September 29, 2023

My OSCP (2020) Exam Writeup

The OSCP is a course and exam with Offensive Security that is widely recognised as a gruelling test of your abilities as a pentester. The objectives are to hack into and gain system access on five lab machines throughout 24hours, and then to submit a written report the next day.

When I first heard of this exam, I knew that I wanted to do it. The only way to complete this is to develop a sound methodology to even approach the exam with any semblance of confidence. You need to know networking fundamentals, python/bash/PowerShell scripting, a bit of shellcode/c, windows & Linux privesc and the rest seems like a list as long as your arm. Take a look at the course syllabus to check it out. I had so much fun going through the course and would really recommend it.

I went through all the lab exercises and wrote most of them up, apart from the real time-consuming ones. I took notes and saved them into my Gitbook. I spent a lot of time on the lab machines, developing my methodology and process. One thing I will recommend is not to just go for a kernel exploit to get root access on these machines. The learning is in the privilege escalation technique, not just uploading the .c or .exe and compiling it to get root/system access. The lab machines don’t count towards your final exam grading, so it doesn’t matter if you hack 5, 20 or all of them. You do want to have exposure to as many different techniques as possible though.

I booked my exam for a Saturday, so I decided to take a week off work before the exam to focus on the last days of lab time and to practice privilege escalation in the Windows (The Cyber Mentor) and Linux (Tib3r1us) labs on TryHackMe. I took a day off on the Friday from anything laptop/computer related to give my brain a rest.

I saved all my notes into a personal Gitbook, and my OSCP and Exam notes were saved into CherryTree.

I started my exam at 10 am and kicked off my automated scans and then immediately set to work on one of the machines using my notes from similar machines such as the OSCP guide machine or on Vulnhub etc. I was able to complete it at noon which gave me 25 points in the bag and a bit of breathing space to have lunch.

After lunch, I reviewed the results of the scans and started looking at each of the machines and reviewing the ports and making notes of versions and googling for anything that might stand out as an exploit, and then doing a bit of poking around.

I didn’t manage to get user shell on a machine until 19:30, so there were 7 hours of poking around and thinking that the exam was tougher than I thought it would be. I didn’t count for the mental aspect of the exam – some doubts start to set in, and you must work against these too. After dinner and a break, I managed to privilege escalate that to put me on 45 points total. This was a much-needed boost.

After another 2 hours of enumerating, I decided I was running on fumes and called it a night around 1 am. I set my alarm for 4 am, so I got a bit of sleep and then started again. I gained user access on the second machine shortly after 5 am, then I got root on the 10pt machine at 6 am, which meant I was on 65 points. This was a great boost for me to throw everything at the privesc for the 2nd machine. I managed to escalate and by my reckoning, I was on 75 points.

The final machine, I could not see a way in after all this time, so I decided to call it an end as I was brain tired and was mindful that I had a report to write the next day. I slept from 9 am to 3 pm and then had a light meal and coffee and started on my report. It ended up being about 65 pages, with 4500 words written. I found it helpful that I had used Cherrytree to save all the snapshots I had taken of each of my steps taken.

I submitted the report at 19:30 according to the exam guidelines and felt anxious if I had submitted it in the right format, whether it was correct according to the exam guidelines and hoped the marker was able to open it using the expected password. I realised this was outside my control so all I could do was wait. This was torturous! After 8 days, I had confirmation that I had passed the OSCP. Looking back, I spent a lot of time doubting myself and what I was doing, but I knew from the labs that my methodology was sound and that I just had to trust the process! Try harder!


I had the best results after my sleep so taking a break to sleep, even if it is just for a few hours, will help massively. When I woke up, I was looking at the final machines with a fresh set of eyes and I had new ideas and new things to try and it just all seemed to fall into place.

This whole process has been an intense journey. It has helped take my mind off the whole COVID 19 situation, and I used the lockdown as a good opportunity to get on with this study. I will take some time off now to give myself a break for a bit and to sort out the odd jobs around my house!

I might try for the Advanced Web Attacks and Exploitation course in the next year or two but for now, my brain needs R&R time 😀

I hope this helps you on your exam journey – the biggest breakthroughs may not come until the very end so do not give up. Tell the voice in your head to shut up. Take breaks.

Good luck.