This post was originally written in Spanish and translated into English using a large language model (LLM). Although the translation has been reviewed, it may contain inaccuracies or inconsistencies.

Introduction

Last Friday, March 27, I received confirmation that I had passed the OSCP+ with a score of 100/100. The purpose of this post is to share my experience throughout the process and explain what I believe is the right way to approach the certification.

Why OSCP?

OSCP has always had an aura of difficulty around it, and its “try harder” motto can make you feel as though passing on your first attempt is beyond your reach. Honestly, after completing the PEN-200 course and taking the exam, I can say that the main difficulty is not so much the technical content as time management and knowing how to approach the exam.

Today, OffSec certifications are among the most widely recognised by HR departments, which makes perfect sense. The exam is proctored, so someone is monitoring you at all times. This allows HR teams to trust that a certified person genuinely has the knowledge the certification represents.

Previous knowledge

I already had a fairly solid foundation. Apart from a few Windows client-side attacks, I had previously exploited or studied everything else through certifications such as the eCPPTv2 and CRTP. I would not recommend OSCP+ if your only goal is to learn. The PEN-200 course is good, but many other resources and certifications can provide a similar level of knowledge for much less money.

Knowledge required for the exam

OffSec stresses that any concept taught in the course may appear in the exam, except for AWS at the time of writing. If you already have prior experience, my recommendation is to review the entire course and note the types of vulnerabilities it covers. For example, SSTI is not covered, so according to OffSec’s guidance you will not face a direct SSTI exploitation challenge. Knowing this can save you from many rabbit holes. One lab contained a web application that, to me, was practically screaming SSTI. After spending quite a while on it and requesting a hint, I discovered that this was not the intended path. Had I known that PEN-200 did not cover that vulnerability class, I would not have wasted time or fixated on it despite all the signs that seemed to point towards SSTI.

Exam structure

To decide how to approach the exam, you first need to understand what you are facing. You need 70 points to pass, with 100 being the maximum score. The exam contains six machines: three standalone machines and three machines forming an AD environment. The points are distributed as follows:

  • AD environment: 40 points in total.
    • Machine 1: one flag, proof.txt, worth 10 points.
    • Machine 2: like the first machine, one proof.txt worth 10 points.
    • Machine 3 (DC): one proof.txt worth 20 points.
  • Standalone machines: 60 points in total, 20 points per machine.
    • Local.txt: every machine has a local.txt available to an unprivileged user, worth 10 points.
    • Proof.txt: accessible only with administrator privileges, worth 10 points.

Given this structure, the following scenarios would produce a passing score of 70/100 points:

  1. 40 AD points + 3 local.txt flags (70 points)
  2. 40 AD points + 2 local.txt flags + 1 proof.txt flag (70 points)
  3. 20 AD points + 3 local.txt flags + 2 proof.txt flags (70 points)
  4. 10 AD points + 3 fully rooted standalone machines (70 points)

The key takeaway is that you cannot pass without compromising at least one AD machine. Otherwise, you would need to compromise all three standalone machines plus obtain one AD proof.txt, which I consider the most difficult scenario. Failing to gain a foothold on just one standalone forces you to compromise the entire AD set: two standalone machines (40 points) and two AD proofs (10 + 10) leave you with only 60 points. Starting the AD environment under the pressure of knowing that you must compromise it completely can easily work against you.

In my opinion, the best approach is to start with AD no matter what. Since you must compromise at least one machine in the AD set, it is the most sensible place to begin. In the worst case, if you obtain only the first machine’s proof.txt and decide to switch to the standalone machines, you still have a path to passing. If one of the standalones resists you, you can return to AD and look for anything you may have missed. To be honest, however, the AD set contains the “easiest“ points. I found it fairly straightforward in terms of difficulty. The most important things are understanding the concepts and paying attention to detail. As in any real pentest, enumeration is crucial and must not be underestimated.

Preparation

There are many ways to prepare, and the right one depends on your starting knowledge. I will explain how I prepared and what I would recommend to someone starting from scratch.

Environment

I do not see enough people emphasising the importance of a good working environment, but I consider it essential. You need an environment in which you are comfortable and efficient. During the exam, you will end up with countless shells stacked on top of one another. Being able to keep several shells open in separate tabs and move quickly between them will save you a great deal of time.

My preparation

I worked through the course module by module, reviewing the content and making sure there was nothing new that could catch me by surprise during the exam. Whenever I encountered a vulnerability I already knew but felt rusty on, I completed the corresponding lab. With a solid foundation, this process can take about a month. Someone without previous experience in web exploitation, networking, privilege escalation, AD, and similar areas will need considerably longer, but that was not my situation, so I cannot give a reliable estimate.

My recommendation if you are starting from scratch

The most important thing is to develop your instincts as a pentester. This is undoubtedly the most valuable skill in the exam: knowing where to look next and recognising when you are in a rabbit hole. It is the difference between rooting a machine in 30 minutes and spending three hours on it. Practice is the only way to develop that instinct.

What would I do? I would follow the PEN-200 structure and, after finishing each module, find HTB machines that cover the same concepts to reinforce them. Many people say that Proving Grounds, essentially OffSec’s equivalent of HTB, is the best preparation. I have not used it, so I cannot offer a personal opinion. It is probably a very good option because people say its machines are similar to those in the exam. However, if you genuinely want to learn and improve your instincts, you should be able to transfer what you practise on HTB to simulation and exam machines. The exam is unlikely to contain one-to-one replicas of Proving Grounds machines, so adapting your exploitation process to whatever you encounter is crucial.

Whenever you are trying to pwn a machine, use as little help as possible. Remember that nobody will be able to give you a hint during the exam.

Preparing for the exam itself

For me, this is the most important part. You can have all the knowledge in the world, but without an exam strategy you may still fail. You need to know what you will face and how you intend to approach it. A PEN-200 subscription includes a set of Challenge Labs designed to test your skills. Once you feel that your knowledge is solid, I recommend completing Secura, Medtech, Relia and, if you have plenty of time, Skylark.

If you get stuck during these labs, you can use OffSec’s mentorship system on Discord. It is very useful when you need a small push to get past a blocker.

Exam simulations

There is no better preparation than simulating a real exam attempt. OffSec provides the OSCP A, B and C Challenge Labs, which are retired exams and give you a good idea of what to expect.

How should you approach them?

My exam was scheduled for Tuesday at 11:00 a.m., so on Friday, Saturday and Sunday I reproduced the exam conditions as closely as possible. If you follow this approach, the actual exam day will feel like just another practice session.

I completed a simulation on each of those three days and recorded how long it took me to root every environment. My average times were:

  • AD (3 or 4 hours): within that time I had completed the AD environment. Although it is not “difficult”, you must pay attention to detail and follow a clear methodology, because overlooking something can cost a great deal of time. I cannot say that having the CRTP worked against me, as it gave me a strong AD foundation. However, it did make me overcomplicate many things. My recommendation is to keep everything as simple as possible and stick to the vulnerabilities and reconnaissance techniques covered in PEN-200.
  • Standalone machines (1 hour 30 minutes): this is the amount of time I would allocate to each machine. Some may take 30 minutes, while others may take three hours because you overlooked something. If you are completely stuck, move to the next machine. When you come back, there is a good chance you will break through the blocker.

If everything goes well, you should therefore be able to complete the exam in roughly eight hours. Remember that rushing to root machines is not the same as proceeding methodically while taking screenshots and notes on everything you find.

OSCP does not only assess whether you obtain every flag; it also requires you to produce a competent report afterwards.

Exam

Exam day

When exam day arrived, having completed the simulations made the situation feel familiar. The only difference was that I had to be ready 15 minutes early to connect to the proctor and complete the initial steps before accessing the lab.

OffSec recommends completing a proctoring simulation so that you can connect to the web interface and verify that both your webcam and screen sharing work correctly. OffSec also recommends using X as the display server on Linux. I use Wayland (Arch + Hyprland), so I made sure I had all the programs required for screen sharing to work properly. I had no issues during the exam.

Once everything was ready, I began the exam. I obviously cannot discuss its specific contents, but I truly cannot overstate the importance of completing the exam simulations. By 3:00 p.m. I had finished the entire AD environment, including all the screenshots and notes I needed. I could put it aside knowing that I already had 40 points secured. I took a break and used the time to eat.

After a break of approximately 45 minutes, I started on the standalone machines. I was fortunate that I immediately understood the path for the first one. Although I had to do some research for the privilege escalation, I rooted it in around 40 minutes. After roughly five hours of exam time, I had 60 points and was matching the pace of my simulations exactly.

The second machine was where the problems began, if they can really be called problems. I simply failed to pay enough attention to detail, so it took longer than it should have. That is when thoughts such as “Am I really going to finish with only 60 points?” can creep in. If you enter that state of mind, I recommend reviewing your steps and looking carefully at the details before jumping to another machine. I resolved the issue, and by 7:30 p.m. I had reached 80 points.

At that stage, you have two options: stop the exam or try to pwn the final machine. In my case, mostly because of personal pride, I decided to attempt the third one. Being ahead of schedule and already having everything documented for the reporting day made that decision much easier.

The foothold on the third machine was not especially complicated, but I was completely lost on the privilege escalation. Every potential escalation vector I found led nowhere, so I decided to accept 90 points and stop wasting time. I began reviewing every screenshot and exploitation path to make sure nothing would be missing during reporting. While reviewing my notes for that third machine, I thought of one final thing to try. I connected two ideas that I had considered unrelated and then, boom, privilege escalation achieved. The feeling of reaching 100 points is difficult to put into words. I celebrated it as if someone had scored a last-minute goal.

Something that can help in both CTFs and certifications is to record anything that looks out of place or unusual in your notes. You never know whether reviewing it later will help you connect ideas and obtain a foothold or privilege escalation.

Reporting

Without exaggeration, this was the hardest part of the exam. OffSec expects the report to resemble one you would produce for a real pentest. At the time of writing, I have completed more than 40 professional reports, and in my experience a report is not merely a description of the attack path. It should document every vulnerability found so that it can be remediated, even if it does not directly result in a foothold, lateral movement or privilege escalation. My report ended up being 115 pages long, which is excessive. I do not think that level of detail is required to pass; clearly documenting how you obtained the flags would probably be enough.

I think the 24-hour exam format works well and provides more than enough time if you are properly prepared. Allowing only 24 hours for the report, however, pushes things too far. If a high-quality report is expected, I would allow 48 hours.

I uploaded the report at around 9:00 a.m. on Thursday, and by Friday I had already received the email confirming that I had earned the OSCP+ certification. I did not expect the result to arrive so quickly.

OSCP Certificate

Conclusions

OSCP is a certification you will probably need sooner or later if you want to improve your CV and qualify for better positions and salaries. If your only goal is to learn, however, there are cheaper alternatives. In my view, OSCP should be treated as an investment and a personal challenge that validates both you and your knowledge.

Contact

If you have any questions, feel free to contact me through X. I want to stress that I will not answer questions about the exam itself, but if you have any problems or questions about preparation, do not hesitate to ask.