It’s a painful, yet wonderful and fun journey in summary. It’s full blown practical. You can’t just read some books, practice some multiple choice questions and pass the exam. You have to immense yourself in practice, practice and practice. It’s roller coaster in emotion. It’s frustrating, depressing and humiliating when I get stuck and going nowhere. On the other hand, great joy gushes out from within when I finally rooted the box (even though I didn’t do the de facto root dance).
I spent about 3 months to obtain my certification. From not owning any box, to rooted 87 machines right before my OSCP exam.
Dedication is needed. Stay healthy is also needed. You need to devote most of your free time to practice, research & learn. Yet you also need enough rest to let your body recover both physically and mentally.
I am going to layout what I went through for this journey and hopefully this would be helpful to those brave souls who are ready to take the challenge. While it took me 3 months, time needed for others vary. Some need less while some need more. There’s many factors affecting the time needed: background, experience, free time availability & etc. Other blogs suggested about 300-600 solid hours practice which I think is a fairly good estimate.
Before my course begin (about 2 weeks)
I signed up in mid September and the course won’t start until late September. So I have roughly 2 weeks to prep before the actual course starts.
I started preparing like I described in How and where to start preparing for OSCP. I read big parts of Georgia Weidman’s book (A Hands-on Introduction to Hacking) that are within the scope of OSCP.
After the warm up CTF challenges, I moved on to Vulnhub.com to start getting a taste of rooting boxes. I picked the easy ones from Vulnhub CTF Difficulty list. Since they all have writeups, I could refer to the writeups when I am really stuck. But I tried to avoid as much as I could and only to read them after I rooted the machine to see how other people did the box and learn from them.
abatchy’s blog has a list of OSCP-like Vulnhub VMs if you like more OSCP style. I aimed to root about 10 vulnhub VMs before moving on to HackTheBox.
During this prep period, I rooted 5 vulnhub VMs. On average, it took me about 4-5 hours each.
OSCP course – First month
When the start day arrived, I received emails from Offensive Security to unlock the course materials: course pdf, video clips and connection pack to the lab network.
During this month, I didn’t jump on any lab machines trying to root them. I didn’t feel ready to take the plunge right into the lab machines yet. I would rather get better equipped first. So instead, I took my time going the through the course materials, doing the exercises and documented them.
While studying through the course materials, I continued to spend time trying out vulnhub VMs. I rooted another 5 VMs to a total of 10 vulnhub VMs. After that, I moved on to HackTheBox. Rooted 20 retired machines (mix of easy and medium) picked from TJ_Null’s OSCP like boxes list. I also made sure the boxes I picked has the corresponding video walkthroughs from ippsec. His walkthroughs are amazing and I learnt a lot from him even only watched after I rooted the boxes.
By the end of the first month, I finished reading & watching the course materials; rooted 30 machines (mostly easy ones) and completed about 70% of the course work exercises. The remaining 30% requires interaction with lab machines so I save it after I worked on the lab machines.
OSCP course – Second month
Tib3rius’s AutoRecon – Highly recommended. A multi-threaded network reconnaissance tool which performs automated enumeration of services. This tool will automatically start nmap scanning and launch subsequent enumeration tools based on available services on the target machine. This can save you a lot of time and it’s allowed to use in the exam.
While I didn’t try to tackle any machine during the first month, I did use AutoRecon to perform scanning for all the machines I had access to. I did it gradually (like 2 or 3 machines at a time) so that it won’t overwhelm the network. But be caution that this pre-scanning may not be accurate in some boxes because the boxes were not in fresh startup state. To obtain the most accurate enumeration results, always revert the box first and then do the enumeration.
although I already had scan results for each box, I was facing a sea of machines and feeling no clue as to where to start. I ended up checking out the scan results quickly, box by box and picked the box that I felt more familiar to start with.
My efficiency probably didn’t improve much but I was able to move forward gradually and steadily. There were a lot of getting stuck moments and so were a lot of ‘gotcha’ moments. So my emotion was like a sine curve.
This is where you developed your methodology, how you approach a machine and what tools to use in different situation. There’s lot of researches, fails, retries, learning. Keeping notes of what you learnt and used is very important. I kept detailed notes of each and every box I rooted. After researching a bit, I settled with Microsoft’s OneNote. It’s not perfect but it serves my purpose. Other people also recommended notes keeping tools such as CherryTree (available in Kali) and KeepNote. Organize your notes well and it will help you become more efficient.
Within this second month, I managed to root all 54 intended vulnerable boxes in 4 different networks. There were a whole lot to learn and experience. There are a bunch of scenario, tools, techniques that may not be applicable in exam. But don’t skip them, great learning opportunities.
OSCP course – 2 weeks before exam
I finished the remaining 30% exercises and completed the lab report with 10 unique compromised machines (important: read exam guide for requirements about the lab report).
I then went through the notes of every boxes to consolidate the methodology I used and better organized the notes for quick access.
I also rooted several more HackTheBox oscp machines with medium difficulties.
For the last couple days, I relaxed a little bit and made sure I have enough rest to handle the exam.
This is my very first 24 hours practical exam. Also my very first proctored exam through Webcam. Quite anxious and not sure what to expect. Fortunately, I made it through!
I am not going through how I sweated & teared through the exam. But rather some tips about better prepared for the exam:
UPDATE: Screen capture is no longer allowed in exam. Again, please check out the latest rules of the exam to ensure you know what are allowed and what are not allowed.
- Work on Buffer Overflow machine first and at the same time use AutoRecon to scan other machines. This would save you some time.
- OBS Studio: Screen capture software. Used it to record kali screen at 5 fps. In case you missed screenshots for your report, you can try to locate from the recordings. But don’t rely on it, try to capture all the screenshots you need during exam.
- Machine Revert: if your exploit doesn’t work and you are confident about it, revert the box and try again. The machine maybe in a non-responsive state after your previous attempts.
- Time management: Don’t get stuck on a box for too long. Work on a box for 1.5 – 2 hours. If no progress, move on to other boxes, then come back later. (It’s good to practice this during labs)
- Metasploit: could be the life saver. Since we can only use it on 1 machine, suggest not use it early. Try manual exploit on all machines first before deciding which machine to use it on (if you need to use it).
- Report: It is very IMPORTANT. Make sure you read the exam guide and exam objectives thoroughly. Don’t miss anything.
- Prepare some good snacks/drinks at your reach.
- Good rest before exam and take breaks & sleep during exam to keep your mind fresh.
This is my flow. Hopefully can benefit some fellow OSCP takers. You can do it!