Post

OSCP Experience Shares

Posted Updated
By wzwr1029 5 min read

Preface

When I started looking for internships in my senior year, I kept seeing the keyword OSCP in security-related postings. After some research, I learned it’s a well-known penetration testing certification with a strong reputation and quality standard—so I decided early on that I would pursue it.

By chance, I later saw a TSC × OffSec × DEVCORE promotion on Facebook: if enough people registered, we’d receive nearly 30% off. With scholarship savings and TA income, I finally had the budget—so I took the opportunity and enrolled.

I chose the 90-Day Course & Cert Exam Bundle for the PEN-200 course and exam because:

  1. It offered solid value for the price, not because i cannot effort more expensive one…QQ
  2. A 90-day window would force me to stay focused and curb procrastination.

I scheduled the course to begin right after the Lunar New Year in early March, and set my exam date for late August, before the semester started.

The Course

I’ve taken multiple security courses and played quite a few CTFs (no standout results yet—teams welcome!), so the course material felt approachable. For me, PEN-200 acted as a structured refresher with hands-on labs that helped build muscle memory. It also reinforced the difference between CTF and penetration testing: a real engagement is more end-to-end—scoping targets, network discovery, service enumeration, vulnerability identification, exploitation (the “CTF-like” part), and then privilege escalation to fully compromise the machine.

However, some modules were still new to me, such as Phishing and AWS-related topics. I also strengthened my Windows knowledge—especially Active Directory—which had been a weaker area before.

Preparation

Like many others, I followed the community-recommended TJ Null OSCP List and worked through the machines. I posted my solutions on my blog where appropriate—feel free to check them out if you get stuck or just want to compare approaches. The course also provides mock challenges; due to time constraints I completed Challenge 0, 4 (OSCP A), 5 (OSCP B), and 6 (OSCP C), which were enough to understand the exam environment.

Throughout prep, I maintained and refined detailed notes so I could quickly find commands and techniques. I strongly recommend this—good notes are invaluable during the exam. Use a tool with strong search and indexing (e.g., Obsidian or Notion).

The Exam

The days leading up to the exam were busy with the NSSPC preliminary round, but I had planned ahead: most of my revision was completed two weeks earlier. The day before, I warmed up with a few Hack The Box machines and went to bed early.

My exam was at 2:00 PM (Taiwan time). About three days beforehand, OffSec sent reminder emails with proctoring software documentation and exam rules. Set aside 2–3 hours to read and note the essentials. Remember: AI tools are strictly prohibited—don’t rely on ChatGPT or similar. On exam day, I woke up around noon, grabbed brunch, and chatted with friends briefly to relax. Fifteen minutes before the start, I closed all messaging apps and joined the proctoring session. The proctors verified my ID, asked me to show the room with the webcam, reiterated rules (e.g., you must notify them anytime you step away), and then provided the exam portal link. The exam environment included:

  1. AD environment: multiple Windows machines forming a domain; you need Domain Admin and the flags to pass this section.
  2. Three standalone machines: similar to typical HTB boxes—gain foothold, then escalate to root/system for full credit.

Because the AD portion is often critical for passing, I focus it first. Most steps went smoothly, but one host stalled me for 2–3 hours until I realized the correct approach; within an hour after that, I achieved Domain Admin privileges. With the AD done, I took a dinner break, grabbed coffee, and worked through the remaining machines. If you’ve practiced enough, these are very manageable—focus on details, stay curious, and think like a real attacker rather than “just solving exam.” After another 4–6 hours, I finished all machines for 100/100.

I then decided to stayed online to write the report because:

  1. While the environment was still fresh—useful both to verify reproducibility and to avoid procrastination.
  2. POE2 new season will start at the next day of submitted exam deadline, would not want to delay my grinding of first day of season due to OSCP XD

I used Sysreptor with its OSCP report template, which lets you focus on clarity and reproducibility rather than formatting.

I submitted the report around 6:00 AM (Taiwan time), said goodbye to the proctors, and went to sleep. Make sure you receive the submission confirmation email. My results arrived in about a week (I submitted on the 29th and received the results on the 3rd).

Reflections

I’m very happy to have achieved a certification I planned for long ago. OSCP was genuinely enjoyable and very beneficial, even if the 24-hour format is mentally taxing. Next, I’m considering OSWE or OSEP, but the cost is not trivial—OffSec bundles are expensive for students—so I’ll likely wait for a group discount or employer sponsorship.

Practical tips:

  • Prefer an x64 host running a Kali VM for the exam. On ARM hosts, some tools and frameworks can be painful due to compatibility issues.
  • Proving Grounds Practice is excellent for getting comfortable with the OSCP style. Hack The Box helps with advanced techniques and attack workflows.
  • Don’t mythologize the exam—approach each target with a real attacker mindset: stay curious, map all attack surfaces, and avoid rushing into rabbit holes.

Good Luck! and Try Harder!!!

Show off

My Certificate Link here.

cybersecurity, ctf, career
pentest cybersecurity ctf personal career
This post is licensed under CC BY 4.0 by the author.