OSCE: An Artistic Telling

I'm still missing the cards for OSEE and OSWE. Unfortunately, both of those require live training and seem a little scarce.

Some day.

OSCE (Offensive Security Certified Expert) is another security cert from the offsec team. One set of sufficient prerequisites is an OSCP and a little bit of assembly experience. There is an online mini-CTF here if you want to register. Or if you just want to do an online mini-CTF.

In comparison to OSCP, the book is only about 200 pages, there aren't really any labs, the exam is 48 hours rather than 24, and it is more about advanced exploitation techniques than the more general picture of penetration testing that OSCP teaches.

0. Through Dana White Shoops

A friend was starting OSCP as I was starting OSCE. I had been very busy at the end of my previous work for a month and decided we should powerlevel (cram) to catch up. I whipped this up to give the discussion thread a little more spice.

At this point I was about half way through the material. Nothing too challenging, but very interesting. A somewhat unrelated fact I heard in the same interval was the following: Make a hello world in C, see if it doesn't set off most antiviruses on VirusTotal. Paranoid. For more info check this out.

I was running out of lab days and although you can extend for about $150, I wanted to challenge that. In the last 10 day stretch I caught a flu. The text posted with this image was simply 'GRAAAAAAAAAAAAAAAAAAHHH!'

I'd finished in time for the exam. For the first half of the material I had been creating automation scripts, and had intended to do that for every exercise. The sickness cost me that, but I went on to do the exam knowing that repeating it was cheaper than extending lab days.

I fucking failed at the last part. Even given 48 hours, I ran out of time. My advice: Automate every technique you learn before you do the exam. I scheduled to repeat the exam one week later.

Remembering that I failed still makes me grumble slightly. If you ever do OSCE, check out that one giant thread about that one part of the exam.

Unlike the OSCP, the exam stays the same each time with OSCE. I had beaten every other computer and had much more time to focus on this last box.

Without giving away any details, I had overcomplicated it. I solved the problem and became an OSCE, making this image to end the thread.

1. Aftermath

OSCE, OSWP and OSCP are a really powerful combination on the job market at the moment. They're well respected enough to get you the interviews, and the knowledge will help you pass technical questions.

I'm left wanting more. Many cert-collectors say OSCE was the hardest one they've ever done. Some even say it was the hardest thing they have ever done in their life. I hope this is not the case, or at least in the future we'll see some sequels or I'll get to do OSEE or OSWE. It is not that OSCE wasn't challenging, but it seems many other certs in infosec are multiple choice questions. Easily gameable. One can simply memorise rather than really understand.

id0-rsa.pub and mdsec's online labs associated with the Web Application Hacker's Handbook are satiating me for now, along with a few books. Also checking out various protocols like BitTorrent, XMPP, Bitcoin, TLS, etc. So, there's always plenty to learn and it's all relatively easy to access.

Stiiiiiiill, I want to hunt more certs. Difficult ones.

2. Well?

Thoroughly recommended for anyone in information security.
