Is PWK-200 lab worth it? What to do before OSCP and during the lab time
As someone who just passed the new version of the OSCP, yes, it is worth it.
In this post, I’ll go through some questions you may have if you’re wanting to try out the lab but are not sure what to expect.
How long did I spend in the lab?
— 4 months. (3months + 1 month extension)
Unless you’re not working and you have no responsibilities (doing chores, going to school, etc), I believe it’s not possible to finish the lab within 3 months.
Was PWK lab all I needed to pass the OSCP?
I wouldn’t say it was ALL I needed.
I practiced hacking occasionally while following walkthrough videos/write-ups for about three months (but not consistently).
I have a list of machines I completed during the preparation time if you would like to have something to refer to. https://docs.google.com/spreadsheets/d/1rwpA782Ze4z4iICpNU8RO5HR-OGaPrSgw4PIbHYHSrU/edit?usp=sharing
I was also glad I was somewhat already familiar with linux command lines, bash and python scripting pre PWK since completing lab machines will be quite challenging if you don’t have any experience in them. I took a few udemy courses on scripting and for linux command line I used https://overthewire.org/wargames/bandit/
I do believe this preparation period is necessary if you don’t want to waste your money after starting your lab time.
Did I finish all the lab exercises and is it necessary to pass the exam?
There are a lot of reading materials that the PWK offers. I didn’t read all the materials nor finish the lab exercises. I read some of it before I started tackling the machines, but I mostly used the reading materials when I was stuck on the machines. I’m not sure if that was a good approach or not but it worked for me. Of course, if you have time and money, you should do the exercises and write a lab report to get the extra 10 points. (For the exam details, check this article) That 10 points could save you during the exam (I was thinking about this when I had 60 points at 2:00 am.)
Did I complete all the lab machines and is it necessary to pass the OSCP?
I did complete all the machines including the sub-net machines. And man, some of them were very tough (and annoying lol ). I can’t speak for everyone because everyone has a different level of exposure to ethical hacking. But for someone relatively new to the field, I’m happy I completed all of them. It gave me this incredible sense of achievement; more importantly,
I was exposed to so many different pen-testing skills (web exploitation techniques, active directory, different privilege escalation techniques and so much more!).
No, I didn’t need all the skills I acquired through the labs to pass it. But that should be obvious. I believe there are 78 machines in the lab. There are only 3 individual machines and 1 set of Active Directory machines (3 machines) on the actual exam.
I would still recommend everyone to try completing as many lab machines as possible since you won’t know what will come up during the exam. However, if you have very limited practice time, I would strongly encourage you to complete the two Active directory sets in the lab. You will need the 40 points no matter what (unless you get 60 points from the individual machines + 10 bonus points which may be quite challenging.)
Did I use student forum resources?
Within my first three months, I was only able to finish about 50 lab machines. But during that period, I learned the most.
When you’re in the lab, it may be easy for you to rely on student forum hints to complete some machines, which is fine if you’re moving slow and you just don’t want to waste your lab time. But I made sure not to use the hints until I exhausted every possible methodology I knew and attempted to research for a few hours.
I also believe that if you don’t know it, you just don’t. Set the time limit for yourself and ask for guidance. There’s also an offsec student discord channel which is more active than the student forum for asking questions. I used it a couple of times towards the end, but I wish I had known about it earlier.
Another important tip I could give to fellow hackers is to always take notes and review them before you forget about what you did on the following day.
It’ll help you practice writing the exam report; make it a habit to write every step you take to solve machines (I also wrote notes when I got stuck). On the exam report, the person who evaluates your report will need to be able to reproduce the exploitation. Taking appropriate screenshots of the terminal windows is also crucial.
Alright, that’s it for today’s post. Thank you so much for reading.