# My First Year In InfoSec: Zero to OSCE3

In August 2022, I took a gap year to study OffSec certifications to "break into" the information security industry. In total, I spent [**1732**](#user-content-fn-1)[^1]**\*** hours studying, acquiring the [OSCP](https://www.offsec.com/courses/pen-200/), [OSWE](https://www.offsec.com/courses/web-300/), [BSCP](https://portswigger.net/web-security/certification), [OSEP](https://www.offsec.com/courses/pen-300/), [OSED](https://www.offsec.com/courses/exp-301/) and [OSCE3](https://www.offsec.com/offsec/osce3-certification/) certifications. As of Feb 2024, I'm the youngest OSCE3[^2]\* in Singapore.

In this blogpost, I share my experience going from **absolute zero** to **OSCE3**. I've written this guide to share:

* How long it took for me to acquire these certificates
* What study resources I used to go from absolute zero to OSCE3
* Some tools I created which should help you with these exams
* My reflections after obtaining the OSCE3

At the end, I'll also try to answer questions like, "Was the gap year worth it?" and "Why am I still planning to attend college after this?".

*Please note: This article is a reflection of **my experience**. Your experience with studying certifications may be different. The learning path I took is not the* [*royal road*](https://www.dictionary.com/browse/royal-road)*. What works for me, may not work for you.*

### Why Certifications?

Certifications are a controversial topic in information security. In my opinion, certifications for practical, proctored exams are a great way to demonstrate your ability to employers. [However, they are not the **ONLY** way.](#user-content-fn-3)[^3]

I've found OffSec courses to be a well-structured environment where I could learn different areas of offensive security, while having a challenging exam as an end goal.

### Why a Gap Year?

After serving [mandatory national service](https://en.wikipedia.org/wiki/National_service_in_Singapore), I had little direction on where I wanted to go career-wise. Analyzing my potential options, I found information security to be a technical, [well-paid](https://www.bls.gov/ooh/computer-and-information-technology/information-security-analysts.htm), [impactful](https://80000hours.org/career-reviews/information-security/) and safe option. Importantly, I saw that there were certifications like the OSCP which were considered the [**"gold standard"**\*](#user-content-fn-4)[^4].

If I could acquire these certifications, it could make me a more competitive candidate in job applications. A gap year to focus entirely on certificates seemed like an investment with [asymmetric returns](https://en.wikipedia.org/wiki/Asymmetric_payoff). In the worst case, I would lose a year. In the best case, I might get my hands on a [miracle year](https://www.dwarkeshpatel.com/p/annus-mirabilis).

## OSCP

*Note: I took the* [*2022 OSCP Exam*](https://www.offsec.com/offsec/oscp-exam-structure/)*. In 2023, the OSCP was* [*updated*](https://www.offsec.com/offsec/pen-200-2023/)*.*

*As with all my other OffSec courses, I purchased the* [*"90 Days Course & Exam"*](https://www.offsec.com/offsec/course-cert-bundle/) *bundle instead of the* [*Learn One*](https://www.offsec.com/products/learn-one/) *subscription. Before purchasing a course from OffSec, you may want to try reaching out to them for goodwill discounts. Alternatively, OffSec offers discounts for* [*students*](https://help.offsec.com/hc/en-us/articles/4415856211348-Do-you-offer-student-discounts) *and at the* [*year's end*](https://www.linkedin.com/posts/offsec-training_dont-miss-the-chance-to-save-20-on-learn-activity-7146817201621135360-6-yQ/?utm_source=share\&utm_medium=member_desktop)*.*

For the OSCP, I spent **651** hours, pwning a total of **136** machines and studying an average of **7 hours and 33 minutes** a day.

Below is a rough list of the study resources I used to pass the OSCP exam:

| Study Resource | Review |
| --- | --- |
| [Udemy courses for the Network+](https://www.udemy.com/course/total-comptia-network-n10-008/) and [Security+](https://www.udemy.com/course/total-comptia-security-certification-sy0-601/) | [Unsure if they were useful](#user-content-fn-5)[^5]. If you're not short on time, I would recommend Professor Messer's [Network+](https://youtube.com/playlist?list=PLG49S3nxzAnmpdmX7RoTOyuNJQAb-r-gd&si=pvd1HhUTUfFtAN4f) and [Security+](https://youtube.com/playlist?list=PLG49S3nxzAnnVhoAaL4B6aMFDQ8_gdxAy&si=PI56oO74V-lf3QyY) courses. |
| [TCM Security's Practical Ethical Hacking](https://academy.tcm-sec.com/p/practical-ethical-hacking-the-complete-course), [Windows Privilege Escalation](https://academy.tcm-sec.com/p/windows-privilege-escalation-for-beginners) and [Linux Privilege Escalation courses](https://academy.tcm-sec.com/p/linux-privilege-escalation) | Very useful. After the courses, I felt much better equipped to start doing practice boxes. |
| [TryHackMe Networks](https://tryhackme.com/hacktivities#network-rooms): [Holo](https://tryhackme.com/room/hololive), [Wreath](https://tryhackme.com/room/wreath), etc. | Very important. These networks taught me lateral movement across Active Directory instances. |
| TryHackMe Machines: [Mr Robot CTF](https://tryhackme.com/room/mrrobot), [Hydra](https://tryhackme.com/room/hydra), [Chill Hack](https://tryhackme.com/room/chillhack), [Internal](https://tryhackme.com/room/internal), [SQL Injection](https://tryhackme.com/room/sqlinjectionlm), etc. | Easy machines that were good practice for building a pentesting methodology. |
| 54 Proving Grounds Practice machines from [TJ Null's OSCP-like VM's List](https://docs.google.com/spreadsheets/u/0/d/1dwSMIAPIam0PuRBkCiDI88pU3yzrqqHkDtBngUHNCw8/htmlview) | The "meat and potatoes" of my OSCP journey. I would wake up, solve 2 boxes in PG, then do it again the next day. I did this for about a month. |
| 30 PEN-200 Lab machines | This was done to get the [10 bonus points](https://www.offsec.com/offsec/sunsetting-pen-200-legacy-topic-exercises/) for the OSCP exam. |
| Practice Exams 1 & 2: [CyberSecLabs](https://twitter.com/cyberseclabsuk?lang=en) [Spray](https://www.youtube.com/watch?v=pmaeQlFkFV0), [Pipercoin](https://youtu.be/DetWc55UOZw?si=bhyo0u9pDdkx8QHn), [Toast](https://youtu.be/CndMDvjX8dg?si=KPCoP7zz25os45pc), [Sync](https://youtu.be/ndBZSWKo54c?si=6_EyCghYwoOrkHjt), [Glass](https://youtu.be/8nnVjdtO5kM?si=IPAzCFRnxp4Bs015), [Office](https://youtu.be/PcV3tOw7f_k?si=Vhk3O7B4iizQMF4W), [Casino](https://youtu.be/ZwYqDZOvUpY?si=HLPcOem0brE7FGAa), etc. | I did practice exams and wrote exam reports using machines from [CSL](#user-content-fn-6)[^6]. |

### Review

The exam was **much** easier than I expected. Lateral movement, something I learned in [Holo](https://tryhackme.com/room/hololive), turned out to be **incredibly** important. Although I used [chisel](https://github.com/jpillora/chisel), nowadays I would recommend using [ligolo-ng](https://github.com/nicocha30/ligolo-ng).

Although it may look like I overprepared, I look back at this intensive preparation as laying a strong foundation for my future endeavors. To me, learning is a continuous journey, where knowledge builds upon itself. [I paid the startup cost of understanding](https://youtu.be/7Ysy6iA2sqA?si=VISz34ggmyXIZXrh\&t=523) topics like Active Directory well, which was later helpful when I studied for the OSEP.

### Tips

1. Make a writeup for every machine as you complete it.

When pentesting, take notes about each machine and synthesize a writeup as you go. This will save a lot of time when you have to write a report for the OSCP exam. Furthermore, with each writeup you make, you now have a case study to reference when doing similar machines. \
When learning new topics, I also suggest taking [Atomic Notes](https://grahamhelton.com/blog/atomicnotes/) so you can network concepts and easily refer to them later.

2. Look up similar walkthroughs while pentesting.

Whenever you're stuck, I highly recommend looking at [0xdf's](https://0xdf.gitlab.io/tags)/[IppSec's](https://ippsec.rocks/?) website to see how similar machines were rooted. \
Suppose I was pentesting a [flask](https://flask.palletsprojects.com/en/3.0.x/) web machine. I'd pull up [HackTricks](https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/flask) and [0xdf](https://0xdf.gitlab.io/tags#flask) on a second monitor to look at [flask-specific attack vectors](#user-content-fn-7)[^7]. There's a great chance that one of these vectors is the way forward.\
Whenever I got stuck for longer than 2 hours, [I would look up a walkthrough for the machine](#user-content-fn-8)[^8]. I would note down what I missed, and move on.\
After completing a box, I would compare my writeup with those online. Did I miss an alternative attack vector? Did they use a different tool? I would then update my writeup accordingly.

3. Do Practice Exams.

About a week before my scheduled OSCP exam, I would simulate the OSCP test environment by using machines of the same type and the same time constraints. This **significantly** reduced my nervousness during the actual exam.

## OSWE

For the OSWE, I spent **472** hours, studying an average of **6 hours and 2 minutes** a day.

*When possible, I scripted the solutions to each machine/study resource with python. I got comfortable using python's* [*requests library,*](https://requests.readthedocs.io/en/latest/) *which was essential in the OSWE exam.*

| Study Resource | Review |
| --- | --- |
| [Learn Python3 the Hard Way](https://learnpythonthehardway.org/python3/) | Really enjoyed the practice-centric approach. |
| [Scrimba: Learn JavaScript for free](https://scrimba.com/learn/learnjavascript) | I like the interactive client. Videos were approachable and enjoyable. Good practice-centric approach to JavaScript. |
| [freecodecamp PHP](https://www.youtube.com/watch?v=OK_JCtrrv-c), [C#](https://www.youtube.com/watch?v=GhQdlIFylQ8) | I used these videos to get used to reading PHP/C# syntax. |
| Code With Mosh [Java](https://codewithmosh.com/p/the-ultimate-java-mastery-series), [SQL](https://codewithmosh.com/p/complete-sql-mastery), [Django](https://codewithmosh.com/p/the-ultimate-django-series) | Good introductory resource. I took the Django course because some OSWE reviews said you should learn [what an MVC framework is](#user-content-fn-9)[^9]. |
| [Practical Web Application Security and Testing](https://taggartinstitute.org/p/pwst) | This course was formerly at TCM Academy. It was more on the blackbox side and not that relevant to the OSWE. |
| [SecAura's Build it and Break it](https://youtube.com/playlist?list=PLwnDE0CN30Q83Ym58wJdPkbdpTfnv36m9&si=s4PCiE5RhUsudzjc) | This was a gentle introduction to PHP and web attacks. |
| [WebSecurityAcademy](https://portswigger.net/web-security) [SQLi](https://portswigger.net/web-security/sql-injection), [XSS](https://portswigger.net/web-security/cross-site-scripting), [CSRF](https://portswigger.net/web-security/csrf), [Deserialization](https://portswigger.net/web-security/deserialization), [Prototype Pollution](https://portswigger.net/web-security/prototype-pollution), [XXE](https://portswigger.net/web-security/xxe), [Command Injection](https://portswigger.net/web-security/os-command-injection), [Business Logic](https://portswigger.net/web-security/logic-flaws), [CORS](https://portswigger.net/web-security/cors), [Access Control labs](https://portswigger.net/web-security/access-control). | The "meat and potatoes" of my OSWE journey. I learned a lot by first manually solving each challenge lab, then writing a python script that'll solve |
| OSWE Course Materials and Extra Miles | As the scripts written in the Course Materials were in Python2, I would rewrite them all in Python3. I also completed every extra mile. |
| Challenge Lab: Squeakr | Although this was a blackbox challenge, the lessons learned were very applicable to the exam. |
| Practice Exam 1: bmdyy's [tudo](https://github.com/bmdyy/tudo) and [testr](https://github.com/bmdyy/testr) | Very useful. Great practice. |
| Practice Exam 2: Answers and Docedit | These were the challenge labs in the OSWE course and were really great practice for the actual exam. |

### Review

Initially, the OSWE intimidated me because I had **zero** prior programming experience. A source code review exam sounded like a nightmare. I remember telling a friend, "I don't know how to read source code, how am I supposed to audit it and write exploits?"

It didn't help that most of the OSWE reviews at that time were from software engineers who had experience programming. Well, I'm living proof that you can get the OSWE from absolutely **zero** programming knowledge.

The exam was **moderately** easier than what I expected.

### Tips

1. [Stop Studying Programming](https://youtu.be/QMbx0dTWJIQ?si=EkdpKZ6FSrX6tgrS)

Initially, I got stuck because I was afraid of the requests library. I felt that I "wasn't good enough yet" and would jump around programming tutorials, hoping that after the next one I'd be "good enough" to learn how to write exploits. \
\
I think this kind of [procrastination was a **protective strategy** for coping with the conflicting fear of failing and the desire to succeed](https://youtu.be/52lZmIafep4?si=cYwv5DDQIpzQ5jCi\&t=646). It wasn't that I was unmotivated - in fact, I was **overmotivated**. However, if I failed to "learn" the requests library, then I felt it would mean that I had "failed" the OSWE. It seemed much safer to just study one more programming tutorial than risking it all.

What got me out of this predicament was **just doing it** - Out of frustration, I wrote an "exploit script" for [SecAura's Build it and Break it](https://github.com/SecAuraYT/OSWE/tree/main/SecAura%20Blog%20PHP%20Web%20App). I "chained" vulnerabilities I thought made sense, and in the process, had to confront the big scary monster that was the requests library documentation. It turned out to be incredibly readable and approachable.\
\
If you're ever in a similar situation, I recommend **just diving in**. You can learn anything with enough [time, effort and persistence](https://betonit.substack.com/p/do-ten-times-as-much). You never "learn" something one-and-done. It's a continuous journey where you pick up and put down things along the way.

Nowadays, I also recommend using LLMs like [ChatGPT](https://chat.openai.com/) to ask "How do I use the requests library?" and to clarify any worries you may have. Asking questions to a helpful programming coach can break down "impossible" tasks into approachable ones.

Looking back, it seems so stupid that I wasted time on programming tutorials instead of just [Reading The Fun Manual (RTFM)](https://www.youtube.com/watch?v=M9nonbu7tHA). Thankfully, now that I'm old and wise, I'll never make the same mistake again... so of course recently I fell into the same trap.

When I was learning C/C++ in preparation for the EXP-401, I would scour online posts looking for the "right" resources for learning. Thankfully, I thought back to my experience learning python, and **just jumped into** OpenSecurityTraining2's [Vulns 1001](https://p.ost2.fyi/courses/course-v1:OpenSecurityTraining2+Vulns1001_C-family+2023_v1/course/) and [Vulns 1002](https://p.ost2.fyi/courses/course-v1:OpenSecurityTraining2+Vulns1002_C-family+2023_v1/course/) courses, where I got to stare at vulnerable C/C++ code all day. I learned far more C/C++ by reading vulnerable code than I did watching yet another programming tutorial.

## Interlude

After spending **\~1123** hours chasing certifications, I wanted to verify whether these certificates were actually useful, so I thought about getting an internship - but who would hire someone with zero job experience and no college degree?

### Social Engineering Experts

In January 2023, I joined [Social Engineering Experts](https://seetf.sg/), a Singaporean CTF team. At that time, I was studying for the OSWE and thought that Web CTF challenges were a good way to practice for it. It was a great decision - I made a lot of friends and even wrote my own [CTF challenge for SEETF 2023](https://infosec.jaelkoh.com/2023/seetf-2023-fu).

### KPMG

In May 2023, I interned at KPMG's Cyber Defense, doing mobile and web (blackbox and whitebox) penetration tests. It was a good experience applying the knowledge and methodology I earned through studying the OSCP and OSWE to make websites safer.\
I also did some open source security research and found [CVE-2023-3552](https://huntr.dev/bounties/aeb2f43f-0602-4ac6-9685-273e87ff4ded/).\
I ended the internship going on a [Department Trip to Vietnam](https://www.linkedin.com/posts/jaelkoh_internship-kpmg-cybersecurity-activity-7093216085151256576-bkdm), which was nice.

*Note: There are valid criticisms about* [*consulting*](#user-content-fn-10)[^10] *roles, but I didn't really mind because I was very early into my career.*

### BSCP

While I was at KPMG, I got access to [Burp Suite Pro](https://portswigger.net/burp/pro), which allowed me to take the [Burp Suite Certified Practitioner](https://portswigger.net/web-security/certification) (BSCP) exam. I didn't bother tracking the hours I spent studying. I just did all the Apprentice, Practitioner labs and the Practice exam.

The BSCP exam was incredibly stressful due to the short time constraints (4 hours). I remember reading exam reviews where students failed on multiple occasions, so I went into it expecting to fail at least ten times before passing. Surprisingly, I passed on my first try with **3 minutes left**, my hand trembling as I hurriedly submitted the last flag.

*If you're considering taking the BSCP exam, I found this* [*github repo by botesjuan*](https://github.com/botesjuan/Burp-Suite-Certified-Practitioner-Exam-Study) *incredibly useful for referencing during the exam.*

### Second Gap Year

Emerging from my internship, I knew I wanted to get the OSCE3. Thus, I declined my offer from the [National University of Singapore's Information Security programme](https://www.comp.nus.edu.sg/programmes/ug/isc/) to [take another gap year. ](#user-content-fn-11)[^11]

## OSEP

For the OSEP, I spent [**345** hours](#user-content-fn-12)[^12], studying an average of [**6 hours 20 minutes**](#user-content-fn-13)[^13] a day.

| Study Resources | Review |
| --- | --- |
| OSEP Course Materials and Extra Miles | I did most of the extra miles. The sections "Bypassing Network Filters" and "Kiosk Breakouts" were not relevant to my exam. |
| Challenges 1-6 | These were really easy. |
| Exam Attempt #1 | Failed. The exam was a very different beast from what I expected. |
| [VulnLab](https://www.vulnlab.com/): [Baby](https://wiki.vulnlab.com/hints-and-walkthroughs/easy/baby), [Job](https://wiki.vulnlab.com/hints-and-walkthroughs/medium/job), [Lustrous](https://wiki.vulnlab.com/hints-and-walkthroughs/medium/lustrous-chain) | Well designed boxes that taught me some new attack techniques. |
| [HTB: Cybernetics](https://app.hackthebox.com/prolabs/overview/cybernetics) | I found this network messy and confusing. |
| [VulnLab: Shinra](https://www.youtube.com/watch?v=FYWGhdaDcZo&list=PLPBVZbjvnjVkIgFavcRiBKbDSricFJeoD) | Very well designed network that was instrumental in passing the exam. |
| [VulnLab: Wutai](https://www.youtube.com/watch?v=QpQ66IaR06U&list=PLPBVZbjvnjVkOHMqB39eiqSdNLdezIw1X) | This was designed with realism in mind, which my methodology lacked. |

### Review

The OSEP is a good course. It takes complicated topics like Active Directory exploitation and Antivirus Evasion and distills them into an approachable format. From a purely learning standpoint, it's well-made.

Unfortunately, the OSEP exam has some issues.

1. [The exam is not a good reflection of the course materials, extra miles and challenges.](#user-content-fn-14)[^14]
2. I ran into technical difficulties on **both** my exam attempts.

The exam was **harder** than what I was expecting. The majority of the course focused on Phishing and AV evasion and the Challenge machines were easy, so I expected the exam to be similar. Unfortunately, the exam leans towards standard OSCP-like exploitation and Lateral Movement.

#### Exam Attempt 1

I encountered technical difficulties in the exam network, and informed the proctor. The technical staff did not find any issues, and the exam continued. Later, I again informed the proctor about the issues, but upon reevaluation, they determined that no issues were present.

#### Exam Attempt 2

Once again, I encountered the same exam set, with the **same** technical difficulties. Fortunately, it was determined that there **were** technical difficulties present. I was given an extension of 2 hours, a free exam retake attempt, and a waiver of the cooling-off period. \
Nevertheless, I was able to find an alternative foothold that I missed on my first Exam Attempt, which allowed me to pass the exam.

In retrospect, I think most of my troubles stemmed from inaccurate expectations of what the OSEP exam was like. Had I approached the OSEP more like the 2022 OSCP, and trained more on other platforms, I think I would have had a much better experience.

I think before you take the OSEP exam, you should be comfortable with Lateral Movement using [ligolo-ng](https://github.com/nicocha30/ligolo-ng), Active Directory Enumeration with [BloodHound](https://github.com/SpecterOps/BloodHound) and Exploitation using [crackmapexec](https://github.com/byt3bl33d3r/CrackMapExec). You should be familiar with OSCP-like foothold exploitation and privilege escalation. Your payloads also shouldn't trigger the AV in the Challenges.

### Tips

1. Be prepared

I maintained a secondary Windows VM dedicated to compiling Shellcode Runners, MSSQL exploits and phishing documents. This allowed me to efficiently transfer files to my Kali virtual machine using Shared Folders - a method that was simpler and faster compared to using the course's debug machine.

I kept a folder containing all my AMSI bypasses, Shellcode Runners, Enumeration Scripts and Post-Exploitation utilities. Using a Python web server, I could quickly transfer anything I needed onto the target machine.

I also wrote an enumeration script to automate a part of the enumeration process. You can find it here:

{% embed url="<https://github.com/jayesther/OSEP_OSED_TOOLS/blob/main/OSEP_enum.ps1>" %}

## OSED

For the OSED, I spent [**262** hours](#user-content-fn-12)[^12], studying an average of [**6 hours 20 minutes**](#user-content-fn-15)[^15] a day.

| Study Resources | Review |
| --- | --- |
| Course Materials and Extra Miles | I did most of the Extra Miles except Faronics. |
| Challenge 2 | I found this to be quite easy. |
| Custom Shellcode Exercises: MessageBox, download and run .msi over HTTP | This was really fun; I got comfortable reading MSDN for Win32 APIs. |
| Practice Exam 1: bmdyy's [Signatus](https://github.com/bmdyy/signatus) and [QuoteDB](https://github.com/bmdyy/quote_db) | Well made, great practice for the exam. |
| [xct's Rainbow](https://github.com/xct/vulnbins) | Well made, great practice for the exam. |

### Review

The exam was **about as** difficult as I expected, which might come off as a surprise because the OSED is [often ranked the hardest of the OSCE3](#user-content-fn-16)[^16]. I think the OSED is painted in a bad light because topics like Assembly and Binary Exploitation look intimidating. That's a real shame, because it's a **great** course that teaches the fundamentals of Windows Binary Exploitation.

I myself have been guilty of this; I probably wouldn't have taken the OSED if it weren't a part of the OSCE3. I wrongly assumed that exploit development was too technical and "low level" for me. Looking back, I should have [given it five minutes](https://signalvnoise.com/posts/3124-give-it-five-minutes) and watched a [simple video](https://youtube.com/watch?v=qpyRz5lkRjE) about buffer overflows before disregarding an [entire field of infosec](#user-content-fn-17)[^17].

If it's any help, I'm living proof that you can achieve the OSED from absolutely zero binary exploitation experience.

I believe a key component of my success was approaching these "intimidating" topics like [Structured Exception Handler Overwrites](https://www.ired.team/offensive-security/code-injection-process-injection/binary-exploitation/seh-based-buffer-overflow) and [Egghunters](https://fuzzysecurity.com/tutorials/expDev/4.html) **head on**, and asking ChatGPT to explain these concepts until they made sense. I learned that the Structured Exception Handler is basically like an operations room that calls a phone number in a log book whenever an exception occurs. By overwriting the log book (the SEH record), you can make the program call (execute) your malicious phone number (your code).

### Tips

1. [Write your own tooling](https://www.youtube.com/watch?v=At-SWQyp-DY)

Writing custom shellcode and return oriented programming is a really detail-oriented activity. You have to keep track of bad characters, offsets and gadgets. Instead of relying on my fallible mind, I combined [ommadawn46's win-x86-shellcoder](https://github.com/ommadawn46/win-x86-shellcoder) and the RopChain class from [@Tan90909090's OSED blog post](https://tan.hatenadiary.jp/entry/2023/10/30/020524) into an all-in-one script.

You can find the exploit template I wrote here:

{% embed url="<https://github.com/jayesther/OSEP_OSED_TOOLS/blob/main/OSED_exploit.py>" %}

## OSCE3

Two months after earning the OSCE3 Certification, I received my physical certificate and challenge coin.

<figure><img src="https://1805220041-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNikY1d6pYYbsB18oO39J%2Fuploads%2FATIr4b5eIlZCHVcd6Mgx%2FIMG_9085.png?alt=media&#x26;token=14af4e03-bb0e-47a9-8af1-7319bf9bf20a" alt=""><figcaption><p>Maybe the most expensive piece of paper I'll ever buy.</p></figcaption></figure>

My [Linkedin post](https://www.linkedin.com/posts/jaelkoh_osce3-certification-secured-if-its-activity-7135779491062173696-6Lw4?utm_source=share\&utm_medium=member_desktop) about obtaining the OSCE3 did pretty well - 129,111 impressions.

<figure><img src="https://1805220041-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNikY1d6pYYbsB18oO39J%2Fuploads%2FihHbmms9vmYSPshv6Fzu%2Fimage.png?alt=media&#x26;token=c84d0d3e-7049-411a-bab4-27201dde26ec" alt=""><figcaption><p>Ever wondered how many views an OSCE3 post on LinkedIn receives? </p></figcaption></figure>

Surprisingly, I received **0** messages from recruiters after getting an OSCE3. I didn't really mind, but I think this was probably due to the [bad job market](#user-content-fn-18)[^18] and me not being in college[^19].

### Reflections

I realized that with each certificate I obtained, I took less and less time getting the next one. \
That's surprising, because I think I took the courses in **increasing** order of difficulty. I attribute this result to [knowledge transfer](#user-content-fn-20)[^20], [changes that increased my productivity](#user-content-fn-21)[^21] and shifting towards working a [less intense schedule over time](#user-content-fn-22)[^22].

For what it's worth, I think this gap year was worth it. I got to make new friends, gain new experiences and learn difficult, technical skills. I'm a more competent, competitive candidate than when I first started. I feel much more confident applying for internships and learning other technical subjects.

I do wish I didn't fall for the myth that there are [millions of cybersecurity jobs](https://brothke.medium.com/the-big-lie-of-millions-of-information-security-jobs-a7cb1b30c5b6) available. \
I also wish someone with these certificates had told me that they weren't the end-all-be-all of information security. I probably would have still taken a gap year, but I would've had realistic expectations about what the OSCE3 can do for your career.

From all that I've asked/read, I think that it can set you apart from other candidates and get you into the interview room, but you still need the chops to get the role.\
Until I actually start looking for roles, I still don't know for sure how useful the OSCE3 is. For now, I'll keep my head down low and continue studying until I'm [so good they can't ignore you](https://youtu.be/qwOdU02SE0w?si=aK10t7zRAP0rST3f).

#### Trends

When I first started, [there weren't any college undergrads with the OSCE3 in Singapore](#user-content-fn-23)[^23]. Now, excluding me, there are around 3. Recently, [***another*** 19-year-old has achieved the OSCE3](https://www.linkedin.com/posts/redmeow_offensivesecurity-osce3-offsec-activity-7155081753592823808-xse5?utm_source=share\&utm_medium=member_desktop). I think infosec is shifting [towards certifications and academic degrees over Github Profiles](https://lcamtuf.substack.com/p/confessions-of-an-infosec-has-been), and I'm not sure how I feel about it.

### Should you get the OSCE3?

*Although I never intended for this article to encourage/discourage people from going after the OSCE3, I'm sure I'll get this question, so I'll try my best to "answer" it.* \
*Also see:* [*The perils of general advice*](https://grahamhelton.com/blog/certificationindustrialcomplex/)*, and why advice about certificates is usually a recipe for disaster.*

As a 22-year-old with \~3 months of job experience, I'm one of the least qualified people to dish out career advice, so I won't. However, I think these questions are worth asking:

* Can you afford [**\~$7800**](#user-content-fn-24)[^24] worth of course materials?
* Can you make a lot ([**1000++ hours**](#user-content-fn-25)[^25]) of time for self studying?
* Most people I know study these courses while in work/school, and can take significantly ([**\~11 months**](#user-content-fn-26)[^26]) longer than the [<90 days I took for each course](#user-content-fn-27)[^27].
* Are you [earlier](#user-content-fn-28)[^28] in your career?

### Should you take a gap year to study the OSCE3?

When I started, there were barely any resources and documentation about gap years. I think it's an incredibly personal decision, and I can't in good faith give advice. Here are some questions that might be worth asking:

* Do you have **1 year or more** of living expenses?
* [Do you have prior experience/the ability to work for months self-directed at a time?](#user-content-fn-29)[^29]
* Do you have sources of support from friends and/or family?
* Are you okay with being misunderstood/isolated for long periods of time?
* Do you have the discipline to study consistently and focus for long periods of time?
* The value of the OSCE3 is indeterminate; is that okay with you?

It's also worth considering the possibility that on your deathbed, [no one will remember or care about the certificates you got](https://lcamtuf.substack.com/p/on-corporate-life).

### Why am I still planning to attend college?

*Interestingly, this is the number one question I get, whenever I tell others I'm taking a gap year to study certificates.*

The [education premium](https://www.betonit.ai/p/the-case-against-education-makes) for college graduates is [incredibly high](https://nces.ed.gov/programs/digest/d22/tables/dt22_502.30.asp) (\~50%). [Assuming you can graduate](https://www.betonit.ai/p/three_graphs_abhtml), college remains [one of the best ways to increase your income](#user-content-fn-30)[^30].[^31] \
I think gap years **may** be a great way to complement a college experience. Showing up as a driven, skilled candidate can give you a leg up in internships, which **may** compound into a [larger advantage down the line.](https://en.wikipedia.org/wiki/Matthew_effect)

## What's next?

Right now, I'm [hard at work studying](#user-content-fn-32)[^32] for OffSec's [EXP-401 course](https://www.offsec.com/courses/exp-401/), arguably the hardest exploit development course in infosec. Later this year, I'll be attending [Corelan Advanced in Sydney](https://www.eventbrite.com.au/e/advanced-heap-exploitation-for-windows-tickets-692944855717?aff=oddtdtcreator), [Yarden Shafir's Windows Internals for Security Engineers](https://www.offensivecon.org/trainings/2024/windows-internals-for-security-engineers.html), [OffensiveCon 2024](https://www.offensivecon.org/) and [SINCON 2024's EXP-401 Live Training](https://www.infosec-city.com/event-details-registration/sin24-t-exp-401). If you're attending **any** of these, please send me a message via [LinkedIn](https://www.linkedin.com/in/jaelkoh/) or [X/Twitter](https://twitter.com/_jaelkoh) so we can meet up!

*Fun fact: As I was writing this article, I realized that I reached my 2000 hour studying anniversary. Here's to* [*8000* ](https://www.scotthyoung.com/blog/2024/01/23/10000-hr-rule-myth/)*more. 🎉*

[^1]: This is an **extremely rough** number. While I did log every work split, my start and end times were usually rounded to the nearest 15 minutes. Take this number with a big grain of salt.

[^2]: This is unconfirmed, as OffSec does not disclose the ages of their certificate holders. All I'm basing this off is [this](https://www.linkedin.com/feed/update/urn:li:ugcPost:7135639960761618432?commentUrn=urn%3Ali%3Acomment%3A%28ugcPost%3A7135639960761618432%2C7135794229464752129%29\&dashCommentUrn=urn%3Ali%3Afsd_comment%3A%287135794229464752129%2Curn%3Ali%3AugcPost%3A7135639960761618432%29) comment.

[^3]: *For more about this,* [*Graham Helton*](https://grahamhelton.com/) *has a great article about* [*certifications*](https://grahamhelton.com/blog/certificationindustrialcomplex/)*, and alternative ways to demonstrate competence.* \
    [*Louis Nyffenegger*](https://twitter.com/snyff) *has a great* [*talk* ](https://youtube.com/watch?v=Ys66llx4PvA)*about how to improve in this industry and the limitations of certificates.*

[^4]: *A controversial take, but I think the OSCP is one of the better options for getting your foot in the door for entry level roles. (By no means the ONLY way.)*

[^5]: On one hand, I hated every moment of sitting around learning the difference between a CAT5 and a CAT6 cable. On the other hand, I may have avoided the pitfalls of ["Just In Time learning"](https://youtu.be/Ys66llx4PvA?si=ZKkWkpAJWU4dctDz\&t=193).

[^6]: *Unfortunately they have since shut down.*

[^7]: *I've written a* [*flask challenge*](https://infosec.jaelkoh.com/2023/seetf-2023-fu) *before!*

[^8]: *Back then, there was this culture of "Don't read walkthroughs, just try harder".*\
    *I think two hours is a sweet spot of "trying harder" and "not wasting time".*

    *Walkthroughs are an essential part of learning because they allow you to introspect into the methodology of others.*

[^9]: These days, I couldn't tell you what it stands for. 🤣

[^10]: This [article by assume\_breach](https://assume-breach.medium.com/im-not-a-pentester-and-you-might-not-want-to-be-one-either-8b5701808dfc) shares why you might not want to be a pentester.

[^11]: *Technically*, this means the post should be titled "My First 15 months in Security", but it isn't as catchy.

[^12]: This number is **even more** inaccurate than usual because I failed the OSEP on my first attempt, so I ended up studying the OSED while waiting for the [exam cooling off period](https://help.offsec.com/hc/en-us/articles/4406830092564-What-is-the-Exam-Retake-Policy).

[^13]: This value is the same as the OSED's because I failed the OSEP on my first attempt and ended up studying for the OSED while waiting for the [cooling off period](https://help.offsec.com/hc/en-us/articles/4406830092564-What-is-the-Exam-Retake-Policy).

[^14]: In my opinion, the exam should reflect the course materials, as the certification demonstrates completion and understanding of the course.

[^15]: This value is the same as the OSEP's because I failed the OSEP on my first attempt and ended up studying for the OSED while waiting for the [cooling off period](https://help.offsec.com/hc/en-us/articles/4406830092564-What-is-the-Exam-Retake-Policy).

[^16]: Mostly from exam reviews I've read and comments from OffSec's Discord server.

[^17]: This [keynote](https://youtu.be/s_Hk-35YTwE?si=ezCGwYESnOhgxmQz) by [Valentina Palmiotti](https://twitter.com/chompie1337) is a great overview of security research roles.

[^18]: Infosec layoffs: [layoffs.fyi](https://layoffs.fyi/)\
    Also see: [The big lie of millions of information security jobs](https://brothke.medium.com/the-big-lie-of-millions-of-information-security-jobs-a7cb1b30c5b6)

[^19]: I'll be entering college in August 2024.

[^20]: I didn't have to learn Python again for the OSED. My OSCP knowledge helped me with parts of the OSEP.

[^21]: I started using a fixed sleep schedule, exercising every day and studying somewhere other than my bedroom.

[^22]: During the OSCP and OSWE, I only took a rest day when I felt I needed to (every \~10 days) 😬. These days, I force myself to take one rest day a week.

[^23]: To the best of my knowledge.

[^24]: *Assumes 3x Learn One ($2599).*\
    *Amount is likely higher due to subscriptions to other training services.*

[^25]: obviously HIGHLY dependent on your prior expertise with the topics, your ability to self study, etc.

[^26]: VERY loose number taken from some examples off the top of my head.

[^27]: I was able to study full time for these certificates.

[^28]: Certificates can help you get your foot in the door in entry level roles. See this [article](https://grahamhelton.com/blog/certificationindustrialcomplex/) (Certification Pros section).

[^29]: This [article](https://colah.github.io/posts/2020-05-University/) is about how to think about whether to go to college, but it can be mapped onto gap years too.

[^30]: For more about this, I recommend reading [Bryan Caplan's The Case Against Education](https://en.wikipedia.org/wiki/The_Case_Against_Education).

[^31]:

[^32]: I actually signed up for the EXP-401 before even starting the OSED course, but that's a story for next year's review.
