In July 2022 I took and successfully passed the OSCP exam on my first attempt. I went into the exam feeling extremely confident owing to many months of preparation. For those of you that like to over-prepare and leave as little to chance as possible the path I present here should ensure that you pass the OSCP exam on your first attempt too.
As you will see, my approach was to learn by doing, completing as many lab machines as possible. For those of you reading this post who have yet to try and hack a vulnerable lab machine on Hack The Box or Proving Grounds, expect each machine to take 3-8 hours to complete.
Pre-Course Preparation
Purchasing a subscription to Hack The Box will provide you access to over 350 retired lab machines. Between December 2020 and October 2021 I did 59 Hack the Box lab machines. The majority of these machines were completed with some form of assistance, either by following along with a YouTube video or a write-up. I found the follow-along method of learning very effective, because whilst I may not have understood every command I was typing or why I was typing it, I was exposed to a broad range of tools and techniques as well as the thought-process behind it.
| Easy | Medium | Hard | ||
| Driver | Blunder | Forest | Seal | Static |
| Bashed | ServMon | Blue | Intelligence | Tentacle |
| Mirai | Granny | Netmon | Dynstr | — |
| Blocky | Grandpa | Jerry | Schooled | — |
| Beep | Bastion | Legacy | TheNotebook | — |
| BountyHunter | Bastion | Spectra | Time | — |
| Forest | Nest | ScriptKiddie | Bucket | — |
| Traverxec | Cap | Lame | Ophiuchi | — |
| OpenAdmin | Heist | Luanne | Tenet | — |
| Writeup | Remote | Laboratory | Passage | — |
| Shocker | Love | Academy | Ready | — |
| Active | Armageddon | Doctor | — | — |
| Explore | Access | Delivery | — | — |
| Bounty | Arctic | Omni | — | — |
| Frolic | Optimum | — | — | — |
| Tabby | Devel | — | — | — |
Penetration with Kali Linux (PWK) Course
In December 2021 I got access to PEN-200, the ‘Penetration Testing with Kali Linux Course’ with a Learn One subscription. Over the holiday period I read all of the course material and did some of the lab questions.
I then started working my way through the lab machines. I did a total of 42 lab machines between February 2022 and May 2022. I was not particularly successful in the labs and completed less than half without any assistance from the forums. I found the labs to be extremely temperamental and sensitive to the actions of other users, which made troubleshooting difficult and the entire process very frustrating. Expect your experience to be the same. Try harder.
I made comprehensive notes on my process for completing each machine, which was very useful for the exam. It is not necessary to write a polished report for each one, but it is very good practice to do so, at a minimum I would take screenshots and make clear notes with reproducible steps for each technique performed. I suggest using Gitbook or a similar platform to organise your notes. I chose Gitbook because it was easily searchable and allowed me to access my notes from anywhere.
Proving Grounds
Proving Grounds is the best training to pass the OSCP exam. The machines in Proving Grounds most closely resemble machines that you will encounter in the exam network. In total between April 2022 and June 2022 I did 58 machines in Proving Grounds. I averaged around 4-8 machines per week, this required me to work on a lab most evenings after work and every weekend. I again took comprehensive notes for how I completed each machine. At the start of this phase I was still struggling to complete machines without hints but by the end, I was completing as many as four machines in a single day without assistance.
| Access | Hunit | Roquefort |
| Algernon | Internal | Shenzi |
| Authby | Jacko | Sirol |
| Banzai | Kevin | Slort |
| Bratarina | Meathead | Snookums |
| Cassios | Medjed | Sorcerer |
| ClamAV | Metallus | Squid |
| Clyde | Mice | Symbolic |
| Craft | Monster | Tico |
| Dibble | Nickel | Twiggy |
| DVR4 | Nibbles | UT99 |
| Exghost | Nukem | Vault |
| Exfiltrated | Payday | Walla |
| Fail | Pelican | Webcal |
| Fantastic | Peppo | XposedAPI |
| Fish | Postfish | Zenphoto |
| Heist | Quackerjack | Zino |
| Helpdesk | Readys | Dawn |
| Hetemit | Resourced | — |
| Hutch | Robust | — |
Final Preparation
I spent the final two months leading up to my exam doing more Hack The Box lab machines and some modules in Hack The Box Academy. I did 27 machines in total. All of these Hack the Box machines are significantly harder than what I encountered on the exam even though they are rated as easy. Hack the Box machines are less straight-forward than machines in Proving Grounds and typically take much longer to complete. In this phase I was sharpening my sword and completing machines felt like I was just repeating a process. It also provided an opportunity to check all of my tools were up to date and that I had all of my notes, commands and wordlists readily accessible.
| Easy | Hard | ||
| Nibbles | Bank | Pandora | Blackfield |
| Knife | Return | Toolbox | — |
| Previse | Buff | Sauna | — |
| Horizontall | Paper | Irked | — |
| Secret | GoodGames | Curling | — |
| Validation | Love | Friendzone | — |
| Antique | Timelapse | SwagShop | — |
| Nunchucks | Backdoor | Late | — |
| Valentine | RouterSpace | — | — |
To give myself a break from machines I also did a small number of Hack the Box Academy modules. The Active Directory modules are exceptional and cover the entire process of Active Directory enumeration, exploitation and lateral movement in a more comprehensive and hands on way than PEN 200. I would recommend that you do them also.
Taking the Exam
The OSCP exam lasts for 23 hours and 45 minutes, with an additional 24 hours to write and submit the exam report. I booked my exam for late July 2022, 8 months after starting the course. I recommending choosing a start time which will have the least impact to your normal sleep schedule.
I started the exam promptly at 0800hrs and began scanning the machines on the exam network. I wasted close to 4 hours trying to find a foothold into the AD domain, with no success, missing out on what should have been 40 easy points. Not being able to get a foothold on the AD Domain put me in the unfortunate position of having to exploit all of the stand alone machines on the network in order to pass. I spent the next 13 hours doing just that, getting the user and root/system flags on the three remaining machines. This netted me 60 points and with the additional 10 points from my lab report I knew I had achieved the 70 points required to pass. I went to sleep for around 3 hours and upon waking decided to re-exploit the three stand alone machines to double check I had all the necessary screenshots, commands and code snippets for my report. After finishing the exam I got a few hours of rest and submitted my final report early evening on the second day.
I received an email approximately 36 hours later informing me that I had passed. I tried harder.
Was it worth it?
PEN-200 is not a good course, but what you really signing up for when you register for PWK is the opportunity to take the OSCP exam. This exam is difficult and that is a good thing. If everyone could pass the OSCP it would not be as valuable as it is. I strongly recommend that if you are serious about getting a cyber security job or progressing in your cyber security career that you commit to taking and passing the OSCP, you will not regret it.