In this post I want to document how I finally achieved OSCP certification. My journey started in November 2016, finally achieving a pass on my 3rd attempt in May 2018. Like others who have attempted to gain the OSCP, the road was bumpy and life often got in the way, and the usual excuses of having no time or financial resources to complete were often spoken.
OSCP is great at exposing any weaknesses. Having failed my 1st attempt (which I blogged about here: https://chris-young.net/2017/04/25/oscp-fail-try-harder/), I soon realised where I needed to up my game. Soon enough the 2nd attempt came around and I failed that too; again it exposed my weaknesses. I thought to myself, why do I keep failing? I had utilised my lab time to the best of my ability, I knew my areas of weakness and worked on these, I had read and studied and used resources to do further practice, still I felt that there was something holding me back, but what it was, I couldn't quite put my finger on.
Time to reflect
Three things changed in the weeks leading up to my third attempt that completely changed my mindset.
Firstly, whilst at BSides Scotland, I attended a fantastic talk which really resonated with me. Phill Kimpton talked about his experiences with failure and why we shouldn’t be afraid to fail and discussed how to create opportunity and most importantly, how negative thoughts hinder our success. It was a fantastic talk (watch it here), and afterwards I took the opportunity to chat with Phill who offered me some great advice. The closing keynote from Dr Jessica Barker about the importance of being earnest and optimistic struck another chord with me.
On my train journey home, I thought about everything I had listened to throughout the day, and as a result, I felt an uplifting experience in which a space cleared in my mind. The next morning, I woke up with a completely different mindset, and a massive feeling of optimism.
Secondly, a friend gave me a cheeky sticker to wish me good luck for my 3rd attempt, a TRYHARDER sticker from Offensive Security. As soon as I got home from BSides, I stuck it on the top of my monitors to serve as a reminder. Cheers Paul!!
The final piece of the puzzle was the completion of a personal project I had been working on since November 2015. A car that I had been restoring and working on was finally able to leave my garage for its first drive.
At times it felt like this project was never going to be finished, yet here it was, sitting in the sunshine ready to drive, and I thought to myself, surely if I can accomplish this, then I can accomplish my OSCP.
In the week leading up to the exam, I practised some of the skills I felt I was lacking in, read my OSCP guide and generally tried to brush up my techniques. On the actual day of the exam, I woke up feeling calm and relaxed, which is something I hadn't experienced during my two previous attempts. Then before the actual exam started, I did a 5k run to help me focus my mind. During my run, I pushed myself hard to remind me what was possible with a little bit of determination and hard work.
Visualise the win
At 11am, the email from Offsec arrived and I began the exam.
Unlike my previous attempts, I decided to work in a methodical manner and above all, I tried not to get flustered and remained calm. Having seen endless screenshots of people celebrating passing the exam, I continually visualised the email with my name on it, pushed on by the tryharder sticker on top of my monitors.
Hints and tips
Create yourself a template report that you can use as you work on each machine. I didn't use KeepNote; instead I just used Sublime Text alongside my report template to keep note of the commands and tools I used. I took regular screenshots as per Offsec's guidelines, and made sure that all my work was being backed up to an external drive as I went along.
In previous attempts I had scheduled the exam to start earlier, however 11am worked better. I worked away for two hours, had some lunch and a break, then worked through until dinner time in the evening. Eventually I ended up in bed at about 2am on the Saturday morning, had a few hours' sleep then returned to my computer at 5am. This meant I still had nearly 6 hours to double check my findings and recapture any screenshots that I thought I might need. I started adding more information to my report as I went along, pretty much repeating the machines so as to ensure my notes were as complete as possible.
In regards to the actual report itself, use the template provided by Offsec or create your own in a similar style. Work whichever way suits your style of writing. Having previously written a few reports, I preferred using my own. If you do this, just ensure you do it prior to starting the exam; there is no point in wasting time trying to format and style when you're actually using exam time. In regards to length, I was just over 50 pages, which included an appendix, some additional images and a note of my final scan outputs. I felt I struck a fine balance between text and images.
Summing it all up
Studying for OSCP requires determination and hard work, there are no two ways about it. It will test your keyboard skills as well as your mental ability, it frustrates you at times and yet it can be accomplished by truly being determined. As you have already read, for me, it was all about overcoming my own fears and negativity, believing I could achieve what I wanted. Getting my head into the correct mindset helped me to succeed and get the certification.
Do I feel like some super 1337 hacker now? Definitely not. Like any skill learnt, it has to be put into practice and used on a daily basis, and I know that there is still a whole variety of skills that I need to learn, however having now completed the OSCP, I am up for the challenge.
Thanks for reading.