Cracking the OSCP

How to practice and pass OSCP from scratch! | by Shubham Khichi | Medium

When it comes to certification’s the OSCP is the gorilla sitting in the corner. It’s a behemoth of an exam, testing your technical abilities, mental strength and creative thinking skills all under the careful eye of a proctor for 24 hours. Add to that, Offensive Security is super tight lipped about the exam and for good reasons, the integrity of the exam is what makes this certification hold so much weight in the job market. So how do you prepare for something like this?

Knowing what you’re getting into

When I first decided to pull the trigger on the PWK (the OSCP course from Offensive Security) I searched the web doing as much research I can about people’s past experiences, reading over 25-30 reviews just like this one. There were a few that always stood out to me and offered me advice I deem monumental in my ability to pass the OSCP on the first try. So I will post their links below and reference what it was that caught my eye:

  • hyd3sec – talks about the time commitment (including talking to your significant other)
  • Rana Khalil – her TJNull list prep, along with her machine writeups are so legit
  • Joe Helle – his exam mindset, taking breaks

This is not an exhaustive list but do your research and know what you’re getting yourself into. The OSCP will gobble you up if you treat like any other certification exam.

Roadmap – Pre-PWK

Once you’ve made the decision to take the exam, it’s time to get to work, it’s time to hustle. There’s a well known “list” of machines that you should be attempting and clearing on a regular basis. You can find that here : TJNull’s List . You don’t need to complete every machine on this list but at least half is fine. The objective here is to get a feel for the methodology used to crack these machines. Also I will add, don’t be afraid to use walkthroughs! Especially with the HTB machines, if it’s been 3 hours or more, check the walkthrough for a hint and move on. The goal here is to get exposure to different techniques, tools, footholds and privesc methods.

Course Time – PWK

Once your lab time starts, it’s pedal to the metal. You’ve already talked to your family, created your study plan and are armed with a fresh set of CTF skills. The PDF you get is around 800+ pages and comes packed with exercises that you can do for extra points on the exam. My recommendation is that you read that powerpoint at least once, take notes and do exercises on any topics you’re not strong in.


The PWK comes packed with an entire network of labs including multiple subnets that will you need to pivot through. The labs are fundamental in teaching the mindset and methodology that is the OSCP. You need to hit this hard and be prepared to fail and just staring at the screen hours trying to make something click. It’s here where you’ll grow the most as a hacker, pentester and offensive security professional.

During the labs take notes in a clear and concise matter. Use tags to keep track of commonly used payloads. How to transfer files, exfil data, reverse shells, crack hashes, you name it.

The Secret Sauce

I cracked about 50 machines in the PWK lab, which I felt was a great number to be at. I had pivoted into 2 different subnets and even hit the 5 retired exam machines in the IT network. From here, I needed something more potent. Enter…Proving Grounds. The 2 weeks leading up to the exam all I focused on was Proving Grounds Practice. 2-3 machines a day sometimes 4 if I was in a groove. If I spent more than 2 hours on any point I would look for a hint but I hardly ever needed that nudge, maybe during PrivEsc point I needed 2 or 3 over the course of 40 machines.

Exam Day

Let’s start with the day before.

The day before the exam I took off. I got my exam template downloaded and I reorganized my notes just ever so slightly. I also opened up a few blogs that had useful commands in it, so that on the morning of the exam I had nothing to do but hack away.

Now back to exam day.

The exam started off bright and early at 7am and if you run into any trouble with your VPN, Offensive Security support and team is there every step of the way. I took multiple breaks during the day, about once every two hours for about 5-10 minutes, to refresh my water/coffee. Around 9:45 pm I had enough “points” to pass the exam and I went absolutely nuts in my room, I’m talking jumping, fist pumps, there may have been tears I don’t remember (I remember). But I needed to make sure I was in the clear. And 5 hours later I had secured a few more points on another machine and it was time for bed I slept 4 hours, woke up and made sure I had all my screenshots and got right to work on my report. I submitted my report that evening and got the answer back 5 days later that I successfully pass the OSCP exam.

Looking Ahead

The OSCP transformed me into a different person, or maybe it unearthed the person that was there all along. This exam is as much of a technical one as it is a mental one. Within 24 hours, you need to showcase your skills, deal with the stress or someone watching over you and handle any issues that come up during that time. I will never forget this experience, the ups and downs, the late nights falling asleep on the keyboard and telling my wife just 5 more minutes. Hats off to OffSec for a fantastic exam and course content. I am beginning the OSEP course, Evasion Techniques and Breaching Defenses in just a few days. And when else fails remember to Try Harder!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: