My Path to OSCP

Zero to hero in 5 months

This is the journal of my path to obtaining the OSCP certification, outlining the background knowledge I learnt before attempting the PWK course, as well as the course, labs and the exam itself. With relevant IT background, you could skip forward to part describing the course.

I wrote this post in hoping to inspire someone who might be thinking about it but have doubts whether it is possible given their background or life circumstances. If you try hard enough (and have reasonable planning), you can do it too. I started from reading a blog post similar to this in fall 2019.

Disclaimer: From hello_world.c to the certificate it actually took me a little less than 2 years. The 5 months was meant to count from starting the course. Everyone learns at a different pace and it is by no means a flex about how awesome I am. I was very much humbled by the exam and only barely scrambled to get a pass. And I know I have much, much more to learn. The details here apply to the old exam (pre 2021) but it should not matter as I do not cover specifics anyway. Do refer to Offsec’s latest Docs for details of the new exam.

Pre-Infosec

I am in my late 20s and work in the medical field. I have had interests in programming and computers since college but had only self learnt python for a bit. Never gotten far.

COVID did not hit my city hard in 2020. Instead of battling day and night like colleagues elsewhere in the world, we had a lot of free time. In summer 2020 I did CS50 as the first introductory computing course (what a great course!) and wrote my first web app on python for its final assignment. This took me 4 months and many sleep deprived nights but taught me a lot in how servers handle requests, Sql, JS & HTML. I wrote the webapp on a Macbook so it was also a great intro on Git and version control, as well as unix-like cli environment.

Pre-PWK

In winter 2020, I was looking for the next thing to learn and LiveOverflow’s youtube video / post on how to get into infosec ignited my interests in the field (more like a childhood dream!). I realised I had some of the knowledge but still lacked a clearer grasp on inner workings of TCP/IP and at that point the Google Networking Course (a 5-hour long video) helped me fill that gap. It goes into details like how IP packets are constructed, what is a TCP handshake etc which are essential for pentesting. Also did some of OverTheWire’s bandit series and attempted a public, beginner friendly CTF to get a feel for the real thing in winter of 2020.

Fast forwarding first half of 2021 (as I was preparing for a medical examination and getting married) to late July 2021 when I finally bought the PWK course and requested one month off (had leave days saved up for this for 2 years). I did 3-4 boxes on TryHackMe before my lab time began, to “get a feel for things” after 6 months without hacking. In the grand scheme of things the TMH boxes were insignificant for me. I bought 4 months of lab time because I figured I could get it done in this time frame.

PWK course

Started PWK in Aug 2021 and the course took me 3 weeks of almost non stop work to complete. I know I should complete all exercises for the 5 points and from my limited tech background, to learn as much as I could from the course material. There were many instances when the course material tells you to use one tool and a certain command to achieve a certain goal, but it didn’t work (due to updated packages, language environments, etc). I visited the course forum and there were people complaining about the course being outdated and poorly QC’d. Others posted workarounds to those problems.

At times this actually became immensely frustrating as one’s lab time is limited, and you could spent a whole day without progress because of some library mismatch. At some point half way into the course, I thought, well it’s kinda like writing a web app, you debug things and align the libraries and python versions and stuff… could this be a representation of working in the field and is intentional? I still don’t have an answer but the process taught me a lot. There were a few extra questions that were quite a bit harder than the rest. If you have time, I do recommend completing the extras too. As for BOF, I spent 3 days give or take to learn the concept and be able to do a basic one.

The Labs

The Plan

In retrospect, sitting in front of computer for 3 weeks straight working 10 hour days to power through the course (so that I could have more lab time on the labs) was not the smartest thing to do. I had 10 days of leave left when I started with the labs and I got like 7 or 8 boxes total in the period.

I was pretty burnt out when I returned to work after the 1 month of non-stop hacking.

At that point I had Sept – Nov ie 3 months to do like 30-35 more boxes which would be the target I aim for before sitting the exam. On Offsec’s stats that’d be the cohort that has 60-70% passing rate. Knowing the reputation of the exam I wasn’t really expecting anything but was of course trying to formulate a plan to aim for reasonable odds of success.

Offsec’s stats

How it turned out

As said I was pretty burnt out in late Aug and progress was not good in Sept. I work 9-6 and being a Doctor is quite taxing on mental energy. Hacking 30 boxes in 3 months meant about one in 3 days, when having one overnight call in hospital every 4-5 days.

Here I have to elaborate on the boxes. Some were pretty easy if u have a systematic approach to recon-exploitation, and could be done in 3-4 hours. For the others, if you didn’t know how to proceed you could get stuck for like 10 – 12 hours with no progress. Managing frustration was one of the hardest part in the labs. I told myself repeatedly that going nowhere meant there was something for me to learn. I set up timers for 1,2 and 4 hours, and mandated switching approach if no progress in 1 hr, switching port of attack at 2 hr and visit the forums if no progress by 4 hours. I went to the forums to get just enough hint to progress. People spoke in funny riddles for hints lol.

If there’re 2 things I learned best during my lab time, they were to enumerate well and have no assumptions. There was one box that I needed hints for walkthrough from start to end. And it could well be the first box u tried in the labs or the first one you see in the exams. If you do not have discipline to enumerate well, and move on when nothing works, you will very probably fail.

Moving onto my progress, I had some 20+ boxes done by late Oct and thought there was no way I could hack 20 boxes in a month. I made the call that probably got me through the exam: I bought one more month of lab time and took another week off in Nov. During that week off I finally had the mental space and time to work on my checklists, scripts and wordlists, finalise template for submission and did some harder boxes and an AD chain, as well as some boxes that were buried deep inside of the subnets.

By the time I sat the exam in late Dec, I had 43 boxes under my belt. I didn’t do any of the big four (lol never got around to), but I redid the course BoF exercises in the course and felt confident in my process.

Exam day

I scheduled the exam to start at 9am. I made a strict time table to adhere to, with specific instructions on timings to stand up and stretch, drink water, take breaks and eat. Also I mandated myself to switch boxes if no progress for 4 hours (thank /r/OSCP for this tip!).

One interesting tidbit was that since you could not use mobile phones during the exam (except on breaks), I wrote a little shell script to play 5 seconds of music in every predetermined interval(set to 30 minute during my exam).

Before starting anything I started full port scans on all the targets without service or NSE scripts. This should be the more time consuming step so I started before working on the BOF.

The BOF was done before 11am, and the 10 pointer was done at about 1pm. Had lunch and continued on first 20 pointer at 2pm after checking all proof keys submitted for prior boxes. Before dinner, about 6pm I rooted the 20 pointer, so I only needed 10 points more to pass. I started scanning the second 20 pointer and the 25 pointer and had dinner with my family with the scans running. After dinner I went for a walk with my wife afterwards to clear my mind a bit.

With 12 hours to go and 10 points to pass I was feeling a bit confident but told myself to keep being impartial, as 10 point short still meant a fail. 8pm to 10pm I worked on initial access on 20 pointer and had no progress beyond some leads, then 10-11:30pm I worked on the 25 pointer, also without success. The 20 pointer had a web architecture on another port which I am not familiar with, so I starting googling “How to pentest XYZ” for like 15 minutes and it kinda went nowhere.. that was when I realised I got to rest.

Took a nap for 2 hours and actually couldn’t sleep much. During the time I was letting my thoughts crystallise and I thought to myself: trying to pentest a new framework that you have little knowledge and experience during exam almost guaranteed failure. Then I went back to the old path that I tried first when dinner was done. When I woke at 1:30am, I got the critical progress that I needed but still it took a further 3.5 hours to get to the low-level privileges for my (supposed) 10 points. It was 5am.

I never would’ve expected the last 10 points to be so hard (for me at least). From 5-9 I was exhausted already and found leads for privesc but couldn’t get it to work. Went back to check all screenshots and proofs that I obtained and redid every step to make sure it worked.

Slept till 2pm the next day, compiled the exam report and submitted with my lab report! I checked so many times everything was according to their specifications lol.

6 days later I got my email.