Disclaimer: I am not allowed to share any details about the exam I took, so it will be more a general view of it.

Preparation

Although I have some experience with pentesting, I did not want to underestimate the exam. Before I bought the course from Offensive Security, I already completed 100+ boxes on HackTheBox. I also completed four ProLabs from HackTheBox; Dante, Zephyr, Offshore and Rastalabs. These boxes and prolabs thought me basically everything I needed to know for the exam

In the beginning of 2023, I told myself to do the OSCP exam in 2023. I waited for the end of the year sale from Offensive Security, which started around December 2023. But I could only schedule my exam in January 2024. So I scheduled it for 19-01-2024.

Proving grounds & challenges

Offensive Security also provides a practical learning environment to test your hacking skills. I did some of the proving grounds and felt ready to try one of the challenges. I started with one of the bigger challenges, that can be compared to a hackthebox prolab.

The challenge had a lot more machine’s then the actual exam. I liked that because I guess it could be stated “harder” then the actual exam. So if you would be able to complete that without any nudge or guide, it would be reasonable to say that you are ready.

After completing that challenge, Offensive Security provides some OSCP like challenges, that could be compared to the real exam. I of course made sure to complete them all before the exam. The active directory sets of these challenges were not that hard for me. At this point, I was very convertible in taking the exam.

I scheduled my exam 16:00, because I thought that I only had 24 hours to complete the hacking part and the report part. But after reading the exam guide one more time, I noticed that I have another 24 hours to complete my report, how nice 🙂.

Tools and my plan for the exam

For the reporting part I installed https://github.com/Syslifters/sysreptor with docker desktop. I made sure to write a mock report on one of the OSCP challenges to test the software. Sysreptor also includes a OSCP template based of the official template from Offsec: https://github.com/Syslifters/OffSec-Reporting.

I also have a directory in my Kali where I host all my binaries to upload. In this directory, I saved for example mimikatz, godpotato, winpeas, linpeas, pspy and my ligolo agent. If you host a webserver in this directory you can easily upload them.

I also made use of a lot of my scripts and aliases, which you can find here: https://notes.incendium.rocks/pentesting-notes/tips-and-tricks/tips-and-tricks#make-use-of-aliases-and-examples.

My plan was to start with Active Directory since it is mandatory to pass the exam without the bonus points. I also made sure to keep very detailed notes in sysreptor so the report was no big deal.

Exam day

At 15:45, I was able to login to the proctoring environment of offensive security. The proctor was very clear and there were no problems. Make sure to leave your digital devices out of the room except for your own PC to prevent accidentally using your phone. Also make sure your webcam is long enough to show all corners of the room and under your desk.

At exactly 16:00 I received a e-mail containing the VPN information and a URL to the flag submission/machine revert site. I just followed the guide for the exam for this part. After confirming the connection worked with the proctor, I was allowed to proceed my exam.

Active Directory

I started with the AD set to even see if I needed to write a report. Within 10-15 minutes or so, I had initial access on the system and my first flag. So far, so good. Then I had to escalate my privileges. This is were I got stuck very long. I ended up being stuck for 5 hours. I decided at one point to move to one of the standalone machine’s. But I just couldn’t focus on it since I was not able to escalate privileges on the AD set. So back to AD then. I started thinking instead of panicking and finally found my way forward 😀. From there I got the AD set done in 30-45 minutes and decided that it was time for some sleep.

Long break

At this point it was 23:00 PM. I had hoped to get about 6 hours of sleep. I kept my monitors and PC running to make sure that my proctoring was not getting interrupted. I did pause the webcam here. Sleeping was hard and I think I got about 3 hours of actual sleep. Good that coffee is a thing ☕. I continued the exam 7:30 AM.

Standalone machine’s

The standalone machine’s were quite fun. I don’t think you should underestimate them, but also not over complicate things. I got my other 20 points in about 2 hours and grabbed some more ☕. The last machine was also finished quickly after that quick break. At this point I had 80/100 points and 4 more hours to go for the hacking part. I was not able to find my way in the final machine.

Report

I decided to start working on my report with the 4 spare hours to check if I missed something to in my notes reproduce my steps. After checking every step and every proof screenshot, I decided it was fine. I completed my report before diner. After diner, I took a walk and after coming back from it, read the whole report once again to see if I missed anything. I fixed some ugly formatting problems in my code blocks and decided it was good to go. I submitted the report and got my confirmation e-mail of receival shortly after.

Results

After 5 business days, I received my results and I successfully passed the exam.

Tips

From my personal experience, here are some tips for you to make it past the exam.

  1. Chill out. You should be thinking, not panicking about the time or such.
  2. Take breaks. If there is one golden tip, it is to take breaks. It will help your brain to get back on track.
  3. Write a mock report. Writing a mock report will confident you in the report part, so that you can focus more on the hacking part.
  4. Practice, practice, practice. Only when you feel ready and are confident that you will pass, schedule the exam.
  5. Read the exam guide. For example, your proof screenshots should include the IP-adres of the host with either ipconfig or ifconfig.
  6. Try harder. At one point I was stuck for 5 hours, but I did not give up, would you? In real life engagements you will also be stuck on finding anything, so be prepared to take the long sit.