OSCP Exam – Preparation, Exam Day & Report Day

In December 2016 I set the goal of achieving the OSCP certification by the end of June 2017. I have been in a development role at my current employer for 8 years – they’ve been incredibly good to me and I love working there – but I want to move into more of a security-focussed role so I figured I would need a serious certification to achieve this. I’d love to stay with the employer I am with, and our current security team has said my skillset is such that I complement their skills, and would be great to assist our other developers with security.

This week I achieved that goal!

Now that I have completed OSCP, I thought I’d pass on what worked for me, not only on the day of the exam, but in the time leading up to it, and the day after during the exam report preparation day. The format will be split into headings that are X days from E-day, with E-Day being the exam day.
Everything below will be very individual. I am not an authority on the subject, I’m only willing to pass on a few things I personally found that assisted me.

I had 2 months total PWK lab time.
The first month, I was doing 50+ hours a week in the labs, plus working 40 hours a week in my dev role. Despite that, I really enjoyed that whole month!
The second month, I averaged around 20 – 30 hours a week. I concentrated on the areas I was weak in, such as Windows privesc and buffer overflows, but did a few Linux boxes so I could access the IT and Dev networks.

I had my first exam attempt early in February, which was unsuccessful. During my first month in the PWK labs, I concentrated on my strengths. What a douche move that was. I was fucking delusional at this point (given 50hrs a week on labs, it’s not surprising in hindsight) and I actually thought “Hey, I’m really strong on Linux and I can pwn anything Linux in sight, and privesc to the moon and back! Who needs to learn Buffer Overflows!”

Yeah. Bad move. Don’t be me. Don’t ignore buffer overflows.

It’s hard to know when you’re ready to do the OSCP exam. Each person is different, different skillsets, strengths and weaknesses.

OSCP exam is 24 hours – but it’s really much more than that. Budget 72 hours for the exam itself (24hrs previous to make sure you’re rested, 24hrs for the exam, 24 hrs for the report writing itself). The 24hrs of the day before is flexible, but use it to put yourself in exam prep mode.

30+ Days from E-Day.
Decide if you are going to submit your exercise answers after the exam.
Consider if you are going to submit the exercises from the course in your lab report. These are also worth 5 points in your lab report. These are a reasonably significant task, to do a good job you will need to take your time and probably need most of the remaining time (if starting from scratch) to prepare your responses.

Do you think you need any enumeration scripts?
Now is the time to start on their development. What do you need to know when compromising a host? Python is a great language for this task.

Book your exam day.
OffSec apparently prefer exam bookings at least 3 weeks out, so bear this in mind. I’m not sure if their system is set up to only permit this, or not. On each exam attempt I booked time during the week, and this required me to book rec leave at work. Keep this in mind – your employer may have requirements you need to consider here.

What time should you book your exam for? It’s an individual choice. For me, I decided to book the start for a time just after I would normally leave for work, so that the house was empty and I could concentrate as much as needed for a decent 8 hour stint of time before having to prepare dinner etc, then hack late into the night.
But I also considered that it might be wise to start about 8pm, work until 1 or 2am, before going to bed until 7am. That might work better for you, and I was going to try that if I still didn’t get through.

How are you with buffer overflows?
These are an important part of the exam! Once you understand them, the process behind them and how they work, they are, to be quite honest, an easy 25 points for your exam. Don’t skimp on these! I have a post to come shortly with a number of practice applications I used – these are invaluable. Now is the time to make sure you’re well skilled up on BoFs.
Do you need more BoF practice? I suggest spending as much time as needed to learn it, and that dostackbufferoverflowgood is a damn good place to start! In my opinion, this is easier to follow than the OSCP buffer overflow information included in the videos – and has better suggestions to follow (pop calc, sub esp,0x10 etc) that will really help.
Make sure you know how to pop calc with msfvenom! It’s very handy.

14+ Days from E-Day.
Decide if you are going to submit your lab-machine report after the exam.
Consider that you need to submit at least 10 hosts in the report to get the maximum 5 points for that part of the report.

I decided this 7 days out, and although I got to root on 20 hosts in the labs, due to time I only added 10 hosts to my report. This was not detrimental in any way to my result, but you may wish to add more and thus will need more time.

7 days from E-Day.
Check you have satisfied the documentation requirements.
If you are submitting the 10 machines minimum in your lab report, and if you still have lab time remaining, make sure you can re-compromise the hosts in the report using the documentation you have in the report. Revert the hosts, re-compromise all the way to root, making sure each works as expected. Update your notes and report as needed.

3 days from E-Day.
Sugar. Caffeine. Sustenance!
I needed this. I’m mid-30s and I can’t do an all-nighter these days very easily. You might be as lucky as the 17yo I know who passed OSCP in 2016 and said to me “Yeah, I just stayed up for 48 hours and got the exam and report all done” – but I’m betting that’s not the case!

If you’re doing OSCP, there is every chance you’re not new to IT. You’ve possibly done a degree with plenty of late night cramming, or if you’ve been in the industry a while – enough late nights fixing production issues that you know what you need to keep you going. Now is the time to get that from your supermarket.

Red Bull? Coca-Cola? Espresso? Nespresso Pods *shudder*? Consider this now, and purchase an ample supply.

Sugar! Sugar will be required. My choice, being down under, was Tim-Tams and Natural Confectionery Company party mix! So good. I’ll touch on distribution of these in the 0 day section.

Final chance to tidy up the lab machines in your report!
Check the documentation regarding reporting requirements, make sure you’ve got everything you need, and that it’s all documented. If you have lab time left, jump in now and grab what you need.

Music Playlist.
On exam day you’ll need to concentrate – if you’re the kind of person who requires silence then skip this part. Otherwise, compile a playlist of your favourite uplifting uptempo music in the few days before the exam. I queued up 16hrs of liquid drum and bass – with some Dual Core in there too – for my exam and playing through my wireless headphones this was exactly what I needed to concentrate at my best – all day.

Plan your Exam-Day
This is a good chance to consider HOW you plan to attack the exam. I did my Buffer Overflow first, as do many others, but from there it’s an individual decision on what hosts to do next.

I knew what it would take me to do the BoF (the passing exam was my 3rd go at it), and then a reasonable idea what it would take for a low point host from there and made my plan around that. You might wish to change things around to suit.

In my plan was: BoF complete “Stretch and Walk around the block: 10 mins”, Next host, Lunch break – stretch and walk, Another host, Dinner break – stretch and walk, Another Host (If enough points, sleep) otherwise keep pushing.

Plan Exam-Day lunch and dinner
What will you do for lunch and dinner? It’s best to go for a low fat high fibre meal in both cases, due to the rest of the diet during the exam being absolutely shit!

Never Give Up!
Set a Calendar reminder for 11pm, 1am and 3am for the video: https://www.youtube.com/watch?v=KxGRhd_iWuE Don’t watch it yet! Just trust me! It’s not a rick-roll or any of that lame shit. It’s just what you need to hear at 11pm, 1am and 3am when the enthusiasm is starting to wane.

Kali Shell Buffers
Set your terminal emulators to have the maximum buffer history (or unlimited if you can), and DO NOT close them during the exam! I use terminator myself, which is great and can have unlimited buffer size from memory. Don’t reset your terminals, don’t clear your terminals, don’t close any of them. Don’t even close them until the report is submitted. Just trust me on this one 🙂

1 day from E-Day.
Get some rest. Spend time with the family/SO. Get an early night!
Lots of hard work is done. You’ve learned all you’re going to learn, and tomorrow is the big day. Reflect on what you’ve achieved with a quick run through your report document, don’t be excessively pedantic but make sure you haven’t made any obvious mistakes in your lab hosts. Do a PDF export to check for issues.
Make sure you get an early night, and take it easy on the booze – if you need to organise with your partner/significant other to sleep in another room (if you have disruptive kids who refuse to sleep all night for example) then this is probably the time. Ok, maybe this needs to be raised a few days earlier, this depends on the couple of course.

0day from E-Day. – The following is based around my routine, yours might be slightly different.
Exam day is here!
Get your morning routine out of the way in good time, relax – there is no rush! Have a leisurely breakfast with your normal amount of coffee. If you’re running 5, 10 or even 30 mins late, this really means nothing for the exam at this point. Chill, relax, deep breaths 🙂
Today you get to hack the planet, and you have all day to do it! I can’t think of many days which would be more enjoyable!

Morning routine out of the way – scheduled exam time is here – it’s time to hack!
Grab the exam email from OffSec, and get connected to the VPN. Do you have any enumeration scripts to run? Kick them off now.

Well, that’ll happen if you picked Coca-Cola to drink! But Burp Suite is also good – get it set up at the beginning of the day and run ALL your HTTP/HTTPS requests through it. You never know when you’ll want to refer to a request hours later, and Burp allows this – but only if you’ve been running it.

That playlist? Now is when it comes in handy! Get it playing, but don’t enjoy it too much – you’ve got hacking to do!

Buffer Overflow
This is a great first target while you’re fresh. If you’re across the steps you need to take to successfully perform a stack buffer overflow, then this is a great place to start! I love buffer overflows as they’re easier to understand than many vulns.
Make sure you check the OffSec reporting requirements and that you satisfy them. Take more screenshots than you need – it’s better to not use them than to need them on reporting day!
I like to run rdesktop with -g 1280x1024 – this doesn’t really work well for screenshots though, so perhaps go smaller – 800x600. Or, take full screenshots during the exam and then crop them for the report.
Pop calc. Do it. Thank me later.

BoF done, What’s next?
I can’t say. You might be more comfortable going with a low point host. You might prefer a high-point host. Ultimately that’s your decision!

Popped a shell? Reached a milestone?
Take a break. I’m serious! It only has to be 2 – 3 minutes. Get up, stretch! Legs, arms, back & lungs (a few deep breaths will do you good!). Walk a lap of the block if you can do so safely – otherwise star jumps are a great replacement if needed. Have a drink of water (yes! Hydration allows your grey matter to work as intended!).

Annoyed? Things not going to plan?
Take a break. I’m serious! It only has to be 2 – 3 minutes. Get up, stretch! Legs, arms, back & lungs (a few deep breaths will do you good!). Walk a lap of the block if you can do so safely – otherwise star jumps are a great replacement if needed. Have a drink of water (yes! Hydration allows your grey matter to work as intended!).
(The two above intentionally match – it’s important in either situation to have a small break)

Have Lunch/Dinner.
Organise your time so that the machines fit around your breaks, and that your meals are reasonably healthy with fibre and vitamins. Vitamin supplements have been proven to be a waste of money – so a balanced diet with fibre and vitamins in the meals is more important.

This will be constant! Red Bull/Coca-Cola, Tim-Tams and Natural Confectionery Company party mix! Have a swig of coke as needed, a snake, a Tim-Tam. If you don’t get OSCP, at least you’ll have diabeeeeetus! (I jest, but that’s really not a good thing. Take Care of yourself!) But as the day goes on, especially as it gets later, get the caffeine and sugar into you to keep you going. I tried Red Bull on exam number 2, it didn’t work for me very well – but this could also be because I slept poorly and woke up a few times thinking I was going to barf (I was actually a bit crook, not nerves).
Exam 3 I had a 1.25L bottle of Vanilla Coke – that helped me a huge amount compared to RedBull. I don’t understand why – but RedBull does nothing to keep me awake despite the quantity of caffeine in it. It never has (I still like their Formula 1 team :))

This guide would be pointless without mentioning that you need to Try Harder! Especially in the first few hours of the exam, you really do need to Try Harder – to achieve your OSCP certification. Try Harder is something that is hard to explain. It’s intangible. It’s hard to describe. It’s something you need to do in the first half of the exam, to make the last half easier.

Check your progress
How are your points looking? If you’re 16hrs in, and only popped a couple of shells – perhaps it’s best to kick it in the guts and sleep. I am of the opinion that by the 12th hour you’ll have a good idea of where you stand, considering also that as you go on it gets slower and harder, so the chance of earning points at 3am is much lower than at 3pm.

Have you used your Metasploit credit?
You can use ANY feature of the Metasploit framework on one single host – have you used that yet? There is no point in throwing in the towel until you have – MSF is a great tool to get shells on certain systems – don’t leave those points on the table!

+1 Day from E-Day
It’s the day after the OSCP exam. Did you get enough points?

You need 70 points – but this isn’t always easy to determine. If you straight up get root on enough machines to make 70 points, then you’re fine. But, did you get closer to 60? Did you get 10 lab hosts and possibly completed the exercises? Put in your lab report! It won’t hurt, and you can ask for feedback on your report if you didn’t get enough points.
But, if you get root on a couple of hosts, but only low-privilege on a couple of others, it’s harder to determine how many points you’re up to, as the points given for low-privilege shells on hosts are not made public. In this case, I’d prep the exam report and submit it anyway – the worst that could happen is no worse than not submitting at all – so it’s totally worth trying!

Not even close? Sleep in.
Shit happens. It’s a seriously tough exam to get through! Sleep in as much as you feel like, then chill for the day. Easy breakfast, then chuck on your favourite movie/s and grab your favourite take-away. No one makes their first jump (and most don’t even make their second or third!) Chin up – have a day to yourself (you deserve it!) and then start planning for the next attempt!

Yes, or, it could be close! No sleep in – up and at ’em!
HELL YES! Congratulations! Well, you’re in for a fun day! Make sure you’re up early, and you’ll probably need some more sustenance from the previous day – RedBull/Coke/Lollies – but you do have a little more freedom today than yesterday. If you’d completed the lab hosts and/or exercises before the exam then you will have a reasonable head start – but you do still need to document the compromised lab hosts from the exam.
Got a favourite takeaway? Fit it into your schedule and reward yourself – I’m pretty sure you deserve it!
You will be exhausted and tired today. But today is the day an OSCP is made! You could hack the whole planet on exam day, but without your report it’s worth nought!
Keep focused, keep pushing, keep documenting!
It’s not uncommon to write 8000 words today, documenting the process of exploiting the systems you encountered in the exam. This is a lot of work! Like I said, you’ll need sustenance, and you’ll need comfort food. It’s a serious day of documenting!

Those Shells…
Don’t forget you might have missed something in your documentation on exam day. This is now where all those shells and Burp Suite come in handy. If you missed the execution of a tool to deliver an exploit, then if you haven’t closed your shells from yesterday you can still get access to them.
Naturally you need to be taking these screenshots on exam day – but it is very easy to miss them in the adrenaline rush of getting a shell.

+3 Days from E-Day
Got enough points? Got the report in on time?
Well, check your email – you’ve probably got a surprise waiting!

Got some bad news?
Damn.. Sorry to hear it! It’s happened to just about everyone who’s tried at least once, you’re actually in good company.
What were your weak areas? Where did you do well?
Keep practicing – jump back into the PWK labs if you can, otherwise keep practicing locally and keep pushing! Get that resit booked in ASAP unless you have major stuff to work on!

Well. That turned out much longer than I expected! I had 3 goes at the OSCP exam, but I don’t profess to be any kind of expert – I just know what works for me to help me concentrate, having been a developer for 15 years.

I hope you might get some tips from this, and hopefully it helps some people out.

One thought on “OSCP Exam – Preparation, Exam Day & Report Day”

  1. Ooh good call on the shell buffers! I’ll keep that in mind when I get around to the OSCP, thanks 🙂

    Congratulations again on passing!
