Blog

OSCP & OSCE in 2020: A Retrospective

Apr 9, 2020 | 4 minutes read

Tags: Security, Rant

I got my OSCE exam results today. I passed! 🎉

The OSCE exam pass email

That means it’s time to do a retrospective/review blog post like everyone else I guess. Mine will be a little different than the usual ones though. This won’t be a study guide — there are plenty of those, and especially for the OSCE some of them are practically exam spoilers. Instead I’d like to talk about where I think the OSCP and OSCE courses and exams fit into today’s world.

The OSCP Course and Exam

The OSCP is OffSec’s flagship course for good reason. I took the previous version (before they updated it for Windows 10/Server 2016+) and even then it was everything that it was held up to be. It was challenging, practical, required out-of-the-box thinking, and a ton of fun. I’d have recommended the previous version wholeheartedly to anybody at the start (and maybe later) of a career in security. The OSCP exam material varies by try, so you can’t just brute-force it. You actually have to learn the material! I was lucky enough to have my employer fund my course and the lab extension I ended up needing, but honestly I’d have paid for it myself in a heartbeat. The labs were kind of outdated, but there was a lot of machines to play with and they all required different exploits, with some requiring information or access from other machines. It was a great playground. I’ve seen the updated materials and they’re even better. If you’re at all considering taking the course, you should definitely do it.

The OSCE Course and Exam

On the other hand, the OSCE course… is less awesome. You have to solve a little challenge to even be allowed to take it, which was kind of fun. Unfortunately, the actual material is honestly just plain outdated:

  1. Introduction
  2. The Web Application Angle
    1. Cross-Site Scripting Attacks
    2. Directory Traversal
  3. The Backdoor Angle
    1. Backdooring PE files under Windows Vista
    2. AV Evasion
  4. Advanced Exploitation Techniques
    1. MS07-017 — Dealing with Vista
    2. Cracking the Egghunter
  5. The 0Day angle
    1. Windows TFTP Server — Case study #1
    2. HP Openview NNM — Case study #2
  6. The Networking Angle — Attacking the Infrastructure

The web app section is relevant but extremely basic — if you care about web app security at all you’ll get infinitely more out of the PortSwigger Web Security Academy or OffSec’s own OSWE. The OSCE material even uses PortSwigger’s tools, and the techniques shown on the OSCE material are entirely standard at this point in time. The “Backdoor Angle” covers techniques that… don’t really work anymore. Modern AV is so much more advanced than what was available at the time the course was written that the evasion techniques they cover is basically useless. The ASLR bypass technique they cover is still good (ish), and egghunters are certainly still useful, but you could totally teach yourself that with some Google searching. The two 0days they cover are a decent enough intro to a full fuzzing/exploit dev cycle, but modern techniques are again way better — coverage-guided fuzzing gets you much better results much quicker. Finally, the “networking angle” is an incredibly specific edge case of Cisco misconfiguration that I have no doubt has happened in the past but I’d be astonished if it was still a thing that could happen.

Overall, I’d say about half the material has anything resembling relevance in a modern world, and most of that could be learned elsewhere for free. Having it all rolled up into a real course with walkthroughs and demo machines is nice, but isn’t worth the cost of admission (maybe if you get your work to pay for it like I did — thanks, ISE!). I didn’t even find the exam that challenging; I had all the flags in under 24 hours, even taking breaks for meals and sleep.

Other OffSec Courses

The OSCP and OSCE aren’t the only OffSec courses, of course. I’m hoping to take the OSEE next year (assuming everything is back to normal from the current apocalypse) since it covers real modern Windows exploit development. The OSWE, their web app specific course, is less interesting to me personally but I’ve heard that it’s pretty good (and the exam is apparently quite difficult). OffSec’s last course, OSWP has such a small scope and the material — basic WiFi pentesting — is so well covered in so many other places that I can’t see any value in it at all.

Conclusion

In summary: If you don’t have the OSCP and you think you might want it, go for it! On the other hand, you should probably skip the OSCE unless you can get someone else to pay.