PWK and the OSCP Review

Back in 2014 I started down the Pentesting With Kali (PWK) course about a month after passing the CISSP exam, for which I self-studied for about 4 months. What can I say, I was a glutton for punishment but it was well worth it. I started off with 90 days, but due to a crazy work schedule, wound up extending it another 30 for a total of 120 days of lab access. I'm not as young as I would like to think I am and have other important responsibilities as Dad and Husband which I consider "Priority 1". So, my time to study, perform the homework assignments, go through the modules, videos, and lab work was limited to 2 hours in the morning before work (typically 5am until 7am), and then again for a few hours after everyone was asleep in the house (typically 9pm until 11pm or Midnight). Weekends I could usually spend up to 6 hours on Saturdays and Sundays studying, which helped tremendously.

Other people have already done a great job at reviewing the PWK course and the OSCP challenge exam. It's not my intention to take away from that great work but instead I would like to provide a different perspective, that of someone looking to switch careers into the offensive security realm of information security. You may be a bit more, ahem, "seasoned" like I was when moving over. What I mean by that is you've probably worked in some career for over a decade and your wife just told you she wants to quit her job and be a stay at home mom for kids she doesn't have yet. Ok, so maybe not everyone switching careers has that kind of "motivation" but still, if you're coming from a non-technical career field, into offensive security, there's a lot to learn. This course is definitely not for beginners, though this is Offensive Security's introductory course.

I've had several of my colleagues ask me what the labs, modules, and exam were like. Of course I only dropped hints that would encourage them to try it and not anything that would discourage them from going through the course. These are guys who have been pentesting a lot longer than I have asking these questions. Guys I consider to be very smart and fully capable. So, in good spirit, here's what I recommend for you, the reader, should you find yourself pondering over the PWK course and OSCP certification challenge.


  1. Read and memorize information about common interfaces and protocols (HTTP, SSH, Telnet, FTP): how they work, how to make a manual request from the command line, etc.
    1. Read the RFCs!!!
  2. Get very comfortable with both Linux and Windows operating systems.
    1. Learn the command line operations of each, specifically for administering the OS
  3. Play around with Kali Linux, get familiar with the tools present on the system
    1. Learning the ins and outs of netcat is a biggie, read a book, or Google it!
  4. Download intentionally vulnerable VMs from http://vulnhub.com as this will get you practicing with the tools in Kali, and train your brain in how to think about solving the problems presented in the VMs.
    1. Keep training your brain how to think appropriately so that you can solve problems efficiently and effectively
    2. Train your brain some more
    3. Keep training
    4. More brain training!
  5. If you don't know something, learn how to get that knowledge and do it quickly
    1. Google
    2. Books
    3. RFCs
    4. W3 Schools (web languages)
    5. Trial and error in a lab environment
  6. The most important thing is to fail, over and over and over and over again so that you actually learn something
    1. Make noob mistakes so you are so embarrassed you won't repeat them (learning!)
  7. Review example penetration testing reports (writing and communicating technical findings is a needed skill)
  8. Learn a scripting language so you understand how to code in that language
    1. Python
    2. Ruby
    3. Perl
  9. Learn at least 1 more robust programming language. I prefer C and Assembly.
    1. C
    2. C++
    3. Java
    4. Assembly
  10. Learn to the point you can teach someone else how to perform the same tasks and get into the same mindset.
    1. Final stage of truly learning something
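
Item 1 above is about knowing a protocol well enough to speak it by hand. The following is an added example, not code from the original post: it assembles an HTTP/1.1 request byte by byte (the same lines you would type into netcat), sends it over a plain TCP socket, and parses the status line and headers from the reply. To keep it runnable offline it starts a throwaway local HTTP server first; the server, the constructed body and all function names are assumptions of this example.

```python
"""Hand-built HTTP/1.1 request over a raw TCP socket (added example)."""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed response body served by the throwaway local server.
BODY = b"hello from the lab\n"


class _Handler(BaseHTTPRequestHandler):
    """Minimal local server so the exchange can be exercised offline."""

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(BODY)))
        self.end_headers()
        self.wfile.write(BODY)

    def log_message(self, *args):  # keep the example quiet
        pass


def start_local_server():
    """Bind on 127.0.0.1 with an OS-chosen port; return (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), _Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def build_request(host, port, path="/"):
    """Assemble the raw request exactly as it goes on the wire.
    CRLF line endings and the empty line ending the header block are
    what RFC 7230 requires; Connection: close lets us read until EOF."""
    lines = [
        f"GET {path} HTTP/1.1",
        f"Host: {host}:{port}",
        "User-Agent: manual-request-example",
        "Connection: close",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_response(raw):
    """Split a raw HTTP response into (status_code, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    _version, code, _reason = status_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(code), headers, body


def manual_get(host, port, path="/"):
    """Connect, send the hand-built request, read to EOF, parse the reply."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(build_request(host, port, path))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return parse_response(b"".join(chunks))


if __name__ == "__main__":
    server, port = start_local_server()
    try:
        code, headers, body = manual_get("127.0.0.1", port)
        print(code, headers.get("content-type"), body)
    finally:
        server.shutdown()
```

Once the request bytes are in front of you it is obvious why a missing blank line or a bare `\n` instead of `\r\n` makes some servers hang: the parser on the other end is waiting for the header block to close. Swapping the local server for any host and port lets you compare what a real server sends back against what the RFC says it should.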

I will be the first to admit, I'm a horrible test taker when the exam is multiple choice. I'm a hands-on learner, always have been, always will be. If you have a hands-on learning style too, this is an excellent course. If you typically memorize answers to questions and that's how you pass tests, this course will be brutal. It's designed to provide repetition by doing each task so that the knowledge sticks.

One final lesson before moving on to my experience, there is usually more than one way to skin a cat. What I mean by that is if you find yourself beating your head against a wall because something specific isn't working, see if there's another way to get the same result. It is incredibly easy to get stuck on one problem and waste weeks of lab time trying to solve it. As others have said, and I will repeat, walking away from a problem is sometimes just what you need to get a fresh perspective at your approach and to come up with a different, sometimes better, solution that actually works.

Ok, on to the modules and labs. I enjoyed this part of the course tremendously. Each student is given a PDF document with supplemental video, or it might be the other way around. You'll get to watch Muts demonstrate various vulnerabilities and how to perform the exploit. You'll then go through the PDF, get a chance to mimic what you just learned and then tackle some homework questions. Don't skim through this part. Some of the homework is required to be documented in the lab report at the end, some of it is not. If you want to pass, do it all, you still may learn a thing or two.

Supplementing the module videos and the PDF are the labs, where you, the student, get to practice the skills in a hands-on fashion. It's a digital playground representing a fictitious client network that you get to use to practice your newly learned skills. I recommend leaving ample time to complete the labs. I originally signed up for 90 days, and left 60 days for the labs, which then turned into 90 days for the labs when work got busy and I had to extend my time. This was a good decision. I tend to learn things quickly, especially when it's hands on, so the modules were done in around 30 days or so. Remember, I was only really able to devote 2 to 4 hours a day, and even that happened on average only 5 days a week (family activities, double booked at work, etc.).

I won't go into too much detail but the lab machines took the modules to the next level and this is really where the course begins. I encourage you to do what you can to NOT use Metasploit in the labs. Granted a few machines might require it, at least they did during my lab, but getting in the habit of not using Metasploit exploits will serve you well once you get to the exam. Still, using Metasploit is a good skill to have and everyone going through the PWK course and OSCP exam should have already gone through the Metasploit Unleashed tutorials (http://www.offensive-security.com/metasploit-unleashed/Main_Page). If you want to increase the challenge level, don't use Metasploit at all and rewrite any Metasploit exploit you need into Python or Perl, or another language of your choice. A lot of people like Ruby and that's their choice; I find that Python serves my coding style and needs perfectly, so I only learned enough Ruby to figure out how to rewrite Ruby-based exploits into Python.

Within the labs, you will encounter at least 3 machines that are increasingly more difficult than the rest. Absolutely go after these machines and save as much time as you can, I think I saved 20 days for both Pain and Sufferance just to leave myself enough time to conquer these challenges. I finally got both at a hotel one night while on a business trip after a full day of beating up on a client. I also think the 2 glasses of Johnny Walker Black Label helped kill off the weaker brain cells so the stronger ones could help me conquer the challenges. That's what I'm going with anyways.

Once my labs were done, I had the majority of the machines on the main network, and had unlocked one additional network. I ran out of time before getting to those and wanted to focus the last few days of lab time to review anything that I knew was weak. Throughout the labs I noticed that my Linux privilege escalation skills became really strong and I needed to work on my Windows privilege escalation knowledge. I wouldn't find out just how weak they were for the more advanced privesc attacks against Windows OSes, until the first exam.

The exam is broken out into a specific number of machines, each with a certain point level totaling up to 100 points. 70 points are needed to pass and this is where the effort in the labs pays off. Document everything: all the homework that is required to be documented, all of the steps you took in the lab with supplemental screenshots, code blocks for request/responses, etc. Turning in a separate lab report along with the exam challenge report may help get you over the hump and may be the difference between passing and failing. Offensive Security is rather hush-hush about how they grade and I can't tell you for sure, nor would I want to because the unknown is what makes it fun! I can tell you that just like in that math class you may have disliked, showing your work on a certain problem, even if you didn't completely solve it, can only help you.

I didn't pass my first attempt, like most people I would imagine, and I realize that I missed a key part of the exam instructions. Yes, I RTFM! I didn't document my evidence for each machine as requested in the exam instructions. I would imagine, and don't know for sure, that I didn't get full points for the machines I DID fully compromise because of this. It might not have made a difference because I was nowhere near having enough points the first time around, but it probably would have made a significant difference my second time around if I hadn't caught it before turning in my 2nd exam report. You've been warned!

I am happy to say that the 2nd time went better. Not perfect by any means but better. I got the passing notification and was super excited. I'm currently prepping to do the 2nd class in the series Cracking The Perimeter (CTP). After talking with friends who have started the course, they advised I brush up on assembly and C first. So, my certification challenge for the Securitytube Linux Assembly Expert 32-bit class will be my next set of blog posts.

Hack Responsibly!
