I tried harder | My experience with the OSCP certification

Sometimes, there comes a point in your life where you feel that you’re stuck in a routine, drowning in boredom and useless stress, your career is becoming dull, and you just feel that you’re no longer learning anything new; even worse, you’re no longer working on what you’re good at, you’re losing the skills you worked hard for, and there’s still so much more to learn. I hit this point in my life lately, and I decided to quit that job, get a certification, so it’ll enable me (hopefully) to get a better job where I can learn more advanced things that are relevant to my passion : Cyber Security.


This was going to be my first certification, I kind of had to chose carefully with which one should I start. I kept asking my friends, and choices got limited to CEH and OSCP. Eventually, I chose OSCP. Mainly, because I needed something to get my hands dirty on and apply my skills on real environments, not just memorize concepts and have a multiple choices exam; although that would be very beneficial to set theoretical knowledge straight in your mind, but not for now at least.

If you want something that’ll teach you how to think like an attacker in a professional manner, that’ll give you real life examples, I’d strongly advise you get on with OSCP.

Step zero : Registration

The certification prices include the course in PDF format, course videos of 8 hours total to complete the PDF, Lab time and the exam. Upon registration you get to chose the duration of lab time that will be enough for you to prepare and be ready for the exam. The duration starts from 30 days to 90 days. Before deciding which one I should buy, I had to optimize my chances, and chose a duration that won’t cost much and will enable me to pass the exam from the first try.

I checked the syllabus here, and I felt confident enough that one month would be enough for me, since I kind of work on that stuff on a daily basis as a passion and a hobby.

After the completion of the registration, and booking the date of the start of the course, I received an email containing the PDF of the course, an OpenVPN pack to use when you connect to the lab, and a link to a Kali VM image optimized for the exam and the lab. It is strongly recommended to use that image without any need to update it. In fact some people had problems with updated VMs, so don’t bother, just stick with the VM they’ll give you.

When I received that email, I knew things just got real, I felt a great rush that something’s awesome is waiting for me; many sleepless nights and hard work days. Especially that I was still with that company, I had to buckle up ?.

Step one : The course PDF+Videos

The videos, as I said, are of 8 hours in total. So you can finish them in a day if you have prior understanding of the material, otherwise, take your time to understand and research stuff you didn’t get or didn’t fully comprehend.

The PDF contains about 375 pages. It is recommended you work on the lab and the course in parallel, take your time with it and train on the things you feel you have weakness in. Research and research until you fully understand how things work. Spare no detail. This certification aims mainly at teaching you how to think like an attacker, to understand the basics and internals of things, and being able to exploit them; rather than just use tools and copy command line from tutorial.

When I was reading the PDF, it was so fun that I obsessed over it. I uploaded it on my phone, and would read it in any free time I have. I was able to finish the PDF in a week.

Step two : The real thrill, the lab

Where do I begin. The lab was a really fun adventure, full of frustration, pain, sufferance and the joyful rush of those moments when you have pure epiphany. It was the classic example of “The achievement is a reward in itself”.

The lab consists of approximately 55 machines, with different OSs, configurations, exploitation paths and purposes, distributed on 4 subnets : a public subnet accessible directly when you connect to the VPN, and 3 other subnets that you’ll have to penetrate using the machines on the public subnet.

Some machines were trivial, some were moderately advanced, and others made me so frustrated that, I couldn’t even see the simple answers. When I hit this frustration point I started browsing the forums to see what people are saying. I decided to get the names of the hardest machines according to most people and try to focus on them, in the hope that they’ll teach me something new, or train my way of thinking. Those machines were called : Bob, Humble, Pain, Gh0st and Sufferance. I spent a fair time where these machines, but I eventually gained root to the first 4 machines. But sufferance…Oh dear sufferance is still haunting me to this day.

However, during this lab time, I have picked up a few tricks and skills that would help me on the exam, skills that are both hacking related and non-hacking related. Since metasploit modules weren’t not allowed in the exam, I vowed to never use it during the lab time so I would be really prepared. This made me obligated at many times, to actually read the metasploit module that executes the exploit, and then rewrite on my own using python. Sometimes I had to patch up together different data from different places to finally have a working exploit, like for example a return address for a specific OS. So don’t expect to find online exploits that are working out of the box. Very often, you’ll find yourself obligated to tinker a little bit with the exploit scripts.

Other than that, I was obligated to be more organized than I ever was with my notes. I was using EverNote as a note keeping app. It is important to keep notes of every step you took, especially screenshots and a little description of what you did, it’ll help you greatly during report writing.

By the end of the lab time, I had succeeded in gaining root access to 30 machines, and I started writing the lab report. It was a really fun journey.

Step three : The exam

The exam is 23h45min long, with 24hours dedicated to write the report and send it. The day of the exam, you will receive another OpenVPN pack to connect to the exam environment, along with a report sample, a guide line to read very carefully before you start solving the exam. It is very crucial to read the guide lines, so you’ll avoid unnecessary point reductions. The guide has everything from the naming and the format of the report files, to the things allowed and not allowed during the exam.

You get a subnet of 5 machines, each machine has a number of point gained if rooted, and you have to get a total of 70 points in order to pass the exam and have your certification.

During the exam, I rooted 3 machines during the first 8 hours. I took organized notes. I was confident. And then, I got stuck in the 4th machine. I kept hitting false positives. Every vulnerability or exploit I found online on the services running on the machine were patched, or just not working. 4 hours have passed, I start to lose hope. I started to think this is it, I’ll have to retake the test. But I didn’t give up, not today. I kept retracing my steps, may be I missed a detail, something I didn’t consider. Nothing. Nada. Zut!

It was 6AM already, only 8 hours left, and I still have no idea how to approach it. I decided to get up of my chair, and just stop thinking for 10 minutes.

Those 10 minutes of refreshing got me hope, an intuition, I missed something. I looked again and I realized I did skip a very small detail that would change the course of the game. Realizing that small detail made get low privilege access in 15minutes ! I cursed myself for being so blind, for having lost so many hours. But it’s okay, the game is still on. Now the root. Believe it or not, same thing happened again, I had an intuition and I dismissed it immediately. But this time I retraced my steps quickly and tried to defy the urge of being lazy, and give it my best shot. Try Harder!

And it paid off. It was 11:24AM, and I had rooted the 4th machine. I got the total of the points required, I was relieved.

I didn’t succeed in getting around the 5th machine in those 2 hours left. But it’s okay, sometimes you can’t have it all.

After those long 23hours of adrenaline rush and panic. I decided to get some sleep before starting on the Exam report.

Got some rest, now reporting. I got my notes in EverNote, now it’s time to get all of that in a structured report. This is one of the things that I loved about the OSCP. They really emphasized the importance of organized reporting, because in the end, it’s the sum of your work, it’s what will reflect the true value of your pentesting assignment. It is the report that you will deliver to help the executives understand the weaknesses of their network, and to help the technical administrator to solve and patch up their vulnerable networks.

I used the sample they gave me, changed it a bit for more clarity. I reviewed it twice to correct any grammar mistakes, or rephrase any ambiguities. I converted the files in their required format, named it according to the guide lines and sent. Finally, the end of a very long enjoyable 47h45min.

Now we wait. Normally, it takes the 3 to 5 days business to review the reports and give you the results. But I was lucky enough to wake up the next day to a very exciting email, saying that I got my certification. The thrill of that success was unbelievable.

The work and investment I had put in this for more than a month paid off. It was a great adventure, it surely got me out of the routine i was in.

Some advices :

  • Obviously, don’t give up, always try harder. When you’re about to give up, that’s when you try even harder.
  • For both the exam and the lab, enumerate, enumerate, enumerate. Try to understand what that machine is doing in the network. What is its purpose. How is it connected to other machines. Remember that it’s just a machine, configured by a fellow human. What did you miss ? What did they miss ?
  • Train your privilege escalation skills. Here are some guides that can help you:
  • In the lab you have much more time than the exam. So you need to approach them differently. For the lab, it is much better to leave a machine and come back to it later if you’re stuck, because you’re still learning, and you might learn something for a machine, that you can use on the one that got you. For the exam, I found that it is better to concentrate on one machine at a time, so you wont lose focus, and you’ll free your mind and manage time accordingly in those 23h45min.
  • Organise your notes. It’ll help you manage time when you write the report.
  • During the lab, try to write scripts to automate some mundane tasks like port scanning, and ping sweep and other stuff. Automate anything you can. It’ll help you save time.
  • This one is dumb, but in the exam, launch the port scan, and read the guide lines meanwhile. may be it’ll save you some valuable minutes.
  • Always, start with the simplest tricks and then move on to harder ones. There’s no need to waste time in picking or breaking the lock, if the door is unlocked in the first place… Right ?

I hope you find this was a bit helpful. See you later…


Leave a Reply

Your email address will not be published. Required fields are marked *