My Journey Through the Offensive Security Certified Professional (OSCP)

TL;DR: I passed. Thinking about going for it? Do it, you won’t regret it.

Decision Time

Let’s face it. There are a lot of certifications out there. Before I took the OSCP (and the accompanying Pentesting with Kali Linux course), I spent most of my time researching the “right” course to bust my resume out of the shell it was contained in. I figured there had to be some magical letters that could separate me from the rest of the pack. I had recently taken the GPEN, so GIAC was out unless I wanted to take the GXPN, but ~$6000 is a lot to blow on training. I wanted practical, no hand holding. I wanted in-depth and outright awesome. I wanted the most bang for my buck, and I had been using Backtrack since BT3 – so the OSCP seemed like a solid fit.

Signing up

I signed up for 60 days of lab time with the course materials and exam included for ~$1000. The price difference between the lab-time options is negligible, and for that you get a lifetime cert that is completely hands-on and includes the course material, free software, a free SAINT license, a custom VM, 10 hours of video, AND great support.

The Course

First of all, I had to dedicate some serious time to this thing. In order to take the OSCP exam, you have to take the PWK course and be able to prove that you took it. What does that mean? It means you can take the exam at any time after you have purchased the course, but you won’t pass unless you can show that you actually took the course. The only real requirement is that you document nearly all of the exercises. And there are a lot. My final documentation (including the exam) was 238 pages.

The actual course material that contains the exercises is a PDF doc (no bookmarks) that is ~400 pages (369 IIRC). It contains 16 modules, 14 of which contain exercises that require documentation. You can read the syllabus on their website, but it covers all the standard things you might encounter on a pentest, while also traversing some unknown territory for a lot of people. It dabbles in exploit development, AV evasion, along with a myriad of other tips and tricks that should help you on the job. In the beginning, there is a fair amount of hand-holding to help you set up your environment, which does not require documentation. It dives right in and follows common pentesting methodology, filling in the gaps with common use cases for the included tools. The actual course had some great material in it, and I ended up picking up a few things that I wouldn’t have learned otherwise.

As the course progresses, it becomes noticeably about being independent and figuring things out for yourself. Several exercises point you in a generic direction and force you to think on your feet for a solution. Once you traverse the exploit development module, it feels sort of downhill in difficulty (which may simply be a product of the challenge of exploit dev). During the course, they have you practice on the lab network, which gives you some strong hints as to what you should do when you eventually invest all of your time in the labs.

SIDE TRACK: something that irked me a bit. When you purchase the course, you choose a Saturday to receive all of the material, and they don’t send you the PDF until then. Since you have to document all of the exercises, it forces you to “waste” valuable lab time by going through each and every module…

The lab network consists of some well configured lab machines that represent a real network fairly accurately. They span the entirety of a pentester’s toolbox and do a great job of forcing you to perform each step of the process carefully. I’m not going to reveal too much about the labs (since it would violate the agreement), but you can’t reach all of the boxes without pivoting over dual-homed machines into different networks. That being said, OffSec recommends you be able to compromise most of the machines in the “Student” network (with the exception of the (in)famously challenging ones) to consider yourself relatively prepared for the exam. I got around to most of them, but still ran out of time with 5 or 6 left.

The support for the course is quick to respond and very good about resolving issues. It’s a simple Freenode IRC channel where you can go in and ping the admin. Any time I needed someone, I got help within a few minutes. A few times, I couldn’t connect to my debugging environment (they give you a Windows 7 box with some labs on it). The support team was quick to reset my box and I was able to connect again. I only had one incident where the support team led me astray, and that was when I finally caved and asked for some help on a box. I had located a remote file inclusion on a small web app and was having trouble exploiting it. Every once in a while, the exploit would succeed and I would get a shell, only to have it die when commands were run, after which I couldn’t browse to that box anymore. I could browse to others, so I was convinced that it was that specific machine having issues. I reverted the box several times and it kept having the same issue. The admin told me that I “should look for another vector” if that’s the only thing I tried, and to use a different payload because the one I was using was unreliable. After looking around for other vectors and using other payloads for a couple of hours, I decided to give it a rest and come back to it later. I returned to the box the next day with an open mind and decided to try my RFI one more time. It worked fine, totally stable. Not a huge deal, but if the solution is correct and I’m telling you I can’t connect to any part of the box, the problem is potentially on your end.

The Exam

To keep it short, the exam was actually easier than the lab machines in my opinion. You’re given 48 hours total to compromise a small subset of machines, with some restrictions on specific tool usage, and turn in a report. More specifically, you have 23 hours and 45 minutes in the exam network, then 24 hours to turn in the report. The machines themselves are, again, very well designed. The network is stable and reflects the training environment well. Each target is given a point value, broken down into smaller point values for specific goals (partial points for local vs. root access, sufficient documentation, etc.). Every machine has a proof file that must be cat’d/type’d in order to prove access. I put way more effort into documenting my process for the exam machines than for the lab machines, considering the former was the difference between passing and failing. You have the option of turning in a lab pentest report along with your exam report for extra points. I included my course documentation in the lab report and kept the exam report separate. I finished 80 points worth of the machines in ~9.5 hours (you need 70/100 to pass), and was left with plenty of time for documentation. In fact, I hadn’t started my lab report until two nights before my exam (the documentation was ready though, it just needed to be organized). I started my exam on a Saturday morning at 9 AM, and turned in everything (including my KeepNote files) on Sunday at 3 PM.

Conclusion

I had a great time on this course, and wouldn’t trade the experience for anything. I highly recommend taking it if you’re on the fence. After turning in my documentation, I received a confirmation email ~7 hours later. I then got a congratulations email on Tuesday morning, only 1 full business day later! Feel free to leave your comments or questions below.

5 Replies to “My Journey Through the Offensive Security Certified Professional (OSCP)”

  1. Hi, I’m wondering what preparation you think is necessary to get the most out of the PWK course? I have about 7 years of IT experience and 3 years of infosec experience. I’d like to take PWK ASAP but I’m wondering how much programming is necessary; I have only a little programming background. And do you think the PWK course is sufficient to pass the OSCP exam?

    1. The PWK course is certainly sufficient to pass the exam, in fact IIRC all the purchases of the PWK course come with an exam attempt. You should be familiar with light programming concepts. Languages like Python, Bash, C, and Ruby will come in handy. The course stays away from mentioning any basic concepts and kind of assumes you know the basics already. Some of the other languages that are mentioned are Java, Assembly (x86), PHP, Perl, and SQL. Although the course walks you through it, it paid off to be familiar with modifying public exploits to suit your needs. You’ll notice that the majority of exploits you’ll use are written in C or Python. If you’re not comfortable with ASM (x86), I would see if you can slowly ease yourself into it using the tutorials over at corelan.be or fuzzysecurity.com. You can stop at simple stack-based overflows, as the course doesn’t go beyond that.

      With your experience, you may find yourself trying extra hard in the lab environment, which is totally fine. I don’t know a single person who didn’t buy an extension on their lab time. I took the easy route by purchasing 60 days from the get go. You schedule your exam within any 90 days of the end of your lab time. If you extend, it moves back. Feel free to ask some more questions, I’ll say what I can without violating the agreement.

  2. Hi

    Thanks for the info. I would like to know technically if OSWP is worth learning or SANS. I am not looking from certification point of view but knowledge and better ways of white-hat attacks.

    Regards

    1. There’s a huge price gap between the two. It depends on which course you are looking at taking at SANS. OSWP focuses on wireless attacks. There is a [SANS course, SEC617](http://www.sans.org/course/wireless-ethical-hacking-penetration-testing-defenses), but it’s still > $5,000 to take in-person. The OSWP is only $450, so the value is pretty good there. Although for wireless attack knowledge, there’s not much you can’t find for free. The [aircrack-ng documentation](http://www.aircrack-ng.org/documentation.html) and [SecurityTube’s Wireless Megaprimer](http://www.securitytube.net/groups?operation=view&groupId=9) are great places to start. g0tmi1k also did a [great writeup](https://blog.g0tmi1k.com/2014/01/offensive-security-wireless/) on the OSWP.

  3. Hey!
    I am a student and know my way around a Linux machine pretty well. I do know Python programming and C programming. Brushing up on TCP/IP concepts as of now. I was wondering what more should I know before I start with the PWK course, which ultimately culminates in an OSCP certification.
    I will be giving 30 hours a week for those 13 weeks. Is this enough?

    P.S. I have zero experience in Pentesting, but I am willing to work hard as I want it as a career.
