June 22, 2026
The OSCP Is a Mental Game
Yes, Another OSCP Blog Post. Bear With Me.
Gokul Karthik
Well, I got my OSCP a couple of weeks back and it was quite an experience. The last 3 months of preparation paid off and the main challenge wasn't even the technical stuff. It was the mental ability to keep trying and not give up.
I'll touch on the prep approach and resources, but the main thing I want to talk about is your mental state during the 24 hours of the exam. There are literally an infinite number of blogs and walkthroughs out there covering how to prepare and which resources to use (I looked at them and you will too), which is great, but I won't bore you with more of the same.
Let's get into it.
Background
Before we get into it, a bit of context on where I'm coming from.
I'm currently a graduate student in Cybersecurity with around 2 years of professional experience in AppSec and DevSecOps. Offensive security isn't my forte and my background is on the defensive side, but I've kept my hands dirty through HTB, THM, and occasional CTFs, which gave me a reasonable foundation going in.
Before attempting the OSCP, I also completed the PNPT certification, which I'd recommend as a stepping stone. It gave me a structured way to think about penetration testing methodology before diving into something more complicated. You can read more about that experience here.
Preparation
A. PEN-200 and Proving Grounds Practice
My prep spanned around 3 months, split between the PEN-200 course material and Proving Grounds Practice machines. And no, I didn't complete everything.
For the machines, I followed the OSCP LainKusanagi list with ratings rather than bouncing between multiple lists and resources. This is something I'd recommend: pick one list, commit to it, and resist the urge to constantly second-guess whether the grass is greener elsewhere. Chasing the perfect resource list is its own rabbit hole, and one you want to avoid before the exam even starts.
Did I finish every machine on the list? No.
Managing a 3-month OSCP subscription alongside graduate studies doesn't leave a lot of breathing room, and I had to align myself with that. If you're coming in with little prior experience, seriously consider the 1-year subscription and go at your own pace.
A few things that worked for me on the machines:
- Try it yourself first. Always. If you're stuck for a meaningful amount of time, look up the writeup for only that specific step, not the whole box. Then put the writeup down and continue on your own.
- Keep notes on what worked and what didn't. Not just commands that worked, but your weak areas, gaps in understanding, and things worth revisiting. I kept a simple running list of areas to improve on; an example of mine is below.
The goal isn't to grind through every machine. It's to understand why things work, so you're not lost when the exam throws something slightly different at you.
B. Active Directory
Having completed the PNPT, I already had a grasp of the base knowledge needed for the Active Directory section, though PEN-200 does go a bit deeper in its coverage. Even so, I felt I needed to grind through a fair number of AD sets beforehand to get comfortable with the OffSec methodology and with time management.
First things first: get comfortable running netexec, BloodHound, and mimikatz. These are the core tools you'll be leaning on throughout the AD portion.
Here are the main resources I used:
- Hacker Blueprint's Labs: https://hackerblueprint.com/labs
I went through the first 4 of these. They're useful for getting familiar with the AD environment, though they don't really cover the pivoting side of things that you'd expect in the exam. Still a solid resource. Feel free to pick up some of the later labs as well, since I've heard the pivoting is better covered in those.
- Derron C's AD Playlist: Playlist Link
These sets are more closely aligned with the OSCP exam and do demonstrate pivoting as you'd see it on the day. Watch them and add the techniques to your notes as you go.
- My GitBook (notes and cheatsheet): https://gokulkarthik.gitbook.io/pentesting-checklist
Everything I took down throughout my prep got consolidated here. You don't need to use it, but it was all I needed to quickly pull up commands during the exam, especially for the Windows and AD side of things.
C. Challenge Labs
Save the challenge labs for the final stretch, ideally 1 to 2 weeks before your exam date. These are the closest thing you'll get to the real experience, so treat them as dress rehearsals.
- Secura — AD focused, and in my opinion a bit easier than what you'll see in the exam. Still good practice for building confidence.
- Medtech — A larger network with more techniques than the OSCP actually expects, but it's fun and great for sharpening your skills.
- Zeus and Poseidon — More difficult and complex than the expected exam difficulty. Only take these on if you have time to spare, otherwise consider them optional.
- OSCP A, B, C — The closest to the actual exam in terms of difficulty and structure. Do these as near to your exam date as possible, and time-bound yourself to mimic the real exam conditions. Treating them like the real thing is the best way to test your stamina and pacing before the day itself.
D. Pivoting
For pivoting, I relied on ligolo-ng, which I'd strongly recommend. Beyond pivoting itself, it covers two other use cases that are just as important on the exam:
- Transferring files from your attacker machine to a host inside the internal network.
- Catching a reverse shell back to your attacker machine from a host inside the internal network.
Both of these, along with the full ligolo-ng setup, are documented in my GitBook if you need a reference.
That said, ligolo-ng isn't the only option. Feel free to fall back on tools like proxychains or chisel if the situation calls for it, though I'd treat those as a last resort.
The Day of Reckoning
The day had finally come, and I was about to learn what "Try Harder" really meant 😣
The Strong Start
I started on time and went straight for the AD section, which I felt more confident in compared to the standalones. Got admin on the first machine within half an hour. Riding that momentum, I moved on to the second machine and… hit a wall.
I chased an entry point that turned into a full-blown rabbit hole after a ton of enumeration.
Lesson: If something doesn't work, maybe it was meant to not work. Don't force it. The actual path forward is often something else entirely.
Almost 3 hours gone, no progress. So I took a break.
Lesson: Take breaks when you're burnt out or stuck. Stepping away clears your head, and you almost always come back with fresh ideas.
Pivoting to the Standalones
With AD giving me grief, I switched over to the standalones to change up the pace.
Over the next 2 to 3 hours, I got shell access on a couple of them, but no root yet. The third standalone became its own headache: I found the entry point but couldn't exploit it. Hours disappeared trying to break in, and by now I was almost 8 hours into the exam.
The dread started creeping in. This was my only shot, and the investment I'd made was sitting in the back of my mind too. So I took another break. When I came back, I realized the entry point was something embarrassingly simple. No complex attack required.
Lesson: The OSCP isn't an obscure technical exam. It won't throw unknown exploits or weird attack chains at you. If a path seems overly complicated, it's probably a rabbit hole. The real way in is usually simpler than you think.
From there, the privesc fell into place and I got root.
The Crossroads
By this point I still didn't have enough points to pass, and my eyes were seriously starting to droop. I had two options:
- Complete the Active Directory set, or
- Get root on the two standalones I already had shell access on.
I made an estimated call: I had a better chance of finishing the AD set than rooting those standalones. So I decided to sleep for 5 to 6 hours, wake up the next day, and dedicate my final 4 hours to AD.
(You can imagine how restful that sleep was. 🫠)
The Breakthrough
I woke up still groggy and got back on. I started fresh on the second AD machine and threw every vector I could think of at it. Finally, with about 3 hours left, something clicked. I was in.
From there, it took just 30 minutes to get admin on the second machine and compromise the DC. My heart was racing. That single vector was the entire exam's "Try Harder" moment. If I'd given up on it, I'd have been done.
That's the 50 to 80 point swing in half an hour, after being stuck for the better part of a day.
Wrapping Up
Exhausted but relieved, I made sure all my screenshots were in order and went straight to sleep. The next day I used the official OSCP report format, finished writing it up, and submitted. My result came back a couple of days later.
A pretty wild couple of days. 🙂
One last thing: Take screenshots of everything. You never know when you'll need them. Keep rough notes as you go too; don't leave documentation until the end when you're exhausted and trying to reconstruct what you did hours ago.
Tools & Resources Used
- revshells — An online reverse shell generator for quickly creating reverse shell payloads in just about any language or format.
- netexec — People say this can practically one-shot the AD section of the OSCP if you master it. An absolute must for AD enumeration.
- bloodhound — You've got to walk the dog. Gives you a clear overview of all the users, groups, and attack paths in your AD environment.
- mimikatz — One of the most common tools for post-compromise credential dumping and lateral movement.
- penelope — Catches reverse shells and auto-upgrades them, so you don't have to do the hard work manually.
- pspy — Gives you an inside look at Linux processes running on a machine that might not be visible from the outside.
- linpeas — The classic Linux enumeration script for privilege escalation.
- linenum — A solid Windows enumeration script for privilege escalation.
- powerup — A PowerShell script that hunts for common Windows privilege escalation misconfigurations.
- LainKusanagi List with Ratings — A modified version of the original OSCP machine list, this one with difficulty ratings to help you prioritize.
- Friend's OSCP Medium Post — A friend's OSCP Medium post which helped me prepare for the OSCP.
Final Thoughts
Looking back, the OSCP taught me less about hacking and more about persistence. The technical skills matter, of course, but plenty of people with the right skills still walk away without a pass. What gets you through those 24 hours is the willingness to keep going when you're stuck, exhausted, and convinced the path forward doesn't exist.
What worked for me might not map perfectly onto your situation. I went in with a defensive background, prior CTF experience, and the PNPT under my belt, and I still got humbled for the better part of a day.
A few things I'd leave you with:
- The exam rewards patience, not panic. Almost every wall I hit had a simpler answer than I was giving it credit for.
- Take breaks. Genuinely. Some of my clearer ideas came after stepping away from the screen.
- One breakthrough can change everything. I sat at 50 points for the better part of a day. Thirty minutes was all it took to get to 80. Don't give up before that moment arrives.
If you want to learn more or just chat about the OSCP journey, feel free to reach out to me on LinkedIn. I'm always happy to help where I can.
Good luck, and go earn it. 🙂