OSCP - Round 1

My experience and takeaways from 6 months of study and my first exam attempt

Lab Time

When Trying Harder Isn't Enough

About halfway through my first 30-day lab extension I felt like I was hitting a wall and getting stuck more often than not. I would work on a machine, or a couple machines, and just get stuck. I kept bashing my head against the machines, over and over, trying to see what I didn't see before, think of what I hadn't thought of before, etc. I think the problem is in not knowing what you don't know. I knew the material presented, but I still had (and have) a lot to learn. It was at that point that I decided to be more liberal in seeking hints in the forums. If I got totally stuck on a machine, I would just look at the associated forum posts for inspiration. It's rare that the forum posts outright spoil the machine, and some of the vague hinting is more confusing than helpful, but if it gave me a new name of a tool, or technique, or something to try out, it was worth it because I would learn. That is what the lab is about: Learning, not Proving.

Lab Report

The lab report is an optional part of the whole learning experience that can grant you up to 10 bonus points on your exam score. In the end, demonstrating my abilities on 10 unique machines (4 of which were part of an Active Directory set) was small potatoes compared to finishing and documenting all of the required exercises for all of the class sections. Whether or not you plan to submit a lab report, making the lab report is well worth it. It forces you to practice the necessary documentation, and more importantly it forces you to actually do all the exercises yourself and learn the techniques, rather than just passively reading about them. And let's face it, if you're going to do the lab report, you might as well do a thorough job and submit it for the bonus points. More on this later though...

Exam Time

Practical Matters

I've read about people who completed the exam in well under the 23 hours and 45 minutes you're given. I've read the guidance from Offensive Security that the ~24hrs is given because you're expected to take breaks and to sleep. But I know this about myself: I'm slow and I get stuck. I occasionally get on a tear and really rip through things, but for whatever reason I just tend to go slowly. I fully expected to take all of the time. It's for that reason that I scheduled my exam for a day off from work, and got the thumbs up from my wife that she would take care of the kids all day and night while I was taking the exam. This turned out to be the right call as I worked straight through with breaks for coffee, food, and meals, but no sleep. I don't recommend it.

I removed an additional monitor that was not being used on my test machine, my work laptop, my phone, and even my Google Nest Hub. This was not only required, but helpful in ensuring no distractions.

I do have a dual monitor setup for my personal machine that I took the exam on. I tend to actually do the work on one monitor though. The rules require that if you are using multiple monitors, you share both monitors through the proctoring software. I had lots and lots of "drops" of the stream that the proctors would notify me about and then I'd have to refresh the page and re-share both screens. I don't know if it was because of the two monitors, but if I had to take it again, I would narrow down to one monitor and remove the other one in case.

Everything At Your Fingertips

I found that even though I had gathered my favorite tools, taken copious notes from the labs, and made a quick lookup of commands, ideas, and syntaxes, I still felt like I was hunting around for bits and pieces during the exam. Without my preparation I would have struggled even more, so I'm glad I put the effort in even if there was room for further improvement.

“If I only had an hour to chop down a tree, I would spend the first 45 minutes sharpening my axe.” – Abraham Lincoln.

Go Wide or Go Deep?

At the beginning of the exam I was trying to optimize my use of time by starting scans for all the machines and identifying what I thought would be their first footholds simultaneously. While I do think parallel scanning is worth it, once you get an idea on a machine, it's probably best to concentrate on it for a while rather than time-slicing among a number of targets. After realizing that I was thrashing my own thought process too much, I settled in on one target that would be an inroad to others. Another reason I chose to focus on that one machine was that it concerned a topic I felt could be my most challenging to overcome. Success on this machine snowballed and led to some good progress. This, in turn, calmed my fears that were creeping in about really floundering.

YMMV, so do what feels best for you, but at least consider focusing. It takes deep work.

“Less mental clutter means more mental resources available for deep thinking.” ― Cal Newport, Deep Work: Rules for Focused Success in a Distracted World

Wrapping Up

Exam and Lab Report Submission

I want to specifically call out a big mistake I made in submitting my materials after the test was over.

  1. Missed submitting one Local Proof
  2. Waited too long after the test was over to write the Exam Report
  3. Did not include the Lab Report in the same archive as the Exam Report

Local Proof

The most important thing proving you have accomplished the goals of the exam is to submit the proofs and also include the what, how, and proof in the Exam Report. Some of the proofs are called "Local" and are just part of fully taking over a target. Other proofs prove you completely control it. You really need to submit both, if applicable. It turns out that I had gotten one local proof and did not submit it via the dashboard before VPN access was ended.

Writing the Exam Report

I needed a break after my ordeal, and felt like I had taken sufficient notes and screenshots during the test to just write up the Exam Report quickly with no real effort. I left it until the following evening and then had to stay up late finishing it by the deadline. I put in a good effort here because I wanted to make sure I could get credit for as many points as I could. My guess at my score meant I couldn't afford to not get any of the points I had earned.

I think this contributed to my next giant mistake: I did not archive the Lab Report along with the Exam Report. For whatever reason, my blurry vision and foggy mind did not read the instructions correctly and thought they got submitted via the same web portal, but as separate archives. Once I submitted the Exam Report, it was all over and I could not amend it. I went back and re-read the materials and realized my mistake. That lab report was a lot of work, and I didn't get any credit for it. It was still worth it for the reasons I listed above, but what a disappointment.

The End of the Beginning

After it was all over, after I realized I would not get credit for my Lab Report, and based on what I guessed I would score on the machines I did submit, I felt like I was not going to pass unless I got every point for what I did submit. Lo and behold, I got an email 2 days later (Offensive Security says it can be up to 10 days to get results) with the extremely relieving news that I had passed!

Final Thoughts

As you might have guessed by the title of this blog post, "OSCP - Round 1", I planned to write something and made a draft assuming I had failed. Thankfully in the meantime I've gotten the good news and won't be taking the exam again. I've gotten some questions from friends and colleagues since then:

At the moment I am not "doing" anything with it. I am still employed as a software engineer at Twitter, and penetration testing is not part of my responsibilities. I think it's helpful to know more about different areas of expertise, and it's definitely worth it to pursue interests and education for yourself if it sparks something in you. That's what I did with this course, and it couldn't hurt if in the future I want to go further.

Nothing is next yet. I need a break after 6 months of pretty single-minded focus on this, often through the night when it wouldn't interfere with work or family. There are other security topics I am very interested in, and other certifications I might pursue, but for the time being I am taking a well-earned break from studying and pursuit.