My name is Mohamed, a pentester & Java web developer and a continuous learner. I created this blog to share my thoughts, tips, tools and anything that may help others.

My OSCP – PWK Review

  • Before OSCP
    Before sharing my thoughts about my OSCP experience, I would like to give you an idea about my IT background, which may encourage, in one way or another, people with the same background to try the OSCP PWK course.

    So I’m a Java & web developer, used to work on Java enterprise applications using Java EE and other frameworks (Spring, Hibernate, JSF, etc.). I was introduced to the infosec field 20 months ago, and since then I have tried to learn more and more about it, especially the web category, because it is related to what I’m good at (Java EE/web development).

    Later on, I discovered that infosec is not related only to “WEB”; there are also network, system, mobile, forensics and cryptography categories, etc., and each category requires an understanding of the underlying concepts. I mean you can’t talk about “WEB” attacks if you don’t know what “HTTP” means or what “HTTP HEADER” or “HTTP METHOD, REQUEST, RESPONSE, COOKIE, etc.” mean.

    So as a next step, I made sure to learn more about networking basics, TCP/IP, routing, etc., while at the same time getting comfortable with the Linux (Debian/Kali) and Windows command lines, playing CTFs (started with root-me, then vulnhub and ctftime), and learning more and more about each security category’s vulnerabilities, how they’re exploited and how to develop your own exploits, etc. I also planned to pass CEH as my first certification challenge in the infosec field (later I realized it is not enough).

    After passing CEH I was aware of most of the network attacks (CEH covers network attacks well), but I still had no hands-on exploit development or web attacks, and especially no real-world simulated networks (subnets, servers, firewalls, etc.) where I could practice most of the known attack vectors and techniques required to infiltrate through different servers and networks, elevating privileges accordingly.

    So that’s when I found out about OSCP from a friend, and I was convinced that this was what I was looking for after reading multiple reviews about people’s experience and how it is more challenging than “Question -> Multiple Answers” certifications.

  • Preparing for OSCP
    The following map represents what I had to learn and practice to be ready for OSCP:


  • Lab review
    After signing up (for 2 months) and receiving the PWK course material from Offensive Security, I planned to check the course material like the following:


    (I was too lazy to read the PDF; I checked an old version of it on the net before starting OSCP :p).

    The Offensive Security lab networks are a simulation of small or medium company networks where you can find some kind of network segmentation in place, resulting in multiple subnets, each subnet with multiple systems, servers and various operating systems (Linux, Solaris, FreeBSD, Windows), which makes it more challenging. The student needs to gain full access with the highest privileges (root/Administrator) on each box and move on to others while documenting, taking notes and screenshots of his findings, which makes life easier during the lab reporting step.


    For me the lab was easy for like 30% of the targets, medium for 30% and hard for the rest. I started with the low-hanging fruit machines (as stated by most OSCPs’ recommendations), which gave me some confidence at first, but not for long. Once I faced “Ghost”, things started to become more and more difficult; I had to spend a long time googling and searching for other techniques and attack vectors, and most importantly enumerating more and trying harder (hated this word), which was in most cases the key (rule) to root them all.

    After 18 days of lab time I had rooted 22 boxes, but still hadn’t faced the trinity of Pain, Sufferance, and Humble. “Pain” took me 7 hours, while Sufferance and Humble were a nightmare of 4 and 3 days respectively.
    The worst thing about these machines: “Admins Are Not Allowed To Help Or To Say Anything About Them”, and there’s no way to confirm whether you’re digging in the right path or not except yourself and how you’re interpreting your enumeration findings :p, while for other machines admins are there to help by providing advice and recommendations (and of course not telling you exactly what to do).

    As for the rest of the networks (Dev, IT, Admin), I struggled with them for a while; it was fun to practice all the port forwarding and tunneling techniques.
    “Jack” on the Admin network did take some time from me, but as usual, once you root a box you discover how weak your enumeration step is and what you should do next time to improve it.

    After 42 days I had rooted all the boxes and had already taken some notes and screenshots for most of the targets. I started my lab report earlier (18 days left), and included only 10 machines in my final lab report, which is the minimum number of machines required by Offensive Security.

  • Exam review
    The OSCP exam is a 24-hour challenge where you have 5 machines to root (you’ll need to script a buffer overflow exploit for one of them), each machine worth a certain number of points, and you have to get a minimum of 70 points to pass. You’re restricted from using automated tools like sqlmap, Metasploit, etc., and are allowed to use Metasploit on only one target of your choice.

    I started mine at “10 am”. As usual I tried to root the low-hanging fruit, only this time after 90 minutes I couldn’t find a way in, so I moved to the buffer overflow target and had it cleared after 1 hour. Next I went back to the first target and found a way in; it took me another hour to root it.

    The next target was not easy; it took me more than 6 hours to get in and escalate my privileges. So far 55 points, and I still had my Metasploit card to play on the next target.
    After another 7 hours, and using Metasploit, I successfully rooted the 4th target and escalated my privileges accordingly. The last target wasn’t easy; I spent a long time on it trying to find a way to gain limited access, but I already had enough points to pass and I was too tired to continue (later, after the time was up, I found that I had been very close to getting a limited shell).

    The next day it took me some time to finish my exam report and send it with the lab report. I received the “we are happy to inform you” message the next day, saying that I had successfully completed the PWK challenge and obtained my OSCP ^_^.

  • Conclusion
    I must say that what I’ve learned in the last two months is far more than what I learned in the last 18 months, and I’ll definitely take the next challenge, “OSCE”.

    I recommend the PWK course for everyone interested in infosec (and looking for a more challenging certification) or performing penetration tests as a daily job.

    The lab represents the whole OSCP journey, and it is the journey that matters, not the destination, so try to profit from each moment spent on it, because once you’re finished with OSCP, you’re going to miss it Q_Q.

    For any questions hit me up in the comments or contact page and I’ll be happy to answer.

  • Resources:

  • Comments
    Harvey Specter
    Posted at 12:57 pm June 14, 2016

    Epic post mate … you’re not lazy 😀

    Harvey Specter
    Posted at 12:57 pm June 14, 2016

    And congrats for nailing it 😀

    Harvey Specter
    Posted at 3:16 pm June 16, 2016

    Congrats, good job, and great review !

    Harvey Specter
    Posted at 2:37 am June 18, 2016

    I will right away grasp your RSS as I can’t find your email subscription hyperlink or newsletter service. Do you have any?
    Please let me know so that I can subscribe.

      Harvey Specter
      Posted at 3:15 pm June 19, 2016

      For the moment “no”, I’ll let you know when it is available.
      Thanks =)

    Harvey Specter
    Posted at 2:15 pm August 4, 2016

    Congrats Dude 😀
