Tobias Dunn

My Experience Passing OSCP

22/06/2025

It took me just under six months from starting my OSCP training to passing the exam. Through my work, I was fortunate to receive access to the 90-day PEN-200 course and an exam voucher. While the OSCP course content is solid, it's important to understand that it doesn’t fully represent what you might encounter during the actual exam.

Once my lab access ended, I subscribed to OffSec’s Proving Grounds and other community-recommended platforms to keep practicing. That extra effort proved essential in helping me pass.

Final Push Before the Exam

With less than a month to go before my scheduled exam date, I felt like I needed one final push. I decided to purchase the 30-day extension, mainly because I hadn't completed all of the Challenge Labs during my original 90 days.

Frustratingly, OffSec doesn’t offer standalone access to the Challenge Labs; they’re bundled with the full PEN-200 course content. I understand the business reasoning, but from a consumer’s point of view, this felt restrictive.

My Exam Strategy and Execution

I booked my exam for a 10:00 AM slot. I chose this time so I could sleep in, be well-rested, and have plenty of daylight hours to work. It also gave me a small buffer the next morning in case I needed extra time to finish any of the machines.

What I Achieved

Within 7.5 hours, I had gathered enough flags to pass. However, after that point I wasn't able to obtain another flag. Here’s what I accomplished:

  • Fully compromised the Active Directory environment
  • Fully compromised one standalone machine
  • Retrieved the local.txt flag on another standalone machine

This left me with:

  • One box where I couldn’t gain initial access
  • One where I got access but failed to escalate privileges

Lessons Learned the Hard Way

Don’t Trust Your Tools Blindly

On the box where I failed to escalate privileges, I found a file that had piqued my interest. I opened it with a program I’ve used for years (even before getting into cybersecurity), and it appeared empty. Running strings returned barely anything useful.

Only after the exam did I test it using an online viewer, and it opened perfectly. I also realized that simply running cat on the file would have shown the information I needed.

Lesson: Even if a tool has always worked for you, don’t assume it’s infallible. Always double-check using alternative methods.

Don’t Tunnel Vision

On the box where I couldn’t get in at all, I ignored trying default credentials. I had been misled by a honeypot and focused too long on the wrong path.

Lesson: If you're banging your head against a wall, take a step back. Make a checklist of things to try; sometimes the simplest techniques (like default creds) are the key.

Tools & Tips That Made a Difference

Ligolo-ng

This isn’t covered in the PEN-200 course, but it’s incredibly useful for port tunnelling and pivoting into an Active Directory environment. I highly recommend learning it.

script

This handy tool logs your terminal session. I used it during the exam to track every command and output. After the exam, I could cat the script file to review everything, which was super helpful for writing the report.

Despite using script, I still made sure to take screenshots of every step, especially of flags and exploitation commands. Think of script as your backup, not your primary evidence.

Reporting

As a professional penetration tester, I’m comfortable with report writing. But even if you’re not, you can set yourself up for success by collecting solid evidence throughout the exam.

  • Take screenshots often, especially of critical moments.
  • Use the script tool to record terminal sessions.
  • Create separate folders for each box to stay organized.

Remember: if it’s not in the report, it didn’t happen.
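
One way to combine the per-box folders and script logging described above, as an added example that is not part of the original post. It assumes the util-linux version of script (for the -f flag); EVIDENCE_ROOT and the function names box_dir, new_log_path, record and clean_log are made up for illustration.

```bash
# Per-box evidence folders plus terminal logging with script(1).
# EVIDENCE_ROOT and every function name here are assumptions for this example.
EVIDENCE_ROOT="${EVIDENCE_ROOT:-$HOME/exam-evidence}"

# Create <root>/<box>/{logs,screenshots} and print the box directory.
box_dir() {
    local box="$1"
    # Allow only simple names so a typo cannot escape the evidence root.
    case "$box" in
        ""|*[!A-Za-z0-9._-]*|.*) echo "invalid box name: $box" >&2; return 1 ;;
    esac
    mkdir -p "$EVIDENCE_ROOT/$box/logs" "$EVIDENCE_ROOT/$box/screenshots" || return 1
    printf '%s\n' "$EVIDENCE_ROOT/$box"
}

# Print a new timestamped log path for a box (one file per recorded session).
new_log_path() {
    local dir
    dir="$(box_dir "$1")" || return 1
    printf '%s/logs/%s.typescript\n' "$dir" "$(date +%Y%m%d-%H%M%S)"
}

# Start a logged shell for a box; type `exit` to stop recording.
# -f flushes after each write, so the log survives a crashed terminal.
record() {
    local log
    log="$(new_log_path "$1")" || return 1
    echo "logging to $log" >&2
    script -f "$log"
}

# Strip CSI escape sequences (colours, cursor moves) and trailing carriage
# returns so a recorded log pastes cleanly into the report.
clean_log() {
    local esc cr
    esc="$(printf '\033')"
    cr="$(printf '\r')"
    sed -e "s/${esc}\[[0-9;?]*[A-Za-z]//g" -e "s/${cr}\$//" "$1"
}
```

Source the file once, run `record <box-name>` whenever you switch targets, and save screenshots into the matching screenshots folder so each box's evidence stays together.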

Passing and Looking Ahead

I submitted my exam report and heard back in just over 24 hours: I had officially passed the OSCP!

While I’m proud of the result, I’m still slightly disappointed I didn’t get all the flags. That’s why I’ve already started preparing for my next certification: Hack The Box’s CPTS. From what I’ve heard, CPTS is a harder exam technically, even if OSCP carries more industry weight.

Final Thoughts & Advice

Here are my closing tips for anyone on the OSCP journey:

  • Think critically - don’t get stuck on one idea.
  • Learn tools like Ligolo-ng, even if they aren’t in the syllabus; just make sure they adhere to the exam rules.
  • Document everything - screenshots + script = strong report.
  • Try the basics first - default creds, misconfigs, etc.
  • Use checklists to stay on track during the exam.