How I Passed the PEN-200 OSCP Certification Exam on the First Try

Passing the OSCP was one of the hardest things professionally I've ever done. It put some real stress on my life and woke me up more than once with nightmares about pinging servers (for real). I wanted to quit more than once.

I was worried that I wouldn't be good enough on test day. I got anxious that I hadn't prepared enough, or I would get stuck and panic for hours.

But I don't regret the process at all, and I passed. I want to share how I prepared for the OSCP, what worked well for me, what I would do differently, how the lab helped me, and what extra cybersecurity training resources I used.

Pre-Game: What Do You Know About PEN-200 OSCP Topics?

It's really important to plan with the OSCP because time is money. OffSec bundles the Penetration Testing with Kali course, lab access, and the OSCP exam fee. 

The package costs between $1599 and $5499 depending on whether you want 90 or 365 days of access to the lab and how many exam attempts you want access to. OffSec says the course is self-paced and online, but the clock starts ticking once you gain access.

That's why you need to pre-plan before rushing to sign up for the course. Check out OffSec's OSCP page first. Under the prerequisites section, they recommend:

• A solid understanding of TCP/IP, networking, and reasonable Windows and Linux skills are required. 

• Familiarity with Bash scripting and or Python scripting is considered a plus.

In summary: You need to know networking. You need to know Linux. Programming seems somewhat optional, but it's not.

You can learn these things on the fly during your coursework, but it's better to brush up on your skills before starting the OSCP course. Remember, you only have so much time before you'll have to pay to extend. So, why not level up some skills before the clock starts ticking?

Before you even touch the OSCP practice labs, you should thoroughly learn networking, Linux, Bash, Perl, and Python.

Here's how I pre-gamed the OSCP.

Necessary Networking Skills for the PEN-200 OSCP

How are your networking skills? You don't need a CCNP or be a full-time network engineer. But you need familiarity with the basics like subnets, ports, DNS, pings, and TCP connections.

You might need a bit of a refresher, but I felt good about what I knew here, having done networking for years, being A+ and Network+ certified, and also having many years as a Windows Server admin under my belt.

How I Learned Linux to Prepare for the PEN-200 OSCP

Linux skills, however, I knew would be different. I was not so handy in a Bash terminal. One fantastic (and free!) resource I used was Linux Journey. It breaks down Linux basics into very small pieces, going through essential concepts like permissions, the file system, and processes. If you are used to Windows, you'll see the similarities quickly, but you need to know the nitty-gritty as you'll soon be on the terminal.

After completing the Linux Journey, I tackled Bandit from OverTheWire. This set of exercises takes some of the knowledge you've gained and applies it on a real VM that you'll SSH into. You'll have to complete a basic exercise to get a password for the next level. You'll learn lots about manipulating files and some tricks like exploiting SUID binaries and cron jobs.

Bash and Python Scripting for PEN-200 OSCP

After Linux, the final prerequisite called out Bash and/or Python scripting. I did some very basic work on Bash and Python scripts. Bash will be covered in the courseware later, and there are several Intro to Python websites. Just pick one that mentions network sockets and spend a few days on it.

You won't be writing any scripts from scratch; learn to follow the flow of an existing script, and you'll be more than fine.

How to Use Virtual Labs to Prepare for PEN-200 OSCP

If you're comfortable with networking, Linux, and scripting languages, then it's time to do some light hacking on platforms like Virtual Hacking Labs. This is a mini-OSCP. You'll drop $249 for three months. For that, you'll get courseware and a PDF. It's nowhere near as in-depth as the OSCP course, but it's a great starting point so you aren't overwhelmed later.

You'll get plenty of experience with the basics of enumeration and tools like Nmap and Netcat, plus putting all that networking and Linux practice to work.

How to Sign Up for Your PEN-200 OSCP Course

By now, you'll start considering when you want to start your OSCP course. One thing I did not know when I went to sign up was that you would not be able to start your course immediately after signing up. They space out their students, so you'll get some options for the next available open slot. The soonest I could start was three weeks out. I was ready to get going but disappointed to have to wait.

If you have a little pen testing experience, as I did, you should consider signing up for three months of lab time. That should give you plenty of time to get through the coursework and most of the lab and review areas where you feel like you need more practice (maybe privilege escalation or SQL injections).

Grab your schedule and find a three-month block where you don't have many commitments already. 

During those months, you'll need to devote at least a couple of hours most (if not every) days. I probably averaged around four hours a day and intentionally took Sundays off. I knew I could do one to two hours in the morning before work and grab anywhere from two to four hours during the day between other work tasks. I avoided studying after dinner, saving that for family time.

If this sounds like a lot — it is. You'll have to figure out how to make it work with your work schedule, family commitments, and social life.

Using the PWK Courseware

That day will finally come when you receive your courseware and VPN connection pack from OffSec. The courseware is good: they give you a long PDF and a set of videos. The videos reiterate what's in the PDF, just with less detail.

I skipped the videos and focused on the more comprehensive PDF, which starts you on the basics of working in Kali Linux. It also acquaints you with the basic tools you'll need in Kali and then some basic pen testing methodology. You'll quickly get into more specific and difficult concepts like buffer overflows and working with exploits. Just take it a step at a time.

Sprinkled throughout the PDF are optional exercises. Some of them are pretty straightforward ("run the tool discussed in this section on a lab machine"). Others will require you to go off independently, further researching a technique they only introduced. Documenting your work on these exercises forms the first half of a potential five bonus points on your exam.

The other half of the bonus points come from a lab report detailing how you compromised user and root on ten lab machines. They provide a template that's recommended to use. Fill it in for each machine with enough screenshots and code snippets showing how a technically competent person could recreate your steps. Complete this report and the exercises, submit them along with your final exam report after test day, and you'll earn five bonus points.

Is it worth it? Depending on your experience, you could spend a whole week or two just completing the exercises and then writing out your lab report later. It was a lot of busy work, but I don't regret it.

Some people say go for it, some people say spend your time hacking. Even if you don't plan on submitting the exercises, going through the coursework is still essential, it's very well written, very thorough, and full of helpful nuggets.

The Lab

The lab is the bread and butter of the course to help you prepare for the exam. You'll start on the public network with only a list of IP addresses. Start scanning machines, looking for low-hanging fruit, and applying what you learned in your coursework and research.

Eventually, you'll find a few multi-homed machines; they have a network adapter in both the public network and another network. Once you fully compromise those machines, you can use them to access these new networks with a technique called pivoting.

For my lab time, after about two months, I had a majority of the public network compromised and had gained access to two other networks. 

Test Day

Start your test day prepared, both physically and mentally. You'll be in it for the long haul, with 24 hours to hack five servers and do privilege escalation to get root/administrator access. No help, no hints, just you and your hacker wits.

Take care of your body, and have the food and drink you need ready to go. Get a quick workout in for some energy. Sleep the night before. Mentally, TAKE BREAKS. Seriously, don't keep pounding on something when you're stuck.

Stop, stand up, and walk away for five minutes. Otherwise, you will panic and mentally exhaust yourself. If you're stuck on a machine, even after a break, return to it later and start another one. Time management is so critical when you're talking about a 24-hour exam.

You have the next 24 hours to finish and submit your report, detailing your enumeration of each machine, how you initially gained OS access, and how you did privesc to root. The report will need screenshots and enough context so someone can reproduce your steps, so take good notes the whole time.

When you finish a machine, review your notes carefully and ensure you have everything you'll need for the report. Once those 24 hours are up, the VPN dies. If you still need a screenshot, too bad.

With all that out of the way, it will be fun! You're just hacking boxes and getting shells. You wouldn't have made it this far if you hadn't been enjoying it along the way, so keep having fun with it! Once the 24 hours are up, take a nap, finish, and submit your report. You have finished the OSCP exam!

Once submitted, OffSec says you'll have your results within five business days. True to their word, I got my official pass notification after five stressful business days. The satisfaction comes from accomplishing something so hard and amazing; hopefully, my experiences can help you get there, too!