My PWK/OSCP Experience

Background

While I have no professional experience with InfoSec and I did not study IT nor CS in college, I have always had an interest in cyber security. Just over one year ago I earned my Certified Ethical Hacker certification and from that point on, my interest was invigorated.

Fast forward to June of this year when I owned “user” on my first active Hack The Box (HTB) machine. One month after that, in July, I completed my CompTIA Security+ and eLearn Security’s Junior Penetration Tester certification. From there I took the month of August to purchase 1 month of HTB VIP, which would allow me to practice on retired machines and work along with their solutions.

Beginning August 31st , I made the uncertain decision to begin 90 days of PWK, the prerequisite course required to taking the OSCP. However, just 26 days into my lab time, I successfully took and passed the OSCP exam. Now I would like to take a moment and share my thoughts and experiences about the journey.

Preparation

While the OSCP is an entry-level penetration testing certification, penetration testing is by no means an entry-level field of study. I strongly believe one needs to begin the course with a robust understanding of Kali Linux, and the capabilities of each tool.

If you feel shaky and desire a confidence boost before starting, eLearn Security’s Junior Penetration Tester course and certification may prove helpful. While the content was fairly trivial, I found it beneficial to see the various tools and tactics taught in a professional manner. This course definitely helped to solidify the fundamentals of Kali Linux. Additionally, the material can be completed with about 2 weeks of dedicated study, so it would not be a major setback to work through before beginning PWK.

Next, I would highly recommend taking a month or two to work through retired HTB boxes. What I found incredibly helpful was to complete machines from the curated list of “OSCP-like boxes.” While completing each machine, I would watch the Ippsec walkthrough and follow along. I completed about 25 of these machines before starting PWK.

Finally there is an amazing Discord community dedicated to InfoSec Prep. There you can find dozen of OSCP holders and PWK students. I highly recommend joining this community before starting PWK as there are many knowledgeable people there to learn from.

PWK & Lab Time

I personally greatly enjoyed the PWK PDF and videos. Since I wanted the “full PWK experience”, I made sure to work through every exercise and complete my lab report. If completed correctly, this report can earn students an additional 5 points on their exam. At this point it is of vital importance to have developed a notetaking method that works for you. Trust me, having notes on all of the topics from the PDF as well as detailed notes on how to exploit each box was invaluable. This allowed me to quickly search for code snippets or privilege escalation techniques when I needed them. Additionally, once you root 3-4 boxes you will begin to forget how you did ones before that. I am a fan of OneNote and highly recommend it, although I know CherryTree is also a popular choice.

In my 26 days of PWK leading up to the exam, I focused only on boxes that required no dependency nor required tunneling. A dependency box is one that cannot be completed without a piece of information, such as a password, from another machine. I made the decision to ignore these style boxes because the exam machines would not require tunneling nor have dependencies. In the end I rooted 33 machines on the public subnet. There is no hard number of machines that means you are ready; I have heard of people passing with as few as 6 done. However, I believe that exposure to many different situations and scenarios is the key to success.

Luckily, I was at a point in my life where I could dedicate 6-7 hours each day to studying for PWK. If you have this kind of time then 30 days should be sufficient; however, if you can only commit 1-2 hours each day then consider the full 90 days. Either way, shoot for at least 150 hours of studying PWK material before an exam attempt.

The Exam

If you are unaware, the OSCP is a 24-hour, proctored exam where you have to document the steps required to compromise up to 5 vulnerable machines. After those 24 hours you must write a professional report that includes repeatable steps to compromise each machine as well as recommendations for how to remediate these vulnerabilities.

I began my exam Wednesday at 8am. After a few minutes of panic and reorienting myself to the new virtual network, I turned my attention to the buffer overflow machine while allowing AutoRecon to scan the remaining hosts. In my opinion, the buffer overflow is the only part of PWK that the PDF prepares you 100% for. With no additional practice outside of the PDF’s “vulnserver” activity, I was able to compromise the buffer overflow machine in around 45 minutes, securing my first 25/100 points.

From there I turned my attention to the 10-point machine and had fully rooted it in another 45 minutes, bringing my score up to 35/100. After another hour and a half, I had root access to one of my 20-point machines, bringing me up to 55/100 points. From there my progress slowed greatly. I was unable to get make any progress on the remaining 20-point machine and I only obtained a low privileged shell on the 25-point machine. As low privileged shells are roughly half points, I estimated my score to be about 67.5/100 after 10 hours.

For the remainder of the exam I made no progress, although I am sure I missed something obvious on that 20-point box. After sleeping for a few hours, I re-exploited all the machines to ensure my notes and screenshots were sufficient and began working on my final report.

Finally, 7 business days after submitting both my exam and lab report for an estimated score of 72.5/100, I received a wonderful email telling me I had obtained my OSCP certification! Moving forward, I am excited to continue with my studies in this fascinating and thrilling field of cyber security.