think of it, it was like one of those lame Rocky movie moments where I knew what needed to be done. You could almost hear the 80s theme music. I got back up and immediately took up a daily meditation routine again to get me into the desired frame of mind. I made detailed CHECKLISTS of what I needed to do in the exam. While a significant amount of my enumeration was scripted at this stage, I made lists of things to look out for and things to do when I identified certain ports. I made checklists for both Linux and Windows privilege escalation, both of which made a huge difference. The beauty of having these checklists is that they tether you to reality and provide an anchor, so that your mental resources are freed up to work on the deeper problems of the exam. I printed them out in physical form so that I could literally tick them off as I went along.
My third attempt rolled around and I knew I was ready. Within the first 12 hours of my exam, I had 90 points in the bag. When that last root dropped, I took my headphones off, calmly walked out of the room, and returned with a beer in hand. At that stage, I couldn’t care less about trying to root that last machine given the ecstasy of the moment.
I enjoyed the brew and went to bed for about six hours (I was dead to the world). Still having a few hours left, I decided to start writing my report and making sure that I had all the screenshots and proof files that I needed. A few hours after the exam VPN dropped, I submitted my report and the wait began. After a million F5s and 30 hours, I received this gorgeous e-mail:
Now that the dust has settled and the celebrations are over, I can’t help but feel a bit nostalgic. When I started, I found myself in the company of two other guys who also started at the same time (we met in the IRC channel). As the course went on, the three of us formed a working relationship like no other. We learned from each other’s strengths and challenged each other’s weaknesses to encourage learning. We pep-talked each other when we were struggling, and we celebrated each other’s victories. Without their support, I don’t think I would be where I am today. For that, I tip my hat to you @ozzie_offsec and @carbonated. I look forward to our first CTF as a team.