Offensive Security’s Obsolete Exams: A Rant from a Burnt-Out Pentester
I have started this post in various forms and shapes over the years. It has been almost exactly 2 years to the day since I last took an offsec exam, and every time I have opened up this draft since then, I have gotten a little less angry. So much so that I actually canned the draft entirely, thinking I was free.
The recent OSCP changes that happened over the weekend have brought to the surface the vitriol I thought had passed through me. It turns out I am still angry, and since it has been a few months since my last post, it's opportune. This is a cathartic exercise and provides little nutritional value to the reader. It is important for me to exorcise these feelings and put to paper why I don't want to cert chase anymore, and hopefully squash the unease I have about not wanting to sit another course.
I will preface this with a note; not a warning, nor a challenge, but a koan, an understanding: I may have my certs revoked. I may not, because I probably am not as important as I think I am, but I remember what was going on with the silent bans and revocations against those who spoke out against offsec from 2018 onwards. I was there and I saw it; you cannot lie to me and say it has never happened. I have my physical copies on my shelf and you cannot take them away from me.
I'm just going to put the bottom line up front: professionals who are testing day in, day out don't have time to sit through the 24/48-hour proctored meatgrinder. We have shit to do, and in a stroke of pure irony, a fair bit of that involves actually staying current.
"But it only goes for one or two days!" Except it absolutely DOESN'T. You have to coordinate your entire life around these days, since you cannot have anyone even set foot in the area you're taking the exam in; you don't have enough time to sleep properly, so you can't be on heavy-duty engagements until you recover; and you are forced to perform what would be scoped as a minimum of a week's worth of testing in a single day. It's taxing.
The way TCM and Zero Point handle their examinations is fantastic and appropriate. The CRTO exam kinda felt like going to work; I dropped in and out when I needed to, actually slept each day between sessions and was not burnt out afterwards. It was fantastic and felt like I was being treated as an adult.
"But what about cheaters? Offsec stops cheating with the proctors!" Wrong-o there, bob-o. Can you please put the puzzle pieces of logic together for me and tell me how a proctor who was making up examination rules during the exam is possibly able to detect cheating? My OSWE exam was one of the single most awful processes of my life. Every time I would tell the proctor I was stepping away, he would disconnect my VPN. "Because it's in the rules." Except it definitely fucking wasn't. I was FORCED to sit at my computer while a time-based blind SQLi was bruteforcing in the background, because your "anti cheaters" do not understand the rules. I had no need to be there, and I wasted much of my limited remaining brain power and goodwill because I truly did not know if pointing the proctor back to the ruleset would have had my exam terminated. As stated above, I have witnessed many overreactions from offsec and expected one of them myself if I complained.
The rest of my goodwill was burnt on the materials. If we take "try harder" to its most logical conclusion, i.e. the outcome expected, this phrase can be swapped out wholesale with "just look it up". After consuming the materials and the lab, I knew I was not equipped to pass the exam. I got a PentesterLab subscription, spent a month on Louis's vulnerable language snippets, and learnt more than in the 10 months I had been spinning my wheels on the OSWE materials. The offsec experience can be summed up thusly:
Ah, and the rules: no Burp Pro! You want me to sit and do what would be a MINIMUM of a fortnight's worth of web app work (two apps, whitebox), in two days, withOUT the tools I would actually use to get that bullshit across the line? Get absolutely and completely fucked. And to pay for the privilege of being fucked around like this is the icing on my shit sandwich.
I am proud to have my OSCP, and the stars aligned and it opened doors for me (protip for anyone looking to use this to discredit this post: both roles I got because I had OSCP were NOT in infosec), but it is hard to recommend that anyone take offsec materials in the modern era. When my hacking homie and I undertook the OSCP in the aftermath of the cyb3rsick leaks, we were at the most bullshit period to take the exam. It was crushing; the exams did not at all reflect the materials, and the labs had Server 2000 machines, for fuck's sake. It was unfair and it was bullshit, but we did it, because what other choice was there? It was either grind ourselves into dust for OSCP, get CEH and be laughed at, or take out a loan for a SANS course worth more than my WRX was.
But that was over half a decade ago, and TCM, Zero Point and Altered Sec have all appeared. I am sure at one point SANS was the king dick swinger and offsec stole their crown, but offsec have slowly, slowly been usurped by the passage of time and by resting too hard on a legacy from a long time ago.
I used to recommend that those looking to secure employment go through PentesterLab and CRTO to get the skills needed to test, and an OSCP to prove you are a bad enough dude to survive the meat grinder. But that was when OSCP was worth a damn, before the OSCP was watered down by having the OSCP+ automatically roll over to an OSCP despite the + being an easier exam (I will NOT listen to feedback about this being unfair since the exam hasn't been released; initial access on the OSCP is ALWAYS the hardest part).
Perhaps the dilution was inevitable; much the same way the CCNA now holds zero weight and you must get a CCNP to prove a skillset, the OSCP will eventually lose the revered status it once held, as the CCNA held in the early 2000s.
Scroll through enough of my posts and you will see I shill No Starch at every opportunity despite them not giving me anything for it; you will realise I like to talk about the training I like, because when you are an underpaid sysadmin at a shitty MSP trying to grind out a better life, you don't have the time or money to spend on bad training. I am changing my recommendation so that, going forward, the employment trifecta I recommend will be:
PentesterLab, CRTO, PNPT
I just can't recommend people suffer through the bullshit practices of offsec any more. It was insanely eye-opening to see how much I didn't know despite having the certificate infosec at large kept saying would get me job-ready. It was incredible how many foundational concepts Louis covered in his code review course that do not even get thought about during OSWE. It is obscene to me that professional testers who perform exceptional testing routinely struggle to fit themselves into the OSCP exam box because it is nothing like a real engagement. How can this be seen as the crucible examination any longer?
I'm going to close this rant with two tweets I saw over the weekend. Take note of who these posters are.