My name is Daniel Morris and go by the alias of dmw0ng. This is not me being in any way negative about the OSCP, it is only my own thoughts about how I felt about my process.
I see a lot of horror stories about the path to becoming an Offensive Security Certified Professional, and even though there are plenty of reviews out there, I thought I would share my own experience.
Being in the security industry for a number of years, I perform pentesting on some big UK government and private oganisations. But I will start from the beginning.
I started off back in 2011 by signing up for the original eCPPT over at eLearnSecurity. This was my introduction into learning about web and networking “weaknesses”. This was a huge learning curve at the time and one that I thought I would never be able to master. I persisted with the effort of gaining the original eCPPT and when I sat the exam, I found out a few days later that I had passed. The relief was incredible. This was all back in the days of BackTrack (now Kali) and really sparked my interests further into the field.
My interest in Offensive Security was high even at that point, but I needed something to get my mind deep into. A couple of small testing jobs with extremely small companies and nothing happened for a few years after.
Although my interest out of work was still there, it really hit a high point when asked to perform a pentest for an extremely big UK government organisation to wet my appetite. My first big find was an IDOR (Insecure Direct Object Reference). Utilising this, I managed to obtain all customer information. Now, my lips were wet and I wanted more.
I started out with machines at Hack The Box, with Netmon being my first. I remember being active in the forums asking for help. And this is something I feel very comfortable with. If I am stuck, I will always ask after my mind has exhausted what I believe to be all other options. I continued with it for roughly 2 years where I eventually ended up at one point being 4th. Not a bragging point, but a little self achievement.
Even though I had put the effort in for so long with HTB, I still felt I was out of my depth with the OSCP. I was completely wrong.
I purchased the labs on the 1st January after a little too much celebrating the new year. I got my access on the 10th of January and immediately took to the labs. I spent a couple of days in the labs, but through no fault of OffSec, I got a little bored. I just wasn’t enjoying it. I originally booked the exam for the 1st March, but changed it to the 7th Feb to get it out of the way. I just wanted to know if I could do it I guess. I booked it for 7am.
After the initial setting up and getting the identification confirmed. I started on the Buffer Overflow. I had this compete by 08:06. I then moved on to the second hard machine. I quickly had the foothold and then rooted the machine by 10:25. So that was 50 points in the bag. 3.5 hours in and I felt it was going really well.
I decided to hit the 10 pointer next and had this pretty quickly and rooting it at 11:00. I was now on 60 points and knew that I only required an additional 10 points. At this point, I had a 15 minute coffee break. I then got started on the first 20 point machine to try and get myself over the pass mark. This seemed to be yet another quick machine and rooting this by 13:05.
So by this point, I had all of the points required. I decided to take a break. My beloved Wales were playing Ireland in the rugby and decided that was more important. I then come back to it at around 17:00 and simply decided to quit. I pretty much thought to myself there was no point going on. I had already got the required pass mark and could just relax, have a good evening without the stress and write the report the following day.
Was this me giving in? ‘No’. I simply believe that if I have done enough in this exam to pass, then I will stop and ease the pressure on myself. I submitted the report by 11am the following day and got the result within 36 hours.
For something I dreaded for so long, it was actually, not that bad at all. In all fairness, I had done a lot of boxes from HTB, documented every single one of them and have the folder with hard copies. This was not a hard exam, it is just the fact that so many people seem to worry about it for some reason. Myself included.
If you spend the time, and commit to the learning process, then this is an exam that you can be proud to have obtained. Good luck on your own journey.