In March 2023, I passed the OSCP exam, to become an OffSec Certified Professional. Combined with the CPSA, this also made me a CREST Registered Penetration Tester (CRT).
The OSCP is sometimes described as an “entry level” pen testing certification, which can be a bit confusing. It’s certainly not aimed at beginners to IT! For context, I’ve passed 40 other IT exams on my first attempt; this is by far the hardest exam I’ve taken, and it took me 3 attempts to pass, after 6 months of full-time study.
However, the OSCP is entry level for pen testing, in the sense that it’s a de facto standard. There are lots of job adverts which list the OSCP or CRT as requirements. I’ve previously done the PenTest+, OSWP, and eJPT: those are all easier exams (i.e. more accessible to beginners) but none of them helped me to get any job interviews.
The OSCP is also entry level in the sense that there are more advanced certifications out there, e.g. the OSEP (OffSec Experienced Pentester). So, this certainly isn’t the end of my learning journey; it’s a new beginning.
Before I dig into details, just a general note. There have been various changes over the past few years, e.g. the exam format changed in Jan 2022, and the syllabus changed in Mar 2023. So, if you’re looking at blog posts, Reddit threads, YouTube videos, etc. then keep an eye on when they were published; the information might have been true at the time, but no longer relevant. (That also applies to this post.)
Also, at the risk of stating the obvious, I’m not going to share anything that would breach the non-disclosure agreement. In particular, I’m not going to reveal any details about my exam machines, so please don’t ask!
Training (costs)
With most exams I’ve done (e.g. Cisco and CompTIA), you can choose between doing a training course or self-study. OffSec is different: if you want to do an exam, you have to pay for their course first. You don’t have to use the training material, but you might as well (since you’ve paid for it). In this case, the PEN-200 course leads to the OSCP exam.
There are 3 ways to do the course:
- A standalone course costs $1599. This includes 90 days of lab time and 1 exam attempt. You can then get a 30-day lab extension for $359.
- A Learn One subscription costs $2499. This includes 1 year of lab time, 2 exam attempts, and the fundamentals (100-level) training courses; it also includes the PEN-210 training and 1 OSWP exam attempt.
- A Learn Unlimited subscription costs $5499. This includes 1 year of lab time, “unlimited” exam attempts, and all the OffSec training courses except for EXP-401 (which is only taught in person).
(That’s just a summary; see the Learn Subscriptions page for full details.)
If you need to do additional exam attempts, they cost $249 each.
In brief, I’d recommend a Learn One subscription.
NB In Nov/Dec 2021, OffSec reduced the price of a Learn One subscription to $1999 (i.e. a 20% discount). They did the same thing in Nov/Dec 2022. I don’t know whether they’ll run the same promotion again in 2023; if they do then it’s worth considering, but only if you can devote time to it right away (see below).
In 2019, I paid $450 to do the OSWP course/exam, so the discounted Learn One course is cheaper than the standalone OSCP + OSWP (if you can do both within a year). You should also consider the cost of extending your lab time and/or additional exam attempts, i.e. the standalone course might end up costing you more in the long run.
I think that having a year to do the course will also give you more peace of mind. The lab extensions average out at $12/day, so if you go away for the weekend then that feels like $24 down the drain. In terms of mental health, I don’t think it’s good to have the “taxi meter” running continuously, i.e. you need to be able to take a break without it causing you extra stress. If the year’s subscription will give you more time than you need, you can take breaks with a clear conscience.
In my case, I started with the 90 day standalone course in Jul 2020. (At the time, this cost $1349.) After 6 weeks, I’d got about halfway through the topics, and my lab report was 133 pages long (where I wrote up my answers to each of the exercises). I hadn’t even touched the labs, and I got quite bogged down in the modules for buffer overflows.
At this point, I was working full-time, so I was trying to fit the course into evenings and weekends. That was a challenge, and I wound up getting distracted by real life obligations (e.g. house renovations), so the remaining 6 weeks went to waste, and I never used that exam attempt.
In Dec 2021, I started a Learn One subscription for PEN-300.
NB That’s the OSEP course, not the OSCP course. That’s partly because I begrudged paying for the PEN-200 training material twice.
My cunning plan was that I’d start with the fundamentals courses (e.g. PEN-100) which were part of the Learn One subscription. I’d then do a 90 day lab extension for the PEN-200 course (i.e. repeating the duration of the original course) and pay for a new OSCP exam attempt. Finally, I’d switch back to the Learn One subscription to do the PEN-300 course, and take the OSEP exam by the end of the year.
Spoiler alert: things didn’t go according to plan…
In the past, OffSec used to offer 3 versions of the standalone course, with a choice between 30 days, 60 days, and 90 days of lab time. Similarly, they offered 3 versions of the lab extension (30 days for $359, 60 days for $599, and 90 days for $799). In March 2022, those options were streamlined: the standalone course only had a 90 day option, and lab extensions only had a 30 day option.
I waited until the last day that the old options were available, then paid $799 for a 90 day lab extension, along with $249 for an exam attempt. My theory was that this would be more cost effective than doing 30 day extensions. However, I didn’t actually use that lab time at all (due to other commitments), and the exam attempt timed out before I could use it. So, all that money went to waste.
In August 2022, I made a conscious choice to take a career break so that I could focus on full-time study:
- In August, I started with a 30 day lab extension ($359).
- In September, I paid for another 30 day lab extension ($359) and an exam attempt ($249) which I booked for October.
- In October, I paid for another 30 day lab extension ($359) and rescheduled my exam attempt for November.
- In December, I paid for another exam attempt ($249) after failing my first attempt.
- In January, I paid for another exam attempt ($249) after failing my second attempt.
Looking back at my Learn One subscription, I think that the Fundamentals modules were worthwhile (just to plug some holes in my knowledge), but I didn’t really touch the PEN-300 content. I.e. in practical terms, that subscription was only useful to support the PEN-200 course.
So, that’s a total cost of $6220. ($1349 in 2020, and $4871 between Dec 2021 and Mar 2023.) Let’s focus on the second figure:
- If I’d chosen PEN-200 instead of PEN-300 for the Learn One subscription in Dec 2021, that would have cost me $1999 for Learn One, and $249 for each of my second/third exam attempts (after the subscription ended), so the total cost would be $2497 rather than $4871.
- If I’d waited until I was ready to start studying full-time, then paid for a full price Learn One subscription (PEN-200) in Aug 2022 ($2499), that would have covered all my lab extensions and my first two exam attempts. I’d then have paid $249 for my third exam attempt. The total cost would be $2748 rather than $4871.
- If I’d done a Learn Fundamentals subscription ($799) instead of Learn One ($1999) in Dec 2021, then paid for the same lab extensions and exam attempts, the total cost would be $3671 rather than $4871.
- If I’d done a Learn Fundamentals subscription ($799) instead of Learn One ($1999) in Dec 2021, then only paid for the lab extensions and exam attempts in Aug 2022 onwards (i.e. skipped the wasted lab extension and exam attempt in Mar 2022), the total cost would be $2623 rather than $4871.
So, all four options would have been better than what I actually did! The only consolation is that my method still worked out cheaper than Learn Unlimited ($5499).
The reason I’m sharing all this is so that other people can hopefully avoid making an expensive mistake.
If I buy a book or a Udemy course, but I don’t look at it for several months, it’s not going to cost me any extra money; the worst case scenario is that the material might be a bit out-dated, but even then books are relatively cheap to replace. By contrast, OffSec lab time is more like a gym membership, i.e. you’re paying for it whether you use it or not. So, make sure that your good intentions are realistic.
Related to that, you need to consider your other commitments. The obvious ones are work and friends/family, but also think about any other studying you’re doing. E.g. in my case, I paid for the Learn One subscription in Dec 2021 and I paid for the 90 day lab extension in Mar 2022. However, I also did the CISMP exam in Mar 2022, the Project+ exam in Apr 2022, and the CPSA exam in May 2022. So, the time I spent preparing for them is time that I didn’t spend in the OffSec labs.
It’s good to have long-term goals (e.g. the OSEP) but don’t get ahead of yourself. Focus on PEN-200, and worry about other courses later.
Bonus points
You can earn bonus points by doing at least 80% of the exercises in each topic and getting root access to at least 30 lab machines. This is handled by submitting flags in the portal, then your points will be added to your exam score automatically.
NB This method replaced the old lab report, so I discarded the work that I’d done in 2020. I think that the new method is a lot easier for students, because it removes ambiguity about how much detail you need and you get instant confirmation that your answers are correct. It’s also easier for staff, because the portal will calculate the points automatically so they don’t have to read a long report.
At the time of writing, OffSec have just released the new PEN-200 2023 syllabus, and there’s a phased migration to it. Please read their blog post to understand how this affects bonus points. The key point is that your exercise progress from the old syllabus won’t carry over to the new syllabus. So, if you can’t finish enough exercises in the old syllabus by 1st July (the deadline was originally 18th April), you’ll have to start over from 0% in the new syllabus. (Hopefully it won’t take long to repeat the exercises in the early modules, if you’ve already learned the concepts.)
These changes have sparked off some lively discussions on Discord. According to OffSec staff, the original purpose of bonus points was just to motivate students to complete the exercises before doing the labs. They also wanted students to practice on lab machines before attempting the exam. So, it was almost a paradox: if you did the activities to gain the bonus points then you wouldn’t need the bonus points in the exam, because all the extra studying would improve your score enough that you’d pass without them.
None of the other OffSec exams have bonus points, so are they acting as a distraction here, and doing more harm than good? Should students take a more relaxed attitude, and just focus on learning the material?
When I started the course in 2020, the lab report was only worth 5 bonus points. In the exam, there were 5 machines, adding up to 100 points:
- 2 x 25 points (1 buffer overflow and 1 “hard” machine)
- 2 x 20 points
- 1 x 10 points
The pass mark was 70, so the bonus points would only be relevant if you scored exactly 65. (Any higher and you’d pass anyway; any lower and you’d fail anyway.) Without the bonus points, you could skip at least 1 of those machines, i.e. any combination of 4 would give you at least 75 points.
In Jan 2022, the exam format changed to have 6 machines, which also added up to 100 points:
- 1 x Active Directory set worth 40 points
- 3 x standalone machines (10 points for each low-priv shell, 10 points for each root shell)
The pass mark stayed at 70, but bonus points are now worth 10 points rather than 5 points.
The OSCP exam FAQ lists the possible scenarios to pass the exam:
- 40 pt AD + 3 local.txt flags
- 40 pt AD + 2 local.txt flags + 1 proof.txt flag
- 40 pt AD + 2 local.txt flags + bonus points
- 40 pt AD + 1 proof.txt + 1 local.txt + bonus points
- 3 fully completed non-AD machines + bonus points
So, if you don’t have the bonus points, you must complete the AD set. This is a change from the old format (where none of the machines were mandatory). It’s also different to newer exams like the OSWA (where none of the machines are mandatory).
NB The AD set doesn’t simply rely on AD techniques, because you have to get an initial foothold (like the standalone machines). If you can’t get the foothold, you could be the world’s greatest expert on Kerberoasting etc. but it wouldn’t help you.
Based on that, I would strongly advise all students to get the bonus points, so that you have a safety net during the exam.
My advice to OffSec is that they should restructure the exam to avoid this bottleneck, and I can see 2 approaches:
a) Add a 4th standalone machine, so that you could get 70 points without doing the AD set.
b) Give the student credentials for an AD account at the start of the exam, corresponding to an “assumed breach”. (This is how the CRTP exam works.) You would then need to demonstrate your AD skills in the AD set, and demonstrate your foothold skills on at least 2 of the 3 standalone machines.
If either of those changes were made, OffSec could remove the bonus points, and simply encourage students to do the exercises and lab VMs for the sake of learning new skills.
Training (PEN-200 content)
After my false starts (see above), I started from scratch in August 2022 with a 30 day lab extension. I went through all of the topics and exercises before I touched the lab machines. This took me 31 days in total (i.e. all of my original extension and the start of my next 30 days), plus 5 minutes on day 32:
Module | Topic name | Sections | Hours | Minutes | Days |
---|---|---|---|---|---|
1 | Penetration Testing with Kali Linux: General Course Information | 11 | 0 | 15 | 1 |
2 | Getting Comfortable with Kali Linux | 8 | 1 | 30 | 1 |
3 | Command Line Fun | 11 | 3 | 0 | 1-2 |
4 | Practical Tools | 7 | 2 | 45 | 2 |
5 | Bash Scripting | 9 | 3 | 30 | 3 |
6 | Passive Information Gathering | 17 | 1 | 40 | 3 |
7 | Active Information Gathering | 8 | 2 | 35 | 3 |
8 | Vulnerability Scanning | 5 | 1 | 25 | 4 |
9 | Web Application Attacks | 12 | 5 | 10 | 4 |
10 | Introduction to Buffer Overflows | 4 | 5 | 30 | 5-16 |
11 | Windows Buffer Overflows | 4 | 14 | 45 | 16-17, 20-21 |
12 | Linux Buffer Overflows | 9 | 10 | 15 | 18-19 |
13 | Client-Side Attacks | 5 | 3 | 5 | 19 |
14 | Locating Public Exploits | 5 | 1 | 40 | 19 |
15 | Fixing Exploits | 4 | 1 | 30 | 20 |
16 | File Transfers | 4 | 3 | 30 | 20 |
17 | Antivirus Evasion | 5 | 3 | 0 | 20 |
18 | Privilege Escalation | 5 | 5 | 45 | 21-22 |
19 | Password Attacks | 6 | 6 | 0 | 22 |
20 | Port Redirection and Tunneling | 7 | 5 | 0 | 22-23 |
21 | Active Directory Attacks | 7 | 31 | 0 | 24-26, 29 |
22 | The Metasploit Framework | 8 | 9 | 0 | 27-28 |
23 | PowerShell Empire | 5 | 3 | 30 | 30 |
24 | Assembling the Pieces: Penetration Test Breakdown | 11 | 7 | 45 | 30-31 |
25 | Trying Harder: The Labs | 9 | 0 | 5 | 32 |
That’s 133 hours and 10 minutes in total. The time might be different for other people, especially with the new 2023 syllabus, but this is a rough guide. (That doesn’t include the time I spent on other resources, e.g. doing the EXP-100 course in the middle of module 10.)
NB If you know how long it will take you in total, and how long you can spend on it each day, you can calculate how many days it will take you. Similarly, if you know the total time, and you want to complete it in a certain number of days, you can calculate how many hours you’d need to do each day.
Topic 10 is definitely the outlier, i.e. it’s 5½ hours spread over 12 days! It took me a while to get my head around buffer overflows, and I think I wound up going into more detail than the course really needed, because I wanted to understand the topic properly. As part of that, I made a video walkthrough for one of the exercises.
Buffer overflows have now been removed from the 2023 syllabus, so if I was starting now then I think I’d complete the topics a lot quicker. However, I enjoyed buffer overflows once I understood them, so I intend to do the EXP-301 course (for the OSED exam) at some point.
After I finished the topic exercises, it took me 46 days of lab time to do 30 out of 75 lab machines (i.e. enough to qualify for bonus points). This took me 200 “active” hours, but I’m not including the time when I left tools running in the background (e.g. for a brute force password attack).
OffSec have shared some statistics: A Path to Success in the PWK Labs. Basically, the more lab machines you do, the more likely you are to pass the exam on your first attempt.
The main difference is that topic exercises are typically focussed on whatever you’ve just been taught. E.g. suppose that you have a section about cookies, then an exercise which asks you to bypass a login page. In that scenario, you’ll probably need to modify a cookie to complete the exercise. By contrast, the lab machines are open-ended: “here’s an IP address, off you go”. That mirrors what you’ll see in the exam, and in a real life pen test.
I think that practicing on lab machines is worthwhile, and I wrote more about this in a previous post (OSCP: Try Harder). However, when I did the PEN-200 course, the lab used shared VMs, i.e. all the machines were constantly running and there would probably be other students connecting to them at the same time. This caused a few complications:
- If you’re halfway through the machine, you might get kicked out because someone else has reverted it. You then need to repeat your previous steps. As a silver lining, this taught me to get into the habit of writing a “speed run” summary for each machine (avoiding dead ends), which is what you need to do in your exam report.
- You might find that a machine is easier than it’s supposed to be, because someone else has made changes. For instance, when you’re doing privilege escalation on a Linux machine, you might check the /etc/passwd file and see that the root account has a hash stored in here (rather than in /etc/shadow), and then crack this hash using the rockyou list. Great! However, suppose that someone else has already used the Dirty COW exploit to overwrite the original file (i.e. they changed the password for the root account). In that case, you’ll get the flag without actually learning the right technique, and you might not even be aware that you’ve taken a shortcut.
- Similar to the previous example, if you get a low privileged shell on a machine and then see that another student has stored “dirtyc0w.c” in the home folder, that gives you spoilers about what the priv esc vector is likely to be, and it deprives you of the opportunity to figure that out for yourself.
- Conversely, you might find that you can’t solve a machine because another student has broken something. E.g. I saw one machine where the /etc/passwd file had been overwritten with a single line, which effectively deleted all the existing user accounts.
In those last three scenarios, you could revert the target before you start working on it. However, that’s going to be disruptive to other students, similar to the first point that I mentioned.
The shared environment is why I stopped after 30 machines. However, one of the big changes to the new 2023 syllabus is that each student gets dedicated VMs (similar to TryHackMe and HackTheBox). That’s a significant improvement, and I think it will give a much better learning experience. If I was doing the course now, I’d try to do more than 30 machines.
Training (other resources)
After I failed my first attempt, I used the remaining time in my lab extension to prepare the buffer overflow walkthrough video, but I didn’t do any more lab VMs. I also didn’t extend my PEN-200 lab time before subsequent attempts. Instead, I looked at other places where I could learn, to supplement my existing knowledge:
- TryHackMe
In Dec 2021 and early 2022, I went through the “Advent of Cyber 3” room and the “Jr Penetration Tester” learning path. In Dec 2022 (after my first failed OSCP attempt), I went back to TryHackMe to do the new “Advent of Cyber 4” room, along with the first 2 “Advent of Cyber” rooms (from 2019 and 2020), and I did 66% of the “Offensive Pentesting” path. After my second failed attempt, I got up to 99% of the “Offensive Pentesting” path and I did all of the “Compromising Active Directory” module. I also did a few other rooms, particularly the ones with badges linked to them.
- HackTheBox Academy
I’ve been doing the “CREST CPSA/CRT Preparation” skill path, in parallel with the “Bug Bounty Hunter” and “Penetration Tester” job role paths. There’s a lot of overlap between them, and I got up to about 40% completion on all of them before my third attempt.
NB I haven’t done much at the “main” HackTheBox site; I’ve only completed 2 easy machines (“Lame” and “Heist”). In particular, I didn’t have time to do TJ Null’s list, but I would have started on that if I’d needed a 4th attempt.
- Tib3rius has 2 courses at Udemy (£20 each), which are well worth your time:
I definitely benefited from this extra training. Since those websites are significantly cheaper than the PEN-200 course, maybe it’s best to start there? However, I did these after the PEN-200 course, and maybe I’d have struggled with them if I didn’t have that prior knowledge?
I’m not sure of the optimal route (especially now that there’s a new syllabus for PEN-200), and the answer will probably vary from person to person. So, just keep these in mind.
Booking the exam
If you do the “standalone” 90 day course, this includes 1 exam attempt, which can be used up to 120 days after your lab time ends. If you buy a 30 day lab extension during that time, it pushes back the deadline for the exam. If you don’t use the exam attempt within those 120 days, you lose it. (A few years ago, you’d get a new exam attempt bundled with each lab extension, but that’s no longer the case.)
If you have a Learn subscription, you have to use your exam attempt(s) within that year, otherwise they evaporate.
If you buy an extra exam attempt, that’s valid for 120 days from the day of purchase, and lab extensions don’t affect this deadline.
NB OffSec have an exam retake policy, which is particularly relevant to Learn subscriptions:
- If you have Learn One, you have to wait at least 4 weeks after your first attempt before you can try again. That means that you should do your first attempt by the end of month 11, in case you need to do a second attempt in month 12.
- If you have Learn Unlimited, you have to wait 2 weeks after your first attempt, then 4 weeks after all subsequent attempts. That means that the number of exam attempts isn’t actually unlimited, i.e. you could do a maximum of 14 attempts within the year. (Potentially you could do different exams in parallel, e.g. the OSCP and OSWA; I assume that the retake policy is per course. However, I’m focussing on the OSCP here.)
It’s also worth noting that you can only book an exam when there’s a slot available. This is because the exams are proctored, i.e. you have someone watching you through a webcam. In practical terms, that means that you should try to book in advance rather than waiting until the last minute, particularly if you want to do the exam at a weekend. Related to that, I don’t think there are any exam slots between Christmas and New Year.
The trade-off is that if you book the exam a long way in advance then you’ll have to guess at when you’re going to be ready. OffSec will give you 3 chances to set the date, i.e. you can change your mind twice. If you use up all 3 attempts, you can email them, and they might allow you another chance, but you can’t keep changing it every week.
When you book an exam, the portal will tell you which time zone it’s using (e.g. “Europe/London”). Make sure that matches what you’d expect it to be. However, there’s an extra complication for daylight savings. Basically, the OffSec algorithm goes like this:
- Take the time of day that you selected.
- Convert that from your local time into UTC (Coordinated Universal Time) based on today’s date.
- Convert the UTC time back into your local time, based on the date of the exam.
Taking my first exam attempt as an example:
- On 21st October, I booked an exam for 11:00 on 14th November.
- The clocks changed from BST (British Summer Time) to GMT (Greenwich Mean Time) on 30th October.
- OffSec converted 11:00 (BST) to 10:00 (UTC), based on 21st October.
- OffSec converted 10:00 (UTC) to 10:00 (GMT), based on 14th November.
So, my exam was actually booked for 10:00 rather than 11:00. To be fair, this was shown in the confirmation email right away; it didn’t change later. This seemed like a glitch, so I emailed OffSec support to report it, but they said that this is the intended behaviour. That seems like a weird approach, and I haven’t seen any other exam booking systems that work like this, but just be aware of it so that you can add/remove an hour if needed.
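To make the daylight-savings quirk concrete, here is a small Python script (added for this post, not OffSec’s code) that reproduces the three-step conversion described above, reports how far the confirmed start drifts from the time you meant, and runs the algorithm backwards to tell you which time to pick in the portal. It assumes the booking and exam dates above fall in 2022 and that the portal’s time zone is “Europe/London”; the function names are my own.

```python
from datetime import date, datetime, time, timezone
from zoneinfo import ZoneInfo


def offsec_scheduled_time(selected: time, booking_date: date,
                          exam_date: date, tz: str = "Europe/London") -> time:
    """Reproduce the booking behaviour described in the post.

    1. Attach the selected clock time to today's date (the booking date)
       in the student's local zone.
    2. Convert that to UTC.
    3. Attach the resulting UTC clock time to the exam date and convert
       back to the local zone.
    The result is the local start time that appears in the confirmation.
    """
    local = ZoneInfo(tz)
    booked_local = datetime.combine(booking_date, selected, tzinfo=local)
    booked_utc = booked_local.astimezone(timezone.utc)
    # Only the UTC clock time survives; the date is replaced by the exam date.
    exam_utc = datetime.combine(exam_date, booked_utc.time(), tzinfo=timezone.utc)
    return exam_utc.astimezone(local).time()


def dst_shift_hours(selected: time, booking_date: date,
                    exam_date: date, tz: str = "Europe/London") -> float:
    """Hours between the confirmed start and the time the student meant.

    Negative means the exam starts earlier than intended (the post's case);
    positive means later (booking in winter for a summer exam).
    """
    local = ZoneInfo(tz)
    intended = datetime.combine(exam_date, selected, tzinfo=local)
    actual = datetime.combine(
        exam_date,
        offsec_scheduled_time(selected, booking_date, exam_date, tz),
        tzinfo=local,
    )
    return (actual - intended).total_seconds() / 3600


def time_to_select(intended: time, booking_date: date,
                   exam_date: date, tz: str = "Europe/London") -> time:
    """Run the algorithm backwards: the clock time to pick in the portal
    so that the exam really starts at `intended` local time on exam_date."""
    local = ZoneInfo(tz)
    wanted_utc = datetime.combine(exam_date, intended, tzinfo=local).astimezone(timezone.utc)
    # The portal will interpret our selection on the booking date, so express
    # the wanted UTC clock time as a local time on that day.
    on_booking_day = datetime.combine(booking_date, wanted_utc.time(), tzinfo=timezone.utc)
    return on_booking_day.astimezone(local).time()


if __name__ == "__main__":
    # Dates from the post, year assumed to be 2022 (BST ended on 30th October).
    booked_on = date(2022, 10, 21)   # still BST (UTC+1)
    exam_on = date(2022, 11, 14)     # GMT (UTC+0)
    got = offsec_scheduled_time(time(11, 0), booked_on, exam_on)
    print(f"Selected 11:00 on {booked_on}, exam on {exam_on}: starts at {got:%H:%M}")
    print("Drift in hours:", dst_shift_hours(time(11, 0), booked_on, exam_on))
    print("Select this instead for a real 11:00 start:",
          time_to_select(time(11, 0), booked_on, exam_on).strftime("%H:%M"))
```

The same functions show the opposite drift when you book during GMT for an exam after the clocks go forward, so they cover both directions rather than only the case in the post.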
My exam attempts
The basic concept is that you get 24 hours for the exam, followed by 24 hours to write the report. More precisely, you start the check-in process 15 minutes before your exam, then you have 23h 45m for the exam itself, then another 24 hours for the report.
NB You can take breaks whenever you like (e.g. to eat, sleep, or use the loo) but the clock is always running.
In theory, that means that you could do the exam over a weekend, e.g. starting on Friday evening and finishing on Sunday evening. In practice, I’d recommend that you allow 3 calendar days for this, which might mean that you book a Friday or Monday off work. In my case, I took a career break to study for this exam, so I did each of my attempts mid-week.
The next question is what time of day you should start. Looking at my 3 attempts:
- Attempt 1 started at 10:00 and finished at 09:45.
- Attempt 2 started at 12:00 and finished at 11:45.
- Attempt 3 started at 16:00 and finished at 15:45.
As you can see, I gradually shifted later in the day, and this worked well for me. In particular, you need to think about rest breaks. When I was 20 years old, I could pull an all-nighter and feel absolutely fine the following day. Now that I’m in my 40s, that’s no longer the case! So, my advice is that you shouldn’t think of it as a 24 hour exam; treat it more like a 14 hour exam.
The OffSec website has some advice on time management:
- 2-3 hours for each standalone machine (3 machines in total).
- 4 hours for the AD set.
So, that’s between 10 and 13 hours in total.
Suppose that you start the exam at 08:00, and spend the next 16 hours working on it, then you go to bed at midnight to get 8 hours of sleep. That means that when you wake up the next morning, the exam will have finished. So, your last usable exam time will be from about 22:00 until midnight, when you’re feeling at your most tired. If you’re struggling at that point, it’s not going to get any easier!
In my first attempt, I stayed up until 05:30, then went to bed for about 4 hours. I came back at 09:20, which gave me 25 minutes until the end of the exam, and I didn’t make any progress during that time.
In my second attempt, I got up at 09:00, started the exam at noon, and stayed up until midnight. I then went to bed for about 5 hours, did another couple of hours in front of the computer, and went back to bed for another 2½ hours. After the exam finished, I spent 17 out of the following 24 hours in bed.
The key issue here is that I was feeling ill before my second attempt. If this had been a “normal” 3 hour exam then I could just fortify myself and push through it. For a 24 hour exam, that wasn’t practical, and in hindsight I should have rescheduled. I wanted to pass the exam as soon as possible, but failing that attempt meant that I had to wait 8 weeks until I could try again. The exam itself was a miserable experience, because I was sitting in front of the computer with a headache thinking “I don’t want to be here, I’d much rather be in bed”.
NB You need to give 48 hours notice before cancelling or rescheduling an exam. If you don’t give that much notice, you’d lose the attempt. However, in my case the $249 was a sunk cost, i.e. I’d spent that money regardless of the outcome. Cancelling the exam (without a refund) would have been better than risking my physical health. Please learn from my mistake!
In my third attempt, I got up at 09:40 and had a leisurely morning. I did my check-in at 15:45 and started the exam at 16:00. By 22:00, I’d got 4 flags, i.e. I’d rooted 2 out of 3 of the standalone machines. I worked through until 03:20 with no more progress, so I went to bed for about 5 hours. I got up, had breakfast, and resumed the exam at 09:00. At this point, it was reassuring to think that I still had 6h 45m left, which is almost a full working day. Although I didn’t have a full night’s sleep, I’d slept for long enough that I felt normal. At about 13:00, I rooted the final standalone machine, which gave me all the points that I needed to pass the exam. I then spent the remainder of the exam time working on my report, e.g. I repeated my steps and made sure I had all the necessary screenshots.
Overall, my exam time (23h 45m) was split like this:
- 14h 10m to get 6 flags
- 7h 00m for breaks (including sleep)
- 2h 35m for the report
So, the third attempt was a much better experience for me, and I think that choosing the right time of day definitely helped (along with the extra studying I’d done). I’m not saying that you should necessarily start at the same time of day, but give some thought to the time that’s best for you.
I heard of someone else who could only get an exam slot which started at 03:00 (local time). So, they got up in the middle of the night, did the check-in process, then immediately told the proctor that they were taking a break and went back to bed. As a variation on that, you could start the exam an hour before you go to bed, then do the “low brain” activities (e.g. initial port scans) while you’re not very productive, and do the more creative tasks the following morning. Again, this will be an individual choice about what’s best for you.
Aside from timings, here are a few logistical issues to be aware of:
- You need to have a webcam which you can pan around to all the corners of the room at the start of the exam. If you’re using a laptop with a built-in camera, you can just pick it up and turn it around. If you’re using an external camera, make sure that the USB cable is long enough for you to do this! (If not, you might need to get an extension lead.)
- You don’t need headphones or microphone (i.e. you won’t be talking to the proctor). However, if the proctor sends a message then it’s helpful to hear the chat go “bing”, particularly if that window isn’t visible on your screen.
- You need to show your ID to the proctor. In my first attempt, I held up my passport in front of the webcam, but the camera wouldn’t focus so the text was too blurry to read. I then fetched my phone from another room to take a photo, but my phone just appeared as a glowing rectangle on the webcam. I had to email that photo to myself, then display it on the monitor (while sharing my screen). In subsequent attempts, I had the photo on my desktop PC ready to go, so I displayed that and then held up the passport.
- It’s worth taking proper meal breaks, but don’t order food delivery (because you’ll have to wait for it to arrive). Instead, have some food that you can prepare quickly, e.g. cereal, soup, or pasta. Save the takeaway pizza for when you’ve finished!
Exam report
NB OffSec will only give you a score if you fail the exam, not if you pass. (I assume that’s because they stop reading the report once you’ve got enough points.) If you don’t submit a report, you automatically score 0.
In my first exam attempt, I got 2 flags (20 points) by rooting one of the standalone machines. Combined with my 10 bonus points, that gave me 30 points in total. The pass mark was 70, so I knew that I’d failed. However, I decided to submit a report anyway, for a couple of reasons:
a) I wanted to confirm whether my report writing was good enough. I.e. if my score was lower than 30 then something was wrong, and I’d need to do things differently in future attempts. (Similarly, this would verify that I’d met the requirements for bonus points.)
b) Part of me was hoping that when I presented my report, OffSec would say “That’s weird, you should have got different output from that command. Our exam VM must be broken.” (Unsurprisingly, they didn’t say this, i.e. their exam VMs were working correctly and I just didn’t find the weak spots.)
I spent a while poking at the report, but I was also chatting on Discord, and generally feeling in a bit of a slump after I’d failed the exam. I finished it at 04:00 and went to bed, but I decided to submit it the following morning, i.e. I wanted to proof-read it with fresh eyes after some sleep. However, I didn’t get up until 09:00 the next day, and this put me in a bit of a rush.
NB The deadline for submission is 24 hours after the exam ends, not 48 hours after it starts. In this case, my exam started at 10:00 and finished at 09:45, so the report deadline was also 09:45. I thought that the deadline was 10:00, so I tried to submit the report at 09:58, and I got a “time elapsed” error message. At 10:00, I then received an automated email:
“We regret to inform you that you did not meet the requirements to obtain the OSCP certification as we did not receive your exam documentation within the allotted time frame.”
I emailed OffSec, and they agreed to allow a late report “as a one-off courtesy”. So, I submitted the report, and I received my results a day later. This had a score of 30, which is what I expected, so at least I knew that this aspect was ok.
After my second attempt, I knew that I’d failed, i.e. the flags I’d submitted were only worth 10 points. Since I was feeling so tired, I didn’t bother submitting a report, because I wouldn’t have learned anything. I then received the same automated email as before.
After my third attempt, I knew that I had enough flags to pass, so I needed to submit a report. As I mentioned above, I started this while the exam was still running. I continued working on the report after the exam finished, and submitted it at 18:45 (3 hours later). Altogether, I think it took me about 5 hours (excluding breaks).
I was keen to get it finished as soon as possible: the sooner I submitted it, the sooner I’d get my results. I also wanted to get the information down while it was fresh in my mind, and it would be easier to relax after I’d submitted it (rather than having it hanging over me). Since I’d missed the deadline after my first attempt, I didn’t want that to happen again!
When I did the report for my first exam attempt, I included all the machines, whether I’d gained access or not.
When I did the report for my third exam attempt, I only mentioned the 3 standalone machines (where I’d gained access); I ignored the AD set, because I didn’t have anything useful to say about it, and it wouldn’t affect my score.
There isn’t a fixed format for the report, but mine looked like this:
- Cover page
- Table of contents
- Executive summary
- Vulnerabilities
- Recommendations
- (Repeat following sections for each machine in turn)
  - Steps to reproduce
    - Enumeration
    - Exploitation
    - Privilege escalation
    - Clean-up
  - Proof (screenshots of flags)
- Steps to reproduce
As practice for this, I recommend writing a report for each lab VM that you do.
I wrote my report in Word, then saved it as a pdf. Make sure that you read the OSCP exam guide carefully, particularly the section with submission instructions. People have apparently failed their exam for using the wrong filename! However, as long as you’re careful, and double-check what you’ve done, the steps are straightforward.
CREST equivalency
CREST have an equivalency program, where they recognise the OSCP as a substitute for the CRT exam. As soon as I got my OSCP exam result, I emailed them. They said that the process is expected to take 5 weeks, but it was actually a lot quicker for me:
- Sat 4th March – I emailed CREST.
- Tue 7th March – CREST emailed me back, and sent me a registration link for their membership portal. I used the portal to enter my CREST ID and OS ID, and confirmed that I’m registered with Pearson Vue. I also had to sign their code of conduct (i.e. print it, sign it with a pen, and scan it back in).
- Mon 13th March – CREST sent me an invoice for £100 (+VAT). This had “net 30” payment terms, but I paid it immediately.
- Tue 14th March – I received my CRT certificate.
I wonder whether the 5 week turnaround is because people often wait 30 days before paying the invoice? Or maybe I just got lucky.
I did the CPSA exam in May 2022, and the CRT certificate has been backdated to match it, i.e. they’ll both expire in May 2025. So, it might have been better to delay the CPSA exam, but I can live with that.
ISC2 CPE
When I passed the exam, the notification email said:
“As you have successfully passed the OSCP exam, you may now qualify for 40 CPE points. If you hold an ISC certification, you can register the OffSec training at the ISC2 website.”
Ideally, these would be submitted automatically; that’s how it works at HackTheBox. However, for now you need to do it manually. (I had to go through a similar process after my OSWP exam, but the ISC2 website has changed a bit since then.)
Here are the steps I took, in case they’re useful to anyone else:
- Dates
  - The start date is when you started the course, and the end date is when you started the exam. (In my case, I used the start date of my lab extension in August 2022, not the original course from June 2020.)
- Category & detail
  - Category: Education
  - Subcategory: Courses and Seminars – Other
  - Title: Penetration Testing with Kali Linux
  - Training Provider: OffSec
  - Credits: 40
  - Summary: I took the PEN-200 course and passed the OSCP exam.
  - Supporting documentation: I saved my email from OffSec as a pdf and uploaded it.
- Domain
  - There are 7 domains for group A. I checked the box for “Systems and Application Security”.
- Review
- Confirmation
Conclusion
This has been a long blog post, even by my standards! So, congratulations if you’ve made it all the way to the end, and I hope it was useful to you.
Despite the various setbacks, I think that the PEN-200 course was worth the time and money that I spent on it, and I feel a sense of achievement now that I’ve passed the exam. I learned something from each exam attempt (pass or fail).
Thanks John for the detailed summary of your OSCP journey. I must say that, similarly, your Discord advice was very helpful for me, specifically for the Windows BoF exercises, with which I often felt beaten and doubtful that I would ever make them. Thank you, mentor.
John, thanks for sharing so much about OSCP. I was studying for it the same timeframe as you (I passed in April 2023), and really appreciated the way you helped everyone on Discord. You got me unstuck quite a few times as I was learning how to try harder. Thanks!