I passed the exam on December 8, 2018. And then, eventually, went on to root all of the regular lab machines (~55) in all of the subnets. It was a blast!
This review will focus on some topics where I may have disagreed with the majority.
On preparing for the course
If you can pwn most of the recommended Vulnhub machines on your own, other than the ones involving buffer overflow, you’re already ready for the course!
Those VMs are all on par with the difficulty of the course, and some are even harder. And HackTheBox is quite a bit harder than the course.
You can stop worrying and sign up if you’ve already done those boxes without needing a walkthrough every step of the way.
If you’re not quite there yet, try working through Georgia Weidman’s book and/or course on Cybrary. It’s pretty similar to the PWK content.
Respect the challenge, but it might not be as hard as you’ve been led to believe. That is, as long as you meet the basic “prerequisites” listed by OffSec themselves and are self-motivated.
You’ll have to earn this, for sure, but I did it and so can you. I’m married, working full-time, and have a very busy 3-year-old son. I traded sleep for this certification!
You’ll see all over the internet people talking about taking 3, 4, even 5 attempts to pass this thing. I’m guessing that they may be the loudest voices. I passed it first time, and so did the two other people I know in real life who have taken the course. And two others I met online passed first time, as well. It’s doable.
- Full-stack web developer, primarily in the LAMP stack. ~10 years off and on
- Some experience in system administration in Linux (Ubuntu and CentOS)
- Experience with a few vulnerability scanners
- Enough networking knowledge to get by (but it’s my weak point for sure)
My background helped quite a bit. Programming knowledge wasn’t entirely necessary, but my experience with running servers gave me a feel for things that were out of place and worth investigating.
On automating your enumeration process
You’ll notice little things here and there that you want to automate, eventually, but don’t waste too much time on obsessing about your setup.
There’s value in going through the initial enumeration process manually. In doing so, you’ll be getting familiar with the little quirks of the tools.
Your lab time is precious.
Assuming you’re not already a pro, I suggest spending as much of your lab time as possible getting hands-on experience with different enumeration and exploitation techniques.
Spending time automating something you’re not very skilled at, or don’t fully understand yet, is just procrastinating. I realized that mistake early on and forced myself to focus on the real task at hand.
On using the forums for hints
Using the forums is totally fine. Forget the haters.
That is, *IF* you’ve already experienced the pain, in the past, of “Trying Harder” on some Linux and Windows machines on Vulnhub and HTB. At least a few times.
This means you already know what it’s like to chase rabbit holes for hours on end and frustrate yourself. It’s a critical step in an aspiring pen tester’s development. It helps you get a feel for what sort of things to look for, what’s usually a waste of time, and so on.
If you’ve done all that before, then it’s fine to check the forums after you’re stuck for an hour or two.
You can’t know everything up front and no one expects you to.
If you pick up a subtle hint from the forum, research the vulnerability on your own, and then figure out how to exploit it yourself, you’ve learned something and that’s the whole point.
On using metasploit
Many people say to not use it in the labs, lest you become dependent on it.
I recommend using Metasploit often in the labs, for the following reasons:
- To get comfortable with it and learn to use it properly. You get one shot on the exam with it, and should use that shot. Preferably on a 20+ point box!
- To prepare yourself for the real working world where you almost certainly will be using it. The PWK lab is a wonderful playground to experience Metasploit in its full glory against known vulnerabilities.
- To know if you’re on the right track with an exploit. You can then try to replicate the attack without using Metasploit.
Like the forum hints, you just need to exercise some self-discipline here. And then as long as you understand what an exploit does, try it yourself manually, and learn something new, you’re fine!
On buffer overflows
The PWK course materials will teach you everything you need to know on this topic to pass the OSCP exam. It’s quite straightforward. You definitely won’t need to pre-study before the course for this.
I dedicated a couple of weekend afternoons to following along with the buffer overflow instructions in the course materials and took point-form notes. I then practiced it so I could duplicate the whole process from my own notes alone.
Really, no extra resources were required other than the PWK content.
On the lab report
This may not be a popular opinion, but I think the lab report is a total waste of time.
It is a massive undertaking. You’ll almost certainly gain more than “5 points” of pwnage ability if you dedicate all that time and effort to the lab instead.
Personally, I thought that if I failed with a 65, I wasn’t ready to be an OSCP anyway. The point is to become a better pen tester, not just to get certified. If I failed, I would keep at it, learn more, and get better until I could pass without needing bonus points.
I spent ~3 hours a day in the lab for 35 days before the exam. Nearly all of that time was invested in learning as many attack vectors as I could, trying out lots of tools, and keeping only rough documentation. I got 4 roots and 1 low priv shell on the exam for ~87.5 points.
The exam was so much fun, anyway. I almost wish I could do it all over again!
Need practice with report writing?
You can do that by making a blog on your own time and doing some CTF write-ups. I don’t think working on the lab report while your PWK lab time is ticking down makes much sense.
Plus, you can’t share your lab report with the world. But your blog, on the other hand, may help you get a job later.
How to know you’re ready for the exam
Rooting 30-ish machines from the public network may expose you to enough techniques for a pass. You should be fairly comfortable with your enumeration process and not just 1-click pwning everything you see with Metasploit.
I do recommend pivoting to the other networks in the lab for the educational (and entertainment) value, but it’s not necessary for the exam at all.
And seriously, learn the buffer overflow before attempting the exam.
On writing the exam report
There’s some confusion out there on this topic. I can confirm that you can take the OffSec template, remove most of the fluff, and stick to the meat and potatoes of your exploitation process and screenshots. Keep it professional and you’ll be fine as long as you have enough points and have followed the instructions to the letter.
But don’t underestimate how long it takes to write the report, and how exhausted you’ll be at that time. It took me about 7 hours to write the report and I almost missed the deadline.
On 30, 60, or 90 days
I passed after 35 days of lab time and 31 rooted machines. Then I used the remainder of my 90 days of access to pivot to the other networks and root the rest.
It was nice to have the full 90 days to take my time with it and get maximum value from the course. 60 may have been enough, but 90 let me slow down the pace a little and spend more time with the family.
On the course being “outdated”
It’s true. A lot of the specific vulnerabilities are outdated. But many, I know for a fact, you’ll still run into in the real world. It’s the mindset and methodology though that matters, not necessarily the vulnerabilities you are exploiting.
I chose OSCP over any of the competitors because my goal was to get a new job, and it’s the most recognized pen testing cert. I figured I’d learn enough on the job in the real world to account for any “updates” that may be present in any of the other courses.
- Whitelist your VM directory in your antivirus program on the host machine. My VM instance got “quarantined” the day before my exam and corrupted it!
- Disable PHP on your Apache server, or else you may serve a shell to your own hacking VM.
- Manually logging into the OffSec VPN gets old fast. Set up autologin for the VPN connection. See here for instructions.
- For best results, use VMWare. Especially if using multiple monitors for Kali. VirtualBox is OK but clunky.
- Use the Impacket SMB server for copying files from your Kali machine to a Windows target. This method almost always works out of the box on Windows targets. You can then run `copy \\attacker-ip\sharename\nc.exe` from the target machine. It’s much simpler and more likely to work than the FTP and PowerShell methods outlined in the course materials.
- If you have some time before the course, it’s worth getting comfortable with using Burp Suite when attacking web applications. It’s not covered in the PWK course but will make your life easier. And it’s an essential tool in the real world.
Oh, right. This was supposed to be a review.
Was it worth it? Hell yes, it was. This was some of the most fun I’ve ever had and I was sad when my lab time expired.
The experience affirmed my desire for a career change, and then helped me get a real pen testing job.
I got a fantastic return on investment from this course.
I liked it enough to enroll in Offensive Security’s newest online course, Advanced Web Attacks and Exploitation.
Jon Wood, OSCP 🙂