As I’m sitting here it still hasn’t quite sunk in that I am now officially OSCE qualified. It’s surreal for several reasons which might surprise you, but more about that later. If you have read my OSCP write-up, then you would know that I like to write about that which hasn’t been written about before. There are some excellent reviews of the CTP/OSCE course which I highly recommend you read. That being said, there is a lot of repetition that I want to avoid.
My OSCE journey started soon after my OSCP in mid-2016. I knew that I wanted to take it to the next level, but that I would need to do a lot of ground work before I was ready. There was a fair amount of information and scary stories about CTP but I decided to go at my own pace and learn a little bit every day. The usual suspects of corelan and securitysift were great to work through, but I was hungry for more. One day I woke up with an insane idea. What if I could publish my very own RCE 0day?
I learned that Spike was the fuzzer of choice for the course, so I thought that would be a good start. I set up a lab environment, and proceeded to download well over a hundred different software packages that I found on shareware sites. Although I only had a crude understanding of exploit development, I was determined to find something, so I started fuzzing. If you have used Spike at all, then you would sympathize with how painstaking this was. A few weeks later, it happened… 42424242. I couldn’t believe my eyes. I spent the rest of that day and well into the night creating a working exploit. It required SEH and an egghunter, both of which were things I had only ever read about, but I kept hammering away and eventually I got my shell. It was at this point that I knew I was hooked.
Fast forward several months and I bought the SecurityTube Linux Assembly Expert course. I started sharpening up on Python, and read a few of the classic recommended books on exploit development. Was I ready for the course? I knew I had to find out. I emptied my wallet, signed up and started to work in the labs. I took only 30 days, and in that time I worked through the whole course material from start to finish four times. I curated an extensive list of extra reading which, when I printed it out, took up an entire lever arch file (I prefer paper because it’s something I can do away from my computer). In the last week before my exam, I even discovered another 0day in an FTP client. I was feeling confident.
T-0: The exam pack landed on the dot as can be expected from Offensive Security. I read through the exam objectives and felt ready.
T+7: I cleared my first objective which gave me a bit of a boost.
T+13: Another target fell. I felt focused, but these were the lower-point objectives I had cleared at this point. Still a lot of work ahead.
T+48: I hadn’t tweeted in a while. I was knee deep in the challenge and needed to focus. However, in the end… exam connection closed… not enough to pass.
What the hell happened? All that prep, dropping 0days, and I still wasn’t ready? In hindsight, it had nothing to do with my knowledge and everything to do with my frame of mind. Hold that thought, because I want to pick up the matter of knowledge later in this write-up. I tried to work faster than I should have, and the reality is that 48 hours for this exam is plenty of time. I tried to work smarter than I should have; sometimes you need to go back to basics. I made assumptions about things which I didn’t believe had any effect on what I was doing. The support from my friends and those on Twitter was incredible to say the least. They kept me accountable and pushed me to try harder and keep going.
After the exam I took a break from my studies because I was immigrating to a new country the very next week! I gave myself a couple of weeks to settle into my new home and get my things in order. I had also started a new pen testing job, so I was busier than ever, but I didn’t want to leave my OSCE for too long. I was determined to own this!
This time, I had a very different mental approach. I would love to go into detail of what happened during my second attempt, but it would be impossible to do so without giving away too much. Within a few hours of my second attempt (and a full 8 hours sleep in between), I had all the objectives cleared. Just over 24 hours later, I received the confirmation that I made it!
There is something unique about the Offensive Security certifications that I want to talk about, because I think it’s a huge topic in the industry that isn’t spoken about enough. OSCE stands for Offensive Security Certified EXPERT. I worked my butt off for this certificate, but I’m not an expert and I will never call myself that. The reality is that as soon as you place that label on yourself, you close your mind to further learning to a large extent. Robert Greene in his book “Mastery” (which I would highly recommend) goes into this in greater detail. The reason I raise this here is that Offensive Security does a great job of humbling their students in a positive way. Other companies like EC-Council don’t do this, by virtue of their marketing strategies regarding the CEH, which I believe stunts the growth of their students. The caveat to this is that you have to have a healthy sense of self-belief in order to make it in infosec. The way to do that is not to label yourself an expert in any given field, but rather to label yourself an expert at learning. I have full confidence that I will one day hold the OSEE. Not because of my technical ability or intelligence etc., but rather because I know I have a strong desire to learn and have proved to myself that I can do that, based on the fact that I have completed the OSCP, OSWP and OSCE. That is what this certification is really about. It’s not about being an expert at exploitation; it’s about being an expert at trying harder.