My First Year In InfoSec: Zero to OSCE3

In August 2022, I took a gap year to study OffSec certifications to "break into" the information security industry. In total, I spent 1732* hours studying, acquiring the OSCP, OSWE, BSCP, OSEP, OSED, OSCE3 certifications. As of Feb 2024, I'm the youngest OSCE3* in Singapore.

In this blogpost, I share my experience going from absolute zero to OSCE3. I've written this guide to share:

• How long it took for me to acquire these certificates

• What study resources I used to go from absolute zero to OSCE3

• Some tools I created which should help you with these exams

• My reflections after obtaining the OSCE3

At the end, I'll also try to answer questions like, "Was the gap year worth it?" and "Why am I still planning to attend college after this?".

Please note: This article is a reflection of my experience. Your experience with studying certifications may be different. The learning path I took is not the royal road. What works for me, may not work for you.

Why Certifications?

Certifications are a controversial topic in information security. In my opinion, certifications for practical, proctored exams are a great way to demonstrate your ability to employers. However, they are not the ONLY way.

I've found OffSec courses to be a well-structured environment where I could learn different areas of offensive security, while having a challenging exam as a end goal.

Why a Gap Year?

After serving mandatory national service, I had little direction on where I wanted to go career-wise. Analyzing my potential options, I found information security to be a technical, well-paid, impactful and safe option. Importantly, I saw that there were certifications like the OSCP which were considered the "gold standard"*.

If I could acquire these certifications, it could make me a more competitive candidate in job applications. A gap year to focus entirely on certificates seemed like an investment with asymmetric returns. In the worst case, I would lose a year. In the best case, I might get my hands on a miracle year.

OSCP

Note: I took the 2022 OSCP Exam. In 2023, the OSCP was updated.

As with all my other OffSec courses, I purchased the "90 Days Course & Exam" bundle instead of the Learn One subscription. Before purchasing a course from OffSec, you may want to try reaching out to them for goodwill discounts. Alternatively, OffSec offers discounts for students and at the year's end.

For the OSCP, I spent 651 hours, pwning a total of 136 machines and studying an average of 7 hours and 33 minutes a day.

Below is a rough list of the study resources I used to pass the OSCP exam:

Review

The exam was much easier than I expected. Lateral movement, something I learned in Holo, turned out to be incredibly important. Although I used chisel, nowadays I would recommend using ligolo-ng.

Although it may look like I overprepared, I look back at this intensive preparation as laying a strong foundation for my future endeavors. To me, learning is a continuous journey, where knowledge builds upon each other. I paid the startup cost of understanding topics like Active Directory well, which was later helpful when I studied for the OSEP.

Tips

1. Make a writeup for every machine as you complete it.

When pentesting, take notes about each machine and synthesize a writeup as you go . This will save a lot of time when you have to write a report for the OSCP exam. Furthermore, with each writeup you make, you now have a case study to reference when doing similar machines. When learning new topics, I also suggest taking Atomic Notes so you can network concepts and easily refer to them later.

1. Look up similar walkthroughs while pentesting.

Whenever you're stuck, I highly recommend looking at 0xdf's/IppSec's website to see how similar machines were rooted. Suppose I was pentesting a flask web machine. I'd pull up HackTricks and 0xdf on a second monitor to look at flask-specific attack vectors. There's a great chance that one of these vectors is the way forward. Whenever I got stuck for longer than 2 hours, I would look up a walkthrough for the machine. I would note down what I missed, and move on. After completing a box, I would compare my writeup with those online. Did I miss an alternative attack vector? Did they use a different tool? I would then update my writeup accordingly.

1. Do Practice Exams.

About a week before my scheduled OSCP exam, I would simulate the OSCP test environment by using machines of the same type and the same time constraints. This significantly reduced my nervousness during the actual exam.

OSWE

For the OSWE, I spent 472 hours, studying an average of 6 hours and 2 minutes a day.

When possible, I scripted the solutions to each machine/study resource with python. I got comfortable using python's requests library, which was essential in the OSWE exam.

Review

Initially, the OSWE intimidated me because I had zero prior programming experience. A source code review exam sounded like a nightmare. I remember telling a friend, "I don't know how to read source code, how am I'm supposed to audit it and write exploits?" It didn't help that most of the OSWE reviews at that time, were from software engineers who had experience programming. Well, I'm living proof that you can get the OSWE from absolutely zero programming knowledge.

The exam was moderately easier than what I expected.

Tips

1. Stop Studying Programming

Initially, I got stuck because I was afraid of the requests library. I felt that I "wasn't good enough yet" and would jump around programming tutorials, hoping that after the next one I'd be "good enough" to learn how to write exploits. I think this kind of procrastination was a protective strategy for coping with the conflicting fear of failing and the desire to succeed. It wasn't that I was unmotivated - in fact, I was overmotivated. However, if I failed to "learn" the requests library, then I felt it would mean that I had "failed" the OSWE. It seemed much safer to just study one more programming tutorial than risking it all.

What got me out of this predicament was just doing it - Out of frustration, I wrote an "exploit script" for SecAura's Build it and Break it. I "chained" vulnerabilities I thought made sense, and in the process, had to confront the big scary monster that was the requests library documentation. It turned out to be incredibly readable and approachable. If you're ever in a similar situation, I recommend just diving in. You can learn anything with enough time, effort and persistence. You never "learn" something one-and-done. It's a continuous journey where you pick up and put down things along the way.

Nowadays, I also recommend using LLMs like ChatGPT to ask "How do I use the requests library?" and to clarify any worries you may have. Asking questions to a helpful programming coach can break down "impossible" tasks into approachable ones.

Looking back, it seems so stupid that I wasted time on programming tutorials instead of just Reading The Fun Manual (RTFM). Thankfully, now that I'm old and wise, I'll never make the same mistake again... so of course recently I fell into the same trap.

When I was learning C/C++ in preparation for the EXP-401. I would scour online posts looking for the "right" resources for learning. Thankfully, I thought back to my experience learning python, and just jumped into OpenSecurityTraining2's Vulns 1001 and Vulns 1002 course, where I got to stare at vulnerable C/C++ code all day. I learned far more C/C++ by reading vulnerable code, than I did watching yet another programming tutorial.

Interlude

After spending ~1123 hours chasing certifications, I wanted to verify whether these certificates were actually useful, so I thought about getting an internship - but who would hire someone with zero job experience and no college degree?

Social Engineering Experts

In January 2023, I joined Social Engineering Experts, a Singaporean CTF team. At that time, I was studying for the OSWE and thought that Web CTF challenges were a good way to practice for it. It was a great decision - I made a lot of friends and even wrote my own CTF challenge for SEETF 2023.

KPMG

In May 2023, I interned at KPMG's Cyber Defense, doing mobile, web (blackbox and whitebox) penetration tests. It was a good experience applying the knowledge and methodology I earned through studying the OSCP and OSWE to make websites safer. I also did some open source security research and found CVE-2023-3552. I ended the internship going on a Department Trip to Vietnam, which was nice.

Note: There are valid criticisms about consulting roles, but I didn't really mind because I was very early into my career.

BSCP

While I was at KPMG, I got access to Burp Suite Pro, which allowed me to take the Burp Suite Certified Practitioner (BSCP) exam. I didn't bother tracking the hours I spent studying. I just did all the Apprentice, Practitioner labs and the Practice exam.

The BSCP exam was incredibly stressful due to the short time constraints (4 hours). I remember reading exam reviews where students failed on multiple occasions, so I went into it expecting to fail at least ten times before passing. Surprisingly, I passed on my first try with 3 minutes left, my hand trembling as I hurriedly submitted the last flag. If you're considering taking the BSCP exam, I found this github repo by botesjuan incredibly useful for referencing during the exam.

Second Gap Year

Emerging from my internship, I knew I wanted to get the OSCE3. Thus, I declined my offer from the National University of Singapore's Information Security programme to take another gap year.

OSEP

For the OSEP, I spent 345 hours, studying an average of 6 hours 20 minutes a day.

Review

The OSEP is a good course. It takes complicated topics like Active Directory exploitation and Antivirus Evasion and distills it into an approachable format. From a purely learning standpoint, it's well-made.

Unfortunately, the OSEP exam has some issues.

1. The exam is not a good reflection of the course materials, extra miles and challenges.

2. I ran into technical difficulties on both my exam attempts.

The exam was harder than what I was expecting. The majority of the course focused on Phishing and AV evasion and the Challenge machines were easy, so I expected the exam to be similar. Unfortunately, the exam leans towards standard OSCP-like exploitation and Lateral Movement.

Exam Attempt 1

I encountered technical difficulties in the exam network, and informed the proctor. The technical staff did not find any issues, and the exam continued. Later, I again informed the proctor about the issues , but upon reevaluation, they determined that no issues were present.

Exam Attempt 2

Once again, I encountered the same exam set, with the same technical difficulties. Fortunately, it was determined that there were technical difficulties present. I was given an extension of 2 hours, a free exam retake attempt, and a waiver of the cooling-off period. Nevertheless, I was able to find an alternative foothold that I missed on my first Exam Attempt, which allowed me to pass the exam.

In retrospect, I think most of my troubles stemmed from inaccurate expectations of what the OSEP exam was like. Had I approached the OSEP more like the 2022 OSCP, and trained more on other platforms, I think I would have had a much better experience.

I think before you take the OSEP exam, you should be comfortable with Lateral Movement using ligolo-ng, Active Directory Enumeration with BloodHound and Exploitation using crackmapexec. You should be familiar with OSCP-like foothold exploitation and privilege escalation. Your payloads also shouldn't trigger the AV in the Challenges.

Tips

1. Be prepared

I maintained a secondary Windows VM dedicated to compiling Shellcode Runners, MSSQL exploits and phishing documents. This allowed me to efficiently transfer files to my Kali virtual machine using Shared Folders - a method that was simpler and faster compared to using the course's debug machine.

I kept a folder containing all my AMSI bypasses, Shellcode Runners, Enumeration Scripts and Post-Exploitation utilities. Using a Python web server, I could quickly transfer anything I needed onto the target machine.

I also wrote an enumeration script to automate a part of the enumeration process. You can find it here:

OSED

For the OSED, I spent 262 hours, studying an average of 6 hours 20 minutes a day.

Review

The exam was about as difficult as I expected, which might come off as a surprise because the OSED is often ranked the hardest of the OSCE3. I think the OSED is painted in a bad light because topics like Assembly and Binary Exploitation look intimidating. That's a real shame, because it's a great course that teaches the fundamentals of Windows Binary Exploitation.

I myself have been guilty of this; I probably wouldn't have taken the OSED if it weren't a part of the OSCE3. I wrongly assumed that exploit development was too technical and "low level" for me. Looking back, I should have given it five minutes - watched a simple video about buffer overflows, before disregarding an entire field of infosec.

If it's any help, I'm living proof that you can achieve the OSED from absolutely zero binary exploitation experience.

I believe a key component of my success, was approaching these "intimidating" topics like Structured Exception Handler Overwrites and Egghunters head on, and asking ChatGPT to explain these concepts until they made sense. I learned that the Structured Exception Handler is basically like an operations room that calls a phone number in a log book whenever an exception occurs. By overwriting the log book ( SEH record ), you can make the program call ( execute ) your malicious phone number ( your code ).

Tips

1. Write your own tooling

Writing custom shellcode and return oriented programming, is a really detail-oriented activity. You have to keep track of bad characters, offsets and gadgets. Instead of relying on my fallible mind, I combined ommadawn46's win-x86-shellcoder and the RopChain class from @Tan90909090's OSED blog post into an all-in one script. You can find the exploit template I wrote here:

OSCE3

Two months after earning the OSCE3 Certification, I received my physical certificate and challenge coin.

My Linkedin post about obtaining the OSCE3 did pretty well - 129,111 impressions.

Surprisingly, I received 0 messages from recruiters after getting an OSCE3. I didn't really mind, but I think this was probably due to the bad job market and me not being in college.

Reflections

I realized that with each certificate I obtained, I took less and less time getting the next one. That's surprising, because I think I took the courses in increasing order of difficulty. I attribute this result to knowledge transfer, changes that increasing my productivity and shifting towards working a less intense schedule over time.

For what it's worth, I think this gap year was worth it. I got to make new friends, experiences and learn difficult, technical skills. I'm a more competent, competitive candidate than when I first started. I feel much more confident applying for internships and learning other technical subjects.

I do wish I didn't fall for the myth that there are millions of cybersecurity jobs available. I also wish someone with these certificates told me that they weren't the end-all-be-all of information security. I probably would have still took a gap year, but I would've had realistic expectations about what the OSCE3 can do for your career.

From all that I've asked/read, I think that it can set you apart from other candidates and get you into the interview room, but you still need the chops to get the role. Until I actually start looking for roles, I still don't know for sure how useful the OSCE3 is. For now, I'll keep my head down low and continue studying until I'm so good they can't ignore you.

Trends

When I first started, there weren't any college undergrads with the OSCE3 in Singapore. Now, excluding me, there are around 3. Recently, another 19 year old has achieved the OSCE3. I think infosec is shifting towards certifications and academic degrees over Github Profiles, and I'm not sure how I feel about it.

Should you get the OSCE3?

Although I never intended for this article to encourage/discourage people from going after the OSCE3, I'm sure I'll get this question so I'll try my best to "answer" it. Also see: The perils of general advice, and why advice about certificates are usually a recipe for disaster.

As a 22-year old with ~3 months of job experience, I'm one of the least qualified persons to dish out career advice, so I won't. However, I think these questions are worth asking:

• Can you afford ~$7800 worth of course materials?

• Can you make a lot ( 1000++ hours ) of time for self studying?

• Most people I know study these courses while in work/school, and can take significantly ( ~11 months ) longer than the <90 days I took for each course.

• Are you earlier in your career?

Should you take a gap year to study the OSCE3?

When I started, there were barely any resources and documentation about gap years. I think it's an incredibly personal decision, and I can't in good faith, give advice. Here are some questions that might be worth asking:

• Do you have 1 year or more of living expenses?

• Do you have prior experience/the ability to work for months self-directed at a time?

• Do you have sources of support from friends and/or family?

• Are you okay with being misunderstood/isolated for long periods of time?

• Do you have the discipline to study consistently and focus for long periods of time?

• The value of the OSCE3 is indeterminate, is that okay with you?

It's also worth considering the possibility that on your deathbed, no one will remember or care about the certificates you got.

Why am I still planning to attend college?

Interestingly, this is the number one question I get, whenever I tell others I'm taking a gap year to study certificates.

The education premium for college graduates is incredibly high (~50%). Assuming you can graduate, college remains one of the best ways to increase your income. I think gap years may be a great way to complement a college experience. Showing up as a driven, skilled candidate can give you a leg up in internships, which may compound into a larger advantage down the line.

What's next?

Right now, I'm hard at work studying for the OffSec's EXP-401 course, arguably the hardest exploit development course in infosec. Later this year, I'll be attending Corelan Advanced in Sydney, Yarden Shafir's Windows Internals for Security Engineers, OffensiveCon 2024 and SINCON 2024's EXP-401 Live Training. If you're attending any of these, please send me a message via LinkedIn or X/Twitter so we can meet up!

Fun fact: As I was writing this article, I realized that I reached my 2000 hour studying anniversary. Here's to 8000 more. 🎉