PWK: My Journey and Review

Hello guys, this blog is continuation to blog on my OSCP journey.

In this blog I will be sharing my PWK lab and exam experience and would also share how some of the best practices and resources for students enrolling in future. Having said that, I assume that you know what PWK course is.

The Start:

I enrolled in the starting of the year 2021 with 60 days lab access. My lab started from 10th January 2021 and I started with the pdf first before jumping into lab. The initial plan was to study hundred pages everyday and spend remaining time doing exercises on what I read. This consumed a lot of time and became even difficult with a full time job. However, I was able to finish it within 8 days.

According to me the pdf material was not up to my expectations and I learned nothing new from the material. In fact, the material was still fairly outdated even though I took PWKv2 which was launched in 2020.

A lot of times I had to research on it separately as the tool mentioned in the course didn’t exist or were not relevant at present.

I heard through blogs that students who took old course were complaining that the course was not beginner friendly and less detailed. The new course even though was much more elaborated but didn’t went much deep in any concept.

I finished the course material which was 850+ pages long within first 8 days along with some exercise.

The Exercise Report:

I was working on and off on exercises. I finished very few exercises along with reading pdf and for remaining; I used to work on them if I needed break from labs. The exercise report according to me took a much much more time than I expected. There were hell lot of exercises. Most of the times, the objective was to recreate what was explained in courseware and explain the whole process step by step. I think, the Offensive Security made it lengthy deliberately, just because it carries extra 5 points for the exam if submitted along with pentesting report of 10 unique lab machines.

It took me almost 3 weeks to finish the lab report which was more than 400 pages long. Some sections like Active Directory took fairly long amount of time as I had to write scripts in powershell of which I had no idea.

Now, a lot of people have questions whether they should go for the lab report or not as it takes considerable amount of time. Well, my straightforward answer to those people is; go for it only if you don’t have prior hands on experience with it. But, by experience I don’t mean experience doing CTFs and stuff. If you are already a penetration tester or working day to day on linux, BASH, powershell, burpsit, nmap etc then I don’t think the exercises will help you learn anything new. The exercises are designed for people like me who are not working on these tools and have limited experience with them. My present profile didn’t allowed me to work on these tools and all knowledge I ever gained was mostly by doing CTFs. For example, I never knew that we can do port scan with netcat as well. Also, I learnt a lot about client side attacks like creating a malicious word file or even bypassing AV which you will never see in any CTF challenges. Thus, overall for beginners, exercises are must as you will learn to use more than one tool for doing same thing and also various options and arguments used in those tools.

The Lab machines:

After finishing the pdf, I jumped into the labs and started working on them. I must say the labs were quite tricky in the starting but I got used to it after some time. I even took leave for around 10–14 days and got involved fully into it. I was able to do at least 1–2 machines everyday. Although, this was not completely on my own. I got a lot of help from offsec student admins and other students.

Here, I also want to specify that the labs were much better than what I heard about them. I knew in past students have had difficulty in accessing labs since it is a shared environment and at a time more than one student might attack same box. However, I really didn’t experience that. I think OffSec did a really good job in improving the labs.

During my whole journey I never faced any such problem where machine I was working on got reverted. I even worked on some machines with double pivoting for almost whole day and I never had any such issues. Though, you might find some left out exploits on machines so, before starting on any machine, make sure to revert it to remove any traces or left over exploits.

The Offsec student forum is great and is very helpful. However, there is a way to ask for doubt in the forum if you really want to improve. You must always start a fresh thread while asking a question rather than searching for any old thread on same machine. That thing can sometimes reveal more than required and will spoil your learning experience. I understood that early and never used to look at old chats to find hints.

Overall, the labs are really awesome and I would suggest that if possible, try to do all machines in the lab as every machine will teach you something new. There might be some labs which are not relevant with respect to exam, but Offensive Security has done a really good job in giving the feel of real life pentesting to students as in practical, there will be machines and users interacting with each other and also we might have to use tools which are forbidden in exam. I really had a great time doing labs and exercises related to client side attacks as these are not common in CTFs. However, things like double pivoting sometimes spoiled my fun as it was very time taking. Overall I did around 40 labs machines including all big fours and machines from different departments. I would have done all if I had time but that’s all I could in 60 days of lab time with a full time job.

If you are confused between which plan to purchase, I would suggest to purchase 60 days plan if you are not willing to do exercise report and 90 days if you are planning for submitting exercise report. Although, if you are working full time on it and don’t have a life, 60 days of lab might be enough to do exercise report and all lab machines. Again, decision is yours as to how much time can u allot.

First Attempt:

My lab was expired on 11th march and I scheduled my first attempt on 16th march. For the remaining of days, I practiced some easy and medium machines on proving grounds practice(PG practice) which is by Offensive Security itself and costs around $19/month.

For exam my plan was to do buffer overflow first followed by 10 marks and then trying both 20 marks simultaneously and finally 25 marks hard one.

Overall my first attempt was not as I expected. This was the point when I realized that the lab machines are far behind in difficulty compared to exam. I believe that Offsec keeps on updating their exams from time to time and keeps on bringing more challenging machines but, same is not done with the labs.

Anyways, my exam started at morning 11 am. Buffer overflow was fairly basic and I finished it first within 40 minutes. After that, it took me a long time to get my second machine. I gave a lot of time in enumeration on all machines but it got me nowhere. I took breaks every 2 hours and tried refreshing my mind but finally I got my next easy 10 marks machine after 7 hours. That victory encouraged me and I started doing enumeration from start for other 20 marks machine. I got another 20 marks about 4 hours after that. My total marks by now were 55(25 +10 +20) and with the lab report it was 60 marks. All I needed was 10 more marks. But unfortunately, that didn’t happen. I was too much desperate for 10 more marks and hardly slept for 3 hours(bad move). By the end of the exam I was too much exhausted and depressed.

As my exam time finished I started revaluating things. My enumeration was definitely not up to mark. Also, if you are using auto enumeration tools like Autorecon, it will certainly help you but that should not stop you from manually enumerating. This mistake cost me a lot of time as Offsec is very clever in fooling these tools. That’s the most I can saw.

Second attempt:

I took break for a week and started creating my strategy for second attempt. For my second attempt I started working more on PG practice and hack the box. I spent a lot of time doing active boxes on HTB and jumped from “noob” to “hacker” rank. This again took a lot of research and frustration at times. I also did almost all the easy machines and lot of medium and hard machines on PG practice. Although I wasn’t able to do all PG boxes on my own, I didn’t hesitate in looking at the walkthroughs even though it reduces the point of that machine to zero.

I worked hard for another one month and booked my second attempt on 26th April. The strategy was same however, I decided to take breaks more often this time and sleep also.

My second attempt was from 9 am. I started again with buffer overflow and finished within 40 mins. Next I jumped to 10 marks, I spotted the vulnerability within 20 minutes but had to do some changes in exploit and had to try different things to finally get root after 1 hour. Next, I started reading the Autorecon results for remaining machine and found something interesting which I had already encountered in past on 25 marks. I tried different version of the exploits from github, exploitdb, did some changes and finally one of them worked. I took another 40 minutes to get root on it. Within first 5 hours I had 60 points. Then I moved to 20 marks. I got stuck here for a while took lunch break and sat down again on it. After a while, I got user on one of the machine. 70 marks and I was hyped. I took break and celebrated my victory. Came back to same machine later on and found root access in another hour.

I got 80 marks in 11 hours which was a great improvement. I tried running different things on last machine but finally gave up after whole day of struggle since I already gained passing marks. At around 1 am, I ended my exam. I made sure to have all the snippets before ending. Got up next day and prepared the report and sent within 6 hours.

2 days later, on 29th April, I got the email I was waiting for since a year.

Leaving thoughts:

If you read through my whole journey, I hope you would have learned something new. Overall, PWK was one hell of a ride and I don’t regret doing it. The OSCP exam is just one part of the whole process, I think the real learning comes from the labs and exercises. I learned lot of new things in these 60 days compared to my whole year of preparation.

If you want me to share any cheat sheet or anything like that then sorry I won’t. I think the best way is to try different tools and techniques and create your own cheat sheet. I also searched for different cheat sheets but then never used any of them. I used cherry tree mainly for my cheat sheet and OneNote for taking notes and snippets.

In my opinion “try harder” mentality stresses more on researching and challenging your whole methodology. There will be things kept in place just to deceive you and your methodology and at times you’ll have to think outside the box or try something that you have never.

On this note, I would like to end this blog. I would definitely attach important links at the end of the blog which might be helpful.

What’s next?

Even though, PWK teaches lot of things but definitely not everything. This was just the first step towards my career in red teaming. I am planning to extend my knowledge and move forward with this. At the same time, I am also working to learn some web application skills through different bug bounty programs. I’ll keep posting my other future certs and skills as well and will also share some writups on bug bounty if I get any.

Important links:

Pentration tester, Red teamer, Metal Head | OSCP | CRTP | eJPT |