Taking the OSCP Exam: A Postmortem
Intro#
Hello all! It’s been a minute since I last posted, but I’d like to announce that I very recently took and passed the OSCP exam on my first attempt! In this article, I’d like to discuss my exam experience (without disclosing any details of the actual exam, mind you) and my tips and recommendations for people preparing to take the exam.
My Exam Experience#
Overall, I found the OSCP to be challenging without feeling prohibitively difficult, which is an impressive balancing act to sustain over the course of several boxes.
I started with the Active Directory set, as Active Directory compromise is very much my strong suit, and was able to obtain all of the flags relatively quickly. I then moved onto the standalone boxes and ended up struggling a bit more there, which was more or less what I expected.
There was only one box that I was well and truly stuck on for an extended period of time, which I ended up finishing in the morning, a couple of hours before the end of the exam. This is where the open-note nature of the test really came in handy: I was only able to get past the part I was stuck on by doing enough research to turn up something relevant. I was briefly stuck on the other standalone boxes too, but managed to push past it and fully compromise those boxes as well. All in all, I managed to get 100% of the flags on all boxes.
During all of this I was also taking live, stream-of-consciousness notes in Obsidian, copying down the relevant commands I was running and their output and taking screenshots of major steps in addition to the text content. I typically do the same whenever I’m working on a CTF or writeup so I can reference my thought process and commands later, but in this case I made sure to be extra thorough. These notes became the rough draft of my report, as I polished the thought fragments into a fully realized narrative with a cohesive structure. I finished my report after a couple of hours of writing and submitted it to OffSec, and received my exam results and certification a couple of hours later.
Tips and Recommendations#
- As I mentioned, I have the habit of taking notes whenever I do a CTF box, network, etc., which came in handy since I was able to quickly search my vault for keywords and phrases to see what I’d done before.
- In addition, I recommend taking notes ahead of time for different services, types of attacks, and tools, and adding to them every time you learn something new. I find it very useful to be able to check what tools I have in my toolbox at any given moment: what can I do with read-only access to SMB? What can I do with SQL injection? Et cetera.
- With regard to tools specifically, many docs and wikis for popular pentesting tools are written in Markdown or are otherwise copiable as Markdown, which already works well if you’re using an Obsidian vault. This saves you the trouble of going to the tool’s wiki every time you want to look something up. Hardly necessary, but a nice convenience to have.
- To elaborate on note-taking for the report: record the commands and screenshots for everything you do, even failed approaches! You can clean it up into a cohesive narrative for the report later, but you definitely don’t want to miss any important steps.
- In terms of study material and exam prep: I had followed along with a lot of the guides for recommended boxes before actually taking the PEN-200 course. You don’t have to take PEN-200 to sit the exam, but I found the Challenge Labs to be a much better source of exam prep than the recommended boxes alone (though I do recommend doing at least some of them as well). The HackTheBox Pro Labs may be more comparable, since those are multi-machine networks rather than single boxes (practicing AD exploitation where you start right on the DC is significantly different from traversing the network to reach the DC), but I wasn’t willing to shell out that much cash to find out, at least for now.
- If you’re not going to take the PEN-200 course (and even if you do), there’s something important I should emphasize that I haven’t really seen discussed. The vast majority of recommended practice boxes are from HackTheBox, and while I love HackTheBox, there’s a fairly significant difference between HTB and OffSec:
  HTB’s puzzle-box design philosophy means you’re almost never going to encounter 'low-hanging fruit' solutions (brute-forcing logins, kernel exploits, etc.); the solution is typically something more roundabout. Those kinds of solutions are explicitly on the table for the OSCP and the Challenge Labs!
  I couldn’t tell you how many times I got stuck in a Challenge Lab, looked for help in the OffSec Discord, and metaphorically facepalmed because I’d totally forgotten I could just… do that. Definitely keep that in mind while doing the Challenge Labs and the exam.
- Lastly, read and remember the requirements carefully! In particular, you’ll want to get not only the flag, but the hostname and IP address in each screenshot as well. I screwed up a couple of these by only grabbing the flag, and though it wasn’t enough lost points to cause me to fail, it was an easily avoided dumb mistake on my part.
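The easiest way not to miss the hostname and IP address in a proof screenshot is to print them together with the flag in a single terminal view. The snippet below is an added example for this post, not anything from the author or from OffSec: it is a hypothetical POSIX-shell helper for a Linux target that prints the hostname, the interface addresses and the contents of the flag file given as its argument, and it sanity-checks that the flag looks like a 32-character hex string (that format is an assumption made here purely for the check; adjust it if your lab uses something else). On a Windows target the equivalent is running `hostname`, `ipconfig` and `type proof.txt` in the same console before taking the screenshot.

```shell
#!/bin/sh
# Added example (not the original post's code): print hostname, addresses and
# the flag in one go so a single screenshot shows everything the report needs.
# Assumes a Linux target with `ip` or `ifconfig` available; falls back gracefully.

# Return 0 if the string looks like a 32-character hex flag, 1 otherwise.
# The 32-hex-character format is an assumption used only for this sanity check.
looks_like_flag() {
    printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{32}$'
}

# Print hostname, interface addresses and the flag read from the file in $1.
# Exit status: 0 if the file was readable and the flag passed the format check,
# 1 otherwise (the banner is still printed so the evidence is not lost).
proof_banner() {
    file="$1"
    if [ ! -r "$file" ]; then
        echo "cannot read $file" >&2
        return 1
    fi
    # Strip trailing newline/whitespace so the check matches the bare flag.
    flag=$(tr -d '[:space:]' < "$file")

    echo "=== hostname ==="
    hostname 2>/dev/null || uname -n
    echo "=== addresses ==="
    ip addr 2>/dev/null || ifconfig 2>/dev/null || echo "(no ip/ifconfig available)"
    echo "=== $file ==="
    echo "$flag"

    if looks_like_flag "$flag"; then
        echo "flag format: ok"
        return 0
    fi
    echo "flag format: unexpected, double-check the file" >&2
    return 1
}

# Typical use on a compromised host (path is the usual OSCP location):
#   proof_banner /root/proof.txt
```

Run it once per flag and take the screenshot of that output; the format check only guards against the classic mistake of screenshotting an empty or half-read file.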
Afterword#
Since getting the OSCP was a major milestone in my offensive security career, I’m not quite sure what my next step is going to be yet. I’m definitely going to take some time to rest and recover, but eventually I’d like to get back to having some kind of goal to pursue. I’ll probably start looking around to find some kind of personal pet project in 2026 - I just haven’t found anything that’s really hooked me enough to look into it deeply yet. I’ll most certainly eventually get back to doing HTB writeups, though, so please look forward to that!
Bye for now!
Missingquery :)