20th June 2020
After three months of work, I finally completed the PWK course and exam attaining my OSCP certification in May this year.
While I found the labs fun and would recommend them wholeheartedly, there are many ways to learn and practise testing. I'll go into a little more detail in this post.
My feelings towards OSCP
OSCP was, and perhaps still is, a respected qualification. While the marketplace is a little more crowded these days, it is still recognised as a valued qualification, particularly with its emphasis on practical tasks. To properly assess OSCP, it is worth considering it not in a vacuum but alongside its peers in labs and qualifications. OSCP, and its course PWK, can be compared in three main areas: against other courses and their contents, against other practical testing experiences, and against other qualifications.
There isn't a formal ranking of OSCP compared to other qualifications. In the UK at least there is a loose guide - OSCP can be converted into the practical portion of the entry-level testing certification for CHECK-registered testers. As such, it's deemed to accurately cover the minimum standard for testing public sector and critical national infrastructure systems in the UK.
Compared to when OSCP launched, there are now more options than ever to help with studying how to hack. I would say that OSCP remains competitive for the price of a certification. I do not feel that it is competitive for the price of learning. While the provided learning materials are helpful, in that the knowledge is pre-collated for the ease of simply reading without having to go out and research anew, I found that I had already bookmarked and watched a lot of the conference talks in other guises. In its defence, a lot of courses seem to have the same content.
It's worth noting that I completed OSCP under the older format and I have not seen the new material. I don't think I will pay for it, but I understand it covers more. This would be good, as the older version I took did not cover Active Directory at all, and I've yet to find any course which covers cloud content.
Finally, the scope of the content was good. OSCP contains a great representation of buffer overflows at a basic level, and teaches a good approach to systematically testing a series of systems within a network. The learning materials do a good job of taking someone with limited testing experience and getting them to test without taking their tools for granted. It's a good way to ensure that someone isn't just floating through on auto-pilot, but instead at least questions what their tools are doing and why. I like the emphasis on not just getting people to rely on Metasploit, but I think it'd be great to go further and include more custom exploitation and taking advantage of program logic, beyond published CVEs on ExploitDB, although given the timeframes of the exam, I can understand why they made that choice.
The course was a decent learning experience. The labs were passable and reflected a decent networked environment. Some machines were clearly meant as more of a challenge, verging beyond the scope of the machines I found in the exam.
While I enjoyed my time in the lab, I actually found that I had a more relevant experience on Hack the Box. My first attempt was derailed by my enthusiastic rabbit-holing, which wasted valuable time, so perhaps this served more as an opportunity to hone my methodology and get me to just move on when something was clearly not working. However, the items I found in the exam were markedly more up to date than those in the lab.
I'd say that the experience of going through the labs was decent, although for the price of the course there are more competitive options available. For practical experience, a set environment does offer more options than testing on the job, where the carefree deployment of new tooling might ruin a client's morning, but safer options, namely Hack the Box, I feel offer a better lab environment. Even the free-tier machines, should you look up a structured path through them, can offer a good learning experience, and even more so the paid pro labs.
While the price of the qualification naturally includes the PWK course and access to the labs, which I feel are perhaps less competitive, the recognition OSCP carries, even if slightly eroded, still makes it great value. You get a symbol of your ability as a tester, which will almost certainly get your foot in the door at most companies at least.
Furthermore, OSCP is not the same as more intensive experiences, such as ePTX for instance, but it's not intended to be. It's way better than CEH or CompTIA Security+ (not to belittle those qualifications, which also have their place) at demonstrating practical ability.
I recommend taking OSCP, but spend some time on Hack the Box first, focusing on machines weighted towards CVE - Enumeration. And keep in mind that OSCP is not the be-all and end-all, but in all likelihood is just the starting step into penetration testing.