“We are happy to inform you that you have successfully completed the Cracking the Perimeter certification challenge and have obtained your Offensive Security Certified Expert (OSCE) certification.”
I recently completed the Cracking the Perimeter course and exam to gain the Offensive Security Certified Expert (OSCE) certification; along the way I realized that I know less about information security than when I started. This may seem strange to some, but I think those that have been through the course know what I’m talking about. After passing the OSCP exam I felt more confident in my abilities as a penetration tester. After passing the OSCE exam I know that I have so much more to learn in the field of information security. The best way I can describe it is it’s like getting to the top of a mountain only to look around and see an entire mountain range before you. Similar to my post about my experience with PWK/OSCP I will start with a review of the course and exam, and then try to end with some lessons I learned along the way.
Course Overview
CTP Course Material
The course material provided was professional and well put together which seems to be the standard for Offensive Security. The combined format of videos and written material works well for the way I learn, and the instruction makes it all look so very easy.
Lab Environment
I purchased 60 days of lab time which included the exam fee similar to the PWK course. The lab environment is not nearly as large because overall CTP is a very different experience. The techniques described in CTP were far more advanced than in the PWK course, and you’ll spend a lot of time staring at a debugger. If this sounds scary to you, don’t worry. If you have a real interest in the material then it’s possible to get through this course and exam. The course material covers non-trivial web exploits, AV evasion techniques, and some really interesting exploit case studies. What I liked most about the lab material is that many of the exercises did not work exactly like what was shown in the video or guide. I believe this is by design, and it’s a wonderful way to reinforce learning. Everything will work as shown up to a point, and then it’s up to you to figure out the “trick” to get an exploit working.
Exam Experience
First things first – I failed my first attempt at the OSCE exam. My hat is off to anyone that passed on the first try. I felt really confident with the exercises in the lab and getting around the debugger, but the OSCE exam was much harder than I thought it would be. It wasn’t unfair by any means. It just highlighted how much I did not know at the time. My major downfall was getting tunnel vision and spending far too much time on some of the problems. After my first attempt I set out to fill in the gaps in my knowledge base. I have read several reviews that said that the CTP course material includes everything you need to pass the exam – well, yes and no. Of course you have to use what you learned in the lab for the exam, but I did a lot of external research also. This is just my own experience so, as they say, results may vary. After about an additional month of preparing I started my second attempt. The exam was still challenging, but in the end I gained enough points to pass.
Lessons Learned
The main lesson I learned throughout this experience was that persistence is sometimes enough. If you want it bad enough you’ll make it happen. There were times when I was stuck on a problem and out of ideas, but just kept at it. Sometimes I was ready to smash my monitor because I didn’t think I was getting anywhere, and then I realized that over time I had made a lot of incremental progress towards a solution. I guess the lesson can be summed up with this – keep trying harder (as frustrating as that may be).
One question that I keep getting is, “Do I need to know how to program/script/etc. to pass the OSCE exam?” My response is that you should be comfortable reading and writing code. You do not have to be a programmer or super script writer, but I would really suggest that you understand the basics before attempting the exam.