How I Passed OSCP with 110 points in 7 hours(First Attempt) Without Metasploit

G S Nagendran
12 min readJul 31, 2023

Hi Everyone, this is Nagendran G S back again with a blog on passing OSCP (PEN 200–2023) in my first attempt in 7 hours without Metasploit.

OSCP Digital Certificate — https://www.credential.net/9aa04fcc-cde5-438c-9560-d93892aa69fe

Like everyone else, I had doubts about whether I could pass OSCP with my current skills. How would I know if I never tried? It all began while searching myself from a tough situation and when my friend successfully passed OSCP in January 2023. At that moment, all I needed was the self-motivation to embark on this journey. OSCP is not just a certification or a rigorous 48-hour exam; it was a transformative six-month journey for me. In the end, I had to prove myself and demonstrate my capabilities. With the fear of failure weighing heavily on my mind, I couldn’t help but worry about the consequences of losing both my investment of $1599 and confidence in my skills. Later, I took my dad’s advice to heart: “It’s either a win or a lesson, never a loss, son”. The price was too expensive considering my financial background. I had to weigh both the risk and worth of this plan, hoping it would end in success. But I would never know if I didn’t try :)

With initial research I understood opinions differ on OSCP: Is it an entry-level or intermediate-level certification? It stands apart from others in the industry due to its hands-on approach, making it a challenging and valuable credential in cybersecurity.

Preparation:

Jan — March 2023

I began my journey by reading blogs of individuals who recently passed the OSCP certification at that time. And whichever blog it was I saw TJ Null’s OSCP List as reference for preparation. It provides a list of vulnerable machines from platforms such as HTB, Vulnhub, PG-Play, and Practice for practice purposes. Before purchasing the OSCP 90-days Lab Subscription for $1599, I wanted to familiarize myself with the basics of approaching a machine, such as what to do, check and where to look. With my current job , I had to prepare regularly after my log-off hours and during the night or early morning. Nevertheless, I had the weekends during which I dedicated the majority of my time to preparation.

After practicing TJ Null’s Vulnhub List for a few months, I acquired a foundational understanding of how to approach machines. Despite having five years of learning experience in cybersecurity, I initially faced challenges in solving machines entirely on my own without any hints or write-ups. However, I believe it’s completely acceptable to consult write-ups when needed. Before doing so, I made sure to exhaust all the knowledge and techniques I have at my disposal. Once I figure out the solution, I’ll add it to my notes as a part of my learning process.

Note Taking:

I had two types of notes — Theory and Practical. I used notepad for Theory, where I simplified the content for better understanding. I used Microsoft One-note for Practical notes which consisted of commands and included additional explanations or reminders to help with comprehension. Google won’t help us with everything and its really hard to remember everything we learn in this journey. In the end its our notes that’ll help while solving labs and during exam, since OSCP is an Open-Book exam.

No More BOF:

OffSec’s announcement on March 16, 2023 revealed the new update PEN-200–2023. The update included the removal of old labs, introducing new ones, and making changes to the PEN-200 course, specifically focusing on Buffer Overflow. Buffer Overflow was officially removed in PEN-200–2023 Course and Exam machines. This was also applicable for those who scheduled their exam on that day. This was surprising for me as I spent a few weeks learning and practicing Stack Based Buffer Overflow(Windows & Linux). The intense practice I took helped me to gain a shell in 15 minutes by exploiting Buffer Overflow which gave me the initial confidence for cracking OSCP.

OSCP Exam Structure 2023: (No More Buffer Overflow)

  1. AD SET — DC and 2 Clients (40 Points — Need to pwn DC as Domain Admin to gain full points)
  2. 3 Standalones (20 points each — 10 points for low privilege and 10 points for root/system privilege shell access)
  3. 10 bonus points — if completed 80% of each module in course material and submitted 30 proof.txt by solving Challenge Labs

One needs a minimum of 70 points to Pass OSCP. It’s either pwning — AD + single standalone + Bonus Points or 3 Standalones + Bonus Points. Thus Bonus points will be of huge help if one can’t complete AD set in exam. My primary target was the AD set which would give me 40 points, so I focused a lot more on AD during my preparation phase. I believed that I could crack 1 out of 3 standalone which would enough for my passing score.

Basics of AD:

I know I would learn AD from scratch if I purchased the PEN-200–2023 course, but who did curiosity spare? I ended up learning the basics in TryHackMe like what is AD and how it works. At that time I was new to AD and it was quite interesting to understand how it works for identifying and abusing the flaws in it. But the AD attacks in TryHackMe covered a lot that were beyond the OSCP Course. It was my friend in the end who said “Always, stick to the course”.

The Game Is On:

April 2023

I purchased the 90-days lab Subscription for OSCP, which cost around $1599, approximately Rs.1,31,xxx + 5k tax at that time. After completing verification, it took me a week to gain access to the PEN-200–2023 section in OffSec Portal. My plan was to complete the course within a month. To make my study process more efficient, I skipped videos and used the text version, which was more comfortable for me. Upon analyzing the course, I realized that it started from scratch. I chose to skip some contents which I was already familiar with and solved the exercises that required a basic understanding. I made sure to complete 80% on each module in Course material. The OffSec mentors and the support had my back whenever I got stuck while solving exercises or faced any issues in VPN or the environment. As I had plans to pass OSCP without Metasploit, I didn’t spend too much time on it. I had to solve a few exercises just for the sake of Bonus points. It took me exactly a month to complete the course with my schedule, and I felt well-prepared for what’s ahead (Challenge Labs).

Challenge Labs:

May — June 2023:

This is when the game begun, I was ready to test my skills like getting initial foothold and pwning a machine with just my notes. However, the lab experience was different from what I gained in the course. For instance the foothold might be from anywhere in course, its up to the us who identifies it. I asked a lot of hints from OffSec mentor and some friends who wished to collaborate with me while solving labs whenever I got stuck after trying everything I’ve got. I never felt bad for asking hints after trying everything because once I know the hint and fix the part where I got stuck it’ll eventually end up being in my notes. So I can use it the next time if I get stuck similar to the one I experienced before. Eventually, I realized that dedicating my time to OSCP Course + Labs was the key to gaining the confidence I had hoped for before purchasing the course. I was able to complete the challenge labs in 2 months and I made sure to take a separate notes for Challenge Labs, creating a complete walk-through. This helped me a lot to recall the Challenge labs in OffSec portal especially OSCP A, OSCP B and OSCP C which emulated the exam environment.

Tips I Received Before My Exam:

  • Keep it simple
  • Remember the machines are designed to be hacked
  • The answer is in front of you just keep calm be cold blooded and take a deep breath.
  • Move to another machine when the time is over for that part. Come back later
  • Be prepared. Not in “technical” way, but in moral. Take rest before exam, prepare food you like, have water and snacks on your table.
  • Take breaks. Go for a little walk.
  • Document all things on the way. I know that it is very exiting to get root or Domain Admin quickly, especially if you see a path to it, but stop and document all the things.

The Big Day:

July 4–21 2023:

By 4th of July my Lab Subscription ended. I made sure to practice the machines again that I found challenging before the deadline. I had around 18 days left for my exam. I just wanted to stay relaxed as I had both my notes and the confidence that I can crack the exam. However, hearing about people failing after 4 or 5 attempts sometimes made me nervous. I knew that it would be challenging for sure, but I didn’t want to lose hope. I felt like I came this far to see that one email from OffSec stating that I passed this exam successfully. I kept myself relaxed whenever I had time. I started to test my skill in Pg-play machines where I had a limited time of 3 hours/day. I was able to solve most of the machines without a hint in a maximum time of 1 to 1.3 hours. This gave me a boost of confidence that I’ll clear my exam.

July 21–22 2023

The day before the exam, I thoroughly checked my notes to make sure I didn’t miss any crucial information. I scheduled my exam at 5:30 AM IST to maximize my daytime to avoid feeling tired. I had to wake up at 4:00 AM to check my Kali VM and other stuff to prevent last-minute troubleshooting. Everything was perfectly fine and I completed my Proctor Verification in 20 minutes. I had a 5 minutes free time before starting the exam. All I can hear was my heartbeat and an inner voice saying “You got this!”.

Once I got access to the portal I saw the list of targets. Just by looking at them, it was easy identify which one was the AD Set and which were the Standalones. I started the exam with AD Set, initiated the Port Scan and began enumerating based on the results. This was the toughest part for me. I started around 5:30 AM and for an hour and 45 minutes I had no lead. I’ve been hitting a dead end after using whatever stuff I had in my notes. I even googled and looked up Ippsec’s page for any different approaches but nothing worked. I remembered this was the crucial part where I had to be relaxed. I attempted resetting my mind about the box and started to look into the Nmap results once again from scratch. I stayed so relaxed that it helped me think straight and to find that one way to the user shell.

Once I got my user shell in 2 hours, I wanted to take a 30 minutes break before attempting to pwn the DC as I felt hungry. It was around 8 AM when I resumed back from my breakfast. Time was around 9 AM and it took only and hour to pwn the complete AD Set 🫡. Speaking precisely, it took me 3 hours to complete the AD Set in exam.

And now I had 50 points (40 points for AD set + 10 Bonus Points). With no waste of time, I started looking for the Nmap results of the first standalone. It took me an hour and 16 minutes for getting the initial shell access and 36 minutes for gaining high privileged access. So it took around 1 hour 52 minutes for pwning the first standalone. It was around 10:22 AM when I realized I passed my OSCP exam with minimal points. (40 + 20 + 10 = 70 points). I couldn’t express the level of confidence and happiness I had that time. All I could do was request the proctor for a short break and turning off the Web Cam to make a Chandler dance move.

I started enumerating the next standalone and this time it took only 58 minutes to pwn the second standalone. It was around 11:40 AM where I had 80 points and I proceeded further to pwn the last machine. This was the hardest of all machines in that exam. So it took around 2 hours and 7 minutes to pwn the machine. The time was around 1:47 AM when I completed AD set and 3 standalones. Starting from 5:30 AM to 1:47 PM it took around 8 hours 17 minutes to complete the OSCP exam with 110 points (40 + 20 + 20 + 20 +10). Essentially, I solved all machines in the OSCP exam in 7 hours and 7 minutes, taking a short break each time I successfully pwned a machine, which on average totaled about an hour. I never imagined that I would pass OSCP, and to my surprise, I achieved 110 points in just 7 hours without using Metasploit in any of the machines.

I made sure to check the screenshots which were helpful while creating the report. OffSec provided 23 hours and 45 minutes for exam and 24 hours for submitting the report. As I finished my exam earlier than anticipated, I immediately began working on the report right after lunch. It took me around 10 hours to prepare and review the report. I completed my report submission at midnight (12:00 AM). Feeling utterly exhausted, I longed for a good night’s sleep.

Hardest Part:

Initially I thought preparation was the hardest part. Somehow I managed to complete my preparation phase in a timely manner. Post preparation phase, I thought the exam would be the hardest part, whereas I aced it. I never knew that the result phase would be the hardest of all. I heard the results would appear sooner in portal while the mail would take some time. So I had to check both the portal and email twice a day, sometimes even thrice. As per OffSec it takes around 10 business days to receive the results of exam. For me it took 5 business days. It was one good evening, 28th of July I got my results.

It was a dream come true moment. Behind the pursuit of this happiness, there were several sacrifices. I felt this moment was worth the money I spent, the effort I put and the dedication I had for OSCP. For that moment I was proud to say that I’m officially an Offensive Security Certified Professional.

A wise woman once said to me “Don’t think too much..Focus on putting your best effort..Results will Follow”. In short that’s all I have to say for those who are pursuing or yet to pursue OSCP. In fact the first one helped me get AD initial foothold after a struggle for 2 hours 🙃

In the final part of my blog, I want to share the deeper motivation behind my OSCP journey. Life took an unexpected turn when I faced a challenging personal situation and heartbreak. Though it was tough, I decided to channel my emotions and energy into something constructive. That’s when I gave thoughts about OSCP. I believe my OSCP success was not just about passing an exam, but a journey of self-discovery and resilience.

To conclude, I am immensely grateful to my friends, family and colleagues who are my Baymax.

Resources:

  1. https://onedrive.live.com/embed?resid=4149EBCF4A8A1BD0%211849&filename=OSCP_Notes_NagendranGS.pdf&authkey=!AE_gXz4ANnMhJIc
  2. https://book.hacktricks.xyz/generic-methodologies-and-resources/pentesting-methodology
  3. https://burmat.gitbook.io/security/hacking/domain-exploitation

Socials:

LinkedIN – https://www.linkedin.com/in/nagendrangs

--

--