I recently obtained the Offensive Security Certified Professional certification. In this post, I will describe my experiences with the course training and certification exam. As this is my first infosec certification, I will not be comparing the OSCP to other certifications, but there are many other blog posts out there that already make that comparison.
What is the OSCP?
The Offensive Security Certified Professional (OSCP) certification is an information security certification offered by Offensive Security that is obtained by passing a 24-hour hands-on certification exam. Penetration Testing with Kali Linux (PWK) is the training course offered to prepare students for the exam. To obtain the OSCP certification you must first complete the PWK course.
The minimum cost to take the course and obtain the OSCP certification is currently $800 (USD). This buys you all course materials, 30 days of lab access, and one attempt at the OSCP certification. You can purchase additional lab time at a rate of $250/month. I chose the option with 60 days of lab access, which cost $1000. I ended up purchasing 3 additional months of lab access before I truly felt prepared to take the exam.
While this is considered a foundation-level certification, Offensive Security describes the PWK course prerequisites as “A solid understanding of TCP/IP, networking, and reasonable Linux skills are required. Familiarity with Bash scripting along with basic Perl or Python is considered a plus.” It also helps to have a strong desire to learn new things.
The PWK Coursework
The PWK course material consists of a 300+ page lab manual and accompanying videos. The course materials are very thorough, but some additional research will probably be required since PWK/OSCP students begin with different levels of experience. The lab manual does an outstanding job of thoroughly explaining the core concepts and techniques outlined in the syllabus. The videos reinforce the topics covered in the lab manual and sometimes provide additional tips on specific techniques.
The most difficult part of the coursework for me was restraining the urge to rush through it and begin the labs. Your lab access begins on day 1, but you are encouraged to complete all coursework and exercises before beginning the labs. Take the time to understand all of the concepts covered in the course materials. Hurrying to get to the hands-on labs will likely cost you time when you get stuck attempting a technique that you didn’t take the time to learn properly to begin with.
The PWK Labs
The labs alone make this course worth every penny! After completing the coursework, you jump into a simulated corporate network with ~50 machines. These machines are a mix of workstations and servers segmented in various subnets, and contain a variety of vulnerabilities for you to poke and exploit. A few of these machines are trivial to exploit. A few are notoriously difficult. Most are somewhere in between.
A key point to remember while working through the lab network is that the lab machines are designed to help you hone your skills. It can be tempting to pop a box and quickly move on, but I made it a point to review the lessons that I learned from exploiting each machine. Also, make sure that you take detailed notes for every machine that you work on in the labs. Properly documenting your steps will keep you from repeating scans, exploits, etc. This documentation will also help if you plan on submitting a lab report for extra points on the exam.
Preparing for the Exam
I can’t tell you how many machines you need to own before you are fully prepared for the exam. For me, the number was 42. I remember a sudden feeling of confidence after getting that 42nd machine. However, I have colleagues that passed the exam after only popping 15-20 machines. You should be able to tell when you are ready for the exam.
Register to take the exam either immediately after your lab time expires or while you still have lab time left. Keep in mind that exam times are sometimes fully booked 2 weeks out, especially on weekends. I made the mistake of putting off the exam for two months and it cost me (see below). In the weeks before your exam, complete the course exercise writeups and lab report.
Formally documenting your processes will reinforce everything that you’ve learned, and the extra points could help your exam score.
The OSCP Exam
For the exam, you will be given 24 hours (technically 23 hours and 45 minutes) to exploit a handful of vulnerable machines. These machines are worth a set number of points based on their perceived difficulty. To pass the exam, you need to obtain at least 70 of 100 points. The exam has very specific requirements and restrictions outlined in the exam guide.
Exam Attempt 1
I had planned out a break schedule that included eating food and getting a nap. I had reviewed my notes from the labs. I had even practiced on a couple of vulnerable VMs from VulnHub. I failed. I did not manage time well. I did not enumerate servers/services as well as I could have. I let the time constraint get to my head. I had 45 points at the 12 hour mark and went to bed for a 4 hour nap. I spent my last 8 hours getting absolutely nowhere. When my VPN connection closed after spending the last hour spamming a server with every Metasploit module I could find, all I had was 45 points and a feeling of utter defeat.
I spent the next day or two reflecting on what went wrong. I questioned whether I should give up. I thought that maybe I wasn’t meant to be an OSCP after all. Then, while trying to compare the experience to my last big failure, I realized that I hadn’t failed at anything in a long time. I immediately felt better. I began to appreciate the difficulty of the exam. After all, I didn’t want to be handed a piece of paper that I didn’t feel like I had earned. Once all of the self-pity had been dismissed from my mind, I began preparing to retake the exam.
Exam Attempt 2
Another two months passed before I was able to schedule another exam attempt. This time around, I made an effort to simplify everything. Instead of trying to precisely schedule the entire 24 hours, I planned to take breaks when I became frustrated, eat some food during a break, and get some rest at some point. I decided not to worry about the time limit. I knew everything that I needed to know, and I knew that I needed to focus more time on enumeration.
Within the first two hours I got a 25 point machine. An hour later I had another 20 points. Then things began to slow down. During the next eight hours, I managed to get two low privilege shells. At this point, I estimated that I had around 65 points. I determined that I would probably pass if I submitted my course exercises and lab report for bonus points. However, I didn’t want to pass on bonus points, so I pushed on. About an hour later, I had full privileges on one of the two machines, giving me another 10 points. Satisfied that I had enough points to pass, I decided to get some rest. After waking from several hours of much needed sleep, I spent a bit of time on the “easy” machine that I had been saving, but got nowhere. With only a couple of hours left, I focused on confirming that I had all of the necessary screenshots and documentation in order. I took another short nap, then completed and submitted all of the documentation.
I received an email confirming that I had passed the PWK exam and obtained my OSCP certification roughly 24 hours after Offensive Security confirmed receipt of my documentation. I cannot describe how great I felt reading that email. Several weeks later, I received a parcel containing my official certificate. I had tried harder on my second attempt, and it paid off.
The PWK course and OSCP exam are a challenging yet rewarding experience that will teach you new skills and test your determination. If you are looking for training to increase your offensive skillset, this course is for you. If you want to test your resolve and find out what you’re made of, this course is for you. If you want an easy certification to add to a CV, then you should probably look elsewhere. For everyone currently taking the course or thinking about enrolling, remember two things: enumerate, and try harder!