I know, I know, I know. There are already like 9000 of these on the internet. What I'm hoping to add is my experience with the Penetration Testing with Kali (PWK) course and the Offensive Security Certified Professional (OSCP) exam as someone who has been in the field as a pentester for some time. It seems like a lot of reviews of the course/exam are written by or for beginners, or people just trying to get into the industry. While I definitely think those have value, I ended up setting my expectations pretty high and overly stressed myself.
The course videos and book/PDF were very simple, although a bit tedious. My strategy to get through the material was to watch the videos, and then read the course PDF to fill in any of the blanks. I tried to keep a 1 chapter per night pace but found that I could sometimes get through 2-3 in a night. I think I ended up reading maybe 1/10th of the material, but the most important thing about the PDF is the chapter exercises that are used in the lab report. Which leads me to my next point:
DO YOUR LAB REPORT.
Seriously. If there is one thing you take away from this, it should be that you need to do your lab report. It is 10 free points on the exam and takes only a few extra minutes per chapter. It will act as a safety net should shit hit the fan during the exam. There is no excuse not to do it.
Here's where the fun started. Offensive Security gives you a preconfigured VM and an OpenVPN certificate to access the lab network. Once you connect, there are a bunch of hosts on the subnet to go after, each with flags on them to submit through the internal portal that you'll have access to.
Treat this like any other internal engagement. Offsec pushes the whole "run recon until your face falls off" thing, so make sure you do your normal Nmap scans, along with the more tedious and boring stuff like SNMP and SMB enumeration. Leave no stone unturned. These targets are meant to be breakable. There is always something to go after, it's just a matter of how obvious it is.
The same thing goes for post-exploitation if you need to do it on a target. Recon. Recon recon recon. The answer is in front of you so don't overthink it.
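To make the "leave no stone unturned" recon loop above less error-prone, here is a small helper I would use to turn Nmap's greppable output into a per-host enumeration checklist and a notes skeleton. This is an added example, not part of the original post and not Offsec courseware: the scan output embedded in it is constructed (made-up lab addresses and services), and the follow-up steps it suggests are limited to the SMB and SNMP enumeration the post itself calls out.

```python
import re

# Constructed sample of `nmap -oG` (greppable) output for three lab hosts.
# Addresses, services and versions are made up for this example.
SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated (constructed sample)
Host: 10.11.1.5 ()\tStatus: Up
Host: 10.11.1.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 5.3/, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds//Samba 3.x/, 161/open/udp//snmp///\tIgnored State: closed (996)
Host: 10.11.1.8 ()\tStatus: Up
Host: 10.11.1.8 ()\tPorts: 80/open/tcp//http//Apache httpd 2.2.15/, 443/closed/tcp//https///\tIgnored State: filtered (998)
Host: 10.11.1.9 ()\tStatus: Up
# Nmap done (constructed sample)
"""

# "Host: <addr> (<name>)\tPorts: <entries>" -- the Ports field ends at the next tab.
PORT_LINE = re.compile(r"^Host: (\S+) \([^)]*\)\tPorts: ([^\t]*)")

# Follow-up enumeration the post explicitly mentions: SMB and SNMP.
FOLLOW_UPS = {
    ("tcp", 139): "SMB enumeration (shares, users, OS)",
    ("tcp", 445): "SMB enumeration (shares, users, OS)",
    ("udp", 161): "SNMP enumeration (walk the MIB tree)",
}


def parse_gnmap(text):
    """Return {host: [(port, proto, service, version), ...]} for open ports only.

    Hosts that are up but show no open ports are kept with an empty list so
    they are not silently dropped from the checklist.
    """
    hosts = {}
    for line in text.splitlines():
        if line.startswith("Host:") and "Status: Up" in line:
            hosts.setdefault(line.split()[1], [])
            continue
        m = PORT_LINE.match(line)
        if not m:
            continue
        host, ports = m.groups()
        for entry in ports.split(", "):
            # entry format: port/state/proto/owner/service/rpc info/version/
            fields = entry.split("/")
            if len(fields) < 7 or fields[1] != "open":
                continue
            hosts.setdefault(host, []).append(
                (int(fields[0]), fields[2], fields[4], fields[6])
            )
    return hosts


def enumeration_checklist(hosts):
    """Map each host to the extra enumeration steps its open ports call for."""
    checklist = {}
    for host, ports in sorted(hosts.items()):
        steps = []
        for port, proto, _service, _version in ports:
            step = FOLLOW_UPS.get((proto, port))
            if step and step not in steps:
                steps.append(step)
        if not ports:
            # A live host with nothing open usually means the scan was too narrow.
            steps.append("no open ports seen: rescan all 65535 TCP ports and top UDP ports")
        checklist[host] = steps
    return checklist


def notes_markdown(hosts, checklist):
    """Render a per-host notes skeleton to fill in while working (screenshots, steps)."""
    out = []
    for host in sorted(hosts):
        out.append(f"## {host}")
        for port, proto, service, version in sorted(hosts[host]):
            out.append(f"- {port}/{proto} {service} {version}".rstrip())
        for step in checklist[host]:
            out.append(f"- [ ] {step}")
        out.append("- [ ] exploitation steps / screenshots / code used")
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    parsed = parse_gnmap(SAMPLE_GNMAP)
    print(notes_markdown(parsed, enumeration_checklist(parsed)))
```

Point it at a real `-oG` file by reading the file into `parse_gnmap` instead of the constructed sample; the notes skeleton it prints is the "write up your findings as you go" structure, one section per host, with the enumeration boxes left unticked until you have actually done them.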
While you are compromising hosts in the first subnet, take notes. For your lab report, you need to include write-ups for 10 hosts. My advice (outside of just DO THE LAB REPORT) is to pick the 10 simplest ones to compromise and do your write-up on those. This will save you from having to write pages upon pages of details and will make the lab report easier to get through.
As you start popping boxes in the network, you may stumble across some keys (different from flags). These can be used to unlock other networks with more targets. Don't stress too much about this though - if you can pop most of the boxes in the first network, you're good to go for the exam. Almost everything you'll need to get all of those machines is in the courseware, so don't go chasing things too far outside of that.
At the end of my lab time, I think I'd compromised ~20 hosts. This is in part due to life getting in the way and also I just didn't feel the need to beat my head endlessly. And that is all this course and exam is. Offsec wants you to beat your head on your desk until you figure it out. It's in the motto "Try Harder," you'll get it when you ask the support people a question, and you'll feel it once you finally get that tricky exploit working.
I took a few weeks off between the course and the exam to get my notes straight, make sure my lab report was good to go, and get things ready for the exam.
I wasn't really sure how difficult the exam was going to be going in. I'd heard everything from it being the most difficult hosts in the lab to the easiest. What I felt though was that it was a fair representation of moderately difficult hosts. Offsec gives you 24 hours to do the exam. Why would they give you more than you can reasonably complete in that time?
I'm not sure how detailed I can get with this section, but my advice is this:
- Don't overstress yourself. It is supposed to be challenging, but not impossible.
- Take a break every once in a while. You're not going to help yourself by trying to push through uninterrupted. That 15-minute break you take could refresh you and help you pop the next box in half the time.
- Eat and drink. No, not junk food and coffee. Eat something decent for you that is going to keep your brain moving. Even better, prep what you're going to eat the day before so you don't even have to worry about it come day-of.
- Write up your findings as you go. It doesn't have to be report-quality, but make sure you have screenshots, code, and a full step-by-step walkthrough of how you did it. You can't go back and get any of that stuff during the reporting period. I found that OneNote helped a ton here.
I completed the exam with more than the minimum number of points (plus my lab report), in about 14 hours. Report writing took another ~6. I heard back 2-3 days after via email that I'd passed.
A huge thank you is in order for my wife who tolerated me sitting at the computer for hours on end and helping me time food and breaks during the exam. Also shout out to the Offsec guys for putting together a great course and exam.
This experience definitely solidified the OSCP and related certs as the "real deal" for me. I would strongly consider a candidate who had an OSXX over those who don't, simply because it is an easy way to validate that you can walk the walk. That being said, I saw no return on investment as an established tester outside of personal satisfaction. While I'm cool with this, make sure you manage your expectations if you're already a tester and don't think you'll see a $30k jump in salary.
Next up for me is the OSCE, but before that I'd like to take some non-cert focused courses like SEC760, one of Immunity's trainings, or a Corelan course.