As you may have read in my about page, I am OSCP and OSCE. I took OSCP back in 2015, and recently took OSCE in 2019. OSCP is always the number one certificate I recommend to people who are starting in the industry. Not because I took it myself, but because I feel it’s the one you can get the most out of. It’s all about practical knowledge: how to do stuff, and how to think like a hacker. To pass it you must prove you know how to do what the course teaches you. It’s not about memorizing some terms that no one actually uses *cough* CEH *cough*. It’s about getting down to business and trying harder.
# OSCP (Offensive Security Certified Professional)
OSCP is the “star” exam for OffSec and one of the most sought-after certifications in the infosec industry. If you have never heard of OSCP, please check out Offensive Security’s official page with the syllabus and information about the cert.
With that said, let’s break OSCP down into two main things: 1) Labs/Course, 2) Exam.
Labs / Course
In my opinion the OSCP labs are by themselves a reason to pay for the certification. They are so fun and addicting. If you love hacking, you will find yourself spending countless hours and many, many sleepless nights in the lab. I don’t quite remember the number of machines, but IIRC there are around 50 machines for you to #root. The course is very broad; you will be introduced to all the necessary steps of a penetration testing methodology. Emphasis on introduced. One complaint I see people make about OSCP is that some of it may be “outdated”. There is some truth to that, of course: for example, you will learn stack buffer overflows, which are generally seen as outdated. However, the way OffSec teaches is by seeding curiosity in your mind. At least that is how I see it; the whole #TryHarder mantra can be seen in all their courses. They may show you how to climb a hill, but it will be up to you to climb a mountain. If you only learn one thing, it is how to think like a hacker, how to go the extra step to get that sweet, sweet reverse shell popping up. Overall the labs and course are excellent. As for lab time, this is really a personal thing, but I will say that if you work full time and aren’t already popping 0days every day, 90 days is the way to go.
The OSCP exam was definitely a different experience from anything I had ever done. 24 hours of critical thinking, and really trying hard to figure shit out, is extremely tiring. A lot of people fail their first try; if you are reading this after you failed, don’t be discouraged! Try harder! You can do this, you’ve got all the tools you need. 🙂
I almost failed my first try myself. Without giving too much away, you will have 24 hours to complete several challenges. Some challenges are worth more points than others. It’s been a while since I took it, so I don’t remember, nor will I tell you, what happened or how I felt hour by hour like some reviews out there. What I can tell you is that I remember it was a roller coaster. I probably spent 19 hours straight listening to music and hacking away. The exam itself taught me so much, and you really feel a great sense of accomplishment when you pass. I passed it on my first try, but don’t get me wrong, I did not get 100%; I made enough to pass. Although the exam is hard, it is not impossible. Remember to take breaks, relax, go for a walk, and try not to let the time pressure get to you; 24 hours is plenty of time to pass. More importantly, enjoy it!!! Trust me, you will miss the labs and exam, you will miss the rush from getting those shells, and the challenges you beat during this journey.
# OSCE (Offensive Security Certified Expert)
Lots of folks believe OSCE is the next step after OSCP. Well, it makes sense, right? However, I feel like they are very, very different courses, and not necessarily connected. While OSCP is a broad course that will take you from zero to junior pentester, OSCE will not take you from junior pentester to senior. If that makes sense…
OSCE is mainly focused on Windows exploit development. Although there are other subjects in the course itself, they are very brief, and the main focus is developing exploits. Please see OffSec’s official page for the syllabus and information: https://www.offensive-security.com/information-security-certifications/osce-offensive-security-certified-expert/ .
Also if you are thinking about taking OSCE and are not sure if you are ready or not, here is THE BEST preparation guide for this course.
Labs / Course
The labs are completely different from the OSCP labs; it is no longer about owning a network. It is all about researching and developing 0days. You will have remote access to a set of machines running different applications that you will build exploits for. The course material will teach you a lot of what you will need to do, but one thing you will notice is that it has gaps in the explanations. This is not an accident; this is for you to go and try to figure out. That is where you learn the most. One tip I have for people just starting OSCE is: take the course / labs using an updated Kali VM. This will introduce some additional challenges for you during the course that will enhance your learning. Trust me. The point here is to try harder, guys! As for lab time, I feel like 30 days is enough if you are willing to put in the work in that month.
For the OSCE exam you will have 48 hours instead of the 24 hours of OSCP. Don’t be mistaken, the exam is also very difficult. However, if you put in the work in the labs and REALLY understood every concept taught, the exam becomes much more doable. That is the biggest tip I can give for the exam: take your time in the lab. Do everything the way the lab teaches, and then go back and do it differently. If the lab shows how to do a conditional jump one way, find out what other ways you can do the same. If you do this for all the exercises in the lab, you will be golden. Overall, I really enjoyed the exam. I somehow managed to pass it on my first try as well and get maximum points. I did it all in around 24 hours. I couldn’t sleep at all, so I just decided to try to finish; luckily I did it, otherwise I may have had to stay awake for 72 hours.
# AWAE / OSWE (Advanced Web Attacks and Exploitation)
Labs / Course
To me this was the lab / course that differed most from the other Offensive Security courses. Not sure why I felt like that, but I feel like it’s a completely different beast. It is really all focused on web exploitation, as the name says, but mainly white-box testing. All of the labs and course material will show you what vulnerabilities actually look like in PHP, Java, .NET and JS code. It certainly inspired curiosity in me to start researching web vulnerabilities with a white-box approach, something I had not yet done. However, I have to say I was not as engaged as I was for the other two labs. With OSCP and OSCE, I quickly became addicted and extremely interested in all the subjects taught in the course. With AWAE, however, I was struggling to identify how to best approach the course. Take this with a grain of salt; it may be some people’s favorite course. To me it was just not as interesting as the previous two. 30 days for this lab is more than enough in my opinion.
After postponing it for a really long time and literally forgetting to show up for my first attempt… I finally took the OSWE and passed. It was indeed very difficult, and to be honest I believe the biggest contributing factor that helped me pass was having bug hunting experience. The course material does help a lot, but I would highly recommend anyone taking the OSWE to take some time to develop a written methodology for finding vulnerabilities in web apps. It doesn’t have to be anything too complicated, just write down the steps you should take. Another tip is to be sure you understand the basics: how to find the right piece of code corresponding to the web functionality you are fuzzing, how to debug database calls, the common vulnerable functions for each language in the course material, etc.
After I published on Twitter that I had passed the OSWE, a lot of people messaged me asking for specifics about the exam. Although I cannot give you any specifics, I want to say the exam is very doable. Don’t be discouraged or extremely stressed about it. Go through the course material, read blogs and write-ups for the vulns presented in the course (insecure deserialization, auth bypasses, blind SQL injection, Node.js RCEs) and you should be fine. Additionally, I’m always open to helping people through the course, just reach out to me on Twitter. Good luck!
One more thing I wanted to talk about is the awesome community around OffSec certs. For OSCP, I spent hours on the #offsec IRC channel. You can talk to so many interesting people from all over the world, and there is a sense of brotherhood since everyone is struggling to own Pain, Sufferance, Humble, Bethany, and others. I actually got someone I met in that IRC channel hired by the company I work for. For OSCE, I instead spent my time in the Discord channel. You can probably find it online, but if not, hit me up on Twitter and I will send you an invite to OffSec’s Discord channel. Awesome people all around. I highly encourage anyone taking the OffSec courses to try to connect with the community. It’s a great place to make new friends, and maybe even get a new gig. 🙂