OSCP Exposed Part 2: How I Aced the Exam with Only 4 Months of Preparation

Aaryan Golatkar
8 min read · Aug 30, 2024


Disclaimer: The title is somewhat of a clickbait. Yes, I prepared for the OSCP in just four months, but I had a lot of experience in the field. I ranked in the Top 1% on TryHackMe, had over 11,000 points on PicoCTF, completed all server-side labs on PortSwigger Academy, and worked as a Team Lead in Red Teaming (Fellowship) at my previous company, Deepcytes.

Let’s go back to January 2024, when I planned to take the CEHv12 certification. I received a call from EC-Council and discussed the course price with them. It cost ₹50,000! That was significant given the course content and how basic the certificate is. In addition, one of my friends had completed the CEH but was still looking for work. This caused me to rethink my decision. I also contacted one of my seniors, but they advised that the OSCP would be too difficult for me and that I should pursue the CEH instead. But I didn’t want to waste my money on this basic certificate; my college fees were already 4 lakhs per year, so I had to make a very wise choice. After much thought, I decided to skip the CEH and go straight for the big prize!

My Roadmap

I watched a lot of videos regarding the OSCP Roadmap. The best one I discovered was by Ansh Bhawnani Sir, popularly known as Bitten Tech!

My entire OSCP Pre-Preparation was based on 4 platforms:

  • HackTheBox
  • Proving Grounds Play (PG Play)
  • Proving Grounds Practice (PG Practice)
  • YouTube

I obviously did not solve every machine on these platforms; instead, I used TJ Null’s OSCP-like machine list.

TJ Null’s OSCP List: NetSecFocus Trophy Room — Google Drive

PG Play

Link: OffSec | Challenge Labs

My pre-preparation began in January 2024 with PG Play, a completely free platform with some OSCP-like machines. These machines were straight from VulnHub, except they were hosted in the cloud, so you can avoid the hassle of installing them locally and save a few hours. TJ Null’s list had about ten machines, but I finished those pretty quickly, so I went ahead and completed all 51! I know it sounds crazy, but I actually had a lot of time in January. If you don’t have that kind of privilege, I won’t recommend doing the same.

Benefits

  • All the machines are free & taken from VulnHub
  • Super simple UI

Drawbacks

  • Only Linux machines are present, no Windows machines :(
  • The machines are free, but only for an hour; you gotta pay if you want them longer than that
  • Brute-forcing takes a lot of time, and I mean a lot! I think this is more of an India-centric problem, because the servers are located in the US. To solve this, I simply downloaded the machines from VulnHub and ran them locally

Fun Fact: One of my initial attack vectors in the exam was similar to a machine in PG Play!

HackTheBox

By the end of January, I’d solved all of the machines on PG Play. So it was time to switch to the ultimate platform: HackTheBox. I purchased a one-month subscription with the intention of completing the entire list within that time frame. HTB machines are significantly more difficult than PG Play, and even more difficult than those found in the OSCP. I remember it was a struggle to escalate privileges because every machine was so unique! It took me a long time to figure it all out. On top of that, the company where I was interning gave me a shit load of work. Plus I had my ISE exams (unit tests) in March, so I couldn’t complete the entire list. I think I could only solve about 50% of the machines on the list before my access ended. Regardless, I believe this is the best platform for learning and developing the mindset needed to solve OSCP machines.

Benefits

  • Contains Linux & Windows machines, even AD machines
  • Preparation will be on a higher level than OSCP
  • Never faced any unusual glitches with the machines

Drawbacks

  • Retired machines aren’t free, you have to pay for them
  • Overwhelming UI, you’ll get intimidated if you are an absolute beginner
  • Again, not the best platform for absolute beginners. Go on PG Play first before coming here

YouTube

February and March were completely consumed by exams and the internship, so let’s fast forward to April. Active Directory was a little difficult for me to understand. So, rather than just hacking it, I built my own home lab. My laptop at the time had only 8 GB of RAM, so I upgraded it to 16 GB, installed a Windows Server and a domain-joined Windows 10 machine. I practised all of my attacks in that lab environment, which cleared up my AD concepts. For the attacks, I watched two YouTube playlists.

  • Active Directory for OSCP by The Cyber Expert (Harshit Joshi)
  • Kerberos Playlist by VbScrub

PG Practice

Link: OffSec | Challenge Labs

My End-of-Semester Exams (ESE) were completed in early May. I was finally free to focus solely on the OSCP. This time, I didn’t take any breaks and went straight into PG Practice. The labs here are of medium difficulty; not as difficult as HackTheBox, but not as simple as PG Play. It has Linux, Windows and DC machines for AD practice. I spent the entire month of May on this platform, and I also completed the entire TJ Null list for PG Practice. This is also where I ranked among the Top 400 on Offsec’s platform!

Benefits

  • Machine difficulty is medium level
  • Didn’t face any issues unlike PG Play
  • Simple to use UI like PG Play
  • Contains retired exam machines

Drawbacks

  • Paid Platform

Time to Buy the Course

I’d finished almost all of the labs on TJ Null’s list (with the exception of a few HTB machines), so I felt prepared for the endgame. On June 11th, I finally purchased the OSCP course. It was valid for 90 days, so the end date was September 10, 2024.

But, to my surprise, I finished the entire course content, including the exercises in each module, in just 16 days! This demonstrates the value of a strong pre-preparation. My next step was to complete all of the course’s challenge labs, which included Medtech, Relia, Skylark, and OSCP A/B/C.

Medtech

I struggled a lot just to get the initial access vector. To put it simply, I had no prior experience hacking in a real-world corporate environment. The crazy part was post-compromise enumeration, which I’d never done on any of the practice machines before. However, if I had just pushed a little more, I believe I would have compromised the entire environment without the assistance of the Offsec Discord server.

Relia

Another difficult environment, with more machines to solve. It was in this environment that I realized the importance of taking detailed notes. There are simply too many attack vectors and credentials to remember. You need to take precise notes. I also wrote down my failed attempts so I wouldn’t have to try them again. Offsec has created a masterpiece of an environment!

OSCP A/B/C

These are the machines whose patterns will be similar to the OSCP Exam machines. I treated them like a mock exam and created an exam environment in my home, giving myself 24 hours to solve these machines. So, did I manage to solve all of them without any hints?

On OSCP A, I was able to easily compromise all the 3 standalone machines. My only problem occurred in the AD environment where I forgot to try a simple password-spraying attack on a specific port; otherwise, I would have solved the entire set!

On OSCP B, I compromised all the machines easily. The AD part was very similar to that of OSCP A so I didn’t have much issue.

On OSCP C, I easily solved the AD part but failed to solve that single standalone machine because the exploit was not working properly and required significant changes. But even so, I had compromised enough machines to pass the exam.

Skylark

Before solving this environment, I had scheduled my exam for July 31st. I still had a few days left, so why not go beyond the OSCP? According to Offsec, this environment is well above the current level, and rightfully so! On most machines, the difficult part might be gaining initial access, escalating privileges or pillaging. But here, the most difficult part was port scanning! No, I’m not kidding; please solve the environment on your own to understand what I mean. I used a hell of a lot of hints to solve it, and even then, I couldn’t solve all of it. One machine was still left, but I figured it was enough practice. I knew what kind of attack vectors might be asked, how to find those vectors, and how to exploit them. I had solved a whole lotta machines. I finally felt ready for the exam!

Important Note: It was also during Skylark that I experienced burnout, which I discuss later in this article.

Time Management

An obvious question arises: how was I able to balance my college studies, internship work, and my health while studying rigorously for the OSCP?

This was definitely not easy, but I cut out all the unnecessary time spent. I identified some patterns where I would become completely immersed in the fun and forget to study. One of the main triggers was Instagram. If I opened the application, I wouldn’t leave it for at least an hour. To tackle this, I installed the Minimalist app!

This app shot up my productivity levels instantly! I was no longer addicted to Instagram, and in fact, I deleted the app from my phone! Do give it a try; this was my best decision for time management.

Escaping the Burnout

When I bought the OSCP course and started solving the labs, I completed all of them in a quick rush. My entire day was spent studying and solving the OSCP course. Things were going fine, but then during Skylark, I started feeling lethargic. There was a privilege escalation vector which was super easy to perform, yet I couldn’t even notice it. That was the moment I realized I had burned out. My mind became my own enemy. I was solving too much and getting little to no rest!

The solution was very simple. I took some time away from the screen, got on my bike and went on a ride exploring Mumbai. It was such a joy visiting different locations, which indirectly cleared the clutter in my mind.


This concludes Part 2. I hope you liked my roadmap for preparing for the OSCP, my time management strategies and my technique for avoiding burnout.

In Part 3, I’ll be exposing the OSCP course for real.

  • Why is it so over-hyped?
  • What will the OSCP never teach you?
  • Why is the OSCP somewhat disconnected from a real-life pentest?
  • Which certifications are better than the OSCP?

All of these questions will be answered in the next part. Until then, Thank you for reading 🙏
