Offensive Security Certified Professional (PWB) Review

This is my full review of Offensive Security’s OSCP Certification / PWB Course. Now that I’ve attained the certification it’s probably a good idea to post a review. :)

To set up the review, I do have a background in scripting, programming, exploit writing, pen-testing, forensics, and reverse engineering. I have never taken a course or certification focused solely on pen-testing and thus was not able to “easily” pass the certification. I took the 30 days originally and was only able to use about 20-25 days of the total allotted. About three months later (busy with work) I took another 15 days and wasn’t able to spend a single day in the labs (last minute Blackhat/Defcon trip!). After another two months I purchased another 15 days of lab time and was able to use about seven or eight of the 15. In total I probably spent ~40 days in the labs and thus would recommend to anyone to purchase 60 days of lab time from the start (as long as you can spend adequate time on the course).

Course Review:

This course is one of a kind (in a great way)! Nowhere else do I know of a course that forces you to learn the topics discussed in much more depth and then offers a practical evaluation rather than a written multiple-guess test.

After paying for the course you’ll receive an email with the course pdf (and videos) and files needed to connect to the lab VPN. I spent the first few days running through the entire course pdf and videos. I went through each example and the additional examples provided in certain situations. I also spent some time researching the topics further at this point. Once I was done with the course material and felt that I had a complete understanding of what was discussed I then dove into the lab network.

The lab network is where you’ll spend the majority of your time in the course and also where you’ll learn the most. The network has four separate subnets, each containing multiple hosts, each with different operating systems and exploits. While the lab network may not match what you’ll see in a typical pentest (the operating systems are not uniform, etc.), it pushes you in ways most other lab networks do not. Of course you’ll find some hosts that are very easily exploitable; others will likely take days, and some weeks. The best part about these lab machines is that the desire to get “root” or “system” often leads to a lot more research on a variety of topics. I know personally I spent a lot of time refreshing myself on web exploits (read The Web Application Hacker’s Handbook).

I got around 80% of the machines in the lab network in the time I had in the labs and reached every network as well. I wish I had more time to spend on the labs; they are quite fun and rewarding.

The Test:

The certification exam is unlike most certification exams. There are no “multiple guess” questions, only a hands-on practical. I can’t go into details about the exam, but I will say it was challenging. It tests everything that you learned in the course material and labs (and some things that weren’t specifically covered). The best advice I can give is to take the exam at a good time for you, make sure you get plenty of rest, and don’t give up. The goal of the exam is to get “root” or “system” on all of the machines that they present you with. I achieved this on all systems but one (only got a user level shell). OffSec gives you ~24 hours for the exam. Everyone completes the exam in a different amount of time; most spend close to the maximum allowed time. At around 10 hours I had completed almost enough to pass (70 points are required to pass, I was right around 70 points at that point). At this point I was stumped and spent the next 5-6 hours getting next to no more points. I decided to take a 2.5 hour nap. After my quick nap I had a clear head and re-attacked the remaining machines. After about another hour I got access to the remaining host I was having problems with and had more than enough points to pass.

A big part of the exam is the exam report. OffSec requires you to write a pentest style report explaining everything you accomplished to prove what you did. This wasn’t hard but requires you to take notes along the way. It’s also important to note that you are also required to send a report of everything you accomplished during your time in the course lab network. This report can take some time, so make sure you set aside a few days to write it prior to your exam. If you don’t do the report, it won’t hurt you during the exam. However, if you are on the borderline of passing the exam, a well written course report can possibly help push you into passing (this is all per OffSec). I did the course report for practice but did not submit it.

Advice:

– Go through the course pdf and videos and do every exercise they give (including the extra exercises). Maybe even do them twice.

– Make friends in the #offsec IRC channel who are also working through PWB. You can offer advice to each other. This can be a great resource! (Don’t give out answers, it doesn’t help anyone!)

– Research, research, research. If you launch an exploit or are debating an exploit to launch, you need to fully understand what you’re doing and why you’re doing it.

– Don’t take the exam until you feel “comfortable” getting root or system in the labs on “most” machines.

– Don’t give up! It can be frustrating and challenging at times but perseverance only leads to more knowledge. This certification is attainable!

– Take the exam! You’re only going 1/3 of the way if you don’t “cross the finish line”!

– Research, research, and research some more! Pwn, exploit, and hack!

Great Resources:

http://g0tmi1k.blogspot.co.uk/ — Shows a lot of great examples of different exploits and has his own resources and links that can help.

https://www.corelan.be/ — Great tutorials for exploit writing.

http://www.amazon.com/The-Shellcoders-Handbook-Discovering-Exploiting/dp/0764544683 — Best book/resource I know of for web application hacking.
