This is a review of my OSCP experience. I registered in late 2018 and received my OSCP in May of 2019 with one exam attempt. This review is coming out in 2020.
The Offensive Security Certified Professional is a golden standard in the CyberSecurity and Penetration Testing community. Its known for it’s grueling 24 hour exam which is entirely practical and hands on, meaning there is not a single question on the exam, you can either attack the systems or you can’t. It easily ranks as my most proud career achievement, outdoing all other certifications by a long shot.
What I’ll Cover
- My Background Experience
- How I started with Penetration Testing
- Registering and Beginning
- The Course Materials / Video
- My study plan and time involved
- Writing the Lab Exercises report
- My Lab Time
- Documenting the lab machines report
- Working through the systems in your time
- How to prepare for the exam
tldr is below
If you’re like me, this section is always the worst part of an OSCP review. Really… you don’t care about my background, you don’t want to know what I might do with my career or how I got here, but you still have to read it, because you kinda wanna know if I’m similar to you. Ugh… here goes.
I had always had a small interest in IT Security but recognized early on that you needed to know a lot about a lot. The more you’ve worked with, the better off you are once you start attacking things. Attacking a database? Sure would help if you knew SQL, and even better if you’ve been a DBA in the past. Trying to move laterally through the network? Would be helpful if you knew networking protocols and remote connection options for Windows systems right?
I started as a help desk, XP certified, desktop support. I moved into a SysAdmin role quickly after that, getting additional network and server certificates along the way. A+, Net+, Sec+, MCSA, among other studies. I did practically no “programming” languages for almost 7 – 8 years of my career. The one thing I did that benefited me greatly is that I would solve every problem twice. Once, by helping the end user solve the problem, and then a second time when I got back to my desk by finding out how I could have solved that problem without actually going to the end-users PC. This made me extremely familiar with command line and remote support. Which led to powershell, which led to Object Oriented languages and scripting.
I received my OSCP in early 2019, but started taking security more seriously around 2016. As I said, I was always interested but I knew that I was an idiot. I didn’t have what it took to get into security. In 2016 I registered for a Udemy course.
The Complete Ethical Hacking Course: Beginner to AdvancedErmin Kreponic – https://www.udemy.com/share/101Wm2A0EbeVlaQ3g=/
It’s Udemy, so it was priced fair which made it super easy for me to access. I figured this was a good way to see if I was actually interested in it, or if it was just a fun thought. Even then, a lot of it was over my head, but all familiar enough that I knew I enjoyed it. None-the-less, it was a background interest for years after that as well. Until 2018.
2018 I decided it was time. I wanted to make the IT security dream a reality. This is how I went from SysAdmin with limited scripting knowledge to a Full-Time Penetration Tester.
“I researched and found the OSCP. Oh the stigma! Such a presence around the OSCP, that was the one… but how? “– Me … My Thoughts
Like most, I started with HackTheBox. Again, it was a cheap (free) option that let me validate that I was capable and actually interested in doing it. Hack the Box kicked my ass. I sucked. I struggled. I spent hours, days, weeks, googling small things that weren’t even correct just to gain access to the simplest boxes. It was the definition of “Try Harder”. But I was getting it.
My first box was Jerry, and it took me forever. In retrospect, that’s almost embarrassing, but I completely forgot the box, and after going back to that box once I was certified, I knocked it out within 30 minutes. That was a super fun validation that I had made it!
After about 3 months of working through hack the box machines, I decided that I had plateaued in the knowledge that I was able to teach myself. I registered for the OSCP starting in January of 2019. I registered for the whole 90 days, knowing that I would need it all.
I was a sysadmin / network admin with some limited powershell and batch file knowledge, and a knowledge of SMB’s including email servers, database servers for business software like ERP systems, and firewalls / networking. I did that for about 8-10 years. All of my security knowledge came from HTB and OSCP.
Registering and Beginning
There was some time between registering and beginning the course. I took the time for family during the holidays and made it clear to everyone that I was going to be slammed in studying with the start of the new year.
I still wanted to make good use of my time, and I found that the Kali Linux Revealed PDF was free from https://www.kali.org/download-kali-linux-revealed-book/
This was a great step into more formal knowledge around Kali itself. It gave me a needed refresher on the basics of linux command line. There are sections that aren’t super applicable to the beginner, like customizing your own Kali Image, but it’s material that I frequently think about revisiting now that I have the capacity to make use of that knowledge. I honestly don’t remember much from the PDF, I just remember it was exactly what I needed to feel comfortable with the tool I was about to use non-stop (Kali).
Again, it was cheap (Free) which is important to me. I’ll always try the free option before implementing the expensive paid-for solution.
Then the course date started. I received my coursework PDF, the videos, the VM that they provide, and the VPN access. Here’s the first time I’m going to mention this. . .
Do the lab report
How do I know where to start?
“How do I get started?”
“Where do I begin in the lab”
Don’t be that person
So many posts… soo many posts on the OSCP subreddit, so many posts in the forums…
Start with the PDF. Read the sections. Watch the corresponding videos. I found that the PDF and the videos synced up almost perfectly.
This feels stupid to say, but in order to learn, you need to be taught. The course material will teach you. Start there.
“Do I start at the first IP address?”
“What else can I ask that will later be embarrassing once I realize I could have just done the coursework that I purchased?”
This is a good time to mention that the material does a really good job of teaching you everything you need to know in order to be successful. If something doesn’t quite make sense, I would go through the videos and then it would click. If I still struggled then it was usually my own fault, misreading or misunderstanding, that would come together by looking it over again. With each section, there are exercises that you can perform and record in a report. Which leads me to this….
Do the lab report
The exercises are supremely helpful in understanding the material. True to the OffSec model though, it’s not enough to just understand it, lets actually do it! Read the material, watch the videos, then do the exercises so you can prove that you can do it yourself. With each exercise completed, you can record your answers in the lab exercises report.
The “optional” lab report is worth 5 points towards your exam. The word optional is pronounced “you’d be dumb to skip this”.
To complete your lab report, you simply need to record your lab exercises. Each exercise will clearly define what you need to do. Sometimes it’s as small as a few commands, or it might be a completely custom script of some kind. Record these answers as the first requirement for the lab exercises report.
The second requirement is to record a lab penetration testing report against at least 10 machines in the lab network. This is the same report that you’ll turn in for the exam, but would be done against the lab instead of the exam machines. If you’re paying attention, you’ll realize that this is your practice on report writing. Do it in the lab, and you’ll have a solid template and methodology for report writing on the exam.
Package the lab exercises together with the lab report on 10 machines. Congrats, 5 extra points when you submit this with your exam report.
Do the lab report
More than just the 5 extra points, I sincerely believe that people who do the lab report have a far better chance of passing the exam. This was verified by the number of people that would post to forums asking for help after failing the exam. Doing the exercises makes you far more familiar with the materials. In addition to that, once you complete your lab exercises, you’ll have built your own cheat sheet for countless attack vectors. You’ll be referencing your own work, your own scripts, your own commands to properly succeed in the lab.
I took all my notes in the CherryTree app. I still have those notes, and have even been able to help other aspiring OSCPs as they work through the material. Even more than that, I built my methodology for note taking while pentesting the machines in the lab. I still use CherryTree for pentest engagements today, and I still take notes the same way I did while working through the OSCP. I learned that by going through the motions within the labs and while writing my lab report.
For the love of God
Do the lab report
If you take nothing else way from this review…. just do the lab report, right?
My Lab Time
I read a lot of reviews first, and I knew what to expect. I knew roughly where I stood too, and I estimated that it would take me about 3 weeks to get through the lab materials and exercises. I was spot on, so I was glad that I reserved 90 days.
Plan your time and dedicate to it. I made all of my family and friends very aware of the dedication I intended on having. I spent 20 – 30 hours a week on the OSCP course, in addition to my 40 hours a week at work.
I knew it was going to be an uphill battle for me. I planned for it as much as possible. On the right is a random week during my studies, I recorded my time and kept notes in some events to keep track of where I needed to start the next day.
Saturdays and Sundays were often all-day-events. I usually went slow on Wednesdays, taking a little time for myself.
“Read the material, watch the videos, then do the exercises so you can prove that you can do it yourself.”– Me just a few paragraphs ago
Do that for 3 weeks, or however long it takes you. Then jump into the labs.
Side Bar: I read a lot of reviews where people can do the course materials way faster. I guess I must be a slow reader or maybe I took longer to do the exercises? This was as fast as I could push through it.
Some people do this in between schooling, or in between jobs, so they can afford full 8 hours days (or more) to study. I didn’t have that opportunity, so I think 3 weeks is a fair estimate of time. I also think this is why people don’t do the lab report. They want to get straight into the labs since they think that will be a better use of their time. A mistake, IMHO.
You’ll find that some of the lab exercises require exploitation of a lab machine. This is a little out of place, since you won’t really know which lab machine is vulnerable to what flaw… so it can be hard to complete those exercises right away.
I made a short list (no more than 5) to come back to. I kept the list around so I could work through the lab until I found a suitable host to document the lab exercise. I recall sqlmap being a good example of this. You have to identify a good SQL injection point before you can really do that exercise, so once I found one, I went back to the exercise to document it in my lab exercises report.
The Lab Machines
One thing that I completely missed until I was a few machines in was the Alpha lab machine. If you’re truly lost about how to get started in the labs, the Alpha machine has a write-up in the student forums, which is basically a walkthrough on how to enumerate and exploit the system. If you haven’t done any HackTheBox, VulnHub, or similar CTFs… then you should start with Alpha to understand what you’re doing.
Of course, you prepared well before registering, so you won’t need help with that, right? In that case, just be aware that you can’t use Alpha in your lab report, since the answers are basically out in the open on the student forums.
So outside of that, how DO you get started in the labs? For many people, this might be the first time that they can actively attack a group of computers this large.
After all that time in the course materials, and the time I had spent learning on HTB… I had to step back after scanning the lab and think through… how am I actually going to start getting into this network?
The answer will change, depending on the person. Are you good with linux web servers? You might want to start there, see if you can find a few that you’re familiar with. If you’re comfortable with them, it will be easier to tell when something isn’t quite right with them.
For me, I’m a Windows SysAdmin, so I targeted old Windows machines. I figured if they’re old, there are probably known exploits, and I’m comfortable with Windows so it shouldn’t be too bad.
This worked well for me. I went from feeling a little lost, to picking off a few easy machines in a very short time. It helped me develop a “groove” that I could keep using throughout the lab. When it came time to progress onto machines that I was less comfortable with, I could still work through it. I had successfully adopted a methodology.
That’s the real magic of the OSCP labs. Out of everywhere that I’ve studied, that was the one place that I could naturally develop a methodology that would live long past the exam completion and into my career.
From there, the methodology really became “rinse and repeat”. Each new machine could be a different OS, with different services, but the structure of the attack fell into a pattern. With that happening naturally, I started finding a groove for my note taking. And slowly, over the course of a few machines, my note-taking evolved and turned into a repeatable pattern. Of course, there isn’t a single perfect template as each attack could be different, but I found what works for me.
Don’t be afraid of using the forumsI know this is a little taboo, as most people would tell you to “try harder”
Use the forums, but use them in moderation. The best advice I can give around this is to be honest with yourself. I knew the difference between struggling because I didn’t try hard enough vs. when I knew I had a knowledge gap. I don’t gain anything by struggling for 3 hours on a topic I know nothing about. I succeeded by spending a little time learning from the forums, and then experimenting with it in the lab. I specifically recall learning how to use other peoples SSH keys while in the labs. I knew it was an option, but I never knew how. I spent some time in forums to validate that it was the right move, and then I learned about it. Don’t struggle because somebody tells you it’s the right move. Learn when you are are struggling, so you won’t have to struggle next time.
I documented the machines I compromised throughout the labs as I was going. This is the second half of your lab report, remember, the one you’re definitely doing? In the first half, you documented all of the homework exercises from the coursework PDF. Now, you’re compromising at least 10 machines in the lab and documenting the compromise as a part of that report. There are at least two good reasons to do this lab penetration test formatted report.
The biggest reason in my mind that you should do this is: Methodology. Again, you’re building this methodology while in the lab. You get a feel for how to take notes on the machines you’re attacking and you get a feel for what you want to document.
The other big reason you’ll be glad you did this: You’re also documenting in the ‘final’ format, so you’ll have a template of a final report that YOU created. You can use your template once you’re in your exam, or for your career afterwards.
Both of these things are going to make you more efficient in your exam and in your career. With a template and a routine structure, you can spend your time focusing on the attacks. The documentation process will be second nature to some extent.
I selected and documented more than 10 machines, like a bakers dozen. Then at the end I had roughly 15 to pick from. I selected the 10 that were the best sounding, least similar to each other, and threw out the “burnt cookies”. You only need to submit 10 lab machines in your lab report. I actually submitted 11 in mine, just in case OffSec felt that two were similar in nature. The rules more or less say that you can’t use the same exploit against multiple machines, or can’t use two different exploit paths against the same single machine.
… but what did you learn??
I’ve mostly given you my opinions and conceptual ideas around how to work with the OSCP course and the labs, but haven’t really mentioned anything about the toolkits or attacks that you learn. This is kinda intentional… I learned the syllabus… what else can I say? I can’t really go into each utility that they discuss.
SQLi, XSS, LFI RFI, RCE, Hydra, John, Hashcat, directory fuzzing, dirbuster, gobuster, sqlmap, smb enumeration, buffer overflows, scripting and languages (python, ruby, c, bash scripting, powershell), metasploit, tcpdump, nc, reverse shells, interception proxies (burpsuite, owasp zap), sooo many more.
I learned a lot. For every protocol I thought I knew and understood, there is at least one offensive tool focused around enumerating and exploiting it, and often there are dozens (smbclient, smbmap, enum4linux, nmap smb scripts, etc). It was like I was relearning every protocol I had ever known.
Personally, I learned a lot about bash scripting things. I also learned a lot about python scripting, which leads nicely into a staple of the OSCP…
The Buffer Overflow
Calm down people, this was way easier than everybody made it seem.
Really though, the materials teach you everything you need to know. I can say this confidently, because despite trying to learn this before the course, I was completely lost.
Then I started the buffer overflow section of the course materials. I felt everything was covered in a great, logical way. It ended up being one of the areas I was most comfortable with. I went through their exercises early on, and then again right before my lab time expired.
A week before the exam, I ran through the more public examples of buffer overflows, like dobufferoverflowgood, and that was enough to validate that I could do it.
That’s all I’ll say on it. Shellcoding, assembly language, python scripting, fuzzing, all makes it seem like it’s going to be harder than it really is.
The famous exam. 24 hours to compromise the exam machines. Another 24 hours to write a report. Fail to compromise the machines and you fail the exam. Even better, if you compromise the machines but fail to provide a quality report, you fail the exam. I love that it stresses the importance. There isn’t a company in the world that cares if you can compromise their network if you can’t also provide them with quality information.
At this point, you should be prepared. You have a cheat sheet of your attack examples from your lab exercises. You have a template for note-taking, and for the final report based on your lab report.
I took three weeks between the lab access and the exam. I took most of the time to relax after a LOT of late nights and long weekends. I spent a little time back in HackTheBox, seeing how much the course helped me.
Most people will agree, get good sleep, eat well, take breaks. I did some of those things… My wife made my meals for me and delivered them to me. I drank a lot of caffeine, there was no sleeping. Of the 24 hours, I spent about 21 at the keyboard. I did stop at some point and sleep for those other 3 hours. In the last 15 minutes, I was working on privilege escalation on the last machine, which I never did get to finish… oh well. I maybe should have slept after I knew I had enough points to pass, but the thing is, I was having fun, I didn’t want to stop.
At the end of my 24 hours, I was happy. I started copying my notes over to the final report, but my lack of sleep quickly caught up with me. Microsoft Word is pretty hard to stare at … and I couldn’t stay up any more. I slept, with no alarm set, until I was refreshed. After that it was just casual copy and paste into my final report until things looked good. It probably only took me about 4 hours to do the report, because I had already taken such good notes along the way. That’s a hard mentality to stay in when you’re experimenting with exploits, but it really pays of for report writing later. I packaged up the lab exercises PDF, the lab report PDF, and the exam report PDF. I only had to wait 3 – 4 days for my exam results.
I’ve never checked my email so often.
Even more ridiculous, somehow I missed the email when I got it, and didn’t know I passed for a few hours after I got the email. But I did it. I can honestly say I’ve never worked harder for a certification. It’s by far the most challenging certification I know of.
Now it’s on to the next. I plan on doing the rest of the Offensive Security certifications. Their approach to the exam, requiring that you actually be able to do it (entirely practical exams with no Questions and Multiple Choice answers) is super appealing to me. I’m still debating between the OSCE and OSWE for the next cert, in early 2021. For now, I’m focused on SANS certifications for work, and might consider reviewing those as well. (GWAPT – Sec542 certification has already been achieved, and the new Beta Sec588 Cloud PenTesting is this July).