My Journey Through the Offensive Security Certified Professional (OSCP)

TL;DR: I passed. Thinking about going for it? Do it, you won’t regret it.

Decision Time

Let’s face it. There are a lot of certifications out there. I’ll tell you what, none of them are like this one. Before I took the OSCP (and the accompanying Pentesting with Kali Linux course), I spent most of my time researching the “right” course to bust my resume out of the fictional shell it was stuck in. I’m quite young (though there are younger in our field), but I figured there had to be some magical letters that could separate me from the rest of the pack. I went over CompTIA (A+, Sec+, etc.+) and decided it wasn’t enough. I had already taken the GPEN, so GIAC was out unless I wanted to take the GXPN, but who the hell has ~$6000 to blow on training? Nothing against SANS, there are some truly amazing people over there, it’s just so damn expensive. I thought about ISC2, but that’s slowly fading away as they hand out CISSPs like they’re going out of style. I wanted practical, no hand holding. I wanted in-depth and outright awesome. I wanted the most bang for my buck, and I had been using BackTrack since BT3 – so I figured “Why not make it official?”

Signing up

I signed up for 60 days of lab time with the course materials and exam included for ~$1000. The price difference between the lab-time options is negligible, and for that you get a lifetime cert that is completely hands-on and includes the course material, free software, a free SAINT license, a custom VM, 10 hours of video, AND great support.

The Course

First of all, I had to dedicate some serious time to this thing. In order to take the OSCP exam, you have to take the PWK course and be able to prove that you took it. What does that mean? It means you can take the exam at any time after you have purchased the course, but you won’t pass unless you can show that you actually took the course. The only real requirement is that you document nearly all of the exercises. And there are a lot. How many are there? My final documentation (including the exam) was 238 pages. There’s no question, you need to set time aside. With 40 hours a week as an analyst, it’s hard to find the time for anything other than studying and work. Of course, I wouldn’t have been able to do it without the support of my SO, who probably shouldn’t have put up with my crap when I kept saying “just one more box!”

Anyway, the actual course material that contains the exercises is a PDF doc (no bookmarks) that is almost 400 pages (369 IIRC). It contains 16 modules, 14 of which contain exercises that require documentation. You can read the syllabus somewhere else, but it covers all the standard things you might encounter on a pentest, while also traversing some unknown territory for a lot of people. It dabbles in exploit development, AV evasion, along with a myriad of other tips and tricks that should help you OTJ. In the beginning, there is a fair amount of hand-holding to help you set up your environment, which does not require documentation. It dives right in and follows common pentesting methodology, filling in the gaps with common use cases for the included tools. The actual course had some great material in it, and I ended up picking up a few things that I wouldn’t have learned otherwise.

As the course progresses, it becomes noticeably about being independent and figuring things out for yourself. Several exercises point you in a generic direction and force you to think on your feet for a solution. Once you traverse the exploit development module, it feels sort of downhill in difficulty (which may simply be a product of the challenge of exploit dev). During the course, they have you practice on the lab network, which obviously gives you some strong hints as to what you should do when you eventually invest all of your time in the labs.

SIDE TRACK: something that irked me a bit. When you purchase the course, you choose a Saturday to receive all of the material, and they don’t send you the PDF until then. Since you have to document all of the exercises, it forces you to “waste” valuable lab time by going through each and every module…

The lab network consists of some very well configured lab machines that represent a real network quite well. They span the entirety of a pentester’s toolbox and do a great job of forcing you to perform each step of the process carefully. I’m not going to reveal too much about the labs (since it would violate the agreement), but you can’t reach all of the boxes without pivoting over dual-homed machines into different networks. That being said, OffSec recommends you be able to compromise most of the machines in the “Student” network (with the exception of the (in)famously challenging ones) to consider yourself relatively prepared for the exam. I got around to most of them, but still ran out of time with 5 or 6 left.

The support for the course is quick to respond and very good about resolving issues. It’s a simple Freenode IRC channel where you can go in and ping an admin. Any time I needed someone, I got help within a few minutes. A few times, I couldn’t connect to my debugging environment (they give you a Windows 7 box with some labs on it). The support team was quick to reset my box and I was able to connect again. I only had one incident where the support team led me astray, and that was when I finally caved and asked for some help on a box. I had located a remote file inclusion on a small web app and was having trouble exploiting it. Every once in a while, the exploit would succeed and I would get a shell, only to have it die when commands were run, after which I couldn’t browse to that box anymore. I could browse to others, so I was convinced that it was that specific machine having issues. I reverted the box several times and it kept having the same issue. The admin told me that I “should look for another vector” if that’s the only thing I tried, and to use a different payload because the one I was using was unreliable. After looking around for other vectors and using other payloads for a couple of hours, I decided to give it a rest and come back to it later. I returned to the box the next day with an open mind and decided to try my RFI one more time. It worked fine, totally stable. Not a huge deal, but if the solution is correct and I’m telling you I can’t connect to any part of the box, maybe the problem isn’t on my end.

The Exam

To keep it short, the exam was actually easier than the lab machines in my opinion. You’re given 48 hours total to compromise a small subset of machines with some restrictions on specific tool usage and turn in a report. More specifically, you have 23 hours and 45 minutes in the exam network, then 24 hours to turn in the report. The machines themselves are, again, very well designed. The network is stable and reflects the training environment well. Each target is given a point value and breaks down specific goals into smaller point values (partial points for local vs. root access, sufficient documentation, etc.) Every machine has a proof file that must be cat’d/type’d in order to prove access. I put way more effort into documenting my process for the exam machines than the lab machines, considering the former was the difference between passing and failing. You have the option of turning in a lab pentest report along with your exam report for extra points. I included my course documentation in the lab report and kept the exam report separate. I finished 80 points worth of the machines in ~9.5 hours (you need 70/100 to pass), and was left with plenty of time for documentation. In fact, I hadn’t even started my lab report until two nights before my exam (the documentation was ready though, just needed to be organized). I started my exam on a Saturday morning at 9 AM, and turned in everything (including my KeepNote files) on Sunday at 3 PM.

Conclusion

I had a great time on this course, and wouldn’t trade the experience for anything. I highly recommend taking it if you’re on the fence. After turning in my documentation, I received a confirmation email ~7 hours later. I then got a congratulations email on Tuesday morning, only 1 full business day later! Feel free to leave your comments or questions below.

5 Replies to “My Journey Through the Offensive Security Certified Professional (OSCP)”

  1. Hi, I’m wondering what preparation you think is necessary to get the most out of the PWK course? I have about 7 years of IT experience and 3 years of infosec experience. I’d like to take PWK ASAP but I’m wondering how much programming is necessary; I have only a little programming background. And do you think the PWK course is sufficient to pass the OSCP exam?

    1. The PWK course is certainly sufficient to pass the exam, in fact IIRC all the purchases of the PWK course come with an exam attempt. You should be familiar with light programming concepts. Languages like Python, Bash, C, and Ruby will come in handy. The course stays away from mentioning any basic concepts and kind of assumes you know the basics already. Some of the other languages that are mentioned are Java, Assembly (x86), PHP, Perl, and SQL. Although the course walks you through it, it paid off to be familiar with modifying public exploits to suit your needs. You’ll notice that the majority of exploits you’ll use are written in C or Python. If you’re not comfortable with ASM (x86), I would see if you can slowly ease yourself into it using the tutorials over at corelan.be or fuzzysecurity.com. You can stop at simple stack-based overflows, as the course doesn’t go beyond that.

      With your experience, you may find yourself trying extra hard in the lab environment, which is totally fine. I don’t know a single person who didn’t buy an extension on their lab time. I took the easy route by purchasing 60 days from the get go. You schedule your exam within any 90 days of the end of your lab time. If you extend, it moves back. Feel free to ask some more questions, I’ll say what I can without violating the agreement.
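The reply above points at stack-based overflows and modifying public exploits as the programming skills to have. As an added example (my own code, not from the post, the comment, or the PWK course materials), here is a self-contained Python reimplementation of the two helpers that module leans on most: a cyclic pattern generator in the Metasploit pattern_create style, a lookup that maps a crashed EIP value back to the offset in that pattern, plus a builder for the classic junk + return address + NOP sled + shellcode buffer and a bad-character check. The register value, gadget address, shellcode bytes and bad-character set in the demo are constructed for illustration, not taken from any real target.

```python
"""Stack-overflow offset helpers in the style of pattern_create/pattern_offset.

Added example; not the course's or the post author's code.  The crash value,
return address and shellcode used in the demo at the bottom are made up.
"""
import string
import struct
from typing import Optional, Union

# 26 uppers * 26 lowers * 10 digits, 3 bytes each: the pattern is unique
# within this many bytes, after which the Aa0..Zz9 sequence would repeat.
PATTERN_PERIOD = 26 * 26 * 10 * 3  # 20280


def pattern_create(length: int) -> bytes:
    """Return `length` bytes of the cyclic "Aa0Aa1Aa2..." pattern.

    Every 4-byte window inside one period is unique, so whatever 4 bytes
    land in EIP (or in the saved EBP) map back to exactly one offset.
    """
    if not 0 <= length <= PATTERN_PERIOD:
        raise ValueError(f"length must be between 0 and {PATTERN_PERIOD}")
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode("ascii")
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(value: Union[int, str, bytes],
                   length: int = PATTERN_PERIOD) -> Optional[int]:
    """Map a crashed register value back to its offset in pattern_create(length).

    `value` may be the bytes as copied from memory (b"5Ao6"), the integer the
    debugger shows in EIP (0x366f4135), or that integer as hex text
    ("366f4135" or "0x366f4135").  Integer forms are x86 little-endian and
    are unpacked before searching.  Returns None if the value is not found.
    """
    if isinstance(value, str):
        value = int(value, 16)
    if isinstance(value, int):
        needle = struct.pack("<I", value & 0xFFFFFFFF)
    else:
        needle = bytes(value)
    idx = pattern_create(length).find(needle)
    return idx if idx >= 0 else None


def build_buffer(offset: int, ret_addr: int, shellcode: bytes,
                 nop_sled: int = 16, total: Optional[int] = None) -> bytes:
    """Assemble the vanilla overflow payload: junk up to the saved return
    address, the address of a JMP ESP-style gadget (little-endian), a NOP
    sled, then the shellcode.  `total` pads with trailing bytes so the
    buffer keeps the length the crash was originally found with.
    """
    buf = b"A" * offset + struct.pack("<I", ret_addr) + b"\x90" * nop_sled + shellcode
    if total is not None:
        if len(buf) > total:
            raise ValueError("payload does not fit in the crash length")
        buf += b"C" * (total - len(buf))
    return buf


def find_bad_chars(payload: bytes, bad_chars: bytes) -> bytes:
    """Return the bad characters that actually occur in `payload`, in order of
    first appearance.  Sending a payload that contains one is a common cause
    of an exploit that "sometimes works": the target truncates or mangles
    the buffer before the shellcode runs.
    """
    seen = []
    for b in payload:
        if b in bad_chars and b not in seen:
            seen.append(b)
    return bytes(seen)


if __name__ == "__main__":
    # Constructed scenario: a 2000-byte pattern crashed the target and the
    # debugger showed EIP = 0x366f4135 (hypothetical value).
    off = pattern_offset(0x366f4135, length=2000)
    print("EIP is overwritten at offset", off)
    # Hypothetical JMP ESP address and placeholder INT3 shellcode.
    exploit = build_buffer(off, 0x625011AF, b"\xcc" * 4, nop_sled=8, total=2000)
    print("payload length:", len(exploit))
    print("bad chars present:", find_bad_chars(exploit, b"\x00\x0a\x0d"))
```

The offset in the demo is what you would paste into a public exploit's "buffer = 'A' * N" line; the padding keeps the total length stable so the crash behaves the same way it did with the pattern.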

  2. Hi

    Thanks for the info. I would like to know technically if OSWP is worth learning or SANS. I am not looking from certification point of view but knowledge and better ways of white-hat attacks.

    Regards

    1. There’s a huge price gap between the two. It depends on which course you are looking at taking at SANS. OSWP focuses on wireless attacks. There is a [SANS course, SEC617](http://www.sans.org/course/wireless-ethical-hacking-penetration-testing-defenses), but it’s still > $5,000 to take in-person. The OSWP is only $450, so the value is pretty good there. Although for wireless attack knowledge, there’s not much you can’t find for free. The [aircrack-ng documentation](http://www.aircrack-ng.org/documentation.html) and [SecurityTube’s Wireless Megaprimer](http://www.securitytube.net/groups?operation=view&groupId=9) are great places to start. g0tmi1k also did a [great writeup](https://blog.g0tmi1k.com/2014/01/offensive-security-wireless/) on the OSWP.

  3. Hey!
    I am a student and know my way around a Linux machine pretty well. I do know Python programming and C programming. Brushing up on TCP/IP concepts as of now. I was wondering what more should I know before I start with the PWK course, which ultimately culminates in an OSCP certification.
    I will be giving 30 hours a week for those 13 weeks. Is this enough?

    P.S. I have zero experience in Pentesting, but I am willing to work hard as I want it as a career.
