Becoming an Offensive Security Certified Professional while having a full-time job

Heinz-Werner Haas
Nov 20 · 9 min read

There are a lot of people who would like to do certifications alongside their job but don’t know whether they can fit them in. Here I will tell you about my experience.

Before going into the details of my experience obtaining the certificate, I will give you an overview of the company, myself and the OSCP certification itself.

Earlier this year, I graduated from Karlsruhe University of Applied Sciences and started working for Digital Frontiers GmbH & Co. KG, a consulting company with a focus on software development.

How did I get the idea to do the OSCP?

The reason for my decision to get this certificate was my own interest in security and my bachelor thesis, which was about developing a security pipeline for web applications in the context of continuous integration and continuous delivery. My thesis supervisor, who is a security analyst himself, also recommended the OSCP to me, as it is a very respected and well-known certification in the security field. The reason for this is that obtaining it requires not only theoretical knowledge but also passing a hands-on practical examination.

Even though security was not a strong focus field of my company at the time, I expressed the wish to do this certification and outlined its qualities and benefits. Although penetration testing is not a part of the company’s portfolio, they were immediately willing to let me do the training and cover all costs.

What exactly is the OSCP certification?

To receive the certificate, you must complete a course where you learn the important steps and methods for performing a professional penetration test.

This course is provided by Offensive Security, an international company operating in the fields of information security, penetration testing and digital forensics. They also maintain the Kali Linux distribution and Exploit-DB, which are both respected and heavily used in the security community.

Everything you learn while taking a course at Offensive Security reminds you of their motto: “Try Harder”. How exactly this motto came about and what is behind it in detail can be read here.

The course for Offensive Security Certified Professional is pretty packed and covers a lot of different topics. The skills that I gained or improved include, amongst others:

  • Writing basic scripts and tools to support in the penetration testing process
  • Analyzing, correcting, modifying, cross-compiling, and transferring public exploit code
  • Remote and local privilege escalation and client-side attacks
  • Identifying and exploiting XSS, SQL injection and file inclusion vulnerabilities in web applications
  • Use of tunnelling techniques to pivot between networks
  • Creative problem solving and the ability to think “outside the box”

My preparation for OSCP

After it was clear that I wanted to become an Offensive Security Certified Professional, I started to find out what requirements are necessary to get the certification. At that point I realised that my knowledge of penetration testing was still too limited even to start the course.

In order to prepare myself I used the following two resources:

  • Hack The Box VIP, to get a feeling for penetration testing
  • Videos from IppSec on Youtube, because he offers a great explanation of pen testing mindset and common tools

Hack The Box is an online penetration testing platform that offers a variety of virtual machines you can try to hack in order to improve your skills. But be prepared: to even gain access to Hack The Box, you have to pass a small challenge in which you generate an activation code for yourself. Once you have your code, you can access their platform. At the free level you may attack the 20 currently active machines. If you want access to decommissioned (retired) machines, you need VIP access. The price for this is £10 per month, but as preparation for the certificate this was definitely money well spent.

As a result of training with Hack The Box and watching various walkthroughs by IppSec, I obtained some basic knowledge of penetration testing and felt ready for the OSCP course.

My road to OSCP


I started the course with three months of access to the virtual training labs, to have enough time to train my skills and live up to the Offensive Security mentality of Try Harder.
The course also provides a PDF course book as well as videos on the topics.

The course book contains detailed explanations of the topics the course covers, along with various exercises to deepen the acquired knowledge. The videos offer additional entry points to those topics and sometimes demonstrate the examples from the book in practice.

Before I started the practical part, I worked through the whole course book. To avoid gaps in my knowledge, I first watched the videos of a chapter, then worked through the chapter in the book and finally did all the exercises for that chapter.
After three weeks and many hours of work I was through the whole course material and had completed all the exercises.

By studying the course material, you get a feeling for how the different scenarios for compromising a system work and which tools can be helpful.

Having acquired basic theoretical knowledge, I decided to begin with the first lab machine.

The lab is the heart of the course and is what prepares you for the exam. You start in a public network with nothing more than a list of IP addresses. The practical application of the skills you acquired usually starts with scanning the machines and looking for low-hanging fruit.
Eventually you will find some machines that are connected to additional networks. Once you have fully compromised these machines, you can use a technique called pivoting to reach those internal networks.
Pivoting means using your access to a compromised machine to “move” further into the network behind it: traffic to hosts that are only reachable from that machine is relayed through it. As the lab goes on, you need to apply more advanced techniques and use everything you have learned during the course (and sometimes more) to compromise the machines.
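To make pivoting concrete, here is an added example that is not from the post or from the Offensive Security course: a minimal TCP port forwarder in Python of the kind a tester could drop on a compromised dual-homed host. It listens on an address the tester can reach and relays each connection to an internal host that only the compromised machine can see. The “internal” service is a constructed echo server on loopback, and all addresses, ports and the demo() wiring are assumptions for illustration; on a real engagement you would usually get the same effect with SSH port forwarding (ssh -L, or ssh -D plus proxychains) rather than a hand-written relay.

```python
import contextlib
import socket
import threading

# Added example (not from the post or the course): a minimal TCP port forwarder used as a
# pivot. The echo "internal service", loopback addresses and demo() wiring are constructed.

def _pump(src, dst):
    """Copy bytes from src to dst until src hits EOF, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        with contextlib.suppress(OSError):
            dst.shutdown(socket.SHUT_WR)  # propagate EOF so the peer sees the close

def _listen(host, port):
    """Bind a listening socket; port 0 lets the OS pick a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(16)
    return srv

def _serve(srv, handler):
    """Accept until srv is closed; run handler(conn) on a thread and close conn afterwards."""
    def run(conn):
        with conn:
            handler(conn)

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listening socket closed: stop serving
                return
            threading.Thread(target=run, args=(conn,), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()

def _bridge(client, target):
    """Bridge one accepted client connection to the internal target (host, port)."""
    try:
        upstream = socket.create_connection(target, timeout=5)
    except OSError:  # target unreachable from the pivot: the client connection is just closed
        return
    with upstream:
        upstream.settimeout(None)
        threads = [threading.Thread(target=_pump, args=pair, daemon=True)
                   for pair in ((client, upstream), (upstream, client))]
        for t in threads:
            t.start()
        for t in threads:
            t.join()

def start_forwarder(listen_host, listen_port, target_host, target_port):
    """Relay every connection on listen_host:listen_port to target. Returns (socket, bound port)."""
    srv = _listen(listen_host, listen_port)
    _serve(srv, lambda conn: _bridge(conn, (target_host, target_port)))
    return srv, srv.getsockname()[1]

def start_echo_server(host="127.0.0.1", port=0):
    """Constructed stand-in for an internal-only service: echoes what it receives."""
    srv = _listen(host, port)
    _serve(srv, lambda conn: _pump(conn, conn))  # read from the peer, write it straight back
    return srv, srv.getsockname()[1]

def send_through_pivot(pivot_port, payload):
    """Reach the internal service by talking only to the pivot's listener."""
    with socket.create_connection(("127.0.0.1", pivot_port), timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)  # done sending; collect the reply until EOF
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)

def demo(payload=b"GET / HTTP/1.0\r\n\r\n"):
    """Wire it up on loopback: client -> pivot listener -> 'internal' echo service."""
    echo_srv, echo_port = start_echo_server()
    pivot_srv, pivot_port = start_forwarder("127.0.0.1", 0, "127.0.0.1", echo_port)
    try:
        return send_through_pivot(pivot_port, payload)
    finally:
        pivot_srv.close()
        echo_srv.close()

if __name__ == "__main__":
    print(demo())
```

Running the file prints the request bytes echoed back through the pivot. The design detail worth noting is the half-close handling in _pump: when one side sends EOF, the relay shuts down only the write direction of the other side, so a protocol that waits for the client to finish sending before replying still works through the pivot, and a target that is unreachable from the pivot simply results in the client connection being closed instead of a hang.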

Soon I realised that the course material was only a starting point and that my knowledge was still insufficient. In order to proceed, I had to google and try out a lot of things. After a long week of trial and error, I finally had my first sense of achievement: the first machine had fallen. This increased my ambition, and over time I became better and better and compromised the machines increasingly quickly.

Managing the training alongside a full-time job

Luckily for me, when starting at Digital Frontiers I was not immediately put on a project and could spend most of my time on the certification. By this point, however, I had started working on a customer project, so it was no longer as easy to work in the training lab after a full working day at the customer’s site.

So my day consisted of 8 hours of work on the project and then 2 to 4 hours of training in the lab, depending on how I felt that day.

In order to still have enough time for the certification, the business model of my company was very beneficial to me: you spend only 80% of your time on work for customers, and the remaining 20% is available for side projects and education. This gave me a full business day every Friday for the course. You can read more about it in this article my colleague wrote.

After three months, I had compromised 30 of the more than 70 machines in the lab. I had the feeling that this might not be enough to pass the OSCP exam, so I scheduled the exam for two months after the end of my lab access in order to improve my skills further in the meantime. To do so, I went back to Hack The Box and trained for another two months.

The OSCP Exam

In preparation for the exam I went through all my notes again and read the exam regulations several times to make sure I would not make any mistakes during the exam.

The exam itself consists of a practical part, in which you have 24 hours to compromise the provided machines. You receive points depending on the level of access you gain on each machine, and you have to achieve 70 out of 100 points to pass. Afterwards you have another 24 hours to write a professional report about the vulnerabilities you found and send it to OffSec.

As the practical part lasts a full day, you should think about preparing food and planning breaks. Laying out a plan in advance can save a lot of time during the exam and help to proceed in a more structured way.

Don’t panic if you have a rough start. For me, the beginning went rather badly. I had made a mistake in my own exploit and wondered why it did not work the way I wanted. I went through each step several times, also checking against the course material, and started to get nervous. What finally helped me find my error was a short break and then slowly going through each step again. I was able to fix the exploit and bring the machine to its knees. After that I was in the flow and had mentally arrived at the exam. Going from machine to machine, after 12 hours I had reached the 70 points.

Afterwards I wanted to try to sleep a little, but I found no rest, so I decided to try to compromise the remaining machines. When there were only two hours left until the end of the exam, I started to check my notes and screenshots. I recommend doing this very thoroughly to make sure you do not forget anything for the report that follows.

The practical part can be exhausting and I was glad when I could finally go to sleep. But the exam was not done yet: as already mentioned, you also have to write a professional report. Even though I had some time to recover, it took me around 8 hours to get everything I had done into the report.

I submitted everything and after 2 business days I received the good news that I had passed.


Conclusion

Back to the initial question: Is getting an OSCP possible alongside a full-time job?

Yes, it is, but it will not be easy and it takes a lot of work.
To do it, you have to be passionate about it and prepare and structure yourself well. Support from your company can also be very helpful.

Here is a summary of the most important points you should be prepared for, when you are ready to take the OSCP course:

  1. You will be spending a lot of time researching.
  2. Do not expect the Supervisors or even other students to give you answers easily.
  3. Plan to make a commitment to this and have an open mindset to learning new things.
  4. Know your tools! There are certain tools you are not allowed to use in the exam. However, that does not mean you should skip them. Take some time to understand them, because you may have to use them on an actual engagement in the field.

But nevertheless I can say in conclusion that the 5 months of stress and hard work were totally worth it.


The mentality of never giving up has ingrained itself in my thinking, as has thinking outside the box.

If you’re thinking about becoming an Offensive Security Certified Professional or obtaining another certification yourself, I hope this post may help you in making your decision and wish you the best of luck for your exams.

Thanks for reading! If you have any questions, suggestions or criticism on this topic, please feel free to contact me.

You might be interested in the other posts published in the Digital Frontiers blog, announced on our Twitter account.
