I recently passed the OffSec Certified Professional (OSCP) exam and now officially hold the certification. In this article, I will discuss my personal OSCP journey and other relevant OSCP information you can use to help yourself pass the exam too. This includes:
How to Pass OSCP Summary
The OSCP is the gold standard for penetration testing certifications.
I obtained my eJPT certification before starting the OSCP course.
During the course, I watched all videos and completed all the topic exercises; I did not read the entire course PDF.
Don’t be afraid to ask the community for help during the course/labs, but first, try harder yourself.
I used plenty of help from the OffSec Discord during the challenge labs.
I was able to get 40 proof hashes from the OSCP labs before starting my exam.
I failed two out of three OSCP mock exams.
I passed the exam with 60 + 10 bonus points (70 total).
My passing scenario was: 40 pt AD + 1 proof.txt + 1 local.txt + bonus points.
I obtained the last proof hash at about 17.5 hours into the exam.
I spent another 1.5 hours re-creating my exploit steps, taking screenshots, and fine-tuning my notes.
I spent another 17 hours writing my 57-page report.
I took breaks and ate plenty of food during the exam, but I spent most of my time working on the exam/report.
I used the publicly available OffSec exam report template.
Prepare yourself to the maximum extent possible before starting your exam (see exam tips at the end of this article).
I thoroughly enjoyed my OSCP journey from start to finish, and I learned a lot.
I highly recommend the OSCP to aspiring penetration testers/ethical hackers.
I look forward to starting my OSEP journey.
What is the OSCP?
The OSCP is the gold standard in penetration testing certifications. If you search for “Penetration Tester” on job search websites, it doesn’t take long to realize that the OSCP is the #1 certification organizations ask for when hiring new penetration testers. The OSCP exam gives you 23 hours and 45 minutes to hack into 6 target machines. You don’t need all of them to pass, but you must compromise most of them. You need 70 points total to pass the exam, where the entire Active Directory (AD) set is worth 40, and each of the three standalone machines is worth 20 points in total. There are 10 points for gaining low-privileged (user) access and 10 points for having high-privileged (system/Administrator/root) access. It’s impossible to get partial points for the AD set; it’s 40 points for full domain compromise or nothing. Then after you are done with your penetration test (exam), you get another 24 hours to write and submit your exam report to OffSec. The report must be a professional penetration testing report showcasing the steps taken to fully compromise each target. The report must also list the vulnerabilities and the remediation of those vulnerabilities. Lastly, the report must contain other sections, such as a high-level summary and methodologies used. For more information about the OSCP exam and reporting structures, I recommend getting your information straight from OffSec. I started with this page:
And here is the OSCP exam guide:
These two sources also link to a plethora of other resources. Make sure you check them all out, but at the very least, I recommend reading these two sources entirely before even starting the OSCP course and then maybe re-visit them every now and again during your OSCP journey. In addition, you should re-read the OSCP exam guide entirely the day before your exam. The more you read about the exam, the better prepared you will be.
What I did before starting the OSCP course
Before I started the OSCP course, I successfully passed the eLearnSecurity Junior Penetration Tester (eJPT) certification. However, I did many things to prepare myself for the eJPT. If you want to learn more about my perspective on the eJPT, check out my blog post here:
The eJPT is a great, maybe even the best, way to prepare for the OSCP course. It teaches you all the foundational information you will absolutely use during your OSCP journey. I regularly re-visited my eJPT notes during the OSCP labs and the exam itself. If you have no prior penetration testing experience and are starting from nothing, I don’t recommend starting with the OSCP, and I would point beginners to the eJPT. You should have a security certification or relevant experience before starting the eJPT. eJPT, despite the name, is not for absolute beginners. Check out my eJPT blog post (linked above) for more of an explanation of why I don’t think it’s beginner friendly. Getting your eJPT isn’t the only way to prepare for the OSCP course; many people don’t do this. Other things you can do to prepare for the OSCP course include TryHackMe, Hack The Box Academy, TCM Security’s Practical Ethical Hacking Course, OffSec’s Network Penetration Testing Essentials (PEN-100), and PEN-103. The OffSec 100-level Penetration Testing courses may be the best way to prepare for PEN-200 (the OSCP course). However, OffSec’s fundamental courses are pretty pricey, so for that reason, I don’t think it’s the best option for most people, especially if you are on a tight budget. Lastly, getting your OSCP as a first certification is possible if you’re completely new to cybersecurity. Many people have done it, and I’m positive many more will. So don’t let my opinion of “start with something simpler” kill your motivation. However, know that the OSCP is very difficult and time-consuming, even for someone like me who held 10 other industry-recognized certifications before starting the OSCP journey.
How I tackled the OSCP PWK PEN-200 course
Important notice: I started my OSCP journey with the 2022 version of OffSec’s Penetration Testing with Kali Linux (PWK) (PEN-200) course. Just before I finished the course, OffSec released the updated PEN-200 course (2023 version), which I hardly touched since I had already completed the 2022 version. That said, I still think the PEN-200-2023 course is an improvement over the 2022 course and should be considered your primary learning resource. My primary learning source was the PEN-200 (2022) course. This is the course you must purchase to get an attempt at the OSCP exam. You can’t buy an exam voucher by itself; the training and exam attempt are bundled together.
I watched 100% of the course videos and completed 100% of the topic exercises. I didn’t read any course writings, as most of that information was in the videos. However, if I was stuck on something, I ended up going back and reading the relevant information and re-watching the relevant videos.
Many people don’t like OffSec’s training, and they find alternative ways to prepare for the OSCP. Resources I commonly see people use are TryHackMe, Hack The Box (main app), Hack The Box Academy, VulnHub, and TCM Security’s Practical Ethical Hacking Course. Why do many people not like OffSec’s training? From my understanding, many people don’t like OffSec’s training because OffSec doesn’t hand you wins. In other words, it’s very difficult and takes a lot of time to understand OffSec’s teaching methodology. As a result, progression can be very slow at times. This is OffSec’s “Try Harder” mantra at play, a critical mindset you must adopt to succeed on the OSCP exam. With the new PEN-200-2023 course, I think the topic exercises may be different and even a little easier (more hand-holding), but I can’t confirm because I hardly touched the PEN-2023 course. There are two main reasons why I decided to use the PEN-200 course (2022) as my primary learning resource.
1. I wanted the 10 bonus points heading into the exam.
You can earn 10 bonus points on the OSCP exam by completing 80% or more of the topic exercises in each learning module/chapter/section of the course and by submitting 30+ machine proofs from the OSCP challenge labs. There are 57 machine proofs to be found in the labs, so this means you must complete 56.2% of the labs to meet this requirement. You can learn more about bonus points here. Spoiler alert: These 10 bonus points were a game-changer during my exam. In fact, there’s a good chance I wouldn’t have passed on my first OSCP exam attempt without these bonus points.
The 10 bonus points are equal to a standalone machine’s low-privileged access (local.txt) or a standalone machine’s high-privileged access (proof.txt). Both objectives are 10 points each. In other words, each of the three standalone machines is worth 20 points in total, but you can get partial points (10 points) if you don’t gain full administrative access to the machine. These 10 bonus points are a huge deal because they give you more options and flexibility to pass the exam. For perspective, these are all the possible scenarios to pass the OSCP exam:
40 pt AD + 3 local.txt flags
40 pt AD + 2 local.txt flags + 1 proof.txt flag
40 pt AD + 2 local.txt flags + bonus points
40 pt AD + 1 proof.txt + 1 local.txt + bonus points (my passing scenario)
3 fully completed non-AD machines + bonus points
Notice how you gain additional scenarios to pass the exam—especially the non-AD machines method, which is impossible without the bonus points.
2. OffSec’s training specifically prepares you for the exam objectives
Who better to prepare you for the exam than the exam creators themselves? Other resources may not cover the exam objectives or include content that isn’t an exam objective.
With that in mind, it’s important to know that sometimes you learn about tools and techniques elsewhere. For example, I learned about chisel (for network pivoting) by doing Hack The Box machines. I don’t pivot into networks the way OffSec teaches it, and that’s ok. Sometimes we can be more effective by trying out other tools and techniques. But despite me pwning a Hack The Box machine every week to complement my studies, I primarily used the PEN-200 course.
Note: I also heavily use TryHackMe, but most of my TryHackMe learning was done before my eJPT attempt. I was doing TryHackMe daily during my OSCP journey; however, I was doing the Cyber Defense and SOC Level 1 learning paths, which are all about defensive security and don’t carry over to offensive security much.
As I went through the topic exercises of the PEN-200 course, I frequently got stuck and didn’t know how to complete the exercise. When this happened, I went to the student forums and, more often, the OffSec Discord server. I never needed to ask questions for topic exercises, as other Discord members/student mentors mostly answered my questions through other students' questions. Always do your due diligence and use the search feature to find hints to your problems before asking questions. Remember, no one is going to hand you answers. That’s not what the forums and Discord are for. Instead, the community will nudge you in the right direction to help you find the correct answer for yourself. This learning style may appear crude to some, but I believe it’s the best, perhaps the only way, to develop the Try Harder mindset. I enjoy the community not giving me the exact answers right away.
This method allows you to “figure it out yourself,” which is a crucial skill to passing the OSCP exam. Remember, the best path is the hardest earned. No one will be available to hold your hand during the OSCP exam, so you must learn how to get the correct answers rather than be given the right answers as you go through the course. This same thing applies when you go to the forums and Discord for a nudge on challenge lab machines.
That said, don’t think using the OffSec Discord is a weakness. That’s what I thought going into the challenge labs. In fact, when I started the challenge labs, I told myself that I wouldn’t use any help from Discord so that I could “Try Harder.” Luckily, some great people on Twitter told me I was shooting myself in the foot with that mentality and that I should use Discord. It is one of the best resources for learning OSCP exam objectives. Many people who have passed the OSCP have asked questions and sought help on topic exercises and lab machines. Several people, myself included, say they hardly ever fully compromise challenge machines by themselves. If you go into the OffSec Discord, you can see me asking for help with many of the OSCP challenge lab machines in past messages. Moral of the story: Try to do things yourself first. If you get stuck for longer than an hour or two, then ask for help. Getting stuck on a challenge is par for the course; learn to enjoy it and learn to love the learning process OffSec has developed.
How I tackled the OSCP challenge labs
As mentioned earlier in this article, I was halfway through the 2022 version of the OSCP course when OffSec released the 2023 version. Because of that, I ended up pwning 13 of the legacy machines (from the 2022 labs) and 27 machines from the current (2023) challenge labs. In total, I had 40 proof.txt hashes submitted before starting the exam. My approach was to pwn as many of the legacy machines as possible before OffSec took down the 2022 labs, then move over to the 2023 (current) challenge labs. Overall, I believe the current labs are an improvement over the old labs, despite the old labs having 18 more proofs to find. There are two reasons for this.
1. The new labs are private instances to only you
Before, the labs were a shared lab environment. This means you couldn’t really do the machines in the order you wanted. You kind of just did the machines no one had touched for a while (because it’s rude to work on a machine someone else is working on). Furthermore, it was possible for another student to revert the machine you were working on, which causes you to lose progress. I personally never experienced this, but it did happen in the past to other students. I didn’t run into this issue because I was working on the legacy machines while a good portion of the other students were working on the new challenge labs. The new challenge labs being private to you means you can work on whatever machine you want when you want, and you don’t have to worry about another student resetting your progress, so you can go as slow as you want. Sometimes it is best to take a break in the middle of your progress. With private labs, you can leave the target machine running while you take a break.
2. The new labs have three OSCP mock exams
The OSCP mock exams, in my opinion, were the most critical labs that led to my OSCP success. As the name implies, these challenges mimic the OSCP exam environment pretty well. My approach to these mock exams was treating them like the actual exam. I requested leave from work on three consecutive Mondays to treat these mock exams like real exams.
OSCP A: Three weeks before exam day. Fail
I needed a nudge to gain initial access to the first machine in the AD set and a nudge to gain initial access to a standalone machine. I could escalate my privileges on the standalone machine, and I was able to get into the 2nd machine in the AD set without Discord help. However, I needed a few nudges going from machine 2 to machine 3 for the AD set. There wasn’t enough time to work on the other two standalone machines; I finished them in the next day or two. Once again, I needed nudges for initial access, but I could escalate privileges without Discord help.
OSCP B: Two weeks before exam day. Fail
I was able to compromise a standalone machine fully without help. However, I needed a nudge every step of the way for the AD set. I actually ran out of time and had to finish the AD set the next day. I finished the remaining two standalone machines later in the week. Once again, Discord assisted with the initial foothold, but I could escalate privileges without help.
OSCP C: Two days before exam day. Pass
I fully compromised the AD set and one standalone machine without help in about 5 hours. This equals 60 points, but I consider it a pass because I had 10 bonus points for the exam. I used some nudges every step of the way for the remaining two machines. Since exam day was so close, I wanted to complete the last two machines quickly.
Medtech (challenge lab 1):
I finished Medtech 100% before I even started OSCP A. Sometimes I needed a nudge, and sometimes I didn’t. Overall, I would say I needed nudges for half of the machines and didn’t for the other half.
Relia (challenge lab 2):
I started Relia after my failed OSCP A attempt. I completed only about 45% of this challenge before exam day. I never made it into the internal network for this challenge.
Skylark (challenge lab 3):
I never started Skylark.
Challenge Labs Summary
I needed a lot of help to progress through the labs. Failing OSCP A and B made me think I would fail my real exam attempt. But after passing OSCP C without help, my confidence grew enormously. Also, don’t forget that I completed 13 machines from the 2022 labs. Once again, for each machine, sometimes I needed a nudge and sometimes I didn’t. Rarely was I able to complete a machine fully without getting help, though. I tried my hardest for 2+ hours without asking for help, but if I still hadn’t made meaningful progress after that, I went into Discord and searched for help. Overall, this was an excellent strategy to prepare myself for the real OSCP exam. I believe the only way to be more prepared would be to pwn more lab machines. The best way to go about the labs is by pwning as many machines as possible with your allotted lab time. Asking for help sooner rather than later exposes you to more tools and techniques you can use. However, you should try your best before asking for help. This will help you tremendously. If you go about the labs correctly, you don’t need to pwn every lab machine to be prepared to pass the OSCP exam.
You may wonder why I attempted my OSCP exam before completing the labs 100%. This was because I wanted to see if it was possible to pass the OSCP in three months (90 days) while having a full-time job and being a part-time college student. The 90-day lab access is the most affordable learning package, and even though I have the Learn Unlimited subscription, I wanted to know how achievable the OSCP in 90 days really was. Plus, having the Learn Unlimited subscription means I have unlimited OffSec exam retakes in a year, so I had nothing to lose. I also must get four OffSec certifications in a year to make the Learn Unlimited subscription worth it. If you do the math, that’s a certification every three months. Spoiler alert: I’m going after the OffSec Certified Experienced Penetration Tester (OSEP) next.
So is the OSCP achievable in 90 days? Yes, absolutely. My results are proof of that. I also work 40+ hours a week and am a part-time college student (one class at a time). I put in 3-5 hours of study time after work daily to achieve this. I tried to double that to 6-10 hours per day on the weekends and days off. I hardly took days off, but I didn’t work on the OSCP every day, either. If I had to take a good guess, I spent around 360-400 hours total preparing for the OSCP. This makes sense because OffSec lists the PEN-200 course at 300-500 hours completion time, and remember, I didn’t pwn all the machines.
My exam experience
I didn’t find the last proof hash needed to pass the exam until about 17.5 hours in. I passed with 60 + 10 bonus points. I did this by fully compromising the AD set (40 points) and by fully compromising a single standalone machine (20 points). I was unable to gain initial access to the remaining two standalone machines. If I didn’t have the 10 bonus points, I might have worked on the exam a little longer to gain initial access to one of the standalone machines to get the final 10 points. But I didn’t see the point in going further once I had enough points, especially since I was exhausted and wanted to get a decent amount of sleep for the next day to write a good exam report. Remember, it’s the same certification whether you have 110 points or 70 points. And I’m not ashamed to admit that I struggled with this exam. In fact, I thought I was going to fail for most of the exam. I almost quit before getting the last proof hash I needed. But I hung in there, tried harder, and didn’t quit. I’m very proud of myself for not giving up, even though it seemed like a losing battle the entire time.
Even though I had all the proofs I needed to pass at about 17.5 hours into the exam, I used another 1.5 hours or so to re-create my exploit steps and take the relevant screenshots I had missed along the way. I also used this time to write my notes more clearly. Remember, once you’re out of the exam network, there’s no going back. So, you want to ensure you have all the notes and screenshots you need for the report you have to write the next day.
I hardly took breaks. I drank a lot of water to stay hydrated and a lot of coffee to stay awake and alert. Because of this, I had a lot of 2-minute bathroom breaks. My cat threw up in about 7 different spots in my exam room, so I took a 20-minute timeout to clean that up. I ended up letting the dog outside for about 5 minutes during my exam (my girlfriend took care of her when she got home from work).
I spent about 20 minutes eating. And I may have taken a few other 5-minute breaks for snacks and a short rest. Overall, I probably only spent about 1.5 hours of my exam time away from my computer.
Checking into the exam was straightforward. However, it took over 15 minutes, despite everything being smooth. So, I probably started my exam about 3-5 minutes late. I’m not sure if this cut into my exam time, but I didn’t care as I didn’t think 3-5 minutes would make or break me for the exam. It’s worth noting that I started the check-in process precisely 15 minutes early (as soon as I could).
The proctoring software was easy to get going. The exam proctors were very nice and helpful. They all answered all my exam-related questions in a reasonable amount of time.
And I think that’s all I can say about the exam without getting my certification revoked and being banned from OffSec.
How I approached the exam report
I used the OSCP exam report template, which is publicly available on the OffSec website here. I changed the format slightly, but overall, it was pretty much the same layout, with my exam machines as the subjects at hand. There’s no point in reinventing the wheel, so I think using OffSec’s template is best. It’s not perfect, but it gets the job done. Make sure you use the exam report template, not the lab report template. OffSec used to give bonus points for submitting a lab report along with the exam report. Getting bonus points in this fashion is no longer possible, so don’t even bother with the lab report information.
I watched this video made by Conda before I started writing my report:
Thank you, Conda, for the helpful information.
I spent about 17 hours writing my exam report (including breaks). Unfortunately, most of this time was spent formatting my report. Despite using OffSec’s exam template, I had to continuously re-format every paragraph I wrote. I’m unsure if the template I downloaded was bugged or if I made mistakes that messed with the formatting. Regardless, you want to ensure that fonts, font sizes, font colors, line spacing, paragraphs, headings, titles, labels, code blocks, screenshots, and everything else are consistent with each other throughout the report, on top of your detailed step-by-step guide on how you exploited each machine. It’s a daunting task that should not be taken lightly. I regret “wasting” the first two hours of the day before starting my report. Did I need to spend this much time writing my report? Probably not. But since I had exactly enough points to pass the exam, I wanted to make sure my report was “perfect.” I couldn’t afford to lose a single point for a sloppy mistake in my report.
My report ended up being 57 pages long. Did it need to be this long? I’m not sure. I probably could have excluded some information, but with exactly 70 points, I would rather include too much information than not enough.
OSCP Exam Tips
Take care of your adult errands and chores before exam day. You don’t want to do anything except focus on your exam on exam day.
Clean your desk. Clean your exam room. Clean your home. Having a clean working area always makes me feel better.
Try a scented candle. Scented candles help me focus.
Eat a good breakfast on exam day, even if you don’t usually eat breakfast.
Prepare your snacks, breakfast, lunch, and dinner the night before your exam. Or have someone else do it for you. You don’t want to waste valuable exam time making food. Make sure it’s healthy and isn’t going to upset your stomach, give you heartburn, etc.
Drink lots of water. Staying hydrated helps you focus.
Take breaks when you need to and for as long as you need to, but don’t overdo it. Exam time is precious, and time management is crucial for this exam.
Drink the normal amount of caffeine you usually drink. Don’t overdo it. One time I drank double the amount of coffee I normally drink before an exam, and my heart rate went through the roof. It made a stressful situation even more stressful.
Take a lot of detailed notes during the course so you can easily replicate commands during the exam.
Read all instructions and exam objectives carefully. It doesn’t hurt to read things twice.
Take notes and screenshots during the exam so you don’t have to re-run commands to see the output. You will use these notes and screenshots for your exam report.
Take good screenshots; label/highlight the important information in them.
Return to your course notes when you can’t find a way into the machine. This will remind you of all the ways you have previously exploited machines.
Your exam notes and screenshots should have all the commands you tried. Don’t waste time re-running commands.
Spend a lot of time enumerating. You never know what piece of information will help you progress in your penetration test.
Don’t spend too much time on one machine. If you can’t make meaningful progress within 2 hours, move on to another machine. Remember, you don’t need to compromise every machine to pass. If you have extra time or get stuck on the other un-compromised machines, return to the machine later and try something different. Don’t keep trying the same thing that keeps failing over and over.
Don’t worry about compromising the hosts in a particular order.
Cleaning up is very important in real-world penetration tests, but not during your OSCP exam. So don’t worry about leaving files and configuration changes behind. You’re not being evaluated on clean-up. The only thing that matters is the proof hashes and ensuring you have good notes and screenshots for your report.
If a machine feels slow or sluggish, there’s probably something wrong. Revert the machine. And don’t feel bad if you have to revert a machine during the exam because you broke it.
Don’t store your notes on your attack machine VM. Instead, store your notes on your host machine.
Don’t be afraid to ask the proctors exam-related questions. Of course, they can’t help you compromise the targets, but they can answer questions like “Is x tool allowed on the exam?”
Don’t forget to tell your exam proctor when you leave your exam area for a break and when you come back.
Let your proctors know when/if you are about to use Metasploit. Also, let them know when you are done using Metasploit. This isn’t mandatory, but they will appreciate it.
Remember, you can only use Metasploit to interact with a single target machine. This applies even if the exploit you run fails. So, for example, if you run a Metasploit module against target 2 and it fails, then target 2 is now the only target you can use Metasploit against.
Use Metasploit wisely. Try to compromise hosts without Metasploit first, and only use Metasploit as a last resort. If you notice a target vulnerable to a Metasploit module for a quick win, there is probably a public manual exploit you can try. Save your Metasploit target machine for last, if possible.
Stay persistent, don’t give up until the very end, and try harder.
Conclusion
I thoroughly enjoyed my OSCP journey from start to finish. I learned so much, and I can’t recommend the PEN-200 course and the OSCP certification enough for aspiring penetration testers/ethical hackers. I look forward to diving into the PEN-300 course and going after my OSEP certification immediately.
Disclaimer: All links to Hack The Box and Hack The Box Academy in this post are affiliate links. This means that if you make a purchase through these links, I may receive a commission at no additional cost to you. Furthermore, all links to TryHackMe in this post are my referral links. Signing up to TryHackMe through my referral link saves you $5 on your subscription and also saves me $5 on my next year's subscription.
Your support through these purchases helps me continue providing valuable content. Thank you!