PWK(OSCP) [PEN-200] Review 2021

Kartik Sharma
4 min readJul 16, 2021

--

This short blog post covers how I approached Offensive Security’s PEN-200 coursework along with the examination.

Pre-PWK Preparation

I started my preparation from Proving Grounds Practice (19$/month). It is absolutely worth spending money on, as it provides non-CTF style boxes curated by Offsec itself. I was able to solve 32 boxes (did TJ Null’s PG practice list) in a month, spending 4–5 hours, 5 days/week. After my subscription expired, I revised buffer overflow and curated Linux/Windows privesc cheatsheets for a week.

PEN-200 Coursework

I registered for a 30 days voucher + 1 exam attempt.
Starting with the coursework pdf, it took me 3 days to go over all the modules. Next, I began pwning the machines on the PWK network. I was able to root 70 machines in 25 days including 2–3 break days. On average I was solving 4–5 machines daily and it felt like I was giving the exam every day XD

I preferred spending the last week revising my notes, building a better methodology, and therefore, left the remaining 5 boxes. I completed a few lab exercises but did not document them for the extra 5 points as it was time-consuming for 30 days of access. I spent most of my time on the PWK network.

Note: During lab time, I used to spend 90–100 hours a week and was not working on anything else.

The OSCP exam

My lab access expired on 6th July 2021 and I scheduled my exam for the same day itself.

My Exam Methodology

I came up with the following strategy:

  • complete buffer overflow in the first hour while enumerating the 10 pointer
  • hit the 10 pointer machine for the next 1 hour, while enumerating the 20 pointers
  • if the 10 pointer box is solved, move on to the 20 point box with a lower number of ports (because in that case, I’ll have to focus on less)
  • at last, enumerate the 25 pointer box

I planned to take 10 min breaks every time I solved a box or after being stuck for 2 hours straight.

1 Day before the exam
I did the Try Hack Me rooms for buffer overflow, Linux and Windows privesc in the first part of the day (for the second time). Next, I spent my time watching movies and tv shows.

The final Exam day
On 6th July, I woke up at 7 a.m and went to exercise for 30 minutes. My exam was scheduled for 8:30 a.m. As required, I connected to the proctoring tool 15 minutes before the exam. Finally, the exam began and it went in the following order:

  • Buffer overflow (25 points) [20 minutes]
  • 10 point box [40 minutes]
  • First 20 point box [1 hour 20 minutes]
  • 25 point box (unintended root) [3 hours]
  • Second 20 point box (1 hour)
  • 25 point box (intended privesc) [10 minutes]

In the first 3 hours, I had 55 points with 3 boxes solved. Next, I tried the other 20 point box and I failed to find a foothold. I took a 1-hour long break and started with the 25 point box. It took me 2 hours to get a foothold and then I was stuck on the privesc for an hour. I finally managed to root it using an unintended method. In 7 hours, I had 80 points which were more than enough to pass the exam. After a short break, I started with the second 20 point box. It took me 45 minutes to get a rev-shell and 15 minutes to perform the privesc.

Technically, I was done with the exam, but I still wanted to find the intended root on the 25 point box. I manually performed the enumeration for privesc and found a potential vector. It took me another 10 minutes to get the root. Finally, I was done with the exam in 11 hours 30 minutes!

In short, it took me 7 hours to reach passing marks, 10 hours to root all the machines and 11 hours 30 minutes to solve everything in an intended way.

I took a 3-hour long break and then started with the report writing. Around 5 am in morning, I was done with a 45-page long report. I told my proctor to end the session and I finally went to sleep. The next morning, I proofread my report and uploaded it on the portal.

On 8th July, around 3 p.m, I received the e-mail!

--

--

Kartik Sharma
Kartik Sharma

Responses (1)