My OSCP Journey: Triple Attemptsเส้นทาง OSCP ของผม: สามครั้ง
Hello everyone reading this blog. I'm "Sabastiaz" (my pen name). Today I'm going to share my OSCP exam journey. It might be a long one, so let's get started.
Before reading my OSCP journey, let me briefly introduce what OSCP is. OSCP, formerly known as Offensive Security Certified Professional and now called OffSec Certified Professional (code PEN-200), is an exam that penetration testers desperately want to conquer. It's notoriously difficult and highly coveted — including by me.
Badge OSCP
With that brief intro out of the way, feel free to dive into my OSCP Journey.
Let's Gooooo Going back two years, I had passed the CEH (Certified Ethical Hacker) and realized it wasn't enough, so I started looking for other certifications. While searching, I happened to notice there was going to be a Cybersec Asia 2024 event with booths from many companies including NCSA, M.Tech, Offsec, Crest, Tenable, WatchTowr and many more.
Details of various Booths
As an OffSec fan, I headed straight for the booth — only to stop dead in my tracks when I ran into my idol, P'Nop, CEO of Mayaseven, one of Thailand's leading pentesting firms. I had followed his work for a long time. After meeting him, I worked up the courage to introduce myself. P'Nop kindly helped negotiate a discount on the OSCP exam with Leon (I was excited and my English was shaky at the time), and I got Leon's contact for registration and the discount.
Below is the penetration tester roadmap shared by Mayaseven on their page — helpful for anyone interested:
Cybersec Asia x Thailand International Cyber Week 2024
It was an amazing event with countless vendors — easy to lose track of time wandering around. The event also featured The OSCP Jumpstart organized by SecureD, with a team of impressively credentialed professionals.
The OSCP Jumpstart: Mini Hands-On Training (OFFSEC)
The OSCP Jumpstart was a Mini Hands-On Lab applying techniques useful for the exam.
After attending the Jumpstart, my motivation to take the exam was ignited and I started drafting a rough exam schedule.
At this point, I have to thank my company for covering the exam cost — it's very expensive at $2,599 (nearly 90,000 baht).
Here are the course details:
I chose the Learn One course for its 1-year access and 2 exam attempts — perfect for working professionals. Two attempts is clearly the better value.
I started the course full of excitement. But that enthusiasm quickly faded due to work obligations and plain laziness — there wasn't much to do beyond the single lab provided in the system.
Just seeing the lab was enough to make me faint
Time passed until the first scheduled exam date.
First Attempt Would I pass? Of course not — I hadn't finished half the labs and hadn't completed even 5 lessons. But I'd already booked the date with one year and two attempts to go.
December 09, 2023 (First Attempt): Failed
I scheduled for 10 AM — my optimal time. The proctoring process required identity verification and equipment checks. My first attempt immediately threw me the notorious "Nightmare" machine. It lived up to its reputation — I failed as expected.
Passing score is 70 points or higher. My first result was a fail. I held onto the OffSec motto: TRY HARDER — keep fighting.
So I went back to prepare for round two.
While preparing for the second attempt, I registered for BlackHat Asia 2024 in Singapore.
BlackHat ASIA 2024
It brought together security professionals from around the world for 4 days full of sessions, activities, and partner booths — I'll cover it in another blog post.
At this event I got to know P'Tun "Clinton" (Facebook: Clinton Yimprasert, c1inton's Diary), also the owner of IC21 Tech Co., Ltd. We exchanged contacts for follow-up. Back home I practiced on Hack the Box but didn't focus enough, losing passion from the first failure.
Between attempts there was also HITB x PHDays, held in Thailand and free to attend — I wasn't going to miss that.
HITB x PHDays
This was a packed educational event — see the AGENDA for details.
I enjoyed every session. At this event I also met a great friend, Kim (Chairat Kimmie) aka "kyokito", who holds numerous CVEs and was one of the people who helped me pass by offering encouragement and advice. I also can't fail to mention P'Ta (Pichaya Morimoto) aka "longcat", Lead Penetration Tester at Siam Thanat Hack (STH), Thailand's leading pentest firm. He tutored me and provided detailed exam guidance.
P'Ta is also the Thailand Top Talent 2023 champion. Absolutely incredible.
Web Hacking like a Cat V.1
It took 4-6 months before my second attempt, using the last exam from the Learn One course.
Second Attempt
June 09, 2024 (Second Attempt)
Scheduled for 10 AM again, arrived 15 minutes early to verify everything. This round gave me another tough exam set. I managed to complete the Standalone machines and earned 10 bonus points, though getting them was hard.
June 11 2024 (Result round 2): Failed
When results came out: failed again. I crashed harder than ever before, thinking there was no way I wouldn't pass this time. I had been overconfident. I later realized the exam only counts points when you have a proper shell — not a webshell. One of my targets only gave me a webshell, making that machine worth 0 points.
After processing this, I had a serious conversation with my father, received support from family and my girlfriend, and planned my preparation much more seriously this time.
June — October 2024 (Preparation OSCP Round 3)
After two failures I found the TJNull and IPPSEC lists for exam preparation:
I followed the TJNull list and watched IPPSEC videos intensively, practicing labs every day. When laziness crept in, I reminded myself of past failures — that fired me right back up.
That fired-up feeling when thinking about past failures
I also practiced with HackTheBox Seasons 5 and 6, which had very fun challenges.
A few months before the exam I discovered the OffSec Exam HTB Lists:
This gave additional machines to practice. But I still felt it wasn't enough, so I asked P'Ta to tutor me the week before the exam — he generously agreed, for which I'm extremely grateful.
13 October 2024 (Tutoring Session — 1 Week Before Exam)
P'Ta tutored me with numerous tricks, highlighting where the exam commonly trips up candidates, covering every detail imaginable.
16 October 2024
This could be called a pre-exam blessing. My friend Kim happened to be ordained as a monk on the day of my exam, so he sent good wishes for my success and gave me extra advice.
Third Attempt My third and final attempt began.
18 October 2024 (Third Attempt): Passed
This round I'll write as a timeline — I managed myself much more systematically.
My time allocation plan: First 8 hours: complete AD for 40 points Next 12 hours: complete Standalone for 60 points Last 4 hours: review details and write Report
Timeline 07:00 Wake up and refresh 08:00 Breakfast, exam preparation 09:00 Called family for good luck blessings 09:45 Logged into Proctor system for identity verification 10:05 Exam started (slightly delayed due to a system glitch) 10:20 Started VPN and verified machine readiness 10:25 Checked exam targets and started the exam timer
Active Directory (1 Domain Controller and 2 Clients) 10:30 Began Recon and Enum, AD machines only 11:00 Found entry point for first AD machine 12:00 Got user flag AD machine 1 (0 points) 12:30 Got Administrator flag AD machine 1 (0 points) 12:45 Got information for AD machine 2 (0 points) 13:00 Accessed AD machine 2 (0 points) 13:30 Lunch break 14:00 Back to working on AD machine 2 (0 points) 14:30 Got user flag AD machine 2 (0 points) 14:45 Got Administrator flag machine 2 (0 points) 14:50 Accessed final AD machine (Domain Controller) 15:00 Got Administrator flag of Domain Controller (40 points)
At this point I had 40 points. Took a short break, stopped the AD timer, and started the Standalone timer.
Standalone (3 Machines) 16:00 Began Recon and Enum on machine 1 16:20 After Recon/Enum, found the same machine I couldn't solve last round 16:30 Switched to Recon/Enum on other machines 18:00 Found entry to machine 2 after falling into a rabbit hole 18:30 Dinner break — delicious food cooked by my aunt, giving me renewed energy 19:30 Recon and Enum machines 2 and 3 20:30 Got enumeration data, preparing entry 20:50 Found entry to machine 2 21:00 Came back to machine 1 — remembered the mantra Enum is Key and re-enumerated more thoroughly 22:00 After thorough enumeration, finally found the entry 22:30 Got user flag machine 1 (50 points) 22:45 Privilege Escalation machine 1 23:00 Got root flag machine 1 (60 points) 23:15 Accessed machine 2 23:30 Got user flag machine 2 (70 points) At this point I could have stopped — already at passing score — but the fighter's spirit pushed me forward. 00:00 Got root flag machine 2 (80 points)
After midnight I couldn't find entry to machine 3. The exam ended with 80 points.
19 October 2024 (Submit Report)
Today was all about writing the report. I used the official OffSec template, downloadable here:
For report content, I captured every step in the template with explanations — the more detail the better. I had been taking screenshots after finishing each machine during the exam, which made this much easier. I wrote from 12:30 PM and submitted at 23:30. Then came the anxious wait — OffSec states "10 Business Days," but my email arrived after just 4 days.
The page everyone waits for
After the email arrived, I claimed my certification through the OffSec link provided.
Offsec Certified Professional
And that's the end of my OSCP Journey. I hope you enjoyed it. Most importantly, thank you to everyone who helped me reach this point. Without everyone's support and encouragement, I could not have done it.
รายละเอียดของการสอบเป็นดังนี้ Exam Structure 60 points 3 independent targets 3-step targets (low and high privileges) 20 points per machine 10 points for low-privilege 10 points for privilege escalation 40 points 2 clients 1 domain controller Active Directory set Points are awarded only for the full exploit chain of the domain No partial points will be awarded เกณฑ์การผ่านคือ 70 คะแนนขึ้นไป
มีเรื่องราวระหว่างทางก่อนสอบรอบสอง หลังจากกลับจากประเทศสิงคโปร์ ก็ได้มีงานของ Hack in the box ซึ่งคืองาน HITB x PHDays จัดที่ไทยด้วยแล้วที่สำคัญเข้าฟรีสายฟรีแบบเรามีหรือจะพลาดก็ไปสิครับ
Active Directory (1 Domain Controller and 2 Clients ) 10.30 เริ่มการ Recon และ Enum Targets โดยทำเฉพาะแค่เครื่อง AD อย่างเดียว 11.00 เจอทางเข้าสำหรับ AD เครื่องแรก 12.00 Get user flag AD เครื่องแรก (0 point) 12.30 Get Administrator flag AD เครื่องแรก (0 point) 12.45 ได้ข้อมูลสำหรับ AD เครื่องที่ 2 (0 point) 13.00 เข้า AD เครื่องที่ 2 (0 point) 13.30 พักทานข้าว 14.00 ลุยต่อกับ AD เครื่องที่ 2 (0 point) 14.30 Get user flag AD เครื่องสอง (0 point) 14.45 Get Administrator flag เครื่องสอง (0 point) 14.50 เข้า AD เครื่องสุดท้าย (Domain Controller) 15.00 Get Administrator flag ของ Domain Controller (40 point)
ถึงตรงนี้ก็ได้มาในมือ 40 point แล้ว เลยพักสักนิดนึง พร้อมกับหยุดจับเวลาของ AD และเริ่มจับของ Standalone ต่อ