My PWK/OSCP Journey
Penetration Testing with Kali Linux (PWK) is a foundational ethical hacking course at Offensive Security (OffSec). It is a self-paced online course designed to teach you penetration testing methodologies and the use of the tools and exploits included within Kali Linux distribution. After completing this course, you will have a chance to take a certification exam which will earns you Offensive Security Certified Professional (OSCP) certification and 40 Group A CPE credits for ISC2.
There are many ethical hacking or information security courses available from various organizations such as EC-Council, eLearnSecurity, CompTIA and etc. However, what makes PWK/OSCP special is that in order to get certified as an OSCP holder, you needs to take 100% hand-on exam within limited 24-hour time. In addition, you are also required to submit a comprehensive penetration test report including details of your findings during exam within another 24-hour after the exam. The exam is a proctored, and you will be given around 5 vulnerable machines in isolated VPN network to compromise.
In contrast, OSCP doesn’t appear to be as well-known to general hiring managers as some other penetration testing certifications, such as the Certified Ethical Hacker (CEH) certification; however, the OSCP seems to be highly respected and known within true penetration testing circles.
I started my journey in IT with Computer Science as my major at university. However, I did not find myself fit with career path in Management Information Systems (MIS) which is the main subject for my university major. As a result, I tried to focus more on computer networking instead by attending Cisco Certified Network Associate (CCNA) course. It was when I know how to do self-learning and I managed to earn some certifications in this field such as CCENT, CCNA Routing & Switching, CCNA Security, JNCIA-Junos and JNCIS-Security. I thought I know something about security, but I only knew a small portion in network security. So I decided to grab a chance and attended a Post Graduate Diploma in IT Infrastructure, Systems and Security (PG DITISS) in India. It was when I first got to know ethical hacking and Capture The Flag (CTF) competition. I really enjoyed doing CTF and also learned many things from it. When I came back to Cambodia, I tried to introduce CTF to my friends who were still working in networking field, and we built a team just to play CTF.
After sometime with CTF, we started talking about life after CTF. We came up with a few courses and certifications, but courses from OffSec like OSCP and OSCE were like our ultimate goals, so we decided to take some lighter courses and certifications first such as CSCUv2, CCNA Cyber Ops, CEH and etc. In 2018, one of my friend decided to try and took PWK course and successfully earned OSCP certification.
He then told us to start prepare for PWK/OSCP with Hack The Box which is a penetration testing lab. I managed to register on March 2018, but I still thought that I am not ready for hacking, so I ended up spending 1 month doing just CTF in that platform and managed to solve around 30 CTF challenges. He then said to me “There is no point doing CTF to prepare for PWK/OSCP. You have to get out of your comfort zone (CTF) and learn hacking.“. I then started doing more hacking and less CTF stuff, and by December 2018, I managed to root around 30 active machines and 50 CTF challenges to earn the rank of Guru and Top 50 in Hack The Box at that time. I thought it should be more than enough for me to attend PWK/OSCP, but then I decided to postpone taking the course due to budget constraint. Time flew, and I postponed it for 1 whole year. ?
Before I went for PWK/OSCP again, I returned to Hack The Box, just like what I did before, to review my skills. On January 09, 2020, I got enough budget to finalize the payment for the course’s package of PWK course + 30 days lab access + OSCP exam certification fee. I then selected February 02, 2020 as my start date for the course. I finished my second preparation just one day before the course started, and within that 1.5 month preparation period, I managed to root 16 active machines and 19 machines in LinkedIn Learning dedicated lab.
I started my course on February 02, 2020. I spent the first 2 weeks learning from study guide (PDF & Videos) and doing exercises. Then I took 2 weeks time on lab where I managed to root around 30 machines including cloned machines in Public network and unlocked 2 other networks, IT Department and Development. After 4 weeks of lab access passed, I used my last 2 days of lab access to do lab report of 10 fully compromised machines.
Note: Exercise and lab report is optional. You could ignore it, if you would like to spend most of your time on lab. However, I would suggest you to complete the exercise and lab report since it can reward you up to 5 points bonus during exam, and it might come in handy if you need just 5 more point to pass the exam. Moreover, lab report will also prepare you for your exam report.
I also found that learning from study guide while doing exercises in parallel is one of the best learning experience I have ever had. OffSec really nails it with their teaching methodology, and you should not miss it. Plus, they are able to make Buffer Overflow section very simple and easy to understand. ?
The downside of the course is that the machines and exploits used in the lab environment are quite old. However, this issue should have been resolved since OffSec have just announced the release of the new PWK 2020 on February 11, 2020, just a little over 1 week away from my start date. I was quite upset since I started the course on February 02, 2020 and stuck with the old material and labs. If I had known there is a new PWK 2020 to be released, I would have delayed my course start date. ?
Anyways, OffSec stated that the exam will remain the same for both existing PWK and the new PWK 2020. Therefore, I booked my exam on March 12, 2020 which is 10 days after my lab access expired. I spent my 10 days period on around 2/3 VulnHub machines in the below list.
On March 10, 2020 till the exam start, I found myself tired of preparing for exam, so I decided to end my exam preparation from that day onward.
As the time went by, my exam finally arrived on March 12, 2020. I woke up at 08:00 AM and finished preparing my laptop and extended monitor by 08:20 AM. Next, I went on to have a shower to freshen myself up, had breakfast and enjoyed my morning coffee. At 09:45 AM, I opened up the proctor portal and completed the pre-exam and verification process which took around 15 minutes in very hassle-free manner. I then stepped into the exam at 10:00 AM, knowing I had a possibility of 5 points bonus from the exercises and lab report if I did it correctly. I started my exam with buffer overflow machine, and I managed to overcome some obstacles and pop up the shell after 1 hour into the exam. With this machine, I have collected actual 25 points or possible 30 points. I then took 15 minutes break to freshen my brain and returned to the exam afterward. By 12:00 PM, I managed to get initial shell on one of 20 points machine. After that, I went for my lunch and rest until 01:00 PM. I spawned the root shell on that machine 30 minutes later and went on to get a user shell on another 20 points machine by 02:00 PM. At that time, I manged to collect actual 55 points or possible 60 points, and I decided to take another 15 minutes break. By 04:00 PM, I was finally able to get the root shell from that second 20 points machine. If my exercises and lab report work out, I should have already pass the exam at this point, but there is still a possibility that it might not work and I might end up 5 points away from passing the exam, so I decided to take a break and returned to 10 points machine later on. From this point onward, I found my productivity getting throttled, and I couldn’t think of anything, so I ended up using my metasploit allowance on that machine. Sadly, metasploit didn’t work out as I had expected. ? A moment of silence! After banging my head against the wall, I finally could overcome my stutter brain and got root shell from 10 points machine at 06:00 PM. Knowing that I got actual 75 point or possible 80 points, I gifted myself a 2 hour break to enjoyed dinner and rest. I returned to the exam at 08:00 PM in order to do my note in detail and collect all necessary screenshots before went back to the last 25 machines at 10:00 PM. This machine struck me really really hard as I went to the rabbit holes for the rest of the day. At this point, my brain was just blank, so I decided to go to bed at 12:00 AM without any achievement at all on that remaining machine. On the next day, I woke up at 08:00 AM and returned to that machine for one last time, yet I fell into another rabbit hole until 09:00 AM when I found the right flow. By 09:30, I was able to spawn the initial shell from that machine which made me securing actual 87.5 points or possible 92.5 points. I spent sometime enjoying my achievement, but I didn’t stop there and went on for the root shell which I thought I knew the trick, but I didn’t have enough time to get it to work. Therefore, I decided to end my exam at this point at 09:40 AM.
Then I took a shower to freshen myself, had my late breakfast and enjoyed my morning coffee as always. I returned to my computer at 01:00 PM to do the report and sent it out to OffSec at 03:00 PM. Since then, I kept refreshing my email inbox even though every email notification scared the shit out of me. ?
While waiting for the result from OffSec, I tried to build the a lab replicating the environment of 25 points machine that I missed privilege escalation part during exam to test if the vector I found earlier was right or not. After around 1 hour working on it, I managed to gain the root shell with that vector, and it made me feel complete.
Finally, I got a confirmation email from OffSec that I passed the exam on March 18, 2020. From now on, I can officially say, I Tried Harder! ?
I would say the exam is very unique, enjoyable and truly reflected what were covered in course materials. Just remember that the main goal of PWK/OSCP is to teach you penetration testing methodologies and the use of the tools and exploits included within Kali Linux distribution. As long as you truly learn and understand them, you are good to go.
I am really satisfy with PWK/OSCP course and exam, and I would definitely recommend PWK/OSCP to those who would like to lay their career path in ethical hacking or information security as it is highly respected and known within true penetration testing circles. Even if you’re just interested, I would also recommend it since both the course, the labs and the exam are fun and super educational. While having this certification is not as valuable as having experience in the field, it will look great on your CV, and shows that you have at least a basic understanding of common hacking tools and techniques.
In short, the precious thing about PWK/OSCP is the journey itself. My journey was quite long, but I am glad I did it, and I won’t stop here.
Am I ready for PWK/OSCP?
According to OffSec, you should meet the below requirements in order to attend PWK course :
- Solid understanding of TCP/IP networking
- Reasonable Windows and Linux administration experience
- Familiarity of Bash scripting with basic Python or Perl a plus
In my opinion, there will also be a plus if you used to do some kinds of CTF challenges such as Web, PWN, Programming and Misc.
If you would like to know how it is like to take PWK/OSCP, you can try spinning up some machines from VulnHub then tried to get root shell or give it a try with Hack The Box.
Tips for the Exam
Here are some tips to prepare for exam:
- Get your coffee ready ☕
- Read PWK exam guide find out Do’s and Don’t during exam
- Do time management for your break time and sleep
- Plan your point collecting route before the exam begins
- Document as you go and backup your notes regularly to avoid data loss
- Get familiar knowing when you fall into rabbit holes
Hack The Box/VulnHub Machines
Hack The Box:
- LinkedIn Learning machine (Invite required):
- Enterprise (Out of OSCP scope)
- Reel (Out of OSCP scope)
- Lazy (Out of OSCP scope)
- Shrek (Out of OSCP scope)
- Joker (Out of OSCP scope)
- Retied machine (VIP subscription required):
- Tartar Sauce
Note: VIP subscription can access all the machines within Hack The Box including machines within LinkedIn Learning lab. In addition, some machines within LinkedIn Learning dedicated lab such as Lazy, Enterprise, Reel, Shrik and Joker might be out of PWK/OSCP scope.
- Kioptrix: Level 1
- Kioptrix: Level 1.1
- Kioptrix: Level 1.2
- Kioptrix: Level 1.3
- Kioptrix: 2014
- FristiLeaks: 1.3
- Stapler: 1
- VulnOS: 2
- SickOS: 1.2
- Brainpan: 1
- HackLAB: Vulnix
- pWnOS: 2.0
- SkyTower: 1
- Mr-Robot: 1
- PwnLab: init
- Lin.Security: 1
- Temple of Doom: 1
- Zico 2: 1
- Lord of the root: 1.0.1
- Tr0ll: 1
- Tr0ll: 2
- Web Developer: 1
- SolidState: 1
- Sar: 1
- UA: Literally Vulnerable
- LazySysAdmin: 1
- Prime: 1
- DerpNStink: 1
- W1R3S: 1.0.1
- The Ether: EvilScience (v1.0.1)
- Misdirection: 1
- symfonos: 2
- symfonos: 4
- digitalworld.local: JOY
- digitalworld.local: TORMENT
- digitalworld.local: MERCY v2
- digitalworld.local: DEVELOPMENT
Useful Tools & Resources
Enumeration and initial foothold:
- Nmap & Nmap Scripting Engine (NSE)
- Burp Suite
- metasploit framework (limited to one machine use on the exam but unlimited within the lab)
- sqlmap (for lab only)
- PEASS – Privilege Escalation Awesome Scripts SUITE
- Windows Exploit Suggester
- Linux Exploit Suggester
- Windows Kernel Exploit
- Linux Kernel Exploit
- Buffer Overflow
- Practice BOF:
- Seattle Lab Mail (SLmail) 5.5
- Vulnserver (PWK Study Guide & Lab)
- oscp like stack buffer overflow