Hi, so this is my fourth blog post about my OSCP journey.
I have to tell you that I feel so relieved and happy that I passed it on my first attempt.
How was it? First I took the official offensive security live course:
I’m greatly impressed by the Offensive Security team/company. They were super professional and I never hear the “Try Harder” motto in a bad way. Every question was answered in the most helpful and pleasant way (you need how to ask questions, more of this below). If you understand what they are trying to teach you, the exam is pretty easy. I passed in 8 hours while doing my report at the same time. My main take away points are:
- The team is important, find someone to do the process with. I did it with three other friends and is super helpful. If you dont have “live” friends you can also find other people online doing OSCP.
- Having questions is normal. There are a lot of chances that you are not the only one with that problem so check the forum and google before asking.
- When asking a question (especially in the forum) dont complain about how hard it is or say that you will stop trying or with any negativity. Tell them what you tried, what you find without spoilers and ask if you are missing something. The moderator or any other user will help you. An example of a question can be. Hi, I discovered a very high number port, I am trying the vulnerability there. I think that im making progress and have limited command execution. Im having a problem with X. Is that the correct way or Im missing something else in the puzzle. I read the forums and I see that people recommend x and y but I dont seem to find the way. Can someone PM me please? Thanks 🙂
- Find out as much as possible of the exam before doing it. There are tons of post of that online, google is your friend.
- OSCP is a challenging certification and you should take it seriously and with respect. I´ve seen very very smart people fail it. Is not easy. If you do it with respect life will be easier. I did CISSP in a month and CEH in a week and they are very different.
- Learn how to use mona compare. This is not in the course but is really need it. https://mexicanpentester.com/2019/11/21/buffer-overflow-bad-characters-con-mona-en-espanol/. The buffer overflow machines are 25 free points. You should get this box in under an hour. If not the exam will be uphill.
- Do a lot of hack the box +30 machines. Is fine that you just follow ippsec videos at the beginning. I dont know how people passed this without HTB. Without them and Ippsec this is way harder. This is the list of OSCP related boxes that i did https://mexicanpentester.com/2019/10/14/maquinas-en-hack-the-box-que-se-parecen-a-oscp/
- You will know after 8 hours if you will pass. Essentially there is a mental barrier at 50 points, if you can skip that you will pass in that attempt or the next ones. If you cant make 50 points go back to the labs or to hack the box.
- Is normal to fail your first (or firsts) attempts is not the end of the world. Just keep trying.
- Use exploitDB is maintained by Offensive Security there are a lot of chances that the exploits you need are there.
- Dont run code that you dont understand. They will make you change it a little. They dont want script kiddies. Again understand what you are executing and the vulnerability you are trying to exploit.
- Prepare your exam template and use some kind of redundancy on it. My kali virtual machine crashed at the middle of my exam. I didnt lost anything because I was reporting while I was hacking but if not that would had been the end of my exam.
- Do the lab report. Both the questions and the 10 machines (do at least 20) and document the OSCP way. After the 5th machine, it will be automatic. The 5 extra points can be the difference between passing or not.
- Plan your exam and work toward that date. If you have a deadline you will not fool around much. Also the good time slots are very difficult to get.
- Don´t stop if you think you passed your exam with 70ish points. That is not enough I regret stopping at 82.5 points. Aim at 105 points.
- You can use metasploit one time. Use it, but use it wisely. This is very important for the exam.
- Enjoy the ride, is hard but fun.
I recommend the live course but is not 100% needed. It just makes life way easier. If you live in the Netherlands they come often. I did it with https://www.tstc.nl/