OSCP Exposed Part 1: How I passed the exam in merely 7 hours

Aaryan Golatkar
Aug 14, 2024

On 31st July 2024, I finally passed the much-hyped OSCP!

This will be a four-part series in which I will discuss my exam experience, how I prepared for it, why it is such a hyped-up certificate, and how my life changed after I finally obtained it. Let’s kick off with my exam experience!

Disclaimer: I can only share so much. Offsec has strict guidelines and I don’t want to lose my hard-earned certificate & money.

I had scheduled my exam on the 31st of July at 11:30. This was the ideal time to choose as I’m very much energized in the morning. Before the exam, I had completed all the 3 practice machines & Lab Environments i.e., OSCP A/B/C, Medtech & Relia (I also completed much of Skylark but not all of it). This was my progress before the exam:

Progress before exam

I had completed 99.5% of the total course content & had already unlocked the 10 bonus points. This greatly relieved me because I only needed to score 60 more points to pass. Fast forward to the judgment day, I had pre-ordered at least 10 sachets of Bru Coffee because afternoons were my weakness, and I would usually fall asleep around 14:00–15:00, eating away my valuable time.

Formalities & Pre-Checking

At 11:30, the proctor arrived. They checked my government ID, for which I provided my Aadhaar card, and then gave me a PowerShell script to run to get the system information & the processes running on it. They then performed a full 360-degree scan of my room to ensure that no one else was present.

Kick-off Time

Around 11:45, I received the exam VPN and my credentials. The instructions are pretty simple and straightforward. Root the machine, retrieve the flags, and place them in the control panel. My exam strategy was to dominate the AD set and a standalone machine, but for some reason, things took a completely different turn.

Machine 1

I began scanning the ports on the machine, and after some enumeration, I discovered the attack vector. I never expected this type of attack to appear in the exam, but I had seen it on one of the practice machines and it was one of my favorites to perform! It took me a while because I needed to go over my notes again to fully understand the exploitation. But I finally got initial access and found my 1st flag in less than an hour.

Then came the difficult part, Privilege Escalation. All I can say is if this was a normal day of me solving this machine, I would’ve definitely looked at the writeup. I had never seen this kind of attack on any machine I’d solved. I kept researching, went on the 3rd-4th pages of Google, and I finally found it! HackTricks saved my fuckin life! I got the root access & submitted my 2nd flag. It took me around 3 hours to solve the first machine & after that, I took a lunch break of 30 minutes.

Machine 2

I resumed at about 15:00. My initial plan was to solve the Active Directory; I don’t know why, but for some reason I went on to the 2nd standalone machine. This machine was another menace. The initial access was unlike anything I’d ever seen. And again, HackTricks came to my rescue. This attack was mind-boggling & I had no idea it even existed. I finally got the initial access & found my 3rd flag. The Priv Esc part wasn’t that difficult & I got the root shell effortlessly, thereby gaining my 4th flag. This machine got pwned entirely at around 17:00.

Machine 3

My confidence skyrocketed & without taking any rest, I started the 3rd standalone machine. While port scanning, I immediately understood the attack vector. I ran the exploit & got the user access. The privilege escalation was simple enough to carry out with Metasploit, and this is where I finally used it, resulting in an easy Privilege Escalation, thereby getting my 5th & 6th flag. I didn’t even realize the time but around 18:30, I had 70 points and finally PASSED THE EXAM!

That was probably one of the happiest moments of my life! The song Shaabaashiyaan kept playing in my mind! This 4-month long struggle finally led to the end goal. I took an hour-long break & completely relaxed myself before moving to the final section, Active Directory.

Active Directory

Lol what can I say? This was too easy. I’m not even kidding, I realized the path to the Domain Controller as soon as I saw the BloodHound results. I’m still surprised it was this easy. Just some public exploits, password spraying & BloodHound was all I needed to attain the 40 points. I wasted a lot of time using other tools, such as adPEAS and PowerUp, which are quite useful but did not contribute anything worthwhile to the exam. Around 12 a.m., I pwned all of the machines in the exam and fell asleep!

Post Examination

I was taking screenshots while also solving the machines, so the following day was spent simply reviewing all of the necessary screenshots.

Make sure to take all the screenshots, even the ones where you transfer files onto the target machine, like uploading Mimikatz, PowerView, linpeas, etc.

It took me the entire day to make the report because I didn’t want to miss any screenshot or minor details. This led to an 85-page-long report. I submitted the report that night & finally went to sleep.

Result Day

I had been waiting for the report all day, and it finally arrived at night. I was about to go to sleep when I received an email confirming my OSCP Certification!

However, the email does not include your total points, so I sent another email to challenges@offsec.com requesting them to reveal my total points. And they did respond, stating that I had received 100 points plus a bonus of 10, for a total of 110/100 points!

Thank you for reading this article. In the next part, I’ll go over how I prepared for the exam, which labs I solved, which platforms I used, and also my time management techniques in detail. Stay tuned for the upcoming posts!
