Offensive Security are known for their tough but respected certs. Offensive Security Certified Professional (OSCP) being the goal for a lot of people breaking into (or already in) the security industry, including myself. Other than OSCP they also offer a number of other certs, including Offensive Security Certified Expert (OSCE). Since I settled on the idea of security as a career path, largely with a preference for the offensive side of things, getting my OSCP was my goal.
I achieved this goal in October 2019, but never got round to writing a blog post about my experience. I have now recently (August 2020) also achieved my OSCE certification, and am this time getting a post written!
Since I completed my OSCP the course has been updated, from what I have heard about the new content from new students it sounds like the new content is incredibly well written and useful. Although the core topics and ideas of the certification remain unchanged so I will still provide my insights into what I learnt, and what I would do differently if I were to take the course again.
Further to this, the version of OSCE I have now completed (Cracking the Perimeter) is also being retired in October of 2020. Although I will also still discuss what I learnt for this course on the chance it may help someone out before the course is retired.
OSCP
Roughly a day and a half from when I had submitted my report to the Offensive Security team, at 11:44 PM on the 13th of October 2019, I received the above email. This was confirmation that my countless hours of prep work, on the lab, on HTB, vulnhub and more had paid off.
Pre-Prep
Knowing I wanted to sit my OSCP, I spent a fair while pre-prepping. This largely consisted of working through machines on Hack the Box, I have a VIP membership. So, I filtered the machines easy to hard and started working through the list. From this I ended up seeing a wide range of technologies in use, both Windows and Linux based, and learnt how to approach each one in order to identify any weaknesses of vulnerabilities within it.
I feel without this practice I would have had a much harder time with the course lab and the exam. For example, a lot of the easier Hack the Box machines are running software with known vulnerabilities, having practiced taking software, identifying its version, tracking down known issues and finally exploiting them, was an incredibly useful skill. Furthermore, when completing these machines, I made a point of taking decent notes and writing up these machines (the writeups are also on this blog!). This was largely in preparation for making sure I took notes of sufficient quality to write the required report during the exam.
The Course
For the course, I brought the 30 day lab time package. I spent the first day reading through the materials which were pretty good, I won't go into detail about my experience with the material as it has been changed since I did the course.
From day 2 I started on the lab, the lab may have changed since I completed the course too, although from what I've heard it is not entirely different. My goal on the lab was to complete as many machines as I could before returning to my Hack the Box practice. In all I completed a majority of the lab in \~12 days. This was largely due to a lot of "repeated" exploits from my Hack the Box practice. But I did learn a fair bit during this time too. As with Hack the Box I avoided using metasploit and other tools you aren't allow in the exam as much as I could.
An interesting addition to the lab compared to most machines on Hack the Box was the various subnets and linked boxes. It was no longer a game of "oh I'll go for this one now" and instead required some thought and direction.
Overall the course was well designed, it introduces you to a range of concepts, and when combined with the labs and external practice it felt like I had been provided with everything I needed to be able to pass. For some final pre-exam prep, I spent the day before my exam going over the notes of every Hack the Box and Vulnhub machine I had done for practice, and hand wrote notes on various topics. These included, Linux Priv Esc, SMB recon, SQL injection and more. During the exam I then was able to quickly reference my notes where needed.
The Exam
Due to the nature of the OSCP exam I won't be going into detail about how I solved the challenges.
My exam was scheduled for 7am on the 11th of October 2019. I woke up early in the morning to have breakfast and some caffeine (caffeine became a recurring theme during the exam), before logging on just before my start time with the proctor.
My exam went fairly well. I had some internet issues which cost me an hour or so, and some pressure induced mistakes which slowed me down, but overall I had what could have been a passing score after around 12 hours. Beyond that I carried on, and after a few hours sleep, at around 2am, I had completed all the exam boxes. I then decided to get some more sleep, before getting up and starting on the report.
For the report I used the Offensive Security provided template, and largely just filled it in with my notes from each of the boxes. I ended up submitting it at around 7pm on the 12th of October, and the wait for results began. Luckily, I didn't have to wait long.
Useful Resources
Hack The Box - Hack the Box has over 100 practice machines (with a VIP subscription) available, the price is well worth it.
Vulnhub - Another source of practice machines, this time free, although you do have to set them up yourself.
Shameless Self Promotion (Also Vulnhub) - My own Vulnhub posting, a virtual machine with 5 practice Linux buffer overflows, each slightly harder than the last.
G0tM1lk Linux Priv Esc - A great cheat sheet for Linux priv esc.
Fuzzy Security Windows Priv Esc - A great reference for Windows priv esc.
Exploit-DB - A source of exploits for known vulns
Cherry Tree - The note taking tool I used during my exam.
Caffeine - I think this one explains itself.
OSCE
Similar to OSCP, I didn't have to wait long for my results on OSCE. I received the above email at around 6am on the 23rd of August 2020, having submitted my report at around 4.30pm on the 21st.
The Course
So the CTP course is being retired, so I won't go into much detail on it. It has a reputation for being old and out of date, and although it is true that a lot of the material is old, I would argue that it is still all vital and relevant information. You can't learn to break all modern protections on a binary if you don't know how to do the things they protect against, and I hope the new course continues to teach these fundamentals.
The lab for OSCE, unlike the OSCP lab, is configured to go hand in hand with the course materials. Unfortunately that is where my review of the labs end. My lab time for the OSCE course fell at the height of the UK Covid lockdown, and due to my situation at the time, I found it very difficult to motivate myself to use the lab time effectively. Instead I booked my exam, this time for the 19th of August 2020.
In the weeks approaching the exam I began my prep, I followed the course materials and essentially built and environment as close to the lab as possible to practice in. I went over these materials, twice in total to make sure I understood them. After which I then followed the Fuzzy Security windows exploit development series, stopping when it got to heap corruption. Once I had completed that, I moved onto vulnserver and Exploit DB where I filtered by "Has App" and "Windows". From the list of exploits this created I selected from them randomly, downloading the app, attempting to locate the vuln myself and recreate the exploit, ideally only checking the posted exploit when I got stuck. Overall I had about 2 or 3 weeks of practice, and then came the dreaded 48 hour exam.
The Exam
My OSCE exam was on the 19th of August 2020, starting at 11am. The later start to this exam compared to my OSCP meant my routine was a bit more normal. I didn't get up early, I had breakfast with my housemates as normal, and then chilled for a little before the exam started.
At 11am I received my exam connection pack. This is where I had some initial issues due to old TLS versions, once it was sorted I was underway. As with OSCP, I won't go into much detail about the exam. But I was provided with a number of challenges, each with a specified criteria to be met, along with some restrictions on how I could achieve them.
Due to the length of the exam, it was important to manage my time well. I made sure to take regular screen breaks, and go to sleep at a reasonable time (although I didn't stay asleep for long). Luckily, I managed to complete enough tasks to have what could have amounted to a passing score before I went to bed after the first day. This meant I could sleep without as much stress, although I would be lying if I tried to say I wasn't working through problems in my head until I eventually fell asleep. I got back up the next morning and had a quick look at what I had left to go, then went and had my normal breakfast routine and a shower. When I sat back down to tackle the remaining tasks, things clicked, the sleep had helped. From there it was only a few of hours until I had solutions for all the tasks.
I then gave myself a decent break before starting up on the report, again using the Offsec provided template. I ended up not writing much that day as I gave myself a long rest and an early night. Getting back up the next day to write and submit the report, sending it to Offsec at around 4.30pm on the 21st.
Overall it was an incredibly challenging exam, and I can safely say I haven't ever experienced one like it before (no, not even OSCP).
Useful Resources
Fuzzy Security - These tutorials were a life saver, I did the window exploit dev ones up to heap corruption.
Exploit-DB - A great place to get practice apps.
Vulnserver - One app, lots of practice.
Boofuzz - An easy to use, effective fuzzer in python.
X86 Assembler - Was useful for converting asm to hex op codes.
The Next Steps
Having completed my OSCP, and OSCE I now have some options. I would love to try OSEE, although I feel like I'll need a lot more prep time, and also the requirement of in person training (and cost of that!) may mean this is a dream for the future. Before then I have OSWE and OSWP to tackle. I will likely go for my OSWE next as with the recent 2020 update it looks like it could be an incredible course, and with the added bonus of being 1 of the 3 required to achieve the successor for OSCE. Speaking of which, I am excited to see what the new courses will offer and will very likely look to take them myself, with the eventual goal of holding both legacy and new OSCE.
If you made it this far I would like to thank you for reading about my Offsec journey, I will try to be better at reviewing certs and courses in a timely manner in future!