Not Your Ordinary OSCP Review

Introduction

It has been almost a year now since I passed the OSCP.  I wanted to reflect not only on my journey a bit, but also touch on some topics that I feel other reviews rarely go into.  For example, the most frequent question I am asked by aspiring red teamers is: “When should I purchase the PWK/OSCP?”  While it’s frequently asked, it’s seldom discussed in most reviews.

Another topic you do not see often is how passing the OSCP has actually helped enhance a career in any way.  What timeline does it take to find a job afterwards?  What type of salary should I expect?  How well does the OSCP actually prepare you when you finally start hacking?

This review will only lightly touch on my time in the labs.  You can read 1,000 other posts on that.  However, if you’re intrigued by the OSCP, curious on when to know you’re ready, and where you might end up after, then buckle up and keep on reading.

When You Should Register for the PWK/OSCP

When should you register for the PWK/OSCP?  Today.  Seriously.  Given that you have the time, some experience (not much), and the money, there should be almost nothing holding you back.  Let me explain.

Like most people, getting the OSCP seemed like a daunting task to me.  I found out about the OSCP shortly after I landed my first help desk job in late December of 2015.  I knew then and there that it was a certification that I wanted.  I began to read review after review, compiling information from everyone’s journey into a long Microsoft Word document that I could reference at any time to prepare me for the task.  I had hundreds of websites, tools, Vulnhub boxes, and much more to sift through at my disposal.

While sifting through the reviews, I noticed a common theme of students talking about how difficult the OSCP was.  This theme, more than anything else, scared the shit out of me.  Buffer overflows?  Coding?  Wanting to break your computer from frustration?  I thought I would never be prepared for any of that.  However, let me be the first to tell you, it’s not that bad.

I prepared for the OSCP the way I prepare for most exams: I just bought it.  Whenever I am studying for a certification, I will buy the voucher and schedule the exam.  That gives me a hard deadline to get my ass in line and actually study.  Out of the 11 exams I have taken in my life, I have yet to fail any ever using this self-motivation tactic.

In terms of real material, I used two resources to study up while I was waiting for my labs to actually start.  Those courses were:

Python for Security Professionals by Joe Perry
Advanced Penetration Testing by Georgia Weidman

Everything found in both of those courses is relevant to the OSCP.  Georgia’s course is dated, but so is the OSCP.  They really go hand in hand.  I’ve heard rumbles about the labs being inaccessible, but Georgia will provide you VMs if you hit her up on Twitter.

As for Python, Joe’s explanation of everything is amazing.  The Python that you will use in the course for buffer overflows is pretty straightforward and covered by everything taught in Joe’s course.  For other exploits you encounter, you will have to tinker with code and be able to understand how to read it, but you DO NOT need to be a coder.  That is not required to pass the OSCP.  I promise you, because I am still very much an awful coder and did just fine.

All of the other material out there is nice, but not necessary.  For example, HackTheBox is fun, but it’s full of capture the flag (CTF) style machines as opposed to what you’ll see in the PWK labs or in the real world.  It’s great fun and good practice for getting your scanning down, but your time can be better spent elsewhere.  I hold the same sentiments towards most Vulnhubs.

Before you get all motivated and rush to purchase your lab time, keep in mind a few prerequisites:

- You need free time for the labs.  Seriously.  Buy 90 days and expect to spend any free time that you have in the labs preparing for the exam.  I spent well over 200 hours before actually taking my exam.  Warn your family, friends, spouse, etc. that you will be MIA for up to a few months.

- You should understand basic Linux and networking concepts.  This is important as time in the labs is critical.  You do not want to spend your time looking up what ls does when you could be doing the lab guide and hacking some boxes.  If you need to brush up on Linux or networking, we provide the following free courses:

Linux Essentials for Hackers
Practical Networking for Hackers

- Be motivated.  You will absolutely not make it through this certification or this career field if you are not motivated.  It takes hours upon hours to get slightly better at anything in infosec.  The field is always changing and the true professionals are always studying.  You will not make it if you are unmotivated or complacent.  Find a mentor (I’m always happy to help) who will guide you, but not give you the answers.

- Find a community.  A good support community is absolutely critical to your success.  Find others who are going through it.  Perhaps it’s the OSCP sub-Reddit or a Slack/Discord community with similar interests.  Links are out there and people are always happy to refer you.  (As am I.  If you’re a vet, join our Slack!)

If you meet these requirements and have the money, do not wait any longer to purchase.  You are holding yourself back.  Everything you need to learn is taught in the lab guide or through hours of Googling when in the labs.  The course is not designed to make you fail.  It is designed to make you put in the effort and that’s what a lot of people hate about it.  Put in the effort and you’ll make it out without needing much preparation beforehand.

My Lab/Exam Tips

From start to finish, my OSCP journey took 45 days.  I broke into 30-ish (I think 33) machines and decided that I was ready to take the exam.  My goal was always to take my first exam before my lab time ended and I recommend this to everyone I talk to.  An exam retake is $60.  However, if you’re out of lab time, then you’ll need to buy additional lab time in order to practice more and that can get expensive.  By taking the exam before your lab time is up, you’re able to have some lab time left in case you fail and need to brush up on your weak spots.

Before you sign up for the exam, make sure that you have a good time management schedule planned out.  For example, my attack plan was to immediately knock out the buffer overflow box while the remaining boxes were being scanned.  Doing it in any other order would be wasting time.  Have scripts prepared, a clean backup of your VM ready, and everything tidy.  It all helps.

Finally, know buffer overflows and do your damn lab guide.  It’s free points.  Do not be lazy and be the guy/girl who did not do their lab guide and missed passing their exam by a few points.  I’ve seen it happen quite a few times.  As for the buffer overflows, you get 25 points and it should only take you an hour.  That’s essentially 30/70 points right off the bat, leaving you with four boxes and 23 hours to get 40 more points.  Too easy.  If you need help on buffer overflows, here’s another shameless self-plug of a walkthrough: 32-Bit Windows Buffer Overflows Made Easy.  We also have an entire video series on the topic (https://veteransec.com/exploit-development-buffer-overflows/).  If you can perform that walkthrough, you’re ready for the buffer overflow box on the exam.

Where I Ended Up After the OSCP

The OSCP, in my experience, was not the golden ticket I thought it was.  I assumed that I would be finding a job as soon as I put it on my resume.  I was wrong.  I was also picky.  I wanted to work remote or in very specific locations.

What you will find after you pass the OSCP is that there are a million recruiters that will hit you up.  Some will be cryptic and not tell you anything about the position.  Delete.  Some will have no idea what they are talking about.  Delete.  Some will try to get you in on a few months of contract work.  Delete.  Delete.  Delete.

Eventually, a recruiter will come along who cares about you and their job.  They will know what the OSCP is and other relevant certifications in the field.  They will be able to tell you about the company, provide you a direct hire, and seriously want you to succeed in the position.  A good recruiter will not even consider you for a position he or she does not think would be a good fit.  You will find this recruiter, but you need to be patient.

Once I found my guy (shout out to Joe Hudson at Huntsource), I found my job.  It took about 4 months from finishing the OSCP to landing the job I truly wanted.  I am now a senior penetration tester.  I hack in my underwear from home.  I make great money.  I love what I do and I love the people I work with.  Life is awesome.

How the OSCP Prepared Me for Real Work

The first time I sat down to put my skills to work professionally, I was nervous as hell.  It was an external penetration test and I was terrified that I would have no clue what to do.  Fortunately, that wasn’t the case at all.  It was just like riding a bike.

The process never changes.  You scan for your exploit and you try to find a way in based on what you find in your scans.  Sometimes, you have to rely on lessons learned outside of the OSCP to gain entry as there are well-patched companies out there.  However, when it comes to doing an external pentest, it felt just like home.

Where things get shaky, and what the OSCP fails to prepare you for, is internal penetration testing.  I remember the first time that I broke into an internal network from the external side.  I thought to myself, “Awesome!  Shit…now what?”, because I simply wasn’t prepared.  Why?  Because most companies are using some sort of Active Directory (AD) environment and you will not find that on the OSCP.  If the OSCP ever did a true overhaul of their labs, this would be my first suggestion to them.

In terms of other work, I also do wireless, physical, web application, and malware assessments.  The OSCP is really not in the scope to do this type of work.  Once you break into the field, you really just learn as you go.  As I said before, the field changes every day.  There are always new exploits and new defenses.  Staying motivated to learn will be a key factor to your career success.

In Conclusion

I hope you enjoyed this rant about my experience with the OSCP.  I also hope that my perspective was unique and provided a brief insight on when to suck it up and purchase the course, how to pick your recruiter, and what to expect when you land your first job.  Be patient.  Have fun with it.  Stay motivated.


Wanna chat? Add me on Twitter or LinkedIn!
Veteran? Join our Slack!

10 comments on “Not Your Ordinary OSCP Review”

  1. I enjoyed a lot reading through your article but your conclusion about OSCP made me wonder if you could ever write a post about resources/courses/certifications to prepare for internal penetration testing.

    Hope you keep on going with this blog since you’ve got a new reader!


    1. Thank you! I definitely plan on writing some blogs on internal pentesting. There definitely aren’t a lot of resources out there.


    1. Hi,

      Unfortunately, I do not have any of that material anymore. You could likely supplement the gaps by scanning/enumerating/attacking a VulnHub. I like the Kioptrix series for just starting out.