OSCP Blog Series – Is the OSCP Lab and Exercise Reporting Worth It?
As we all know, earning the OSCP certification through the PWK (Penetration Testing with Kali Linux) course and the OSCP exam that follows depends on a lot of factors. Reporting the course exercises and labs is one of them: it is not mandatory, but it plays a crucial role throughout your journey. People normally think of it as a way to claim 5 bonus points for the exam, but it is not only about the 5 points.
You need 70 points in the exam, which consists of a set of challenges, to clear the OSCP certification. Apart from this, Offensive Security provides an additional 5 bonus points for reporting the course exercises and lab challenges.
As per the official OSCP blog – https://support.offensive-security.com/oscp-exam-guide/#bonus-points
- In order to receive 5 bonus points, you must complete the lab report AND the course exercises.
- The lab report must contain a description of your attack steps for no less than 10 fully compromised unique machines.
Now, a very common question is: “Is the OSCP lab and exercise reporting worth it?”
Is it your choice if you don’t want to do this reporting for 5 marks in the exam? Yes, because Offensive Security doesn’t consider it a mandatory requirement for clearing the exam.
But please note that it’s not only about 5 marks. Offensive Security promotes a “Try Harder” approach and makes you go through a 24-hour proctored exam before issuing the OSCP certification if the exam is cleared. In this case, do you think they would give 5 marks just to get a report from you, without any agenda of promoting “Try Harder”?
So the simple answer is NO.
Let me explain:
Reporting the labs and exercises helps us in various ways, including:
1- Improvement in professional report writing
You will learn how to write a professional penetration testing report, which will help you improve your reporting skills for the final exam report. It’s better to have a clear understanding of the reporting process so that you do not waste time on exam reporting, as you will only get 24 hours for reporting.
2- A fine line between pass and fail if you score 65 marks in the exam
One needs to score a minimum of 70 marks in the exam to clear the OSCP certification, but if you score only 65 marks in the exam, these 5 bonus points make the difference between passing and failing your certification.
3- (ISC)² 40 CPE credits
According to https://www.offensive-security.com/offsec/pwk-oscp-faq/, PWK qualifies students for 40 (ISC)² CPE credits after they submit exercise documentation at the end of the course or pass the certification challenge.
4- Critical role in clearing the OSCP exam
As I mentioned above, lab/exercise reporting is not only about 5 bonus points. It helps you a lot in the long run and indirectly plays a critical role in clearing the exam. There are a lot of blogs on the internet that explain whether you should do this reporting or not, as it is very time consuming if we see it as a source of 5 marks. Like others, I also believed the myth that reporting is required to get 5 marks so that it can help you reach 70 in the exam, but later on I realized that it’s more than that.
Let me share my personal experience with you.
Initially I decided to prepare the report to get those 5 bonus points, but while going through the course material I saw that there are 100+ exercises which need to be reported, along with a minimum of 10 lab machines, to get 5 points. It looks very hectic, right? Yes, to me as well.
Reporting 100+ exercises and 10 labs is too much for 5 points. Realizing that it might take a lot of my time and effort, I decided to drop the reporting and continue with the course material and labs only. I was still doing 80% of the exercises for the sake of knowledge, but I didn’t start reporting, because I had decided not to do the remaining 20% of the exercises, which seemed either very easy or very time consuming, and because the reporting might have taken a lot of my time.
Frankly, this was one of the worst decisions I made during this journey. I started with the course material and reached Module 12, when I suddenly started realizing that I had missed a lot while preparing for the exam, because a few exercises look so simple or time consuming, but they are not that simple once you start working on them.
See, one thing to remember here is that OSCP sticks to the topics covered in the course material. When you reproduce the attacks explained in the PDF, you will find it very easy most of the time. But that alone is not enough for the exam. In the exam you may not get challenges from outside the syllabus, but the challenges will surely be more difficult than the ones explained in the PDF. To cover those gaps, you need to really focus on the exercises provided in the course. These exercises force you to think beyond the scenarios explained in the course. The methodology would be the same but the approach would be different, as you need to be very creative while solving the exercises. This helps you build a “Try Harder” mindset and improves your problem-solving and research abilities, which are surely going to help you in the exam.
After realizing how critical this reporting is, I started capturing POCs again for all the exercises from Module 1 to 12, which took me 15-16 hours, as I had done those exercises earlier but hadn’t captured POCs. I wasted 15-16 hours of my crucial lab period, which could have been avoided by making the right decision in the first place.
So I would say again: it’s not only about the 5 marks for reporting; it will also help you in the long run to get the other 65+ marks you need to reach the minimum passing score.
Author: Yogesh Prasad
Information Security Professional | Cyber Security Expert | Ethical Hacker | Founder – Hackers Interview