Review: Offensive Security Certified Professional (OSCP)


During the last 3 months it was quieter than usual on Hacking Tutorials. In this period fewer tutorials and articles were published on Hacking Tutorials, but there was a very good reason for that. For the last 3 months I have followed Offensive Security’s Penetration Testing with Kali Linux (PWK) course and got certified as OSCP. In this article I will be reviewing the courseware, the labs and the brutal 24-hour exam. We will also look at which prior knowledge would be beneficial during the course and how to get this knowledge. We will conclude this article with some tips and hints that helped me pass the exam.

OSCP courseware and videos

The Penetration Testing with Kali Linux courseware contains a PDF file and instructional videos on all subjects. The course covers many different subjects, such as passive and active information gathering with many different tools, but also writing simple buffer overflow exploits for Windows and Linux and privilege escalation techniques for both operating systems. You will also learn about exploiting web applications, performing password attacks, tunnelling and how to use Metasploit. The full course syllabus is available here:

It is helpful if you have prior knowledge of networking basics, scripting/coding and maybe some hacking and enumeration techniques in general when you start the course. Every subject is explained very well in the courseware and starts from the basics. However, you really need to learn a lot during this course in a very limited timeframe, especially when you do this course beside a full-time job like most of us. Any prior knowledge will speed up the learning, lower the learning curve and save you some time.

Tips for the OSCP courseware

  • Follow the courseware first and then start practicing in the labs.
  • Use additional sources to learn more. A list of great online and offline sources is at the bottom of this article.
  • Join the Offensive Security PWK forums and social media and talk to other people. You can learn a lot from other people too, especially when you have little or no practical experience on the subject. InfoSec is often a passion and a way of living, so people are often quite nice and willing to share information and educate people who share the same passion (read the last paragraph for which questions to ask and which not).


The best part of the learning path to OSCP certification is the labs. The OSCP labs contain several networks with over 50 servers to practice your ethical hacking skills on. The operating systems on these hosts vary from Windows XP, Windows 2008 server and Windows 7 to different Linux/Unix based operating systems such as Debian, Ubuntu, CentOS, FreeBSD, Fedora and more. Some operating systems are old (there’s even a Windows 2000 server) and some are very recent, like Windows 8.1. The lab also contains several clients performing automated tasks which can be targeted to learn about client-side exploitation.

Proof.txt files

The main goal for each machine is to get a shell on the machine with administrator privileges and collect the contents of a proof.txt file on the Desktop. Some machines contain a networksecret.txt file besides the proof file. These machines are configured with a second network adapter which allows you to use the machine as a pivot point and access an otherwise unavailable network. The contents of the network secret files allow you to revert machines in other subnets from the student panel. The OSCP student panel is accessible through the VPN connection and is an interface to revert machines, use Offensive Security’s Crackpot and to (re)schedule your exam.

Root shell!

Vulnerable machines

Every host in the lab contains one or more known vulnerabilities, varying from local file inclusions (LFI), backdoors and SQL injection to remote buffer overflows, default passwords and remote file inclusions (RFI). Privilege escalation is often performed through exploiting OS and application level vulnerabilities, but also through misconfigurations such as incorrect user privileges on files and services. After proper enumeration and assessing the vulnerabilities you have to exploit them in order to get a limited user shell, sometimes directly a root shell, or information which will lead to either of these. The vulnerabilities together have been set up very well and often you need to exploit a clever combination of them to get root or administrator access. I must say that Offensive Security has done a great job on setting up these labs.

Metasploit and automated tools

The use of Metasploit is limited during the OSCP examination, although it is advised to get familiar with Metasploit and practice using it on the lab machines. You are allowed to use it on one machine during the exam, which is often considered a lifeline by many people. Personally I’ve often used both ways to exploit vulnerabilities, first manually and then with Metasploit if an exploit module was available. Using automated (commercial) vulnerability scanners, such as OpenVAS, is strictly forbidden on the exam. Using them in the labs would waste your learning experience when it comes to enumeration and vulnerability assessment, as this part of the penetration test is then automated.

Tips for the OSCP labs

  • The student forums contain a walkthrough by Offensive Security for machine 71. Follow it to get a picture of how to conduct a penetration test from enumeration to privilege escalation and post exploitation.
  • Learn about the methodology used in the walkthrough; the techniques are less important.
  • When you’re advancing through the labs, write a simple bash or Python script to perform (a part of) the enumeration. This will improve your scripting skills and experience but also save time.
  • Try to root as many machines as possible because all boxes contribute to your experience and learning process.
  • Extend your lab time if necessary and possible when you have left a lot of boxes untouched at the end.
  • You can install your own vulnerable machines for practising or download them elsewhere.

OSCP exam

After going through the courseware and finishing the bigger part of the labs, you might be ready for the horrific 24-hour OSCP certification exam. At the scheduled exam date you will receive new VPN credentials to access the exam network. The exam network consists of 5 machines with a number of points ranging from 10 – 25 in the networks I got. You will need a total of 70 points to pass the exam. Personally I have taken 2 attempts to pass the examination and obtain the OSCP certification.

The most important factors to consider prior to the exam are:

  • Time management
  • Avoiding rabbit holes
  • Make a battle plan which you will stick to during the full length of the exam

OSCP Exam #1

On the first attempt I started at 11 AM and did not have a solid plan and just ran into the exam. In the first 2 hours I managed to get root on the first box. In the 6 hours to follow I rooted the second box. From that moment on everything went downwards and I got lost for hours in what later seemed to be a rabbit hole. At that moment it was impossible to get out of it, also because the tiredness kicked in after 16 hours making it hard to remain focused. I stopped at 3 AM and slept till 08:00.

I got back to the exam at 08:30 and only had 2 hours and 45 minutes left. In that period I got a limited shell on the box I was stuck at the night before and almost rooted a second one, but it was too late. The VPN died and I knew I had failed the exam. I have learned a lot from this first failed attempt. I have learned how important time management is and that you really need a strategy to avoid rabbit holes and not lose too much time. At the end of this article I will present you with a list of points to consider which really helped me to avoid rabbit holes. I found that avoiding rabbit holes is key in passing the exam on the second attempt.

OSCP Exam #2

On the second attempt I started the exam at 3 PM and planned to work till 3 AM and then sleep till early morning. This way I had 2 ‘fresh’ starts for the exam to utilize more productive hours. From the first attempt I knew that exam hours 12 to 16 are worthless. Personally I become too tired and lose too much focus after 12 hours. I also started with the harder exam machines this time. Those are the ones that give 20 or 25 points. In the first 12 hours of the exam I managed to get 55 points. I went to sleep at about 5 AM and woke up to continue the exam at 8 AM.

In the hours to follow I managed to get another 40 points. I had a total of 90 points and I knew I had passed the exam. For one box I did not manage to escalate my privilege level to root, but I was fine with that.

OSCP exam report

In the next 24 hours you will be writing a penetration test exam report. The exam manual, which you get at the start of the exam, explains clearly what is required in the report. Make sure you collect this information during the exam in the required format. Prior experience with report writing (lab report for example) will help you a lot at this point. After submitting the lab report I got the following e-mail about 2 days later from Offensive Security:


OSCP Pass mail!

Tips before the OSCP exam

The following tips will help you before the OSCP exam:

  • Make a battle plan before the exam which at least contains the following:
    • Breaks with time, including dinner, lunch and breakfast.
    • Determine when and for how long you will sleep. Yes, you need to sleep in 24 hours.
    • How long to work on a single box. Personally I suggest switching to another box when you are stuck on a box for more than 2 hours.
    • Which enumeration to perform on every step of the penetration test (at the start and on a low privileged shell).
  • Finish your lab report for 5 extra points and optionally the course exercises for an additional 5 points. You might need them to reach the 70 points.
  • Rest before the exam, at least a day is what I would recommend. A fresh and sharp brain at the start of the exam is more important than a few more details covered.
  • You need to write a penetration test report after the exam. Make sure you know how to write it so you know what information to collect during the exam. The lab report is great practice for this; use it to learn how to document properly.

Tips during the OSCP exam

The following tips are helpful during the OSCP exam:

  • Personally I would suggest not working longer than 12 hours on the exam without sleep or at least a longer period of rest to cool down your brain. Pick a timeframe for the exam which supports this and gives you 2 fresh starts with enough time.
  • Take frequent breaks during the exam.
  • Recognize rabbit holes! PWK/OSCP is not an advanced penetration testing course and 24 hours is not enough time to write a custom privilege escalation exploit from scratch. Nor can you perform advanced blind SQL injection attacks which aren’t documented anywhere in such a short timeframe. In summary: when it is too difficult, it is probably a rabbit hole.
  • Use the last 15-30 minutes of the exam to check if you collected all required information before your VPN connection dies. It is easy to miss important information in the state of mind you will be in after 24 exam hours. Note: the VPN connection dies after 23 hours and 45 minutes! Schedule this check on time!

Conclusion and resources

I want to finish this article by saying that Offensive Security did a great job on this course. It is a very challenging course and the hard exam really gives value to this certificate. Many people say that PWK/OSCP is not an entry course and question themselves (and others) about when to engage OSCP. Personally I think these people are only partly right: PWK is not entry level but it’s not advanced either. More important is the time you can spend on the course, whether you are able to consume a lot of information in a short period of time, and your devotion (try harder!). It is always a good thing to prepare yourself for a course like this. I would like to recommend the following books and tutorials:

General penetration testing

Penetration Testing by Georgia Weidman:

Web application hacking

The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws by Dafydd Stuttard and Marcus Pinto:


The Art of Exploitation by Jon Erickson:

Any or all of these hacking tutorials:


The following links are very helpful during the PWK course:

More links and books will be added over time.

Help during the OSCP course

Earlier in this OSCP course review I mentioned that it is a good thing to ask other people to help. Especially when you’re stuck on something or when you cannot find the information that you need. I’d be happy to help you answer your questions or give advice and such. But don’t contact me and ask for the PWK courseware, for help during the exam or anything else that will ruin your or anyone else’s learning experience. For simple questions please use the comment functionality below the article so anyone can benefit from the response given. Also note that Offensive Security admins are available on the IRC channel to help you when you get stuck (and sometimes give you a hint instead of try harder).




  1. Great review! Would you be able to expand a little on the manual exploitation and point me to any resources (links, books, videos) on that subject. I understand from reading tons of reviews including yours that Metasploit is mostly not allowed on exams, and to be honest I’d prefer to learn how to manually exploit machines anyways, but I cannot find any material on how to specifically manually exploit machines. Every search brings me back to some resource using meterpreter for exploitation. I even found a link on Reddit asking the same and there was not really anything helpful there. All I’ve found is that you need some kind of ‘handler’ (such as meterpreter) to deliver your exploit, but I’ve found nothing substantive about the manual exploitation process or what other tools to use to facilitate it. Thanks for any help you can provide.

  2. Brucelle A. Arizmendi on

    Thanks for the links! I’m reading one of the recommended PDFs… Nice! Thanks for sharing. Keep up the amazing work!

  3. I went through the path of OSCP myself. The author couldn’t be more spot on. All the details provided above will help you if you are thinking about taking OSCP.

    Great analysis and review, thank you.

  4. Great review! Congratulations on the OSCP certification. You made up your mind to do it and you did not give up until you completed it.

    This is the direction I plan on going in my career. This review provided me with the confidence that this is an achievable goal. Great information loaded with wisdom from hands on experience. You’ve written an analytical review that can be trusted.

    Thank you!

  5. Great Review – thank you!

    Congratulations on passing the exam.

    I have enjoyed your review. I find it to be very balanced in terms of what to expect from the learning process. I have read a few OSCP reviews and have enjoyed this one the most. Before I read this review, I was planning to attempt OSCP in 2 years’ time. I think that I might attempt it sooner.

    I also appreciate the fact that you’ve included a few extra resources. I am sure that these will come in handy during and before the course. I will definitely come back to ask more questions in the future – I promise that it won’t be anything that will minimize the learning experience. :-)

  6. I’m currently taking the OSCP and this is pretty much what to expect. You’ll find yourself pretty frustrated from time to time, but if you’re willing to Try Harder one should pass. This is a difficult course compared to other information security certifications.

  7. A very good review and quite motivating. I have already learned a lot in the past 2-3 weeks, something which I never learned in 1-2 years. I have basic pen testing experience and wanted to go for an advanced course, for which OSCP checks all the boxes. My course is about to start in 2-3 weeks and I am trying to learn as much as I can, and can only learn the course-specific stuff when I get my courseware in my hands. Done with Buffer Overflow, did some VMs from Vulnhub, however I read somewhere about compiling exploits for Windows and Linux. Can you recommend some good resources for such exploits, especially Windows? Also how easy/difficult are the Web Application side attacks?

    • Thank you!

      Exploit (cross)compilation is covered in the courseware and is pretty easy and basic throughout the course. The labs offer a lot of scenarios to practice this. Regarding your question about the web application: all vulnerabilities are easy when you know how to exploit them. You’ll probably spend a lot of time on some and only a little time on others.

      Personally I would recommend the Web Application Hacker’s Handbook for web application hacking, as mentioned in the review. Also I would focus on privilege escalation techniques, including enumeration, for Linux and Windows, as this is not extensively covered in the courseware.

      Good luck on OSCP! You can always contact me here or on Twitter if you have questions.

  8. Wooo what a great review! Thanks for this. I was looking around for OSCP reviews; the fact is I am a computer security enthusiast, but currently working in developing Java/JEE web applications, and aim at switching to computer security, my first love. I certainly do not have your experience and knowledge guys, so after reading some reviews, and yours, especially your “Many people say that PWK/OSCP is not an entry course”, I’m now asking your point of view. Is there another more accessible course, for ex to start to root VM, or the books you mentioned (already have The Art of Exploitation), Metasploitable maybe, or more lab access time will do the trick (4, 5, or 6 months)… Think it’s going to be a huge challenge!!!!

    Thanks again for your feedback and congrats for your OSCP ;)!

    • Hi! Thanks for the compliments!

      Personally I think that most important is to spend enough time on the labs and find a methodology that works for you. I also think that OSCP is not an entry course but it’s not a very advanced or expert course either. The course covers a wide range of subjects and techniques, but it is like 1000 foot wide but only 10 foot deep. In the labs you need to learn how to find and exploit vulnerabilities in an effective and efficient way in order to pass the exam within the 24h time limit. From this perspective I wrote the tips and tricks for the courseware, labs and exam and when applying them I am sure you will pass OSCP as well :)

      If you have more questions, do not hesitate to contact me here or on Twitter.

  9. Do you have any recommended links for working with existing exploits from exploit-db? I followed the courseware for the section on fuzzing, but they just kind of dump you onto an example written in C that I was not ready for.

  10. Hi, great review, thanks for the tips. My query is: did you complete the entire course video and material before you tried it on the lab, or did you proceed in parallel with the lab and course material?
