Sunday, January 31, 2021

My OSCP Write-Up AKA Cyber Security's "Dark Souls"


WHOAMI

Hello dear readers. Before I dive deeper into what it took for me to complete my OSCP, I would like to give some background about myself. On the professional side, I currently work as a Senior Security Operations analyst. I graduated with a degree in electrical engineering, and from there I worked as a SCADA control systems engineer for a few years before I moved into a full-fledged role in OT cybersecurity. My journey in the OT security space did not continue for long, as I had to move on to other ventures in IT security. I have about 11 years of experience split between Industrial Control Systems and IT.

Why did I attempt to write my OSCP

The number 1 reason that comes to mind is to become a better defender. I'm a firm believer that becoming fluent in red tools / red teaming / pen-testing would help me, as an analyst, to become a better defender. If I know how to execute an attack against a certain system, I will know how to stop it and build measures against it.

The number 2 reason that comes to mind is the fact that I embrace the challenge. Ever since I embarked on my journey in infosec I would always see posts on how hard the OSCP is, and how it is the diamond standard in penetration testing certificates. I would tell myself at those times, "Hey, why not!?"

Why The Dark Souls Comparisons

Any avid FromSoftware gamer would probably appreciate the reference. While Dark Souls is a very hard and challenging game, it is very much like the OSCP experience. The way FromSoftware approaches its games is as follows:

1- They put the player in their world with no story information.

2- They expect you to explore on your own, with no map, no clear indication of "level" progress, and finally no sense of direction.

3- The 'Git Gud' meme. Since you will die a lot in the game, the only way to beat it is to get better at it.

That being said, the game is truly not cheap. If you mess up, you will get punished, simple and plain. Sometimes the developers will do it for the LOLs, but most of the time it's fair.

Much like the Souls Games, The OSCP will:

1- Put you in a vast lab environment with no navigation in sight (other than the course notes).

2- Expect you to embrace the challenge and solve all their boxes.

3- And finally, OffSec's own motto, "Try Harder", which in a sense is very similar to the Git Gud meme.

Journey Details

I started my PWK journey in early January 2020. At the time I opted for the 90-day course and lab access. As I had read many blogs before signing up for the PWK, and a lot of people encouraged going through the course materials before going into the labs, that is what I did. It took me about a month to go through the course materials. As soon as that was complete I started working on the labs.

The labs were really hard. Even though I had done a couple of HackTheBox machines before signing up, going against that beast of a lab was a task and a half. To put it in perspective, for the following two months my schedule was as follows:

Monday to Thursday:

  • Working day started at 8:30 am and ended at 5 pm.
  • I would have dinner with the family and sit with the kids a little bit until 7 pm.
  • From 7 pm to 11 pm, on average, was dedicated time for the OSCP labs.

Friday (no after-hours work)

Saturday:

  • I would work for 5 hours at night.

Sunday:

  • Allocated 8 hours between the morning and the afternoon.

The final tally of boxes completed during those two months was 22, including 3/4 of the incredibly hard boss-like machines. I also completed all the exercises in the course material to gain an extra 5 points on the exam if I needed them.

Exam Time (Take 1)

On April 22nd, 2020, I started my first attempt at the OSCP. My exam was scheduled to start at 10 am. Unfortunately, due to some technical difficulties with my monitor at the time, I did not start until 12 pm.

I started my exam working on the Buffer Overflow machine. Knocked that one out of the park in about 3 hours. I was going slow because I did not want to make any mistake or miscalculate a step along the way. (Scored 25 points!)

While I was working on the buffer overflow machine, I was running parallel scans across the other machines to have those ready for when I was done with the BoF. The next machine up was the easy (but super tricky) 10-point machine. The machine took me a couple of hours; it was easy, but you had to think really hard about it. (Scored 10 points!)

I was taking a few breaks here and there, but by the time I started working on the third machine it was around 7 pm. I tried to go about solving any of the next 3 machines with 0 luck in sight!

Between 10 pm and 3 am I was only able to get user on one of the 20-point boxes. For the life of me, I couldn't figure out how to get root privileges on that one.

At that time of night I decided (what a great idea it was at the time) to pull an all-nighter, going against all the tips, tricks and write-ups that suggested avoiding it. For the next 6 hours or so I did not solve anything (surprise, surprise!).

I simply gave up before my exam time ran out. I still remember the proctor telling me "you can try harder". In my head, I was like: accept defeat and come back better prepared.

Journey to the Second Attempt

Failing, or in this case not scoring enough points to pass the exam, will take a toll on you, especially after the amount of time you took and the hours poured into it. But the real question you need to ask yourself is: was this really my best? If you can honestly answer that question, you will find a deep voice within you telling you to Try Harder (Git Gud).

Just remember this: "You will only fail if you stop trying."

I took the next 2 months completely off. At the beginning of July I started ramping up my studies. I did not want to sign up for another extension with OffSec, so instead I took what was available on the net.

What Did I Do Differently

One of the main things I did differently was to study slower and try to ingest more concepts at my own pace. If I didn't get something, I would take my time and try to understand the theory behind it. I tried to focus more on my weak points, which I summarized as:

1- Being faster at Buffer Overflows

2- Practice more Web App Pen-Testing

3- SQL Injections

4- Linux PrivEsc

Between July and November (when my second attempt was scheduled) I was able to achieve the following:

1- Completed the Buffer Overflow room on TryHackMe. This room was perfect, as it runs you through a very similar problem to the ones presented in the OSCP. By then I was able to cut my time down to 1 hour and 30 minutes for each buffer overflow problem.

2- Practiced more Web App pen-testing via the PortSwigger Web Security Academy, by the author of the famous Web Application Pen-tester workbook.

3- Completed more SQL injection problems and understood the concept inside out.

4- Finally, I signed up for a VIP account on HackTheBox and was able to complete 61 machines by the time my exam was nearing.

Exam Time (Take 2)

November 26th, 2020. I started my exam at 7 am this time around. I wanted to start as early as possible to grasp the day from the beginning. Of course, though, my start was as rocky as the first attempt, possibly A LOT worse. Once the exam started I still had difficulties. In the beginning I was using Firefox to launch the exam; however, it was rendering my rig unusable during that time. This is crazy, as I do have a beefy rig with 32 GB of RAM and a 9th gen i7 processor. Switching to Chrome did not solve the problem; it actually made it worse because I had to downgrade my Chrome version. Troubleshooting the problem, and finally agreeing on using only two monitors since my laptop screen would not be picked up whatsoever by the proctoring software, took about 5 hours. I legit started my exam around 12 pm. GREAT!

Same strategy as my first attempt: I started with the BoF machine while running scans against the others. I worked fast and diligently, but for some reason I was not able to get a reverse shell back from the machine. By 4 pm I realized I may have failed again. I kept trying to work out why I didn't have a reverse shell, and literally did the machine again from scratch, until I finally realized my brain fart. I was so mad at myself for not paying attention to my OWN tunnel interface IP. It was 6 pm and I had just knocked off that beast. That's (20 pts).

Started working my way through the other machines; this time I did not go for the 10-pointer first. Instead, I started with the first 20-point machine and finished that in a couple of hours. I was feeling super confident in myself and riding a huge high. From there I went to the other 20-point machine, and I was able to get both flags off that machine as well. It was 11 pm, and I was like, ok, let's get that last 10-pointer and at least guarantee the passing mark!... and... the 10-pointer fell in about an hour and a half.

At this point I was super happy. Before taking an extended break I made sure all my screenshots were taken and accounted for.

Took a break for a few hours and came back to try to work on the last machine. Unfortunately, I was not able to solve it for the 100% mark, but that was ok.

Report Time

I took my time with this one. I made sure that everything was clear and concise so that it would allow them to replicate my steps to gain access to all the machines I unlocked. My only tip here is to read the exam guidelines and the reporting guidelines to make sure you don't miss any important details.

Passing Email



Tips & Study Guides:

While everyone has a different style, level and way of learning, I will mention the stuff that worked for me to pass this exam:

1- Complete TJnull's list of OSCP-like HackTheBox machines. TJnull's full guide was amazing and great to follow. Completing those machines gave me that extra boost of confidence and practice:

https://www.netsecfocus.com/oscp/2019/03/29/The_Journey_to_Try_Harder-_TJNulls_Preparation_Guide_for_PWK_OSCP.html

2- If you need to practice more buffer overflows, TryHackMe has got your back. All labs are ready for you; no need to install anything or prepare the environment:

TryHackMe | Buffer Overflow Prep

3- To practice more Web App pen-testing, the best resource I found was the PortSwigger Web Security Academy:

Web Security Academy: Free Online Training from PortSwigger

4- For solutions to the HackTheBox OSCP-like machines I highly, highly recommend following IppSec's YouTube channel:

https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA

5- Take a lot of rest during the exam.

6- Note-taking is a skill; make sure you practice it on the lab machines, or afterwards if you opt to complete some of the HackTheBox machines. Anything you try during the exam, make sure you note it down, even if it did not work out! This will save you time by not circling back to the same method you already tried and failed with.

I will add my cheat-sheet to this website later on as well.

Final Comments

In all honesty, after I reached my final destination I realized that it was not about that final goal. It was about the journey to get there. It was one hell of a journey, full of ups and downs, but well worth it in the end!

Thank you for reading if you got this far.

This blog will be dedicated to security posts related to:

  • DFIR
  • Red Teaming
  • Purple Teaming
  • ICS or OT security in general.

Stay Tuned!

1 comment:

  1. I found one successful example of this truth through this blog. I am going to use such information now. Sophos XG Firewall Support
