After 200 hours of studying over a period of 90 days I finally took the OSCP exam and passed on my 1st attempt!
If you want to read about my journey take a look at all posts in this series.
In this post
- Tips for a good exam
- Exam day
- What is next?
Tips for a good exam
Some general tips for the exam that helped my pass my exam:
- Rest well: your mind needs to be clear when you start.
- Regular breaks & Fresh air: your mind needs to reset every few hours in order to get ready for the next hard task
- Schedule your day as if it was a work day: your body (and mind) are used to that routine.
- Switch machine regularly: to stop you from digging deep into a rabbit hole it is important to switch around every few hours.
My Exam day
On Thursday, May 10th, we had a holiday in The Netherlands. An ideal time to take the 24 hours for the exam. I decided to schedule the exam as I would a normal working day. Generally I work from 8:30am until 5pm-ish and then go home and eat. On study days I would then start studying for OSCP after dinner until early in the morning (max around 1am).
By scheduling the exam to fit this pattern my body is already used to the routine. Granted, the adrenaline of the exam is somewhat different from your normal day-to-day routine, but after a little while you get into the groove and your training takes over.
Before the exam day
The day before the exam I sat down and thoroughly read the OSCP Exam Guide. This document outlines what you may and may not do. I had read it at the start of the course, but it gets updated regularly so it is wise to read it just before taking the exam.
I had already created several scripts to make sure the documentation is up to spec (take a look at reporting in week 4). In the end you need to upload a 7z archive with your report, so I created a script to create this archive and tested it. All these menial tasks are easy to get wrong when you are tired, so automating it might save you one time.
I created a small checklist based on the steps outlined in the guide. This helps to ensure you don’t skip a step. There are 4 sections that cover the Submission of your report. Having the steps in easy to follow TODO items ensures you don’t need to re-read the document.
I also setup my note-taking files. I use Emacs with org-mode for all my notes (and TODO items). See week 6 for more details on my workflow. For each machine (I know I am getting 5) I setup a section with the basic steps in my methodology. This ensures you do not forget to do something. This is the same approach I took for each machine in the lab.
Each machine has sections covering Scanning, Enumeration, Analysis, Exploitation, Post Exploitation and Privilege Escalation. During the lab time you gather several scripts that you will like to run to do any of these tasks. I basically just put placeholders for these scripts in each step.
And then off to bed at a reasonable time. I did sleep quite well and woke up rested.
So at 9am I was just finishing my breakfast when the email arrived from Offensive Security. The exam had started. I went into my office, read the email and started moving the notes you get on each machine into my documentation system. There are specific steps you need to hit for each machine, so they became TODO items in my file.
Each machine gives you a number of points, there are 3 brackets of points, lets call them high, medium and low point machines. I picked the first machine on the list worth the most points. This was a “regular” machine and I followed my methodology. After a little while I was looking at my first low privileged shell. I jumped for joy, which is kinda silly for a low privileged shell, but the fact that my nerves did not make me stupid was worth something. During post exploitation I got stuck trying a lot of things I learned in the lab. Nothing worked. I thought to myself; it is a high point machine, it will not be easy.
At noon I decide to leave the machine, grab some lunch and take the dogs out for a walk. This helps to clear my head. I decided to start work on the other machines.
So the next machine was obviously the other one in the high point bracket. It seems to be common knowledge that the Exam contains a Buffer Overflow machine. I tend to like writing buffer overflow exploits, so this machine was a fun exercise.
I did work dilligently and documented each step for the report. So it took me about an hour to an hour and a half to work through it. Then I tested it on the actual machine and it actually ran!
Time for a coffee break, grab a cookie and take the dogs out for another walk. Resetting my mind for another task.
After picking that machine off I started exploring the medium bracket machines. The first one went down quite easily, the 2nd one baffled me. It had so many rabbit holes that I got lost in my head. I worked on this machine until dinner (Pizza!) was ready (delivered).
After dinner I decided to take a look at the low point machine. I was quite amazed that after 15 minutes I was done. It was a happy dance moment. At this time I did not have enough points to pass. I had 3 machines, but not yet enough points. So I started working on the medium bracket machine some more. After a few hours I still had no foothold.
Then my wife came into the office to wish me a good night, I thought to myself that I was in a very bad spot, time had passed so quickly and no progress was made. I need one of the 2 machines to pass, but both I am stumped on! I explained this to my wife, told her that I probably should spend time on elevating my privilege on the 1st machine. Then she said the most amazing thing; “if you are so stuck, why not just start again?”. I did just that.
I ran another enumeration on the server and after reading the output for a little bit I finally found what I was looking for!
At about 1:30am I finally rooted the machine. The feeling was amazing. I knew I had enough points to pass the exam.
I spent the next hour and a half going through my screenshots, renaming them to sensible names, highlighting specifics in them (red boxes and underlines) until I was satisfied I had all that I needed. I then went to bed and slept till 8am. I grabbed a cup of coffee and went over my notes a last time, to make sure I did not miss anything crucial. At 8:45am my exam connection terminated and it was done.
The final report
With all the notes and screenshots the report has become quite extensive. I ended up writing about 40 pages (lots of screenshots). I ran my scripts to package it up, add the lab report (another 300 pages) and submitted it to Offensive Security. Pretty soon after that I got an email confirming they had received it.
The next day I received my notification that I had passed!
What is next?
I have a million notes on various techniques. I am thinking about structuring them into a notebook for everyone to read. I found the various websites and blogs very useful when studying, so this would be a good way to give back to the community.
Otherwise my digital life has been on hold for the last 3 months, so there is some catching up to do here as well. I have a long list of things to look at, so I will start picking those off one-by-one I think.