My journey passing the OSCP+ exam first attempt

Written by: Mohammad Al-Adwan - Jan 9, 2025

As the title suggests, I have passed my OSCP+ in December of 2024 from the first attempt, and this post is to outline my journey from start to finish so buckle up!

TLDR

Enumerate thoroughly and exploit simply

Overall, I believe the knowledge gained from Hackthebox’s CPTS path, and other certificates like CRTP/CRTE from Altered Security is much more in-depth, professionally suiting and super effectively priced. As much as I disliked preparing for the exam, I dislike the price point of the OSCP more. I believe the only reason you should get it is for bypassing the HR filter and the reputation it holds. Best case scenario is to get sponsored by your employer if possible.

I recommend gathering as much knowledge in all Infosec domains as possible, and learning network penetration testing from other sources, hopefully landing a job to fund the OSCP/OSCP+.

Personal Background

I’m a penetration tester for a job, however during my day-to-day I focus on APIs and Web/Mobile applications more than network penetration testing. It made me familiar with the lifecycle, report writing and such but the technicalities of the exam had little to do with my day-to-day. My background comes from having multiple certifications in the same domain, being:

• Certified Red Team Expert (CRTE): I believe the assumed breach scenario goes well with me having this certificate before taking the OSCP/Starting prep
• Practical Network Penetration Tester (PNPT): I took this certificate in September of 2023, helped with the pivoting part and made me comfortable in Active Directory environments
• Web Application Penetration Tester eXtreme (eWPTXv2): Since the OSCP has a web portion, it has served me well being comfortable in Web application attacks I have also done way plenty of boxes on Hackthebox prior to starting my preparation, for learning purposes. I have also done the CPTS path on Hackthebox Academy, Finished more than 80% of Portswigger Academy and have a solid foundation in CTFs. This all helped me prepare as little as possible for the OSCP specifically, as my goal was not the certification itself, I took plenty of routes to learn System administration, Web development and other IT related topics, whenever I felt I had not grasped the full picture of where a specific topic falls within the IT operation scope. Do I recommend this? I’d say it depends on your goals - My goal is knowledge and not a piece of paper, and from my POV I saw the course not in-depth enough to satisfy my thirst, thus we’re here.

Exam Background

Since the latest updates which introduced the OSCP+, the format didn’t change much and the material stayed the same. If you’re unfamiliar, the OSCP exam is a 24-hour practical exam in which you have to hack 6 targets which are separated into:

• 3 Standalone targets worth 20 points each not connected to each other which have 2 flags for low privilege users and high privilege users (local.txt and root.txt), which can be a mixture of Windows and Linux based hosts.
• 3 Inter-connected machines in the form of an Active Directory set, each machine has a root.txt flag. The workstation flags are worth 10 points each and the DC is worth 20 points. (40 Points for the entire AD set)
• The OSCP+ format now allows for partial points for AD.
• The OSCP+ also follows the assumed breach scenario (Like Altered Security’s CRTP/CRTE), which means you will be given domain user credentials in your exam portal.

You still need 70 points to pass which have 4 different scenarios according to OffSec:

• 40 points AD + 3 local.txt flags (70 points)
• 40 points AD + 2 local.txt flags + 1 proof.txt flag (70 points)
• 20 points AD + 3 local.txt flags + 2 proof.txt flag (70 points)
• 10 points AD + 3 fully completed stand-alone machines (70 points)

Exam Limitations

OffSec also limits the use of auto-pwn scripts, and automated exploitation in general. This includes tools like sqlmap, Burpsuite Professional, db_autpwn..etc. Vulnerability Scanners are also disallowed, and so are AI chatbots.

I believe the above limitations are a double-edged sword, so let’s take a deeper look.

Automated exploitation tools like SQLMap are industry-standard, but I believe disallowing their use is a positive in order to assess the understanding of the concepts used by these tools - effectively attempting to stop exam-takers from taking shortcuts that will weaken their basics. So I’m with this approach

My opinion is the same for automated vulnerability scanners, even though they are heavily utilized in the industry and we use them during our day-to-day, I believe - and since this is a 200 level course in terms of OffSec levels, you need to prove that you can find and exploit basic vulnerabilities manually instead of relying on automation. But they are also disallowed for PEN-300 and WEB-300, which makes less sense since you wouldn’t attempt such certifications unless you had a great amount of experience with the field, and/or are a professional.

Regarding AI chatbots, it’s a complete miss from my POV, it makes 0 sense to disallow their use when it’s becoming more and more prominent in the industry, and will have a serious effect on it’s future.

My Exam Experience

For preparation, I didn’t really have any. I’m not saying this to brag, but based on the background I shared above, I didn’t really find any topics I didn’t deep-dive into before in the course, so I didn’t do the course labs or material. I did Zeus, Secura, Medtech, 30% of Relia, OSCP A-B-C and around 30 machines over the course of a month from PG Practice. I had already done TJNull’s list in 2023 as part of the PNPT prep. For OSCP, I used Lainkusanagi’s OSCP-Like Machines; the PG Practice portion specifically, but I did some HTB machines aswell.

As you know - I can’t share much regarding the exam itself, but it wasn’t anything that you didn’t see before, and it closely follows the methodology of the PG Practice machines, so give those priority. What the exam challenges is not your technical skill, but your ability to manage time and effort, and not get stuck in rabbit holes (or dig yourself deeper into one). Be confident (through your diligent preparation) and keep thinking about the bigger picture and entire attack surface.

The day before the exam you should relax, and sleep well, and minimize time on your device after making sure your connection is working well, your VM is ready and you have a backup snapshot, and you make your setup ready for the proctoring.

Exam Day

My exam was booked for 1PM, I was out and about during the morning to take the nerves off, and connected to the proctoring session at roughly 12:50PM, which then took around 15-20 minutes to conclude and get access to the VPN. I finished the Active Directory set within the first hour, took a long lunch break and then came back to finish the remaining machines. My exam took around 9-10 hours total, around 4 hours of those were breaks. I concluded the first day around 12 AM, and spent a few hours gaming, then went to sleep. I woke up the next day with around 4 hours to spare, made sure I took all the proper screenshots the day before, and then re-ran the scenarios again to take more-than-necessary screenshots.

The exam feels quite long, and takes up a whole day in your mind regardless of if you finish it early or not, but I found the best strategy to pass is to keep-on with your routine as usual (My routine consists of ungodly amount of hours spent studying so it might be easier to say than do for me), and this is regarding any practical exam in any field, not just OSCP or CyberSec exams.

The key takeaway is:

The exam is made to assess all aspects of your methodology not just your technical skill. Your time management and mindset management skills are as essential, and might be more important in real life engagements.

Tips and Tricks

Below I will share what worked for me, and hopefully works for you!

• Develop a note-taking methodology: I use Obsidian for taking notes, I like taking visual and colorful notes, so it’s the best for me, especially for Canvas. You should also look into mindmapping, it will make your methodology easier to follow and visualize.
• Take LOTS of breaks: The 24 hours you have for the exam are more than enough, OffSec wants you to understand how breaks and fresh-eyes are crucial parts for your success as a Penetration Tester/Security Researcher.
• Utilize PG Practice: PG Practice is way better than Hackthebox for preparing for the OSCP, Lainkusanagi’s List is priceless in this regard, take deep notes and update your methodology according to the scenarios you face in these machines, you might find the same application/product in the exam (Or in the real world).
• Volume: This one is especially important, OSCP is all about volume. Do as many boxes as you can to always have a new idea regarding how to enumerate/exploit a specific scenario, and where the logic might be
• Configure: An underrated tip that you might not find in alot of OSCP reviews, and it might not be entirely relevant to pass the OSCP exam, but it’s meant to enhance your overall skills and comprehension of different attack surfaces, especially the large enterprise ones. Learn the basic sysadmin duties of configuring web servers, dealing with nginx, Apache, configuring file shares, AD Domains..etc. Hackthebox Academy’s CPTS path is strongly recommended for this one.
• Concurrency: Run Multiple recon tools at the same time for different machines/services.

Resources

• Lainkusanagi’s OSCP-Like
• TJNull’s Ippsec playlist
• AD Security Blog
• TCM Security’s Practical Ethical Hacking
• hakluke’s ultimate OSCP guide - OUTDATED
• Reverse shell generator
• OSCP Subreddit
• Helpful OSCP Review

Thank you for reading, and keep on hacking! :)