Interview - Chris (newly OSCP Certified)
About half a year ago, I interviewed my friend who was looking to acquire his OSCP. Now, he managed to get OSCP certified. I thought that his story might be an interesting one and might help people looking to acquire their OSCP. This interview was held in a text chat on Discord. We're both involved in the cybersecurity organization x9security.
Cyrus: Alright, are you ready?
Chris: Yepppp 😎
Now, here is a story all about how my life got flipped, turned upside-down. I'd like to take a minute, just sit right there, I'll tell you how I became [OSCP CERTIFIED]
Cyrus: Quite the introduction. This interview will be similar to the other interview that we did. I'm anticipating that it will be a lot shorter, but I don't know how in depth you want to be. As usual, I have a list of some questions I want to ask and it's up to you how in depth you'd like to be. I understand that you can't answer some questions regarding the OSCP and that's okay, just let me know when I ask you a question you can't answer. Do you have any questions for me before we start?
Chris: Nope! I'm ready when you are.
Cyrus: We already went over some more personal aspects of who you are and what your goals are in our last interview, but do you think you could give a brief summary of who you are and what your goals are for this interview? I say brief, but you can be as detailed as you like.
Chris: My name's Chris. I'm a life-student. I've been passionate about computers and security since I was a child, and have finally passed my first hurdle on the path to "going pro." In February 2019, I decided to turn my hacker hobby into a proper career, and after eight months of studying and four months of course-work, I finally obtained my OSCP certification. Now I'm pursuing a career as a pentester, which is exciting and scary. But I'm accustomed to diving into the unfamiliar; it's become a regular theme in my life. My goals for this interview are to provide useful information, perhaps tell a good story, but mostly, to have a good time with Cyrus.
Cyrus: What made you decide that the OSCP was right for you?
Chris: As one of the most widely-recognized and respected entry-level certifications, I felt that the OSCP provided the greatest cost-benefit ratio among the certifications in my price-range. After quitting my previous job to devote myself to this new career, I had to consider the cost of the certification, speed of completion, and job-placement value. Since I was paying out-of-pocket, the biggest consideration would be job placement—my savings will only last for so long, and I'm paying for both living and education expenses. The OSCP seemed like the best bet for my first certification, and I'm hoping future employers will be willing to pay (or assist with) the costs of further certification and education.
Cyrus: Our first interview happened back in March. Since then, have you had any significant realizations about yourself or your goals? Additionally, what kind of struggles have you had to overcome to get where you're at now?
Chris: That's a good question. I try to evaluate my performance every day, looking for areas to improve or achievements to celebrate. I've learned greater self-discipline and patience, and I've learned the value of taking breaks, diet, exercise and sleep. There haven't been any major epiphanies or breakthroughs between then and now, though I have begun looking at opportunities to combine my experience in writing with my experience in security. I love teaching, writing, and learning, and believe that the Information Security industry would benefit from people with strong writing and communication skills. There are a lot of highly technical people out there who don't really know how to break down complex concepts into layman's terms, and a lot of damn good tech journalists who love to write about tech but only have a cursory understanding of the intricacies beneath the surface. But where those two circles overlap, there exists a rare breed who not only know the arcane technical mysteries behind the latest security developments, but can also translate that knowledge effectively for the common people. I think those people are essential, because InfoSec isn't just about red-vs-blue; it's not just a bunch of hackers and sysops duking it out in a digital battlefield. Security is part of everyday life for every human on Earth. Security is everybody's problem, and security journalism is a key element in spreading information and awareness.
Long story short... I'm looking at opportunities in InfoSec Journalism as well as in Penetration Testing.
As for struggles, I'd say that the greatest struggles originate from within. My first time taking the exam, I failed. Hard. Largely due to technical difficulties and their inherent frustrations. I got angry and impatient, couldn't focus on the systems I was trying to attack, and I wound up giving up after six hours. I had a friend over, and I decided I'd rather spend the evening enjoying my friend's company than raging against the machine.
The second time around, I took precautions to ensure that my test went smoothly, and I tried my best to stay in-the-moment, allowing my curiosity and excitement about the challenge to motivate me, rather than my desire to "win." I've found that becoming attached to uncertain outcomes leads to needless stress and suffering. Instead of aiming to pass the test, I approached the test like a fun CTF challenge, and aimed to see how far I could get in the 24 hours I was given. Even if I failed, I knew I would learn something valuable, which would be a win in my book.
This helped to alleviate whatever stress I might have experienced, and helped me to feel OK with taking breaks and getting food and rest. I even took an hour-long break and played Mario Kart 64 with my buddy for a while.
Cyrus: Did you have any misconceptions going in with this that you realized were horribly wrong? If so, what were they, and how did you realize they were wrong? If you could go back in time and tell your past self anything, what would it be?
Chris: I think, coming into the PWK/OSCP course, I had a different understanding of the phrase "Try Harder." It's this running joke in the community, to the extent that there are troll-face memes of OffSec support telling struggling students to "Try Harder."
The idea I had was that "try harder" was the ideological opposite of the "script-kiddie" mentality—rather than trying to look cool using scripts and hacks they don't understand, a true hacker takes pride in understanding the inner workings of the system. For me, "try harder" meant simply "be willing to really understand what's going on." And yeah, that's part of what "try harder" means... but I've come to recognize that it also implies strong independence and self-sufficiency, adaptability, and motivation. Passion is wonderful, but passion alone doesn't drive success.
There were moments when I was going through the lab documentation, frustrated with the fact that the instructions were out-of-date. Change is inevitable, but surely they could release better instructional content? Looking back, while I still see room for improvement (nobody's perfect), I recognize that if it weren't for the faults in the documentation, I wouldn't have had to research the tools independently, and I wouldn't have become so familiar with them.
As hackers, we exist in a state of accelerated change. We are constantly facing situations and technologies with which we are unfamiliar. It's vital that we be self-motivated and persistent in our pursuit of knowledge and skill. The point isn't to learn which exploit to use against which software; the point is to adopt a stance of adaptability and self-sufficiency.
That independent pursuit of excellence is what makes people really stand out, regardless of the industry.
Cyrus: What did the OSCP itself consist of? What sort of study materials and courses did you use to succeed?
Chris: To obtain the OSCP certification, one must first work through the PWK course. The PWK includes instructional videos and written documentation, as well as a penetration testing lab with dozens of systems and multiple sub-networks. Students are encouraged to complete a Lab Report during the PWK course, which includes a penetration test report for the lab systems, as well as written responses to course exercises. The lab report is worth up to five additional points on the OSCP exam, as long as it is complete.
The OSCP exam comprises a small number of systems, each assigned a point value. To obtain full credit on a system, one must gain administrative control over the system, including documentation. The systems are worth a total of 100 points, and 70 points are required to pass. Partial credit may be given for gaining low-privilege shells on a target system. One of the systems requires the pentester to craft a custom buffer-overflow exploit from scratch. The exam takes place over the course of 24 hours, and the exam and lab report must be turned in within 24 hours of completing the exam attempt.
Prior to beginning the PWK course-work, I read Georgia Weidman's book Penetration Testing: A Hands-On Introduction to Hacking, which introduced me to some of the tools and technologies I'd be using in the labs. Before that, I had a fairly solid understanding of the basics, but most of the tools I knew were around in the early '00s—I wasn't familiar with more modern tools like BurpSuite or Metasploit. (Metasploit was around back then, but it was young, and so was I, and I believed that tools like Metasploit were script-kiddie fodder.) Weidman's book helped give me a head-start.
I also worked through Justin Steven's tutorial on buffer overflow exploit development, entitled The Presentation and Tutorial for Cross-Site Scripters Who Can't Stack Buffer Overflow Good and Want to Do Other Stuff Good Too. It's a fantastic walk-through of the exploit development process, and really helped me to understand the ins and outs of the craft.
Cyrus: What did you struggle the most with during the certification?
Chris: Hmm... As someone with ADHD, there are two struggles which tend to stand out. The first is the struggle to stay focused and keep working when I'm being drawn to distraction. Working from home, it would be easy for me to skive off and play video games all day, or to spend the whole day with my friends when they've got a day off. My wife and I love to spend time together, watching movies or playing games or whatever. Having the self-control to balance work life and home life, especially when you work from home, can be quite difficult. Add to that the distractions presented by technology—Twitter, Discord, Facebook, etc.—and staying on-task can be a real feat.
The second struggle is the flip-side of the coin. When I'm wrapped up in a project that challenges my abilities, I have the tendency to hyper-focus, to the point that the rest of the world disappears. If I'm not careful, I can spend a whole day on my computer, forgetting to eat or drink water or move around. There were days when my wife would pop into my office to say goodbye before work, and by the time she came back home, I'd still be sitting where she left me, hacking away in the labs. This ability to hyper-focus can be wonderful—it's that "flow state" everyone aims for—but it's vital that I take care of myself and my household responsibilities too. Again, this comes down to that work-life/home-life balance.
Fortunately, I've had a lot of practice, and I'm pretty good at keeping all my plates spinning.
A tangentially-related struggle is that of knowing when to step away from a challenge. Chasing rabbits can be fun, but when there's a deadline, sometimes concessions must be made. Not to mention, getting stuck in rabbit holes can blind you to other possibilities; I can't tell you how many times I'd be stuck on a system, and then I'd go take a nap or visit with a friend, only to figure out the solution to the problem I'd been struggling with. I keep a pen and paper (or a phone with a voice recorder) with me always, so that I'll be ready when inspiration strikes.
Cyrus: As someone who has ADHD too, I understand that struggle. Sometimes it's hard to pay attention to what someone is saying to me and other times I get hyperfocused on the most minuscule of details.
Who would you recommend take the OSCP?
Chris: I would say that students interested in penetration testing as a career should definitely take the OSCP. There's a lot to learn, and it is a good addition to your resumé. However, if you're just a hobbyist, there's no reason to drop $1,000 on two months of PWK lab time when HTB is $10 a month. Everything you can learn in the PWK course can be learned elsewhere, and there are plenty of labs and VulnHub systems to practice on. The PWK/OSCP provides benefit in the form of instructional guides and videos, a specially-crafted lab environment, a community of students working together on the same goals, and (most of all) an official certification by a trusted organization proving that you've got the skills and discipline needed to pass. That, for me, is the greatest value; I don't have a lot of on-the-job experience, nor a computer-related college degree. Certification is a way that I can demonstrate my skill, despite my lack of other credentials.
Cyrus: To anyone reading this who might be considering the OSCP, what advice do you have for them?
Chris: Eat. Sleep. Take breaks. Don't be afraid to switch targets. Take deep breaths when you feel stressed. Move around. And if at first you don't succeed, try, try again. And harder.
Honestly though... If you don't pass, it's not the end of the world. Keep trying, don't give up. I went from driving 18-wheelers around the USA to passing my OSCP in only 5 or 6 months. It's hard work, but it's 100% attainable.
Cyrus: Anything else that you would like to add before the interview ends?
Chris: Well, there's the obvious self-promotion stuff... My website is https://haxys.net/. If anyone wants to hire an entry-level penetration tester in the Dallas/Fort Worth area of Texas, or for remote pentesting work, please get in touch. And if you're new to pentesting and looking for a way to get started, don't be afraid to say hello!
Cyrus: Alright, this was an interesting interview and I thank you for your time. Good luck with things.
Chris: Thanks! Let me know when you post it. 😊