Was the OSCP course worth it?

Was The OSCP Course Worth It? Having a look at the differences between the OSCP course and the eCPPT course and providing some guidance as to when you will feel ready to tackle the OSCP course

by Johann Van Niekerk

Warning, text dump ahead!

Hi friends,

I'm back with another review for you. I've had a couple of weeks' holiday after recently finishing the OSCP course on a 90-day subscription, and I'm back to provide the perspective of someone who went from the eCPPT certification into the OSCP course, along with my opinion on the differences between the courses.

I will say that I have not sat the OSCP exam just yet; however, I am planning on doing it in the near future after a bit of self-love and practice, and I will write up my opinion on the exam once I have. The 90-day OSCP course was very time-consuming and mentally draining; I will provide more details on that below.

In saying that, was the OSCP course worth it? In short, yes, it was.

Quick Background Info

Just so you know where I am coming from when I started the OSCP course.

The Long Answer

The Lab Report

When I signed up to the OSCP I had just completed and passed the eCPPT certification and various other courses. I believed that there would be a lot of overlap and that I would breeze through the course material, but boy was I wrong.

I almost didn't complete the course within the 90-day subscription that I had. I ended up finishing the course lab write-up and completing all 75/75 machines within the lab network, but there was very little room within those 90 days to take a break. I ended up finishing with only 4 days spare to review and ensure my ass was covered!

The lab report was an enormous time sink that took more than a month to complete thoroughly, and I was going hard, doing anywhere between 6 and 12 hours every day and averaging closer to the 12-hour mark. I will note that not every minute and every hour was spent efficiently, but I took time to read, learn and discuss topics with fellow students to make sure that my notes were in-depth and thorough.

And I didn't even get time to go through the 400+ videos, although that is primarily because the videos were just the PDF word-for-word, demonstrated visually.

In saying that, it was still the kind of grind that took more than a month. The reason I mention it as a time sink is that a lot of the course was reading a PDF on a topic and then trying to replicate that topic on the provided machines in order to get hands-on experience with the tools and methodology. I appreciated this, but a huge amount of time went into juggling different VMs, personal VMs, provided VMs and the limitations of those VMs, which made the process long and frustrating.

If you care what the issues were then read on, otherwise skip this part:

Rant over. While there was an enormous amount of topics and exercises to complete, I ended up learning a significant number of skills that I was clearly lacking, and it was a huge boost to my methodology and my confidence and, something I don't often see mentioned by others, a massive boost to the content of my personal learning notes. It reinforced topics I've explored and it strengthened topics that I was clearly weak in.

As for the exercises and the PDF, I really enjoyed them and I definitely benefited from them. Personally, I think it was worth it: the content did have some overlap with my previous experience, but surprisingly not a lot of it, and as such I learned a great deal. This meant that my time spent with the course was valuable, and I wouldn't necessarily agree with others who have argued from their experience that their time could've been better spent elsewhere, such as just doing HackTheBox or TryHackMe and so forth.

Finally, it helps that I've done the full report, and that means 10 points towards the exam, hopefully!

The Lab Network

The lab network was as expected: difficult and time-consuming, but it didn't feel like a time sink in comparison to the lab report.

The lab network consisted of 75 machines that are designed to replicate as closely as possible what you might see or expect in the real world. When I say this, I don't mean the exploits and the exploit paths but rather the setup.

There are 4 networks that are joined to replicate a public-facing network, an IT network, a developer network and finally an admin network.

Brief Overview of the Networks

So as you can see, there are a lot of connections between the entire 75 hosts, and it reinforces and teaches you to keep your eyes peeled for interesting bits of information and also to keep your eyes on the bigger picture and on how the machines communicate with or relate to each other.

There are a few old retired exam machines in the public network, and there are a further 5 recently retired exam machines in the internal networks (I don't want to spoil where). The exploits within the lab network are dated but still prevalent in the real world, and I don't mean just the vulnerable software but the general oversight and lazy behaviour from people that results in sensitive information being easily gathered and then exploited.

It is not expected that each exploit that the course teaches should be up to date; the main point of the course, I feel, was definitely to refine your methodology: focusing on being inquisitive and looking for interesting things, reviewing code and understanding what it does and how it might be insecure. Be thorough with enumeration, and then enumerate some more.

The course was definitely focused on developing behaviour, sprinkled with a little bit of exploitation methods, but not focused on the exploits themselves.

The Differences Between eCPPT & OSCP

The biggest difference I've seen is that OSCP likes to stress you out by throwing as many ports or as few ports as possible at you. I would say this part was the annoyance, as it didn't feel like a real-life host but rather a host that intentionally screws with your thoughts. The course has a large focus on developing your methodology and refining your critical thinking, without a large emphasis on obscure exploits, as all the exploits found were public exploits found either on the first page of Google or within ExploitDB.

The course does contain numerous different exploits, as the content of the course is large. It contains an enormous number of exercises that you can complete and also 75 hosts to compromise. A large majority of these were unique exploits, but almost all of the exploits are outdated and likely not relevant to modern systems and protections any more.

So while it was teaching exploitation, it was honing your methodology and reinforcing your mindset for enumeration and tackling problems.

The exam is a 24-hour exam in which you rush through 5 hosts, and while the exploits may be difficult, they are meant to be doable within that time frame; the focus again is to take you out of your comfort zone, make you feel time-stressed and highlight your enumeration and methodology. There are tool exclusions, with automated exploitation tools and frameworks such as Metasploit and SQLmap not being allowed. The emphasis here is that enumeration can be done however you see fit, but the exploitation must be done manually.

In comparison, the eCPPT was focused on teaching you exploitation, with an emphasis on what modern networks are like: not necessarily modern exploits, but a heavy emphasis on what you would see in the real world. The course loves pivoting, and this is especially true for the exam.

Link to my review of the eCPPT Exam

The content within the course was not as stuffed as the OSCP one, but it was much more directed, and you were free to use whatever tools and exploits you liked. You could experiment, and there were no tool exclusions. You could use any exploit or tool, such as Metasploit and SQLMap, as you would in the real world. The course also places an emphasis on reporting and providing value to the client, as you would in a pentest engagement.

The Exams

Again, just mentioning that I have not yet sat the OSCP exam, so the opinion below on the OSCP is based on public information and not personal experience.

The eCPPT exam is a mock penetration test on a fictional company with a public and an internal network that are all linked. This fictional company has employees that do some stupid stuff and mimic what lazy people do in the real world. This included reverse engineering for a buffer overflow and various pivoting and exploitation methods. The exam outline is that you are to complete a realistic penetration test and must report on all vulnerabilities discovered and the mitigation steps.

The OSCP exam recently changed, but primarily it is 3 independent targets (not connected) that focus on exploit paths and 1 Active Directory set of 3 targets, which includes a Domain Controller and 2 clients (connected). The exam may or may not include reverse engineering for a buffer overflow, as the machines you receive are assigned by chance.

The overall idea appears to be that the eCPPT is trying to mimic a mock penetration testing engagement, including the reporting, and the OSCP is trying to hone your methodology, challenge your thinking and improve your enumeration within a small time window.

Final Thoughts

I really enjoyed the course and learned a lot. While there was a small amount of overlap between the OSCP course and the eCPPT course, I felt the focuses of the courses were in different directions, and the difficulty was also in different directions. Doing the eCPPT does not necessarily prepare you for the OSCP, and vice versa: the OSCP does not necessarily prepare you for the eCPPT.

This does signal that the OSCP and eCPPT complement but don't necessarily overlap each other, and that is great.

The lab report is an enormous time sink, as it requires 10 uniquely exploited lab machines and then what felt like a million exercises written up. The exercises need to be written in a way that someone competent could understand and replicate your steps to execution.

In saying that, some people say the report and the PDF exercises aren't worth it: more power to them. Everyone learns differently, and it is necessary to adapt if you don't find yourself learning through one method. My opinion was that the course was valuable to my personal learning, and the 10 points for the report are the icing on the cake.

The lab network was great; some machines were very difficult and some were a little easier, but from each machine I was able to update my personal learning notes with information that I didn't have or understand previously!

And finally, now it is time to prepare for the OSCP exam, and I will likely review the exam as well to compare it with the eCPPT exam, so keep an eye out!

My recommendations for taking the course