As is customary, I thought I would do a review of my OSCP journey (as I can't divulge too many details about the actual exam and such). I got all five boxes and did it on my first try - I was still nervous, though, as the report was an unknown.
TL;DR: The OSCP is an entry-level certification, but you really earn it, as you can't just memorize content and then regurgitate it on a multiple-choice exam.
You actually do the work. And your ability to absorb knowledge in the moment and be creative about the use of said knowledge will get you over the finish line.
I would have loved it if it contained (laugh out loud - pun) more material around what I encounter daily - such as containers and Kubernetes, which present their own challenges.
I sniffed around the OSCP for a while, but I always ended up at "Can't do it, need to practice more". My story is basically: I'm a potato; I work with everything. I have worked with networking, servers, routers, programming, etc. Back in high school, I enjoyed reading through the assembly source code of viruses and modifying them for my own amusement, learning how they actually worked. I would say my strength is that I can read messy code and see the red thread through it - debug fast.
So, in a rather stressful work period, I decided I needed something fun for myself and signed up for the OSCP lab. I was excited! And, spoiler alert, I loved it.
Your first crossroads on this path is the amount of lab time you sign up for - 30, 60 or 90 days. As I had no idea what was involved, I was very worried about the number of days until I realized you can just buy extensions if you need them.
I say "just" very casually - it all depends on who floats the bill. In my case, my employer did, but I was still a bit cautious as I didn't want to waste company money. It's cheaper to go for 60 or 90 days than to buy extensions from 30.
I went for 30 days - towards the end I wanted to extend just because I was enjoying it so much. Instead, I was getting giddy (yes, giddy) about the exam and the challenges that would bring so I scheduled my exam on the very day my lab time would end. Not because I am some sort of 1337 haxx0r - just because I felt the lab had given me what it could and the exam was the natural next level challenge.
One thing that struck me compared to other certifications I've done was that nobody told me "After doing this exercise, connect to the lab network and perform the following operations". There is no hand-holding.
You get the PDF course material, the videos and the VPN package. After that, it's up to you how you progress. You are given the subnet range and then you actually have to find the boxes. Some are easy and the PDF will more or less give you a step-by-step solution to them (but you still have to do proper recon and enumeration to connect the dots and realize it).
There is "help" to be found on the forums (you will get access to those when the lab time starts) in the form of encrypted hints such as "seek the rider of the apocalypse and they shall guide you to the r00t". So, mostly the same as "try harder" ;)
Seriously, though, after decoding (at least close enough) the hints I did make use of some of them and used them as a learning experience.
There are four "boss" boxes in the lab and they are aptly named Sufferance, Pain, Gh0st and Humble (humble as in "you will eat humble pie"). They are rather nice challenges that will prepare you for the exam.
And, in my opinion, the lab is where the certification starts to diverge from others (at least the ones I've done).
It all ties into the "Try harder" motto. It's not about tools (the famous ones that do most of the work for you are not allowed on the exam, or at least restricted) - it's about your thought process, your exploration and, most importantly, your curiosity.
Because of that, I did most of the lab boxes without using tools such as Metasploit, and I also tried to avoid kernel exploits, as those are patched in the exams (all the exam boxes I got were patched, updated and running fairly new versions of the OS). Aaaand here's a little contradiction: Don't be afraid to use Metasploit and the like during the lab - you're likely to use them in your day-to-day anyway, so get used to them. Just don't rely on them.
I didn't do the write-up on the exercises and lab machines, as there is only a certain constellation of points that will make those 5 extra points worth anything. But it's a good way of practicing writing a report.
As I mentioned, my exam started the same day my lab time ended - I was really excited as it's a different format than what I'm used to. I went to work as usual and my exam started at 19:00 (7 PM) - much to my fiancée's annoyance, as that meant she couldn't use her computer for 24 hours (we share a home office). I lined up some Red Bulls and tested my webcam and such to make sure the proctoring would go smoothly.
I went through the OSCP exam guide one, two, eight times to be sure I got it all. I had read too many scary stories, ranging from network issues to bad webcam resolution, that qualified for an automatic fail on the exam.
The proctoring was smooth as a polished marble kitchen counter - the pre-checks flew by and I was "stuck" waiting for 10 minutes for the e-mail with the exam VPN package before I could begin.
Furthermore, the "scary" proctoring is very unobtrusive - just give them a little "I need a break" and they will acknowledge it and wait for your return. "Hey my dear, I have indeed returned!" and they respond with a happy "Thank you for letting me know and good luck with the exam as you proceed!"
There are 5 boxes you need to deal with on the exam and one of them is a known challenge - the buffer overflow. Don't worry about it - the course material will prepare you for it.
I, however, was a victim of hubris... I glanced at it and went "pft, I know this", made a whole lot of assumptions and, as we all know: Assumptions make an ass out of you and mptions. I tried to fast-track it to get more time for the other boxes - I ended up entangling myself in weirdness and in the end I had to backtrack and do it properly. Could have been done in half an hour-ish - spent 1.5, oh well.
So, the lesson here is: Work the problem and don't assume it is the same run-of-the-mill case as every other similar problem. And, uhm, don't skip the lesson on bad characters.
There is one other observation I want to share: Don't be afraid to revert early.
The instructions say that you don't have to revert the boxes as you start, as it's already done. But I was quite disheartened when I tried the low-point box and found that I couldn't penetrate it. I tried several paths and ended up at the same place every time, and it just wouldn't work - I spent a lot of time on this.
In the end I was so frustrated I just thought "I'll just revert it like I did in the labs when something wasn't working" - I did, then I tried the same thing I initially did and aaaaaaaaaaaah (angelic song) it worked on the first try!
You have plenty of reverts on the exam - 24 to be exact. And you can ask for a reset one time (I think). I used almost a handful, so I'm thinking: revert to be safe - you can afford it.
I spent around 20 hours on the exam, and a lot of that time was "wasted" in the sense that I had the vulnerabilities down, but I spent a lot of time fighting the state of the machine (the previously mentioned angelic song) and also getting a stable reverse shell. I will also encourage you to practice Windows privesc.
I will admit that there was a period of time where I was thinking "Is this it? This is all I can do?" But then I reverted, I switched tactics, and around 04:00 AM I got a boost, and from there it was smooth sailing.
And this is what I think the meaning of "try harder" is: Anyone can run an exploit script, but once the script fails it all comes down to your skill and knowledge - you have to understand the vulnerability. You don't give up - you push on and change your perspective. You try harder. Because as the world moves faster and faster into the digital arena, it becomes harder to secure it all. And it's more important than ever.
During the exam, I recorded my screen the entire time, as well as using OneNote to capture notes and screenshots.
I used the format of the suggested report and changed a few things, but the essence is: What did you find, how did you find it, and what are the corrective measures to avoid this.
After all, this isn't a CTF (as Offensive Security will tell you over and over) - it's a penetration test, and after the exam you will have real clients trying to secure real assets, and they will want to know where they can improve and how.
Still, the report was what worried me the most - not the content necessarily; I felt I had that covered, even though I could have added more detail in certain sections.
It was the submission part - make sure you follow the guidelines on how you submit your report. They are very detailed, and any failure will result in an automatic exam fail.
Anyway, that is my take on the OSCP - I hope it was helpful 😁