How I Passed OSCP and OSWP in 2022

Hi all! My name is Andrey and I would like to share my experience of taking the Offensive Security Certified Professional (OSCP) at the end of 2022. There are already several reports on OSCP on Habré, for example, one, two, three.

Recently, though, the course has undergone many changes, so my experience may be useful to someone.

Part 0. My background

I have been living and working in Germany since 2013. After university I got a job as a programmer in a small company that provides services, including in the field of information security. Since in Russia, before moving to Germany, my studies and work were related to information security, and this was more interesting to me than pure programming, I wanted to develop in this direction. My immediate supervisor periodically did small pentests (mostly of web applications) and I started to get involved in this topic with him. And when my German reached a level that was comfortable for work, I realized that I wanted to switch to pentesting completely. In 2020, I decided to see what certificates exist in the field of pentesting. I found the two most famous at that time: CEHv11 from EC-Council and OSCP itself.

I decided to start with CEHv11, and it was an absolute waste of time. Everything technical in the materials I more or less already knew. I had to memorize all the theoretical and legal nonsense, and overall I learned practically nothing new. The exam was 4 hours long and consisted of over 100 questions (sometimes vaguely worded).

In fairness, it is worth saying that a couple of years ago CEH Practical appeared, which consists of practical tasks. I haven’t tried it, so I can’t say.

After that, I began to look towards OSCP, and when Offensive Security introduced a one-year subscription (Learn One), I asked my boss without hesitation to pay for this training. It cost $2000 then; now it costs $2500. You can also buy three-month access to the labs for $1600, but Learn One has other advantages besides time, namely:

  • access to Proving Grounds Practice is included (it costs 200 per year separately, more on that later)

  • two attempts of the selected exam (in my case OSCP) instead of one

  • access to the materials and an exam attempt for OSWP (Offensive Security Wireless Professional, PEN-210) and KLCP (Kali Linux Certified Professional, PEN-103)

Access for a year instead of three months was important for me – it was 2021, and there was enough stress without an exam (corona, working from home, no kindergarten for two small children, workload …)

After payment and registration, a little more than a week passed and I got access to all the materials on the portal.

Part 1. Preparation

Once I had access to the portal, I installed Kali Linux in VirtualBox on my work laptop and started preparing. I had heard about the volume of material and tasks, but I had a whole year! On the portal you can read the material, do the exercises and train online (labs). The material can be read online; it is divided into chapters and well structured. You can also generate a PDF and download it. Here you can see the table of contents of the current version. In 2022, you could get 10 bonus points by writing a report on:

I thought it would be much more pleasant to start the exam with 10 points than with 0, so I decided to write this report. There were definitely benefits to writing it, but not commensurate with the time spent. My report ran to 200+ pages, and the closer it came to completion, the more I hated it and MS Word combined (yes, I know about LaTeX, but I thought it would all be easier: just paste in your screenshots). By the way, this system has been abolished and now you can get bonus points by completing 80% of the online exercises on the portal and hacking 30 machines on the lab network. A much fairer and simpler rule 🙂 More here.

The material itself was adequate and useful, though not 100 percent up to date. But in my opinion, and according to the experience of more experienced colleagues, it is worth running through it in any case, even with pentest experience.

On the lab network you can find about 70 virtual machines of various levels of complexity. Some depend on each other (by hacking one, you can get useful information about another). Initially the student has access to one network; 3 more networks become available after hacking certain virtual machines and setting up access through them. I rooted about 30 machines, partly by myself, partly with help from the community. By the way, about the community. There are two official sources: Discord and the forum. Both other students and mentors can help there. I also wrote there a couple of times when I got completely stuck. But I used it more as a passive source of help – most people get stuck in the same places, and it was enough just to look. Among unofficial sources there is Reddit, where would we be without it. The virtual machines are definitely useful as exam preparation, especially for people without practical experience. The main thing is not to get stuck for a week, but either postpone the machine until later or look for hints. But for me personally, they alone would not have been enough to pass the exam.

Of the minuses:

  • Virtual machines were shared by all students, so students could interfere with each other, for example someone constantly resetting a VM while you were unsuccessfully trying to get a shell. As far as I know, this has now changed and students have dedicated virtual machines.

  • most of them are outdated (both the OS itself and the ways to get root)

  • due to the dependencies, it is not always clear whether to dig deeper or dig elsewhere.

Among last year’s changes, the exam no longer has 5 separate machines with a mandatory Buffer Overflow, but three machines plus a domain consisting of three machines (a Buffer Overflow may be among them, but it is not required). For training with Active Directory, there are two domains in the training network. In my opinion, the exam only got better and probably more difficult because of this. A Windows domain can be found in almost any company during a pentest, whereas Buffer Overflow is no longer so relevant, and its exploitation on the exam was standardized and considered an easy 10 points.

The third training opportunity is Proving Grounds Practice. These are also virtual machines available via VPN, but much more modern, complex and diverse. A definite plus is that each has three hints and an official guide (albeit with a daily limit on opening guides for machines you haven’t yet compromised). A little more than 100 virtual machines are available, both Windows and Linux. The network is flat, without dependencies. The difficulty of the machines varies, and the real difficulty does not always coincide with the Offensive Security classification. Luckily, there is a Community Rating that reflects reality much more accurately. Many machines are similar to the exam ones. To choose which ones, I was guided by the popular table from NetSec Focus with a list of virtual machines. In my experience, the exam machines were between Intermediate and Hard in the community rating.

By the way, there is also Proving Grounds Play. Free access for 3 hours a day, simpler machines and Linux only. But as additional training (or preliminary training before the start of the course) it is more than OK.

Of other platforms, I used HackTheBox, but only by reading write-ups of the machines from the list above or watching IppSec’s videos on YouTube (they are very useful both in terms of tools and in terms of general approach).

Part 2. Passing the exam

It is advisable to book the exam time at least a couple of weeks in advance (and even earlier is better) in order to get the desired slot. Weekends usually sell out quickly. I chose a Saturday at the end of November at 8 am. I had access to the portal until the end of December, at least 4 weeks must pass between attempts, and I wanted to have a fallback in the form of a second attempt. On the site you can read the hardware and software requirements and even ask for a test session. I decided to take the exam from my work laptop and asked support whether it was possible to do so from a non-administrator account. The answer was “not desirable, but possible.” There was nowhere to put my children and wife for 24 hours, and I didn’t have a separate office, so I set up a temporary workplace in the basement. The workplace looked pretty epic:

Workplace for 24 hours in the basement

During the exam, the camera was on the whole time and the screen was recorded. Once I had a problem with Windows and had to restart the laptop. Once there was a problem with an exam machine; I wrote to support, they checked the machine and did a reset, and it was OK. Otherwise, every couple of hours I paused to eat, take a walk, relax. The exam has 3 separate virtual machines (10 points for a shell, another 10 for root) and an Active Directory domain consisting of 3 machines (40 points for the entire domain, no partial points). You need 70 points to pass. 2 hours after the start, I got the first root (20 points), another hour later the second shell (+10 points), and got stuck for a while on root. I decided to try the third virtual machine; at first glance I did not see any obvious ways in, and after a lunch break I switched to the domain. About 5 hours later I took the domain controller. In total, I had 20 + 10 + 40 + 10 (bonus for the report) = 80, and I decided first of all to lock in these 80 rather than chase 100. I started writing the report and finished it by midnight, and I decided to end it there. I uploaded the report and went to bed. Theoretically, 24 hours are allotted for the exam and then another 24 hours for the report. But I didn’t want to stretch it out, so I decided to finish it off in one go.

After 2 days, the answer came with the cherished

Part 4. (Bonus) Passing OSWP

If you buy a Learn One subscription, as a bonus you get access to the Offensive Security Wireless Professional materials. I had a month of portal access left and decided to try it anyway. After running through the fairly easy material for a couple of days, without doing the exercises, I passed the 4-hour exam. The exam gives you SSH access to a machine with WLAN, so of course no equipment is needed locally. There are three scenarios; to pass you need to complete 2 of them. Everything on the exam was as in the materials – nothing more is needed to prepare. And after OSCP this is a very easy exam 🙂 For practical use the value is doubtful, but for broadening one’s horizons it’s OK, especially when they give it for free.

Part 5. And now what?

During the preparation, I definitely upgraded my skills, built a methodology and a collection of good online sources. After the exam, my self-confidence grew and the impostor syndrome let go a little. People started writing to me more on LinkedIn with job offers. In general, it is a marker that a person knows a bit about pentesting and you can talk to them. Of course, having OSCP does not guarantee that a person will be a good pentester, just as not having it does not mean that a person is a bad pentester. The exam has been criticized for being artificial and for the pressure of the 24-hour limit. For me, it was a test of myself, but I did not bet everything on passing. I know cool specialists who did not pass the first time. An exam is an exam. But in any case, it was interesting to be part of this community with the motto Try Harder for a while. As it turned out, this is a whole subculture with its own slang and even its own song. Well, I’ll probably go read the material on OSWE with its 48-hour exam …
