The OSCP

I had recently taken the OSCP (Offensive Security Certified Professional) certification exam and boy was that an adventure to say the least. The exam itself was 24 hours long, not to mention the hundreds of hours in preparation.

It’s unfortunate to say, but I did not pass the exam. I took it twice and got the closest score to physically passing, but couldn’t get past the final privilege escalation (gaining full system privileges). I would be livid with the outcome, but I realized that the time wasn’t quite right.

I had attacked the certification head-on and received a higher score than 90% of other first try-ees. I did this with less than 1 year of cyber security experience and only 1 month of OSCP lab time (a virtual environment for practicing penetration testing). Definitely NOT a good decision.

I will be retaking it this summer after I extend the lab time. The key term here is ‘lab time’ because it’s the most important part of the whole certification. The extent of what you can practice with lab time is truly incredible and something that I took for granted. This is a perfect case of the ‘it’s the journey, not the destination’ sort of thing.

Despite the recent shortcomings, I learned some insane things. For starters, I now know how to make malicious payloads that, when opened via email or other file transfer utility, will grant me access to someone’s computer. I also learned about buffer overflows, which seem like the epitome of hacking. I mean look at this screenshot – looks like something out of a CIA movie.

[Image: Immunity Debugger during a buffer overflow]

The reality of hacking is so far from the Hollywood depiction of it. There are hundreds of methods that hackers use to essentially reverse engineer computer programs and human thinking. The whole “let me just press a few buttons on my expensive device” mantra is frustrating to see because it undermines the art of penetration testing (lawful penetration testing that is).

It all makes me a bit paranoid about technology, though. The idea of gaining full control over someone’s computer remotely is a pretty wild idea. It shows the type of control that experienced hackers could have over someone’s online presence. And almost everything is online now.

The one piece of advice that I will offer is: KEEP YOUR STUFF UPDATED!

It is humbling to have experienced the infamous OSCP. Third time’s the charm as they say.