Passing the OSCP Exam Without Metasploit

The Journey

Back in May 2022 I made a post about starting my OSCP journey. The intent, at the time, was to use open source resources such as Hack the Box and TryHackMe to help prepare prior to enrolling in Offensive Security’s PEN-200 course. Well, life had other plans because shortly after the journey started it had to be put on pause. More important and pressing responsibilities took up most, if not all, of my free time.

It was not until August 2023 when the journey was able to be resumed. At that point it was decided to dive into the deep end and enroll straight into the PEN-200 course. After four months of preparation and two exam attempts later, I passed the OSCP!

Hack the Box, eJPT, PNPT, Oh My!

Looking back on my journey, I believe the PEN-200 course is all you need to pass the OSCP exam. This may differ from person to person based on technical knowledge and time constraints. Some recommendations I have seen online are to complete the Penetration Tester Path from Hack the Box Academy, INE’s eJPT, or TCM Security’s PNPT prior to the OSCP exam. If time is not a concern then this strategy could work. But between work and personal responsibilities it was not feasible for me to complete the Penetration Tester Path AND the PEN-200 course prior to sitting for the OSCP based on my timeline.

This is by no means a knock against Hack the Box Academy or any other course/certification. After passing the OSCP I actually decided to start the Penetration Tester Path in pursuit of Hack the Box’s CPTS certification. And so far the material is fantastic. But ultimately the PEN-200 course and associated lab environments are all that is needed.

From August 2023 to October 2023 the focus was on reading all the material and completing the accompanying exercises. While doing so I was diligent about taking quality notes. In my opinion, this is crucial for successfully passing the OSCP exam! Note taking is so important that it gets its own section.

Since the OSCP exam is very technical it is imperative to apply the skills as they are learned. Reading or watching the videos alone will not be enough. As an aside, Offensive Security has created a PEN-200 learning plan that can be followed and used as a way to hold yourself accountable.

Document Successes… and Failures

Having good notes will prove beneficial on exam day, that is certain. Obsidian was my program of choice for taking notes. Regardless of what software is used it is the content of the notes that matters. My notes were broken down into two categories – writeups and cut sheets.

Each exercise or lab had a corresponding writeup. All actions taken were annotated along with the thought process, and I mean all actions were annotated. This includes actions that led to rabbit holes and the actions that led to the successful completion of the exercise or lab. This approach proved beneficial because it helped me understand why I went down rabbit holes and aided in the development of my penetration testing methodology. Common pitfalls that led to rabbit holes were a lack of proper enumeration or overlooking a key piece of information after enumerating.

Cut sheets are just as important. Think of them as cheat sheets or quick reference guides on how to perform a task. Being able to copy a command and replace a few arguments is less time consuming than having to sift through help menus or man pages each time a particular task needs to be completed. Nothing is more annoying than knowing what needs to be done to gain access to a system and struggling to remember the exact syntax needed to cause the desired effect. Especially when a similar situation had been encountered previously and was resolved, only to not have annotated the solution for future reference. Suffice it to say, have a list of commands that are frequently used and are known to work to help save time on exam day.

Try Harder with Challenge Labs

After completing the PEN-200 course it was time to move onto the challenge labs. They were completed in the following order – Medtech, Relia, OSCP A, OSCP B, and OSCP C. On a side note, completing all the PEN-200 reading material and exercises in tandem with the challenge labs helped secure the 10 points for the OSCP exam. Medtech was a reality check and made me question everything. Looking back, it is to be expected, however, since it is the first time all the skills learned in the PEN-200 course were being applied in a dynamic setting.

Remember to take good notes and run through the challenge labs multiple times. Use this as an opportunity to test your penetration testing methodology. Doing so will pay dividends on exam day, trust me. Another suggestion is to use one of the OSCP sets as a practice exam since they are retired exam machines. This will help gauge your level of readiness.

Do not be afraid to ask for help on the Discord server! There is the mantra of “Try Harder” which has its time and place. But “Trying Harder” for hours with little to no progress being made is just dumb in my opinion. Trust me, I learned that the hard way. What I found to be helpful is setting a time limit. If after 60 minutes of “Trying Harder” and no progress is made then look for a hint on the Discord server. The keyword is HINT, do not seek the answer from someone. Seeking the answer without putting in the effort to come to that conclusion is a disservice to yourself so stave off that temptation.

Exam Take 1 – When Trying Harder Fails

After three months of preparation the first attempt was scheduled and I ended up only getting 30 points. Initially, the exam went well and I was able to get 20 points in the first hour quite easily. In an attempt to secure the final 40 points needed to pass I moved onto the Active Directory set. This is when I ran into a brick wall for the next 22 hours.

With the clock ticking down and no progress being made for several hours the pressure started to mount and I started to flounder. Instead of taking a break to reset, the “Try Harder” mentality was embraced to the fullest extent and, in hindsight, that was my downfall.

This failure taught me a few things. The first is to take breaks during the exam no matter what. Give the mind a chance to rest and reset. The second is to spend no more than 60 minutes on a particular exploit, vulnerability, or machine. If no progress is made after 60 minutes it is time to reassess the situation and move on. And finally, the third thing it taught me was that my penetration methodology was not fully fleshed out. This was made evident when presented with a lot of information following enumeration. It was difficult to decipher what should be prioritized, what actions should be taken, and in what order.

Even though there was no way to pass the OSCP after the first 24 hours elapsed, a report was still created and submitted. Writing the report gave insight into how notes could be more detailed and organized to streamline the report writing process. The last thing I wanted was to retake the exam and get hung up on the report so I took it seriously.

Proving that Failure is Not an Option

At this point I took a step back and reassessed the situation. There was a four week cooldown period before I could take the OSCP exam again. So how was the next month going to be best spent? It was decided that the best course of action was to take a week off then solely focus on Proving Grounds Practice machines and to better develop my penetration testing methodology.

Around this time TJ Null dropped an updated list of practice machines for OSCP preparation. I ended up completing the majority of the Proving Grounds Practice machines. For each machine a writeup was created and cut sheets were updated.

At first it was frustrating. Gaining initial access was proving to be more challenging than expected and required asking for more hints than I care to admit. At times it felt like I was reliving the first OSCP exam attempt day after day. But after a week or so something just clicked. Instead of taking hours to root a single machine it was taking under an hour. At this point I knew it was time to schedule the second attempt.

Exam Take 2 – Redemption

The day arrived and it was time to redeem myself. Similar to the first attempt, 20 points were secured in under an hour. After a short break I went onto the Active Directory set. At the 3.5 hour mark 70 points had been secured. Breathing a sigh of relief, another break was taken before going over my notes and ensuring all required information was documented for the report. The remainder of the first 24 hour window was mostly spent on drafting the report. The following day was spent going over the report and polishing it up. A day after the report was submitted I received the notification that I had passed and ended up with 90 out of 110 points.

TLDR

  • The PEN-200 course is all you need.
  • Take good notes – create writeups for the labs and have cut sheets.
  • Do the challenge labs then do them again.
  • If stuck for more than 60 minutes on a lab ask for a hint on the Discord server or look at a writeup. For the exam, it may be time to reassess what is being done.
  • Develop a penetration testing methodology.
  • Take breaks during the exam.
  • Keep it simple.
  • Spend time doing Proving Grounds Practice machines and check out TJ Null’s list.