My Offensive-Security Journey — Part 1

Ritchie Fergindo
14 min read · May 24, 2020

Introduction

Three months ago I passed my OSWE exam, which means I have finished my Offensive Security journey. Now that the world is facing a pandemic and I am here without much to do, I decided to write the story of my Offensive Security journey. My reasons for writing this are to have a journal to remind myself in the future and to share my experience. I will split this story into two parts.

All images in this story are owned by Offensive-Security

I don’t plan to focus on or go deep into the technical side of the courses and exams, but rather on the experience and the thoughts I had as I went through each course. This is because I believe there are already plenty of Offensive Security course reviews on the Internet, and I don’t think I can write better technical reviews than those. So this story won’t really give you in-depth tips and tricks or preparation strategies. If you decide to keep reading, I hope you can gain something good from my experience.

OSCP — PWB/K

If I remember correctly, the first time I heard about OSCP was around 2011. That was the year I discovered cybersecurity. I was an average college student in his third year who didn’t have any specialty and was looking for something to focus on. Then I met one of my seniors, who introduced me to hacking, and I was into it immediately. He also told me that Offensive Security, the maker of BackTrack Linux, had a hard certification called Offensive Security Certified Professional (OSCP), which had a practical exam and a number of lab machines for you to hack for practice.

When I heard that, I was like “Oh my God, that is so cool!”. The concept of a practical hacking exam was still a new thing at that time, at least for me. In addition, all the reviews at the time said the labs were challenging and the exam was super hard. Hearing this made me determined to pass it one day as a milestone for my newly begun cybersecurity journey. I made OSCP one of my life goals, along with the other four Offensive Security certificates.

Fast forward to the end of 2014: I was about to graduate (yes, I spent 6 years in college) and I finally enrolled in the PWK course. I took it before I had graduated because at that time cybersecurity wasn’t really booming (yet), at least in my country. I remember that it was so hard to find an IT security opening at that time (let alone a penetration tester role), and the few that existed didn’t really accept fresh graduates. I was thinking that I should have something that could help me get into the cyber industry, and my answer was OSCP (even though CEH was more popular and in higher demand at that time).

The Lab

This was my first time doing an Offensive Security lab, and I had only been doing cybersecurity as a hobby for around 3 years. I was so overwhelmed by it. I had a lot of difficulty solving the machines in the practice lab. If I remember correctly, I only got around 15–20 machines during the 2-month lab period. So yeah, I don’t think I was doing well there. I still remember the frustration I had at that time. Fun times. After my lab had finished I scheduled the exam for February 2015.

The Exam

Well, as many other people have mentioned on the Internet, the exam was hard. The exam format was pretty much the same as today’s format. I had 5 machines to hack and the passing score was 70. I was struggling, of course, partly because I didn’t really have any strategy for the exam. I just sat there in front of my computer and tried my best to solve all the challenges I had. I didn’t even know that one of the machines would always be a BoF challenge.

I didn’t sleep at all during the exam, which is not recommended. I could actually have slept. But it was my first exam and I didn’t really know how it worked (not to mention I didn’t know anyone who had taken the exam). I forced myself to get all the points I could, just to be safe. My final result was 4 roots and 1 user; the user was on the 20-point machine. After the exam had ended I went to sleep, woke up, wrote my report, and sent it.

OSCP Earned

In February 2015, I received an email from Offensive Security saying I had passed the exam and earned the OSCP. I was ecstatic; I finally had the cert I had wanted since 2011. I had reached my first cybersecurity milestone. It was so rewarding.

Two months after that I landed my first job as a Security Consultant specializing in penetration testing. This was of course thanks to the OSCP cert; it helped me build my credibility as a fresh graduate who knew a thing or two about penetration testing. I was very thankful to God that everything went just as I had planned.

OSCE — CTP

If someone asks me what is one of the things I regret the most, my answer would be not trying to get OSCE as soon as possible. I registered for the CTP course in November 2017 and my lab started in early December 2017. It took me two years after passing OSCP to finally make an attempt at OSCE.

I think the reason was that I was kind of overwhelmed by OSCP, to the point that I got scared of taking OSCE, lol. Reading a lot of OSCE reviews certainly didn’t help. Every review I read said OSCE was really hard, or the hardest exam they had ever taken. Until one day I read a review that said OSCE was hard but not impossibly hard. That one review opened my eyes. No matter how hard it is, it’s not something out of this world.

The Lab

The OSCE lab is very different from the OSCP lab: you get a dedicated lab (unlike OSCP, which is shared with other students) and you only get a few lab machines instead of 30+. These machines are for you to follow along and redo what is taught in the PDF and video materials. Technically, if you can understand everything by only reading the PDF and watching the videos, you don’t really need the lab machines.

It took me around 2 weeks to get through all the materials. I took the lab a bit slowly, but I think if you want to rush it you can finish it in around a week. So opting for a 1-month lab is recommended unless you are really, really busy and don’t have much time to work on the lab.

The materials are amazing but a little bit outdated, to be honest. Even so, I believe the knowledge taught in this course is still the knowledge you need if you want to dive deep into the exploit development world. I would say most of the materials are not crazy hard; if you can finish the pre-registration test by yourself, you shouldn’t have any problems following the materials in the course. Except maybe the infamous NMM module. That one gave a lot of people quite a headache. You could say the NMM module is the highlight of the course. It was crazy but beautiful at the same time (it’s very hard to describe without spoiling a few things; you should enrol in the course if you want to see what I mean). That particular module demonstrates creativity in exploit development.

After finishing the lab, what I did next was of course look for other learning resources. If you know Offensive Security, they will always put curveballs in the exam, so relying on the course materials alone might not be enough to pass. Two additional resources I went through were Corelan and FuzzySecurity (up to the egghunter material), plus one or two blog posts covering the Peach framework for software fuzzing. I believe Corelan and FuzzySecurity are enough as additional resources for exam preparation. Many people suggest SLAE as an additional learning resource. I didn’t do it, but I revisited the opensecuritytraining.info Assembly course (revisited, because I had gone through this course before I took CTP). Their assembly course is really well taught, covers the very basics of assembly in a way that’s easy to understand (at least for me), and, most important of all, it’s free.

I booked the exam for February 2018, a month after my lab had ended. I waited a month because I was still a bit scared of the exam, but at the same time I just wanted it to be over as soon as possible. I thought a month should be enough for me to be mentally prepared.

The Exam

Out of all the Offensive Security exams I have taken, OSCE was the most tiring one for me. Sure, OSEE is harder, but in OSEE you have 72 hours to solve 2 challenges, compared to OSCE, which gives you 48 hours to solve 4 challenges. I felt OSCE was a bit tighter in terms of time. The challenges were hard but not impossible. If you have a good understanding of the course materials, passing is very doable.

One thing that caught me off guard was the machine that had nothing to do with exploit development; I was stuck for hours trying to get into it. On the other hand, I did really well on the other big-point machine that a lot of people had problems with. I think it was because I had prepared so much on the exploit development side but hadn’t paid enough attention to the other aspects of the course. The machine that gave me problems actually wasn’t that hard; I am pretty sure anyone who has OSCP would be able to finish it. I think I was just being dumb at that time. Eventually I managed to finish it with not much time left (a close call). At that point I had completed all the challenges, which should give me full points as long as I didn’t mess up my report.

After my exam had ended, as usual, I went to get my sleep, woke up, wrote the report, and sent it.

OSCE Earned

In February 2018, two years after I passed my OSCP exam, I received an email from Offensive Security saying I had passed my exam and earned my Offensive Security Certified Expert (OSCE) certification. Was I happy? You bet I was! Passing OSCE really was another milestone for me.

I learned two important things during my journey through this course. First, Offensive Security exams are hard, but they are not impossible. Second, I realized it was okay to fail the exam. The reason I kept postponing OSCE was mostly that I was scared. I was scared of the materials and the exam, and that cost me 2 years of my time. If I had just manned up and taken it earlier, I could maybe have gotten it a year earlier. Sure, doing it earlier would probably have made me fail on my first attempt, but then again, there is nothing wrong with that. I believe failing an exam attempt but being able to pass within a year is still way better than 2 years of preparation just to pass on your first attempt.

After realizing these two things, I became more willing to take risks in my approach to all Offensive Security courses and exams.

OSEE — AWE

OSEE had always been my ultimate life achievement goal. As a lot of people know, there is no online course for AWE. Offensive Security usually holds the in-person course at Black Hat US (it’s not the only venue, but I am not sure what the others are), and the competition to get a seat in that course is high; the seats are always gone in a short time.

So getting a seat in the course is itself a challenge, not to mention the cost of the course fee and accommodation plus a flight ticket to the US. Looking at these facts, I always thought of OSEE as my someday goal. I would never have imagined that it would be my third Offensive Security certification. But it happened! I was extremely lucky: Offensive Security decided to hold AWE at Black Hat Asia 2019 in Singapore for the first time. The day Black Hat Asia announced the training list, I booked a seat without thinking twice.

The Course

One month before the training started, Offensive Security sent an “AWE challenge” along with a few materials to read to all the course participants. The challenge served to test whether you had the knowledge to follow the course.

Solving this challenge represents the minimal technical prerequisites required for this course at Black Hat. If you find this challenge too difficult, you may want to reconsider your registration for the class.

The challenge was definitely not for someone who is new to the exploit development field. It required you to already have some knowledge of hex, assembly, reverse engineering and shellcode. Having said that, the challenge was not that crazy hard. If you have OSCE, by rights you should be able to solve it in one day. The challenge itself was not mandatory; my friend didn’t do the challenge and was still able to join the course (and he has passed his OSEE exam as well).

The training was held from 26 to 29 March 2019 at Marina Bay, Singapore. At the beginning of the course, we were greeted with this slide.

That is very motivating 😂.

When the instructors told us that we were gonna “suffer”, they weren’t joking (the instructors were Blomster81 and sickness, btw). The first day was supposed to be the “easiest” day and it was already hard. I was lost after the first 3 hours. The course pace was also a reason it was very hard to follow. The instructors didn’t really wait for you to fully understand everything. Having said that, the trainees could of course still ask the instructors questions, especially during the practical sessions.

The reason for the fast pace was time constraints. Black Hat only gave 4 days for the AWE course, which was not ideal for teaching all the material in the syllabus (according to the instructors). I remember that we even had to start earlier and finish later than the Black Hat training schedule (by around 15 minutes), which makes it very reasonable to speed up the course pace. But to be honest, even if the course pace had been slower, I don’t think it would have made any difference for me. I would still not have been able to digest all the things the course throws at you.

I managed to survive the 4 days of training while absorbing less than 20% of what had been taught. It was simply the hardest course I have ever taken in my life (or I was just being stupid, lol). I talked to several people and they were in the same situation as me, more or less. It was just impossible to understand and master all of the materials in 4 days. This is why all the students are expected to self-study and re-read all the materials again, especially if they plan to take the OSEE exam.

The Exam

I booked my exam for 12 May 2019. I was actually not sure whether I was prepared to take it one and a half months after the course had ended. But learning from my OSCE experience, it’s okay to fail and keep moving rather than keep postponing to prepare for the exam because you are afraid to fail. Having said this, I still tried to push the exam date back 2 weeks because I felt a bit under-prepared, but I ended up not doing it because the exam slots were full and the earliest available slot was in July, which was way too long (I was planning to push it back 2 weeks max). I decided to stick with the initial schedule.

My exam preparation was very standard. I pretty much only studied the course modules. The modules already cover a lot of (hard) stuff. Sure, I did look up one or two additional reading materials related to the course, but only went as far as reading them. I didn’t set up any additional labs whatsoever.

In my opinion, no matter how much you prepare for Offensive Security exams, you will face the curveballs, the traps, the tricky parts, or whatever you want to call them, that the Offensive Security team has set up. You will eventually google for additional stuff/resources to overcome the obstacles during the exam, no matter how much you prepare. So instead of filling my head with more information than I could handle, I chose to stick only with the course modules (which, again, are already very hard).

My exam started at 04:00 AM. The exam had two challenges, one worth more points than the other. The smaller-point challenge had two ways of solving it: you could choose the easy way or the hard way. Of course, the hard way would give you full points, whereas the easy way would only give you half. But it actually doesn’t really matter: as long as you solve the bigger-point challenge, you will have enough points to pass regardless of which route you take for the smaller one.

When I read the details of the challenges, I was a bit surprised, because the challenges were easier than I had imagined. By no means am I saying that they were easy. I am just saying that if you compare them with the AWE modules, the modules are way harder than the exam challenges.

Despite thinking it was easier than I had imagined, I still couldn’t solve anything on my first day. Between the two challenges, I went with the bigger one first. I spent the first day trying to understand the challenge, find the entry point, find how to bypass the protections, etc. I hit a few problems, but I had several ideas on how to overcome them. I was slow but making progress.

On the night of the second day I managed to solve the bigger challenge. I could have finished a lot earlier if I hadn’t looked in the wrong direction. The smaller challenge was done within a few hours on the morning of the third day. I went the easy way; of course, I still had time to do it the hard way, but I didn’t bother. I took all the screenshots I needed, wrote the report, and sent it the next day.

OSEE Earned

I earned my OSEE certification on 17 May 2019. It was indeed a big achievement and a milestone for me. Being able to pass a hard certification that had seemed impossible 8 years earlier was a very satisfying and rewarding feeling. I felt that all the time I had spent learning information security was not in vain. I had made progress.

Overall, the AWE journey was very meaningful to me. It was indeed the hardest course I have ever taken. It introduced me to a whole new world of exploit development.

AWE will definitely help you get started in the world of “advanced” exploit development. The course itself was never meant to be the end of the journey. It is actually for people who want to start their journey in the world of “advanced exploit development”, or at least get a taste of it.

I’ll continue my story in the next part, as this article is already too long. Thanks for reading up to this point.
