How to Pass the OSCP

Update: 2 days after I published this article OffSec announced they are changing the OSCP exam to exclude the 10 bonus points. These changes will take effect November 1, 2024. To anyone taking the exam after this date, please disregard any talk of bonus points; I'm afraid you won't be getting any. The rest of the advice in this article should still be relevant.
My last article was a bit of a humble brag about my CISSP certification, so I figured I might as well go all in on the fake modesty and share my OffSec Certified Professional (OSCP) experience. The OSCP is a bit of a beast among cybersecurity certifications, and for good reason.
The exam itself is a 48-hour process divided into two parts. The first part, or first 24 hours, is all about hacking. You are given 6 IP addresses representing servers you need to fully compromise. 3 are standalone machines without dependencies on one another and can be solved in any order. The remaining 3 are part of the Active Directory (AD) set, and must be solved in order via AD exploits. Credentials compromised from one machine in this set may be usable on another machine. Compromising the final machine, the Domain Controller, is the ultimate objective of the AD set.
The second part of the exam, the second 24 hours, is all about report writing. You need to write a detailed report on how you compromised these machines including screenshots, code snippets, vulnerabilities found, remediation steps, and a high-level summary of the entire process. These reports are typically over 50 pages long (screenshots take up a good portion of them but still).
Does all that sound fun? Here are some more fun considerations:
- You need a score of at least 70/100 to pass this exam. Each standalone machine is worth 20 points, and compromising the domain controller in the AD set is worth 40 points. The AD set is all or nothing, meaning you don’t get partial credit for compromising only some of these machines.
- Access to all the machines is blocked after the first 24 hours. If you haven’t hacked enough machines to pass by then, I wouldn’t even bother writing your report because you are going to fail.
- The exam is open note and open internet, but you are limited in what tools you can use. You are only allowed to use Metasploit on 1 machine in the entire exam, any other machines you use it on are disqualified (sorry script kiddies). Also, ‘automatic’ exploitation tools like sqlmap and Nessus are banned completely. I recommend you verify with OffSec the entire list of banned tools.
- You can take the exam at home, but you will be proctored via webcam and screenshare the entire time. Don’t even try to cheat.
So with all that out of the way, do you still want to attempt this exam? If not, I can’t blame you. This entire ordeal probably took years off of my life. If so, terrific! Read on.
So before I got started on this certification, I watched this fantastic video by ‘DarkC’ about the OSCP. I recommend you watch it too:
https://www.youtube.com/watch?v=pIdbPp6vNmE
Since I’m already bragging a bit, here is a relevant comment on this video. See if you can find it (the man himself DarkC liked it):

Anyway, in this video DarkC lays out 3 steps to prepare for the OSCP. I’ll summarize below:
- Take the ‘Practical Ethical Hacking’, ‘Linux Privilege Escalation’ and ‘Windows Privilege Escalation’ courses offered by TCM Security
- Sign up for Hack the Box and hack as many practice boxes as you can
- Sign up for the OSCP and take OffSec’s PEN-200 course, completing ALL the labs before the big exam
Three easy steps! That’s a pretty short list but there’s a lot there. This is the exact path I took to prepare for the OSCP, and I can confirm it’s legit. I passed the OSCP on my first try, and I think if you really dedicate yourself and complete these steps, you can too. So let’s go through these steps one-by-one and break them down.
Step 1: TCM Security Courses
The Cyber Mentor (TCM), also known as Heath Adams, offers multiple hacking courses on his website tcm-sec.com. I’ll link below.
Of these courses, there are 3 you should complete: ‘Practical Ethical Hacking - The Complete Course’, ‘Windows Privilege Escalation for Beginners’, and ‘Linux Privilege Escalation for Beginners’.

If time is a real issue for you, I’d say you could probably scrape by with just the ‘Practical Ethical Hacking’ course, but no guarantees. If you want to do it right, do all 3. Plus, each course gives you a certificate you can plant on that slick LinkedIn profile of yours.
All 3 of these courses fall under the TCM ‘All-Access Membership’ plan which is $30 a month. It took me about 2 months working full time on these courses to complete all 3. My honest opinion is these courses are well worth the money. There are no exams or anything; you just watch videos and follow along on your own. On a few occasions Heath will give you ‘Capstone’ challenges which are essentially vulnerable boxes to hack. I hope this goes without saying, but TRY YOUR BEST TO COMPLETE THESE CHALLENGES WITHOUT CHEATING. If you find yourself wasting hours of time doing the same thing over and over on these challenges, then don’t torture yourself and get help. You should always try your honest best on these boxes without watching the solution video first, just to gauge how much you are improving. Also, I’d recommend writing brief walkthrough guides of your own on each ‘Capstone’ challenge as you go along. More on that later.
OK, so you’ve completed all 3 courses and cancelled your ‘All-Access Membership’ plan. Nice work. Onto step 2.
Step 2: Hack the Box
If you don’t already know, Hack the Box (HTB) is a subscription service that offers Capture the Flag (CTF) style challenges in the form of vulnerable servers or ‘boxes’. They give you a box’s IP address and you attempt to hack into it and capture its flags. I’ll link below:
https://www.hackthebox.com/
HTB offers both free and ‘retired’ boxes to complete. You really want to focus on the ‘retired’ boxes here since they have official walkthroughs on how to complete them and outnumber the free boxes by a wide margin. Unfortunately, this means spending more money. HTB offers a VIP plan for $15 a month which gives you unlimited access to ‘retired’ boxes. Although it’s tempting, I would strongly suggest NOT relying solely on free HTB boxes for preparation, since they don’t have official guides and focus more on recently discovered vulnerabilities. Plus, free boxes are plagued by high user counts and frequently crash or generally don’t work as expected. Suck it up and pay some more money; it’s worth it.
If you want a list of HTB boxes that are similar to the OSCP, I found this list on GitHub:
https://github.com/rkhal101/Hack-the-Box-OSCP-Preparation
I went through about half the boxes on that list before my exam and can confirm they were pretty relevant. All together, I hacked about 40 HTB boxes prior to my exam. I’d honestly say this number is a bit high; 20-30 would probably be adequate.
Final note about HTB: WRITE BRIEF REPORTS ABOUT HOW YOU COMPLETED EACH BOX. This will not only look good on your resume, but also has the added benefit of enforcing good habits like screenshotting and documenting vulnerabilities as you hack. Keep in mind, on the exam if you miss a required screenshot and the first 24 hours pass, you are out of luck. Access denied. Get into the habit of taking plenty of screenshots and organizing them so you can easily find them later when you write your report.
OK. Once you feel confident you can easily and consistently take down an ‘easy’ level HTB box, it’s time to cancel your HTB subscription and move on to step 3.
Step 3: PEN-200 and the OSCP Exam
It’s time to sign up for the PEN-200 and the OSCP. PEN-200 is OffSec’s foundational course on ethical hacking, and serves as a precursor to the OSCP. I’ll link below:

If you’ve been grossed out by how much money you’ve spent so far, then I’m afraid I have some bad news:

As of 2024, $1649 is the lowest amount of money you can spend to get OSCP certified. There isn’t much you can do about that. Start a GoFundMe, sell an organ, do what you have to do. Important note though: once you sign up for the exam with this bundle you only have 90 days of lab access, meaning you need to sit for the exam within this period. Don’t commit to this until you are 100% done with the previous 2 steps and feel prepared. There are other bundles offered without this strict time limit, but they are pretty expensive. I won’t even share numbers; it’s bad.
So once you pick your exam date it’s time to get cracking on PEN-200. The good news is that this course should feel like a breeze. Much of the material within should be review at this point, though I still recommend reading through all of it. That brings us to our most important topic on this step: the labs.
Throughout and after PEN-200 there will be labs which are optional to complete. My advice is to COMPLETE ALL OF THESE LABS. Why, you ask? This is why:

As of 2024, completing 80% of the labs throughout PEN-200 and submitting 30 flags from the PEN-200 challenge labs gives you 10 BONUS POINTS ON THE OSCP EXAM. This doesn’t sound like a lot, but I assure you this could very likely be the difference between a pass and a fail (it was for me). Let’s break it down:
Without the 10 bonus points, compromising the Domain Controller in the AD set is 100% mandatory on the exam. Without those 40 points, even if you fully compromise the 3 standalone machines, you can only achieve a maximum of 60 points. Fail. The only path to success is to fully compromise the Domain Controller and then compromise at least 1.5 standalone machines (on standalone machines the user flag counts for 10 points and the root flag for another 10), totaling 70 points (40+20+10=70). This is a pretty stressful premise, especially since quality AD experience is hard to come by without paying even more money. Most of your experience at this point will be with standalone boxes, so AD will be pretty intimidating.
With the 10 bonus points, however, you have the option of ignoring the AD set completely and focusing on the 3 standalone boxes. Compromising these 3 boxes plus the 10 bonus points puts you right at 70 points (20+20+20+10=70). Pass. You can also compromise the Domain Controller and then you only need to fully compromise 1 standalone box (40+20+10=70). Another pass.
I’ll be frank with you and say if you don’t have these 10 bonus points going into the exam, I’d recommend postponing your exam to a different date within your 3-month window until you have them. They are that important. If you need help with any of the labs, then the OffSec Discord is the place to go.
Regarding report writing on the PEN-200 challenge labs: I’ll leave that up to you. I acknowledge it will take a lot of time, time you may not have at this point. I’ll say it is good practice, especially if you use OffSec’s pentest report template. This is provided on the Exam Guide I linked to before:

There should be 3 OSCP-like prep labs within the PEN-200 challenge labs. I’d recommend doing each of these just like you would the exam. Block off 48 hours to hack each set and then write a report on them using the OffSec template. How well you do on these will tell you if you are ready for the exam or if you need to review steps 1 or 2.
At last, we come to the exam itself. Rest up before the exam; don’t burn yourself out on hacking the day/night before. Clear your calendar as much as you can for your 48 hours of hell, as you may need to use nearly all of it. Have meals/snacks prepped so you don’t waste time cooking or deciding what you want to eat. Drink water. Be sure to take multiple breaks throughout the exam whenever you start to feel burned out. Consider setting a timer to go off every hour or so to tell you when to step away. Go out and get some fresh air whenever you can. Exercise, even if that isn’t your thing. Finally, be sure to read and thoroughly understand the rules/procedures regarding taking the OSCP. OffSec is pretty picky about what is/is not allowed during the exam, as well as how they want flags submitted in their portal and on your report. Don’t fail because of a minor oversight.
So if you’ve followed all my advice then hopefully at this point you’ve pwned all the boxes on the exam, written a report Neo himself would be jealous of, and submitted your report EXACTLY how OffSec wants you to. What next? You wait.
I’ve heard varying reports on how long it takes to hear back with results, everywhere from hours to a full week. For me personally, it was 1 day:

There you go. So was all that worth it? If you are seriously interested in penetration testing and want to do it for a living, then I’d say yes. The OSCP is still in my opinion the gold standard for pentesting certifications, and likely will be for a while. Certifications aren’t everything when finding a job, but they certainly don’t hurt. If you followed this guide exactly, then you should also have some example pentest reports to share with potential employers to complement your shiny new cert. If you are considering cybersecurity in general and aren’t sold specifically on pentesting, should you get it? Hell no! Start with the Google Cybersecurity Coursera certification and then move into CompTIA Security+ or another entry-level certification. Don’t suffer on the OSCP if you don’t have to.
Anyway, there’s my two cents. To anyone that is considering taking the OSCP, I wish you luck. If you ever feel discouraged or are really struggling with the material, remember: just Try Harder 🙃. Have a good day.