OSCP: PEN-200 Course & Exam Writeup

Posted on Jun 1, 2023

I recently earned OffSec’s OSCP cert having completed the PEN-200 course and passed the exam. I’ve benefited massively from reading blogs and posts in r/oscp, so I’ll write a few lines outlining my OSCP experience in the hopes that someone will find it useful.

Prep

Courses I studied in preparation for the exam:

The PEN-200 course was updated right before my exam, so I didn’t have time to go through all the new material, but I found the old SQLi and PrivEsc materials were lacking, which is why I supplemented them with the courses above. TCM’s Practical Ethical Hacking AD content was a nice supplement to PEN-200, and HTB Windows Privesc had a great section on Windows Privileges which explained them way better than PEN-200 and in a more structured way.

Boxes rooted in preparation:

  • PEN-200:
    • about 15 of the old lab machines (pre-April 2023)
    • all new labs except Lab 3 (which is beyond the scope of OSCP)
  • The following machines on TryHackMe & Hack the Box, in chronological order:
    Name              Platform
    Simple CTF        THM
    Vulnversity       THM
    CmesS             THM
    UltraTech         THM
    Lazy Admin        THM
    Anonymous         THM
    Tomghost          THM
    ConvertMyVideo    THM
    Brainpan1         THM
    Chatterbox        HtB
    SecNotes          HtB
    Access            HtB
    Arctic            HtB
    Bastard           HtB
    Alfred            THM
    Bastion           HtB
    Querier           HtB
    Precious          HtB
    Photobomb         HtB
    Soccer            HtB
    Legacy            HtB
    Netmon            HtB
    Inject            HtB
    Silo              HtB
    Cache             HtB
    Active            HtB
    Sauna             HtB
    Friendzone        HtB

I spent the last 3 weeks before the exam exclusively in PEN-200 labs, and felt pretty well prepared by the end.

The Exam

The practical portion of the exam is 23h 45m long, then you have another 24h to submit a report detailing all the steps taken, with screenshots. I’ll give a vague outline on how it went, avoiding any specifics of the exam machines.

  • 09:00-10:00: The exam started really well. I decided to attack the AD set first and within an hour I already had a user shell and one flag submitted.
  • 10:00-13:00: The good times didn’t last. I tried every attack my enumeration suggested, but could not escalate privileges on that machine. Took a break for some food.
  • 13:30-15:30: Rooted two standalones with no problems whatsoever. So close to having enough points to pass . . .
  • 15:30-20:00: . . .yet so far. Couldn’t even get a foothold on the third standalone. Felt time ticking by quickly at this point.
  • 20:00-20:30: Food break.
  • 20:30-00:00: At this point I’m stuck on the last standalone and the AD set. I decided to focus on AD again. Finally escalated privs on the first AD machine and compromised the domain shortly thereafter.
  • 00:00-04:00: Sleep!
  • 04:00-06:00: Just the last standalone left to do. With a fresh perspective, it was obvious what I had to do for the foothold. Privesc followed smoothly. 100 points in the bag!
  • 06:00-10:00*: Re-exploited everything, made sure I had all the commands and screenshots saved, made sure I submitted all the flags and they matched the screenshots.
  • 10:00-21:30: Prepared the report, with breaks interspersed. It seems like a long time to spend, but after 24 hours of rushed note taking, there’s a lot of fat to trim and tonnes of work to do to get a cohesive report.

*I got a 90 min extension as one of the machines had a technical problem and wasn’t exploitable. They reset it and confirmed exploitability in the early afternoon.

I got email confirmation that I had passed 3 days after submitting the report.

Course Tips

  • join the Discord straight away! Make sure you’re added to the private rooms for PEN-200 students and the labs. They are so useful for hints, as there are some problems that require more than a small leap of logic to solve, and for some pivoting tools and other resources that are absolutely essential yet not mentioned in the course material. You have to request to be added in Discord, then wait for a mod to invite you to a private chat. It can take more than an hour for someone to pick up your request, and if you don’t see the alert, it disappears after 20 minutes, so keep a keen eye on it.
  • take detailed notes and organise them well! I use Obsidian and have a private git repo so nothing gets lost. Apart from more verbose notes on different topics, I have a file for every TCP & UDP service I come across. Every time a command or technique worked for me on that service, I added it. Over time this becomes an extensive list of commands and techniques that I’ve personally had success with which, for me, is way better than searching for cheat sheets and finding commands I haven’t personally tested time and again.
  • track your boxes in a spreadsheet! Add the columns ‘Name’, ‘Platform’, ‘OS’, ‘Difficulty’, ‘User Access’, ‘How User Access was Gained’, ‘Root Access’, ‘How Root Access was Gained’, ‘Used Hints?’, ‘When Hint Needed?’. The final two columns are the most useful because they’ll show you where the holes are in your methodology. Over time, they become a checklist of steps to take when you’re stuck. The rest serves as a pro-memoria so, for example, if you test a live box that reminds you of a lab box, you can find how you rooted it quickly.
  • do the labs! The OSCP-A-C sets represented the exam difficulty level pretty well and are good for gaining confidence that you can actually do this.
  • get the bonus points! Personally, having them in my back pocket helped take the pressure off in the exam.

Exam Tips

  • talk to the exam proctor! If, during the exam, you’re unable to exploit something and your enumeration is telling you that it’s the intended path, it may very well be the machine is faulty. Ask the proctor to check the machine’s exploitability. It might cost you a couple of resets but it’s worth it.
  • take regular breaks and prepare your food! If you’re working for 14 hours solid it’s difficult to think straight. Go for a walk, take a break for food and to look at something that’s not a screen. Try not to think about the exam and you’ll have a fresh perspective when you get back to it.
  • relax and enjoy it! The exam demands creative solutions and if you’re not relaxed it can be difficult to think creatively.
  • DON’T use LibreOffice for your report! Just don’t. I had taken it for a test-drive before the exam and it seemed fine, but when your file is 80 pages long with as many screenshots, things get . . . unpredictable. While writing the report it randomly moved all my images around and refused to undo. I was git committing all throughout the exam so I knew I hadn’t lost anything, but it slowed me down a bit. In the end I had to open the file in Google Docs and finished it there with no problems.

Thanks for reading, as always feel free to connect or get in touch!