Werebug Security Journal : Why the OSCE exam was (for me) easier than the OSCP

Why the OSCE exam was (for me) easier than the OSCP

On December 3, after about one month and a half since the beginning of the course, I started my OSCE exam.

As I did for OSCP, before the exam I searched online in order to find as many information as possible, for OSCP this was very useful, especially reading recommendation about how to organize the time in order to make it in 24 hours.

For OSCE I found many resources, mostly about how to prepare for the exam from a technical point of view, and all reviews about the exam agreed that it was an amazing and super complicated journey.

I passed the exam, at my first attempt, and it was a lot easier than I expected. Here is why.

Preparation

For OSCP I studied for two months in the Offensive Security lab (one month while studying the course material and one month to practice), and about a month and a half on HackTheBox.

In the Offensive Security lab I owned very few machines, I don’t remember the exact number but about 10 and all of them in the public network. Every machine was a birth. I didn’t use Metasploit at all if not for the exercises that required it, I wanted to understand everything of what I was doing and it required a lot of time.

On HackTheBox the situation wasn’t very different. Every machine required a day, at least. Some of them required two, some almost a week. It was a super slow process.

The day before the OSCP exam, the idea that I had only 24 hours for 5 machines was extremely scary. I would have not bet a single euro on my success. I’m honest. I went for the exam with the mentality of seeing what it was about in order to better prepare for the next time.

Then I started the exam and I rooted all systems in 15 hours. I was surprised and full of adrenaline. The reason for this unexpected result is one: the exam is… an exam. There’s a little bit of everything, covering most of the arguments in the course but in a very precise and academic way. If you go for the exam, you will will probably understand better what I mean.

For OSCE I started the course on October 20, and took the exam on December 3. I practiced mostly developing exploits for VulnServer (you can find posts about them in this same blog) and trying to reproduce some exploits from exploit-db. I also practiced hard on antivirus avoidance and payload injection in PE files. I was able to write custom shellcode far beyond the simple jumps or encoding shown in the course, I was able to bypass modern and updated Windows Defender on Windows 10, and I also went the extra mile with payload injection (combining different payloads, patching them, using threads).

After the experience with OSCP, at this point I knew that what I did was definitely more than what was covered in the course. I expected the exam to cover the course arguments more or less like OSCP exam did, and I felt ready for most of it. I expected there would be a web application, and I didn’t know what to expect about that, but I couldn’t do much to practice for web applications, and practicing on HackTheBox seemed again to be the best thing I could do.

While for OSCP I had the feeling that there were too many possible scenarios and that I was ready only for few of them, for OSCE I thought that taking the exam was in fact the only way to find out if there was something I missed.

Objectives

The feeling I had during preparation really matched the way objectives for the two exams were given.

For both exams the first thing you do is to connect to the student exam page and read objectives.

Objectives for OSCP are more or less like this:

Welcome. In your exam there are these 5 machines. Machine number 1 has to be exploited through a buffer overflow in this application. The other four machines? We need these files from each machine. Good luck.

Note: objectives are not like this, but…

Objectives for OSCE?? A complete different thing.

Welcome. This is what you have to do on machine 1. This is what you have to do on machine 2. This is what you have to do on machine 3. This is what you have to do on machine 4.

I know it doesn’t sound much different, but it’s a world of difference. Reading objectives and feeling like “ok, I can do it”, it’s a great boost to morale at the very beginning of the exam.

Time

Time is also an important factor.

24 hours for OSCP are not a lot. It took me 15 hours to root all machines, and I decided to write the documentation the same day because I wanted to be sure to have all screenshots and the only way to be sure was to write it while I still had access to the exam lab.

I woke up at 5 am, started the exam at 6 am and write the last page of documentation at 5 am of the next day. I was tired, and my body was shaking for all the energy drinks that I drank during the day. My comment to friends was: amazing, I loved it, but I wouldn’t do it again before half an year.

On the contrary 48 hours for OSCE were more than enough. I started the exam at 8 am, at 1:30 pm I was done with the “hard” buffer overflow target. At 5:30 pm I was done with the second high value target. This was a huge morale boost. It was still afternoon and I had the whole next day and only the two easy objectives to complete, and I only needed to complete one of them to get the score I needed to pass the exam. Around 8 pm I was done with the first of them and I took a break. Before going to sleep I decided to give a quick try to the last objective, I tried the first thing that came to my mind and it didn’t work, but I went to sleep knowing exactly what was the next step to try. Next morning I woke up around 8:30, at 9:30 I was done with the last objective. I had the whole day to write the documentation while still having access to the lab.

I filed my documentation even before my 48 hours for the exam were passed. The next day? I could have done it again.

Conclusion

If you prepare properly, OSCE exam not only doesn’t have any surprise, but it’s also structred in a way that you won’t panic about time or about not having a clue about what to do next.

I assume most (if not all) of the people doing OSCE have already done OSCP, so I assume that everybody will be able to use their OSCP exam as a comparison to understand how the exams are structured and what they can expect from the OSCE one.

Don’t fall for the horror stories available online of people being unable to get any high value target in 48 hours. It only means that something went terribly wrong during their preparation.

And now… AWAE will start at the end of the year. Looking forward to it.