Open in app

Sign in

Write

Sign in

My experiences with the Offensive Security certifications

Andy Vermeulen
7 min readJul 2, 2021

--

As a web application developer for many many years, my background has not been in security or penetration testing. As I shifted my career towards application security in recent years, I saw mentions of the Offensive Security Certified Professional (OSCP) exam and was curious to find out more. Since then I have developed a love/hate relationship with Offensive Security (like many others before me).

I recently sat through the harrowing experience of my third exam, the 48hr Offensive Security Web Expert (OSWE) exam, which seemed like an opportune time to reflect and share my experiences with the Offensive Security courses.

2018 — Offensive Security Wireless Professional (OSWP)

I started my adventure with the Offensive Security Wireless Professional (OSWP) certification and related course (WiFu/PEN-210). Why? It was the cheapest offering available to evaluate the quality of the OffSec offerings.

I initially found the course to be disappointing, covering mostly legacy WEP and older WPA attacks, while newer WiFi standards and related vulnerabilities were completely omitted. The training materials themselves were OK but far from noteworthy. Not a great start…

The exam on the other hand felt amazing: doing actual hands-on exploitation rather than guessing your way through endless multi-choice questions. It provided an immense sense of achievement when I passed the exam. “I can actually really do this, for REAL!”. The challenges were similar enough to, yet sufficiently more complicated than, the coursework. All the necessary topics to pass the exam were covered in the course but I don’t believe the course was in-depth enough to pass the exam without some additional research.

Given I had zero knowledge about WiFi attacks going in, this experience actually worked out pretty well for me. I had to start, well, at the start… learning about the earliest 802.11 specifications and the security issues that were introduced, when they were discovered, how they were exploited, and how some have now been mitigated in newer versions of the standards.

The course materials didn’t keep up with the latest developments but that forced my hand to do my own research:

  • I found out who the most prominent security researchers are in the WiFi space (historically and today) and subscribed to their blogs and Twitter accounts
  • I discovered the relevant exploits and tools (most long-abandoned, some still maintained) and followed those repositories and their owner’s Github accounts
  • I reviewed the release notes of up-to-date offensive tools to learn about more recent exploits (plus read the associated research papers and reviewed the mitigations vendors have attempted to put in)

Thanks to my OSWP experience, I now continue to follow the developments in WiFi standards and attacks today, rather than having merely “ticked the box” of passing the exam. To me, that is a successful outcome.

I continue to explore WiFi hacking, here with my Pwnagotchi.ai
I continue to explore WiFi hacking, here with my Pwnagotchi.ai

2019 — Offensive Security Certified Professional (OSCP)

The Penetration Testing with Kali Linux (PWK/PEN-200) course was next and turned out to be a lot more challenging for me.

I similarly started the course with close-to-zero experience in black-box penetration testing and limited knowledge about vulnerabilities, except perhaps the OWASP Top 10, which I was aware of due to my background as a web developer. Having little prior experience backfired big time!

The breath and scope of topics in the PWK/OSCP was much much larger than I had anticipated. As before, the course materials provided only “introduce” a certain vulnerability class or attack vector. You need to Google-fu your way to various other blogs, course reviews, tools, etc and dig much deeper. This takes time, too much time, during which you don’t want to be paying exuberant amounts to OffSec for lab access while you are catching up on basics like:

  • Command-line familiarity with different versions of Windows, multiple flavours of Linux, and oddities like Solaris
  • Basic knowledge of multiple coding languages to fix up exploits: Python, Perl, Bash, PowerShell, C/C++, and various web languages and frameworks
  • Different offensive tactics and techniques: reconnaissance, initial access, privilege escalation, lateral movement, data exfiltration
  • A wide range of vulnerabilities: C-style exploits (buffer overflows), web exploits (XSS, SQLi, etc), business logic vulnerabilities, and various bypasses
  • All the shells and all the payloads! Reverse shells, bind shells, web shells.

I took well over a year between signing up for the course and taking the exam. That time was spent methodologically deep-diving on the offensive tactics and techniques relevant to the course, before paying for brief periods of OffSec lab access to validate my learnings and gain the confidence I had learnt enough to move on to the next topic and ultimately the exam.

When I kicked off the 24hr exam, I still wasn’t comfortable with one or two topics. Those were almost enough for me to fail. Fortunately I was able to scrape by and collected just enough points to pass the OSCP on my first attempt (with about 5 hours of poor quality sleep included!).

I learnt an immense amount during this time and no other course I have taken to date comes even close. You can argue PWK/PEN-200 didn’t teach me that much either (as most of my time was spent on Google-fu and not the course materials) but I would not have dedicated 100+ hours without the fear of failing and having to repeat the 24hr exam. Another successful but highly stressful experience.

That feeling of achievement when you pass an OffSec exam. “I can actually really do this, for REAL!”
That feeling of achievement when you pass an OffSec exam. “I can actually really do this, for REAL!”

2021 — Offensive Security Web Expert (OSWE)

Most recently, I completed the Advanced Web Attacks and Exploitation (WEB-300) and passed the Offensive Security Web Expert (OSWE) exam.

The course material introduces walks through multiple weaknesses and vulnerabilities in the code of several applications, which can be chained together to obtain a shell on the target machines. I didn’t find the vulnerabilities themselves to be that novel or modern and they also overlap significantly with OSCP and OWASP Top 10. Having to discover those vulnerabilities in code and then write custom exploits for them is an entirely new experience however; you can not simply “steal” exploits from the Internet like you do for the OSCP.

Unfortunately this is also where I felt the course falls short (and what my prior experience as a web application developer luckily made up for). The course introduces a vulnerability class and immediately shows which part of the code is vulnerable to it. I believe it fails to provide sufficient guidance in how to systematically discover these vulnerabilities in a large code base. Yes, it talks about grep, however that assumes a lot of prior knowledge about the code base already. The course also doesn’t introduce a repeatable methodology on how to perform code reviews effectively and thoroughly.

The course does provide “extra mile” exercises which are definitely worth doing. Not only do you have to do the hard work for yourself, the techniques and code developed here may well be reusable or customisable for challenges during the exam, which can be a huge time saver.

The course ends with three undocumented applications, which are an equivalent experience to what you will encounter on the exam. I found them to be invaluable to practice on; to review a code base from scratch and build up a suitable code review methodology.

The exam itself is pretty much as advertised: “a marathon and not a sprint”. I took plenty of short breaks, every hour or two at most, to refocus and assess where I was at. I also took longer lunch/dinner breaks with the family, and made sure I got some decent sleep.

The biggest exam takeaway for me was about being systematic. Having a methodology or checklist ready to go that includes a code review task for all the topics on the course syllabus and running through them one at a time. I kept a separate “to do” or “curious” list for anything encountered along the way and wanted to loop back to but avoided jumping around and getting distracted.

All considered, I did find the OSWE significantly easier — your milage may vary — despite spending about 17 hours on one challenge with no progress to show whatsoever… just rabbit holes that lead to nowhere. It can be a very demoralising feeling, especially towards the end of exam day 2. This course is about persistence and resilience as much as it is about technical skills.

Some of my preparation efforts Offensive Security Web Expert (OSWE) exam
Some of my preparation efforts Offensive Security Web Expert (OSWE) exam

2022 — Offensive Security [INSERT CERTIFICATION HERE]

Three certifications later, I continue to loathe the depth and quality of the OffSec course materials offered but love the hands-on exams. I am in desperate need for the motivation that the fear of a failed 24hr or 48hr plus exam provides.

For me, that is the ultimate “value” of Offensive Security trainings. They do not provide all the answers on a silver platter. They are not the holy grail of all knowledge about certain technologies, attacks, vulnerabilities, etc. However they are a very effective motivator for me to go out there and “Try Harder” than I would bother with otherwise.

I expect to start work on my next course soon and hope to report back in roughly a year with another Offensive Security story…

Oscp
Awae
Oswe
Offensive Security
Oswp

--

--

Andy Vermeulen
Andy Vermeulen

Written by Andy Vermeulen

25 Followers
18 Following

https://linktr.ee/hobietje

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams