On Becoming OSCP Certified

Posted in Certifications, Offensive Security, and Projects

Last year (in 2022), I successfully passed my OSCP exam. So yes, this will be yet another blog post about OSCP and the PEN-200 course :). That being said, I’ll try to give you a different perspective and overview of my experience. I also linked other blog posts that I used myself at the end of this text.

What is PEN-200 and OSCP?

This question has been covered by multiple other blog posts, so I will make this very brief. Please check out those other blog posts for more details.

What is PEN-200?

  • The course and labs that will prepare you for the OSCP exam
  • The course is the theory (knowledge). Each chapter in the course has a set of exercises to complete.
  • The labs give you hands-on experience in hacking standalone machines and active directory sets.
  • Complete enough exercises and lab machines to be eligible for 10 points on the exam score (see OffSec’s OSCP exam guide for official details on that)

What is the OSCP Exam?

  • A 24-hour exam (The timer does not stop. You are expected to eat, sleep, take breaks, etc.)
  • You have to break one active directory set (i.e.: become domain admin) and a certain amount of standalone machines.
  • You must own enough exam machines to get a passing score (see the exam guide for more details)
  • You then have another 24 hours to write and submit a professional pentest report. Fail to do so and you will fail the exam (even if you hacked all the exam machines). It is very important, again, to read the exam guide.

Why OSCP?

Like for any certification, it is important to ask yourself, why do you want to do it? What will it bring you? Your time is limited, so make sure you spend it on things that are worth it. The reasons you come up with are probably valid because they are your own. That being said, here is a short (and incomplete) list of why one should do the PEN-200 course and OSCP exam:

  • Kickstart your career as a pentester
  • Learn new pentest concepts
  • Pass the HR process during job searching
  • Certify that you can pentest (e.g.: it would help to get clients as a freelancer)
  • And more …

You may have heard from other sources that OSCP is an entry-level certification or that it is a minimum to get into cybersecurity. In my opinion, this is completely false. OSCP is not an entry-level certification in the cybersecurity field. But it kind of is on the minimum requirement spectrum to get into offensive security. Don’t get me wrong, I don’t think everybody who wants to be a pentester should have it. But anyone who wants to do this job should have the equivalent knowledge at minimum. Moreover, it does not have to be your first certification. Pentest+ would be a real entry-level certification for that role (and cheaper).

In other words, if you want to get into application security, vulnerability management, incident response, or any other cybersecurity field, you should probably spend your time on another certification (at least at first). Here is a great roadmap of a decent amount of available cybersecurity certifications: https://pauljerimy.com/security-certification-roadmap/. The certifications are organized by fields and level of difficulty. While that last point can sometimes be subjective, notice that Pentest+ is at the beginner level and that OSCP is almost at the expert level.

About the New Exam Format

In 2023, a new PEN-200 course and lab was released. I know people who are going through the new material, but since I have not done it myself, I will not comment on it. However, I did go through the “new” (it’s been a few years now) OSCP exam format.

In the earlier version of the OSCP exam, it was no secret (but I don’t think it was officially disclosed by OffSec) that you would have to exploit a buffer overflow on one exam machine. This is now completely removed from the exam and even the course itself. In my opinion, this makes sense. You won’t find basic buffer overflows to exploit in the wild anymore. This warrants its own course.

This has been more or less replaced by active directory exploitation. Most (if not all) enterprises use active directory. Knowing how to exploit that is a must. It does have the drawback of adding a decent amount of new material to the course though. That being said, I think this is a good change and gives a better value. Going back to the exam, this means that you will have to break one (small) active directory set during the exam (meaning, become domain admin).

This also means that there are now 6 machines (3 in the AD set and 3 standalone) to exploit to get the 100% mark. This can sound daunting when you have 24 hours to exploit them, and it kind of is. It can be done though; we will see what my strategy was in a moment.

Prerequisites

From what I have heard, the new PEN-200 format makes it more approachable to people who have less background in cybersecurity (yes, this also means that the course takes longer to complete). That being said, here is a quick bullet point view of what I consider the bare minimum you must have before jumping into PEN-200:

  • Advanced Linux and Windows understanding
  • Beginner scripting and coding skills
  • Beginner to advanced networking knowledge

Here is now my highly recommended list of prerequisites:

  • Owned a few machines on Hack the Box (or equivalent platform)
  • Beginner active directory knowledge
  • Beginner web exploits knowledge
  • Beginner infrastructure exploits knowledge
  • Beginner privilege escalation (both Windows and Linux) knowledge

With that said, I just want to tell you that there is no one true and correct way to get there. You may even do it a few years into your career. My background is in software engineering. Because of that, it was very natural for me to get into cybersecurity through application security (AppSec). At some point, I decided to pivot toward offensive security (e.g., pentesting). This is when I decided to do the OSCP. Because of my background, everything related to scripting, understanding and modifying exploits, etc. was extremely easy. I did have to brush up on active directory though. While lots of people have a networking background going into PEN-200, this is not the only way.

Work, Life, Family, Study, Balance

This balance is not mentioned often. What you will usually hear about is that guy who did PEN-200 in a month of grinding and then got 100% in the exam. I am here to tell you that, while it can be done, it does not have to be like that. You take the time that you need to prepare for the exam. Period. If you are a student or are single, good for you, this will be way easier.

However, if you are like me and have a family on top of your job, this gets a bit more … interesting. When you have a wife and kid(s), you can’t just shut them off for a few months while you focus on your OSCP. Your family is your priority, then comes your work (so that you can help provide for said family), and THEN comes OSCP. Somewhere in between those 3 elements, you need to keep some time for yourself, so that you don’t get burned out :). If this is your situation, this is how I did it without going insane.

First, there is no silver bullet, it takes time to complete the PEN-200 course and its lab. It took me between 8 and 10 months to complete both. This is mainly because I could not spend 20-30 hours every week studying.

In order to succeed, you must be prepared to wake up very early or study in the evenings. I preferred to wake up at 5am 3 times per week. With 2 hours of study per session, it gave me about 6 hours per week. The reason I did that instead of the evenings was simply that I was too tired after a full day to be focused. Starting the day with that made sure that I was 100% into it. It also meant that the toddler was still sleeping.

Having an employer that allows you to study during working hours can be a big deal. I was able to study for about 3 hours every Friday afternoon. This was a big help.

But even with all that, I still needed a few weekends to work on my studies. This is where your wife/husband must be involved. I would not have been able to do it if my wife and kid hadn’t gone out of the house for days at a time during the weekends. We didn’t do that every week, but for me, it was necessary to complete multiple lab machines in one session.

This brings me to the next point: this is not your project, this is your family’s project. They are involved in it almost as much as you are and you will need them to succeed. Another example where your partner will be needed is during the exam. On my side, my wife took the kid out until bedtime. If you do not have the luxury of not having your kid with you, I will not lie to you, that’s going to be hard. The only tip I would have is to follow your predefined exam schedule (more on that in a moment).

During all that, you must freeze some time (evenings, days, weekends) to spend with your family but also with yourself. I did not stop gaming during that period, I just did it less often :).

The Exam

Again, there are lots of other blog posts that go into details about the exam. That being said, here is my take on a few things.

As a reminder, the exam is 24 hours long (the time you have to exploit the target machines). Because of that it is very important to think about the time you want to start the exam. This is personal to you, choose what would make you more efficient. On my side, I decided to start early in the afternoon (1 p.m. or 2 p.m.). I decided to do this because it forced me to sleep, and I still had plenty of time on the second day before the exam finished. I had a passing score at about 8 p.m. or 9 p.m. It was then less of a challenge to sleep a bit, before going back fresh in the morning to get more points.

And that’s the thing, remember that the exam is designed so that you can complete it in (give or take) 12 hours. After all, you are expected to eat, sleep, take breaks, etc. Therefore, if you couldn’t get at least a passing score in 12 hours of active exam time, you were not ready for the exam. I would personally argue that if you needed to do an all-nighter to get a passing score, you were not ready either.

My last recommendation for the exam: MAKE A SCHEDULE AND FOLLOW IT. Most people would tell you to take breaks and take time to eat. But for me, it is not enough. I would suggest that you write down a (flexible) schedule, and stick to it. This will *force* you to take breaks when you should, according to your preferences. As an example, here was my intended schedule (which I pretty much followed):

  • Exam from 2 p.m. to 6 p.m.
  • Dinner
  • 7 p.m. to midnight (extend to 2 a.m. max)
  • Sleep
  • 7 a.m. to midday (earlier if possible, depending on when you stopped)
  • Lunch
  • 12:30 p.m. to 2 p.m.
  • Take breaks every 2-3 hours (except maybe the first afternoon).
  • Do not spend more than 2-3 hours on a given access level for a given machine. After that, take a break and move on to another machine.

I also decided to start with the active directory set. The idea was to complete it when I was at my best and forget about it after that.

My last point is to think about all the little “details” in advance. One example is food. You wouldn’t want to lose exam time by making food right? All of my food was already prepared, all I had to do was warm it up. This was a huge time saver.

The Report

After you have completed the first 24 hours, you have to write a report. I don’t have much to say about it, but here are a few things.

  • Using and following the provided sample report is worth it
  • Take screenshots as you go through the exam, do not wait until the end
  • Take comprehensive notes during the exam (how you did things, commands, scripts, etc.); this will streamline the writing of the report. Some people even just take their notes, put them in the sample report, clean it up a bit, and they are done.

Last Thoughts

The course PEN-200 and the OSCP exam mix well together because they provide different values both for you and your employer or clients. Completing the PEN-200 course (and its labs) will give you practical knowledge. Passing the OSCP exam will prove that you can work in a stressful environment, that you are efficient, etc.

While I definitely think that this certification is one of the best there is, it is not without drawbacks. For one, having to complete the exam in 24 hours (48 hours if you count the time allocated for the report) is challenging even when you don’t have any obligations; it can be brutal when you have a family, and I can’t imagine how it would be for a single mom/dad.

Another thing that I did not like is how they teach in the PEN-200 course. Of course, I am talking about the previous version of the course. I’ll let you be the judge of the new version. I found their teaching skills to be subpar compared to other resources (e.g. the Cyber Mentor). I am not saying that the content of the course is bad. Everything that you need to know is there. But the issue was how they approached it. That being said, I heard from people doing the new course that it is better now.

Hopefully, this was useful for you. Otherwise thank you for reading this far :). Here is my last tip: Don’t try harder, try smarter.

Other Good Blog Posts

In this blog post, I have not covered much regarding the exam itself, the labs, how to prepare before taking the course, etc. This is because lots of people already did. Here are a few that cover those subjects:
