Warning, text dump ahead!
I'm back with another review for you. I've had a couple of weeks' holiday after recently finishing the OSCP course on a 90-day subscription, and I'm back to provide the perspective of someone who went from the eCPPT certification into the OSCP course, along with my opinion on the differences between the courses.
I will say that I have not sat the OSCP exam just yet; however, I am planning on doing it in the near future after a bit of self-love and practice, and will then write up my opinion on the exam. The 90-day OSCP course was very time-consuming and mentally draining; I will provide more details on that below.
In saying that, was the OSCP course worth it? In short, yes it was.
Quick Background Info
Just so you know where I was coming from when I started the OSCP course:
- Self taught in Python
- All TryHackMe certs/learning paths and numerous machines
- Only some HTB machines, no Academy paths etc.
- eJPT course & cert
- eCPPT course & cert
- Tib3rius Linux & Windows Priv Esc courses
- TheCyberMentor Practical Ethical Hacking course
- TheCyberMentor Linux & Windows Priv Esc courses
The Long Answer
The Lab Report
When I signed up for the OSCP I had just completed and passed the eCPPT certification and various courses. I believed that there would be a lot of overlap and that I would breeze through the course material, but boy was I wrong.
I almost didn't complete the course with the 90-day subscription that I had. I ended up finishing the course lab write-up and completing 75/75 machines within the lab network, but there was very little room within those 90 days to take a break. I ended up finishing with only 4 days spare to review and ensure my ass was covered!
The lab report was an enormous time sink that took more than a month to complete thoroughly, and I was going hard, doing anywhere between 6 and 12 hours every day and averaging closer to the 12-hour mark. I will note that not every minute and every hour was spent efficiently, but I took time to read, learn and discuss topics with fellow students to make sure that my notes were in-depth and thorough.
And I didn't even get time to go through the 400+ videos, although that is primarily because the videos were just the PDF word-for-word, demonstrated visually.
In saying that; it was still the kind of grind that took more than a month. The reason I mention it as a time sink is because a lot of the course was reading the PDF on a topic and then trying to replicate that topic with the provided machines in order to get hands-on experience with the tools and methodology. I appreciated this, but a huge amount of time went into juggling different VMs (personal VMs, provided VMs) and the limitations of those VMs, which made the process long and frustrating.
If you care what the issues were, read on; otherwise skip this part:
- You can only have 1 virtual machine running at any one time, unless it is both your Debian and Windows Pro/Server virtual machines (these are provided to you for experimental reasons, but also for use if you prefer their machines for exploit development and such).
- So the rule is: either have a PDF-provided virtual machine running (one is provided for each topic and contains the exploit path for the topic at hand) or your personal Debian/Windows machines, but not both.
- This was frustrating because, for each topic's exercises, 50% of the questions needed you to launch the PDF-provided VMs and the other 50% needed your Debian/Windows VMs in order to replicate the content.
- A lot of time was spent shutting down and booting up between the PDF VMs and the Debian/Windows VMs.
- This was particularly frustrating because shutting down/resetting machines also had a timer, so you couldn't jump between exercises too quickly; otherwise you had to wait for the timer.
Rant over. While there was an enormous amount of topics and exercises to complete, I ended up learning a significant number of skills that I was clearly lacking. It was a huge boost to my methodology and my confidence and, something I don't often see mentioned by others, a massive boost to the content of my personal learning notes. It reinforced topics I had explored and strengthened topics that I was clearly weak in.
As for the exercises and the PDF, I really enjoyed them and I definitely benefited from them. Personally I think it was worth it: the content did have some overlap with my previous experience, but surprisingly not a lot of it, and as such I learned a great deal. This meant that my time spent with the course was valuable, and I wouldn't necessarily agree with others who have argued from their own experience that their time could've been better spent elsewhere, such as just doing HackTheBox or TryHackMe and so forth.
Finally, it helps that I've done the full report and that means 10 points towards the exam hopefully!
The Lab Network
The lab network was as expected: difficult and time-consuming, but it didn't feel like a time sink in comparison to the lab report.
The lab network consisted of 75 machines that are designed to replicate as closely as possible what you might see or expect in the real world. When I say this, I don't mean the exploits and the exploit paths but rather the setup.
There are 4 networks that are joined to replicate a public-facing network, an IT network, a developer network and finally an admin network.
Brief Overview of the Networks
- The public network is easily accessed from your Kali machine. There is a lot of interconnectivity in the public network, as some machines are related or contain secrets and information that lead to compromising other machines. There are not a lot of "standalone" machines, and Offsec intentionally wanted this so as to reproduce a lab network that mimics real life as much as possible.
- The IT network and Dev network are internal networks that aren't accessible from your Kali machine; they require you to compromise hosts in the public network, through various exploits or even client-side attacks, in order to pivot into and compromise the internal networks.
- The Admin network is even further removed: you need not only to pivot to the IT or Dev network but then to pivot again from there to the Admin network in order to reach its hosts.
So as you can see, there are a lot of connections between the 75 hosts, and the lab reinforces and teaches you to keep your eyes peeled for interesting bits of information while also keeping the bigger picture in view: how the machines communicate with or relate to each other.
There are a few old retired exam machines in the public network and a further 5 recently retired exam machines in the internal networks (I don't want to spoil where). The exploits within the lab network are dated but still prevalent in the real world, and I don't mean just the vulnerable software but also the general oversight and lazy behaviour from people that results in sensitive information being easily gathered and then exploited.
It is not expected that each exploit the course teaches should be up to date; the main point of the course, I feel, was definitely to refine your methodology. Focus on being inquisitive and looking for interesting things; review code and understand what it does and how it might be insecure. Be thorough with enumeration, and then enumerate some more.
The course was definitely focused on developing behaviour, sprinkled with a little bit of exploitation methods, but not focused on the exploits themselves.
The Differences Between eCPPT & OSCP
The biggest difference I've seen is that OSCP likes to stress you out by throwing as many or as few ports as possible at you. I would say this part was the annoyance, as it didn't feel like a real-life host but rather a host that intentionally screws with your thinking. The course has a large focus on developing your methodology and refining your critical thinking, without a large emphasis on obscure exploits: all the exploits I found were public exploits, found either on the first page of Google or within ExploitDB.
The course does contain numerous different exploits, as the content of the course is large. It contains an enormous number of exercises that you can complete and also 75 hosts to compromise. A large majority of these were unique exploits, but almost all of them are outdated and likely not relevant for modern systems and protections anymore.
So while it was teaching exploitation, it was really honing your methodology and reinforcing your mindset around enumeration and tackling problems.
The exam is a 24-hour exam in which you rush through 5 hosts, and while the exploits may be difficult, they are meant to be doable within that time frame; the focus again is to take you out of your comfort zone, make you feel time-stressed and highlight your enumeration and methodology. There are tool exclusions, with automated exploitation tools and frameworks such as Metasploit and SQLmap not being allowed. The emphasis here is that enumeration can be done however you see fit, but the exploitation must be done manually.
In comparison, the eCPPT was focused on teaching you exploitation, but with an emphasis on what modern networks are like. Not necessarily modern exploits, but a heavy emphasis on what you would see in the real world. The course loves pivoting, and this is especially true for the exam.
Link to my review of the eCPPT Exam
The content within the course was not as stuffed as the OSCP one but was much more directed, and you were free in your choice of tools and exploits. You could experiment and there were no tool exclusions. You could use any exploit or tool, such as Metasploit and SQLMap, as you would in the real world. The course also places an emphasis on reporting and providing value to the client, as you would in a pentest engagement.
Again, just mentioning that I have not yet sat the OSCP exam, so the opinions below on the OSCP exam are based on public information and not on personal experience.
The eCPPT exam is a mock penetration test on a fictional company with a public and an internal network that are all linked. This fictional company has employees that do some stupid stuff and mimic what lazy people do in the real world. This included reverse engineering for a buffer overflow and various pivoting and exploitation methods. The exam outline is that you are to complete a realistic penetration test and must report on all vulnerabilities discovered and the mitigation steps.
- 7 Days to complete full engagement
- Further 7 days to complete the report containing ALL exploits and the recommendations/mitigations
- Report must be written such that at least 2 different levels of stakeholders can read it: the executives and the developers who have to fix it
- Weighting is on the report, as it needs to contain the numerous exploits found and how to fix them.
The OSCP exam recently changed, but primarily it is 3 independent targets (not connected) that focus on exploit paths, and 1 Active Directory set of 3 targets which includes a Domain Controller and 2 clients (connected). The exam may or may not include reverse engineering for a buffer overflow, as the machines you receive are assigned by chance.
- 24 hours to complete
- Further 24 hours to complete the Report with the exploit steps and evidence.
- Goal is to reach Admin/System/Root shell and read "proof.txt" and once done then you move on
- Weighting is on the report to contain steps to Admin/System/Root shell
The overall idea appears that the eCPPT is trying to mimic a mock penetration testing engagement including the reporting and the OSCP is trying to hone your methodology, challenge your thinking & improve your enumeration within a small time window.
I really enjoyed the course and learned a lot. While there was a small amount of overlap between the OSCP course and the eCPPT course, I felt the focus of each course was in a different direction, as was the difficulty. Doing the eCPPT does not necessarily prepare you for the OSCP, and vice versa: the OSCP does not necessarily prepare you for the eCPPT.
This signals that the focuses of the OSCP and eCPPT complement but don't necessarily overlap each other, and that is great.
The lab report is an enormous time sink, as it requires 10 uniquely exploited lab machines and then what felt like a million exercises written up. The exercises need to be written in a way that someone competent could understand and replicate your steps to execution.
In saying that; some people say the report and the PDF exercises aren't worth it: more power to them. Everyone learns differently, and it is necessary to adapt if you don't find yourself learning through one method. My opinion is that the course was valuable to my personal learning, and the 10 points for the report are the icing on the cake.
The lab network was great; some machines were very difficult and some were a little easier, but from each machine I was able to update my personal learning notes with information that I didn't have or didn't understand previously!
And finally; now it is time to prepare for the OSCP exam and I will likely review the exam as well to compare it with the eCPPT exam so keep an eye out!
My recommendations for taking the course
- The 90-day subscription is far too short if you are coming into the course blind with no previous experience. There is far too much content and too many labs; if you are coming in blind you will feel too pressured to rush and won't take in the learning material. You will spend too much time asking for tips and help without at least a little bit of the struggle, and this struggle really does define what the course is trying to teach you.
- Furthermore, if you work full time and have family/friends/plans then again, 90 days is very short. You would need to somehow fit in work and family plus another 6 to 12 hours per day, and in my personal experience that would not be a great time.
- While the course does attempt to teach you from scratch, it only touches the surface of most topics and the difficulty ramps up very quickly. If you can do the TryHackMe learning paths, HackTheBox Academy or other easier certifications first, this will allow you to really dive in with this course and not feel like you are drowning.
- Join the official Offsec Discord! The students and the staff are very helpful in assisting with your understanding (although they won't provide you the answers, so keep in mind it is all up to you) and will guide you towards building up to the solutions.
- Don't worry about asking for help or using hints. I am a big advocate of realising that "you don't know what you don't know". Spend the time to attempt each problem and to find a solution. Struggle a little and don't give in to the temptation to look for answers within 10 minutes. After an hour or more, go and get that hint/help. Don't feel like you failed, because you will still go to sleep knowing more than you did the day before; there is an enormous number of topics and tools within this industry, and the "Try Harder" mentality has its limits.
- Help those around you and you will quickly get more involved and focused with the learning. When you get to the top of the mountain, don't just look at yourself; look at those behind you and help them get up there too.