The 3 Ways to Fail at Your OSCP / OSCP+ Exam Report
Read this, and there is a 0% chance it will happen
My theory is that not even a single time has a candidate been failed because they weren’t good enough at report writing.
And yet, in the OSCP subreddit and other places where people discuss this certification, there are almost daily posts and comments from people who either failed because of the report or are scared that the report will be the reason they fail. How can this be?
All the exam reports being failed can be explained in 3 points:
You didn’t follow the instructions
You didn’t take notes during the exam
You overcomplicated, adding unnecessary risk
And that’s it! The report requirements from Offsec are very basic. No customer in the world would set as low a bar for a pentest report as they do.
The OSCP being an entry-level certification is probably half the answer to why so many people fail on the reporting part. And I’m here to tell you that avoiding this is very easy: Follow the instructions Offsec has given you.
Of the three points given above, only the second one has to do with your actual skills and methodology.
So yes, work on your note-taking, and make sure that you have all the notes you need to explain every step when you have finished one of the challenges.
If you are struggling with this, or with other factors during the exam, I wrote another article on how to perform on exam day. If you learn better in video form, here is the video:
Other important tips to avoid failing because of this:
Take note of every step needed to reproduce your finding
Don’t half-ass the report. You have 24 hours to write it, and you only need a handful of those hours.
Write the report draft as you go. Take notes of what you need, but also don’t spend time formatting and perfecting your report. You have more than enough time to write the report, as long as you have everything you need.
Screenshots
Take loads of them. Any time you feel like you are progressing, take a new screenshot. Find a method that is fast and won’t distract you from your work.
I use the Windows Snipping Tool on my host machine myself, and just save a large number of screenshots that I’ll sort later.
Of course, during actual pentest work I sort them immediately, but during certification exams, I do that work after I have completed the challenges required to get certified.
Which template to use
USE THE TEMPLATE OFFSEC HAS PROVIDED YOU!
Yes, there are some good report templates that have been created by people other than Offsec.
Yes, if you are a pentester, the report templates you use for engagements are probably way better than what they provide.
Yes, the template Offsec has provided you is basic, boring, and far from perfect.
However, it is what they prefer that you use, it is tailored to make you provide everything that is required, and there is a 0% chance the template will be a factor in you failing the exam.
Choosing another template is adding a risk factor to your exam for no reason. Don’t do it.
Here are links to the Offsec template; please use it:
Requirements from Offsec
Let’s go through all the requirements Offsec has for the exam report. Below is the link to their page listing all the requirements, followed by a more condensed version with what you need to know.
Documentation
Describe your exploitation process for each target
Document all your attacks including all steps, commands issued, and console output
The documentation should be thorough enough that your attacks can be replicated step-by-step by a technically competent reader
Exploit Code
If no modifications: Provide the URL to where the exploit can be found
If modified, you should include:
The modified exploit code
The URL to the original exploit code
The command used to generate any shellcode (if applicable)
Highlighted changes you have made
An explanation of why those changes were made
Exam Proofs
Include a screenshot of local.txt and proof.txt on each target machine.
Must be performed in an interactive shell on the target machine, with the type or cat command from their original location.
For full points on Windows targets, you must have a shell running as either SYSTEM, Administrator, or a user with Administrator privileges.
For full points on Linux targets, you must have a root shell.
So, remember: Don’t move the content before showing it, and web-based shells are not valid.
On all machines, take a screenshot showing the content of local.txt and proof.txt, as well as the IP address, by using the commands ipconfig, ifconfig or ip addr.
Example screenshot shown by Offsec
And lastly: Submit all flags in the Control Panel.
Conclusion: Don’t overcomplicate
The bottom line: Don’t expose yourself to unnecessary risk.
Any failure because of the report is easily avoidable. Don’t try to outsmart Offsec. Just fulfill the requirements they have, use every tool they provide you, and don’t let the report be a way to fail.
Pay special attention to the requirements for submitting your exploit code, and the way you need to screenshot the proofs: Must be performed in an interactive shell on the target machine, with the type or cat command from their original location.
This is where people overcomplicate. They do things like:
Move the flags to another folder
Use other fancy commands or macros they have created to run ifconfig/whoami/cat at the same time
Use only a web shell or similar to print the proof
The exam is hard enough as it is; there is no need to add more difficulty on your own.
Good luck!