Following the tradition, here is another review for the Penetration Testing with Kali Linux (PWK) course. I recently got the Offensive Security Certified Professional (OSCP) certification and would like to give my two cents on the whole experience. There are several reviews already available, and I hope that if you are reading my review, it helps motivate you to take on this amazing experience. Before I go on, I want to establish the difference between PWK and OSCP. PWK is the name of the course, while OSCP is the certification you get when you successfully pass the exam. People use these terms interchangeably, so do not get confused.
I believe that every person in a technical role out there has at one point asked the question, “Do I need to get certified?”. Yes, there was a time when certifications did not really have value, and a lot of the older dudes still think that way. Some do it because it is a requirement for the role they are in, some people do it to show off, some do it to bypass HR’s candidate shortlisting filters, some have too much spare time and money; however, some people want to keep their technical skills sharp. I fall in the last category, and that is why it took me a good amount of time and research to finally decide to go for the PWK course. It was not a hard sell though. I read and heard a lot of good things about it, and keeping in mind that I had been in InfoSec for around 3 years, it was a good time for me to decide where I want to steer my career. I had recently transitioned into a new role where I was doing some extremely hardcore Vulnerability Management, and I wanted to switch to penetration testing. Having something like OSCP would help me make the switch. So, I went into the course with a clear motive to get certified and prove to myself that I can take on this course and ace it.
Pre-Requisites for the Course
Before signing up for the course, make sure you have the following requirements in order:
- A “good enough” system – Offensive Security mentions the requirements to be able to run their Kali Linux image on the website, so it is definitely a good idea to ensure you have enough power in your system to be able to run the guest OS without any issues. I recommend using their image for the course as it will prevent you from running into ‘some’ issues later.
- Reading, modifying and writing scripts – The course itself teaches a bit about Bash scripting; however, keeping in mind that the course can be a little overwhelming sometimes, it would not hurt if you have experience reading scripts, modifying them according to your needs, or writing your own scripts to make repetitive tasks less annoying.
- Familiarity with the Windows and Linux command line – Having a SOC background, dealing with the Linux command line was not an issue for me; however, I ensured that I was prepared enough on the Windows CLI as well.
- Get in the habit of taking detailed notes – I have been using CherryTree for a while; however, at the beginning of my PWK course, I was usually taking notes in KeepNote or OneNote, but they do not even come close to how easy and how useful CherryTree is. I used the portable version of CherryTree and I suggest you do the same. It will make your life so much easier.
- Learn to Google everything – I know we use Google for everything in our daily lives already, but when it comes to OSCP, you will have to rely on Google like you rely on air for oxygen. Being efficient at googling will do wonders for you, trust me. So polish your Google-fu as much as you can because you will need it. There is a section in the course which teaches some Google tricks as well, but again, it never hurts to know this stuff on your own.
The Course Material
Craziness Level: 3/10
Awesomeness Level: 7/10
The course material consists of a PDF document which is around 300 pages long accompanied with videos. You can take a look at the course material here.
The material is quite straightforward but extremely detailed, and it guides you from the basic penetration testing procedures to some advanced techniques such as tunneling, setting up dynamic proxies and port redirection. One of the most intense sections is where you get to learn Buffer Overflows, as it lets you dive right into a debugger and go step by step through the exploit writing process. The course also teaches how to use several tools, and once you have a baseline knowledge, you can build on it and discover more tools online.
I signed up for 90 days of lab time; however, it took me a good 40 days to finish all of the PWK course material. I kept taking notes along the way and completed all the exercises as well, since I planned on completing a lab report, which requires you to document ALL the exercises as well as at least 10 machines on which you have gained root or administrator access in the lab. More on the lab specifics later.
Pro Tip: Start documenting your exercises as you go through them. This will save you a lot of time and frustration later.
The PWK Lab
Craziness Level: 8/10
The lab consists of 50+ machines/systems which are to be “hacked”. The lab simulates a real corporate network with machines in various segments of this network.
Offensive Security has various mediums where you can communicate with other students and admins and share your frustration. Offsec has a very nice forum where students share tips related to machines and questions they have regarding anything, and people are kind enough to help each other. There is an IRC channel where you can get hints from a bot (most of the time, the hint won’t make any sense). Offsec also has a chat option where you can directly engage with an admin and see if you can get a hint or two if you are stuck.
It is recommended that you gain access to as many systems as possible before you deem yourself ready to sit in the exam. I was able to get 46 systems in total including the 4 systems which are considered to be the toughest boxes in the lab (Pain, Gh0st, Sufferance & Humble). By the end of my lab time, I was able to make my way through to the admin network and was able to access systems in every segment of the simulated network. It was a great achievement and I felt I was ready to sit in the exam. I personally would recommend anyone who plans to sit in the exam to get root or administrator access on at least 35 systems in the lab without the use of Metasploit. I did not use Metasploit to pwn any system in the labs and it helped me tremendously on the exam as the use of Metasploit is limited.
The machines in the lab network are of different difficulty levels; however, each and every machine is “hack-able”. Some can be rooted with a remote root exploit, while some will make you bang your head against the wall for several hours and you still won’t figure out how to get past the first hurdle. And that is where the amazing-ness of the course lies. It teaches you to push your limits. It teaches you to make yourself better. It teaches you that you can do better than you think. It teaches you to keep trying. It teaches you the very mantra OSCP is known for, which is to “Try Harder”.
Pro Tip: If you are using Metasploit to pwn systems in the lab, try to pwn them without Metasploit as well. It never hurts to add another arrow into your quiver and it will help you a lot in the exam eventually. Too much reliance on Metasploit will kill you in the exam.
Pro Tip: Document the machines as you go about hacking them. It will save you a huge amount of time in the end. The report has to be very detailed and can get overwhelming when documenting 10 machines.
Awesomeness: 100/10 (If you pass)
The exam is a beast in itself. You are given access to an exam network for 23 hours 45 minutes and in order to pass, you have to earn a score of 70 out of the 100 points available. There are strict rules in terms of how to carry out the exam and not abiding by these rules can result in failure. Rules can be viewed here.
The exam is not easy, I repeat it is not easy. The time factor can play a great role and get the better of your nerves. Here is how the events of my exam unfolded:
- 05:00PM – Offsec sends the email with connection details, exam rules and other important things
- 08:00PM – I have identified a vulnerability on one of the higher mark machines however, the exploit is not working as intended.
- 10:00PM – Nothing is working and I am hitting a wall every time I try to do something. I have had several small wins by now. I have tonnes of information because I am enumerating everything I possibly can. Have not lost the battle yet.
- 12:00AM – No major breakthrough. A little disappointed but still going.
- 01:00AM – After failing several times, I decide it is time to get some rest as sleep may help freshen up my brain.
- 05:00AM – My daughter wakes everyone up with her crying. I try to go back to sleep for an hour but after failing hard, I decide to get back in the exam and see if I can move any further.
- 06:15AM – I am back. I have done a lot of enumeration. I have failed at many things. I still have several things to try so all is not lost. I am running a little out of time though.
- 07:30AM – I decide to use Metasploit version of the exploit I am trying as at this point, I am really not doing anything useful so why not. Voila! I get a low priv shell.
- 08:00AM – I am able to get Administrator shell on the machine. One down! I decide to go after the buffer overflow machine since that would bring me closer to the passing score and will lift my confidence as well.
- 10:00AM – Done with Buffer overflow machine and have gathered all documentation related stuff as well. On to the next one.
- 11:00AM – I manage to get a low-priv shell on another one. This one was not really hard to break but required a lot of enumeration. If I am able to elevate my privileges on this machine, I can get enough points to pass provided I submit my lab report as well.
- 01:00PM – I give up trying to elevate my privilege on this one and decide to go after the low point machine. I re-do the enumeration and find something I completely ignored. Another root!
- 02:30PM – At this point I have enough points to pass the exam, so instead of trying to escalate my privs on the previous box, I decide to gather all the documentation and submit all the keys in the control panel.
- 04:45PM – I keep trying up till this point to elevate my privs on the one machine I had low privileged shell on but remain unsuccessful. The VPN connection drops and now I have the daunting task to complete my documentation.
I submitted my documentation the next day with both my exam report (50 pages) and lab report (240 pages).
By the end of my exam, my system’s memory was at the point where opening one more application or one more tab shut it down. Thankfully, I had all my documentation going alongside the exam so I did not lose anything otherwise it would have been the disaster of the century.
Additionally, after the exam, I put the VM in a suspended state. I came back to it later and the VM flushed everything (tabs, terminal windows etc). I had lost everything I had done in the 24 hours during my exam. If I had not decided to collect all the proofs and accompanying screenshots earlier, it would all have gone down the drain.
Pro Tip: Avoid asking for help and hints in the lab as soon as you feel you’re stuck or you have hit a wall. You need to train your brain to learn its way out of the “stuck” situation.
Pro Tip: Do not wait until the end of the exam to prepare your documentation for the exam report. Take screenshots as and when you get your wins (low-privileged and/or high-priv shells) in the exam.
Pro Tip: Take a break after every 1-2 hours for 10-15 minutes and clear out your head. It will give room for more and better ideas. Keep yourself hydrated.
Remember the K.I.S.S (Keep it Stupid Simple) Rule
While I was in the PWK course and before I went for the exam, I read numerous reviews, and a lot of people tend to script their enumeration steps. I did not. If you do not do it either, I want you to know that it is alright; you do not have to. The Keep it Stupid Simple rule works, and I am the prime example of it. I did not use any enumeration scripts at all throughout the lab or in the exam. I like to keep things simple.
I would say this though. You need to have a methodology and you need to stick to it. For perspective, here is an example:
- Run unicornscan to find the open ports quickly
- Run an nmap scan against the ports found (BTW, both of these steps can be carried out by another tool, “onetwopunch”)
- Depending on the open ports found, run enumeration tools accordingly
- If a web service is present on the target, run gobuster, dirbuster, dirsearch, etc.
- If SMB services are active on the target, run enum4linux, nmap’s NSE scripts, etc.
- Yada yada yada. I think you get the point
I am in no way against running scripts for enumeration, as it is recommended to always have something running in the background while you are actively attacking or researching other things, but I ran the commands manually instead of relying on a script. Several OSCP students have written some excellent tools for enumeration which are worth looking into. I may create another post for the tools I found incredibly helpful throughout my lab time. I would like to say though that it is really up to you. Someone may prefer one thing over another, so whatever you dig, go for it.