Sunday, February 15, 2015

OSCP Review

The last several months have been extremely busy, mainly thanks to me taking the OSCP Certification. Good news, I have passed! Many people have asked me about the course and whether I would recommend it. I decided I would put my thoughts here.
TL;DR - Awesome Course, take it, you won't be upset.

To understand my point of view you first need to know I have a degree in Computer Security and have been working in pentesting for about 5 years. I signed up for the 90 days of lab time with the exam. You are provided a book, video lessons, and VPN access to a virtual lab with somewhere near 65 different machines on 3 different networks. My approach was to go through the book with the videos, complete all the exercises and then move on to the labs. This is Offsec's recommended approach.

At first I was actually disappointed. I kept hoping the book would go into more detail; however, I found it extremely basic and the exercises not very challenging. The book and videos do a good job at showing you the basics of the concepts and giving you an introduction to a lot of different areas; however, someone with my experience level did not gain very much from this material.

Due to life and lack of motivation it took me about 60 days to complete the book and all the exercises, which left me about 30 days for the labs. In retrospect this was a mistake. The labs were awesome and I regret not leaving more time for them. The labs provided a great challenge for all levels and truly tested not only your skills, but your motivation to keep trying. This is where I learned a great deal and was able to improve my skills. For anyone who has done the Kioptrix challenges, the labs are like a bunch of Kioptrix challenges that are connected. In 30 days, I was able to get root on 22 of the systems, working an average of 3-6 hrs a day on the challenges.

Several people have asked me, "How do you know when you're ready for the Exam? Should you get root on all the boxes first?"

It's hard to say when you're ready for the exam. My advice would be to make sure you have a firm understanding of all the concepts in the book and how to perform all of the attacks. You don't need to get every single box; however, I would suggest getting a variety of boxes. If you only went after the MS08-67 boxes in the lab, you will not be prepared. If you only worked on the Web boxes, you will not be prepared. Offsec does a good job at providing boxes for every area of pentesting. If you are comfortable performing each area MANUALLY, you will be fine.

The exam is all about preparation and time management. Offsec imposes many restrictions on what tools are allowed. Most automated tools, such as vulnerability scanners, and most Metasploit functionality are not allowed. I took the time to precompile a wide variety of Windows exploits for both remote and local attacks. I also created Python scripts to help automate my recon. I organized my notes of things I found useful from the labs, and included reference links. I found all of these very useful during the exam. In the end, it took me 8 hrs to obtain the required 70 points to pass. I enjoyed taking the Offensive Security course, and plan to take some of their other courses in the future.
