Updated on 2020-05-02: restriction on screen recording during the proctored exam; see the section at the end of this post for details.


I was looking for an internship for the summer holidays, but unfortunately I could not secure one, so I decided to get the OSCP certification instead. I chose the one-month lab and scheduled it for the last month of my summer holiday, partly because I am confident in my prior pentest knowledge, but mainly because I am poor, and the one-month lab already costs 1100+ SGD. (It is quite sad that I didn’t find an internship to earn money, but found another way to spend money.)


I solved 54 out of 55 machines in the lab in about half of the month. I don’t have much to say with respect to lab practice, but the way the machines are linked to each other is really interesting (thumbs up for Offsec). So make sure to do post-exploitation information gathering on every machine you root, because you never know which piece of information is going to be useful to root another machine.

The reason I rushed so much on the lab is that I somehow managed to find an internship with DSTA for the second half of the month, so I was doing the internship for those two weeks and didn’t have time to do the lab anymore. Anyway, doing the lab is just a way to get familiar with pentesting and acquire the basic skills. Most importantly, you should form your own structured way of pentesting, which I believe to be the end goal of lab practice.

I did the buffer overflow practice at https://www.vortex.id.au/2017/05/pwkoscp-stack-buffer-overflow-practice/, which I felt was useful, as practice makes perfect (熟能生巧).


I took the OSCP exam on 23rd August 2019 and got an email on 28th August 2019 telling me that I had acquired the OSCP certification. They are quite efficient. =)


Due to the exam policy, I cannot talk about the exam machines, so I will just briefly describe the situation and give some (hopefully) useful tips from my exam.

I took the exam at 12 noon; I chose this timing so that I could have enough rest before the exam.

The exam started on time, and I headed straight for the buffer overflow question, while at the same time I used nmap to scan the rest of the targets (nmap -T4 -p- -A -v -iL target.txt). The buffer overflow was not hard and I have a standard procedure for it, so based on my past practice I thought it wouldn’t take more than half an hour, but I only got the reverse shell from the target after two hours. =( Because of some careless and stupid mistakes I made during the exam, I kept crashing the program but not getting calc.exe to pop. To make things worse, my Kali VM accidentally died halfway, which was quite frustrating, especially as I lost all the nmap scan results and had to scan everything all over again.

After I solved the BOF, I went to another machine worth 25 points, and it didn’t take long for me to get a low-priv shell, but I got stuck on the priv-esc for some time. My guess is that the exam probably won’t require you to use any kernel exploits to get a root/system shell (it should not be that easy, correct me if I am wrong), so I didn’t bother to test any kernel exploits found online. Instead I just enumerated the processes and put every process I was not familiar with into Google to search for relevant exploits, and I got the correct exploit in one shot, and boom, I got a system shell back.

With 50 points in hand and 3 hours passed, I went on to a machine worth 20 points. I was thinking that I had three more machines to go, 20 * 2 and 10 * 1, and I could pass the exam with one more 20-point machine rooted. But nmap kept giving me a segmentation fault when scanning that machine over and over again with nmap -T4 -p- -A -v ip, which is very weird, so I left it there and tried the other 20-point machine.

It didn’t take me long to get a low-priv shell either, but getting the root shell kept failing; by that time, I had approximately 60 points in hand.

I went on to check the nmap scan results of the 10-point machine, ran some further enumeration on specific services, then left it running in the background. I went back to the 20-point machine on which nmap kept failing. I did a simple port scan with netcat on some common services and ports, and managed to get a low-priv shell; priv-esc didn’t take long, and by the time I got a root shell, it was around 4:40 pm. At that point in time, I had a total of 25+25+10+20 = 80 points, which is enough to pass the exam.

I went back to the 10-point machine, where the enumeration had finished, and I got the root shell in about 10 minutes (a 10-point machine, right?). At around 5 pm, I had 90 points in hand.

I was quite tired by that time, but my OCD was forcing me not to take a rest before I rooted the last machine. I tried all the exploits which seemed quite promising, but could not get a shell. I went to grab a cup of water, washed my face, sat back in front of the computer, and decided to do the enumeration all over again. It turned out to be a facepalm moment when I took a step back and examined the machine as a whole from a higher level. And yes, at around 6 pm, I obtained a root shell. I had solved all five machines.

I told my proctor that I would like to take a rest, and ate my dinner. At about 7:30 pm, I came back and solved the machines all over again, to make sure I had enough screenshots for the report (I was running OBS Studio to record my screen all the time anyway, but I feel more secure that way). I checked one last time that I had submitted the correct flag for the corresponding machine, then told my proctor that I would like to end the exam early and wished him a good day, at about 12 am.

I crafted my 40-page report the next day. (I thought it was detailed enough, but one of my friends who had the OSCP told me that his report was 100+ pages. I was like, “wtf???? seriously?”) I followed the guide to send the report to Offsec, waited three days, and got the email telling me that I had passed the exam.


Some notes I would like to share with you regarding the exam:

  1. Rest is important; make sure you have had enough rest before the exam.
  2. Patience and carefulness are crucial. Otherwise you will be spending two hours on the buffer overflow. =(
  3. Take your time; 24 hours should be enough for most people (I think).
  4. If you don’t have any clues during the exam, you can ask me: enumerate more!!!
  5. Sometimes you will see it more clearly if you don’t dive too deep into it.
  6. Try harder.

Restriction on screen recording during the proctored exam

I just realized that Offsec does not allow screen recording during the proctored exam, and Offsec explains the rationale behind that restriction on their site. But I was recording my screen during the proctored exam on 23rd August 2019 and passed the OSCP exam.

By referring to the archives on the Wayback Machine, I realized this restriction was enforced in 2020, as the archive from 14th Jan 2020 did not have such a restriction, but the archive from 18th Feb 2020 did. So actually I didn’t break the exam rules at that point in time.




Originally I wanted to find an internship for the summer holidays, but things did not go as planned (cue the song “too bad”: things going against your wishes play out every day, moments of helplessness), so I thought I would go for a certification instead. Through a classmate I got to know another friend from NTU who was also planning to take it, so we signed up together, except he registered for two months of lab and I only registered for one month. The lab started on 7th July and ended on 7th August; I figured that after school started I would not have that much time to practice, so I did not register for longer (to put it bluntly, I am poor, and poverty keeps me striving). Not finding an internship was one thing, but this spendthrift then blew another thousand-plus Singapore dollars on a certification that most people have never even heard of. (/ □ \)


The lab was supposed to start on 7th July, but at that time I was still hanging out in Macau, and by the time I got back to Singapore it was already the 11th. Then I started grinding the lab day and night, and it took about half a month to finish 54 of the 55 machines in the lab (the last one I really could not do; on the forum everyone was hinting at 17-010, but I just could not get it, only 445 and 3389 were open, did they want me to go steal a BlueKeep exploit?). On 27th July I finished the admin network, and on 29th July I went to start my internship at DSTA (it is that magical, I found myself a half-month internship ^O^), which is why I was rushing the lab so much earlier on.


Here let me briefly mention what those five points are about. The bonus points mentioned in the official OSCP exam guide:


As you can see, it requires a lab report and a report on the exercises at the back of the course material. The lab report needs to include pentest reports for no fewer than ten machines, which is not a problem, but there are also the exercises at the end of the PDF course material Offsec gives us, and that is rather troublesome and time-consuming. After weighing it up, I decided to skip the five bonus points.


Also, for BOF practice I used the program from https://www.vortex.id.au/2017/05/pwkoscp-stack-buffer-overflow-practice/, which I felt was quite useful; after all, practice makes perfect. By the end I could finish a BOF within 30 minutes, so I marched into the exam full of confidence.






The exam started on time. After the proctor verified my identity, I headed straight for the BOF question, while at the same time running a basic nmap scan of the remaining four machines with nmap -T4 -p- -A -v -iL target.txt. The BOF itself was not hard, and based on past experience I should have been able to finish it within thirty minutes. However, I only got the reverse shell from the target machine two hours later. After cursing my own blindness 1024 times, I finally got a calculator to pop on the debugging machine. Worse still, halfway through the BOF my virtual machine suddenly froze, and I had to reboot and start over; the nmap scan results had not been saved either, so I had to scan all over again, and my composure was starting to crack at that point.

After finishing the BOF, I went for the other 25-point machine. Getting a low-privilege shell did not take long, but I got stuck on privilege escalation for a while. My thinking at the time was that the exam machines run fairly new systems and are probably updated regularly, so kernel exploits probably would not work, and I did not try any kernel exploits here. After digging around without finding anything usable, I simply enumerated the system processes, then searched Google for the processes I had not seen before or found suspicious, together with the keyword exploit. Very quickly, the first exploit I found worked, and it popped a root shell straight back to me. (/ □ \)

Fifty points in hand, three hours had passed, and I went to work on one of the 20-point machines. I figured I had three machines left, two 20-point ones and one 10-point, and I only needed one more 20-point machine to pass. Strangely, the nmap scan (nmap -T4 -p- -A -v ip) kept giving me a segmentation fault, something I had never encountered before, so I simply set that machine aside and went to the other 20-point machine.



Going back to the 10-point machine, the scan had finished and there was a very obvious hole; 10 minutes to a root shell (a 10-point machine should take 10 minutes, right?). Around five o’clock, I had 90 points in hand.


I told the proctor I was going to have dinner. After eating I lay on the sofa playing with my phone for a bit, and at half past seven I sat back down at the computer. I redid all the machines, confirmed that I had submitted the correct flag for the correct machine, and took screenshots of all the key steps (although I had OBS Studio recording my screen the whole time, double insurance never hurts). Around twelve, I told the proctor I wanted to end the exam early, and then disconnected the VPN.





  1. Rest is important; make sure you have slept enough before the exam.
  2. Patience and care, otherwise you will spend two hours on the BOF like me?
  3. Take it slow, do not rush; 24 hours should be enough for the vast majority of people.
  4. If you run into something you cannot do during the exam, come ask me: keep enumerating!
  5. Sometimes digging too deep is counterproductive; stepping back may let you see more clearly.
  6. If you are preparing for the exam with a friend, you can discuss the things you do not understand in the lab with each other?




Referring to the archived pages on the Wayback Machine, I realized this restriction was added in 2020, because the archive from 14th January 2020 did not yet have such a restriction, but the archive from 18th February 2020 already did. So actually I did not violate the exam rules.