A Retrospective Look Back At Pen-200 And The OSCP Exam
So before I jump into it, I’ll first set the scene. Aside from some knowledge which I’d gained from YouTube, Google and doing hobbyist web development, I had no experience with network and application security.
I started to look into doing a career change back in late 2022 and knew I wanted to do something in computer/network security. As I'd always enjoyed web app security, I started looking down that route. Unfortunately, there are few to no job listings for testing web application security alone. My research showed me that penetration testers tend to start with a broad knowledge base, after which they tend to specialize.
Since it would be unlikely for me to move straight into a dedicated web application security field, I started to see what employers would look for and whether my interests overlapped. This is when I discovered the OSCP from OffSec.
Although it had been a few years, I had heard of the OSCP previously. With some further research, I found that it had quite a reputation for being difficult, but as this seemed to be the industry standard for getting past HR I decided to take the plunge. Since I was effectively starting from scratch I opted to purchase the LearnOne subscription. Luckily it was close to Black Friday, so I was able to take advantage of the reduced price. If you're looking at getting LearnOne, I'd recommend holding off until the price goes down around November to December. For the past two years OffSec has reduced this, making it more affordable. However, it is still crazy expensive.
Pen 200 Content And Overview
The Pen 200 course covers a range of topics, from how to set up a Kali Linux virtual machine, cyber security laws and attack methodologies to some web application security, Active Directory and much more. A full breakdown can be found on their website; here's a link: https://www.offsec.com/wp-content/uploads/2023/03/pen-200-pwk-syllabus.pdf
OffSec produces the Pen 200 content in both article and video format. The majority of articles have several exercises to help you get your head around the content. Depending on your learning style you’re fairly well catered for with the given material. Due to the time LearnOne offers (1 year), I was able to take the time to both work through the articles as well as watch the videos. It’s my opinion that the articles cover much more of the information and should be the preferred material. However, I also enjoyed the extra reinforcement which the videos offered.
Additionally, OffSec offers fairly good support through their Discord server and support chat. The Discord server allows students to discuss any topics and issues with each other, but also allows students to reach out to educators or their support team should any problems arise.
My Journey Through The Course
Although the Pen 200 course has a reputation for being difficult, especially with OffSec’s “Try Harder” mentality, I found the experience to be extremely enjoyable. The content was in-depth and offered numerous challenges to aid in my learning.
I was able to improve my understanding and build further knowledge on a number of topics. I was able to power through roughly 40% of the content fairly quickly. However, here's where I had some troubles. OffSec decided to refresh the Pen 200 course content, meaning I would either need to complete the course within the next month or so or I'd have to start over. Not cool.
Given that I had just got to the buffer overflow content and was struggling to fully grasp this, I opted to just start over. This turned out to be the smart decision. With the new content not including buffer overflow and having a greater emphasis on Active Directory, I was able to spend more time on topics which interested me and quickly recover the progress which had been lost.
My OSCP Exam Experience
OffSec grades OSCP exams in points. Students can get 10 bonus points from completing 80% of all course material along with 30 of the included labs. For each standalone system, students are awarded 10 points for low-privileged access and a further 10 points for administrative or root access. Given that 3 standalone systems are provided, completing each of these along with the bonus content would grant a passing score of 70 points.
In addition to the 3 standalone systems, the change to the OSCP content also brought a change to the exam structure: an Active Directory lab is now included. OffSec does not grant any points for low-privileged access to the Active Directory domain. Instead, the student must fully compromise the domain controller to be awarded the full 40 points. There are no partial points with this one; it's all or nothing.
I had never initially set out to get the additional points that come with completing 80% of all course material. However, given that I was approaching September and was getting ready for my exam, I opted to get it done. I had already completed the majority of the material and required labs, so after a couple of days I had done all I needed to for the additional 10 points.
My exam was scheduled for 10 am on the 6th of September, and given all the coursework which I'd done I found that this was when I seemed to perform best. After I signed in and performed all the necessary checks with the exam proctor (display ID, show my environment and set up the monitoring software), I was given my exam machines and the 24-hour counter began.
Out of the gates, I went straight for the Active Directory set. My reasoning was if I had the 40 points then with the bonus points I’d only need one additional full compromise. This did not go well. With all the enumeration techniques I’d learnt, I had found very little information which would give me access to the target system. I messaged the proctor to ensure that everything was working correctly and they confirmed that the path was exploitable. Since I was finding very little information and a couple of hours had passed I moved on to the standalone systems.
During my enumeration of the first standalone system, I found some information which I immediately recognised. I cannot go into detail but I would advise completing as many CTF boxes as possible. Spend time on Proving Grounds, TryHackMe and HackTheBox to maximise your exposure to different technologies.
This system was quick and easy for me to get access to, happy days! After just another 30 minutes I had Administrator access, and that was 20 points in the bag. I then moved on to another standalone system; if I was able to get all 3 then that was the job done.
Unfortunately, the second standalone system proved to be very difficult. At least for me anyway. To this day I'm still not sure how I would attack this. I threw every possible scan, targeted any available services and Googled as much as possible, but got absolutely nowhere. Here's a tip: if you get stuck, move on. Don't get fixated on a singular problem.
Since the second system was a bust, I moved on to the third. I was only about 5 hours in at this point, so I wasn't panicking. Although it took a little more time than the first, this did play to my strengths, and after a couple of hours I was able to get access as a low-privileged user. Like the first, the privilege escalation took me around 30 minutes, so that was an additional 20 points.
Due to the difficulty of the second standalone system, I went back to the Active Directory set. Since I had discovered nothing new, I opted to go back to the start and take some time to read through every single piece of content that I had found. This was key for me. Within some of the found content, there was key information which enabled me to get a foothold on the domain. If you happen to get stuck, take the time to fully examine everything.
I can’t go into much detail regarding the inner workings of the Active Directory network, but I was able to quickly pivot to the domain controller and find the final proof.txt file. I was actually in shock at this point after realising I’d got everything I needed to pass my OSCP.
As I had more than enough points to pass the exam (90), I decided to go back over the compromised systems to recreate the steps and ensure I had screenshots for each step. This would streamline writing my report. After roughly 11 hours I had everything I needed and opted to end my exam. Given they allow 24 hours for this, I felt this was a somewhat impressive achievement.
The OSCP is difficult but can be achieved. In the space of 9 months, I went from having some understanding of web vulnerabilities to being able to compromise multiple different systems and networks.
If you're willing to put the time in, it can be an enjoyable and rewarding course. Is it perfect? No; the Active Directory content could go into more detail, and the price is high, even for the cheaper course and exam bundle. However, the Pen 200 course does provide the necessary skills required to pass the exam.
Depending on whether you’re interested in web application security or Active Directory, having the OSCP certification will grant you the necessary skills to get you started on that journey. It’ll also enable your CV to get past HR teams to help you get a job as a junior penetration tester.
Final tips: put in the work and you'll see the reward. Take breaks during the exam. Don't get hung up on a single problem. Take screenshots and document each command or payload.