Achievement unlocked: OSCP
In September 2018 I started a journey called PWK, or Penetration Testing Training with Kali Linux: a self-paced, online course offered by Offensive Security that trains you in ethical hacking tools and techniques, eventually leading to the OSCP (Offensive Security Certified Professional) Certification. That is… if you manage to pass the 24-hour exam.
Last Monday, after learning and training for roughly half a year, I received an e-mail stating that I had successfully passed the exam and earned my OSCP Certification.
The course
When you sign up for the PWK course you will, on the start day, receive several materials guiding and helping you in this journey. These include: ~8 hours of videos, a 350-page course guide, access to the student forums and, most important… access to the virtual lab environment!
The guide and videos teach you a lot (depending on your experience of course ;) ), guiding you through a lot of techniques used in pen-testing. But the guide is by no means exhaustive, which means it teaches you the basics. So by just reading the guide and doing the exercises you won’t pass the exam. It provides you with enough information to go out on the internet and search for more information, using it to learn, learn, learn and then learn some more.
This is also where the virtual lab environment comes in.
The lab
When you order the course, you can select between 30, 60 or 90 days of lab access (which can also be extended later on, when needed). This lab is the most valuable part of this course. The lab simulates an environment you might encounter in real life, unlike some CTF-style labs, which are a lot of fun but where some things are a little far-fetched. In the lab you can practise and hone the skills you’ve acquired from (including but not limited to) the guide and the videos.
If you choose to enroll in the course yourself, I advise you to really take advantage of your time in the lab. You can develop your skills, trying several techniques to gain access to a system. It’s very addictive, but it also consumes a lot of time :).
The exam
When you have studied the course materials, gone through your lab time, developed a methodology and have the feeling you’re ready, it’s time for the exam. When taking the exam you are provided access to an isolated environment in which you are required to demonstrate the skills you’ve learned during the course. For this part you have 24 hours, in which eating, taking breaks and sleeping are also taken into account. And I really suggest you make sure to eat, take breaks and sleep! I took my first exam attempt in January and sadly failed. I had some flaws in my methodology and I neglected to take (enough) breaks and sleep, resulting in me being awake for more than 24 hours. Your concentration is long gone by then, which doesn’t help.
After failing on my first attempt I knew where my flaws were. So I asked my employer for 30 more days of lab time. So in February I had the time to hone my skills even more. On Friday the first of March my second exam attempt was scheduled. Knowing what to expect and having thought about my methodology, I started my exam. This time it went much better; I had a nice flow throughout the exam, taking enough breaks along the way. Roughly 6 hours later I had enough points to pass the exam; another 6 hours later I had finished my exam. I took some time after that to check if I met all the requirements, having gathered all the proof. Because after finishing your exam you are required to write a professional pen-test report, for which you also have 24 hours.
I first went to bed to sleep for a couple of hours. The next day (Saturday) I spent about 9 hours writing my report. When I was done with that and had submitted the report I could finally relax a bit, and then the waiting started. On Sunday morning I received an e-mail confirming they had received my report and that I would receive the result of my exam within 3 business days. Luckily it didn’t take that long: Monday morning at 08:30 I received an e-mail congratulating me that I had passed the exam.
Looking back / Tips
Looking back on the past half year, it’s been an amazing journey. The labs are really addictive and I’ve learned a lot. It does however take a lot of time! Certainly next to a full-time job.
But it was worth it. When starting the course I spent too much time on the guide and the exercises, starting to work in the labs quite late in the process. This may be different for everyone depending on skill level and knowledge, but I personally would have gone to work in the labs much sooner if I had to do it all over again.
From there on it is all about learning as much as you can and developing a solid methodology for pen-testing: really learning how to enumerate and what to do with that information.
In the end I’m really happy to have earned my certification.