Jael's Blog
My First Year In InfoSec: Zero to OSCE3

Last updated 4 months ago

In August 2022, I took a gap year to study OffSec certifications to "break into" the information security industry. In total, I spent * hours studying, acquiring the OSCP, OSWE, BSCP, OSEP, OSED and OSCE3 certifications. As of Feb 2024, I'm the youngest * in Singapore.

In this blogpost, I share my experience going from absolute zero to OSCE3. I've written this guide to share:

  • How long it took for me to acquire these certificates

  • What study resources I used to go from absolute zero to OSCE3

  • Some tools I created which should help you with these exams

  • My reflections after obtaining the OSCE3

At the end, I'll also try to answer questions like "Was the gap year worth it?" and "Why am I still planning to attend college after this?".

Please note: This article is a reflection of my experience. Your experience with studying certifications may be different. The learning path I took is not the royal road. What works for me may not work for you.

Why Certifications?

Certifications are a controversial topic in information security. In my opinion, certifications for practical, proctored exams are a great way to demonstrate your ability to employers.

I've found OffSec courses to be a well-structured environment where I could learn different areas of offensive security, while having a challenging exam as an end goal.

Why a Gap Year?

After serving mandatory national service, I had little direction on where I wanted to go career-wise. Analyzing my potential options, I found information security to be a technical, well-paid, impactful and safe option. Importantly, I saw that there were certifications like the OSCP which were considered the .

If I could acquire these certifications, it could make me a more competitive candidate in job applications. A gap year to focus entirely on certificates seemed like an investment with asymmetric returns. In the worst case, I would lose a year. In the best case, I might get my hands on a miracle year.

OSCP

For the OSCP, I spent 651 hours, pwning a total of 136 machines and studying an average of 7 hours and 33 minutes a day.

Note: I took the 2022 OSCP Exam. In 2023, the OSCP was updated.

As with all my other OffSec courses, I purchased the "90 Days Course & Exam" bundle instead of the Learn One subscription. Before purchasing a course from OffSec, you may want to try reaching out to them for goodwill discounts. Alternatively, OffSec offers discounts for students and at the year's end.

Below is a rough list of the study resources I used to pass the OSCP exam:

Study Resource / Review

Udemy courses for the Network+ and Security+
  If you're not short on time, I would recommend Professor Messer's Network+ and Security+ course.

TCM Security's Practical Ethical Hacking, Windows Privilege Escalation and Linux Privilege Escalation courses
  Very useful. After the courses, I felt much better equipped to start doing practice boxes.

TryHackMe Networks: Holo, Wreath, etc.
  Very important. These networks taught me lateral movement across Active Directory instances.

TryHackMe Machines: Mr Robot CTF, Hydra, Chill Hack, Internal, SQL Injection, etc.
  Easy machines that were good practice for building a pentesting methodology.

54 Proving Grounds Practice machines from TJ Null's OSCP-like VM's List
  The "meat and potatoes" of my OSCP journey. I would wake up, solve 2 boxes in PG, then do it again the next day. I did this for about a month.

30 PEN-200 Lab machines
  This was done to get the 10 bonus points for the OSCP exam.

Practice Exams 1 & 2: Spray, Pipercoin, Toast, Sync, Glass, Office, Casino, etc.
  I did practice exams and wrote exam reports using machines from CyberSecLabs.

Review

The exam was much easier than I expected. Lateral movement, something I learned in Holo, turned out to be incredibly important. Although I used chisel, nowadays I would recommend using ligolo-ng.

Although it may look like I overprepared, I look back at this intensive preparation as laying a strong foundation for my future endeavors. To me, learning is a continuous journey, where knowledge builds upon itself. I paid the startup cost of understanding topics like Active Directory well, which was later helpful when I studied for the OSEP.

Tips

  1. Make a writeup for every machine as you complete it.

When pentesting, take notes about each machine and synthesize a writeup as you go. This will save a lot of time when you have to write a report for the OSCP exam. Furthermore, with each writeup you make, you now have a case study to reference when doing similar machines. When learning new topics, I also suggest taking Atomic Notes so you can network concepts and easily refer to them later.

  2. Look up similar walkthroughs while pentesting.

Whenever you're stuck, I highly recommend looking at 0xdf's/IppSec's website to see how similar machines were rooted. Suppose I was pentesting a flask web machine. I'd pull up HackTricks and 0xdf on a second monitor to look at . There's a great chance that one of these vectors is the way forward. Whenever I got stuck for longer than 2 hours, . I would note down what I missed, and move on. After completing a box, I would compare my writeup with those online. Did I miss an alternative attack vector? Did they use a different tool? I would then update my writeup accordingly.

  3. Do Practice Exams.

About a week before my scheduled OSCP exam, I would simulate the OSCP test environment by using machines of the same type and the same time constraints. This significantly reduced my nervousness during the actual exam.

When possible, I scripted the solutions to each machine/study resource with python. I got comfortable using python's requests library, which was essential in the OSWE exam.

OSWE

For the OSWE, I spent 472 hours, studying an average of 6 hours and 2 minutes a day.

Study Resource / Review

Learn Python3 the Hard Way, Stop Studying Programming
  Really enjoyed the practice-centric approach.

Scrimba: Learn JavaScript for free
  I like the interactive client. Videos were approachable and enjoyable. Good practice-centric approach to JavaScript.

freecodecamp PHP, Code With Mosh C#, Java, SQL
  I used these videos to get used to reading PHP/C# syntax.

Django
  Good introductory resource. I took the Django course because some OSWE reviews said you should learn flask.

Practical Web Application Security and Testing
  This course was formerly at TCM Academy. It was more on the blackbox side and not that relevant to the OSWE.

SecAura's Build it and Break it
  This was a gentle introduction to PHP and web attacks.

WebSecurityAcademy SQLi, XSS, CSRF, Deserialization, Prototype Pollution, XXE, Command Injection, Business Logic, CORS, Access Control labs
  The "meat and potatoes" of my OSWE journey. I learned a lot by first manually solving each challenge lab, then writing a python script that'll solve

OSWE Course Materials and Extra Miles
  As the scripts written in the Course Materials were in Python2, I would rewrite them all in Python3. I also completed every extra mile.

Challenge Lab: Squeakr
  Although this was a blackbox challenge, the lessons learned were very applicable to the exam.

Practice Exam 1: bmddy's tudo and testr
  Very useful. Great practice.

Practice Exam 2: Answers and Docedit
  These were the challenge labs in the OSWE course and were really great practice for the actual exam.

Review

Initially, the OSWE intimidated me because I had zero prior programming experience. A source code review exam sounded like a nightmare. I remember telling a friend, "I don't know how to read source code, how am I supposed to audit it and write exploits?" It didn't help that most of the OSWE reviews at that time were from software engineers who had experience programming. Well, I'm living proof that you can get the OSWE from absolutely zero programming knowledge.

The exam was moderately easier than what I expected.

Tips

Initially, I got stuck because I was afraid of the requests library. I felt that I "wasn't good enough yet" and would jump around programming tutorials, hoping that after the next one I'd be "good enough" to learn how to write exploits. I think this kind of procrastination was a protective strategy for coping with the conflicting fear of failing and the desire to succeed. It wasn't that I was unmotivated - in fact, I was overmotivated. However, if I failed to "learn" the requests library, then I felt it would mean that I had "failed" the OSWE. It seemed much safer to just study one more programming tutorial than risking it all.

What got me out of this predicament was just doing it - out of frustration, I wrote an "exploit script" for SecAura's Build it and Break it. I "chained" vulnerabilities I thought made sense, and in the process, had to confront the big scary monster that was the requests library documentation. It turned out to be incredibly readable and approachable. If you're ever in a similar situation, I recommend just diving in. You can learn anything with enough time, effort and persistence. You never "learn" something one-and-done. It's a continuous journey where you pick up and put down things along the way.

Nowadays, I also recommend using LLMs like ChatGPT to ask "How do I use the requests library?" and to clarify any worries you may have. Asking questions to a helpful programming coach can break down "impossible" tasks into approachable ones.

Looking back, it seems so stupid that I wasted time on programming tutorials instead of just Reading The Fun Manual (RTFM). Thankfully, now that I'm old and wise, I'll never make the same mistake again... so of course recently I fell into the same trap.

When I was learning C/C++ in preparation for the EXP-401, I would scour online posts looking for the "right" resources for learning. Thankfully, I thought back to my experience learning python, and just jumped into OpenSecurityTraining2's Vulns 1001 and Vulns 1002 courses, where I got to stare at vulnerable C/C++ code all day. I learned far more C/C++ by reading vulnerable code than I did watching yet another programming tutorial.

Interlude

After spending ~1123 hours chasing certifications, I wanted to verify whether these certificates were actually useful, so I thought about getting an internship - but who would hire someone with zero job experience and no college degree?

Social Engineering Experts

In January 2023, I joined Social Engineering Experts, a Singaporean CTF team. At that time, I was studying for the OSWE and thought that Web CTF challenges were a good way to practice for it. It was a great decision - I made a lot of friends and even wrote my own CTF challenge for SEETF 2023.

KPMG

In May 2023, I interned at KPMG's Cyber Defense, doing mobile and web (blackbox and whitebox) penetration tests. It was a good experience applying the knowledge and methodology I earned through studying the OSCP and OSWE to make websites safer. I also did some open source security research and found CVE-2023-3552. I ended the internship going on a Department Trip to Vietnam, which was nice.

Note: There are valid criticisms about roles, but I didn't really mind because I was very early into my career.

BSCP

While I was at KPMG, I got access to Burp Suite Pro, which allowed me to take the Burp Suite Certified Practitioner (BSCP) exam. I didn't bother tracking the hours I spent studying. I just did all the Apprentice and Practitioner labs and the Practice exam.

The BSCP exam was incredibly stressful due to the short time constraints (4 hours). I remember reading exam reviews where students failed on multiple occasions, so I went into it expecting to fail at least ten times before passing. Surprisingly, I passed on my first try with 3 minutes left, my hand trembling as I hurriedly submitted the last flag. If you're considering taking the BSCP exam, I found this github repo by botesjuan incredibly useful for referencing during the exam.

Second Gap Year

Emerging from my internship, I knew I wanted to get the OSCE3. Thus, I declined my offer from the National University of Singapore's Information Security programme to

OSEP

For the OSEP, I spent , studying an average of a day.

Study Resource / Review

OSEP Course Materials and Extra Miles
  I did most of the extra miles. The sections "Bypassing Network Filters" and "Kiosk Breakouts" were not relevant to my exam.

Challenges 1-6
  These were really easy.

Exam Attempt #1
  Failed. The exam was a very different beast from what I expected.

VulnLab: Baby, Job, Lustrous
  Well designed boxes that taught me some new attack techniques.

HTB: Cybernetics
  I found this network messy and confusing.

VulnLab: Shinra
  Very well designed network that was instrumental in passing the exam.

VulnLab: Wutai
  This was designed with realism in mind, which my methodology lacked.

Review

The OSEP is a good course. It takes complicated topics like Active Directory exploitation and Antivirus Evasion and distills them into an approachable format. From a purely learning standpoint, it's well-made.

Unfortunately, the OSEP exam has some issues.

  1. I ran into technical difficulties on both my exam attempts.

  2. The exam was harder than what I was expecting. The majority of the course focused on Phishing and AV evasion and the Challenge machines were easy, so I expected the exam to be similar. Unfortunately, the exam leans towards standard OSCP-like exploitation and Lateral Movement.

Exam Attempt 1

I encountered technical difficulties in the exam network, and informed the proctor. The technical staff did not find any issues, and the exam continued. Later, I again informed the proctor about the issues, but upon reevaluation, they determined that no issues were present.

Exam Attempt 2

Once again, I encountered the same exam set, with the same technical difficulties. Fortunately, it was determined that there were technical difficulties present. I was given an extension of 2 hours, a free exam retake attempt, and a waiver of the cooling-off period. Nevertheless, I was able to find an alternative foothold that I missed on my first Exam Attempt, which allowed me to pass the exam.

In retrospect, I think most of my troubles stemmed from inaccurate expectations of what the OSEP exam was like. Had I approached the OSEP more like the 2022 OSCP, and trained more on other platforms, I think I would have had a much better experience.

Tips

  1. Be prepared

I maintained a secondary Windows VM dedicated to compiling Shellcode Runners, MSSQL exploits and phishing documents. This allowed me to efficiently transfer files to my Kali virtual machine using Shared Folders - a method that was simpler and faster compared to using the course's debug machine.

I kept a folder containing all my AMSI bypasses, Shellcode Runners, Enumeration Scripts and Post-Exploitation utilities. Using a Python web server, I could quickly transfer anything I needed onto the target machine.

I also wrote an enumeration script to automate a part of the enumeration process. You can find it here: https://github.com/jayesther/OSEP_OSED_TOOLS/blob/main/OSEP_enum.ps1

I think before you take the OSEP exam, you should be comfortable with Lateral Movement using ligolo-ng, Active Directory Enumeration with BloodHound and Exploitation using crackmapexec. You should be familiar with OSCP-like foothold exploitation and privilege escalation. Your payloads also shouldn't trigger the AV in the Challenges.

OSED

For the OSED, I spent , studying an average of a day.

Study Resource / Review

Course Materials and Extra Miles
  I did most of the Extra Miles except Faronics.

Challenge 2
  I found this to be quite easy.

Custom Shellcode Exercises: MessageBox, download and run .msi over HTTP
  This was really fun. I got comfortable reading MSDN for Win32 APIs.

Practice Exam 1: bmddy's Signatus and QuoteDB
  Well made, great practice for the exam.

xct's Rainbow
  Well made, great practice for the exam.

Review

The exam was about as difficult as I expected, which might come off as a surprise because the OSED is . I think the OSED is painted in a bad light because topics like Assembly and Binary Exploitation look intimidating. That's a real shame, because it's a great course that teaches the fundamentals of Windows Binary Exploitation.

If it's any help, I'm living proof that you can achieve the OSED from absolutely zero binary exploitation experience.

Tips

I myself have been guilty of this; I probably wouldn't have taken the OSED if it weren't a part of the OSCE3. I wrongly assumed that exploit development was too technical and "low level" for me. Looking back, I should have given it five minutes - watched a simple video about buffer overflows - before disregarding an

I believe a key component of my success was approaching these "intimidating" topics like Structured Exception Handler Overwrites and Egghunters head on, and asking ChatGPT to explain these concepts until they made sense. I learned that the Structured Exception Handler is basically like an operations room that calls a phone number in a log book whenever an exception occurs. By overwriting the log book (SEH record), you can make the program call (execute) your malicious phone number (your code).

Write your own tooling

Writing custom shellcode and return oriented programming is a really detail-oriented activity. You have to keep track of bad characters, offsets and gadgets. Instead of relying on my fallible mind, I combined ommadawn46's win-x86-shellcoder and the RopChain class from @Tan90909090's OSED blog post into an all-in-one script. You can find the exploit template I wrote here: https://github.com/jayesther/OSEP_OSED_TOOLS/blob/main/OSED_exploit.py

OSCE3

Two months after earning the OSCE3 Certification, I received my physical certificate and challenge coin.

Maybe the most expensive piece of paper I'll ever buy.

My Linkedin post about obtaining the OSCE3 did pretty well - 129,111 impressions.

Ever wondered how many views an OSCE3 post on LinkedIn receives?

Surprisingly, I received 0 messages from recruiters after getting an OSCE3. I didn't really mind, but I think this was probably due to the and me not being in .

Reflections

I realized that with each certificate I obtained, I took less and less time getting the next one. That's surprising, because I think I took the courses in increasing order of difficulty. I attribute this result to , and shifting towards working a .

For what it's worth, I think this gap year was worth it. I got to make new friends, gain experiences and learn difficult, technical skills. I'm a more competent, competitive candidate than when I first started. I feel much more confident applying for internships and learning other technical subjects.

I do wish I didn't fall for the myth that there are millions of cybersecurity jobs available. I also wish someone with these certificates had told me that they weren't the end-all-be-all of information security. I probably would still have taken a gap year, but I would've had realistic expectations about what the OSCE3 can do for your career.

From all that I've asked/read, I think that it can set you apart from other candidates and get you into the interview room, but you still need the chops to get the role. Until I actually start looking for roles, I still don't know for sure how useful the OSCE3 is. For now, I'll keep my head down low and continue studying until I'm so good they can't ignore you.

Trends

When I first started, . Now, excluding me, there are around 3. Recently, another 19 year old has achieved the OSCE3. I think infosec is shifting towards certifications and academic degrees over Github Profiles, and I'm not sure how I feel about it.

Should you get the OSCE3?

As a 22-year old with ~3 months of job experience, I'm one of the least qualified people to dish out career advice, so I won't. However, I think these questions are worth asking:

  • Can you afford 8000 worth of course materials?

  • Can you make a lot of time for self studying?

  • Most people I know study these courses while in work/school, and can take significantly longer than the .

  • Are you in your career?

Although I never intended for this article to encourage/discourage people from going after the OSCE3, I'm sure I'll get this question so I'll try my best to "answer" it. Also see: The perils of general advice, and why advice about certificates is usually a recipe for disaster.

Should you take a gap year to study the OSCE3?

When I started, there were barely any resources and documentation about gap years. I think it's an incredibly personal decision, and I can't in good faith give advice. Here are some questions that might be worth asking:

  • Do you have 1 year or more of living expenses?

  • Do you have sources of support from friends and/or family?

  • Are you okay with being misunderstood/isolated for long periods of time?

  • Do you have the discipline to study consistently and focus for long periods of time?

  • The value of the OSCE3 is indeterminate, is that okay with you?

It's also worth considering the possibility that on your deathbed, no one will remember or care about the certificates you got.

Why am I still planning to attend college?

Interestingly, this is the number one question I get whenever I tell others I'm taking a gap year to study certificates.

The education premium for college graduates is incredibly high (~50%). Assuming you can graduate, college remains . I think gap years may be a great way to complement a college experience. Showing up as a driven, skilled candidate can give you a leg up in internships, which may compound into a larger advantage down the line.

What's next?

Right now, I'm for OffSec's EXP-401 course, arguably the hardest exploit development course in infosec. Later this year, I'll be attending Corelan Advanced in Sydney, Yarden Shafir's Windows Internals for Security Engineers, OffensiveCon 2024 and SINCON 2024's EXP-401 Live Training. If you're attending any of these, please send me a message via LinkedIn or X/Twitter so we can meet up!

Fun fact: As I was writing this article, I realized that I reached my 2000 hour studying anniversary. Here's to more. 🎉