Sunday, July 12, 2015

My Experience with PWK and OSCP

I received the magical email on Friday night. 
Dear Brandon, we are happy to inform you you have successfully completed the Penetration Testing with Kali Linux certification challenge and have obtained your Offensive Security Certified Professional (OSCP) certification.
I was completely surprised. I wasn't expecting a response until 4 days later. But anyway, it's about god damn time! I'm extremely happy to have completed this challenge. I put in a crazy amount of money, time, and energy into getting this certification. It finally paid off. A celebration was in order, which is why I'm writing this a few days later.

I originally bought the course a little more than two years ago. I was able to go through all of the course videos and pdf, but I just didn't have the time or willpower to struggle through the labs. So I dropped it and pretty much forgot about it. In May I decided to revisit the course. I'd like to comment on my experiences with all aspects of the course. There won't be any spoilers in this post though.


This is an expensive course and certification if you don't hold a well-paying job. The base course with 30 days of lab access is $800. Don't get me wrong though, the price point is decidedly justified. I bought it a few years ago when it was still Pentesting with BackTrack. It came with 30 days of lab access, which I completely wasted. I'm still kicking myself for that. When I picked it up again recently, I had to first upgrade from PWB 3.0 to PWK. That was $200. On top of that, I also needed to buy 30 days of lab time (another $250). So if you're going to start this course, make sure you're going to be fully committed to it, otherwise you could spend more money than necessary like I did.

My only major gripe with this course is that your lab time starts as soon as you receive the course materials. Most of the information and exercises don't require access to the labs, and the ones that do can be completed very quickly. It felt I was wasting valuable lab time while working on the basic course materials. But it forced me to just power through the course material as fast as possible so I could focus on the labs. This worked fine for me, but others might need to go through the course material multiple times to fully understand the concepts in order to be successful in the lab environment.

Course Material

The course comes with about 8 hours worth of video, which are all desktop recordings. The instructor always speaks very clearly. He doesn't speak so quickly that you can't follow, or slowly enough to bore you. And if you do miss anything, you can always rewind the video. Every time he executes a command or changes a setting, he explains exactly what he's doing and why he's doing it.

In addition to the 8 hours of video, students also receive a 350 page pdf with even more information, and practice exercises. Everything is very well written and easy to understand. Some of the practice exercises were actually really fun.

The course material contents are all very modular, which makes it easy to say "Alright, today I'm going to do the whole Password Attacks module by watching the videos and then reading the lab guide and doing the exercises." There are some things that are in the videos that are not in the lab guide and vice versa, so it's very important to utilize both for learning.

Lab Network

The lab network is easily the best part of this course. When I first started playing in the labs, I was a bit overwhelmed. You don't have anyone holding your hand and telling you what to do. It's just you and your terminal against a network of machines with various "personalities". At the end of my 30 days I was able to compromise of about 30 machines. I'm pretty satisfied with this, but I really wish I was able to compromise all of them. I used various attack vectors and had to get pretty creative for some of them.

I mentioned above that some machines have "personalities". This made the labs extremely interesting and fun. Some machines are specific user machines, and some interact with each other so it's fun to keep track of what they're talking about and how they're all related to each other.

Note that the labs are extremely frustrating, and not all machines are at the same difficulty level. Some days I would pop 3 boxes no problem, and then I would go 3 days without getting any shells. I was consistently putting in 10-12 hours a day. So if you have a full time job I would definitely suggest getting at least 60 days of lab access. The best way to learn is to get your hands dirty, and you want as much time in the labs as possible.

Also I highly suggest making use of both the student forums and the IRC network. I found a lot of fantastic information in the forums. The IRC was great for complaining about different machines, and the admins were very helpful without giving out much information. Serious props to the IRC admins. They're on 18 hours a day and have to deal with the same questions that they can't answer over and over again. But be prepared to hear "Try Harder" about 90% of the time you ask a question. 


There's only one way to describe this exam: stressful. The OSCP exam is 48 hours long. The first 24 hours are dedicated to hacking the 5 exam machines. The second 24 hour period is for writing your exam penetration test report. There are a total of 100 points and you need 70 points to pass. Not only do you have to worry about actually pwning the machines though, but you really need to pay attention to your bodily needs like sleep and food.

I ended up taking the exam three times. My first attempt was my worst. I was only able to gain the highest privileges on one of the machines. My largest mistake though was my strategy. I kept jumping around when I hit a wall instead of trying to stop and think. In addition, I tried to power through the whole 24 hours without sleeping, and I barely took any breaks. By the time my access to the exam network ended, I couldn't even concentrate on my terminal. I was so confident that I failed that I didn't even bother sending in my report. But writing it once I had some sleep helped me find some things I missed during the exam.

A week later I purchased another exam take. This time went much better. Before the test started I picked up all of my favorite snacks and beverages. This really helped me personally. Anyway, I was able to gain the highest privileges on two machines, and lower privileges on another two. I sent in my exam having no idea whether or not I would pass. I failed. I'd guess that I had about 60-65 points, but the exam is pass/fail so I never found out how many points I really had.

I knew I really needed to work on my privilege escalation skills if I wanted to pass the exam. So I took about three weeks to practice in both Linux and Windows environments. I did this without lab access; I just read a LOT online about Windows privilege escalation and practiced in some VulnHub virtual machines for my Linux skills. I learned some really cool techniques and tricks, which I hoped would be useful in my next exam attempt.

Thankfully third time was the charm. I fully compromised my first machine after about an hour. Another hour and a half and I got another one. Then I had a zen moment where literally everything just clicked for the third machine. I was in the zone and super determined. Another 2 hours and I finished the fourth box. At this point I knew I already had enough points to pass, but I REALLY wanted to pwn all of the machines. Unfortunately I could only get limited privileges on the last box. I sent in my report and got my passing notification about 24 hours later.

Wrap Up

Overall, this is an amazing course and certification. The amount I learned in the past two months is insane. I really had a blast, and although I'm very happy that I finally passed, I'm definitely going to miss the lab environment. Hopefully this certification opens new career opportunities for me so I can finally break into this challenging industry.

I've already got my eye on the WiFu course...


  1. This article encourage to take this certification, congratulations!

  2. you crossed many obstacles through your journey of oscp. happy to hear all information's which is you mentioned above i am the way of doing OSCP certificate really it motivated and still you did not share about the deep exam experience

  3. Great article and congratulations! I just have one question. For someone who has some knowledge/experience of Linux shell commands and the command line environment in general, where would you suggest I begin my journey into infosec? Any suggestions at all would be greatly appreciated.

  4. This comment has been removed by a blog administrator.

  5. Great Article... For me its a heads up, to work on my privilege escalation before i take this course and certification exam.