Changes to the OSCP (PEN-200) Exam for 2023

Posted on 16 Mar 2023 by Ray Heffer

I’m constantly seeking new opportunities to enhance my expertise and broaden my understanding in the field of cyber. In 2021, I successfully completed the Certified Ethical Hacker (CEH) exam offered by EC-Council, followed by the CISSP last year—both of which showcased diverse aspects of cybersecurity. In my day-to-day work, I collaborate with both security engineering teams and CISOs, as I hop from one meeting to the next, which requires me to transition between technical and strategic discussions. This skill has proven to be incredibly valuable in my career.

As someone who has always been deeply immersed in the technical aspects of cybersecurity, I find it essential to maintain and nurture that passion, even as I continue to evolve in my career. Participating in Capture The Flag (CTF) challenges during my evenings allows me to stay up to date with my hands-on skills. This is why I find the Offensive Security Certified Professional (OSCP) exam so appealing. OffSec has revamped the PEN-200 exam to better align with the modern world of cybersecurity. They’ve introduced Learning Units, Learning Objectives, Module Exercises, and Capstone Exercises, and the course has also undergone significant restructuring, with some modules removed.

The decision to remove Buffer Overflows from the PEN-200 course material and exam reflects a shift in focus towards more modern and prevalent attack vectors in today’s cybersecurity landscape. While Buffer Overflows are still relevant in certain scenarios, their importance has been diminishing as new technologies, architectures, and security measures emerge. I was actually enjoying the BoF labs, but oh well!

By removing Buffer Overflows from the course content, OffSec seems to have made room for other topics, such as Web Application Attacks, Privilege Escalation, and Active Directory exploitation. This change aims to provide students with a more well-rounded and up-to-date understanding of real-world cybersecurity challenges.

However, it’s important to note that the removal of Buffer Overflows from the course material does not mean that I should ignore this type of vulnerability altogether. I still need to maintain a solid understanding of Buffer Overflow concepts, as they can still be encountered in specific situations.

Updated Syllabus for the PEN-200

  • PWK: General Course Information
  • Introduction to Cybersecurity
  • Effective Learning Strategies
  • Report Writing for Penetration Testers
  • Information Gathering
  • Vulnerability Scanning
  • Introduction to Web Application Attacks
  • Common Web Application Attacks
  • SQL Injection Attacks
  • Client-Side Attacks
  • Locating Public Exploits
  • Fixing Exploits
  • Antivirus Evasion
  • Password Attacks
  • Windows Privilege Escalation
  • Linux Privilege Escalation
  • Port Redirection and SSH Tunneling
  • Tunneling through Deep Packet Inspection
  • The Metasploit Framework
  • Active Directory Introduction and Enumeration
  • Attacking Active Directory Authentication
  • Lateral Movement in Active Directory
  • Assembling the Pieces
  • Try Harder: The Challenge Labs

Adjusting My Study Plan

With the updated syllabus, I’ll need to adjust my study plan to account for the new content. I intend to focus on the areas that have undergone significant expansion, such as:

  • Web Applications
  • Privilege Escalation
  • Port Redirection and Tunneling
  • Active Directory

If you are embarking on the PEN-200 journey, make sure to download and review the free PEN-200 introductory module provided by OffSec. This will help you understand the new learning approach and set the foundation for your studies.

The updated PEN-200 exam also features a new lab architecture, which provides each student with their own environment. This setup consists of Challenge Labs, where learners can work through specific penetration testing problems at increasing levels of difficulty. I plan to tackle these labs sequentially, ensuring that I thoroughly understand each concept before moving on to the next challenge.

Preparing for the Exam

As for the exam itself, the most notable changes are the removal of the Buffer Overflow machine and the updated bonus points criteria. Since Buffer Overflows are no longer part of the course material, they will not be included in the exam. To qualify for bonus points, I’ll need to complete 80% of the 2023 Module exercises and submit proof.txt for at least 30 PEN-200 (2023) Lab Machines. This requirement may include machines from both the 2022 and 2023 lab environments.

To ensure success, I’ll be adjusting my study plan to account for these changes. This means allocating more time to the areas that have seen significant updates, such as:

  • Web Applications
  • Privilege Escalation
  • Port Redirection and Tunneling
  • Active Directory

For those preparing to embark on the PEN-200 journey, make sure to download and review the free PEN-200 introductory module provided by Offensive Security. This resource will help you understand the new learning approach and lay the foundation for your studies.

Good luck!