The Offensive Security Certified Professional (OSCP) exam and its accompanying credential have become infamous within the penetration testing community. The reason why can be quickly ascertained by simply reading Offensive Security’s motto: “Try Harder.” Hailed by many as one of the most respected certifications for security penetration testers, the credential is sought after by aspiring white hats all over the world. A growing percentage of cybersecurity-related businesses are requiring that a prospective hire possess this certification to even be considered for a position responsible for doing penetration testing. So, why would a 17-year veteran penetration tester undergo the somewhat costly, time-consuming, and challenging ordeal to obtain what may be considered an entry-level certification?
OK, I’ll be 100% honest: My upline management made me do it. Like many cybersecurity firms, I suspect Rapid7 is looking to the OSCP to help demonstrate that each member of our penetration testing team possesses a minimum baseline of common skills and knowledge. Having said that, despite all the time, anxiety, and long hours of personal time spent to successfully prepare for and pass the exam, I am genuinely glad I did it.
Don’t get me wrong. When I first found out that each of us was expected to obtain OSCP certification, there was a small part of me that was slightly miffed. After all, when I started in penetration testing, this credential didn’t exist! It was my generation of security testers that refined the art of white hat hacking and turned it into what it is today, and my generation collaborated and designed Metasploit as an open source framework to simplify penetration testing (yes, the same Metasploit that later became the backbone of Rapid7’s product offerings). I wondered why I was expected to prove my skills this way.
But then my more professional side chastised me: “Are you upset because it’s beneath you? Or because you’re afraid you can’t do it?” That got me. I quickly worked with my manager to get signed up for the pre-exam lab. I was going to do this if only to prove to myself that I am worth what I am being paid and can still run with the young pups. Besides, I wasn’t the one paying for it. I figured I might as well take advantage of the chance to get a few more letters after my name.
Class is in session!
So, I began the pilgrimage along with several others on the team. First up, lab time. I spent long days and nights going through the Penetration Testing with Kali Linux (PWK) course designed to teach the core techniques and tools needed to pass the exam. For this course, each student is given access to a large online lab of vulnerable systems interconnected in a virtual network. Nearly every conceivable type of vulnerability is represented within this lab. The student’s task is to hack as many hosts as possible and gain access to the deeper layers of the network, including the admin subnet. The course guide also teaches how to perform old-school buffer overflow attacks by designing one’s own exploit code. This last bit is one of the most difficult parts of the OSCP for the newer aspiring white hats. For me, it was old material. I had designed plenty of buffer overflow exploits in my time and used plenty of others designed by friends and colleagues, so this part didn’t bother me.
However, this doesn’t mean it was a walk in the park. Not by a long shot. I used every minute of my lab time to get control of 20 hosts out of a possible 40 or so. By the end, I was starting to wonder whether I was going to pull this off. Along the way, I also learned some new techniques that I hadn’t used before because I just hadn’t needed to, or I had the “old” way of doing it and that had always worked for me. Beware! The OSCP has a way of turning your tried-and-true methods on their heads and forcing you to Try Harder. Obvious vulnerabilities turned out to not be as exploitable as one would hope. In fact, they were often red herrings to waste your time. By the end, I got good at quickly recognizing that an exploit wasn’t working because the vulnerability was “broken” and moving on to the next possible flaw. At the same time, I was developing a habit of digging deeper and really giving my all when I knew I had the right vulnerability.
The home stretch
Midway through the lab period, my wife approached me and gave me an ultimatum:
Wife: You better pass this the first time.
Me: Well, I’m certainly doing my best. Why?
Wife: Because if you don’t, I’m divorcing you and marrying a deployed soldier, so I can at least have some time with my husband every now and then.
Exaggeration aside, no greater incentive exists. After all, my wife’s a keeper! So, I doubled my efforts. I spent more time researching things I didn’t understand as much as I thought I did. I spent more time stepping back from my desk and re-evaluating what I knew about the current target and what the implications were. Most of all, I spent a ton more time doing additional recon on each host looking for that one piece of the puzzle I was missing. Hosts began to fall to my more carefully planned attacks. One host led to another, then a new network, then the admin network!
To make a long story short, I passed the exam and got my newest set of four letters to put after my name. While I’ve done the same plenty of times before for other certifications, I can honestly say this one is one of the few I am most proud to add to my signature block. It represents a challenge accepted and won—not just because my bosses wanted me to, but because I had to prove to myself that I really had gained some skills over the years. This process made me work harder than I’ve had to work in a long time to get a low-privilege command shell, then even harder to elevate to a privileged shell. I learned things about Windows and Linux that I had never known, even after 17 years. But most of all, I learned that trying just a little bit harder reaps great rewards. I’ve already seen that have a positive effect on my day-to-day work. The OSCP is not easy, but it’s not a waste of time.
So, why did a 17-year veteran penetration tester take the OSCP? Because it was there. And because it was worth it!