Some days ago I got a very weird email:
I felt like something was very wrong. What's with the “Professional” word in there (“Offensive Security Certified Professional“)? I don’t feel that professional. Specifically, this XKCD expresses me perfectly:
So, as I’m not feeling that professional, this organization must be wrong to call me one. Yet, I actually pwned the machines required to “pass”, and be considered one. So, what am I?
Am I an OSCH (Offensive Security Certified Hobbyist)?
Being an OSCP means that you can do an Internal Penetration Test, and deliver some report. While the report requirements are too low (IMHO), the market is full of bad actual Penetration Test reports anyway, so it’s only fair. Yet, does this make you a Professional?
It (at least) makes you *Professional* on Capture The Flag
The infamous OSCP Lab and the Exam itself are basically CTFs. Nothing more. So, you don’t need to be a professional to play CTFs. I know 16-year-olds that play CTFs. And they think about Batman half of the day. Skill-wise, they could most probably earn an OSCP.
But, then, skill is not the only thing needed to earn an OSCP. Far from it…
The ingredients of the OSCP recipe
Well, knowing computers is the easy part of the OSCP. In case you don’t know the well-known process of the OSCP exam, it goes as follows (as of 5/19):
- You have 24 hours
- You are presented with 5 hosts (Windows or Linux)
  - 25 point host – considered quite difficult
  - 25 point host with BoF – considered a gift from OffSec
  - 2 x 20 point boxes – difficult enough but doable
  - 1 x 10 point box – single remote exploit to
- You have to get Administrator/SYSTEM on 4 out of 5 boxes – 75/100 points to pass
- The process is proctored
  - You are being watched and recorded for the whole 24-hour thing
  - Your screen is also watched and recorded
  - You have to write on a chat and get permission to take a break, even for a minute.
- Metasploit and meterpreter can be used (successfully or not) on only one box.
- When you finish, you get 24 more non-proctored hours to write a report and send it over to OffSec, with very specific/intimidating rules for packaging it.
- If you have a report from 10 machines of the Lab and **all** the PDF exercises, you can submit them for 5 more points.
So, which part of this is something that makes you a Professional?
For me, what made the whole exam a bearable experience that didn’t result in a mental breakdown was handling it Professionally altogether. And by that, I mean bringing it down to its logical proportions, evaluating what the exam actually means for me, my skills and my life in general.
Having been a Professional in Penetration Testing for some years now (without being an OSCP), I’ve learned that there is a possibility that I won’t “hack” my way into some company. It happens. Even to the best, and I don’t claim to be one of them. So there is a real chance that I won’t get the enlightenment needed to find the Privilege Escalation for the 25 point box. Or find the exploit for the 10 point box (which was actually the case for me). And this is not a momentary thing. It can be a 6-hour state of not finding that Privilege Escalation, which keeps you under the 75 passing points.
The ones that can patiently accept their unenlightened selves for 6 hours, falling short of these 75 precious points, while calmly and constantly trying their best to earn them – these are Professionals.
Flawed Psychology Fucks People (FP2)
Given the situation of someone having 70 points (just under the passing line) for 6 hours (with the exam finishing in 2 hours) many bad things can cross one’s mind. It vastly depends on the background, but for me, problematic parenting (that happened long ago anyway), combined with bad school environment, some moderate impostor syndrome, a huge expectation from everyone I know that it’s a piece of cake for me (hence pressure), gave me plenty of triggers for bad thoughts.
Some of them:
- I’m not enough / I’m not made for this (classic impostor syndrome verse)
- If I had done the PDF exercises and Lab Report I could have the 5 points that I now miss (pointless regret)
- “You can’t do it, it’s very difficult” (typical bad-fatherish voice)
- I’m gonna fail and all my friends will realize that I’m not that good at hacking.
- I had to study Windows/Linux Privilege Escalation more. It’s my fault. (another pointless regret).
- If I fail this then I’m not a good hacker. And I haven’t invested in anything as much as hacking.
Continuing to look for the correct Privilege Escalation vector while these thoughts knock on your head’s door is not a simple task. It is not only about not opening the door to them. It is about minimizing them out of existence. About fortifying yourself and allowing yourself to care only as much as needed and no more. Plus, all these thoughts count against your thinking capacity, and you need all of it anyway.
What's with the non-stop 24 hours?
There is no direction. It is 24 hours and a .ovpn file. Everything is up to you. You can sleep, eat, go out for beers, go pee every five minutes or get on an LSD trip. If somewhere in there you manage to get 4/5 root flags, and the next day you report it slightly better than a young monkey would, you are an OSCP. That’s it. That’s the deal.
So it tests the maturity of your time management skills. Do you get into rabbit-holes a lot? Do you stay in rabbit-holes out of stubbornness, because you have already invested time in them? Do you have the tendency to procrastinate when you are looking up something on Github? Do you maybe check your phone every X minutes (X < 10)? These things are gonna cost. They cost in life anyway, but in this 24-hour exam they are gonna cost 100x.
Handling all the above while pwning 4/5 boxes in 24 hours is not easy. This is what makes you a Professional. This is OSCP.
“Try Harder”, the classic OffSec quote, is not about the boxes. It is about fixing the flaws that plague oneself, to refine the person as a whole. The challenge could very well be anything else. Yet, it’s no coincidence that the subject of a test that goes so deep into one’s psychology is an IT Security one. It has been well proven that IT Security and Human Psychology are closely connected. I found somewhere a blog just about that. I think it was called securo-something…