In preparation for the OSCP, these are the boxes that I went after (in this order) after my first failed exam attempt. This list is mostly based on TJ_Null’s OSCP HTB list. There are 39 boxes in this list, but this is a great example of trying ‘harder’ and going beyond the course material.
I watched all of Ippsec’s YouTube videos on these boxes before I attempted any of them.
I’ll publish walk-throughs of all of these boxes in the coming days for you to see my methodology, where I messed up, etc.
Some of these boxes are active, so I will have to wait until they retire to publish those ones.
The day before the exam I really didn’t do much. I spent maybe an hour on the computer and that was just organizing folders on my VM, making sure I had OneNote organized (that’s what I planned to use to take notes, organize screenshots, etc.).
I printed out a visual affirmation and put it above my monitors against the wall. It said “OSCP – YOU GOT THIS!!” along with other things like “There’s a way into all of these boxes. You can find it.” and “Don’t get frustrated. It’s supposed to take time… and you have plenty of it.” I know a thing or two about psychology and affirmations do help. They serve as helpful reminders and positive support and reinforcement, especially when you’re stressed during an exam. Your mind will need an escape. Trust me on this.
That’s about all I did. I tried to study but honestly at this point, I told myself if you don’t know it by now, you won’t know it for exam day. This is about methodology and how you think more than actual tactics.
Exam day.
I woke up at 6:30 as usual, but skipped my regular coffee. I told myself that I wasn’t going to have coffee, energy drinks, or anything like that unlike last time. Last time I took this exam, I wanted to sleep but I couldn’t fall asleep because I drank too much coffee. It was a horrible feeling and I wasn’t going to let it happen again.
I cleaned up a bit around the house, ate a late breakfast (9:00 or so) and then sat down at my desk at 10:15. I just checked some emails, read some news, and then logged into the proctoring session at 10:45. They were there and already waiting. I got done with the verification in 5 minutes and then sat around until the exam package was sent, which it was promptly at 11:00 (my exam start time).
I assumed I was starting with 5 points because I planned to submit the lab report and exercises.
I powered up my automation and began to enumerate in the background while I worked on one of the 25 pointers. That one was done by 11:45 a.m. 30 Points. Awesome.
I then moved to the 10 pointer. I knew in my last attempt I was able to get this fairly quickly as well so I took a shot at it. 2.5 hours later, I got nowhere. I knew the way in but I just couldn’t figure out how to work at it. I stopped, ate lunch and took a half hour break. I was getting frustrated. When I sat back down, my eyes caught the affirmation that I had posted above my monitor. I had 30 points and it was 2:45 p.m. Still plenty of time.
I took a shot at one of the 20 pointers. After working at it for 1.5 hours, I got user. Awesome. Up to 40 points. I was back to where I was in my last exam attempt and it was 4:15 p.m. Forced myself to take another break.
At 4:30, I sat down again. I took a stab at the other 20 pointer, and after another hour I got user. 5:30 p.m. and I have 50 points. Almost there. I went back to the first 20 pointer, and looked around. I found what I had to do; within 45 minutes I had rooted it. 6:15 pm and I had 60 points. I started to feel a rush. I remember thinking to myself… You’re so close, you got this. Go figure… the visual affirmation I had says “OSCP – YOU GOT THIS!” Hmmm… Comparing it to my last performance, I remember thinking “How the f is this even happening? And so quickly?”
I went at the other 20 pointer and I looked at it. I knew the way to root, but I was just missing something. But what? I couldn’t figure it out. Okay. It’s 6:45 p.m. and you have 60 points but you haven’t even touched the monster 25 pointer. Come on.
I took a stab at it. I saw the rabbit hole and started to go down it. I couldn’t get anywhere. I took a step back and took a quick break. I remembered the basics and importance of methodology that the PWK course material and PTP (eLearnSecurity) course material had taught me. I looked at everything from a different perspective. I poked at something and I immediately had a hunch. I followed the proverbial ‘string’ I found and kept tugging at it… and what do you know… It’s 7:30 p.m. and I got user. 72.5 points. I had enough to pass. Holy $@%^
I ran downstairs and celebrated quickly with my family. Wow, what a relief. And it was only 7:30? This is crazy. This exam got the best of me last time though, and you know what? I want to see how much further I can get. This isn’t just about getting the OSCP. This is about me. I didn’t just want to barely pass. I came back upstairs, enumerated the 25 pointer and knew right away what I had to do to get root. At 8:30, I rooted the monster and had 85 points. It took the least amount of time to root the hardest machine… and it was all because my mindset completely changed. It had nothing to do with skill.
I went back to the other 20 pointer but couldn’t understand what I was missing. I looked everywhere but came up short. Then I went back to the 10 pointer. I was almost mad at myself for not being able to get this one. I used my Metasploit usage up on this box finally, but I still came up short.
I tried for a while, but promised myself I’d stop if I felt myself getting frustrated like I did in my last exam attempt.
At 9:30 p.m., after making sure that I had everything I needed for the report, I terminated my VPN connection. I decided to start the lab report but after working on it for about an hour, I was getting tired and fell asleep. I napped for 4 hours, which was probably the best 4 hour no-pressure nap I’ve had in a long time. I woke up, and even though I was tired, I felt great. I put in a few more hours of work and finally had some coffee. I submitted my report that morning.
A day and a half later, I received confirmation. I was now an OSCP.
So I heard about eLearnSecurity through Heath Adams (The Cyber Mentor), and looked at their syllabus. They cover a ton of stuff, network attacks, system attacks, reconnaissance, web application attacks, etc. etc.
I’m also a big believer in return on investment, and eLearnSecurity’s programs are a lot more affordable than others. I think this is because eLearnSecurity is still relatively new, but they are definitely gaining a lot of traction in the industry and have a very up-to-date curriculum.
I decided I wanted to do PTS and the eJPT. But I wasn’t sure, so I actually went on their website and I got the barebones edition for free, which gives you all the slides, but nothing else. I studied the slides and realized they include a lot of good information, even stuff that is relevant but not necessarily on the exam. I waited for Black Friday before I bought the PTS and ended up getting the PTP course and the eCPPT exam because the deals were so good.
I bought the PTS Full and the PTP Elite.
The PTS Full course comes with 30 hours of labs and one exam voucher plus a retake. It also comes with really good videos. The 30 hours was more than enough. I went through all the slides, practiced the labs three times or so, and only used about 8 or 10 hours of the lab time.
My best advice if you go this route and go for the eJPT: go through all the slides and take notes. Then go through all the videos twice and take notes on the videos. After all that, go through the labs, and take notes on the labs. Take the labs as many times as you feel you need in order to get comfortable with doing what you need to be doing. When you feel ready, just go ahead and take the exam.
I’m not going to give away anything about the exam but I will say this: the 72 hours that they allocate is more than enough time. Take your time, be patient, and don’t get stuck going down any rabbit holes. What they cover in the labs and the course is more than enough information to pass the exam, I assure you. I ended up only getting one question wrong and I completed the exam in less than 6 hours and that was with my VM crashing once and taking a couple breaks here and there. I’ve never had more fun taking an exam before.
Huge shout out to Heath Adams and his zero to hero pen testing series which really helped spark my interest and a huge shout out to eLearnSecurity for putting together a great course. Their customer service is actually really good too and very responsive. I had a few issues but they were resolved really quickly and the company seems to always care to make things right.