Signing up
I finished up the last of my university submissions, then took a week off to let my brain rest. I signed up to the PWK course with 90 days of lab time. My course start time was about two weeks from paying, so h̶e̶a̶v̶i̶l̶y̶ ̶r̶e̶s̶e̶a̶r̶c̶h̶e̶d̶ ̶t̶h̶e̶ ̶c̶o̶u̶r̶s̶e̶ ̶s̶y̶l̶l̶a̶b̶u̶s̶ ̶a̶n̶d̶ ̶d̶i̶d̶ ̶t̶o̶n̶s̶ ̶o̶f̶ ̶C̶T̶F̶s̶ sat on my ass and played videogames in the meantime.
Course
The course content comes in the form of a PDF which is a few hundred pages long. While that might sound overly lengthy, it contains a lot of images, so it’s not eye rollingly dense. Additionally several hours of videos are supplied. These teach the same content as in the PDF. Most people seem to recommend watching the videos and then reading over the written content after each section to make sure you understand everything. In my opinion the PDF was well written, it’s lengthy enough that it teaches you the basics to start you off, while not just overwhelming you with useless information. The OSCP is about self learning, it’s not a memory dump like most exams, and the content reflects this. Learning the content will NOT bring you anywhere close to passing. The important knowledge comes from spending time in the labs.
Throughout the PDF there are multiple practical exercises too. These range from very useful for learning techniques to kind of “eh”. My biggest complaint with the course, while nothing major, was that a few of these exercises had not seemed to have been updated in a while, so rarely you would stumble upon a specific exercise where a tool was broken. I would spend a bit of time trying to figure out what I was doing wrong, before I checked on the forums and would find others who had stumbled into the same issue with a workaround.
I would recommend doing as many of the exercises as you can early so that you can get them out of the way and maximize your lab time. I did about half the exercises early on, then left the rest until the run up of my exam which was a bad idea.
Labs
This is the meat and potatoes of the entire course. The course content and exercises are the training wheels for the labs. The labs are set up in the format of multiple networks with many different exploitable machines in each. In total there’s over 50 machines to exploit which vary from quick owns to frustrating time sinks, all with different combinations of OSes and software.
Spending time in the labs was the most rewarding and enjoyable part of the course. I tried to stick to one root a day if possible, and I did for the first 30 days or so. After that I started on some of the harder machines and the additional networks which slowed down my progress a bit.
Some of the best parts about the lab is that because it tries to mimick a “real” network, it requires you to learn techniques that aren’t really common in HTB/Vulnhub. For example, there can be links between machines, so you need to refine your post exploitation skills. Because you must exploit other networks, you need to learn pivoting skills and so on. Owning every machine in the lab will require researching and learning lots of different techniques and tricks, far beyond what you’ll find in the course content.
An IRC channel and the official PWK forum are both available if you get stuck. I didn’t use the IRC for help personally, though I did visit the forum quite often. I would recommend trying to only visit for a quick hint when you’re really stuck, as you can become pretty dependent on hints otherwise.
In the week or two before my exam I had finished managed to exploit all 50+ machines in the labs that I was aware of, so I practiced on a few machines on HackTheBox. While these are pretty different from the kinds of machines you encounter during the OSCP labs, they are extra experience and help keep you in the rythym of owning machines before your exam.
Resources
I’ve read quite a few OSCP reviews/blogs like this where a ton of links and resources are supplied. While I think that those can be useful, a huge part of the course is about learning to be self sufficient and thorough enough in your research that you can quickly find X information about a certain service online and then research and use techniques Y and Z to exploit it quickly, so I won’t provide the dozens (I think it ended up being a couple hundred) bookmarks I made during my preparation and labs.
That said, a lot of people seem to struggle with privilege escalation when popping boxes both in and out of OSCP.
These two links are the most useful resources I had for this. Learn these off for they are your priv esc bible.
Fuzzy Security Windows PrivEsc guide
In terms of scripting, I tried to stay away from those, as I find you can become a little too reliant intead of learning how things work manually. My exception to this was for privilege escalation enumeraiton. I used the popular LinEnum and LinuxPrivChecker for this on Linux. For Windows I mostly did everything manually; but as a shameless plug I have since written a script for Windows privilege escalation, Clippy.
Exam Format and Restrictions
Before I talk about my exam experience, I’ll just go over the format for anyone that isn’t aware. The exam consists of five machines of varying points that you must exploit. You need 70/100 points to pass and you have 24 hours to do so. You are also required to write up a full detailed penetration test report on how you exploited the machines. You are given the day after the exam to write this up. This isn’t a short writeup, Offsec expect it to be clear and professionally written as if the exam were a real pentest, as reporting is a pretty key part of that.
Additionally by supplying a lab report of at least ten machines in the PWK lab along with ALL exercises an additional five points are available. Previously this was five points for each so the exam is a little more difficult than before these changes.
There are a few restrictions on tools you can’t use during the exam. This includes any tool with auto exploitation, e.g. SQLMap. I believe the reasoning is that it’s easy to point and click with these tools without actually knowing the underlying techniques on how to exploit the vulnerabilities and I can’t say I disagree.
You are not allowed to use commercial versions of tools (e.g Burp Pro, Metasploit pro).
You are allowed to use MetaSploit and Meterpreter including auxillary/post modules, but these are limited to one machine you choose during the exam. Previously you were allowed to use Metasploit on only one machine, but Meterpreter on any number of machines. This is no longer the case so the exam is again a little harder than it used to be.
Exam Day
My exam was scheduled for the 15th August, starting at 9AM. I spent the previous day relaxing and not looking anywhere near the labs/course; I’m glad I didn’t. The exam is hugely mentally draining, so try to go into it with a clear head and a relaxed mindset. You can’t cram learn for the OSCP exam. Spending the day prior to your exam frantically trying to learn everything won’t work, at that point you either have enough experience or you don’t.
I couldn’t sleep very well that night, but I woke up and prepped myself to be ready for the exam starting time.
I recieved my VPN pack from Offsec and connected. I spent a few minutes reading over the information provided about the exam to make sure I wasn’t going to make any stupid mistakes.
I got to work on the first machine (high points), I was making good progress with this and it should have fallen quickly, but I rushed a bit too much and ended up having to go over the steps I’d taken so far. After I figured out where I had messed up, this fell pretty shortly after, and I had my first box down which was a great feeling
Next I decided to focus on the lowest point machine, I scanned this and quickly found the exploitation vector. A few minutes later and I had another box down. “Two boxes before lunch! This is gonna be easy.” (Spoiler: it wasn’t.)
I finished off my scans on the other machines and took a ten minute break to catch myself. This is where things started to slow down.
I was left with two middle point machines and one high point machine. I should have stuck to my strategy and order on which box to attack next, but I kind of bounced between all three for a while not getting anywhere, before figuring out that I needed to disregard the other two and focus on one, so I chose the high point machine. In hindsight, I should have stuck to my plan because I wasted valuable time messing around on different machines at the same time.
I spent a bit enumerating this one again and found a vector for exploitation that I was pretty confident on. Actually carrying out that exploitation was far more difficult. Like earlier, after spending way too long banging my head, I repeated all my steps over again a few times, I figured out where I was going wrong and got the exploit to work. Shortly after owned the entire box, which was much easier than the initial attack. This was a major confidence boost and took away a lot of the stress.
After another short break I began hopping between the remaining two mid machines.
I don’t have my timeline notes handy with me when writing this to know exactly when I got the fourth machine, but it was around 4PM.
At this point I knew I had passed so long as I followed the steps and reported correctly, which was great. I wasn’t tempted to quit, at this point I needed that fifth box owned for my own ego. I took an hour break to eat and let my brain refresh and then went straight back to it. This final box was to me by far the most difficult of all the machines. 12AM rolled around and I had finally gotten user on it. An hour and two tracks on Mario Kart later and it was owned. All boxes down and I hadn’t needed to resort to using Metasploit for any box either.
I spent the another couple hours screenshotting EVERYTHING and making sure I hadn’t made any mistakes or missed anything.
3AM rolled in and I couldn’t look at the screen any longer, so I triple checked I had everything I needed and then went to bed, I woke up just as my VPN connection expired.
The next day I spent writing up my report, making sure everything was detailed enough and I had all my screenshots and steps documented correctly. I submitted it to Offsec along with my Lab Report around 10PM.
About a day and a half after submitting my exam an email came through while I was sleeping.
And with that, I’m now an OSCP!
Proctoring
I was part of the proctoring beta, and I can’t say I had any issues with it. The Offsec proctors were professional the whole time. At one point my webcam feed seemed to interrupt (I think Firefox killed the tab after a few hours), but after a quick refresh everything was working fine again.
I’ve seen quite a lot of controversy over this aspect of the exam as it will be compulsory very soon. I understand both point of views. Would I rather have not been on webcam? Well yeah, but it wasn’t anything more than a slight inconvenience either. That said I can absolutely see how it might be more of a concern for certain people.
From the perspective of Offsec I imagine cheating/group work is a difficult thing to combat. From what I’ve seen posted around the net about the issue, it was unfortunately becoming an increasingly common problem as OSCP continued to gain fame. However I’m glad that efforts are being made so that my legitimate cert which I worked hard for won’t be devalued by cheaters. Offsec aren’t going to go to the hassle of setting up the infrastructure for proctoring and having staff carry it out unless they think it’s worthwhile. And sure, a few cheaters are still gonna slip through like anything else in life, but let’s be honest, if you cheat in the OSCP you’re going to rightfully caught out in industry sooner or later when you can’t do what you’re supposed to.
Exam Tips
A few tips for anyone doing the exam.
- Stay calm and don’t rush. You have 24 hours, if you rush a step to save two minutes it may bite you in the ass when you make a mistake and then you’ve wasted multiple hours (I did this multiple times and it is VERY annoying)
- Get as much practical experience as possible. When I ran out of lab machines I subbed to HackTheBox and did another ~10 machines. Practice and refine your own “process”/technique of pen testing.
- Have your notes and commands well organized in advance so you can check important stuff in seconds.
- Probably unnecessary but I found writing out a lab report of ALL machines really useful. It helps you to evaluate what you did right/wrong in review when you have to remember your experience with a machine.
- Relax the day before the exam. I did no work at all. The exam is very mentally draining so I think if I had spent the day before hacking/studying i would have failed hard. This isn’t an ordinary exam so last minute cramming won’t help much.
Final Review
Good
- Labs were amazing. You will learn so much. I miss them already.
- The labs were amazing, I need to stress that again.
- Course content PDF is well written.
- Course content videos are professional and well spoken.
- Most of the exercises were useful.
- Exam was tough, but very, very rewarding.
Bad
- A handful of the exercises requiring some tool fixes/workarounds was a bit annoying.
Other (nitpicks)
- Exam slots can be booked up pretty far in advance, but this might just depend on what time of the year you do it.
- The course needs to be paid for in USD, so depending on your country/bank you might get charged an additional conversion fee.
In closing, I would highly recommend this course to anyone who wants to learn solid practical pentest skills. If you want a quick easy cert which you can memorize content and brain dump, this is NOT the course for you. It is hard. This course is one of the best examples of “you get what you put in”. If you are able to put in the time and effort to try hard, own as many machines as possible in labs and pass the exam, you will absolutely learn a ton of real practical skills.
Honestly, this is the best format of education I’ve ever experienced.
Road to OSCE next?