Thoughts on an “Obsessive Simulation of a Critical Procedure”

Written by johnytor

The Email

Some days ago I got a very weird email:

OSCP mail

I felt like something was very wrong. What with the “Professional” word in there (“Offensive Security Certified Professional“)? I don’t feel that professional. Specifically, this XKCD is so much expressing me:

lease

 

A professional?

So, as I’m not feeling that professional, this organization must be wrong to call me one. Yet, I actually pwned the machines required to “pass”, and be considered one. So, what am I?

Am I an OSCΗ (Offensive Security Certified Hobbyist)?

Being an OSCP means that you can do an Internal Penetration Test, and deliver some report. While the report requirements are too low (IMHO), the market is full of bad actual Penetration Test reports anyway, so it’s only fair. Yet, does this make you a Professional?

It (at least) makes you *Professional* on Capture The Flag

The infamous OSCP Lab and the Exam itself are basically CTFs. Nothing more. So, you don’t need to be a professional to play CTFs. I know 16-year-olds that play CTFs. And they think about batman half of the day. They could skill-wise earn an OSCP most probably.

But, then, skill is not the only thing needed to earn an OSCP. Far from it…

 

The ingredients of the OSCP recipe

The Exam

Well, to know computers is the easy part of the OSCP. In case you don’t know the well known process of OSCP exam, it goes as follows (as of 5/19):

  • You have 24 hours
  • You are presented with 5 hosts (Windows or Linux)
    • 25 point host – considered quite difficult
    • 25 point host with BoF – considered a gift from OffSec
    • 2 x 20 point boxes – difficult enough but doable
    • 1 x 10 point box – single remote exploit to root
  • You have to get root or Administrator/SYSTEM to 4 out of 5 boxes – 75/100 points to pass
  • The process is proctored
    • You are being watched and recorded for the whole 24-hour thing
    • Your screen is also watched and recorded
    • You have to write on a chat and get permission to take a break, even for a minute.
  • Metasploit and meterpreter can be used (successfully or not) only to one box.
  • When you finish, you get 24 more non-proctored hours to write a report and send it over to OffSec, with very specific/intimidating rules for packaging it.
  • If you have a report from 10 machines of the Lab and **all** the PDF exercises, you can submit them for 5 more points.

So, which part of this is something that makes you a Professional?

 

Mentality

For me, what made the whole exam a bearable experience that didn’t result in a mental breakdown, was handling it Professionally altogether. And by that, I mean bringing it to its logical proportions, evaluating what the exam actually means for me, my skills and my life in general.

Being a Professional on Penetration Testing some years now (without being OSCP), I’ve learned that there is a possibility that I won’t “hack” my way in some company. It happens. To even the best, and I don’t claim to be one of them. So there is some fat chance that I won’t get the enlightenment needed to get the Privilege Escalation for the 25 point box. Or find the exploit for the 10 point box (which was actually the case for me). And this is not a moment. This can be a 6-hour state of not finding this Privilege Escalation, that keeps you under the 75 passing points.

The ones that can patiently accept their not enlightened selves for 6 hours, falling back these 75 precious points, while calmly and constantly trying their best to earn them – these are Professionals.

 

Flawed Psychology Fucks People (FP2)

Given the situation of someone having 70 points (just under the passing line) for 6 hours (with the exam finishing in 2 hours) many bad things can cross one’s mind. It vastly depends on the background, but for me, problematic parenting (that happened long ago anyway), combined with bad school environment, some moderate impostor syndrome, a huge expectation from everyone I know that it’s a piece of cake for me (hence pressure), gave me plenty of triggers for bad thoughts.

Some of them:

  • I’m not enough / I’m not made for this (classic impostor syndrome verse)
  • If I had done the PDF exercises and Lab Report I could have the 5 points that I now miss (pointless regret)
  • “You can’t do it, it’s very difficult” (typical bad-fatherish voice)
  • I’m gonna fail and all my friends will realize that I’m not that good at hacking.
  • I had to study Windows/Linux Privilege Escalation more. It’s my fault. (another pointless regret).
  • If I fail this then I’m not a good hacker. And I haven’t invested to anything as much as hacking.

Continuing to look for the correct Privilege Escalation vector, while these thoughts knock your head’s door is not a simple task. It is not only about not opening to them. It is about minimizing them out of existence. About fortifying and allowing yourself to care only as much as needed and no more. Plus, all these thoughts count towards your thinking capacity, and you need all of it anyway.

What with the non-stop 24 hours?

There is no direction. It is 24 hours and a .ovpn file. Everything is up to you. You can sleep, eat, go out for beers, go pee every five minutes or get on an LSD trip. If somewhere in there you manage to get 4/5 root flags, and the next day you report it slightly better than a young monkey, you are an OSCP. That’s it. That’s the deal.

So it tests the maturity of your time managing skills. Do you get into rabbit-holes a lot? Do you stay in rabbit-holes out of stubborness of investing time to them? Do you have the tendency to procrastinate when you are looking up something on Github? Do you maybe check your phone every X minutes (X < 10)? These things are gonna cost. They cost in life anyway, but this 24-hour exam they are gonna cost X100.

 

“Try Harder”

Handling all the above while pwning 4/5 boxes in 24 hours is not easy. This is what makes you a Professional. This is OSCP.

The Trying Harder, the classic quote of OffSec is not about the boxes. Is about fixing the flaws that plague oneself, to refine the person as a whole. The challenge could very well be anything else. Yet, it’s not out of coincidence that the subject of a test that goes so deep into one’s psychology is an IT Security one. It has been well proven that IT Security and Human Psychology are well connected. I found somewhere a blog just about that. I think it was called securo-something

2 thoughts on “Thoughts on an “Obsessive Simulation of a Critical Procedure”

  1. I just wanted to say thank you for putting your thoughts here and addressing the state of security in a down to earth manner. Even though I do not consider myself an IT expert – far from it, with enough obsessiveness about the details (which I have found to be part of my character) I have passed OSCP as well as part of my hobby. However, qualifications I use to do my current job, tell me that I am a Fitness Instructor. A Fitness Instructor for crying out loud! I am supposed to instruct others how to take care of one’s fitness levels but the technical “education” I have received is nowhere near applicable to the environment I am in. Think in terms of clockwork orange but in a more humane place. Less about do the “start jumps for 10 reps”, more about “tell me how it feels to walk in your shoes” kinda approach. Maybe all qualifications we wear should force us to develop our fresh POV on the subject…. i don’t know.

    I especially value your posts because you seem to put forward your own understanding of the subject as opposed to the idea of using qualifications to describe how you should look at yourself. I am nowhere near a professional either but the new world I am trying to step into bombards me with the false sense of ego boosting, smooth talking, corporate speak messages that make me supposed to “feel” like one. It is confusing. I am torn. It is like listening to two vectors pointing into opposite directions.

    I grew in a belief that a so called professional is somebody who has committed years to his craft and knows the subject through and through, but these days it seems like this badge can be slapped to any qualification you are willing to pay for. Mixed feelings that make me feel like a fraud sometimes. Usually one speaks to his father or friends about that, but neither of them in my case are willing to understand. I don’t usually respond to posts, I am a guy who keeps it to himself, when you ask me how life is going I am going to say “Fine”, but your posts just make me nurture that vector of myself that is looking for an essence in things over appearance of things. I don’t know why yet I yearn for that direction so much. Thank you for introducing some healthy balance in my life. It makes me feel less hopeless.

    Like

Leave a comment