My OSCP Experience — As an 18yo
I received confirmation that I have passed the OSCP certification on the 10th of January 2021 (24 hours after I submitted the report) with 5/5 machines completely exploited. It’s basically obligatory to talk about your experience after you’ve passed the exam, so here are my thoughts.
I did the majority of my OSCP prep during the lockdown period right after high school had ended and college hadn’t started, so I had a ton of free time on my hands. I even completed the CEH certification in this period (I’ll talk about that one too sometime).

Pre-OSCP
I’ve always been interested in “hacking” in general. I went through the whole script kiddie phase, from hacking Subway Surfers to get more coins to injecting TheFatRat meterpreter payloads into applications. In 11th grade, I was introduced to Capture the Flag events via the John Hammond YouTube channel. I decided to participate in a high school level CTF and somehow managed to win. I have been at it ever since.
Things I used to study before registering for the OSCP:
- Offensive path of Try Hack Me — https://tryhackme.com
- Easy/Medium Hack the Box retired machines — https://www.hackthebox.eu
- Hours and hours of watching ippsec “do things” (even if you don’t follow what he is doing step by step, watch his videos whenever you can, you’ll learn a lot) — https://www.youtube.com/c/ippsec
- TCM Security Practical Ethical Hacking and Windows Privesc (https://academy.tcm-sec.com/)
The PDF
I opted for the 2-month subscription for the OSCP labs. My strategy with the PDF was to complete it as fast as possible and get into the labs. I ended up spending about a month completing the PDF while documenting everything along the way (OneNote + Greenshot = win), and my lab report ended up being 200 pages long. I honestly enjoyed going through the PDF and solving the exercises, learned many new things and would 100% recommend completing the PDF before jumping into the labs.
The Labs
I had about a month to exploit as many machines as I could in the labs. I ended up completing 25 machines and had low privilege access on 5 more. I made sure I documented/took notes of everything I did on the machines to practice for the real exam.
The Exam
I scheduled my exam on the 20th of December, but there were some issues with one machine, so Offsec offered me a free retake. I don’t think they would want me to detail the issue, so let’s pretend that never happened. All I could do in that exam was the buffer overflow and the 10-point machine.
I scheduled my retake exam on the 9th of January (Saturday) at 1:30 PM. I planned to work all day, sleep at 1:30 AM Sunday to get a few hours of rest, and then continue from 6:00 AM to 1:30 PM on Sunday.
I logged into the exam portal 15 minutes before the exam started. The verification process took about 10 minutes, and the exam started at exactly 1:30. The proctoring system is very well done. I honestly forgot that there was a proctor an hour into the exam.
I started with the buffer overflow and ran AutoRecon scans for the remaining machines in the background. For some reason, the IP of the BOF machine was the same as in my first attempt, so I felt I might get an easy win with the same exploit. I wasted about half an hour trying that, concluded that I was stupid and should not have assumed that, did the BOF from scratch, and got root in another half hour. After that, I proceeded to get the 10-point machine in another 15 minutes with a quick Metasploit module. So about an hour and a half into the exam, I had 25+10=35 points in the bag. I took a short break, went out for a walk, came back, chugged half a bottle of Coke and started working on the remaining machines.
I would always recommend that you go through all the AutoRecon output at a surface level before diving deep into enumerating any port. By doing this, I was able to identify a vulnerable application by its name that I had exploited before and quickly gained a low priv shell. I got root on this machine in another 5 minutes. So now I had 35+20=55 points and just needed another user shell to pass (with my +5 points from the lab report).
I probably spent about 2 hours enumerating the other 20-point machine and found nothing. I took a short break, came back and instantly found my way to the low priv shell (take breaks!). I spent about another hour on the privesc and had root on the other 20-point machine. Now I had more than enough points to pass, 5 hours into the exam.
I spent 2 hours going down rabbit holes on the 25-point machine. Eventually I understood what I had to exploit to gain code execution and spent about 1 hour getting the low priv shell. I knew what the privesc would be as soon as I got the user shell. I spent another half hour on the privesc and had administrator access on the box. In about 8 hours of hacking, I had pwned all the machines, so I spent the next 2 hours ensuring that I had everything I needed in my notes for the report and went to sleep.
The next day I got up at 10:00 AM, wrote the entire report, rechecked it about 10 times, attached the lab report (I spent a month writing it, someone better read it 😆) and sent it off to Offsec at 4:00 PM, about two and a half hours after my exam ended. I didn’t close my VPN connection early in case I had missed something and had to go back to get screenshots. I got my result 24 hours later, and I had passed.

Overall, studying for the exam and giving the exam was an enriching experience. I’m now looking forward to a summer internship to get some real-life pentesting experience. I plan to improve my web exploitation skills by completing the pentester academy challenges, and I will eventually give the OSWE.
I tweet about random things from time to time so if you’re reading this give me a follow maybe? — https://twitter.com/dhruvagoyal
FAQs
Q. Is it worth documenting the course exercises for the extra 5 points in the exam?
A. Yes. As tedious as it may be, people generally tend to learn things better by documenting/writing things down rather than just reading through books/PDFs. Other than that, even though I didn’t need the 5 points in the end, having them during the exam helped me handle the mental pressure (the OSCP is built in a way that those extra 5 points can decide if you pass/fail, so just having the backup 5 points helps you calm down).
Q. When should I use Metasploit?
A. As much as people think Metasploit is magically going to give you access to any machine in the exam, that is completely false. My strategy with Metasploit on the exam was: 1. identify the vulnerability; 2. check if there is a Metasploit module for it (generally there isn’t one); 3. look if an exploit is available on GitHub and spend exactly 15 mins making it work; 4. if it does not work, use the MSF module for a quick win, then forget that Metasploit exists and move on. Never use it ONLY for a privesc. You don’t need to use Metasploit for anything on the exam, but if you do see the opportunity to use it, don’t hesitate.


Q. I have trouble doing Windows boxes, what should I do?
A. Watch a lot of ippsec Windows exploitation videos, do the TCM Security Windows Privesc course, and you will eventually realise that Windows boxes are generally easier than Linux machines in the OSCP.
Q. OSCP v/s CEH
A. Since I have both certs, I guess I am eligible to answer this common question my fellow Indians have. CEH and OSCP are completely different exams and are mostly unrelated to each other. CEH does not give you any practical experience and is a “120 MCQ questions, get 80%ish marks to pass” kind of exam. The only way the CEH certification helped me is that it improved my technical vocabulary in cybersecurity. On the other hand, the OSCP is very much practical and way more challenging than the CEH certification. I feel in the long run the OSCP is going to have more value than the CEH (apparently, some people still give jobs if you only have the CEH, I don’t know how).
Q. How do I avoid rabbit holes?
A. My exam was FULL to the brim with rabbit holes, every port seemed exploitable to a certain extent, and I’m still not sure how I managed to avoid most of them. The primary strategy to follow to avoid rabbit holes is to have an enumeration plan. Mine was:
1. Go through every single AutoRecon output line and check if something immediately stands out.
2. Start enumerating every port (follow a cheatsheet checklist) starting from the lowest ports (skip web ports).
3. Enumerate the web ports after you’re 100% sure that nothing else is exploitable. You can go down the web exploit rabbit hole for 10 hours and eventually realise that FTP was what you actually had to exploit.
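The three-step plan above can be turned into a small triage helper. The script below is an added example, not the author's tooling or part of the original post: it parses nmap's grepable (`-oG`) output, which AutoRecon and most scan wrappers can produce, keeps only open ports, and orders them the way the plan does, lowest non-web port first and web ports last. The sample scan line is constructed for the example (hypothetical host 10.10.10.10 and services), and the set of ports/services treated as "web" is an assumption you should adjust to your own checklist.

```python
"""Triage helper for an enumeration plan: non-web ports first (ascending),
web ports last.  Example code added to this post; not the author's tooling."""
import re
from typing import Dict, List

# Assumption: which services/ports count as "web" and are enumerated last.
WEB_SERVICES = {"http", "https", "http-proxy", "http-alt", "ssl/http", "ssl/https"}
WEB_PORTS = {80, 443, 8000, 8080, 8443}

# Constructed sample nmap -oG line (hypothetical host and service banners).
# -oG port entries look like: port/state/protocol/owner/service/rpc_info/version/
SAMPLE_GNMAP = (
    "Host: 10.10.10.10 ()\tPorts: "
    "21/open/tcp//ftp//vsftpd 3.0.3/, "
    "22/open/tcp//ssh//OpenSSH 7.2p2/, "
    "80/open/tcp//http//Apache httpd 2.4.18/, "
    "139/open/tcp//netbios-ssn//Samba smbd 3.X/, "
    "445/open/tcp//netbios-ssn//Samba smbd 4.3.11/, "
    "8080/open/tcp//http-proxy//Jetty 9.4/, "
    "3306/filtered/tcp//mysql///\tIgnored State: closed (993)"
)


def parse_gnmap(text: str) -> List[Dict[str, object]]:
    """Return one dict per *open* port found in nmap -oG output.

    Assumes version strings contain no commas (nmap separates entries with ', ').
    """
    ports: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = re.search(r"^Host: (\S+) .*?Ports: (.*?)(?:\tIgnored State|$)", line)
        if not m:
            continue
        host, portlist = m.group(1), m.group(2)
        for entry in portlist.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 7 or fields[1] != "open":
                continue  # skip filtered/closed ports and malformed entries
            ports.append({
                "host": host,
                "port": int(fields[0]),
                "proto": fields[2],
                "service": fields[4],
                "version": fields[6],
            })
    return ports


def is_web(p: Dict[str, object]) -> bool:
    """Web ports are deferred until everything else has been enumerated."""
    return p["service"] in WEB_SERVICES or p["port"] in WEB_PORTS


def triage_order(ports: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Steps 2 and 3 of the plan: non-web ports ascending, then web ports ascending."""
    return sorted(ports, key=lambda p: (is_web(p), p["port"]))


def checklist(text: str) -> List[str]:
    """Human-readable checklist in the order the ports should be worked."""
    lines = []
    for p in triage_order(parse_gnmap(text)):
        line = f"{p['host']}:{p['port']}/{p['proto']} {p['service']} {p['version']}".rstrip()
        if is_web(p):
            line += "  [web: enumerate last]"
        lines.append(line)
    return lines


if __name__ == "__main__":
    print("\n".join(checklist(SAMPLE_GNMAP)))
```

Run it against a real `-oG` file by reading the file into `checklist()`; step 1 of the plan (skimming the full AutoRecon output for anything that stands out by name) is still a manual read, which is why the version string is kept in every checklist line.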
Q. When do I know I am ready to take the exam?
A. Most people generally give a vague answer for this, but I’ll give you a quantitative one. If you can consistently identify the privesc exploit on a machine just by looking at the unhighlighted winPEAS/linPEAS output, you’re probably ready to take on the exam. Other than that, make sure you can enumerate properly, which is just something you learn with practice (THM, HTB, Labs).