TL;DR: The mistakes I made and the lessons I learned in my OSCP journey that I could not find in other blogs, including how I got a free exam retake. My two cents on the updated OSCP and how it can be cracked in a smart way. The (MX) markers highlight the mistakes I made.
Background: I had 4 years of pentest and red teaming experience at the time of taking the exam. I decided to start my OSCP journey in 2019, but seeing someone new get OSCP certified every other day (my LinkedIn feed was flooded) and then the exam write-up leaks, I did not feel that urge for OSCP and shifted my interest towards Cloud Security.
Challenging the OSCP
When I heard about the updated OSCP and that the exam machines were being rotated and were more difficult than the previous exam machines (Reddit feed), I got intrigued and wanted to continue with OSCP. I only did 10 machines from the TJ Null HTB list as pre-prep, as I was of the opinion that I had a sufficient hold on the techniques mentioned in the course curriculum and did not need any pre-prep (M1). I registered for the OSCP and did 25 lab machines. I felt that it would be sufficient for the exam (M2) and kind of wanted to see how difficult the exam is, more out of a craze or self-assessment.
I did not get the chance to schedule my exam right after my labs ended and could not find a suitable time slot nearby, which left a gap of 3 months (between lab end and exam date), and I did no practice within this time frame (M3). With a 3-month gap and only 25 lab machines done, I wanted to give the OSCP exam a try.
Exam Day
Whether it was the excitement or the madness of challenging the OSCP, I could not sleep the night before the exam and went into it with 12 hours of no sleep (M4). I did the BOF machine in 20 minutes and had all the screenshots in the next 10 minutes. I jumped to the 20 point machine and rooted it in 3 hours. By now it was almost 16 (12+4) hours without sleep and dizziness started to appear. I knew it would happen and was mentally prepared.
After doing some enumeration I got pointers on the other 20 and 25 point machines. I started working on the 10 point machine and spent almost 4 hours on it, but to no avail (M5). By now it was 21 hours without any sleep and almost halfway through the exam.
With no luck on the 10 point machine, though apparently I was doing everything right, I reached out to the Offsec chat to check whether the machine was working as intended. The Offsec representative was supportive and confirmed that the machine was not working as it should have been, said they had raised it internally with the concerned Offsec department, and would assign me a new machine via email.
Chat snippet with Offsec support
By now 22 hours had passed, my thinking capability was completely gone, and the exam was not as easy as I had expected. I wanted to take some rest but could not, as Offsec could assign me a new machine at any time via email, so I had to keep myself awake to start working on the new machine as soon as I got it. I continued on the 20 and 25 point machines in parallel and made progress. It was more than 32 (12 without sleep + 20 of exam) hours now without sleep and I dozed off at my workstation.
When I woke up after 2 hours of rest, only 90 minutes were left. I reached out to Offsec again about the new machine assignment but did not get any response. I worked on the 20 and 25 point machines and within 60 minutes I had a confirmed initial shell attack vector. Just as I was about to get the reverse shell, my exam time ended, and at that moment I realized the value of 5 marks. Sometimes all you need is 5 marks to clear the exam.
The Guilt
When the exam time ended, I was in a hysterical state and had various thoughts floating in my head:
- The exam was not difficult and I was so close to clearing it. I should have entered the exam with a fresh mind rather than 12 hours exhausted.
- If one of the machines was not being solved, I should have reached out to Offsec right away rather than spending 5 hours first. Those 5 hours were more than enough to clear the exam. (M6)
- I should not have hopped between machines. I should have stuck with the 25 and 20 pointers and could have easily cleared the exam, since I had enough pointers from the recon stage. (M7)
- More than 12 hours passed and Offsec did not assign me a new machine, though I reached out to them 3 times. If they had assigned one instantly, I could have taken a power nap and maybe cleared the exam.
Free Exam Retake
15 minutes after the exam ended, with all the above thoughts in my head, I got an email from Offsec saying that I could either submit a report or take a free exam retake, and that the 30-day cooldown period would not apply. I was so charged up that I wanted to schedule the exam for the very next day, but there was no suitable time slot and the only available appointment was after 4 weeks.
Post exam attempt preparation
With 28 days until the next exam, I wanted to practice a bit so that my enumeration and time management could improve. TryHackMe and HTB are not suitable platforms to practice for the exam; they can be good for pre-prep, but IMHO Offsec Proving Grounds provides the best exam preparation. I subscribed for one month of PG and targeted completing 3 machines every 2 days, keeping in view a full-time 9-hour job. My focus this time was to improve my enumeration playbook, i.e. if I come across a specific port/service, what should my go-to steps be, and to get better at time management.
In total I did 36 PG machines in 24 days and it helped me a lot in preparing for the exam. The machines I did can be found here.
2nd Exam
This time I made sure to get a good amount of sleep, go into the exam with a fresh mind, and neither invest too much time in one machine nor hop between machines. 90 minutes is a decent amount of time to give each machine. If you are not making progress, either start again, re-read the scan results, or move on to the next machine and come back to it later. Overall the difficulty level of the exam was high compared to my first attempt, and I got my OSCP completion email 2 days after report submission.
OSCP Certification Completion Email
The joy of being OSCP certified was peerless with lots of lessons learned and all charged up for OSWE.
Cracking OSCP smart way
Rest assured the Offsec training content is unique in its own way (they won’t spoon-feed you everything) and one should go through all of it. The following is in no way an alternative to Offsec training, but if I had to do the OSCP journey again I would do the following:
Pre-Lab Preparation:
- Boot2Root: Set a target of at least 30-40 machines from the TJ Null OSCP list. The techniques are similar to those in the lab and will help with better lab time utilization. Also watch at least 1 Ippsec walkthrough daily, with a focus on learning his thought process and approach towards the boxes and how he solves them. Again, focus on the thought process and the enumeration game. The YouTube playlist can be found here.
- Privilege Escalation: Do a priv-esc course along with HTB or THM so that you can practice the techniques learned in the course on boot2root machines. I did Tib3rius’s Windows and Linux privilege escalation courses and have heard good reviews about TCM, so I am sharing both.
  - Tib3rius Windows Priv Esc Course
  - Tib3rius Linux Priv Esc Course
  - Heath Adams (TCM) Windows Priv Esc Course
  - Heath Adams (TCM) Linux Priv Esc Course
- Buffer Overflow: If you want to understand the ins and outs and actually learn BOF, Pentester Academy has a good course on it: Exploiting Simple Buffer Overflows on Win32 Course Videos. If you want to automate it, grasp only the high-level understanding and still be able to clear the 25 point BOF machine in less than 10 minutes, Tib3rius’s BOF Prep is a good place to practice (YouTube, THM Room).
IMO, priv-esc would be comparatively easy after doing the above priv-esc courses, and the only thing you would struggle with would be getting the initial shell. Make sure you develop a good enumeration methodology (that is the recipe to crack OSCP).
OSCP Labs & Exam:
OSCP is all about challenging your limits, being humble, and understanding the “Try Hard” mantra. What students usually confuse is that “Try Hard” is not banging your head against a wall, but rather analyzing the wall systematically, finding where to hit, and then breaking it. A lot of OSCP students do 100+ boot2root machines but still fail the exam; the reason is that the number of machines is not an indication of the knowledge learned. After each machine, the goal should be to:
- Do an introspection of where I stand, where I am lacking, and what areas I need to further work on. Be honest with yourself.
- The areas to work on may not be just technical but also soft skills, e.g. time management (can I do an intermediate machine within 3 hours? do I panic if I am stuck? etc.).
- Is my enumeration skill improving?
Try to make your own notes from scratch rather than baselining on someone else’s. Once you have made your notes, compare them with others’ to see if you are missing something. Using someone else’s notes as a baseline will damage your learning curve and OSCP journey experience.
IMHO one should try doing PG machines before attempting the exam, as they mimic the exam machines’ difficulty level the most.
Lessons Learned & Tips
- Just Do It: Do the pre-lab preparation shared above and just register for the OSCP. Do not be afraid of whether you can clear it or are prepared enough. Just register, hop on the OSCP journey, and you will have your shiny OSCP at the end of the road.
- Automate it but do not kill it: nmapAutomator, AutoRecon or any other automation tool is recommended as it saves time and effort, but it should not come at the cost of your learning. One should know why the tool runs X command with Y flags when service Z is running, i.e. do not be a blind tool operator (script kiddie); use automation for your benefit, but do not let it affect your learning.
- Everyone has their own learning curve: Do not compare yours with others’ and enjoy your OSCP journey. I had 4 years of offensive security experience, so I did only 25 machines and was confident I would be able to pass the exam. For you it may not be the case, so do not follow someone else’s track or footsteps. Learn from the team but do not mimic it blindly.
- Use lab time not just to clear the exam but to learn whatever OSCP has to offer: The updated OSCP touches on Active Directory as well; though it does not come up in the exam, that does not mean one should not practice the AD part. Utilize your time and monetary investment efficiently and get the most out of it.
- Group Study: If you need the motivation to keep going, make a study group. There are tons of students in the Infosec Discord you can mingle with and make a study group.
- Time Management: If you are not making progress, do not spend more than 90 minutes on a single machine. Take a break, re-read your scan, or start another machine.
- Never Give up: Do not give up till the exam time is over. You may get the passing point in the very last hour so keep trying and never give up.
- Chat to the rescue: Though exam machines are thoroughly tested, in my case one of the machines was not working as it should have been, and reaching out to chat in time gave me a free exam retake. So, if you are stuck in the exam, reach out to chat and request that they check the box for you. You can even request that they check all 5 boxes; they are very cooperative.
- PTA VPN Ban: The Pakistan Telecommunication Authority put restrictions on a lot of local ISPs, because of which you cannot perform scans, even Nmap, in the Offsec labs. I have discussed it in detail here with all the possible solutions. If you want to set up your own lab on a VPS, I wrote a quick setup script that you can use.
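To make the “Automate it but do not kill it” tip and the enumeration-playbook idea concrete, here is an added example (my own illustration, not code from this post, from nmapAutomator or from AutoRecon) of the two things such a wrapper does under the hood: parse nmap’s greppable `-oG` output into a list of open services, then map each service to the follow-up enumeration steps together with the reason each step exists. The nmap output and the playbook entries are constructed for the example; the playbook is a hypothetical skeleton you would extend from your own notes.

```python
"""What an nmap automation wrapper does under the hood, stripped to the two
core pieces: parse `nmap -sV -oG` output, then pick follow-up enumeration
steps per service. Sample scan output and playbook are constructed."""
import re
from collections import OrderedDict

# Constructed sample `nmap -sV -oG` output for one host; not a real scan.
SAMPLE_GNMAP = (
    "# Nmap 7.93 scan initiated as: nmap -sV -oG scan.gnmap 10.10.10.5\n"
    "Host: 10.10.10.5 ()\tStatus: Up\n"
    "Host: 10.10.10.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.9p1/, "
    "80/open/tcp//http//Apache httpd 2.4.38/, "
    "139/open/tcp//netbios-ssn//Samba smbd 3.X - 4.X/, "
    "445/open/tcp//microsoft-ds//Samba smbd 4.9.5/, "
    "3306/closed/tcp//mysql///\tIgnored State: filtered (995)\n"
    "# Nmap done -- 1 IP address (1 host up) scanned in 12.34 seconds\n"
)

# Hypothetical playbook: service -> [(next step, why the step is there)].
# The "why" is the part the tip is about: know why each step runs.
PLAYBOOK = {
    "http": [
        ("directory/file discovery with a wordlist",
         "the landing page rarely shows every route; hidden admin or backup paths are common"),
        ("read robots.txt, page source and response headers",
         "cheap checks that leak the technology stack and paths a wordlist may miss"),
        ("note the exact server version from the nmap banner",
         "version-specific research only makes sense once the stack is known"),
    ],
    "smb": [
        ("list shares with a null/guest session",
         "anonymously readable shares often hold configs or credentials"),
        ("record the exact SMB/Samba version",
         "old builds have well-documented weaknesses worth researching"),
    ],
    "ssh": [
        ("record the banner version and move on",
         "ssh is usually where credentials found elsewhere get used, not an initial vector"),
    ],
}

# nmap names SMB two different ways; normalise both to one playbook key.
SERVICE_ALIASES = {"netbios-ssn": "smb", "microsoft-ds": "smb"}

# One greppable port entry: port/state/proto/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/[^/]*/([^/]*)/")


def parse_gnmap(text):
    """Return {host: [{port, state, proto, service, version}, ...]} for open ports only."""
    hosts = OrderedDict()
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # The Ports field ends at the tab before "Ignored State:".
        ports_field = line.split("Ports:", 1)[1].split("\t")[0]
        entries = []
        for m in PORT_RE.finditer(ports_field):
            port, state, proto, service, version = m.groups()
            if state != "open":
                continue  # closed/filtered ports carry no enumeration work
            entries.append({"port": int(port), "state": state, "proto": proto,
                            "service": service, "version": version.strip()})
        hosts.setdefault(host, []).extend(entries)
    return hosts


def plan(hosts):
    """Return [(host, port, service, step, why), ...] in scan order, one playbook
    pass per (host, service) so SMB on 139 and 445 is not listed twice."""
    steps, seen = [], set()
    unknown = [("no playbook entry yet: research the service by hand",
                "unknown services are exactly where the playbook should grow")]
    for host, entries in hosts.items():
        for e in entries:
            key = SERVICE_ALIASES.get(e["service"], e["service"])
            if (host, key) in seen:
                continue
            seen.add((host, key))
            for step, why in PLAYBOOK.get(key, unknown):
                steps.append((host, e["port"], key, step, why))
    return steps


if __name__ == "__main__":
    for host, port, svc, step, why in plan(parse_gnmap(SAMPLE_GNMAP)):
        print(f"{host}:{port} [{svc}] {step}\n    why: {why}")
```

Running it prints the open services and, for each, the steps with their justification; the point is that every line of the plan is something you can explain, which is the difference between using a wrapper and being a blind tool operator.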