Strategy recommendations, pitfalls to avoid, and why you should just write the lab report for crying out loud.
There’s a reason why this certification has a reputation. The material covers a wide array of topics, the time required is substantial, and the exam is difficult.
For those looking to take the PWKv2 course or who are close to taking the OSCP exam, my goal in this post is to help you avoid some of the traps I almost fell into along the way. It won’t contain tools I used, tips and tricks, etc.
There are plenty of places to find that stuff already if you Google around a bit, and gathering it together yourself is part of the learning!
How to Spend Your Lab Time
“dont skip the lab exercises, srsly” – Confucius
One of the first things you might notice about PWKv2 is that there’s a lot more material than in PWKv1. And I mean over twice the amount. Since you can only buy a maximum of 90 days of lab time, there are some things you should think about before starting:
Trap 0: Not Studying the Course Content
When I started the course, I immediately went for the actual course content to get it out of the way and get to the labs as soon as possible.
Doing this pointed out gaps in my knowledge and forced me to think in ways I hadn’t before. Going through the course content, doing what was effectively an expertise audit, was invaluable.
As I read about others’ experiences with the exam, I noticed that a significant number of the people who failed their first or second attempt spent little to no time on the course content. They also often added that if they had, they probably would have passed sooner.
Not going through the content absolutely defies logic. You can’t be certain you’re prepared for the exam if you don’t, which leads me to my next point:
Trap 1: Not Doing The Bonus Lab Report
OffSec lets you submit an optional report on all of the exercises in the book and 10 lab machines for a chance at five (5) extra points on your exam. You should decide if you’re going to do this before even starting (you definitely should) and spend your lab time accordingly (seriously, do the bonus report).
Assuming you’ve decided to go for the bonus points, I highly recommend writing your lab report as you go as if you were going to submit it without revisions. You’ll need the lab time to complete all of the exercises and you don’t want to end up buying extra lab time (like me) just to get your bonus points.
The lab report will take you a long time. It took me about a month (one-third of my lab time) to get through the book and videos because of all the additional material. This left me with only 60 days to attack the lab machines. The final draft was just under 400 pages.
When all is said and done, you will have struggled through every book exercise and learned a lot along the way that will help you build your methodology (which I’ll talk about in the next sections) and build a deep understanding of the concepts that OffSec has included.
Trap 2: Using Metasploit/Sqlmap (Too Much)
Whether or not you should use these in the lab environment is hotly debated and both sides make good points. The pros and cons of using these two tools in particular are, to me, as follows:
Pros:
- Practice with tools you’ll probably use in the real world
- Faster compromise of machines (less time being stuck and not moving on to others)
- Easier lab report writing
Cons:
- Less experience with using non-Metasploit exploits
- Shallower understanding of how the exploits you use work
- A false sense of preparedness come exam time
My approach was to use Metasploit and SQLmap when I needed them so I didn’t get stuck on a box too long (and miss valuable experience with another), but I kept track of the boxes I used them on and went back and did them manually once I called it quits on the attack labs (I ended up with over 50 boxes rooted).
Knowing how to manually exploit network services and web apps is crucial since you can’t use automatic exploitation tools in the exam. Don’t make them your crutch.
Trap 3: Not Building a Methodology
Use your time in the labs to establish your own way of attacking boxes. Repeat it, improve it, and document it. This will help you recognize when a situation is something you have dealt with before and when you’re out of your element and need to do some research.
This process should help you curate a toolset you like (in addition to tools the book teaches you about) and a collection of payloads that are good to have on-hand. Don’t get caught up in how many different tools you can use to do automatic enumeration or scanning.
Find the tools that work and stick to them.
No matter how prepared you are for it, 24 hours to hack as much as possible isn’t much. This, according to OffSec, is on purpose. The true adversary for those 24 hours isn’t OffSec and it isn’t your target range.
It’s your mind.
Everything else is secondary. Here’s what I mean by that:
- Time is a safety net. Your brain sees things differently when the clock is ticking down.
- Sleep is a gamble. You’re going to get tired. If you’re like me, after about 15 hours, you’ll start typing slower, thinking less clearly, and obsessively calculating your points to see how close you are.
- Not making progress feels like doom. Every minute that goes by without some measure of success feels like failure.
Before going into the exam, you should be ready to defeat your own mind. There are many ways of going about this. Common advice you’ll see around the internet includes taking breaks, staying hydrated, having checklists, etc.
That last one was the most important for me. Knowing what to check, what commands to run, and what tools to use for every situation you come across will keep you from wondering if there’s something you missed. If all your boxes have been checked, you missed something you weren’t ready for.
The time to start searching around for new ideas and techniques is after you’ve exhausted all your options, not before.
After the exam comes the report. My advice, both from experience and from listening to people more experienced than me, is to write the report as you go.
You’ll have a whole 24 hours after your exam time concludes to draft the report in an official format. You should use as much of this time as you need to make sure the report is perfect, but you should also document your process as you go.
Don’t get to your report and realize you’re missing a screenshot. Capture everything as you go and refine it later.
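One practical way to "capture everything as you go" is to wrap each command you run during the lab or exam so that its exact invocation, a UTC timestamp, its output and its exit status are appended to a per-host evidence log. The script below is an added example for this post, not something from the original author or from OffSec; the function names `logrun` and `evidence_index`, the `EVIDENCE_DIR` variable and the `./evidence` default are all my own assumptions, and it expects bash with `date`, `tee` and `sha256sum` available.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): log every command you run
# so the report can be assembled from the evidence files afterwards.
# Assumption: bash, with date, tee and sha256sum on the PATH.

# Assumed location for the logs; override with EVIDENCE_DIR=... if you like.
EVIDENCE_DIR="${EVIDENCE_DIR:-./evidence}"

# logrun <label> <command> [args...]
# Runs the command, shows its output on the terminal as usual, and appends a
# record (timestamp, command line, combined stdout/stderr, exit status) to
# $EVIDENCE_DIR/<label>.log. Returns the wrapped command's own exit status so
# it still works inside conditionals and scripts.
logrun() {
    local label="$1"; shift
    local logfile="$EVIDENCE_DIR/$label.log"
    mkdir -p "$EVIDENCE_DIR"
    {
        printf '=== %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        printf '$ %s\n' "$*"
    } >> "$logfile"
    # tee keeps the output visible while saving it; PIPESTATUS[0] recovers
    # the command's status rather than tee's.
    "$@" 2>&1 | tee -a "$logfile"
    local status=${PIPESTATUS[0]}
    printf '[exit %d]\n\n' "$status" >> "$logfile"
    return "$status"
}

# evidence_index prints a SHA-256 checksum for every log file so the report
# can reference evidence that has not been edited after the fact.
evidence_index() {
    sha256sum "$EVIDENCE_DIR"/*.log
}

# Usage: logrun <label> <command>, e.g. one label per target host.
# logrun demo echo "constructed sample output"
```

Keeping one label per target means each host ends up with a single chronological log, which is much easier to turn into report sections than a scrollback buffer or a pile of screenshots taken from memory.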