5 Things I Wish I Knew Before Taking the OSCP Exam
I passed the OSCP exam on my first try with the new exam grading format (10 bonus points awarded by submitting 30 flags from lab machines). I was part of the first year of Learn One students, with the new course format (exercises and VMs directly in the course). The course, labs and additional training took roughly 600 hours to go through before I booked my exam.
As someone with no cybersecurity background and only IT/dev knowledge, I took the whole 12 months to go through the course and lab machines.
I passed with a score of 100 points out of 110 possible points including bonus points. I was pretty stressed throughout the exam process and obtained my result roughly 49 hours after I submitted my report. Needless to say, I might have DOSed the Gmail servers while eagerly awaiting the result. I even got my heart to stop beating for a second when I received an email from Offensive-Security... marketing a new course (that I might take soon).
When I started preparing for the Offensive Security Certified Professional (OSCP) exam, I had no idea what to expect. I had completed the online course and felt relatively confident in my knowledge, but I wasn't prepared for what was ahead. After passing the exam and earning my certification, here are a few things I wish I had known before I began:
Lab Machines Will Teach You a Lot of Things, But Beware of a Few Rabbit Holes
While you practice in the Lab, you'll see a lot of machines that seem outdated. Don't fall for the "I'll use this kernel exploit on the next 5 machines" plan. These machines have multiple flaws, and you should try to find what each machine is there to teach you. Try not to abuse the old kernel exploits unless necessary; instead, learn about other, less popular exploits, and rely on Exploit-DB and thorough enumeration to find the right flaw to exploit.
If you ever get stuck, jump into the official forums and the Discord channel (use the search function a lot). Keep in mind that although you'll learn a myriad of new exploits and methods in the Lab, some of it could be out of scope from the course material, so make sure to study the course material as it's what the exam is based on.
Understand and Test Your Report Template Thoroughly
One of the most important aspects of the OSCP exam is writing a detailed penetration testing report. This report must be clear, concise, and complete, and must include a detailed description of each step of your penetration process. It is what Offensive Security will review, after all. I used a markdown report template made by Noraj for my exam report, which can be found on GitHub at https://github.com/noraj/OSCP-Exam-Report-Template-Markdown.
It is critical to ensure that text contained in code blocks is not too long (think shellcode), as the lines will be cut at the page's width and will not have linebreaks once you generate the PDF report. If possible, test the report with dummy data and text months before your exam, so you are confident that everything will be displayed as you expect it to. I had to manually fix linebreaks/word wrap during the exam and it caused me severe stress that could've been avoided entirely.
I made a small, custom generate.sh script to make the process of generating the PDF smoother (since I must've generated it 100 times during the exam). Here is the snippet that I used:
#!/bin/bash
# Only works for the folder below!
ruby /home/jhf/OSCP_Templates/noraj/osert.rb generate -i /home/jhf/OSCP/Report/OSCP-exam-report-template_whoisflynn_v3.2.md -o /home/jhf/OSCP/Report
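Added example, not part of the original post or of Noraj's template: a small bash check that scans a markdown report for lines inside code fences that exceed a chosen width, so overly long shellcode or command lines are caught before the PDF is generated rather than during the exam. The sample report it scans is constructed inline; the width limit of 80 is an assumption and should be set to whatever your template's page width actually holds.

```shell
#!/bin/bash
# Report lines inside markdown code fences that exceed a maximum width.
# Such lines are cut at the page edge in the generated PDF, so they must be
# wrapped (e.g. with a line continuation) before generating the report.
# Usage: long_code_lines <report.md> [max_width]
long_code_lines() {
    local report="$1"
    local max_width="${2:-80}"
    awk -v max="$max_width" '
        # A line starting with ``` toggles in/out of a code block.
        /^[[:space:]]*```/ { in_code = !in_code; next }
        # Inside a block, flag lines wider than the limit.
        in_code && length($0) > max {
            printf "%s:%d: %d chars (limit %d)\n", FILENAME, NR, length($0), max
        }
    ' "$report"
}

# Number of offending lines; usable as a gate before generating (0 == clean).
count_long_code_lines() {
    long_code_lines "$1" "${2:-80}" | wc -l | tr -d ' '
}

# Constructed sample report (not a real exam report): one short command,
# one overly long payload line inside a fence, and a long prose line
# outside any fence, which wraps normally and must not be flagged.
sample_report="$(mktemp)"
{
    echo '# Constructed sample report'
    printf 'Long prose line outside a code block, wraps fine: %0100d\n' 0
    echo '```'
    echo 'cat /root/proof.txt   # constructed command, fits on one line'
    printf 'buf = b"A" * 200  # constructed long line %0120d\n' 0
    echo '```'
} > "$sample_report"

long_code_lines "$sample_report" 80
echo "long code lines: $(count_long_code_lines "$sample_report" 80)"
```

Run it against the report every time before generate.sh; a non-zero count means a code block will be truncated in the PDF.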
Take More Notes While Going Through the Course Material
The OSCP course is very dense in content, and it's easy to feel overwhelmed by all the information presented. That's why it's important to take notes while you go through the course. These notes will be helpful during the exam when you need to quickly recall different techniques and tools you have learned. It is imperative to have commands ready to be used straight in the notes, so you don't have to look through the commands' help menus to find the correct syntax and it saves you a headache during the exam. Take the time to write detailed notes and review them regularly to make sure you fully understand the concepts presented.
Exam time
Start with the Active Directory (AD) machines first
The AD machines are now worth 40 points. I recommend tackling these machines first when starting the exam since the passing grade is 70 points. Everything you need to know for the AD part is covered in the course material, and the lab's AD sets were great to practice what the course teaches in that regard. I must remind you that everything you need to know is covered in the course material.
Take More Notes During The Exam
I missed a few screenshots and a couple of commands/notes during the exam... only to find out after I had lost access to the machines. Remember to screenshot and copy/paste your commands, their result and the flags. Yes, copy-paste the flags into your notes. You do not want to manually type a flag based on your screenshots because you forgot to note it down, especially after a grueling 24+ hours without sleep.
Take Plenty of Breaks, Drink Water and Eat
During the exam, I made sure to take a lot of breaks, whether they were 5-minute breaks or hour-long breaks. There are no limits to how many breaks you can take. I took the full 23 hours and 45 minutes to go through the exam, slept for two hours, and then wrote the report and submitted it 36 hours after the beginning of the exam. It's important to take breaks and give your mind and body a chance to rest, as this can help you stay focused and avoid burnout.
Put Aside a Couple of Hours to Review Your Notes
I started my exam at 6 a.m. At around 2:30 a.m. I was done (except for the flag I never got). At this point, I reverted all the machines and started over strictly following my notes. The process should be fairly straightforward. It'll allow you to note anything you might have forgotten, or debug whatever is not making sense in what you wrote down. From 2:30 a.m. until about 5 a.m., I struggled with specific points I hadn't noted thoroughly enough. I could feel anxiety rise in my body as time passed by.
Proofread your report
Before submitting your report, make sure to proofread it carefully to catch any typos or mistakes. A well-written, error-free report is preferred, but what matters most is making sure all the code blocks and screenshots are there. Do not forget the proof/flags.
In Summary
If I had known these things before taking the OSCP exam, I would have been better prepared and would have felt more relaxed during the whole exam process. If you are about to take this challenging exam, make sure to prioritize the Active Directory machine set, understand and test your report template, take detailed notes while going through the course material and exam, take breaks as needed and walk through your notes while you still have time to ensure you get the points. By following these tips, you will be on your way to passing the OSCP and becoming a seasoned cybersecurity professional.
Let's Get In Touch
If you have any questions, or want to share your own experience about PEN-200/OSCP, join Offensive Security's Official Discord Server, or feel free to tag me on LinkedIn (in a public post, so we can share tips with everyone). Let's connect! Keep in mind I can't talk in detail about the exam.
Note: The cover image was generated by myself through Midjourney, to make sure I was not using the copyrighted PEN-200 dragon head image. If you are from Offensive Security and I shouldn't be doing this, get in touch through LinkedIn and I'll swap it for something else!
Written by
Jeff Noël
Recently became OSCP. Hunting another cert soon. Curious about: Cybersecurity Red/Blue/Purple Team (haven't decided yet) Crypto Marketing Investing