My First Year In InfoSec: Zero to OSCE3
In August 2022, I took a gap year to study OffSec certifications to "break into" the information security industry. In total, I spent * hours studying, acquiring the OSCP, OSWE, BSCP, OSEP, OSED, OSCE3 certifications. As of Feb 2024, I'm the youngest * in Singapore.
In this blogpost, I share my experience going from absolute zero to OSCE3. I've written this guide to share:
How long it took for me to acquire these certificates
What study resources I used to go from absolute zero to OSCE3
Some tools I created which should help you with these exams
My reflections after obtaining the OSCE3
At the end, I'll also try to answer questions like, "Was the gap year worth it?" and "Why am I still planning to attend college after this?".
Please note: This article is a reflection of my experience. Your experience with studying certifications may be different. The learning path I took is not the royal road. What works for me, may not work for you.
Why Certifications?
Certifications are a controversial topic in information security. In my opinion, certifications for practical, proctored exams are a great way to demonstrate your ability to employers.
I've found OffSec courses to be a well-structured environment where I could learn different areas of offensive security, while having a challenging exam as a end goal.
Why a Gap Year?
After serving mandatory national service, I had little direction on where I wanted to go career-wise. Analyzing my potential options, I found information security to be a technical, well-paid, impactful and safe option. Importantly, I saw that there were certifications like the OSCP which were considered the .
If I could acquire these certifications, it could make me a more competitive candidate in job applications. A gap year to focus entirely on certificates seemed like an investment with asymmetric returns. In the worst case, I would lose a year. In the best case, I might get my hands on a miracle year.
OSCP
Note: I took the 2022 OSCP Exam. In 2023, the OSCP was updated.
As with all my other OffSec courses, I purchased the "90 Days Course & Exam" bundle instead of the Learn One subscription. Before purchasing a course from OffSec, you may want to try reaching out to them for goodwill discounts. Alternatively, OffSec offers discounts for students and at the year's end.
For the OSCP, I spent 651 hours, pwning a total of 136 machines and studying an average of 7 hours and 33 minutes a day.
Below is a rough list of the study resources I used to pass the OSCP exam:
Very useful. After the courses, I felt much better equipped to start doing practice boxes.
TryHackMe Networks: Holo, Wreath, etc.
Very important. These networks taught me lateral movement across Active Directory instances.
TryHackMe Machines: Mr Robot CTF, Hydra, Chill Hack, Internal, SQL Injection, etc.
Easy machines that were good practice for building a pentesting methodology.
54 Proving Grounds Practice machines from TJ Null's OSCP-like VM's List.
The "meat and potatoes" of my OSCP journey. I would wake up, solve 2 boxes in PG, then do it the next day. I did this for about a month.
30 PEN-200 Lab machines
This was done to get the 10 bonus points for the OSCP exam.
Review
The exam was much easier than I expected. Lateral movement, something I learned in Holo, turned out to be incredibly important. Although I used chisel, nowadays I would recommend using ligolo-ng.
Although it may look like I overprepared, I look back at this intensive preparation as laying a strong foundation for my future endeavors. To me, learning is a continuous journey, where knowledge builds upon each other. I paid the startup cost of understanding topics like Active Directory well, which was later helpful when I studied for the OSEP.
Tips
Make a writeup for every machine as you complete it.
When pentesting, take notes about each machine and synthesize a writeup as you go . This will save a lot of time when you have to write a report for the OSCP exam. Furthermore, with each writeup you make, you now have a case study to reference when doing similar machines. When learning new topics, I also suggest taking Atomic Notes so you can network concepts and easily refer to them later.
Look up similar walkthroughs while pentesting.
Whenever you're stuck, I highly recommend looking at 0xdf's/IppSec's website to see how similar machines were rooted. Suppose I was pentesting a flask web machine. I'd pull up HackTricks and 0xdf on a second monitor to look at . There's a great chance that one of these vectors is the way forward. Whenever I got stuck for longer than 2 hours, . I would note down what I missed, and move on. After completing a box, I would compare my writeup with those online. Did I miss an alternative attack vector? Did they use a different tool? I would then update my writeup accordingly.
Do Practice Exams.
About a week before my scheduled OSCP exam, I would simulate the OSCP test environment by using machines of the same type and the same time constraints. This significantly reduced my nervousness during the actual exam.
OSWE
For the OSWE, I spent 472 hours, studying an average of 6 hours and 2 minutes a day.
When possible, I scripted the solutions to each machine/study resource with python. I got comfortable using python's requests library, which was essential in the OSWE exam.
Really enjoyed the practice-centric approach.
I like the interactive client. Videos were approachable and enjoyable. Good practice-centric approach to JavaScript.
I used these videos to get used to reading PHP/C# syntax.
Good introductory resource. I took the Django course because some OSWE reviews said you should learn .
This course was formerly at TCM Academy. It was more on the blackbox side and not that relevant to the OSWE.
This was a gentle introduction to PHP and web attacks.
The "meat and potatoes" of my OSWE journey. I learned a lot by first manually solving each challenge lab, then writing a python script that'll solve
OSWE Course Materials and Extra Miles
As the scripts written in the Course Materials were in Python2, I would rewrite them all in Python3. I also completed every extra mile.
Challenge Lab: Squeakr
Although this was a blackbox challenge, the lessons learned were very applicable to the exam.
Practice Exam 2: Answers and Docedit
These were the challenge labs in the OSWE course and were really great practice for the actual exam.
Review
Initially, the OSWE intimidated me because I had zero prior programming experience. A source code review exam sounded like a nightmare. I remember telling a friend, "I don't know how to read source code, how am I'm supposed to audit it and write exploits?" It didn't help that most of the OSWE reviews at that time, were from software engineers who had experience programming. Well, I'm living proof that you can get the OSWE from absolutely zero programming knowledge.
The exam was moderately easier than what I expected.
Tips
Initially, I got stuck because I was afraid of the requests library. I felt that I "wasn't good enough yet" and would jump around programming tutorials, hoping that after the next one I'd be "good enough" to learn how to write exploits. I think this kind of procrastination was a protective strategy for coping with the conflicting fear of failing and the desire to succeed. It wasn't that I was unmotivated - in fact, I was overmotivated. However, if I failed to "learn" the requests library, then I felt it would mean that I had "failed" the OSWE. It seemed much safer to just study one more programming tutorial than risking it all.
What got me out of this predicament was just doing it - Out of frustration, I wrote an "exploit script" for SecAura's Build it and Break it. I "chained" vulnerabilities I thought made sense, and in the process, had to confront the big scary monster that was the requests library documentation. It turned out to be incredibly readable and approachable. If you're ever in a similar situation, I recommend just diving in. You can learn anything with enough time, effort and persistence. You never "learn" something one-and-done. It's a continuous journey where you pick up and put down things along the way.
Nowadays, I also recommend using LLMs like ChatGPT to ask "How do I use the requests library?" and to clarify any worries you may have. Asking questions to a helpful programming coach can break down "impossible" tasks into approachable ones.
Looking back, it seems so stupid that I wasted time on programming tutorials instead of just Reading The Fun Manual (RTFM). Thankfully, now that I'm old and wise, I'll never make the same mistake again... so of course recently I fell into the same trap.
When I was learning C/C++ in preparation for the EXP-401. I would scour online posts looking for the "right" resources for learning. Thankfully, I thought back to my experience learning python, and just jumped into OpenSecurityTraining2's Vulns 1001 and Vulns 1002 course, where I got to stare at vulnerable C/C++ code all day. I learned far more C/C++ by reading vulnerable code, than I did watching yet another programming tutorial.
Interlude
After spending ~1123 hours chasing certifications, I wanted to verify whether these certificates were actually useful, so I thought about getting an internship - but who would hire someone with zero job experience and no college degree?
Social Engineering Experts
In January 2023, I joined Social Engineering Experts, a Singaporean CTF team. At that time, I was studying for the OSWE and thought that Web CTF challenges were a good way to practice for it. It was a great decision - I made a lot of friends and even wrote my own CTF challenge for SEETF 2023.
KPMG
In May 2023, I interned at KPMG's Cyber Defense, doing mobile, web (blackbox and whitebox) penetration tests. It was a good experience applying the knowledge and methodology I earned through studying the OSCP and OSWE to make websites safer. I also did some open source security research and found CVE-2023-3552. I ended the internship going on a Department Trip to Vietnam, which was nice.
Note: There are valid criticisms about roles, but I didn't really mind because I was very early into my career.
BSCP
While I was at KPMG, I got access to Burp Suite Pro, which allowed me to take the Burp Suite Certified Practitioner (BSCP) exam. I didn't bother tracking the hours I spent studying. I just did all the Apprentice, Practitioner labs and the Practice exam.
The BSCP exam was incredibly stressful due to the short time constraints (4 hours). I remember reading exam reviews where students failed on multiple occasions, so I went into it expecting to fail at least ten times before passing. Surprisingly, I passed on my first try with 3 minutes left, my hand trembling as I hurriedly submitted the last flag. If you're considering taking the BSCP exam, I found this github repo by botesjuan incredibly useful for referencing during the exam.
Second Gap Year
Emerging from my internship, I knew I wanted to get the OSCE3. Thus, I declined my offer from the National University of Singapore's Information Security programme to
OSEP
For the OSEP, I spent , studying an average of a day.
OSEP Course Materials and Extra Miles
I did most of the extra miles. The sections "Bypassing Network Filters" and "Kiosk Breakouts" were not relevant to my exam.
Challenges 1-6
These were really easy.
Exam Attempt #1
Failed. The exam was a very different beast from what I was expected.
I found this network messy and confusing.
Very well designed network that was instrumental in passing the exam.
This was designed with realism in mind, which my methodology lacked.
Review
The OSEP is a good course. It takes complicated topics like Active Directory exploitation and Antivirus Evasion and distills it into an approachable format. From a purely learning standpoint, it's well-made.
Unfortunately, the OSEP exam has some issues.
I ran into technical difficulties on both my exam attempts.
The exam was harder than what I was expecting. The majority of the course focused on Phishing and AV evasion and the Challenge machines were easy, so I expected the exam to be similar. Unfortunately, the exam leans towards standard OSCP-like exploitation and Lateral Movement.
Exam Attempt 1
I encountered technical difficulties in the exam network, and informed the proctor. The technical staff did not find any issues, and the exam continued. Later, I again informed the proctor about the issues , but upon reevaluation, they determined that no issues were present.
Exam Attempt 2
Once again, I encountered the same exam set, with the same technical difficulties. Fortunately, it was determined that there were technical difficulties present. I was given an extension of 2 hours, a free exam retake attempt, and a waiver of the cooling-off period. Nevertheless, I was able to find an alternative foothold that I missed on my first Exam Attempt, which allowed me to pass the exam.
In retrospect, I think most of my troubles stemmed from inaccurate expectations of what the OSEP exam was like. Had I approached the OSEP more like the 2022 OSCP, and trained more on other platforms, I think I would have had a much better experience.
I think before you take the OSEP exam, you should be comfortable with Lateral Movement using ligolo-ng, Active Directory Enumeration with BloodHound and Exploitation using crackmapexec. You should be familiar with OSCP-like foothold exploitation and privilege escalation. Your payloads also shouldn't trigger the AV in the Challenges.
Tips
Be prepared
I maintained a secondary Windows VM dedicated to compiling Shellcode Runners, MSSQL exploits and phishing documents. This allowed me to efficiently transfer files to my Kali virtual machine using Shared Folders - a method that was simpler and faster compared to using the course's debug machine.
I kept a folder containing all my AMSI bypasses, Shellcode Runners, Enumeration Scripts and Post-Exploitation utilities. Using a Python web server, I could quickly transfer anything I needed onto the target machine.
I also wrote an enumeration script to automate a part of the enumeration process. You can find it here:
OSED
For the OSED, I spent , studying an average of a day.
Course Materials and Extra Miles
I did most of the Extra Miles except Faronics.
Challenge 2
I found this to be quite easy.
Custom Shellcode Exercises: MessageBox, download and run .msi over HTTP
This was really fun, I got comfortable reading MSDN for Win32 APIs.
Well made, great practice for the exam.
Review
The exam was about as difficult as I expected, which might come off as a surprise because the OSED is . I think the OSED is painted in a bad light because topics like Assembly and Binary Exploitation look intimidating. That's a real shame, because it's a great course that teaches the fundamentals of Windows Binary Exploitation.
I myself have been guilty of this; I probably wouldn't have taken the OSED if it weren't a part of the OSCE3. I wrongly assumed that exploit development was too technical and "low level" for me. Looking back, I should have given it five minutes - watched a simple video about buffer overflows, before disregarding an.
If it's any help, I'm living proof that you can achieve the OSED from absolutely zero binary exploitation experience.
I believe a key component of my success, was approaching these "intimidating" topics like Structured Exception Handler Overwrites and Egghunters head on, and asking ChatGPT to explain these concepts until they made sense. I learned that the Structured Exception Handler is basically like an operations room that calls a phone number in a log book whenever an exception occurs. By overwriting the log book ( SEH record ), you can make the program call ( execute ) your malicious phone number ( your code ).
Tips
Writing custom shellcode and return oriented programming, is a really detail-oriented activity. You have to keep track of bad characters, offsets and gadgets. Instead of relying on my fallible mind, I combined ommadawn46's win-x86-shellcoder and the RopChain class from @Tan90909090's OSED blog post into an all-in one script. You can find the exploit template I wrote here:
OSCE3
Two months after earning the OSCE3 Certification, I received my physical certificate and challenge coin.
My Linkedin post about obtaining the OSCE3 did pretty well - 129,111 impressions.
Surprisingly, I received 0 messages from recruiters after getting an OSCE3. I didn't really mind, but I think this was probably due to the and me not being in .
Reflections
I realized that with each certificate I obtained, I took less and less time getting the next one. That's surprising, because I think I took the courses in increasing order of difficulty. I attribute this result to , and shifting towards working a .
For what it's worth, I think this gap year was worth it. I got to make new friends, experiences and learn difficult, technical skills. I'm a more competent, competitive candidate than when I first started. I feel much more confident applying for internships and learning other technical subjects.
I do wish I didn't fall for the myth that there are millions of cybersecurity jobs available. I also wish someone with these certificates told me that they weren't the end-all-be-all of information security. I probably would have still took a gap year, but I would've had realistic expectations about what the OSCE3 can do for your career.
From all that I've asked/read, I think that it can set you apart from other candidates and get you into the interview room, but you still need the chops to get the role. Until I actually start looking for roles, I still don't know for sure how useful the OSCE3 is. For now, I'll keep my head down low and continue studying until I'm so good they can't ignore you.
Trends
When I first started,. Now, excluding me, there are around 3. Recently, another 19 year old has achieved the OSCE3. I think infosec is shifting towards certifications and academic degrees over Github Profiles, and I'm not sure how I feel about it.
Should you get the OSCE3?
Although I never intended for this article to encourage/discourage people from going after the OSCE3, I'm sure I'll get this question so I'll try my best to "answer" it. Also see: The perils of general advice, and why advice about certificates are usually a recipe for disaster.
As a 22-year old with ~3 months of job experience, I'm one of the least qualified persons to dish out career advice, so I won't. However, I think these questions are worth asking:
Can you afford worth of course materials?
Can you make a lot () of time for self studying?
Most people I know study these courses while in work/school, and can take significantly ( ) longer than the .
Are you in your career?
Should you take a gap year to study the OSCE3?
When I started, there were barely any resources and documentation about gap years. I think it's an incredibly personal decision, and I can't in good faith, give advice. Here are some questions that might be worth asking:
Do you have 1 year or more of living expenses?
Do you have sources of support from friends and/or family?
Are you okay with being misunderstood/isolated for long periods of time?
Do you have the discipline to study consistently and focus for long periods of time?
The value of the OSCE3 is indeterminate, is that okay with you?
It's also worth considering the possibility that on your deathbed, no one will remember or care about the certificates you got.
Why am I still planning to attend college?
Interestingly, this is the number one question I get, whenever I tell others I'm taking a gap year to study certificates.
The education premium for college graduates is incredibly high (~50%). Assuming you can graduate, college remains I think gap years may be a great way to complement a college experience. Showing up as a driven, skilled candidate can give you a leg up in internships, which may compound into a larger advantage down the line.
What's next?
Right now, I'm for the OffSec's EXP-401 course, arguably the hardest exploit development course in infosec. Later this year, I'll be attending Corelan Advanced in Sydney, Yarden Shafir's Windows Internals for Security Engineers, OffensiveCon 2024 and SINCON 2024's EXP-401 Live Training. If you're attending any of these, please send me a message via LinkedIn or X/Twitter so we can meet up!
Fun fact: As I was writing this article, I realized that I reached my 2000 hour studying anniversary. Here's to 8000 more. 🎉
Last updated