Try Harder! My Penetration Testing with Kali Linux OSCP Review and course/lab experience

Introduction:
Obtaining the OSCP certification is a challenge like no other. After my experience with the OSCP exam and course from Offensive Security, I decided to go ahead and write an OSCP Review. I decided to take the OSCP course and exam in September 2014 after seeing some fellow members of a forum I frequent quite a bit (www.techexams.net) state that they were taking it soon. This is a course and exam I wanted to tackle as I have a passion for IT security. I figured, why not sign up at the same time, compare notes with like-minded people, and make the process easier.

So I signed up for the 90 days, and a week later I was sent the introduction email with all the information I needed: VPN details for connecting to the Offensive Security labs, IRC information, login information, and forum information.

About me:
I have about 20 years of combined IT experience. I have two MCSEs, two MCSAs, MCITP:VA, VCP5, Security+, CEHv7, RHCSA, a BS in IT security, and I am finishing up my Masters in Applied IT with a concentration in Applied Cyber Security. I currently work for Lockheed Martin as an Active Directory Engineer on a government contract.

The course:
When I first signed up for the course, I quickly went through the manual and videos that are included with the email once you start the course. A lot of the information I was already familiar with, as I had to review a lot of it for the CEHv7 certification. As we all know, the OSCP exam and course are very technical and very hands on. The CEH is pretty much all about theory and multiple choice questions. I was glad to take a course that not only talked about tools, but how to use them, and why they are used.

So when I first started the course, I was very motivated. The very first day I was in the labs, I was able to knock out 3 servers with very minimal effort. At this point I am thinking to myself, this is too easy! That is, until I met “sufference”. Over the course of the next month or so I was able to get to about 20 servers. As I said in the beginning, I was super motivated, but as time went on I was losing interest and simply didn’t have the time.

Sufference
As I said, I thought this course was too easy at first, and I was able to knock out server after server. That is, until I met sufference. This is where I lost a lot of motivation. I believe I spent 3 weeks alone on this beast of a server. It demotivated me and made me feel like a child who just had his ice cream money stolen by Vic the bully down the street. I spent hours a day on this server alone, obsessing over it. I decided to come back to it later. So I moved on to some other challenging servers, and I was able to root them and get some of my confidence back.

I decide to go back and kick sufference right in the teeth after this. I do a lot of googling, AND I MEAN A LOT, and finally I find a way in and get a limited shell! Great! Half the battle has been won! This is not enough for me; I need to make this server my bitch and show it who’s boss. Yeah… not so much. Again I decide to regroup and move on…. maybe the answer will come to me. I pop a few more servers (at this point I am close to my 90-day mark). I HAVE TO OWN THIS BEFORE MY LAB TIME IS UP! One more attempt, I tell myself.

I finally come across something that clicks for me, and I have one of those AH-HA! moments. It’s something I should have seen sooner… but for some reason I did not, and stayed ignorant. I finally found the answer, and I was able to root sufference after nearly 3 months! My motivation and confidence have been renewed.

/sufference

I decide to extend for another 30 days. I only have about 30 servers owned at this point… and I hadn’t unlocked any of the other networks. I can do better. So I renew, and I decide my new goal is to at least get into the admin network. After a lot of time spent in the labs and researching exploits etc., I had finally learned how to pivot into the admin network. Thank you, proxychains! I was able to get all of the servers in the IT network, and all but one in the admin network. My time was almost up in the labs, so I decided to go ahead and book the exam. I felt I was ready and could do this.

The Exam (part 1):
The exam is a 24 hour challenge. This means that you have 24 hours from the time the exam starts to try and compromise the servers assigned to you in the exam. Additionally you have another 24 hours after that to write your report and send it in for grading. You are graded on your report alone, and you HAVE to complete this in order to pass the exam. You are also encouraged to submit a lab report documenting your efforts in the lab. You may get extra points for this should you need them on the exam. This is all explained in the exam email.

I booked my exam for a Saturday evening starting at 5pm.  The email comes right at 5pm. I connect to the network, look at the exam guide that is provided and start working. In the first hour I had managed to root 2 servers. I felt like I was on a roll, and that I was going to end this beast early. Not so much.

After the first two, I didn’t get anything on the next three servers for the next 12 hours. Nothing. Zilch, Nada! I was deflated and dumbfounded. I figured I should take a nap and come back to it. Maybe I was just exhausted and needed some rest. I take a 3-hour nap and come back. This is what I needed. In the next hour or two after that, I had 2 more limited shells. I couldn’t escalate. I tried until the bitter end. At the end, I had two fully compromised hosts and 2 limited shells. Would this be enough to pass the exam?

Turns out it wasn’t. I got the email Tuesday afternoon stating I hadn’t passed.

I will NOT be defeated!

The Exam (part 2):
I decided to extend my lab time for another 15 days, and book the exam 2 weeks after I had failed. I decided to concentrate on privilege escalation, since this is what I felt I was weak at. I spent the next couple of weeks working on that as well as buffer overflows. I really didn’t do too much in the labs, except maybe a few servers I may have missed in the public network. I just really wanted to work on escalations. Turns out this was a smart move on my part.

This time I book the exam for 10AM. Again the email comes, along with the exam guide and instructions to connect in. Away I go. Again, I get the first 2 servers in the first hour. I don’t get ahead of myself and just keep plugging away. I start on the next server and it falls in the next hour. By the 5th hour I had 3 full compromises and 3 limited shells. I KNOW I have passed at this point, by the amount of points I will be awarded based on the exam guide. Again… this is not enough for me. I have to prove to myself that I can TRY HARDER!

I do just that.

After 6 hours in the exam, I feel like I am done. 4 full compromises out of 5, and the last server I had a limited shell. This should have been about 90 points. I am satisfied but tired. I was smart enough to document everything as I went, so I only had to spend another hour fixing up my report. I sent my report to the offsec team, and walked away from my computer like a boss.

OSCP Passed!

 

Wrap up:
This is by far the most challenging and rewarding course and certification I have ever taken. I respect anyone else who has the guts to take this on and succeed. It truly shows you know your stuff in this field.

I sent off my report Saturday evening around 4-5PM. I got the response this morning (Monday Feb 23, 2015) that I had passed the exam. I am elated that this challenge is over and I was able to overcome it. I tried harder when it mattered most and I was able to accomplish what I set out to do.

I am now an Offensive Security Certified Professional because I tried harder!

My OSCP Review

I cannot say enough good things about the OSCP course and exam. I was challenged, and I learned a whole lot more than I thought I would about security and penetration testing. I hope that the OSCP will gain more recognition by companies. The OSCP is the certification I am most proud of by far.

Time to update the old resume to reflect the new OSCP certification!

 

Resources:
Some resources I used for this challenge:
http://www.fuzzysecurity.com/tutorials/16.html
http://pentestmonkey.net/category/cheat-sheet/shell
https://github.com/GDSSecurity/Windows-Exploit-Suggester
https://github.com/PenturaLabs/Linux_Exploit_Suggester
https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
http://www.offensive-security.com/metasploit-unleashed/Main_Page

I also read The Hacker Playbook, the Metasploit Unleashed book, and the Penetration Testing book by Georgia Weidman.

These are all very good resources.

Thanks to all those who helped me and pushed me when I needed it, especially all the other people who have written an OSCP review to help others.

More information about the OSCP and PWK can be found here:
https://www.offensive-security.com/information-security-training/penetration-testing-with-kali-linux/
https://www.offensive-security.com/information-security-certifications/oscp-offensive-security-certified-professional/

Additionally the offsec admins can be contacted via IRC at irc.freenode.net #offsec

If anyone wants to talk or has any questions, feel free to connect to irc.osswg.com #oscp
I will not give any hints or answers, but I can try and answer any other questions pertaining to the OSCP. Good luck to anyone wishing to take on the OSCP course and exam. After you pass the exam, write your own OSCP review!

172 thoughts on “Try Harder! My Penetration Testing with Kali Linux OSCP Review and course/lab experience”

  1. Were you restricted on using metasploit/meterpreter during the exam?

    • Yes. You are restricted while using metasploit.
      When you get your exam email, the details will be spelled out for you. I tried not to use metasploit during my lab time, it proved to be challenging, but it can be done.
      I did, however, use Metasploit on a few occasions so that I could make sure I was learning as much as I could about it.

  2. During your preparation for the 2nd attempt, what privilege escalation practice/methods ended up helping you out the most? Windows vs Linux, exploits vs misconfigurations, etc. I’ve got a meeting with our adversary next week!

    Thanks in Advance!

  3. You could use Metasploit? I was looking into classes and found this (good read, by the way). I wanted to learn how to do it without tools; using them makes me feel like a glorified script kiddie. But if the OSCP allows tools then it shouldn’t be as hard as I thought, oh well. Does anyone know what I should go for if I want to learn how to create the tools?

    • Your use of Metasploit is very limited. When you get the exam documentation from Offensive Security, it will outline how you are allowed to use it. I believe you can actually find out how it is limited in the forums.

      • The exam document you will receive will spell out exactly what you are allowed to do and what you are not allowed to do. You can find some of the rules outlined in the offsec forums.

  4. Hi! Great review of the exam. I would like to congratulate you. You have got one of the most respected certificates. I have a programming background (3 years) and Linux experience (RHCSAv7). I am new to the security field, but I do not want to spend my time on entry-level certifications; I am determined to go right for the OSCP. Could you please recommend a course/training/video course/book for the OSCP? Free training, courses, etc. are much appreciated. Thank you beforehand.
    PS: As i am student, i cannot afford PWK training, it is too expensive for me.

    • Unfortunately I am unaware of any training that would take the place of the PWK course. The course covers the things you need to be prepared for, and then you are able and expected to practice what you learned in the labs.

    • Hi Rzaaeeff,
      There is quite a lot of free stuff on the internet that can help you. For instance, for buffer overflows you can go through http://www.fuzzysecurity.com (which covers a lot more exploit development than what is covered in the OSCP) and the pentest.cryptocity.net examples. For web applications, Mutillidae and bWAPP are some good playgrounds, and there is a good tutorial on http://www.youtube.com/user/webpwnized. Last but not least, look for the InfiniteSkills course on reverse engineering and exploit development, and for what’s left, privilege escalation, please try to solve the examples on vulnhub.

  5. Congrats first up on your certification, I really want to know how that feels, I have just started the OSCP 60 days. I am in the field of I.T as a network admin, little to no prior programming experience. This blog has made me freak out, I am not built for this? You have so many certs already and it busted you up… I might end up throwing my laptop at the wall…

    Well I am here to tryharder! and I will but damn you got me freaked out now

    • Just try harder, don’t give up, and you’ll make it through.
      Feel free to connect to IRC if you have any questions.

        • Me too, same as him. Gonna start my course next week. I’m a network admin and know RHCE. My bash and Python knowledge is very little, but I have a good understanding of TCP/IP. My lab time is 60 days. Is there any chance for me to get the OSCP?

  6. Do this exam require to have programming skills? I am a goner for programming.

    • No it is not a requirement. I am not the best coder by any means, and I was able to pass the exam.

  7. Hi, I am actually considering trying this! I would like to ask you what the exploitation of the servers is like. For example, finding secrets around the server? Or actually doing SQL injection, LFI and stuff?

      • Jason, will they give any template or sample format for the report? Or are we on our own? May I know the cost for 60 days lab access + exam? Does this course require extensive knowledge in security, or could anyone with basic knowledge in security pass the exam?

        • Yes Offsec has a sample report available. I have stated this before. Also, go look at their website for the costs. I have replied to a few comments with that same information. It is located on their site. Yes this course requires extensive knowledge. Do some research!

  8. Hey Jason, nice work and thanks for sharing your experience to the community.
    I would like to know if it is necessary to have deep knowledge about Buffer Overflows to pass the exam. I know there is a specific chapter about BoF, but is this point relevant during the exam?

    Best regards

  9. Hello Jason, I’m currently in the course. I have a question because I’m kind of confused: do I need to make a report of the course and lab too, or just a report of the exam?

    • Doing a lab report is not required. I did not turn one in. That being said, if you are on the cusp of passing the exam, turning in a detailed lab report could get you enough points to push you over and get you a passing score. Think of it as extra credit.

  10. Hello Jason, I have another question. Would buffer/stack overflows or exploit development be useful in the exam? Would it be tested? Would they ask me to make my own exploits in the exam, or is it just for an understanding of exploits?

    • I would suggest reviewing and having a solid understanding of the buffer overflow section in the student guide. I can’t say too much without giving anything away.

  11. Are any of the below a prerequisite? I mean, will these be helpful?

    – Bash scripting
    – PERL/PYTHON
    – ASSEMBLY/DEBUGGER

    • As long as you are comfortable with editing and modifying exploits for your use, you shouldn’t have a problem. I don’t have any professional programming experience, and it’s not something I am great at. I did just fine.

      That said, having experience with the mentioned languages may help you.

        • Hi, do you have any sources you can recommend for modifying exploits? E.g. shellcode switching, but making sure the size remains the same, etc.
        Thanks
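The size question raised in the comment above is the part that bites most people when they swap shellcode into an existing exploit: a longer payload silently shifts where the return address lands, or changes how much data the target receives. The following is an added example, not code from the original post or from Offensive Security; OFFSET, RET_ADDR, TOTAL_LEN and the two INT3 “shellcode” stubs are made-up placeholders for illustration and do not target any real program.

```python
"""Swapping shellcode in a stack-overflow payload while keeping its size fixed.

Added example, not code from the original post or from Offensive Security.
OFFSET, RET_ADDR, TOTAL_LEN and the two shellcode stubs are made-up
placeholders for illustration; they do not target any real program.
"""
import struct

OFFSET = 524            # hypothetical distance from buffer start to saved EIP
RET_ADDR = 0xDEADBEEF   # hypothetical address of a JMP ESP gadget
TOTAL_LEN = 1000        # hypothetical: the crash was reproduced with 1000 bytes

# Placeholder "shellcode": INT3 stubs of different sizes. Real shellcode from
# msfvenom would be dropped in here instead; the layout logic is unchanged.
SHELLCODE_SMALL = b"\xcc" * 32
SHELLCODE_LARGE = b"\xcc" * 300


def build_payload(offset, ret_addr, shellcode, total_len,
                  nop_sled=16, bad_chars=b"\x00\x0a\x0d",
                  filler=b"A", pad=b"C"):
    """Assemble junk | ret_addr (little-endian) | NOP sled | shellcode | pad.

    The result is always exactly total_len bytes, so exchanging one shellcode
    for another of a different length cannot move the EIP overwrite or change
    the amount of data the vulnerable program receives. Bad characters are
    rejected up front instead of being discovered as a truncated payload.
    """
    ret = struct.pack("<I", ret_addr)
    for b in bad_chars:
        if b in shellcode:
            raise ValueError("bad char 0x%02x present in shellcode" % b)
        if b in ret:
            raise ValueError("bad char 0x%02x present in return address" % b)
    body = filler * offset + ret + b"\x90" * nop_sled + shellcode
    if len(body) > total_len:
        raise ValueError("payload is %d bytes, exceeds fixed size %d"
                         % (len(body), total_len))
    return body + pad * (total_len - len(body))


def layout(payload, offset, nop_sled=16):
    """Where the pieces sit, for a sanity check before sending anything."""
    return {
        "eip_bytes": payload[offset:offset + 4],
        "shellcode_start": offset + 4 + nop_sled,
        "length": len(payload),
    }


if __name__ == "__main__":
    for sc in (SHELLCODE_SMALL, SHELLCODE_LARGE):
        p = build_payload(OFFSET, RET_ADDR, sc, TOTAL_LEN)
        print(len(sc), "byte shellcode ->", layout(p, OFFSET))
```

Both payloads come out at exactly 1000 bytes with the same four bytes at the EIP offset, which is the property to verify before re-sending; a shellcode that would not fit raises instead of quietly overrunning the fixed size.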

  12. Hello Jason.

    I have some questions about laboratories. Can you help me with some answers? Can we speak on private if you agree? Send me an email at my address because I don’t have your email.

    • I can not answer specific questions about the labs, as I will not give out answers to problems in the labs. This course is meant to teach and challenge you.

  13. Does the course teach you how to write the type of report they hope to receive at the end?

    • No the course does not. They have a link to a sample report though. I used their sample report when writing my report for my exam.

      • How did you redact your report? The sample report is written from OffSec perspective “Offensive Security was contracted by MegaCorp One to …”
        How did you start it, what was your legend? Did you even bother?

        • I used their report template and just edited it with my information. I wrote it as though I was contracted to perform the test.

  14. Awesome read! I’m three days into the material and loving it!

    I have a hopefully quick question for you if you don’t mind answering…

    A lot of other reviews say that the video training is not enough to prepare you for the exam completely. I understand that a lot of our own research needs to go into preparation if we want to be successful (not only in the exam but in real life). My question is what percentage of your preparation did you take from external sources?

    • I don’t know that I can give an exact percent, but I did use other sources when challenged with boxes that I couldn’t figure out in the lab. For instance, I did Google searches for things like Windows privilege escalation. The videos are definitely not enough. This course expects you to learn from other sources. I also read the Penetration Testing book by Georgia Weidman as well as The Hacker Playbook.

      • Yeah, I noticed your extensive list of resources! Thanks again.

        I’ll get a kindle copy of these today!

        What are you working on next? OSCE or Wireless perhaps? I know that getting your OSCP is only going to make you ‘itch’ to get the others 🙂

  15. Does the lab time start with the course, or does the timer start after you login?

  16. Hi, I’m looking at this cert and just wondering if the course/videos are enough to pass on their own or do you need to do a lot of external reading/research?

  17. Just wondering if you know of any websites out there that are like the labs in offensive security. I would like to practice on test machines a bit before committing to taking the course so I’ve been looking for sites like hacking-lab out there where you can test yourself and learn. Know of other ones?

    • I would suggest taking a look at vulnhub. They have a bunch of vulnerable VMs, usually with a walk through, that you can run attacks and practice on.

  18. Hey Jason,

    I have a lot of respect for what you have done to get this certification. I am also getting into the security field and would like to know what should I start with before I think about going for this certification. I am taking my masters in security right now, but am learning things on my own as well. Can you tell me where I should start before I take the course and labs in Offensive security? I see what is listed in the syllabus, but I want to know what you knew before you started going into this certification.

    Hope to hear from you soon!

    Thanks,

    -Joe

    • I had quite a bit of experience with Linux before I took this course/exam. Knowing the Linux CLI will definitely help out tremendously. That’s probably the biggest obstacle a lot of people have: being able to perform tasks with Linux.

      • Yea. I have played around with the command line for Ubuntu and Kali Linux. Do you recommend any sites that provide good Linux command training? Also, in the course package they offered for OSCP, what did you think of the labs and the course as a whole? Did it prepare you well enough for the exam? What programming languages did you learn in the course?

        Thanks,

        -Joe

        • The only Linux training I have taken was for the RHCSA, which my last company sent me to. The training was more geared for the exam, and not really to learn much. I already had been using Linux professionally for years, so I didn’t really need to learn too much.
          The OSCP labs are a great place to practice what is talked about in the videos they provide, as well as the exercises in the book.
          This course isn’t designed to teach you any programming languages, so I didn’t learn any. I do have some experience with bash and python. In the course you’ll need to be able to modify exploits and tailor them for your personal use.

          • In the beginning I was spending 5-8 hours a day. Which slowed down to an hour or two a day. By the end I got a second wind and was over 5 hours a day until the test.

          • Nice. Thank you for your comments. I am not taking exam/course yet, but I want to prepare myself mentally before going any further.

            All the Best!

            -Joe

          • Congrats on your OSCP. I agree with your statements on Red Hat training. Sadly it’s turned into lab prep/revision only for a given exam and its associated requirements. As a result I no longer take official Red Hat training as it’s expensive and I do not have the luxury of an employer paying.
            I hold RHCE x3 plus a bunch of expertise-level certs en route to RHCA.

            I will be taking the OSCP course as it is affordable, looks to teach you real skills and is challenging (not saying Red Hat exams aren’t, as they are very tough as well, especially 3xx and 4xx levels).

          • I liked the red hat training, but yes, it was geared toward passing the test. I don’t plan on renewing my RHCSA, which expires this year.

  19. Thanks for the great review. I’m going through the labs now and was wondering if you might be able to give a little insight. Without giving too much away, what was your methodology for working through the machines? Did you perform nmap scans and the look for vulnerable services or did you find vulnerabilities other ways? Thanks again and I appreciate any advice you might have.

    • I typically would run an nmap scan against a target. After finding out what services were running, I would start digging deeper.
      For instance, if I ran a scan and I saw that a web service was running, I would load up the webpage to see if I could gather anymore intel. Then I would run various web tools (dirb) to see if there were any hidden directories etc.
      Hope that helps.

      • Thanks for the response. Did you find the standard dirb lists to be good? Also, did you find web attacks to be a common vector? As I run my scans I’m finding fewer and fewer services that I’m able to find exploits for. Thanks again for your time, it’s very much appreciated.

        • I found the standard dirb list to be just fine. I did find some websites on the targets after using it.
          I don’t want to give too much away.
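The methodology in the exchange above (nmap first, then dirb against anything that turns out to be a web server) is easy to automate for the enumeration half. The following is an added example, not code from the original post or from Offensive Security: it parses nmap’s grepable output (-oG), keeps only open TCP services that nmap labels as HTTP-like, and emits one dirb command per base URL. The scan result embedded as SAMPLE_GNMAP is constructed for the example and is not output from the PWK lab.

```python
"""Turn nmap grepable output into a queue of dirb runs against web services.

Added example, not code from the original post or from Offensive Security.
SAMPLE_GNMAP is a constructed scan result, not output from the PWK lab.
"""
import re

SAMPLE_GNMAP = (
    "# Nmap 6.47 scan initiated as: nmap -sV -oG scan.gnmap 10.11.1.0/24\n"
    "Host: 10.11.1.5 ()\tStatus: Up\n"
    "Host: 10.11.1.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 5.3/, "
    "80/open/tcp//http//Apache httpd 2.2.15/, "
    "443/open/tcp//ssl|http//Apache httpd 2.2.15/\tIgnored State: closed (997)\n"
    "Host: 10.11.1.8 ()\tPorts: 139/open/tcp//netbios-ssn///, "
    "445/open/tcp//microsoft-ds//Windows XP microsoft-ds/, "
    "8080/filtered/tcp//http-proxy///\tIgnored State: closed (997)\n"
    "Host: 10.11.1.13 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.3.4/, "
    "8080/open/tcp//http//Jetty 6.1.25/\n"
    "# Nmap done -- 256 IP addresses (3 hosts up)\n"
)

# One port entry in -oG output: port/state/proto/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


def parse_gnmap(text):
    """Return (host, port, proto, state, service, version) tuples."""
    services = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\tIgnored", 1)[0]
        # Entries are comma-separated; version strings here contain no commas.
        for entry in ports_field.split(","):
            m = PORT_RE.match(entry.strip())
            if m:
                port, state, proto, _owner, name, _rpc, version = m.groups()
                services.append((host, int(port), proto, state, name, version))
    return services


def web_targets(services):
    """Base URLs for open TCP services that nmap labels as HTTP-like.

    Filtered ports are skipped: dirb would only time out against them.
    """
    urls = []
    for host, port, proto, state, name, _version in services:
        if state != "open" or proto != "tcp" or "http" not in name:
            continue
        https = port == 443 or "ssl" in name or name == "https"
        scheme = "https" if https else "http"
        default = 443 if https else 80
        netloc = host if port == default else "%s:%d" % (host, port)
        urls.append("%s://%s/" % (scheme, netloc))
    return urls


def dirb_commands(urls, wordlist="/usr/share/dirb/wordlists/common.txt"):
    """dirb <url> <wordlist> -o <file>; common.txt is dirb's default list."""
    cmds = []
    for url in urls:
        tag = url.split("//", 1)[1].rstrip("/").replace(":", "_")
        cmds.append("dirb %s %s -o dirb_%s.txt" % (url, wordlist, tag))
    return cmds


if __name__ == "__main__":
    for cmd in dirb_commands(web_targets(parse_gnmap(SAMPLE_GNMAP))):
        print(cmd)
```

On the constructed scan this yields three dirb runs (port 80 and 443 on 10.11.1.5, port 8080 on 10.11.1.13) and drops the filtered 8080/tcp on 10.11.1.8, which is the kind of noise that wastes lab time if it is queued blindly.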

  20. Hi Jason

    Nice write up about the course, i respect you for your achievement.

    Currently doing the course, in your journey did you concentrate mainly on the servers to attack or you chose to attack the whole subnet?

    This course is awesome, and even though I have worked in IT for a long time I feel like a novice in this field.

    cheers
    Gerry

  21. Your blog is quite an inspiration. I am planning to go for a training with OS to gain my knowledge and enhance my skills towards penetration testing. I believe the exam is really challenging as you need to knock down several servers within a span of 24 hours and write all of your documentation for the next 24 hours. My!.. that is really exhausting as you are not going to sleep for almost 2 days!!. But i salute you and would like to say thank you for the inspiration. Hopefully i can do this as well on my part and gain this certification.

    Keep it up man! 🙂

  22. You are really cool!
    What do you think – will “The Balmer’s effect” help in the OSCP?

      • He’s referring to the Ballmer Effect, or the Ballmer Peak, which is a supposed “peak” in programming ability caused by alcohol and named after Steve Ballmer, CEO of Microsoft.

  23. Hi, this time I am preparing for the CEH, and after the CEH I want to do the OSCP in the future. So can you give me some advice about the OSCP, on what my next step should be after the CEH?

    • I am not sure I fully understand your question, but I guess I’ll take a step.
      Know how to navigate the Linux CLI and be comfortable with Linux as a whole.
      Also, try harder.

  24. I just got my BS in IT with a focus in Information Security and Assurance. I am currently working on getting the Security+ Certification. I really don’t have much more experience in the IT Industry than what I received from school and personal experience. So far the Security+ seems to be simple. I have a huge interest in being a Penetration Tester and so far the OSCP seems to be the best Cert for that. I definitely want this cert but after seeing your credentials, I hope I’m not getting over my head by trying to do it now.

    The power of Google has been my best friend throughout college. Do you think it is possible to take the course information and the resources you provided plus more Google searches to pass this certification ?

    So far this blog has been the best information I have found for the OSCP!!

    Thanks for what you have done!

    • As long as you are very comfortable with the Linux and Windows CLI, it shouldn’t be too much of an issue.
      Just make sure to put in a lot of time and effort during the course, Google everything you don’t understand, and ask the admin questions on things you are not clear about.

  25. Jason,
    Great write-up, definitely inspiring. I have been studying for a few years and putting my enrollment off on this course for a while now. I have a few questions for you. What books in your library during your course did you find yourself reaching for? I have been looking around, do you know if PWK offers the lab manual for download without registering for the course so I can study more before signing up. I want to make sure I am ready, self taught and don’t want to waste course time when I sign up. Thanks!

    • Ryan,
      Sorry for the late reply. I used Georgia Weidman’s book as well as the Red Team Field Manual (RTFM), and The Hacker Playbook 2.
      You cannot download the lab manual or course book without registering first.

  26. Hi Jason!

    Congrats on the cert! Question, I have extensive background in Windows, have my CCNA, MCSE, CEH, CHFI, CISSP, GIAC2700, Network+, etc. I worry because I am more theoretical/policy driven up to this point but am really really interested in this course. I have messed with Backtrack/Kali/Fedora in the past – but not an expert by any means. Since my background is more Windows, general networking, and theory, would you recommend the course now, or would you recommend more linux training? I guess my long winded question is do you believe the course provides the necessary training, coupled with my Windows knowledge, that would lead me to being successful (while putting forth research). I don’t have a lot of scripting experience and am worried that I will get lost in Linux if I don’t have a solid foundation.

    Again, congrats!

    DMH

    • DMH,
      I would say dive right in. Nothing like a trial by fire right?
      I would definitely suggest that you be very comfortable with the Windows and Linux CLI. As long as you can move around and do what you need to do in the CLI, it shouldn’t be too difficult.
      The course will show you a few things, but they do expect you to be able to figure things out and put things together.
      Also, I do not have any background in development. It’s not a huge thing for the course.

  27. Dear Jason,

    Thank you very much for your review especially with the references used before the start of the main course.

    At the end, could you tell us how much it cost you from start to end? If that’s not indiscreet!

    Congratulations on your success, will join you soon enough ! 🙂

    Best regards from France,
    Etienne.

  28. Dear Jason,

    Thank you for this write up – very useful.

    Did you work on this full or part time?

    Thanks

    • I worked part time on it. I had a full time job in addition to being in graduate school at the time.

  29. Hi Jason !
    I am beginning my college this fall. I know the basics of C/C++ and Python. That’s it. Nothing more. I am really interested in InfoSec! What prerequisites does this course need ?

  30. Jason,

    Thanks for this post. I’m starting to research getting this cert. So far it seems like the most interesting and most practical in the realm of InfoSec and Pen Testing.

    Your post has me encouraged. I’m going to spend some time on the material you noted (I need to break out my copy of The Hacker Playbook) before I drop the dough on it, but this is exactly what I was looking for.

    Thanks!
    S

      • Jason,

        Quick follow up question. You provided some resources for the technical aspect of the exam but what sort of resources would you recommend for writing a professional report? I have experience writing IT Audit reports but nothing in the realm of security analysis work.

        Any tips would be great.

        Thanks!

        • For me, I used the Offensive Security template to submit my final report for my exam. It worked well for me, and was able to customize it as I saw fit.
          I was used to writing material like that because at the time I was in graduate school working on my Masters in Applied IT and Cyber Security, so writing for me is pretty trivial.

  31. Jason,

    I want to take the time out to say thanks for the push. I am an ex-sysadmin turned network engineer with a focus in security with a slew of Cisco certs..ie. CCNP, CCNP Security, JNCIA, CompTIA stuff..blah blah. I see CLI like Neo from the matrix, a little weak on linux but Cisco and Windows has given me the foundation to learn any language. The fact that you are still replying to messages after all this time and I have a huge thirst for knowledge will no doubt get me through this. I was on the fence about which cert I should push for next in the security field(CISSP or any of the GIAC, CASP) I think this OSCP will be it. I felt I was too vendor specific with Cisco but I aspire to be more of a Security Architect and I need to be able to hack my way through a network instead of just knowing how to secure it. I am extremely technical and have 0 doubt about reaching any goal. Thanks and I will be reaching out in IRC for any questions.

    • Thanks. I am glad I was able to help out.
      I actually enjoy replying to people when I get comments. I like knowing I have been able to help out in some way.
      I am actually getting better at this stuff as I recently took a position as a red team operator and will be doing lots and lots of work soon.
      Feel free to stop by IRC. I am typically not there during the day, and sporadic at night, so if I don’t respond, hang around until I do.

  32. hi jason,
    Currently I am pursuing my engineering degree in CS. I want to learn penetration testing and exploits. I have basic knowledge of C, Java and batch files. I am also familiar with Linux and have basic knowledge of bash scripts.
    The biggest problem for me is that I can’t join any online course, so I don’t know how I should start my learning.
    Please tell me where I should start and how to prepare for the exam, and not only for the exam: I want to learn the basic things, so please suggest.
    thanks..

    • To take this exam you have to take their course. If you just want to learn subject, then do a search on penetration testing. Search youtube for videos, and become very familiar with Kali.

  33. Great story. Any advice? I have a CCNA and CCNA Security, with experience of basic switching and firewalls during my work experience. Have touched on Python, Visual Basic, C programming. Any advice for a noob? I know about Zenmap, and a bit of netcat so far. Any advice? I am starting my 90 days in about a month.

    • Definitely get very familiar with nmap and Metasploit. Make sure you can search Google for things that you don’t know that will come up in the labs.

  34. Hey there! Thank you for all of this great knowledge! I just passed my Net+ and Sec+ and am going back to attempt the CEH again. After that I really would like to work on the OSCP. I have a big support group here of other seasoned pentesters, and I currently work as a pentester. I noticed a lot of people are asking about learning about pentesting, perhaps many of them are new to InfoSec in general, so I thought I would reply with what I have found to be one of the best resources of InfoSec knowledge so far. Cybrary.IT is the site that I use for all of my training for the most part these days. They are a site that offers free open-source InfoSec training to all who want to learn. You had mentioned Georgia Weidman in a few of your posts, and she is one of the subject matter experts there (as am I, although I am not nearly as advanced as she). There is a lot of good stuff there to study and go over that I think many people who are reading this page’s comments might benefit from.
    I posted an article a while back on Cybrary that is basically just a huge list of online resources (https://www.cybrary.it/0p3n/information-research-content-categorization/) that I think you might find interesting/useful, or maybe even would like to contribute to. If it would be OK with you, I would like to add an OSCP Information section and list a link to this article there. It would be super awesome to have you post a comment with a few more resources that you may have that you might want to share, and I would be more than happy to give you credit as one of the few contributors to the content if you are interested.

    Thank you again for your awesome review of the OSCP

    • I am a member of Cybrary currently. I don’t believe when I took this, they had any courses related to the OSCP. I know they have their ethical hacker courses now though.

      • They do have advanced penetration testing and then post exploitation, and they are currently working on a Metasploit class as well. I think it is moving more advanced every day. I hope that there will be more and more content that might pertain to the OSCP or at least help a bit with preparation. If you ever have time to, I am sure that Cybrary would love to have you contribute anything you can to help others learn.

  35. Just started to learn about pen-testing certifications and this review was great info. A lot of work ahead, but I will definitely go for the OSCP. Thanks a lot, Jason!

  36. Hi Jason,

    Great review.

    I started OSCP 25 days ago. I thought no machine was going to stop me after rooting ghost and pain, etc., until I faced sufference (funny, same as you).

    Could you please give me some tips on this machine, without giving away too much?

    I’ve been stuck on this for days.

    Thanks.

    • Sorry, but I can’t give out any hints on sufferance, or any of the other boxes. Like OffSec says, you’ll have to try harder!

  37. Heya Jason!
    First of all thank you a lot for this great review!
    Now, my main question is if you do have an IRC contact (a nickname if possible, so I can see if you’re online without having to bother anyone by asking randomly for Jason Bernier), or email or Skype or whatever where I can contact you to ask some direct questions (I’m not gonna ask for tips since I did not start the course yet) about the course you’ve taken that are not really answered on the Offensive Security site, and also some personal opinions.
    If you want to send me your contact privately, here’s my email: paulo.sds301@gmail.com

    This would be A GIANT help for me, so if you have a little time please answer me!!
    You have no idea of how much this could help me.
    Again thank you a lot for the review, great great job!

    Thank you in any case!

    • I don’t tend to give out my email address on public forums. I can be contacted on irc. I may not answer if I am not around.
      irc.osswg.com #oscp

  38. Dear Friend,

    Firstly, BIG CONGRATS for holding the OSCP, by obtaining which you have proved your mettle.

    To give you a clear picture so you can furnish advice: I have done a Masters in IT and then a Bachelors in Law, choosing Cyber Law as my area of interest.

    I am presently practicing Cyber Law. I feel that this is the right time to choose the cyber crimes area to focus upon, and henceforth I intend to step my foot into CYBER FORENSICS.

    Now I went to an institute to inquire about CHFI (EC-Council) and GCFA (GIAC).

    I was strongly advised to go ahead with a CEH or Pen Testing course to learn the same in depth before entering Cyber Forensics.

    Is CEH enough, or shall I step into OSCP before entering CHFI or GCFA? I am really confused and there is nobody to give a convincing reply.

    Your advice shall be paid close heed, and for that I shall remain thankful to you.

    Thanks and regards
    Masood

    • Apropos of the statements above, in a nutshell, I want to ask whether, for Cyber Forensics, Penetration Testing is required at an expert level or only at a desirable level.

      Because if I choose OSCP, then I need to put in immense hard work compared to the effort I put into CEH.

      Thanks once again in advance.

      Masood.

  39. Hi, your review was helpful. I already started studying as my OSCP lab starts this coming Sunday. Some suggestions that you think I should follow from the start would be really helpful.

    Thanks

  40. Hi, this was a great read. I am new in security, I have mostly focused on CCNA – P R&S, and as time goes on I am getting interested in security.

    Just heard about this certification; it is quite a challenge.

    Could you tell me a way to get into this world?

    What certifications would be good to achieve before trying this? I see CEH is mostly theory, so… I’ll keep researching, and any recommendations are welcome.

    Thanks in advance, and congratulations on achieving it and also on a great story to read.

    • I feel like I was pretty lucky getting into it. I had my OSCP for a year before I landed the position I am in now. I am part of a red team.
      I could have had a job much sooner, but I wasn’t looking to cut my pay down to a beginner’s level when I had 20+ years of IT experience.
      If you decide to take the OSCP and pass, you’ll have a much easier time finding a job as a jr pen tester.
      I only have CEH because it’s a requirement for my contract. I actually plan on doing the CCNA Security sometime this year. So that’s a good start for you.
      Maybe do the CEH and then the OSCP?

  41. Hi Jason,

    first of all I would like to congratulate you for the OSCP – late as I am to the party.
    I do have one question: is there a way for me to benefit from the 40 CPE points as I am not yet CISSP certified? I am starting the PWK course today, but I am thinking 40 CPE points are a terrible thing to waste…

    Thanks.

    • I do not have the CISSP either, so I don’t know what their process is. I did use the OSCP towards maintaining my CEH though.

      I can tell you that CompTIA will not let you use the OSCP towards maintaining any of their certs.

  42. Hi guys, I have a slight doubt about CEH. Is it mandatory to have a minimum of 2 years of work experience in the IT sector, or CEH official training?

  43. Hello and thanks for sharing this great experience.
    My question is a bit silly/generic but asking is legit 🙂
    My main concern is the feasibility for people that have a full-time job. On average, how much time would you think is needed per day in order to get through OSCP?
    Would it be better to get a week off to get through the core, or is 2 hrs a day feasible?
    I know this boils down to personal time management and skill, but I’m just wondering if it makes sense to embark on this.
    Any hint is appreciated.

    • I took the 90 days and worked different hours every day on the labs after work as well as on the weekend.
      I probably should have gone more through the training manual and videos than I did, but I did not. I dove right into the labs.

  44. Congratulations… :) keep it up.
    I have 3 years of experience in IT as a Test Engineer. I am new to this field, so before going for OSCP what do I need to learn? Please help me out, Jason.
    What is the process to take up the OSCP course?

    • Just get used to using the command line in Linux and Windows. If you aren’t comfortable with Linux, you will have a hard time in the course.

  45. Pingback: You guys rock. OSCP will be my choice

  46. Pingback: eJPT before OSCP? or just dive straight into OSCP?

  47. Thanks for the review. I’ve been debating on this one. Minimal coding experience, never much liked programming, but understand the concept. Have years of experience with Kali as far as the OS, social engineering and knowing my way around it, none in terms of building exploits. Still, the course alone looks fun.

  48. Hey great review. I loved every minute of OSCP. Just curious if you have considered the OSCE cert and CTP course before it?

    I am looking to do OSCE in another 8 months or so, I just want to be very ready for it. I’ve read that the Linux Assembly language expert course via pentest academy is great prep so I am currently going through the 32bit course and might even do the 64 bit version after before I attempt OSCE.

    I would just like to know your thoughts and opinion on this prep or any other prep you would recommend before OSCE. I know you will be living in a debugger for the entirety of the CTP course and the 48 hour exam so having decent assembler skills is probably advisable.

    I have completed the CTP registration challenge but I would still like to be much more skilled before I take the course.

    • I have considered the OSCE, but I definitely need more time and practice with debugging and ASM. They are definitely not my stronger suits. Maybe later on down the road I’ll go for it. If you were able to complete the registration challenge (without cheating), then I’d say you are probably ready for it.

      You can always ask in the Offsec IRC channel.

  49. I loved this write-up on OSCP. I’m nearing the end of my current lab time and I had a few questions about the exam that I haven’t been able to glean from reading the OSCP Exam summary page.

    It does list that Metasploit is restricted to one system (which I intend on saving until I hit a system that I can’t crack any other way), but do the Meterpreter modules count as using Metasploit? Meterpreter itself is not restricted, but is getsystem or hashdump? What about incognito or mimikatz?

    I’m also wondering if the exam network contains only a few systems that need to each be compromised to reach 100, or if there are more systems than would be necessary to reach 100. In other words, does the exam network contain only, say, 5 systems, each worth 20 points, or perhaps 25 systems worth 15 points each, and you get to pick which ones you want to compromise?

    • Sorry for the late reply, I’ve been busy with Black Hat and DEF CON.
      MSF is restricted, and it will tell you which boxes you are allowed to use it on. I believe you are allowed to use the auxiliary modules, again this will be explained in the email you get when you take the exam. Also in the documentation it will tell you how many points each system is worth. So you’ll know as soon as you start the exam.

      Good luck!

  50. Your experience is exactly what my son went through! Very well written. He passed the second time too. He just turned 19 and he’s passionate about internet security.

    • Having a passion for security is crucial. It’s good that he’s starting it at a young age. I am sure he will do well!

  51. Does taking the PWK course and passing the OSCP give you the needed knowledge and experience to become a pen tester? If you were hiring someone to be a pen tester for your company would you see the certification and know without a doubt that the person will be good to go? I only ask because I want to take a course that when I am done I can feel confident that I have a good foundational knowledge to run a pen test. I am sitting on the fence wondering if I should jump in.

    Thanks for your experience and response.

    • It really depends on the individual. If I were hiring for a pen tester, I would want the OSCP just to make the interview process. Going through the OSCP course will expose you to a lot of different exploits which should help you learn why things perform the way they do, and hopefully connect the dots so to speak. I will always recommend people take the course for those interested. Just remember, you’ll only get out of it what you put into it.

  52. Hello, I don’t know if you’re answering anymore.
    But I really need your help. I liked what you wrote there, and it seems like it was a very hard challenge, which I’m afraid to enroll in!

    I’d like to ask you if this teaches everything from scratch? I really like stuff like that and spent hours trying and reading, but everything was semi-useless.

    I don’t have any security certificate, and I am still a computer science student.

    Do you recommend me to enroll and buy this course? Please, I need your answer.

    • If you look at any of my other comments on here, you will see I always recommend taking the course and exam.

  53. Hey Jason,
    Congrats on wiping the first galaxy 😉 Any idea how to do RCE from LFI on a Windows target? If possible, share some resources or tutorials. I found many for Linux but couldn’t find any for Windows. The target had XAMPP with Apache. No log file poisoning worked out.

    Thanks in advance

      • The target machine had the Apache web server and it was prone to LFI. I injected malicious code into the Apache logs and SSL logs but was not in luck to get a shell. Are there any other workarounds to get a shell from LFI apart from log injection? /proc/self/environ was not accessible.

  54. Can you go into more detail about your certifications – chronologically? I would like to get a clearer picture of what knowledge was foundational to get the OSCP, obviously aside from the 20 years of work experience….

    • I started with Security+, then took on a bunch of MS (MCSA then MCSE) certs as I was working as a sys admin/engineer. Then took RHCSA and VCP5. Decided I wanted to do more in security, so I took OSCP, then GCIH, and finally OSWP.

  55. Hi,

    I saw your answer to Krishna on June 10, 2016 at 07:54 that: “If you aren’t comfortable with Linux, you will have a hard time in the course.”
    Can you detail a little bit what exactly “comfortable with Linux” means? (For example: advanced bash scripting, Linux OS architecture.)

    I’m an experienced programmer (Java, JavaScript, some Python) with basic Linux knowledge (no administration experience) and I’m curious what you need in order to take this exam.

    Do you recommend taking first an exam like ISC-squared CISSP or GIAC Security Essentials (GSEC) before tackling OSCP?

    Thank you for your answer!

    • Just being able to navigate around the OS via command line. Knowing permissions, how to get files from one host to another, and how to look for ways to escalate privs. This is all crucial.

  56. Hello Jason.

    I want to echo whoever thanked you for continuing to monitor your article’s comments and for keeping the patient replies coming. The article by itself is fantastic, but the information, tips and help you provide in the comments are a goldmine!

    I’ll be looking into taking the class and exams before too long, but only after beefing up on Linux. That someone with your background and experience had to take the exam twice is daunting but also helps me set realistic expectations about what my experience with OSCP will probably be like.

    Thanks again for taking the time.

  57. Hi Jason,

    Do you know if there is a way to take the exam only, without the course, assuming I have enough experience in pentesting?

    It seems there is no certification-only option from Offensive Security.

    • In order to take the exam you have to take the PWK course. I remember seeing that posted on their FAQ somewhere.

  58. Hi! Just a silly question!

    I just signed up for the course and I am good with bash scripting and programming as well.

    But I am just confused about something! In the control panel I can see the list of IP addresses which starts from 10.11.1…..

    So my question is: what is a subnet and how can I find it? I heard the lab is divided into 4 subnets. What does this mean? Please, please explain it to me.

    • You may want to do a Google search on what subnets are. This is a pretty important part of networking. I am going to give you the same response that offsec gives most students. #tryharder
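
    The subnet question above, as an added worked example that is not part of the original post or its comments: it uses Python’s standard ipaddress module on constructed sample addresses in the same 10.11.x.y style (they are NOT the lab’s real hosts) to show what a /24 subnet is, which of a set of hosts share one, and how the answer changes with the prefix length.

```python
import ipaddress
from collections import defaultdict

# Constructed sample addresses in the style of the 10.11.1.x range mentioned
# in the comment above. They are made up for this example, not lab hosts.
SAMPLE_HOSTS = [
    "10.11.1.5", "10.11.1.22", "10.11.1.250",
    "10.11.2.7", "10.11.2.130",
    "10.11.3.14",
    "10.11.4.9", "10.11.4.200",
]


def subnet_of(ip: str, prefix_len: int = 24) -> ipaddress.IPv4Network:
    """Return the network that contains `ip` when the first `prefix_len` bits
    are treated as the network part. strict=False lets ipaddress discard the
    host bits instead of raising because 10.11.1.5 is not a network address."""
    return ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)


def same_subnet(a: str, b: str, prefix_len: int = 24) -> bool:
    """True when both addresses fall inside the same /prefix_len network."""
    return subnet_of(a, prefix_len) == subnet_of(b, prefix_len)


def group_by_subnet(hosts, prefix_len: int = 24) -> dict:
    """Map each subnet (as 'a.b.c.d/n') to the hosts that belong to it."""
    groups = defaultdict(list)
    for host in hosts:
        groups[str(subnet_of(host, prefix_len))].append(host)
    return dict(groups)


def describe(network: ipaddress.IPv4Network) -> dict:
    """Key facts about a network: its address, mask, broadcast and how many
    addresses remain for hosts once network and broadcast are excluded."""
    return {
        "network": str(network.network_address),
        "netmask": str(network.netmask),
        "broadcast": str(network.broadcast_address),
        "usable_hosts": network.num_addresses - 2,
    }


if __name__ == "__main__":
    # With a /24 mask the sample hosts fall into four subnets.
    for net, members in sorted(group_by_subnet(SAMPLE_HOSTS).items()):
        info = describe(ipaddress.ip_network(net))
        print(f"{net}: {members}")
        print(f"    mask {info['netmask']}, broadcast {info['broadcast']}, "
              f"{info['usable_hosts']} usable host addresses")
    print(same_subnet("10.11.1.5", "10.11.1.250"))  # same /24
    print(same_subnet("10.11.1.5", "10.11.2.7"))    # different /24
    # Widen the prefix to /16 and the same hosts collapse into one subnet.
    print(group_by_subnet(SAMPLE_HOSTS, 16))
```

    The prefix length is the whole point: the same eight addresses are four subnets at /24 and one subnet at /16, so “how many subnets” only has an answer once you know the mask, which is why the reply above sends the asker back to the networking basics first.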

  59. Awesome post! All my research echoes how hard and authentic this certification is, and I love it. I definitely want to strive to succeed at this. However, I need some prerequisite guidance please:

    I recently graduated with a B.S. in Computer Science. I can honestly say I know nothing about security, except the basic theory they teach in the University.

    I can’t afford much. Every time you extended your lab time, all I could see was dollar signs. How can I best prepare myself for this certification so that I can complete it in the $800 packet (30 day lab time)? I’m willing to learn whatever I must, but I’m just not sure where to start.

    Also, I’m one of those structured OCD guys… I have to have a logical plan of attack. It drives me nuts to just dabble without purpose and direction. Any sources, books, lectures, Udemy/Udacity/Coursera courses that would help?

    Any feedback would be greatly appreciated!

    Frank

    • I would seriously consider doing the 90 days of lab access. Having little experience, and then very little lab time is not going to help in your situation.
      Like anything else in life, practice and experience are what makes people better. So having the 90 days provides more of both.

      You may want to look at Cybrary. I believe they have some courses on pen testing. Also look at vulnhub.com and download their vulnerable ISOs to practice with.

      Hope that helps.

  60. Hello Jason,

    This is an awesome article. Congrats on getting the OSCP. I come from a more IT Management background, and I have no certs and am completely self-taught. I’ve been in the industry for about 20 years (NT days). I’ve found myself moving more towards security as opposed to being a Windows Active Directory/Exchange admin. I have some Linux experience but nothing like an RHCSA background, and I also have some coding experience, so I can read the code but I can’t necessarily build something from scratch until I really sit and learn a language. I realize that I have some work to do before I even take a crack at the OSCP, but that is my eventual objective. Being more on the management side turns an IT pro into a generalist. You mentioned in your article that you used proxychains to get in to get past the last network. I was just curious to find out from you how much networking experience you actually need to have to help with the OSCP. Like I said, I work more in the Windows world and not so much the networking side of things, so I’m trying to determine if I have to be a CCNA first and foremost, or is my knowledge of building Active Directory infrastructures and building Linux servers enough? Also, I realize that the CEH doesn’t really compare to the OSCP, but did it help you in any way? I’m thinking of doing the CEH before the OSCP to add to my credentials. I was just curious if it was of any help to you.

    Thanks

    • I came from a similar background.
      I was a Windows Admin/Engineer for a long time. My networking isn’t the best, but I have a good understanding. I won’t be setting up any Cisco devices anytime soon, although I could probably figure it out if needed.
      Just understand how NAT works, know Linux CLI, and the Windows CLI. You should be good to go.
      The only reason why I took the CEH was because it is required by the government. If it weren’t for that, I wouldn’t keep it up to date.

      • Thanks for the reply Jason, it is very much appreciated. I find myself asking these questions because without the formal certs and a lot of on-the-job IT experience, I’m not sure if I would be setting myself up for failure without some added skills before the OSCP, or if my experience and knowledge is enough to be able to learn the lessons from PWK. So again I appreciate the feedback as I’m trying to determine if I gotta do other certs first before the OSCP. When you mentioned “know Windows CLI and Linux CLI”, are we talking about knowing how to put together a batch file, or knowing wmic usage down cold? As for Linux CLI, is knowing how to maneuver a Linux CLI with some Google help good enough? Like I said before, I can build a Linux server and perform some administration, and not just follow along with a walkthrough from the internet, so I have an understanding of Linux, but remembering all of the commands without looking them up is still a work in progress since I don’t work on it as much as Windows environments. On the Windows side I was never really a VB scripter, and on the Linux side I’ve never done a shell script, though I’m sure I can figure it out. I guess what I’m getting at in regards to your comments about the CLI is: is knowing what commands to run on a Windows and Linux box prescribed because an OSCP candidate needs to be able to understand what they are actually doing to do a privilege escalation by following a set of commands, or do they really need to know things like where to find the appropriate bin files or config files to edit? Or be able to read logs or restart services? As for CEH, did it take you a long time to study and pass it? My understanding is that it’s not a very well respected cert. How would you compare it to Security+ by way of value to your career?

        I apologize ahead of time if this question is a little long, and I appreciate your feedback.

        Thanks again

        • As far as the CLIs for Linux and Windows, just knowing how to navigate, set file permissions, copy files from one host to another. For instance, how would you copy an exploit to a compromised host with just a reverse shell?
          Knowing how to do that as well as a decent understanding of how the OSes work will pay dividends. I was fairly versed in both Linux and Windows, so it wasn’t an issue.

          As far as the CEH goes, I had the CEH All-in-One book by Matt Walker. I read it for a week, and took the test. I think I scored close to a 90. Don’t remember for sure. I only have it due to the government requiring it. The same thing for Security+. I had a pretty popular book, read it for a couple of days and took the test. I won’t be renewing it again since I have the GCIH, and don’t need Security+.

  61. Hello Jason,

    Congrats for passing OSCP. I just want to know if it is okay for me to go for OSCP with these skills: RHCSA, RHCE, C (intermediate), C++ (intermediate), Python (basic), DBMS, LAMP, and a little knowledge of networking.

  62. So glad to read such a helpful review. Thank you so much. May this good deed come back to you in the best ways possible.

    I just got done with my CEH v9, but I am aching for something which tests hands-on knowledge in a simulation. There needs to be frustration, surge, crying, thinking, and an adrenaline rush.

    Will surely go for this one.

  63. Jason,

    First off congratulations on passing the exam. I, like you, am a 20 year Network/Systems Administrator. I recently passed the CISSP exam and am looking at adding another Certification. This one is at the top of a very short list. I think I need some more knowledge before I tackle this one though. I appreciate your write up as it will help me in making my decision.

  64. Hi Jason, I’m a newbie. Let me know, can I try just 2 years for this exam? Now I’m trying web application security…
    But still too much knowledge is needed.

  65. Hi, I’m interested in taking the OSCP certification, can someone please advise what is a good training center to prepare for the exams, etc..? Thanks in advance!

  66. Out of curiosity, what kind of hardware specs are advisable when going for the OSCP, or just pen testing in general? What are the computer specs of the computer you used when you went for the actual 24 hour exam? Would you have any advice on this?
