panthadori

Passing the OSCP

Wed, 19 Nov 2025 00:00:00 +0000

Metrics

I took the OSCP on October 15th, 2025, and passed with 80/100 points on my first try.
I studied sparingly for 6 months and very intensely for 4.
It took me about 9 hours to get a passing score of 70.

Disclaimers

I took the OSCP using my company’s money and therefore got the expensive training.

Prior Knowledge

I’ve been working as an application security engineer for a few years and have also participated in a handful of CTFs, but I do not believe these experiences contributed greatly to my passing score. The OSCP is enitrely network penetration testing, which I had very little experience in before beginning to study.

If you’re starting from absolute 0 (like you don’t work with computers at all) you may want to consider taking Sec+ first to get a basic idea of ports, protocols, and how the network stack works.

Phase 1: Gathering Knowledge

I highly recommend taking the paid OSCP training. It is structured, understandable, and created by the people who will test you, so it enforces good habits early on. If you can afford it, or can get your company to pay for it, do so.

The OSCP training has ~27 modules at the time of writing. Almost every one of them is important. I took notes on every module, and still wished I had taken more and organized them better. I recommend taking notes on the purpose and requirements of every single command.

For example, if the module uses this command: nmap -p22 $IP --script ssh-auth-methods --script-args="ssh.user= $USER, I would take note of:

every argument (--script, -p, what are they, what do they add, how to use)
when I could use this command (what systems, and with what information)
why I would use this command (what does this accomplish, what information should I gain)

There are some modules I found less practical than others, but they are all fair game for the exam.

One thing to note here; although there are metasploit commands listed throughout the modules, the OSCP exam limits your use of metasploit to ONE machine. That means you cannot use it to tunnel, and if you rely too heavily on it you’ll miss other machines. I tried to use metasploit as little as possible when studying. There are other ways to find exploit scripts, and it’s better to learn how to edit them and pass arguments correctly anyway. I would only use metasploit as a last resort on the exam.

If you can’t afford the training, take a look at TJNull’s list here and start from the top. I’ll be referencing this guide in the next section anyway; it’s a great resource.

Key Points

I’d say a good general timeframe for obtaining a knowledge base is ~ 3 months (7hr days) - 7 months (3 hour days)
Take excellent, robust notes that are easily searchable, focusing on commands
Do the practice problems within the modules
Join the OSCP discord. It’s okay to look at hints, but only do so when you’re banging your head against the keyboard. And be sure to take note of why you needed the hint - this indicates something is missing from your notes.

Phase 2: Using the Knowledge

Once I finished the modules, I started with the Challenge Labs. I did labs 0-2 and 4-6, completely skipping the “stretch goal” and harder labs. This is because my primary goal was to pass the exam within the timeframe I had committed to.

I finished the Challenge Labs about a month before my exam. This left me a lot of time for the Proving Grounds Labs - other labs that Offsec provides access to as part of the paid training I purchased. At this point, I’d recommend just doing as many labs as possible to fill in your notes! Every machine you complete can teach you something new. I followed a list on this excel sheet (the Proving Grounds Practice section on row 47) and got through about 30 of them before the exam.

If you didn’t purchase the full training, you can still go through some of the labs in that list or purchase lab access separately for a much more reasonable price. There are also a lot of OSCP-like machines on HackTheBox and TryHackMe, as seen on the excel sheet and in TJNull’s list. Ideally, you’d have more than a month to go through all of these; I felt a bit rushed at this point.

Key Points

I’d recommend giving yourself at least 1 - 2 months of daily practice. I tried to complete 2-4 labs every day (after the Challenge Labs)
Refine your testing process. You should be using and refining your notes for every lab. This is your cheatsheet and your playbook!
Try not to use metasploit

Phase 3: Pre-Exam Preparation

About 2 weeks before the exam, I began paying more attention to my setup. I checked their operating system requirements for proctoring and scheduled several test sessions to ensure their proctoring software worked on my machine. I read all their guidelines; they want screenshots and flags to be submitted in a very particular way. And I created a Google Doc (I do not recommend LibreOffice - mine frozed when I added too many screenshots) following their recommended report template.

I ensured my playbook/cheatsheet/notes were ready for the exam and could be easily accessed. At this point you should already have a dedicated playbook that you’ve been using for all your labs. It should be familiar and rich with commands and suggestions. I host my notebook in this repo if you want an idea of what I’m talking about, but you should definitely create your own.

On the day-of, you’re going to want every little thing accounted for and out of the way. Make sure you’re ready so you don’t waste any time with setup once the clock starts!

Key Points

Treat your labs as the actual test. Take notes and use your cheatsheet as you would on test day.
Ensure your environment is ready according to their guidelines

Phase 4: Exam Day

Schedule your exam early if you’re like me and can’t sleep the night before important events. I probably got 2 hours of sleep and barely choked down breakfast at 7am, and still had to wait until 10am to start.

At 10am I got the login email, logged into the proctor portal, followed their instructions, and started at 10:15am. By 3:50pm, I only had 10 points. And by 7:30pm, I had 70. It’s okay to get stuck and then come back. I waited to do the AD set after I had tried all the standalones, but the order doesn’t really matter.

Take a deep breath and rely on your notes
Enumerate, enumerate, enumerate
You’re not allowed to record your screen, so give yourself time to check your screenshots and flags during the exam

Final Recommendations

There is a lot of amazing advice on r/OSCP; check out the top posts on there.

My favorite tools:

Ligolo-ng
Winpeas/linpeas
Bloodhound

Looking back, I genuinely enjoyed the process and feel infinitely more capable than when I started¹. If you’re planning on taking the test soon, I wish you the best of luck!!

But there was a strange since of loss when it was over; after all the adrenaline passed, I wondered ‘where do I go from here’? ↩︎

Sunshine CTF 2023 RE Challenge

Tue, 10 Oct 2023 00:00:00 +0000

Overview

Sunshine CTF 2023 had two reverse-engineering challenges that my team completed (just before time ran out, too!). This post describes my thought process behind Dill, a challenge worth 100 points.

Dill

‘Dill’ provides players with a .pyc file that is unreadable to users. A .pyc file contains the bytecode of the python file, not the source code. The source code has already been compiled, and we need to decompile it to read it. We can also understand what the .pyc file is doing by running it in a debugger,

Luckily for us, this .pyc file can be easily decompiled by a tool called uncompyle.

It can be downloaded here: https://pypi.org/project/uncompyle6/#files
Choose the latest .whl file and install like: pip install uncompyle6-3.2.3-py27-none-any.whl.
You should now be able to type uncompyle6 --version via commandline and receive a version number.
With this tool, we can decompile dill.pyc like so: uncompyle6 dill.pyc.

Now we have the source code:

class Dill:
    prefix = 'sun{'
    suffix = '}'
    o = [5, 1, 3, 4, 7, 2, 6, 0]

    def __init__(self) -> None:
        self.encrypted = 'bGVnbGxpaGVwaWNrdD8Ka2V0ZXRpZGls'

    def validate(self, value: str) -> bool:
        return value.startswith(Dill.prefix) and value.endswith(Dill.suffix) or False
        value = value[len(Dill.prefix):-len(Dill.suffix)]
        if len(value) != 32:
            return False
        c = [value[i:i + 4] for i in range(0, len(value), 4)]
        value = ''.join([c[i] for i in Dill.o])
        if value != self.encrypted:
            return False
        return True

Here is what I notice when reading through the class:

the prefix and suffix are irrelevant to the encrypted string, since they are just part of the flag for Sunshine CTF.
self.encrypted must be the encrypted string. We will have to understand how it was created to understand how to decrypt it.
the length of the encrypted and decrypted string is the same (32)
there seems to be a strange ordering of numbers in array o declared at the top
c and value build the encrypted string. This is where we will be focusing the most, since we will have to undo this process.

I want to run this script locally to test it first. I removed the class and added a main function. I also wanted to understand what `c` and `value` were doing, so I printed them out.

prefix = 'sun{'
suffix = '}'
o = [5, 1, 3, 4, 7, 2, 6, 0]

encrypted = 'bGVnbGxpaGVwaWNrdD8Ka2V0ZXRpZGls'

def validate(value: str) -> bool:
    print(value)
    if len(value) != 32:
        print("not right length")
    #for every group of 4 letters letter in value
    c = [value[i:i + 4] for i in range(0, len(value), 4)]
    print(c)
    value = ''.join([c[i] for i in o]) # add back the quartets in a strange order
    if value != encrypted:
        return False
    return True

def main():
    string = encrypted
    validate(string)

if __name__ == "__main__":
    main()

Output

Ah, so these blocks of 4 letters have been rearranged according to the order listed in o. To put them back, we have to create a new array that organizes them in order. Since 0 should be the first block and is listed last in the array o, we know that the last index 7 should be printed first. Similarly, since 1 is the second block and is printed at index 1. 2 is the third block and is printed at index 5.

o = [5, 1, 3, 4, 7, 2, 6, 0]

To print the blocks in the correct order again, we will use this new array:

a = [7, 1, 5, 2, 3, 0, 6, 4]

By reordering the blocks, we arrive at the solution:

prefix = 'sun{'
suffix = '}'
o = [5, 1, 3, 4, 7, 2, 6, 0]
a = [7, 1, 5, 2, 3, 0, 6, 4]

encrypted = 'bGVnbGxpaGVwaWNrdD8Ka2V0ZXRpZGls'

def validate(value: str) -> bool:
    print(value)
    if len(value) != 32:
        print("not right length")
    #for every group of 4 letters letter in value
    c = [value[i:i + 4] for i in range(0, len(value), 4)]
    print(c)
    # add back the quartets out of order to 'encrypt' them
    value = ''.join([c[i] for i in o])
    # reorder the quartets to decrypt them
    unencrypt = ''.join([c[i] for i in a])
    print("here", unencrypt)
    if value != encrypted:
        return False
    return True

def main():
    string = encrypted
    validate(string)

if __name__ == "__main__":
    main()

Solution output:

Just add the prefix back to the string, and we have the flag!

Boba Tea Ratings

Thu, 21 Sep 2023 00:00:00 +0000

Overall

9.5 Orobae, California
9.0 Cha Kyojyou, Japan, Kyoto
8.8 Matcha Republic, Japan, Uji
8.7 Omomo, California
8.1 Tea 18, Japan, Hiroshima
8.0 BobaPop, California
7.6 Tiger Sugar, Maryland
7.5 Kung Fu Tea, California
7.2 Ding Tea, California
6.6 XiuXiu Cafe, Japan, Kyoto

By Location

California

9.5 Orobae

Osmanthus oolong milk tea, 0% sugar

8.7 Omomo

Osmanthus oolong milk tea, 0% sugar

Deliciously floral, bright, and similarly woody. The milk adds a creaminess that blends well with the natural sweetness of the osmanthus flowers and tender boba pearls.

8.0 BobaPop

Osmanthus oolong tea 30% sugar

This drink’s flowery and grainy heartiness are dimmed with the addition of milk, and enhanced with a small addition of sweetner. Refreshing and classic. The boba is firmly chewy and sweet (but not sweet enough to replace the sweetner).

7.5 Kung Fu Tea

Oolong or green milk tea 0% sugar

Kung Fu tea could be called the Starbucks of boba. They’re consistent, everywhere, and brew decent tea. Both the oolong and green tea are good; not the best in their class but flavorful (without being bitter) nonetheless. The oolong comes off as a more earthy black tea while the green is akin to a jasmine. I like getting the milk tea and the milk cap for a creamier sip.

7.2 Ding Tea

Oolong Milk Tea with Boba, 0% sugar

This tea has a pleasantly strong oolong taste that nears hojicha. Earthy and not bitter. The boba is soft, very slightly flavored like brown sugar, and almost too gooey. The drink would benefit from a sweeter boba mixture.

Maryland

7.6 Tiger Sugar

Japan

9.0 Cha Koujyou

Brown Sugar Milk Tea

This small shop nestled in an underground train station mall serves some of the best boba in Japan. The tea selection is broad, and all the flavors I tried were high quality. The boba was perfectly honey-sweet and chewy.

8.8 Matcha Republic

Matcha Latte

Deliciously thick and flavorful matcha drink with freshly ground matcha. The best I’ve had. No bitterness, only a sweet grassy flavor.

8.1 Tea 18

Taejilang oolong milk tea

A gentle drink with full-flavored oolong and sweet boba.

6.6 XiuXiu Cafe

Golden black milk tea with boba

Tea had a slight bitter taste that lingered beneath a floral and wheaty earl grey flavor. The boba was firm and chewy but lacked sweetness.

Secure a New Ford Vehicle by Disconnecting the TCU

Sat, 04 Feb 2023 00:00:00 +0000

TL;DR

Ford, and many other car manufacturers, have begun demanding that you forsake your right to privacy by connecting your phone to your vehicle during the buying process. This post describes a simple method of severing this connection, and is intended for fellow members of the tinfoil hat community that are ready to forgo the very savory convenience of starting your car from inside the house when it’s 30F outside.

The What and Why behind the TCU

Phone apps such as ‘FordPass’, ‘Toyota’, and ‘HondaLink’ allow owners to remotely start, lock, unlock, and monitor their vehicle. These apps work by communicating with the TCU in the vehicle.

A TCU (Telematics Control Unit) is an embedded system in a vehicle that wirelessly connects the vehicle to cloud services or other vehicles over a cellular network.

How convenient! Unfortunately, this very same module allows car manufacturers to collect data from your vehicle, and upon connection, your phone.

As I have recently purchased a new Ford, this post will focus on Ford’s privacy policies, apps, and vehicles.

According to the FordPass privacy policy, Ford will collect:

vehicle location
driving data (including speed, brakes, steering, seat belts)
voice commands (when the vehicle’s voice recognition system is in “active listen” state)
phone location
phone specifications
app usage metrics

FordPass does not have multi-factor authenticaion, so anyone who has your password and the VIN of your vehicle is able to start, lock, and unlock your car.

The TCU is also vulnerable to remote vehicle attacks.

These vulnerabilities can be mitigated by removing the TCU from its power source. I used a pair of pliers.

How to Disconnect the TCU

This process will vary depending on the specific make and model of the vehicle.

In the owner’s manual, under ‘Fuses’, find the fuse labelled ‘Telematics control unit module’. Specific to my car, this is located under the passenger’s glovebox.
If needed, remove the cover panel to reveal the fusebox. I took mine from the bottom and pulled gently to un-latch three tabs.
Identify the fuse.
Pull out the fuse. While the car is off, use pliers or fingers to gently remove the fuse.
Replace the panel cover.
Ensure that the vehicle is disconnected.
Keep the fuse in a safe place in case of vehicle return, repair, or investigation.

Outcomes

Disconnecting the TCU successfully deactivates cellular service to and from the vehicle
Bluetooth and radio are still operational
There are no error messages or warnings within the vehicle
Taking the vehicle to Ford for other recalls has not yet raised alarms among the employees