Scoring 100 Points on the New OSCP Exam: My Exam Experience

After investing thousands of hours into becoming a computer hacker, I’m still overwhelmed with how much there is to learn. Sometimes I’m so lost that I wonder if I have learned anything at all. This makes it hard to feel like I’ve improved. For me, the OSCP was about validating my growth and proving I belong in the field I love.

Note: This is the story of my OSCP Exam day. For my full OSCP guide including how I prepared, recommendations, and exam strategy, check out my 2023 OSCP Study Guide.

Let’s Begin

I began the exam at 11 AM. Enumerating the Active Directory set revealed a unique machine, which became my focus. After thorough enumeration, I found a simple exploit that gave me a user shell by 1 PM. I needed the confidence this shell gave me; part of me had feared that I would not get a shell on any machine. With gratitude, I began escalation.

Manual enumeration? Yes, for a little, but laziness prevailed as I defaulted to running WinPEAS. Both my enumeration and WinPEAS pointed towards the same path. Pursuing a technique well documented in the OSCP textbook, I gained SYSTEM access an hour later. 

Uh Oh

Dread crept through my fingers as I enumerated the next machine. I discovered I had received the “hard/impossible” AD set that the r/oscp community had been raging about. While contemplating life and wondering if this was the end, dread was replaced with excitement. I knew this AD set could cause me to fail the exam, but the challenge was now exciting. This same love for challenges pushed me toward this field three years prior, and now I put it to work.

The AD exam set was much harder than any set in the lab. This one felt more like hacking a real network than an OSCP lab and required pieces from all aspects of the course. I struggled for hours trying to pivot. Finally, I saw the vulnerable path. Remember in ‘Avengers: Endgame’ when Captain America reached out and grabbed Thor’s hammer? That’s how I felt at 5 PM when I finally pivoted to a user shell on the second machine. At this moment, I knew I was going to pass. Not that it makes sense why I would feel that confident when I still had zero points. Maybe I was just manifesting.

Battling Privilege Escalation

That high was followed by my lowest of lows. The next privilege escalation was a seven-hour slog. I would perform an exploit, and it would work. I would try it again, and it wouldn’t work. I would perform another exploit, and it would work. Etc. This escalation was less Cap grabbing Thor’s hammer and more like the Hulk smashing through a building in downtown Manhattan, except I was the building.

I am still unsure if the attack I used was the intended method. It required a trick I had never seen before. But finally, at 9 PM, I achieved SYSTEM. Thirty minutes later, I gained domain admin on the third machine and secured my forty points. 

Linux? Please

Mind spinning, I took my first long break. I was working from the back corner of a strength and conditioning gym, so I cleared my head by working out and taking a cold shower.

Mind refreshed, I enumerated the only Linux machine given to me. To prepare for the exam, I read every OSCP guide I could find. I even made my own guide for the new exam format. Reading those guides saved me now as I knew to enumerate thoroughly before attacking. This machine had a huge attack surface, and I could’ve spent the rest of my exam time lost in the labyrinth of rabbit holes. Thankfully thorough enumeration revealed the intended path. Thirty minutes later, I was in. 1:30 AM, 60 points. 

Linux privilege escalations are a dream compared to Windows; twenty minutes later, I had root. Time for my second food break and then back at it.

Chasing 100 Points

I remember reading an article at the beginning of my OSCP preparation about a guy who scored a full 100 points on his exam. At the time, I wondered how that was possible and why anyone would keep going after achieving a passing score. Now that I had 70 points (60 machines + 10 bonus in the new format), I knew why he had continued. He kept going because he could, and because “100 points” simply sounds badass. With nine hours left and only a moderate migraine, I decided to do the same.  

The next box I thoroughly enjoyed. It felt good to play with my food after serving the OSCP lords for so long. Combining a bunch of minor vulnerabilities, I finessed my way to a user shell. A neat privilege escalation led to a root shell thirty minutes later.

3 AM, 80 points. One machine away from the 100-point holy grail of OSCP. The last remaining machine was the buffer overflow, the easiest section of the exam. I followed my militant overflow methodology and popped the machine in an hour and a half. Disbelief set in as I sat there with an exuberant number of screenshots and a hundred points.

When I was five years old, my teacher made me draw a self-portrait and describe myself underneath. Five-year-old John wrote only one sentence, ‘I am a learner.’ My mom still has the picture hanging in a closet back home in Vermont. Even after earning my OSCP certification, I often still feel like I don’t belong; I think everyone feels that at some point. But there is always knowledge to be gained. And thankfully, hacking is for the learners.

Want to hear more? Subscribe to the official John IV newsletter to receive live, monthly updates of my interests and passions.