I know there are tons of OSCP reviews out there, but I am pretty sure that any student/professional looking to take the Penetration Testing with Kali (PWK) course and the challenge exam i.e. the Offensive Security Certified Professional (OSCP) would like to read new experiences. So here I am, writing my first blog on Offensive Security’s PWK course and OSCP exam which I hope helps someone on their journey of becoming an OSCP.
Who takes the OSCP exam and why?
Any person working in the penetration testing field (the practice of testing computer systems, software, networks and web applications for security weaknesses) would attempt this exam. However, many administrators and developers also take the OSCP exam, as it helps them configure or develop secure systems.
A few reasons why you should attempt the OSCP exam:
- Never expires: Yeah, you read that right! Once you receive your OSCP certification, it’s for life. No re-certification!
- New job opportunities: Yeah, you are probably going to get new invites from recruiters on LinkedIn and more job opportunities. The reason is that security has become so important in organisations that the demand for professionals with experience and certifications like the OSCP is at an all-time high.
- Great knowledge: The most important reason and a sure benefit of this course is the knowledge you gain. Sure, you will learn to exploit so-called obsolete vulnerabilities. But the truth is that this field is hard. If you wanna be a great hacker or penetration tester, you have to take baby steps, and this course is designed in a great way for you to self-learn and improve your skills.
The PWK Course
The PWK course comes with course materials and access to labs over VPN where you attempt to hack your way through various systems and networks. You can register for either 30, 60 or 90 days lab access.
How many days of lab access is sufficient for me?
The answer is that if you have a full-time job, I would suggest 60 or 90 days, which also depends on your work experience. I have over 6 years of experience in information security; however, I registered for a safe 90 days of lab access.
How much time should I give per day practicing in the Labs?
I personally spent nearly 3 to 4 hours almost every night and close to 7 to 8 hours on weekends, as I was working a busy full-time job. Initially, I would compromise one or even two machines a day, but over time the machines got harder and there were times when I spent a few days on a machine. Wait!! Don’t lose hope. Reaching out to offsec admins on support channels and reading the Offensive Security forums are the way to go in such situations. But keep in mind, Offsec admins help you based on your knowledge about the target machine. Else be ready to receive the cool yet annoying “TRY HARDER” messages from admins.
The course material is in the form of videos and a PDF with over 300 pages covering the PWK syllabus. The syllabus can be found here. I personally covered the videos and the PDF document because @muts (voice in the video) stresses certain concepts which you may or may not give importance to if you only read the PDF.
Is the PWK course material (PDF and videos) enough to hack systems in the Lab or pass the exam?
The answer is NO. The PDF and videos only help you learn the concepts, tools and a few techniques. You will have to apply what you’ve learnt and do a whole lot of googling to hack systems in the lab and exam.
This definitely deserves a separate section because it’s the key to passing the OSCP exam and the most rewarding part of the course. The Lab comprises systems mimicking a company network with known vulnerabilities and common misconfigurations over various network subnets, starting from the public network to the development network. In order to successfully compromise a system, you have to gain administrator/root access on a system and capture the flag/trophy, i.e. “proof.txt”. I personally compromised almost all the systems in the public network and most of the systems in the other networks.
Linux Privilege Escalation
Windows Privilege Escalation
Reverse shell cheatsheets and shellcode generation
Vulnerable VMs for practice
- https://www.vulnhub.com (Try searching “site:vulnhub.com oscp” on google for best results)
How do I know if I am ready for the OSCP exam?
From my experience, once you compromise all the systems in the public network (excluding the Big3, i.e. Pain, Sufferance and Humble), it’s enough to give you the confidence to attempt the OSCP exam. The reason is that by this time, you have covered enough scenarios and definitely have a fair idea of enumeration, modifying known exploits and privilege escalation. Compromising Pain, Sufferance and Humble will add to your confidence and no doubt teach you a lot more.
There are three components which need to be documented:
- Course exercises: The topics in the PDF include exercises at the end of the chapter. These exercises should be documented. Documenting course exercises earlier is better so that you don’t waste time towards the end of your lab access or just before the exam.
- Lab report: A Lab report should be prepared documenting all the compromised lab machines. Complete your lab report before scheduling your exam.
- Exam report: An Exam report should be prepared at the end of the exam documenting the compromised exam machines in the form of a formal penetration test report. Here is a sample report by Offensive Security which I used as a template while writing my own report.
The Exam report is mandatory to pass the OSCP exam even if you have compromised all machines during the exam. Up to 5 points may be earned by submitting your lab report. If the course exercises are included, then you may earn an additional 5 points. In all, you need 70 points to pass the OSCP exam. The lab report and course exercises could be incredibly helpful when you are short of points.
Firstly, you are expected to take the exam within 90 days after your lab expiry. However, after a grueling 60 days in the lab, I booked the exam on the evening of October 9, 2016. The exam is a 24 hour challenge to gain root/administrator access on 5 machines (none from the lab) and capture the “proof.txt” file. I won’t go into details of the exam for obvious reasons.
However the following tips will help you before the OSCP exam. Remember the OSCP exam tests your mental and physical endurance.
- Rest well before the exam
- Schedule periodic breaks. Try to be away from the computer during this period. It might help gather your thoughts.
- Eat your breakfast, lunch and dinner as per your daily schedule.
- Drink lots of water.
- Stock up some snacks and energy drinks.
- Maintain detailed notes of your enumeration so that you can refer to them easily.
- Perform a time check whenever you’re stuck on a single box too long. It’s probably not as complicated as you think it is. You probably haven’t enumerated enough.
- Take sufficient screenshots and validate them before the exam time ends because you have to prepare the exam report within the next 24 hours.
Even though I knew I had to rest well, drink lots of water.. bla bla.. I never managed to follow some of these tips coz I was so anxious throughout the exam.
I ended up compromising 4 out of the 5 boxes in good time which secured me 75 points. I slept the night and started the report in the morning. I then submitted the exam report along with the lab report and course exercises just in time before my report submission time ended. Two days later, I received an email.
Overall, this was an awesome experience and challenge for me. I would like to thank my wonderful wife for her support throughout my OSCP journey.
Stay tuned for my next blog post on my review and journey in attaining the GIAC Exploit Researcher and Advanced Penetration Testing (GXPN) certification from SANS.
Contact me on Twitter or leave a reply below if you have any questions.