Tuesday 8 November 2016

OSCP maybe not for me?

I've been doing the OSCP course: 'Pentesting with Kali Linux' for the last 80 days (the end is near).


Background:
I've got a solid interest in binary exploitation and breaking things, and I really enjoy a good challenge. The first time I defeated ASLR and NX it took me literally 5 days of nothing but eating, sleeping and staring at gdb-peda. I loved that, I loved the challenge and the journey.

What I think of the OSCP:
When I started the OSCP I thought it would be the same, and for a lot of people it is exactly that.

But nooooope

I found it extremely tedious. The material they give you is like glorified man pages. Useful, but not really.
The value is in the lab. A bunch of boxes with a bunch of vulns.

Before continuing I want to make how I feel about the OSCP very clear. It's a 7/10, pretty good, but room for improvement.


It's taught upside down
The way the material is presented is like "If you do X,Y,Z that tells you A,B,C and you can use that to do D,E,F" where X,Y,Z are specific tools or commands.

Learning this way feels like aimlessly meandering through a forest gathering anything that looks useful.

INSTEAD, it should be taught in a more goal centric way.
Take the recon stage for example, analyse what it is you're looking for. Think of the weaknesses from a higher level such as "Exposed services", "bits that only other computers can see" and the sort of information that will be useful. Then, outline how that can be done and finally, provide some example tools that help accomplish that task.

The material is also uncorrelated with the lab. I think there should be more guidance available for completing the labs. I think PentesterLab does a really good job at this.

I think the OSCP works really well for a lot of people but not me. I think the lab is a great start but the educational material is rubbish.

I don't think an educational service should have a motto like 'try harder'. I think the value of the OSCP is mostly in the certificate, which is not reflected in the price. I think the course is a lot of money (unless your company is paying).

If you're a computer science person working at a company and want to move to a security job and your company is going to pay for the OSCP then 100% yep this is for you, I would definitely recommend.

If you're a college student, I wouldn't recommend doing the OSCP until you've done all the wargames, CTFs, and vulnerable VMs that are online for free.

If, like me, you love binary exploitation and want to learn some pen test skills, learn how to use Metasploit first. This is not a course about binary exploitation; it is covered, but only a little. Don't expect to spend time in gdb.


I would recommend doing the course at the same time as some friends. I often got stuck and not in the 'try harder' kinda way, stuck in the bored kinda way.

I've got the exam coming up and I don't expect to pass the first time.

There's my 2 cents on the OSCP