Hola, hacker world! Hope you all are doing fine in these tough COVID times.
Ohkay so, I have been waiting for 723 long days to finally be able to write this blog. MY OSCP JOURNEY. I can't promise this to be the best one you will find out there, but I do assure you one thing: it's unique and almost anyone can relate to it. OSCP (Offensive Security Certified Professional) is a dream of every guy who enters this amazing (probably the BEST 😉) field of cybersecurity. The main purpose of writing this blog is not only to share my experience but also to throw some light on common problems that are faced by almost anyone but are not talked about. Hope this blog is helpful for you, here it goes….
I am Charchit Verma, an engineering student in his final year of college. I am a 20 yr old student (at the time of writing this blog), a nerd, a techie, and most importantly, a cybersecurity enthusiast 😌 with big bold dreams of thriving in this field. Enough intro, let's jump in!!
What is OSCP? (Offensive Security Certified Professional)
It's a 24 hr rigorous test which is proctored the whole time. In this time frame, you have to compromise 5 vulnerable virtual machines, with proper methodology. It's a completely hands-on practical exam. The next 24 hours are given to prepare a detailed report of what you did. To pass the exam, you need to score a minimum of 70 marks out of 100. The marks distribution among the machines is: 25 + 25 + 20 + 20 + 10 (= 100).
Now that you have an idea about what OSCP is, let's get into it. Shall we?!
My encounter with this beast!
My exam was to begin at 6:30 AM, so I got up at 5:00. Freshened up, took a bath, prepared some coffee, then connected to their VPN and went through the ID verification. It all ended by 7:00, and then the exam began.
Started with the 25 points buffer overflow machine, did it in 1.5 hrs, and then immediately moved to the 10 points machine, which seemed pretty straightforward, so it took only almost an hour to finish. I was 2.5 hrs into the exam and I had 35 points (25+10). This got me a little carried away, and I relaxed, which I should not have done.
Then I got back and started doing the other 25 pts machine, spent 4–5 hrs on it, and got its initial shell. Then at around 1:30 PM, I took another break, had some coffee (yes, again 😅) and Maggi, and then started the 20 pts machine.
Spent 5–6 hrs on it, and completed it. Now it was around 12 hrs into the exam, I had 55 pts and needed 15 more to pass. Although I was tired, giving up was never an option. So with this spirit I sat back on the 25 pts again, spent a couple of hrs on it, and literally cried from the inside 😢 because I was already a zombie 👻 by this time and I was getting nowhere in it 😫.
Then, with all the confidence destroyed and zero hope of passing, I came out all broke, had some coffee 😅 and then again continued on that one. At this point, around 11:00 PM (15 hrs into the exam), I could not think straight and was in no condition to start the new 20 pts machine, so I continued on the 25 pts only. And at 2:15 AM, I finally hit the jackpot, and completed that 25 pts pain in the ass.
Now I had 80 pts, and I was already too exhausted to even stay still. I dared to give some time to the last 20 pts machine, but like I said, you cannot think straight or produce new ideas when you are already all fried up both mentally and physically, so I left that one with no success. Then I spent the next 3 hrs taking the screenshots for the report. And finally, with 40–50 mins left for my exam time to finish, I was done with all the necessary screenshots.
Slept for around 2–3 hours and then the next day prepared the report and mailed it to Offsec.
This was my experience in a nutshell. Damn, it was one hell of a roller coaster ride. It's no joke. Now there are some realisations and conclusions to draw.
Let's have a look at those:
OSCP is tough. The first thing you need to be very well aware of. It requires hours and hours of grinding on your craft, and even that can’t ensure that you will pass the exam. It is so damn unpredictable. No matter how many boxes you have done on vulnhub or hack the box, you can never be sure of what's gonna appear in the exam. So don’t get carried away too much based on what you have done so far before the exam. Expect the unexpected.
You are never ready until you are. Before taking the exam, I did almost 163 machines inclusive of vulnhub + hack the box + PWK labs. This number seemed pretty considerable to me, but still I was very nervous to sit for the exam. This was the case with me, and I can say this happens with a lot of OSCP wannabes out there. So don’t think too much before taking both the lab and the exam. Follow your instinct and go for it.
You will never know your limits until you cross them. It is very well said that our only limitations are those set by ourselves in our mind. It seemed pretty daunting to me, the idea of being awake for 24 hours, thinking about ideas and solutions to break into the system and handling the mental pressure the whole time. By the end of the 15–16th hour, I was 15 points away from passing and I was already a zombie (😫) and I could not think straight, but my resilience got the better of my tiredness, and if you are determined enough to get it done, then you are likely to do things even you never expected you would do. (😉)
Learn to be patient even when things are not working out for you and everything seems to be failing. You are most likely to feel at some point that you have tried all that you knew and nothing worked. You will begin to doubt yourself and will find yourself in a pothole so deep and dark that it would seem impossible to come out of it. Yes, that was me at the 17th hour into the exam. (😓) When you hit this point, take a break, come out for 10 minutes (yes, it would sound crazy to take a break of 10 minutes when you are already running out of time, but this works!), have some coffee and get back in the game. Chances are you have overlooked the possible solution, so you are likely to get it this time.
You are going to run out of ideas before you run out of time. This is so true. 24 hours is sufficient time for you to break into the systems, but OSCP is a big mental game, so you should know how to handle pressure. I don't hesitate to say that I was not so good at it, but this exam taught me that as well.
Is it right to refer to the walkthrough of a machine when you think you have tried everything you knew but you don't seem to be getting anywhere?!
The short answer to this question is Yes and No. Now this question is very very important to talk about, because this strikes everybody’s mind but no one seems to talk about it. There is a way of looking at a walkthrough. Keep these points in mind whenever you refer to any walkthrough:
- scroll down to the exact point where you are stuck and stop right there
- now that you have already seen what needs to be done, reverse the steps and figure out how you could have come to this solution, how you could have figured it out by yourself, what you could have searched on google so that eventually you would have landed on this solution
- now that you have figured out the steps to get to that solution, write them in your notes and try them on every machine you try from that point on! This is important.
- watch walkthroughs only for learning purposes, not just for the sake of completing the machine.
You don’t need to feel guilty (like I used to do 😅) for watching a walkthrough after you have spent 5–6 hours on that machine already. We are all here to learn, right? One way to fight the habit of jumping right to the solution is to pick up another machine and start doing it. And when you are stuck on that one too for quite long, then come back to the previous one; this time you are likely (but not necessarily) to find the solution, as you will have a different perspective. This way you will be able to do multiple boxes, and that too without referring to solutions.
Try not to get too carried away when you score points in the exam. I had 35 points when I was only 2.5 hrs into the exam, this got into my head a bit, and I was relaxed. That was a big blunder I made. Stay calm, no matter whether you are scoring points or not, as you never know what the exam has got for you. Anything can happen, like seriously anything!!!
Relation between PWK lab and exam. The lab machines are no match for the exam. The exam is way more complicated and unpredictable than the lab machines. I did 63 out of 65 machines in my lab time, that too before my lab was over (27 days, I guess), so the exam should have been easy for me, but it was nowhere near easy. The same goes for the number of machines you did on vulnhub and hack the box. You can do 100+ boxes and still fail, and you can do only 40–50 boxes and still pass!
It takes time! Digest this truth no matter how. It is a long journey indeed; if you are new to this field and are planning to go for OSCP, then it would take time. There are a lot of things that you will get to learn and it takes time to absorb all that in. It took me almost 1.5 yrs (due to the COVID-19 outbreak) to finally be able to even think of taking the exam. So don't get misguided by those who say it just took 8–6 months, NO! Those who say this already have some experience in this field, so don't think little of yourself if you think you are taking longer than people out there. Better to take a longer time than to rush into things, it gets messy. It's OK, even you don't know your potential! 😉
Takeaways and resources:
It would be unfair to say that OSCP is just a month-long journey, NO! It's a long long journey, and the journey is often more beautiful than the destination, hence proved by this exam. I lost a lot of sanity on my way to OSCP, pulled my hair out, banged my head against the wall, cried, laughed, and got frustrated countless times, that’s how I got here! & I am proud of it! At times like these, talk to your loved ones; in my case I had my parents, my big brother (coach carter), my mentor (of course he was there) and my friends (can’t thank you guys enough). I am so grateful to have all these people (😊); if it were not for them, I would not have made it this far. Then after this much, comes the day when I receive this:
Feeling on top of the world! 😌
OSCP is just the beginning, a lot more achievements to go after, and a long road ahead! Stay safe and keep smiling!
HAPPY HACKING FELLAS!!