I’ve had a number of people ask me on Twitter to do a review on the Offensive Security Penetration Testing with Kali Linux course, and the accompanying OSCP exam. I’ve put this off for a while, because there are a ton of great resources out there already. However, because it keeps coming up, I’ll throw my two cents in.
I assume if you’re looking at this review, you know what both PWK and OSCP are. But for completeness’ sake, the PWK course (Penetration Testing with Kali Linux) is a self-study video, PDF, and live-fire lab course that teaches the basics of penetration testing using tools many hackers and security professionals use. Kali Linux is a Debian-based distribution (put out by Offensive Security) that contains a great number of hacking and testing tools wrapped into an easy-to-use package. The OSCP exam, or Offensive Security Certified Professional, is a 24-hour hands-on exam in which the exam taker must complete a black-box style penetration test of a number of hosts, then spend the following 24 hours writing a thorough pentest report. The exam taker is able to use any and all tools on Kali Linux, any exploits or code they find on their own, custom scripts, and any amount of Googling they’d like.
Let’s start with the basics. The course itself has no prerequisites – anyone can sign up and take it. Through my time in the course, I met people of all skill levels – I know a person who was an A+ Certified Bench Tech before taking the course, and didn’t know anything about pentesting or security. I met people who work as government contractors and pentest for a living. There were lots of systems admins, security analysts, and people with self-proclaimed unsavory histories they were eager to share in DM. My point here is, if you’re willing to give it a shot (and willing to pay for lab time), don’t get too hung up on how much experience you have. Will basic bash, PowerShell, and Python help you in the course? Absolutely. Will a background in systems administration help? Sure! Have you done web development? Great! These will all contribute to your success, but nothing is strictly required. The course provides a solid foundation, and if you’re willing to “try harder” and dig through Google and other resources, you’ll learn more than you could’ve imagined.
So, logistics. At a minimum, you’ll need the following:
- Between $800 and $1,150 USD. Lab time is sold in increments of 30 days.
- A stable internet connection. You’ll be connecting to the lab environment through a VPN connection, so unstable or shaky internet is going to make life difficult.
- Virtualization Software. I used the free VirtualBox package during my course and exam with no issue.
- A computer (duh). The VM I ran for both course and exam had a single core, 2 GB of RAM, and a 25 GB HDD, allocated from a 2012 MacBook Pro. It ran fine.
- A tremendous amount of free time, or a flexible working situation.
- Somewhere to take notes, and somewhere to save them. My solution was a KeepNote file I kept in sync with Dropbox. Backing up to Dropbox saved me more than once.
I made a critical error in signing up for the course: I didn’t realize that there was a month’s delay between payment and start date. I had a perfect 60-day window to fit everything into, between work and personal commitments. When I actually started the course, I was down to 30 productive days before work travel, personal travel, and moving house took over. Lesson learned.
I received my PDF, ISO link, and videos exactly when I was told to expect them. I began going through the PDF, which is several hundred pages followed by exercises, and followed each chapter by watching the videos and then doing the exercises. I promised myself this was the route I would take for the entirety of the course. Of course, this fell apart when I first connected to the VPN to scan the network. Depending on your level of experience, you may or may not notice vulnerabilities early on. Noticing them is a double-edged sword: on the one hand, you’re recognizing obvious ‘low hanging fruit.’ On the other hand, this is going to be incredibly distracting as you try to go through the rest of the course materials. This did me in about halfway through the PDF – I decided I wanted to get some hands-on time, and “just hack one box.” Well, 10 or so root shells later I realized I had completely neglected the rest of the materials. I made a half-hearted attempt to go back and read the PDF, but I was hooked on the labs (though of course I did eventually go through everything). A word of advice before I continue. Read ALL of the materials first. Watch ALL of the videos first. Do ALL of the exercises first. Then jump into the labs. While some of the materials may be a review for you, or seem less exciting than raining shells upon your multi/handler, I can attest that you will gain something out of each and every section. Also keep in mind that a thorough report of the exercises can earn you a few points on the exam, which can mean the difference between a pass and a fail. But I digress.
I made good progress throughout the first few weeks of the course, and had a decent number of conquests to my name. I was spending about 5-8 hours a day on weekends, and 3-4 hours a night in the labs. I was paying my own way through PWK, so I was doing the course around working hours – which meant lots of late nights in front of a computer, after 8-hour days in front of a computer. A piece of advice here: burnout is a real thing. Time management during this course is probably the biggest challenge you will face. Yes, hacking the planet is fun. Yes, stacking up your proof.txt files is great bragging rights. But staring at a screen 16 hours a day and neglecting yourself and social interaction is a dangerous game. Twice during the course I burned out and took several days off. Each time I came back feeling smarter and more skilled – this was absolutely not true; I was just no longer mentally and physically exhausted. I can’t count the number of times I’d spend 8 hours on a privilege escalation attempt, get a night’s sleep, wake up, and root the box in 10 minutes. Get rest, stay hydrated, and remember it’s a course, not a lifestyle change. Anyway, back to the experience.
About this time I left town for a few days to attend an out-of-state security conference (shoutout to CactusCon!) – actually getting my 20th root shell from the Starbucks just outside the conference center. I had told myself that at 20 I’d book my exam, and did so for a few months out, still hacking away. However, life got in the way – some major personal life events, as well as some shakeups at work and a pre-planned vacation, led to only an additional 7 boxes between that point and the exam. I was feeling confident but stressed on exam day.
I had prepared for the exam in a number of ways:
- Writing out a schedule and setting alarms. I gave myself X number of minutes per box, rotated to the next, etc. I factored in meal breaks, nap breaks, sanity breaks, and the like.
- I meal-prepped a few days before, so I wouldn’t have to think about anything on exam day.
- I planned on a full night of sleep before the exam.
Sounds good right? Well, a few things I didn’t do very well:
- I had scheduled the exam for 11am. I’m usually up around 7. This meant I had 4 hours of waiting, stressing out, and more importantly, being awake. I was already planning on a full 24 hours – now I was looking at 28.
- My meal-prep included way, way too much coffee. I had bought canned espresso and made much too liberal use of it.
- My schedule of work, while ambitious, wasn’t realistic.
For the first few hours, everything was going swimmingly, and I rooted a few boxes. By hour 8, I had (by my estimate) about 60 points (of the 70 needed to pass).
These would be the last points I got on this attempt.
Over the next few hours, a minor panic began to set in. I was watching the clock – not focusing enough on my systems. I was drinking coffee like a machine, because I was sure I’d need to be up the entire night and the next morning. I was not thinking methodically – at one point, I must have tried the same privilege escalation exploit 15 times in a row. I slept a total of 45 minutes during the entire 28-hour debacle. As the sun came up and my exam connection cut out, I was still typing in privilege escalation commands. Disheartened, I tried (and failed) to get some sleep. I knew I had failed, but I wrote up my exam report, submitted it along with my lab report, and went to bed with the worst migraine I’ve had to date.
Two days after my attempt, as expected, I received the “We’re sorry to inform you…” email from Offensive Security. I replied and asked for feedback – which they were happy to supply. Sidenote: pass or fail, make sure you submit the report. OffSec will be happy to give you general feedback and tell you what needs work. What they told me was in line with where I believed I struggled most. After receiving this confirmation, I felt a surge of motivation and immediately bought another 30 days of lab time. I began to work on my weak areas. I decided to go for quality and difficulty over quantity this time – in the end, the number of lab boxes you root matters to nobody but you – but rooting the hard ones? That made more sense to me. In the end I had 33 full root and 3 low-privilege shells, but had knocked out all of the notoriously ‘tough’ boxes. I made some changes to my plan:
- Better time management. Don’t look at the clock, focus on the exam.
- Ditch the artificial stimulants (in my case, caffeine). Get some rest when focus starts to fail.
- Keep hydrated. Take meal breaks away from the exam. Get some exercise (even just a short walk).
- I decided to book my next exam for 8am. This would let me kick off my scripts, then go shower and have breakfast while they ran — no more wasting time waiting around.
- I spoke with my buddy Tulpa who has a background in psychology. He turned me on to some natural supplements that really helped focus and concentration, and some focus and mind-clearing tactics he used with success. Hoping he does a blog post on it soon (Focus for Hackers, Tulpa? hint hint 🙂 )
- I posted my failure on Twitter. To my great surprise, many people who I greatly respect DM’d me to tell me they’d failed once, twice, and in some cases, three times. Many offered tips, all offered support. That helped a lot with the imposter syndrome.
I re-booked the test right away. The summer months meant that lots of exam slots were already full, and the feeling of a hard deadline gave me the extra focus I needed. When my lab time ran out, I downloaded and completed a total of 9 VulnHub VMs. This not only kept my skillset sharp, but because CTF-style machines are so different, they made me think outside of my normal process. This helped a lot. I also went back through every video, exercise, and chapter in the guide, and redid them from the ground up. This led to more than one “Oh crap!” moment, where a previously difficult situation clicked into place (I’m being intentionally vague here so as not to violate any NDAs with OffSec). As I said before: go through the entire course before you start the labs!
Exam: Round 2
The second exam went much more smoothly. By the third hour, I had about 60 points. By the 8th hour, I had what I was sure was 75. However, this was a narrow pass – some bad formatting or grammar in the report, or one missing screenshot, would’ve put me back in the fail range. I kept working at it until I had almost all boxes rooted, and command execution on the last. At this point, I knew I had passed. It was 11pm, and I was exhausted – so rather than continuing on with the fifth, I went to bed. I’ve never slept so well.
The waiting in between submitting your report and getting the email is insane. I’d compare it to Christmas Eve, but even that was never so tough – I must have refreshed my inbox 100 times over the next 36 hours. In the end, the email arrived: I had passed and was awarded the OSCP certification.
After receiving the email, the first reaction is obviously happiness – this had been a long time coming. This is followed almost immediately by a “What now?” feeling. Those hours every night, the effort, the merciless taunting by seemingly impossible servers were over. I think everyone goes through some form of withdrawal for a day or two. My recommendation here is to take some time for yourself. After the intensity of the course, you have probably neglected some other things in your life – stop hacking for a few days and get in touch with people, pick up old hobbies for a few days, whatever – just clear your mind a little. Worked for me, anyway.
Summary, or TL;DR:
- Pace yourself, during the course and the exam. If you allow it to consume your life and free time, it will.
- Fight the exam, not the clock.
- Stay mentally focused. Sleep when your body tells you to, eat/drink when you need to. There is no runner up prize for “most exhausted hacker” at the end of the thing.
- Find some people in the community you can vent and commiserate with. That may be the amazing infosec community on Twitter, the very active #offsec IRC channel on Freenode, or people at work – but having people who know the struggle and will keep pushing you to do better (and celebrate your victories) helps a lot. At the beginning of the course, I met the aforementioned Tulpa and ozzie_offsec, and a lot of moral support formed between us organically, though we’re all on opposite ends of the planet. Both stand-up guys.
- There’s no shame in not rooting every host in the labs. I’ve seen people pass after rooting 10(!) and some fail after rooting all hosts in all subnets. You’re ready when you’re ready.
- The course and labs come with access to admins, who will help you push yourself. They have both chat- and email-based support, in which most of the time they’ll just ask you about the scenario. They will not spoon-feed you answers. About half the time I used the support function, I figured out what I needed to do as I was typing the question.
- Don’t kill yourself. “I’ve been hacking for 48 hours without sleep or food” doesn’t impress anyone, and clouds your abilities and judgement. Take care of yourself first.
- When all else fails, think like a script kiddie. Remember you aren’t dropping zero-days – if you’re not having success with an attack, you’re probably over-complicating things. Go back to your basics, enumerate again, and stop throwing things at the wall to see what sticks.
- Metasploit exists. Professionals use it. Hackers use it. You can use it on the exam (with restrictions). So, use it during the labs. Get familiar with its interface, find out what it does well and what it doesn’t do well. Avoiding it completely will only hurt you.
- JW has a great method I used more than once. When you become frustrated or stuck, start explaining the situation to yourself as if you’ve already rooted the box and are explaining how you did it to someone brand new to the industry. Breaking it down and simplifying things helps you identify gaps in your process, flaws or assumptions in your thinking, and find what you were missing.
- Do not fear failure. Failure is an event, not a person. You’ll learn a lot from your failure, should it come to that – prepare for the worst, but aim for the pass.
- Try Harder.