TL;DR: I passed. Thinking about going for it? Do it, you won’t regret it.
Let’s face it. There are a lot of certifications out there. Before I took the OSCP (and the accompanying Pentesting with Kali Linux course), I spent most of my time researching the “right” course to bust my resume out of the shell it was contained in. I figured there had to be some magical letters that could separate me from the rest of the pack. I had recently taken the GPEN, so GIAC was out unless I wanted to take the GXPN, but ~$6000 is a lot to blow on training. I wanted practical, no hand holding. I wanted in-depth and outright awesome. I wanted the most bang for my buck, and I had been using Backtrack since BT3 – so the OSCP seemed like a solid fit.
I signed up for 60 days of lab time with the course materials and exam included for ~$1000. There is a negligible difference in price for time, it’s a lifetime cert, completely hands-on, includes the course material, free software, free SAINT license, a custom VM, 10 hours of video, AND great support.
First of all, I had to dedicate some serious time to this thing. In order to take the OSCP exam, you have to take the PWK course and be able to prove that you took it. What does that mean? It means you can take the exam at any time after you have purchased the course, but you won’t pass unless you can show that you actually took the course. The only real requirement is that you document nearly all of the exercises. And there are a lot. My final documentation (including the exam) was 238 pages.
The actual course material that contains the exercises is a PDF doc (no bookmarks) that is ~400 pages (369 IIRC). It contains 16 modules, 14 of which contain exercises that require documentation. You can read the syllabus on their website, but it covers all the standard things you might encounter on a pentest, while also traversing some unknown territory for a lot of people. It dabbles in exploit development, AV evasion, along with a myriad of other tips and tricks that should help you on the job. In the beginning, there is a fair amount of hand-holding to help you set up your environment, which does not require documentation. It dives right in and follows common pentesting methodology, filling in the gaps with common use cases for the included tools. The actual course had some great material in it, and I ended up picking up a few things that I wouldn’t have learned otherwise.
As the course progresses, it becomes noticeably about being independent and figuring things out for yourself. Several exercises point you in a generic direction and force you to think on your feet for a solution. Once you traverse the exploit development module, it feels sort of downhill in difficulty (which may simply be a product of the challenge of exploit dev). During the course, they have you practice on the lab network, which gives you some strong hints as to what you should do when you eventually invest all of your time in the labs.
SIDE TRACK: something that irked me a bit. When you purchase the course, you choose a Saturday to receive all of the material, and they don’t send you the PDF until then. Since you have to document all of the exercises, it forces you to “waste” valuable lab time by going through each and every module…
The lab network consists of some well configured lab machines that represent a real network fairly accurately. They span the entirety of a pentester’s toolbox and do a great job of forcing you to perform each step of the process carefully. I’m not going too reveal too much about the labs (since it would violate the agreement), but you can’t reach all of the boxes without pivoting over dual-homed machines into different networks. That being said, OffSec recommends you are able to compromise most of the machines in the “Student” network (with the exception of the (in)famously challenging ones) to consider yourself relatively prepared for the exam. I got around to most of them, but still ran out of time with 5 or 6 left.
The support for the course is quick to respond and very good about resolving issues. It’s a simple Freenode where you can go in and ping the admin. Any time I needed someone, I got help within a few minutes. A few times, I couldn’t connect to my debugging environment (they give you a Windows 7 box with some labs on it). The support team was quick to reset my box and I was able to connect again. I only had one incident where the support team led me astray and that was when I finally caved and asked for some help on a box. I had located a remote-file inclusion on a small web app and was having trouble exploiting it. Every once in a while, the exploit would succeed and I would get a shell only to have it die when commands were run, after which I couldn’t browse to that box anymore. I could browse on others, so I was convinced that it was that specific machine having issues. I reverted the box several times and it kept having the same issue. The admin told me that I “should look for another vector” if that’s the only thing I tried, and to use a different payload because the one I was using was unreliable. After looking around for other vectors and using other payloads for a couple hours, I decided to give it a rest and come back to it later. I returned to the box the next day with an open mind and decided to try my RFI one more time. It worked fine, totally stable. Not a huge deal, but if the solution is correct and I’m telling you I can’t connect to any part of the box, potentially the problem is on your end.
To keep it short, the exam was actually easier than the lab machines in my opinion. You’re given 48 hours total to compromise a small subset of machines with some restrictions on specific tool usage and turn in a report. More specifically, you have 23 hours and 45 minutes in the exam network, then 24 hours to turn in the report. The machines themselves are, again, very well designed. The network is stable and reflects the training environment well. Each target is given a point value and breaks down specific goals into smaller point values (partial points for local vs. root access, sufficient documentation, etc.) Every machine has a proof file that must be cat’d/type’d in order to prove access. I put way more effort into documenting my process for the exam machines than the lab machines, considering the former was the difference between passing and failing. You have the option of turning in a lab pentest report along with your exam report for extra points. I included my course documentation in the lab report and kept the exam report separate. I finished 80 points worth of the machines in ~9.5 hours (you need 70/100 to pass), and was left with plenty of time for documentation. In fact, I hadn’t started my lab report until two nights before my exam (the documentation was ready though, just needed to be organized). I started my exam on a Saturday morning at 9 AM, and turned in everything (including my KeepNote files) on Sunday at 3 PM.
I had a great time on this course, and wouldn’t trade the experience for anything. I highly recommend taking it if you’re on the fence. After turning in my documentation, I received a confirmation email ~7 hours later. I then got a congratulations email on Tuesday morning, only 1 full business day later! Feel free to leave your comments or questions below.