Skip to main content

My Journey to OSCP+ (2025)

· 16 min read
potions3ller
potions3ller
Offensive Security Specialist

I first heard about OffSec’s OSCP exam whilst studying at university; unlike many of my course mates, I was too busy adjusting to my new found freedom to pay anywhere near enough attention to extracurricular activities. Having spent my entire life thus far oscillating between three villages in the English countryside, moving to a city had nothing short of paralyzed my ability to maximise all of the opportunities that were presenting themselves to me at that time. Whilst others were presumably applying for industry placements and networking with lecturers and third years, I was being bewildered at the concept of shops remaining open for business past 7pm.

Needless to say, had I have been applying my learnings to understanding the landscape of the industry as much as I was leveraging £1.89 pints of Bulmers at the local Wetherspoons, I am sure that I would have recognised the value of OSCP sooner and thereby begun my journey towards this certification far, far earlier.

Everyone has their own journey.

I have been working in cyber security for four years since graduating my degree, my role is a mix of vulnerability management, pentesting and threat hunting. The last couple of years I have been pushing harder to shape the role to be more focused on pentesting and with buy-in from the business I was able to procure a Learn One Subscription.

For reference, OffSec offer four levels of courses:

  • 100 level
  • 200 level
  • 300 level
  • 400 level

OSCP and OSCP+ sit at the 200 level and if I am not mistaken, there is only a single 400 level course, OSEE, and its the only one that needs to be taught in person. Understandably it is reserved for the few who are extremely experienced specialists in this field.

The pricing model is generally designed to push you towards the $2,749 ‘Learn One’ subscription which gives you access to the course materials and Proving Grounds (their lab environment) for 365 days. I say this as the majority of people are not able to juggle a day job, family life and a certification within 90 days which is available in their ‘Course + Cert Bundle’ subscription for $1,749. For most, value for money is found in the former.

Work had organised my course to start in August 2024, which aligned perfectly with me developing pneumonia and becoming bed bound - value for money right there. Three weeks later and 4kg lighter I began the reading. OffSec present the course in 3 formats, reading materials, videos and labs. The videos are essentially synopsises of the reading materials and the labs are to reinforce learning along the way. Contrary to the popular zeitgeist of r/oscp I did not complete the labs and nor did I watch more than 3 of the videos - the strange AI voice and smooth mouse movements were too uncanny for my liking. The platform gives you a progress percentage of how far you are through all of the content and at the time of passing mine was sat at 51.6%.

Image

I did not find that the videos added much benefit to the reading and I often found myself reading away from my desk meaning the labs were not really convenient to complete as I read along. Obviously, it goes without saying that your milage may vary and everyone learns in different ways. Its nice to note that OffSec allow you to download the course materials (only once mind you, so don’t lose them) meaning that when your subscription expires, you still have something to show for it - hopefully in conjunction with a certification.

My strategy was to get through the reading as quickly as possible, complete all of the labs to collect the 10 bonus points and then start the challenge labs. I would love to say that this was how it went but classically life got in the way and in the back of my mind I just thought ‘ah a year is ages, no rush’.

Famous last words.

November rolled around and the course was updated in situ, anybody sitting the exam after 1st of November would now be sitting the new OSCP+ certification. They would be removing the 10 bonus points of which many relied upon and the active directory section would now be an assumed compromise engagement. It was around this time they added three more chapters to the course, ‘Phishing basics’, ‘Enumerating AWS Cloud Infrastructure ’ and ‘Attacking AWS Cloud Infrastructure’. Though, I was disappointed to find out that I could not redownload the course content with these updated chapters seen as though I had paid for them. OffSec could take notes from this. These were, however, not to be on the exam.

Image

So I changed my strategy from “get through the reading as quickly as possible, complete all of the labs to collect the 10 bonus points and then start the challenge labs” to just get through the reading as quickly as possible, and then start the challenge labs.

“Lovely, this should be quicker now.” I thought to myself…

*Wakes up one cold winters morning in February 2025 *

“ah sh!t”

So with six months remaining, I studiously wrote off any social plans and informed my friends and family that I needed to lock in; and they should refrain from tempting me with anything sounding remotely more interesting than reading a ~900 page PDF. It was time to earn my OSCP… plus!

The course is jammed with good information but having not sat any other red team specific certifications I cannot talk to a comparison of say HackTheBox’s CPTS - though many regard CPTS as harder and more informative (just lacking clout). The first half of the chapters were in my opinion quite basic, I found myself skim reading or outright skipping sections as I found no information I didn’t already know. This is not to knock the content, I found it to cover many basics well, but in some areas not as concise as it could be. The general intention of the course is to force the learner into understanding a specific concept entirely, so that one can repeat it manually and know the ‘whys’ and ‘hows’ of what they are doing. This does mean that you are not using any automated exploitation toolsets or vulnerability scanners like nessus, metasploit framework or sqlmap. Great for beginner/intermediate study but not representative of real world scenarios.

The second half of the course was far more engaging and I found myself reflecting on how many gaps there were in my knowledge. Like many in the industry, my knowledge is mostly self taught with a blend of formal education and mentorship. Many times I realised that I often do something without understanding why it happens, only that I know what to do and what it will achieve; this course was the repointing of the gaps in my knowledge and I appreciated it very much.

A common critique of the course is that the materials provided are not enough to pass the exam. I would somewhat contest this claim, on the basis that the materials are enough to pass the exam if you use all of the materials provided - I just wouldn’t recommend it. This means not only reading all of the written content but also spending an equivalent amount of time in Proving Grounds… proving yourself. Though my perspective on this argument is that self study and research is part of any educational course, I just do not think that there are any pre-requisite courses that you need to do in order to take on OSCP, trusting you have some understanding of IT and networks.

This is not to say that you will not benefit from using external sources of information and tools that are not touched on within the course, its just to make the point that you absolutely can get by without. In my experience I found the subreddit and discord to be a great source of information to get your head around what to expect from the exam and additionally, help with the Proving Grounds challenges. Additionally, reading past learners write ups of their exam experience or write ups of the labs helps to give you a new perspective on problem solving.

From May until August I completed over 60 proving grounds boxes and 3 challenge labs, Medtech, Secura & OSCP A. This is where I would say most of the learning was done. A critical part of passing any exam is understanding the meta of the exam authors. Many of the machines that are available to you on Proving Grounds start to illustrate this meta and once you are ready to start tackling the challenge labs it is generally pretty straight forward - you eventually get a feel for how they write their labs and as an extrapolation of that, how you need to approach the challenges.

Probably my most crucial piece of advice to anyone sitting this exam is to refine your methodology by spending as many late nights as possible crunching through boxes on Proving Grounds. Your methodology is going to make or break your exam attempt, you have to be able to rely on it to back you up through 24-hours of stress and exam nerves. You’d be a fool to assume your calm and collected approach to the challenge labs will crutch you on D-Day; failure to prepare is preparing to fail as they say.

The challenge labs are really fun, my only regret throughout this journey is not sparing myself more time to enjoy all of them, instead I had to settle for three but there are eleven to play through.

Exam day

I booked the exam for early August 2025, nerves began to show in the days preceding. I was conscious that I had underutilised the full extent of the time I had available to study for this and despite how it may sound, I did really want to nail this exam. I remember feeling how I had felt before any big test at University, Sixth Form or school but this time there was a financial implication if I messed it up, as well as the sorrowful walk into the office to declare nothing had come of six months of study. Something, I was not willing to experience without a fight.

Image

The exam was scheduled for midday on a Sunday, I completed the registration and proctoring procedures and got underway. My plan was to crack on with the Active Directory set first, which to my displeasure ate three hours of my time and yielded no flags, I was unable to escalate my privileges. I combed through my notes and enumerated everything I could think of but no dice.

I took a short break and came back with a fresh head, I switched lanes and kicked off scans for all of the standalone boxes. Having quickly evaluated which one appeared to be the path of least resistance I began attacking. Three more hours had passed and I got my first foothold, 15 minutes later I had pwned the box. Now with 20 points, I was feeling good again. Onto the second standalone. This one took a couple of hours for me to find a way in, I enumerated hard but brushed over the entry point multiple times before I clocked what I was supposed to do. I got the foothold and spent another 30 minutes escalating privileges. At this point it was 8pm and I needed to make some dinner.

I took a lengthy break and toiled over my gameplan, with 40 points in the bag, I still needed another 30 to pass. The issue is, if I was able to pwn the final standalone I would still need to get past the first privilege escalation on the AD set to collect enough points to pass. On the other hand, however, if I was able to escalate my privileges on the first AD machine, I would still have to complete the entire set because of the way the points are allocated - 10 points each for box 1 and 2, 20 points for the domain controller. So with a third of the exam time gone, I didn’t feel that it was a good use of my time to work on the final standalone, if I can get past that first AD machine, then I should have a decent amount of time left to work through the set.

I had my dinner and got working on the AD set, after a couple of hours I had realised what I had been missing and collected another 10 points. It was getting pretty late and I didn’t want to fatigue myself. As I had learned from playing Proving Grounds, my mental efficiency declines rapidly as I tire and my time is better spent sleeping. Which is what I did. I left my desk for about 6 hours and tried to get as much rest as I could - though this was extremely difficult as despite being tired, the tense exam mindset did not lay rest and I found myself struggling to stay asleep.

That said, when I awoke I was able to take a fresh perspective on the problem at hand and had the energy to focus on finding a way to solve it. The time is now 7am and I have roughly five hours to pwn box 2 and the domain controller. Over the next 3 hours I would frequently glance at the time and proceed to hear my heart beat in my ears. I really needed to persevere and figure out a way to complete these machines.

By 10am I found the flag on box 2 and then just 15 minutes later I compromised the domain controller. My hands shot into the air as I punched away in celebration, I'm sure I must’ve given my proctor quite the shock with how fast I moved. That was it, 80 points, enough to pass on the condition that my report is good enough.

Wait, the report…

Cue the frantic final hour of screenshotting. My notes became an incoherent mood board of terminals as I desperately attempted to recreate everything I had done and made sure that I had everything screenshotted. I triple checked the flags that I had submitted and then calmly accepted fate as the clock ticked over 11:45am. My proctor ended the session and I laid back in my chair wondering why I put myself through all of that.

Afterwards, I took most of the day off, eating as many missed calories as I could and trying to balance my sleep schedule to make sure it didn’t have a knock on affect with my busy work week. I completed the report and submitted it. Five days later I received the email from OffSec notifying me that I had achieved the OSCP and OSCP+ certifications. I was extremely pleased with myself.

What’s next?

As we all know cert collecting is lame, you don’t need a flashy PDF to prove your worth in this industry… right? So am I going to start grinding out certifications? Yes obviously.

The experience was challenging, and I enjoyed pushing myself far out of my comfort zone. Forcing myself to learn and refine my skills. It’s something that I wish I could do easily without the need for certifications but it seems I - like many others - work well when there is financial and social consequence.

HackTheBox’s Certified Penetration Testing Specialist seems like the clear next move for me. Its a fraction of the price and I was able to buy it in the August sale for even cheaper, perfectly reasonable for a self funded certification. I have heard many accounts of how much harder it is than OSCP but that the course itself is far better. The way I see it going is that CPTS will eventually surpass OSCP in HR clout if they move to a proctored exam. I think until then, employers will recognise OSCP over it, solely due to the similarities in difficulty but with the assurances that you can’t cheat.

I am also interested in pursuing the Certified Red Team Operator (CRTO) certification from ZeroPoint Security. Another relatively cheap certification which many of the individuals I network with at industry events recognise as a good acknowledgement of AD skills.

As I am UK based, it would be unfair to not mention Cyber Scheme. For any US readers, Cyber Scheme is a competitor to CREST. In the UK, we have a programme called CHECK, set out by NCSC (National Cyber Security Centre) a child organisation of GCHQ (our NSA). NCSC accredit both providers the ability to issue CHECK Team Member (CTM) and CHECK Team Leader (CTL) statuses through their respective certifications.

CREST

CPSA + CRT = CTM

CCT INF = CTL INF

CCT APP = CTL APP

Cyber Scheme

CTSM = CTM

CSTL INF = CTL INF

CSTL APP = CTL APP

Why does this matter you may ask? Well achieving any of the above allows you to work on a CHECK team. Which along with the appropriate clearances, means you can perform pentests against critical national infrastructure domestically. Which understandably comes at a much higher day rate than your ordinary jobs.

Additionally, if you care, progressing through this path also allows you to apply for professional titles. The UK Cyber Security Council were empowered by government to start dishing out Practitioner, Principal and Chartered statuses to individuals holding the correct certifications. Which, if you’re culturally aware of the social class system in Britain, carries weight in some circles - that is if you’re more interested in socialising with lobbyists and lawyers than pwning boxes.

Interestingly, CREST and OffSec have an equivalency program, which allows OSCP holders who also achieve CPSA to pay a small fee and be given CRT without having to sit the exam. Unfortunately though, this does not contribute towards CHECK, if you want it to be valid for that you must sit the exam. If you’re interested in cert collecting though, this could be something worth knowing.

I would be partial to another OffSec certification but the cost to play is steep and there are other certs to flirt with here. If work offered me another license I would bite their arm off for it but would I shell out nearly three large ones personally? Maybe.

Written without AI.