My OSCP Journey — A Review
This post describes the journey that I went through while studying for the Offensive Security Certified Professional (OSCP) certification.
It outlines my personal experience and therefore is very subjective. I don’t go into any details about the OSCP labs and exam due to restrictions set by Offensive Security. Instead, I’ve structured it in such a way that it gives the advice that I wish I had gotten when I first started the certification.
When It All Began — Or So I Thought…
I first enrolled in the OSCP certification at the beginning of last year. I had just finished a Master’s degree in Computer Science and started my first full-time position as a Security Assessment Analyst.
At the time, I had a background in web security; however, I recognized that there was a huge gap in my knowledge of the entire process of penetration testing. This is what piqued my interest in the OSCP certification.
Without doing much research into the prerequisites of the certification, I enrolled in the PWK v1.1.6 course and made the incorrect assumption that it would be like any other course I had taken.
And boy was I wrong.
The course material did not go in depth on techniques required to compromise a host or escalate privileges. Despite completing most of the exercises, I felt completely lost in the labs.
Between starting a new job and finishing a Master’s degree, I didn’t realize how burnt out I already was. I let my lab time (and exam attempt) expire and decided to focus on my job.
Advice #1
I would not recommend enrolling in the OSCP course unless you have previous experience with:
- Reconnaissance
- Initial foothold
- Privilege escalation
This experience can come from work or self-study platforms such as Hack The Box (HTB).
Pre-Preparation — TJ_Null’s List to the Rescue!
Fast forward to the summer of last year, I decided to start studying again but was still intent on not extending my lab time until I felt fully prepared.
The most useful resource I came across was TJ_Null’s list of OSCP-like Hack The Box machines.
Around that time, I also led a study group where I designed the syllabus and facilitated discussions.
Each week consisted of:
- One chapter from the CompTIA Pentest+ book
- Two Hack The Box machines from TJ_Null’s list
The group unanimously agreed that the Pentest+ book was not helpful, while IppSec’s methodology was invaluable.
I began publishing writeups for each box, which helped reinforce my own understanding and anticipate questions.
Advice #2
If you have the time, blog your box writeups. If not, take detailed notes. Don’t solve a box and immediately move on.
OSCP Labs — Second Time’s a Charm
After completing all 47 boxes, I enrolled in PWK v2 with a one-month lab subscription.
PWK v2 was a massive improvement over v1. The course material was more thorough and assumed less prior knowledge.
I completed the lab report, resulting in a 285-page document, and spent the remaining time compromising approximately 25 machines.
Advice #3
Complete TJ_Null’s list and watch IppSec’s videos. You won’t realize how accurate the list is until you start the OSCP labs.
Advice #4
If possible, enroll in the 3-month lab option. The additional time is invaluable for Active Directory and pivoting practice.
OSCP Exam — The Dreaded 24-Hour Exam
Before the exam, I did multiple dry runs suggested by the community.
Advice #5
Doing a dry run helps you refine your methodology and accept that getting stuck is part of the process.
I scheduled the exam the day before and passed within the first 9.5 hours, despite hitting a wall later.
Advice #6
Stay calm during the exam. Don’t be afraid to use Metasploit strategically when appropriate.
Within a week of submitting my report, I received confirmation that I passed on my first attempt.
Parting Thoughts
OSCP is a beginner certification that is achievable with time and effort. If you’re struggling, that’s okay — many others have been there too.
Commonly Asked Q&A
- I’m a beginner, how do I get started?
  Start with easy HTB boxes from TJ_Null’s list and learn through repetition and guided walkthroughs.
- Which service should I enumerate first?
  Scan all TCP and common UDP ports first, then prioritize unusual services before common ones like HTTP.
- How do I avoid rabbit holes?
  Develop a checklist per service and move on once you exhaust all reasonable vectors.
- I struggle with Windows boxes.
  Focus on shell quality and privilege escalation methodology.
- How do I improve at privilege escalation?
  Practice structured enumeration and consider dedicated privesc courses.
Resources
This section compiles all tools, courses, and references mentioned throughout the blog.