OSCP - Fun and challenging but overrated

Last March I decided to set up a freelancing business in information security. My first step was to meet some old colleagues and people in the field, to ask them what's going on in the business-to-business business.

"OSCP," they said.

"OSCP is the shit. If you're going to freelance as a pentester you need to get your OSCP. Everyone's asking about it."

And so I did. After subscribing I was able to hop on the course train that started at the end of April, with one month of lab time. The exam was set for the first of June. After a month of daily exercises, I did the exam and passed after owning 5/5 machines.

Although the course is challenging and full of resources, its title is, in my opinion, overrated in the field. So I'd like to take a few stabs at its popularity before telling you it's lots of fun and totally worth the money.

A little background information on myself: I'm 30 and I've been having fun with information security since I was 14. I taught myself programming, hacking and computer science, and I have been working as a professional pentester and security researcher for more than six years.

Try Harder culture

The first thing I'd like to mention doesn't concern what is taught, but how it is taught. The course is quite unique as its main message is that you have to figure things out for yourself. While this is an excellent skill to develop, its implementation in the course is a bit nauseating. Sharing knowledge is not allowed (or only to a certain extent), and support is limited. This can lead people to mislearn when they teach themselves, or they might miss out on some techniques.

When you start the course you get access to a bunch of useful resources, such as videos, a big PDF with course material, a VPN connection to a lab environment where you can go bananas, and access to a forum. On the forum, one is not allowed to share exploit techniques for owning boxes, since that counts as a spoiler. But people are desperately trying to share them anyway, since the knowledge is needed to get through the course. Take for example privilege escalation. It's hardly touched upon in the course (some reading material is posted on the forum), but it's one of the main techniques you're required to master if you want to get through the exam. The only way to learn it is to own a lot of lab boxes and just try some stuff. Since students are all in the same boat, they try to help each other out. To circumvent the censorship, they come up with stuff like this:

maybe it is the "a person who is invited to visit someone's home or attend a particular social occasion" + "a period devoted to a particular activity"?

Instead of just saying "guest session". I'm not an expert on pedagogy, but I'm pretty sure that jumping through all these hoops is a waste of time for any serious student.

The Offensive Security courses have a mantra, "Try Harder", which they take awkwardly seriously. Over there they speak of a "Try Harder™ lifestyle". There is even a theme song for the "Try Harder" motto. The rap is sung in a Jamaican-ish accent, and the lyrics are written likewise. The lyrics include lines like: "Like Suey, you must Chop This! Like a floor you muss mop this!". "Cringe" is the popular word describing how I feel about this whole ordeal. Additionally, the pompousness of the course's culture reeks of arrogance, which is the last thing we need in the security field (or in any field for that matter).

Course material

The course is called "Pentesting with Kali Linux", and it's just that. You'll get familiar with the basics of scripting languages, web security, a buffer overflow and with using basic enumeration and exploit techniques.

Most of the course consists of finding outdated software and browsing exploit-db for an exploit. Students are not taught how to read code, let alone how to find new vulnerabilities. Code security is not dealt with in the course; you won't be able to spot vulnerable code patterns. Likewise, no mitigating measures are described. You learn how to exploit vulnerabilities, but not how to fix them.

The course material fails to include some of the important security best practices. No attention is given to secure development patterns, configuration practices for things like TLS, or defensive measures such as enabling an audit trail.

To sum it up: anyone who only did OSCP can't read code to look for new vulnerabilities, and isn't able to give proper advice on how to implement security. It's the human equivalent of the impact description of a Nessus scan. However, the course does provide a neat skill set for doing black box penetration tests.

The exam

The infamous OSCP exam takes 48 hours; 24 hours for the exam and 24 hours for writing your report, which is quite intense. It's proctored, meaning someone will monitor your screen and webcam. Let me briefly discuss the proctoring software you have to install.

The exam uses the ScreenConnect software, which is a Java applet. Most browsers dropped support for Java about 5 years ago, and it was a pain to get the ancient tech to work on my Linux box.

A quick search shows that multiple people have failed the exam because of the buggy software. The internal Offensive Security forum also contains multiple threads where people report the same issues. And support is limited during the course, so I couldn't get assurance that the applet would work properly during the exam. In the end, I used my MacBook because the software runs properly on that.

Conclusion

The course is only 800 bucks and you'll get your money's worth for sure. The lab environment in particular is amazing. It lets you frolic around for at least a month exploiting all kinds of exotic boxes. It'll get you further than just doing things like RootMe challenges, because it really is a network; in some cases you need to pwn box A before you can pwn box B.

In spite of the somewhat demeaning and pompous tone of the course, one's autodidactic skills are undeniably developed. If you don't take it too seriously, "trying harder" offers a sense of achievement that can't be obtained from just being handed the answers.