My Journey into Cyber Security: eJPT to eCPPT to OSCP (Part II)

In the first part of this blog post I delved into the beginnings of my journey in cyber security. This began with starting a Master’s degree and progressed onto getting my eCPPTv2 penetration testing certification. Following this, I decided to tackle the well-renowned OSCP which, despite its prevalence in the industry, has certainly divided opinions.

Now you may be wondering why I would go for the OSCP after getting what many people deem to be an equivalent entry level penetration testing certification in the eCPPTv2, and that is a good question. At the time, and probably still, the OSCP was the de facto penetration testing certification to get if you wanted to break into the industry. It proved you had the technical skills required, you could perform under pressure (24 hour exam), and you could write a report to document your findings. All the great influences in the offensive cyber security space had the certification (Dave Kennedy, John Hammond, Neil Bridges, etc.) and it was seen as a requirement by many HR people. My ultimate goal was getting this certification so that I could get a junior penetration tester role and, with that in mind, I bought 30 days’ lab access (back when that was still a thing) and began my quest for the fabled OSCP. This was around the end of August after I had submitted my eCPPTv2 report for marking and with my Master’s course officially finishing in October.

The OSCP course material is delivered in a mammoth 750 page PDF document with accompanying videos in case you get bored of reading. None of the material was revolutionary compared to what I had learned for the eCPPT. However, I was introduced to new attack paths and privilege escalation strategies which were not covered in the eCPPT. The material in this course was less focused on the technical details of hacking and, instead, looked to cover a wide array of techniques in a to-the-point fashion. This style of teaching was not particularly a bad thing but did assume more fundamental knowledge than the eCPPT. This required you to do more external research outside of the course material if you wanted to fully understand the topic the material was covering. Once I had completed the course material I could begin practising what I had learned in the lab environment. This lab environment was not like the labs in the eCPPT which let you practise one technique you had learned against a target and guided you through the process. Instead, it was a whole enterprise environment with machines tuned to be vulnerable to different techniques you had learned. You had to scan all the machines, perform enumeration, and then select a target to practise a technique on based on the information you could gather. This approach had its pros and cons. For one it was much more realistic and forced the student to value the importance of good enumeration skills over blindly throwing exploits at a target. However, the approach did not let you practise a specific technique to solidify what you had learned. Ideally there would be individual labs where you could practise a technique, perhaps browser-based, and then a wider lab environment at the end of the course where you had to perform enumeration and target your attacks. Even so, the lab environment was well set up and it was fun to practise against a range of hosts.
Also, the much scorned Offensive Security mantra of “try harder” was not really a problem for me. I have heard many people moan about the lack of support shown by the Offensive Security team and the moderators who help students out when they get stuck on compromising a machine. It got to the point where I was afraid if I asked for help then men in balaclavas would turn up outside my house and beat me up! Much of this moaning was unfounded in my experience. Whenever I got stuck I’d simply reach out to a moderator, tell them where I was at with a machine, then they would say “perhaps you should try to enumerate this” or “keep looking at this particular service” and I’d be back on my merry way to popping a shell.

When my lab time expired I decided to take some more time to hone my skills before moving onto the dreaded 24 hour OSCP exam. I bought a month of OSPG (Offensive Security’s virtual hacking platform where you can practise exploiting vulnerable machines, much like Hack the Box), along with Tiberius’ privilege escalation courses for Linux and Windows on Udemy. These courses were a godsend as they introduced me to privilege escalation vectors I hadn’t seen before and gave me confidence in my post-exploitation abilities. Privilege escalation is a crucial step in scoring points in the OSCP exam. Once you have compromised a machine you must try to escalate your privileges to root/system to capture an additional flag on the system and, with it, score additional points. When my month of OSPG practice had expired I blocked off 48 hours in my calendar and scheduled my exam (24 to take the exam and 24 to write the ensuing report).

I am not going to lie, the OSCP exam is brutal. It is 24 hours of straight hacking to compromise 5 machines with a minimum of 75 points out of 100 to pass. You get points by capturing flags which are scored by difficulty. For instance, you might compromise an easy rated machine and score 10 or compromise a hard machine and get 15 + 10 if you can escalate your privileges to root. This was in the days before they introduced the new Active Directory portion of the exam. It took me 20 hours of consistent hacking to get 75 points with two 30 minute breaks for lunch and dinner, after which I was completely exhausted but elated I had managed to get the required points to pass. Looking back, the exam really wasn’t that difficult. You used off-the-shelf exploits to compromise the machines, you could freely read your notes and Google things, and the privilege escalation paths were relatively basic. What made the exam so stressful was the time limit and being watched over by a proctor constantly. One of my proctors seemed set on trying to prove I was trying to cheat somehow whenever I looked down to think about a problem.

After finishing the technical part of the exam I was onto the reporting part. This part was made easy by following along with John Hammond’s suggestion of using a nice tool called Pandoc to turn a markdown file into a PDF document using a LaTeX template. This meant I was able to write the report as I hacked machines and made notes in Markdown. Then, when it came to the actual report writing, I simply added some more context to my notes and automatically generated the required PDF report to submit using a shell script. Automation is king! For a full breakdown on this process I suggest watching John’s video. With the report written I double checked the submission requirements (Offensive Security is very particular about how you submit your report — luckily John has a few scripts to help with that) and pressed Submit. I was done and it was time to sleep! A few days later I got the congratulatory “You Passed!” email and I had another A4 certificate to hang up on my office wall.

Now, comes the real question. I have all the certifications I wanted to get and a Master’s degree in Cyber Security Engineering… did this help me get a job?

Yes, but not a junior penetration tester.

After job hunting for months the best (only) offer I got was for a role as an EDR & Threat Intelligence Analyst at a managed services provider. This was a good position and a great entry point into the cyber security industry. I learned a lot and developed tremendously both technically and professionally. That said, it wasn’t the role I originally set out to get. What went wrong? Why was I unable to land a penetration testing role despite having all the certs and a Master’s degree? The truth is there are not many penetration testing positions, everyone wants one, and companies hiring heavily favour experience over anything else. Without having an in with a company I think it is very hard, if not impossible, to get an entry level position as a penetration tester (at least in the UK) with no professional experience. You are far better off not spending your money on certs (or at least not several certs), finding a classic SOC analyst level 1 position, and building your professional portfolio from there. Get your employer to invest in your learning through certifications and work your way into a penetration testing role through industry experience. Cyber security is hard enough to get into without trying to get into one of the most contested roles. I recommend getting your foot in the door and then transitioning into the role you really want from there.

I don’t regret the path I took because it has opened up so many doors for me. The Master’s degree has got me past the dreaded HR filters and the penetration testing certifications prove I have knowledge of offensive cyber. The work I did helped me distinguish myself from others in the field and has accelerated my progression up the proverbial job ladder. By being able to go for “the best of both worlds” (a Master’s degree and certifications) there are very few job requirements that I don’t meet and I constantly have recruiters reaching out on LinkedIn!

An issue with breaking into cyber security is always going to be experience. A few strategies to try to tackle this are participating in bug bounties, building a home lab with an accompanying blog post, or participating in open source projects. A well-known secret in the industry is that employers will waive experience requirements if you can demonstrate you can do what the job entails. You just need to find a way to demonstrate this.

I hope by describing my journey into cyber security it can help you decide the approach you want to take. It may seem like a daunting experience and constantly getting turned down for jobs can be deflating, but if I can do it then so can you. Just keep persevering, make a good LinkedIn page, demonstrate your expertise, and you’ll eventually break in!

Adam Goss