OSCP: The Good, The Bad and The Ugly

This is a review of my experience with the OffSec Certified Professional (OSCP) certification, in which I go through the pros, the cons and the BAD aspects of the certification.

The Exam

I took my exam on July 28, 2023, and by August 1, 2023, I had received confirmation that I had passed the certification exam.

A lot of people start their exam early in the morning to get done with the certification the same day, work too hard, wear themselves out and probably fail the exam. I didn't really like the idea of spending 10+ hours hacking without a major break, so I decided to start at 2 PM; that way I would have until Saturday afternoon to finish the exam, and it would feel like a two-day pentest at my day job.

So I started the exam at 2 PM as planned and got the information about the scope: 3 standalone machines and 3 machines in an Active Directory network.

Beforehand, I had prepared a little document to help me throughout the exam; you can find it here: OSCP Enumeration Handbook

Within the first 3 hours I had already compromised the Domain Admin account, totaling 40 points out of 100, and I took a 30-minute break to snack and lie down for a bit.

I went back to the exam, started looking at the autorecon output for the standalone machines and got stuck in a rabbit hole for 2 hours. I went back over the output, reading it carefully, and with that I found the path into the first standalone machine, which had a pretty straightforward way to pwn it.

At this point I had 60 points and only 6 hours had passed, so I was doing pretty well time-wise. I proceeded with the next machine, and within 20 minutes I was inside it and had the 70 points required to pass the OSCP. I could have stopped at this point, almost 7 hours in, done the report and rested, but I wanted to keep going and see how far I could get.

After enumerating this second machine to find the privilege escalation path, I thought I had it, but the exploit wasn't working. I tried everything I could to exploit this path, but it didn't work. It was 11 PM, so I decided to go to sleep and continue the next day.

The next day, 9 AM, time to hop back into the exam. I reviewed all the information and was 100% sure that the exploit I had been trying to run the night before should have worked right away, so after a couple of minutes of fiddling with it I decided to reset the machine until the exploit worked. It took about 3 resets before it did; I didn't change anything, just reset the machine until it worked. So I would say that if you believe an exploit should 100% work, stick to it. Of course, this confidence comes with 2 years of penetration testing experience; it might be harder for you if you don't have that experience.

It was 10 AM, and I spent 3 hours trying to get the initial foothold on the last machine. In short, I couldn't. So I took a break at 1 PM for lunch, decided to just end the exam at 1:45 PM, and did the report from 3 PM to 4 PM.

What's Good about the OSCP?

The best thing about the latest OSCP version (2023) is that they introduced 3 practice exams into the labs, which are the closest thing to the exam itself. These practice labs will teach you how to "try harder" and make your life easier for the exam.

That's it... the only good thing I have to say about OSCP.

Shortcomings...

I struggled a lot to study for the OSCP, since I have a full-time job and a life to take care of, and I also volunteer some of my time to Raíces Cyber. But one thing that really pissed me off is that the platform kept going down on MULTIPLE days, for the entire day on some occasions. Here are some that I took note of:

04-04-23 > General Outage

11-04-23 > PEN-200-2023 labs stuck in Starting Soon

12-04-23 > PEN-200-2023 labs stuck in Starting Soon

14-04-23 > PEN-200-2023 labs stuck in Starting Soon

16-04-23 > PEN-200-2023 labs stuck in Starting Soon

18-04-23 > PEN-200-2023 labs stuck in Starting Soon intermittently

19-04-23 > PEN-200-2023 labs stuck in Starting Soon

09-05-23 > VPN Outage

12-05-23 > Intermittent Outage - start/stop of VMs was unreliable for me; it worked some of the time

15-05-23 > Problems with the VPN, where I had to re-download the VPN configuration multiple times to get it working

17-05-23 > Patch for the above was released

13-06-23 > General Outage

14-06-23 > General Outage continued from the day before (caused by a DoS attack, according to a Discord announcement)

This is unacceptable for a platform that charges over $1.5k USD for 3 months of access to the course and labs. To give OffSec credit, I emailed support and they gave me 10 extra days to complete the labs. However, they still need to fix their infrastructure.

That problem aside, I believe the OSCP needs to refocus its objectives. Let me explain: it is perfect for teaching you the CTF mindset and the exploits that OffSec likes, but they need to include attacks that are more commonly used in real life. I would love to see more relay attacks on the exam, because that's one of the main attack vectors in real-life pentests.

I would also like the OSCP to cover more privilege escalation paths for both Windows and Linux, as I find both of those sections lacking, as well as common Active Directory privilege escalation techniques.

Is this the result of negligence?

The thing I dislike most about the course is that it's built in a way that wastes your time: you have to go through multiple machines, waiting a minute for each one to boot, just to answer one question whose answer you get by running one command, when they could perfectly well have prepared one machine to answer all the questions in a section, or even a topic.

Another example: they use the same machine for questions in different sections, but guess what? You can't answer the question unless the machine is spawned from within the section the question is in. It doesn't matter that it's the same machine, with the same IP and the same configuration. You have to turn off the machine, then wait thirty seconds to a minute for the same machine to turn on again, so you can answer a question you already had the answer to from the machine you had running in the previous section.

As someone who has been a teaching assistant in the past and has helped professors develop courses and exams, I find this an unacceptable way to teach something: making students "suffer" eternal waits when they could be spending that time on the keyboard learning.

A LOT of people tend to recommend skipping the course completely if you don't need the 10 bonus points (which I didn't get) for the exam. I also recommend skipping the course content and exercises; just download the PDF and videos and go mostly on your own.

Still wanna go for it? This is what I recommend

I've described my experience with the certification. If you still want to go for the OSCP, I would recommend the following:

I recommend these HTB machines because they taught me methodology more than anything else; it doesn't mean the exploits will be in the exam.

I recommend the Tib3rius courses because they briefly teach everything you might need and are easy to understand. I completed the courses in 2 days because I was practicing and taking notes; you can do them in 1 day.

Do I recommend the OSCP?

Personally, I don't recommend it. Go for other certifications such as TCM's PNPT and/or HTB's CPTS, as they are much cheaper and, in my opinion, cover way more content with better-designed courses.

However, if your employer is paying for it or you want it to bypass those damn HR filters, then definitely go for it. I didn't pay for the voucher; I won it through a CTF.
