Review: Offensive Security Certified Professional (OSCP)


During the last 3 months it was quieter than usual on Hacking Tutorials. In this period fewer tutorials and articles were published on Hacking Tutorials, but there was a very good reason for that. For the last 3 months I have followed Offensive Security’s Penetration Testing with Kali Linux (PWK) course and got certified as OSCP. In this article I will be reviewing the courseware, the labs and the brutal 24 hour exam. We will also look at which prior knowledge would be beneficial during the course and how to get this knowledge. We will conclude this article with some tips and hints that helped me pass the exam.

OSCP courseware and videos

The Penetration Testing with Kali Linux courseware contains a PDF file and instruction videos on all subjects. The course covers many different subjects such as passive and active information gathering with many different tools, but also writing simple buffer overflow exploits for Windows and Linux and privilege escalation techniques for both operating systems. You will also learn about exploiting web applications, performing password attacks, tunnelling and how to use Metasploit. The full course syllabus is available here:

https://www.offensive-security.com/documentation/penetration-testing-with-kali.pdf

It is helpful if you have prior knowledge of networking basics, scripting/coding and maybe some hacking and enumeration techniques in general when you start the course. Every subject is explained very well in the courseware and starts from the basics. However, you really need to learn a lot during this course in a very limited timeframe, especially when you do this course beside a full time job like most of us. Any prior knowledge will speed up the learning, lower the learning curve and save you some time.

Tips for the OSCP courseware

  • Follow the courseware first and then start practicing in the labs.
  • Use additional sources to learn more. A list of great online and offline sources is at the bottom of this article.
  • Join the Offensive Security PWK forums and social media and talk to other people. You can learn a lot from other people too, especially when you have little or no practical experience on the subject. InfoSec is often a passion and a way of living, so people are often quite nice and willing to share information and educate people who share the same passion (read the last paragraph for what questions to ask and what not).

OSCP Labs

The best part of the learning path to OSCP certification is the labs. The OSCP labs contain several networks with over 50 servers to practice your ethical hacking skills on. The operating systems on these hosts vary from Windows XP, Windows 2008 Server and Windows 7 to different Linux/Unix based operating systems such as Debian, Ubuntu, CentOS, FreeBSD, Fedora and more. Some operating systems are old (there’s even a Windows 2000 server) and some are very recent, like Windows 8.1. The lab also contains several clients performing automated tasks which can be targeted to learn about client side exploitation.

Proof.txt files

The main goal for each machine is to get a shell on the machine with administrator privileges and collect the contents of a proof.txt file on the Desktop. Some machines contain a networksecret.txt file besides the proof file. These machines are configured with a second network adapter, which allows you to use the machine as a pivot point and access an otherwise unavailable network. The contents of the network secret files allow you to revert machines in other subnets from the student panel. The OSCP student panel is accessible through the VPN connection and is an interface to revert machines, use Offensive Security’s Crackpot and to (re)schedule your exam.

Root shell!

Vulnerable machines

Every host in the lab contains one or more known vulnerabilities, varying from local file inclusion (LFI), backdoors and SQL injection to remote buffer overflows, default passwords and remote file inclusion (RFI). Privilege escalation is often performed through exploiting OS and application level vulnerabilities, but also through misconfigurations such as incorrect user privileges on files and services. After proper enumeration and assessing the vulnerabilities you have to exploit them in order to get a limited user shell, sometimes directly a root shell, or information which will lead to either of these. The vulnerabilities together have been set up very well and often you need to exploit a clever combination of them to get root or administrator access. I must say that Offensive Security has done a great job setting up these labs.

Metasploit and automated tools

The use of Metasploit is limited during the OSCP examination, although it is advised to get familiar with Metasploit and practice using it on the lab machines. You are allowed to use it on one machine during the exam, which is often considered a lifeline by many people. Personally I’ve often used both ways to exploit vulnerabilities: first manually and then with Metasploit if an exploit module was available. Using automated (commercial) vulnerability scanners, such as Open-VAS, is strictly forbidden on the exam. Using them in the labs would waste your learning experience when it comes to enumeration and vulnerability assessment, as this part of the penetration test would then be automated.

Tips for the OSCP labs

  • The student forums contain a walkthrough by Offensive Security for machine 71. Follow it to get a picture of how to conduct a penetration test from enumeration to privilege escalation and post exploitation.
  • Learn about the methodology used in the walkthrough, the techniques are less important.
  • When you’re advancing through the labs, write a simple bash or python script to perform (a part of) the enumeration. This will improve your scripting skills and experience but also save time.
  • Try to root as many machines as possible because all boxes contribute to your experience and learning process.
  • Extend your lab time if necessary and possible when you have left a lot of boxes untouched at the end.
  • You can install your own vulnerable machines for practising, or download them elsewhere.
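The enumeration-script tip above, as an added example that is not part of the original article: a small Python helper that parses nmap's grepable (-oG) output into per-host open-port lists and turns them into a per-service enumeration checklist for your notes. The sample scan output, the host addresses and the checklist entries are constructed for illustration.

```python
import re
from collections import OrderedDict

# Constructed sample of nmap grepable (-oG) output; hosts and banners are made up.
SAMPLE_GNMAP = """# Nmap 7.80 scan initiated (constructed sample)
Host: 10.11.1.5 ()\tStatus: Up
Host: 10.11.1.5 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.3.4/, 80/open/tcp//http//Apache httpd 2.2.8 ((Ubuntu))/, 139/open/tcp//netbios-ssn//Samba smbd 3.X/, 445/open/tcp//netbios-ssn//Samba smbd 3.X/, 3306/filtered/tcp//mysql///\tIgnored State: closed (995)
Host: 10.11.1.8 ()\tPorts: 22/open/tcp//ssh//OpenSSH 5.3p1/, 8080/open/tcp//http-proxy//Apache Tomcat|Coyote JSP engine 1.1/\tIgnored State: closed (998)
# Nmap done (constructed sample)
"""

# One -oG port entry: port/state/proto/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"^(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/$")

# Follow-up enumeration per nmap service name (constructed checklist, not from the course).
CHECKS = {
    "ftp": ["test anonymous login", "list readable and writable directories"],
    "ssh": ["record the banner version", "note the host for later credential reuse"],
    "http": ["fetch /robots.txt", "identify the web application and its version",
             "enumerate directories with a wordlist"],
    "http-proxy": ["treat as http", "check default management paths"],
    "netbios-ssn": ["list shares and users via null session", "record the SMB version"],
}


def parse_gnmap(text):
    """Return {host: [(port, proto, service, version), ...]} for open ports only."""
    hosts = OrderedDict()
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        # Tab-separated "Key: value" fields; "Ignored State" keeps its space.
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split()[0]
        hosts.setdefault(host, [])
        for entry in fields.get("Ports", "").split(", "):
            m = PORT_RE.match(entry.strip())
            if not m or m.group(2) != "open":
                continue  # skip malformed entries and filtered/closed ports
            port, _state, proto, _owner, service, _rpc, version = m.groups()
            # nmap writes "/" inside a field as "|"; restore it for readability.
            hosts[host].append((int(port), proto, service, version.replace("|", "/")))
    return hosts


def build_checklist(hosts):
    """Map each open port to the enumeration steps still to perform, plus a
    reminder to check any reported version string against known advisories."""
    out = OrderedDict()
    for host, ports in hosts.items():
        items = []
        for port, proto, service, version in ports:
            steps = CHECKS.get(service, ["identify the service manually (banner grab)"])
            items.extend(f"{port}/{proto} {service}: {step}" for step in steps)
            if version:
                items.append(f"{port}/{proto} {service}: check '{version}' against known advisories")
        out[host] = items
    return out


def render_notes(checklist):
    """Render the checklist as a plain-text tick list to paste into your lab notes."""
    lines = []
    for host, items in checklist.items():
        lines.append(f"== {host} ==")
        lines.extend(f"[ ] {item}" for item in items)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_notes(build_checklist(parse_gnmap(SAMPLE_GNMAP))))
```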

OSCP exam

After going through the courseware and finishing the bigger part of the labs, you might be ready for the horrific 24 hour OSCP certification exam. At the scheduled exam date you will receive new VPN credentials to access the exam network. The exam network consists of 5 machines, each worth a number of points ranging from 10 – 25 in the networks I got. You will need a total of 70 points to pass the exam. Personally I have taken 2 attempts to pass the examination and obtain the OSCP certification.

The most important factors to consider prior to the exam are:

  • Time management
  • Avoiding rabbit holes
  • Make a battle plan which you will stick to during the full length of the exam

OSCP Exam #1

On the first attempt I started at 11 AM, did not have a solid plan and just ran into the exam. In the first 2 hours I managed to get root on the first box. In the 6 hours to follow I rooted the second box. From that moment on everything went downhill and I got lost for hours in what later turned out to be a rabbit hole. At that moment it was impossible to get out of it, also because the tiredness kicked in after 16 hours, making it hard to remain focused. I stopped at 3 AM and slept till 08:00.

I got back to the exam at 08:30 and only had 2 hours and 45 minutes left. In that period I got a limited shell on the box I was stuck at the night before and almost rooted a second one, but it was too late. The VPN died and I knew I had failed the exam. I have learned a lot from this first failed attempt. I have learned how important time management is and that you really need a strategy to avoid rabbit holes and not lose too much time. At the end of this article I will present you with a list of points to consider which really helped me to avoid rabbit holes. I found that avoiding rabbit holes was key in passing the exam on the second attempt.

OSCP Exam #2

On the second attempt I started the exam at 3 PM and planned to work till 3 AM and then sleep till early morning. This way I had 2 ‘fresh’ starts for the exam to utilize more productive hours. From the first attempt I knew that exam hours 12 to 16 are worthless: personally I become too tired and lose too much focus after 12 hours. I also started with the harder exam machines this time, the ones that give 20 or 25 points. In the first 12 hours of the exam I managed to get 55 points. I went to sleep at about 5 AM and woke up to continue the exam at 8 AM.

In the hours to follow I managed to get another 40 points. I had a total of 90 points and I knew I had passed the exam. For one box I did not manage to escalate my privilege level to root, but I was fine with that.

OSCP exam report

In the next 24 hours you will be writing a penetration test exam report. The exam manual, which you get at the start of the exam, explains clearly what is required in the report. Make sure you collect this information during the exam in the required format. Prior experience with report writing (the lab report, for example) will help you a lot at this point. After submitting the lab report I got the following e-mail about 2 days later from Offensive Security:

OSCP pass mail!

Tips before the OSCP exam

The following tips will help you before the OSCP exam:

  • Make a battle plan before the exam which at least contains the following:
    • Breaks with times, including dinner, lunch and breakfast.
    • When and for how long you will sleep. Yes, you need to sleep in 24 hours.
    • How long to work on a single box. Personally I suggest switching to another box when you are stuck on a box for more than 2 hours.
    • Which enumeration to perform at every step of the penetration test (at the start and on a low privileged shell).
  • Finish your lab report for 5 extra points and optionally the course exercises for an additional 5 points. You might need them to reach the 70 points.
  • Rest before the exam; at least a day is what I would recommend. A fresh and sharp brain at the start of the exam is more important than a few more details covered.
  • You need to write a penetration test report after the exam. Make sure you know how to write it so you know what information to collect during the exam. The lab report is great practice for this; use it to learn how to document properly.

Tips during the OSCP exam

The following tips are helpful during the OSCP exam:

  • Personally I would suggest not working longer than 12 hours on the exam without sleep, or at least a longer period of rest to cool down your brain. Pick a timeframe for the exam which supports this and gives you 2 fresh starts with enough time.
  • Take frequent breaks during the exam.
  • Recognize rabbit holes! PWK/OSCP is not an advanced penetration testing course and 24 hours is not enough time to write a custom privilege escalation exploit from scratch. Nor can you perform advanced blind SQL injection attacks which aren’t documented anywhere in such a short timeframe. Summarized: When it is too difficult, it is probably a rabbit hole.
  • Use the last 15-30 minutes of the exam to check if you collected all required information before your VPN connection dies. It is easy to miss important information in the state of mind you will be in after 24 exam hours. Note: the VPN connection dies after 23 hours and 45 minutes! Schedule this check on time!

Conclusion and resources

I want to finish this article by saying that Offensive Security did a great job on this course. It is a very challenging course and the hard exam really gives value to this certificate. Many people say that PWK/OSCP is not an entry course and ask themselves (and others) when to engage OSCP. Personally I think these people are only partly right: PWK is not entry level, but it’s not advanced either. More important is the time you can spend on the course, whether you are able to consume a lot of information in a short period of time, and your devotion (try harder!). It is always a good thing to prepare yourself for a course like this. I would like to recommend the following books and tutorials:

General penetration testing

Penetration Testing by Georgia Weidman: https://www.nostarch.com/pentesting

Web application hacking

The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws by Dafydd Stuttard and Marcus Pinto: www.wiley.com/WileyCDA/WileyTitle/productCd-1118026470.html

Exploiting

The Art of Exploitation by Jon Erickson: https://www.nostarch.com/hacking2.htm

Any or all of these hacking tutorials:

Links

The following links are very helpful during the PWK course:

More links and books will be added over time.

Help during the OSCP course

Earlier in this OSCP course review I mentioned that it is a good thing to ask other people for help, especially when you’re stuck on something or when you cannot find the information that you need. I’d be happy to help answer your questions or give advice and such. But don’t contact me to ask for the PWK courseware, for help during the exam or anything else that will ruin your or anyone else’s learning experience. For simple questions please use the comment functionality below the article so anyone can benefit from the response given. Also note that Offensive Security admins are available on the IRC channel to help you when you get stuck (and sometimes give you a hint instead of “try harder”).


47 Comments

  1. Great review! Would you be able to expand a little on the manual exploitation and point me to any resources (links, books, videos) on that subject. I understand from reading tons of reviews including yours that Metasploit is mostly not allowed on exams, and to be honest I’d prefer to learn how to manually exploit machines anyways, but I cannot find any material on how to specifically manually exploit machines. Every search brings me back to some resource using meterpreter for exploitation. I even found a link on Reddit asking the same and there was not really anything helpful there. All I’ve found is that you need some kind of ‘handler’ (such as meterpreter) to deliver your exploit, but I’ve found nothing substantive about the manual exploitation process or what other tools to use to facilitate it. Thanks for any help you can provide.

  2. Brucelle A. Arizmendi on

    Thanks for the links! I’m reading one of the recommended PDFs… Nice! Thanks for sharing. Keep up the amazing work!

  3. I went through the path of OSCP myself. The author couldn’t be more spot on. All the details provided above will help you if you are thinking about taking OSCP.

    Great analysis and review thank you

  4. Great review! Congratulations the OSCP certification. You made up your mind to do it and you did not give up until you completed it.

    This is the direction I plan on going in my career. This review provided me with the confidence that this is an achievable goal. Great information loaded with wisdom from hands on experience. You’ve written an analytical review that can be trusted.

    Thank you!

  5. Great Review – thank you!

    Congratulations on passing the exam.

    I have enjoyed your review. I find it to be very balanced in terms of what to expect from the learning process. I have read a few OSCP reviews and have enjoyed this one the most. Before I read this review, I was planning to attempt OSCP in 2 years’ time. I think that I might attempt it sooner.

    I also appreciate the fact that you’ve included a few extra resources. I am sure that these will come in handy during and before the course. I will definitely come back to ask more questions in the future – I promise that it won’t be anything that will minimize the learning experience. :-)

  6. I’m currently taking the OSCP and this is pretty much what to expect. You’ll find yourself pretty frustrated from time to time, but if you’re willing to Try Harder one should pass. This is a difficult course compared to other information security certifications.

  7. A very good review and quite motivating. I have already learned a lot in the past 2-3 weeks, something which I never learned in 1-2 years. I have basic pen testing experience and wanted to go for an advanced course, and OSCP checks all the boxes. My course is about to start in 2-3 weeks and I am trying to learn as much as I can, and can only learn the course specific stuff when I get my courseware in my hands. Done with Buffer Overflow, did some VMs from Vulnhub; however, I read somewhere about compiling exploits for Windows and Linux. Can you recommend some good resources for such exploits, especially Windows? Also, how easy/difficult are the Web Application side attacks?

    • Thank you!

      Exploit (cross)compilation is covered in the courseware and is pretty easy and basic throughout the course. The labs offer a lot of scenarios to practice this. Regarding your question about the web application: all vulnerabilities are easy when you know how to exploit them. You’ll probably spend a lot of time on some and only a little time on others.

      Personally I would recommend you the Web Application Hacker’s Handbook for web application hacking, as mentioned in the review. Also I would focus on privilege escalation techniques, including enumeration, for Linux and Windows, as this is not extensively covered in the courseware.

      Good luck on OSCP! You can always contact me here or on Twitter if you have questions.

  8. Wooo what a great review! Thanks for this. I was looking around for OSCP reviews; the fact is I am a computer security enthusiast, but currently working in developing Java/JEE web applications, and aim at switching to computer security, my first love. I certainly do not have your experience and knowledge guys, so after reading some reviews, and yours, specially your “Many people say that PWK/OSCP is not an entry course”, I’m now asking your point of view. Is there another more accessible course, for ex vulnhub.com to start to root VMs, or the books you mentioned (already have The Art of Exploitation), Metasploitable maybe, or will more lab access time do the trick (4, 5, or 6 months)… . Think it’s going to be a huge challenge!!!!

    Thanks again for your feedback and congrats for your OSCP ;)!

    • Hi! Thanks for the compliments!

      Personally I think that most important is to spend enough time on the labs and find a methodology that works for you. I also think that OSCP is not an entry course but it’s not a very advanced or expert course either. The course covers a wide range of subjects and techniques, but it is like 1000 foot wide but only 10 foot deep. In the labs you need to learn how to find and exploit vulnerabilities in an effective and efficient way in order to pass the exam within the 24h time limit. From this perspective I wrote the tips and tricks for the courseware, labs and exam and when applying them I am sure you will pass OSCP as well :)

      If you have more questions, do not hesitate to contact me here or on Twitter.

  9. Do you have any recommended links for working with existing exploits from exploit-db? I followed the courseware for the section on fuzzing, but they just kind of dump you onto an example written in C that I was not ready for.

  10. Hi, Great review, thanks for the tips. My query is did you complete the entire course video and material before you try it on the lab? or you proceeded parallelly with lab and course material?

  11. I’m a little confused on the exam portion. So if I’m not an expert at buffer overflows, but understand the needed registers for a buffer overflow such as EIP, ESP JMP for exploits am I good to go? Or should I be ready to write a buffer overflow from scratch?

    IE; As of right now I’ve just taken PoCs and the needed registers from Metasploit modules.

    • I can’t say too much about the buffer overflow portion on the exam other than that the courseware provides enough information to successfully exploit it. Just study the courseware and use it during the exam.

      Have you planned an exam date already?

  12. I’ve signed up for the course and haven’t planned an exam date. I still have a month or so left in the labs, I might schedule the exam soon so I don’t have a gap in between my lab time and my studies.

    At first I was afraid to trigger anything in the labs and being really cautious. Now I’m just going head on taking down machines, while honing my skills and understanding my weaknesses. At this point it’s more of a game to me, my 60 hours of Counter Strike every two weeks have turned to 0 lol.

    Congrats on your certification.

  13. Hi, congrats on passing.

    Great review, I am happy that I found this blog.

    Could you please answer me this two questions:

    1. Do you think a person that comes from .NET programming and recently acquired CompTIA Linux+ with very general knowledge of networks but nothing about Windows admin is good enough to start this course?

    2. You buy 30 days’ access to labs and course materials, but can you extend additional access and schedule the exam after 2-3 months?

    Thanks for the answers.

    • Hi, Thanks for the compliments, very much appreciated!

      Regarding your questions:
      1. I think if you have a programming background, you won’t have much trouble with reading and customizing exploits, which you’ll be doing a lot during the course. If you have a network/system engineering background, you won’t have much trouble with understanding pivoting techniques and privilege escalation etc. etc. As mentioned in the review, OSCP is 1000 feet wide and only 10 feet deep, so I think you will be okay. You cannot be an expert in every field, so you will (need to) learn a lot of new stuff during the course. CompTIA Linux+ will also help you with a basic understanding of the Linux OS, which will help you during the course.

      2. You can buy 30 day lab access and extend as many times as necessary. Unless you buy new lab access, you will need to schedule your exam within 3 months after the last lab time ended. Please note that lab extension does include a new exam attempt. So you can attempt the exam after 30 days and renew lab time with a new exam attempt if you fail.

      When will you start the course?

  14. Hi, sorry I do not speak English. I don’t understand what a ‘rabbit hole’ is. Please can you explain the concept?

    Thank you

    • Hi! Good question.

      A rabbit hole in OSCP context is when you think you have a solution to root a certain box or get a limited shell, but after a while (often many hours later) you realize you were wrong and something else was vulnerable. In this case you went down the rabbit hole. This often happens when you’re not performing a full vulnerability assessment on a box and try to exploit every vulnerability you find on the way (many rabbit holes among them). As you probably know, during the exam you don’t have time to lose on rabbit holes. This is why it is important to come up with a strategy to avoid them.

      With a full vulnerability assessment you are able to make a list of vulnerabilities and start to exploit the ones which you think have the highest success rate. For example: you have found a CMS with a blind SQL injection vulnerability with no proof of concept code on exploit-db and a local file inclusion (LFI) vulnerability on another web application. Personally I would go for the web application with LFI instead of the blind SQL injection vulnerability. If you are aware of both and choose for the LFI, you probably avoided a rabbit hole.

  15. Wow! This is by far the best OSCP cert & prep review! Thanks for taking your time to share this valuable guide! I plan to sign up the course next week.

    Few questions:
    1) To enumerate vulns on a box, can you use Nessus or the nmap vuln enum script? What is your method to find all vulns in the box?
    2) When you say full vulnerability assessment, do you refer to scanning the box for all ports to find the vulns, or looking at the banners of all services manually? Can you elaborate?
    3) If a box has multiple vulns, do you go by the one with an exploit-db exploit available? Or what is your method to select the one with the highest success rate?
    4) During the test, can you use all the available Kali tools to enumerate and carry out exploits?
    5) For the report, does each exploit need to be documented in detail?
    6) Does each box, during the exam, have more than a few vulns just to trick you into the rabbit hole?
    7) Is there a signal or tell-tale sign that you could sense it’s a rabbit hole?
    8) How extensive is the password cracking vuln involved? E.g. requires obtaining hashes, then bruteforcing them?

    Sorry for many questions, and thanks in advance for your reply!

    • Hi, thank you!

      1. You can use any tool you like in the labs. You cannot use automated vulnerability scanners like Nessus and Open-VAS during the exam. Personally I would recommend you not to rely on them in the labs.
      2. With a vulnerability assessment I am talking about translating the enumeration details like open ports, service banners etc. to known vulnerabilities. For example: FTP server 1.2 is vulnerable to a directory traversal, proof of concept is available on exploit-db.
      3. If a box has multiple vulnerabilities I suggest checking exploit-db for proof of concept code and/or exploits. Often you need to exploit multiple vulnerabilities to get a shell, for example a remote code execution vulnerability in combination with upload functionality.
      4. Automated vulnerability scanners and tools are not allowed during the exam. Metasploit use is very limited. Once you get there, you will be informed about what to use and what not.
      5. The exam guide contains all information about what you need to document. You will get it before the exam and you can read about this in the user panel.
      6. Be prepared for rabbit holes.
      7. Experience is key, so work your way through the labs.
      8. You will learn about brute forcing passwords and hashes. Have a look at your user panel too when you’ve signed up.

  16. I failed my OSCP exam.

    During OSCP exam I was doing the machine with buffer overflow.

    It seems that I followed the methodology: get EIP, ESP, bad characters.

    My problem was to generate a payload without bad characters. The tool used was msfvenom.

    However, when I used msfvenom with 2 bad characters, my msfvenom crashed in Kali 2.

    Did you have this error? In the end I failed the buffer overflow and failed the exam.

    May I contact you?

    • Hi,

      If I understand correctly, Kali Linux crashed when generating a payload with 2 bad characters using msfvenom? I’ve never had this error, can you post the command here?

      Sure, you can contact me.
