In this post I will outline my experience with Offensive Security’s PWK (Penetration Testing with Kali Linux) course and the accompanying OSCP (Offensive Security Certified Professional) exam.
MY BACKGROUND AND PREPARATION
Before enrolling in the PWK course I was working IT helpdesk (answering phones, making tickets, etc.). I had earned my CompTIA A+ and Network+ certifications in 2019 and was looking to earn my Security+ to complete the trifecta. While researching Security+ in January 2020, I discovered the fabled OSCP exam on some Reddit threads. OSCP sounded way more interesting than Security+, so I decided to give it a shot. I downloaded the official Kali image, signed up for HackTheBox, and started binging Ippsec videos on YouTube. I went through about 20 Ippsec videos prior to signing up for PWK.
Offensive Security lists the following as course prerequisites: a solid understanding of TCP/IP networking, reasonable Windows and Linux administration experience, familiarity with Bash, and scripting with basic Python or Perl. I did not have any Linux experience prior to my first Kali install. I also did not have any Bash/scripting experience. This definitely put me at a disadvantage during the course because I was continuously researching Bash/Python syntax while running exploits. If you are not on a time crunch, I would recommend taking a short Python course and reading the Linux man pages.
I signed up for PWK in February and started the course mid-March with 90 days of lab access. It took me about 60 days to get through the monstrous 850+ page PDF. At the end of the 90 days I had root/admin on 25 machines, with a user shell on an additional 6.
The PWK course material was phenomenal. I found a lot of value in watching the videos first while reading the corresponding section in the PDF at the end of each video. The content in the videos and PDF is not always the same for each module. My biggest piece of advice is to take your time. Some people recommend blazing through the material in a week or two and spending the rest of your time in the labs. This may be a good approach if you have some penetration testing experience. If you’re new like me, I suggest going slowly through all of the videos and PDF to make sure that you fully understand the material before dedicating a lot of time to the labs.
The OSCP exam is a scary, exciting, and tiresome marathon. You are given a 24-hour VPN connection to 5 machines with varying point values. The objective is to obtain user and root flags on each of the machines. You need 70 points to pass the exam. I attempted the exam on June 12th at 9:00 AM. I scored 35 points from 2 machines within the first couple of hours, but struggled to find the correct exploitation paths on the remaining servers over the next 10+ hours. I ultimately ended my exam with about 60 points, not enough to pass. The hardest part about the exam is the rabbit holes. The exam machines are designed to deceive. There were some exploitation paths that looked very promising to me, but only led to dead ends. The reason I failed was that I became hyper-focused on the dead ends rather than taking a step back to reevaluate my options.
With one exam attempt behind me, I immediately scheduled my next attempt for July 17th at 8:00 PM. I focused entirely on improving my enumeration in the month leading up to the second attempt. I completed an additional 35 retired HackTheBox machines and intensely studied Ippsec's and 0xdf's enumeration methodologies. The night of the exam I made a big ol' pot of coffee, connected to the VPN, greeted the proctors, and started hacking away. This time I was able to quickly identify the truly vulnerable services and applications on most of the machines. After 2 hours I once again had 35 points. Another 5 hours later and I was back to roughly 60 points. At this point I was sitting on two low-privileged shells. All I had to do was escalate my privileges and claim my certification. I decided to sleep for a few hours and approach privesc with a fresh perspective. After arriving back at the terminal, I elevated both shells in under 2 hours. Knowing that I had enough points to pass, I relaxed and focused on writing clear and concise documentation paired with screenshots for each machine. When the VPN connection closed I had rooted 4 boxes. I took another short nap and completed my report.
After 3 days (which felt like an eternity) I received this glorious email:
Earning my OSCP designation was a bittersweet moment. I feel validated knowing that I have the technical know-how to pass the exam, but I miss the grind of chasing the certification. I still feel like a complete noob.
I have recently started a desktop support role, but intend to continue my infosec education. My goal for the remainder of 2020 is to learn more about web exploit development and earn my OSWE certification. I signed up to start Offensive Security's AWAE course in October and hope to be ready for the OSWE exam by December.
Feel free to reach out to me on Twitter if you have any questions :)
These are some of the resources that I referenced during my OSCP studies: