I spent a lot of 2023 studying for one of the most sought-after certifications in cybersecurity. For those of you who are not aware of the OSCP certification, it is a certification in penetration testing (or “legal hacking” as I have often called it informally). This certification is coveted by many as it is quoted as “the golden ticket to a job in penetration testing”. While I don’t think I would go that far, it is a certification that forces you to get the basics in a lot of areas. It requires a good understanding of operating systems, networking, web technologies and how to enumerate and hack machines. 

While the specific certification is mostly relevant if you are interested in security, this blog gives perspectives on the upsides and downsides of certifications in general. The goal is not to sell you on the idea of taking a ton of certifications, but to show that it is a tool you can use in the development of your career.

The Backstory

I have been playing around with hacking exercises online in my spare time for a few years now. Sites like HackTheBox and TryHackMe have made it much easier to get into hacking in various shapes and forms in recent years. If you work in software development the base concepts will not be foreign to you. It is all about using a set of tools to get the results you want. So while hacking seems intimidating when you don't know anything about the subject, it is a field you can get into if you are interested in throwing some time at it.

In late 2022 I was ranked in the top 2% of all users on TryHackMe, which sounds more impressive than it is. I was only scratching the surface of where I wanted to be. I just spent more time than most other students on the site, which meant I climbed the leaderboard almost by accident. I had the basics down, but I still regularly followed tutorials in the exercises to get to the solutions. I wanted to level up further. While researching options for improving in this area, I came upon the OSCP certification. I was aware that it was one of many certifications in the field, but I had not considered this an option previously. After looking over the syllabus, I figured it could be an interesting challenge.

After thinking it over for a month or two, I discussed it at a 1–1, and my boss and I decided it would be a good way for me to develop my skills. As a Security Engineer at Lunar, penetration testing is not directly part of my job description. However, the skill set and methodology that come with the mindset of a penetration tester would still be a beneficial addition to my capabilities in the long run. So we agreed I would be able to split the time for the certification roughly evenly between spare time and work time, to allow me to progress through the course without having to forego the essentials like sleeping or eating.

The Course Itself

The Honeymoon Period

As with many things, the course seemed excellent at first. I always enjoyed learning new things, and this was no exception. Almost every day, I came home from work and spent an hour or two reading the material and doing the practical exercises. Usually, I spent around between half a day and a full day working on it over the weekends as well. Additionally, I agreed with my team that each Wednesday I would spend my time until lunch focusing on the course. So it wasn't all done in my spare time. All this time spent made it feel like I was flying through the course material. I was highly motivated.

The exercises consisted of small examples of what I had just read to illustrate different concepts. In the section about SQL Injection, I would have to do some SQL injections in a vulnerable web application, for example. I always found that the mixture of reading material with practical exercises is a great way to learn technical stuff. You can only learn so much tech by reading or watching videos. At some point, you have to get it "into your fingers" by toying with things.

After about 3 months of this, I completed the reading material and the accompanying exercises of the course. Things were going great.

The Not-So-Honeymoon Period

The next half of the course consisted of sets of machines that required you to put the pieces together and hack machines without more starting information than an IP Address. Gaining the skill set to do this quickly was the entire goal of the course, but this is where I started struggling. I got stuck with the machines very quickly, and I felt like I was using too many hints on their Discord server to progress through the machines. I started feeling less energized and motivated, I battled through it. My approach to this was a mistake in hindsight. Rather than powering through, I should have adjusted to the situation and changed my approach and mindset a little bit.

The Solution

In hindsight, the solution was rather simple. The OSCP is popular enough that plenty of unofficial guides are made to help students progress through the course in a good way. I ended up using some practice machines created by OffSec that were roughly the same level as the course machines would be. That allowed me to keep grinding new machines without running out. 

I am a firm believer that anyone can theoretically pick up any skill if they work hard enough. This course was no exception to that. I will admit I had my doubts at various stages of taking the course, but sure enough, the process of enumerating the machines, finding the exploit to get initial access, and finally privilege escalating to root was getting easier and easier with every machine I did. The pieces were beginning to fall into place and sure enough, I managed to pass the exam in December. It took me longer to get through the certification than I had hoped, but I did it in the end. When I got that confirmation mail, I felt a massive amount of pride and satisfaction. This was not an easy achievement and it's important to celebrate wins like that in your career.

Was it worth it?

In short, yes it was definitely worth it. While the course turned out to be challenging, taking it has also improved my skills in a number of ways. My understanding of the deeper levels of Windows and Linux has improved massively. It has also improved my understanding of networking, web technologies and Active Directory. Finally, it obviously improved my hacking skills massively overall. 

While I don't actively use my hacking skills for doing in-house penetration tests on a daily basis, understanding the methodology helps me understand how an attacker might look at our toolstack. Skills like this help with threat modeling, digital forensics and other areas where I need to understand how an attacker would behave. Overall, I have no doubt this certification improves my skills for my job. So while I don't use all of the tools and technologies in my daily job, the certification pushed me in some good directions.

Reflections on certifications

When should you consider a certification?

There are a lot of valid opinions on certifications. The world of certifications is an industry on its own that you can love or hate. I am not advocating that everyone should gather as many certifications as possible. However, they are a valid tool for developing your technical abilities. In some cases, this will allow you to grow in directions not available to you in your current job position. Maybe you work primarily as a frontender, but you would love to become a better backend engineer or the other way around. Or maybe you keep hearing words like Route53, Lambda and KMS and think to yourself "I would love to know what all those AWS concepts are".

For some, sitting down and watching Youtube videos and reading blog posts about their new tech interests is enough. They may even be able to do a few playground projects in their spare time. That way, they learn organically at whatever pace they need to build their projects. But if the new technology seems too daunting to get started with, doing all that can be easier said than done. There are also plenty of people that simply don't have the spare time to sit down and geek out over tech stuff in their spare time due to family and responsibilities. In situations like that, it can be an easier path to buy into a package deal that gets you theory and practice in one. If you can make some arrangement with your employer that allows you to spend some work time on a certification, it could benefit you both.

Depending on the type of certification you are considering, it may also put you in touch with a community of other people who are on a similar path as you. The certification I took came with access to a discord server that enabled me to ask questions about specific parts of the course material as well as general questions about concepts or tools. An online community like that can help you get through the certification easier than if you had been entirely alone. However, if colleagues or friends are interested in the same thing as you, consider bringing other people along for the journey. Creating a study group around the material you are going through will help you soak in the knowledge and debate the parts of the course you may find difficult with others. I believe that some of my issues with the course would have been greatly alleviated if I had taken the course alongside a companion with whom I could discuss the harder parts of the material.

Don't do it for all the wrong reasons

Almost every technology you can think of will have some company trying to sell you a certification. You can become certified in every programming language, cloud technology and open source software you can think of. However, that does not mean I am advocating that the goal of engineers should have as many certifications as possible. A lot of people learn organically by working with technologies at their jobs or in their spare time and often that is just as good or even better than grinding certifications. When you learn this way, you learn about what the technology is like to work with in the real world and how it plays together with other technologies. When taking a certification you may learn what the technology is like according to some predefined course and exam.

There is also the matter of taking a certification because it looks good on the resume. While that may be the case, I am personally of the belief that the knowledge you gain when taking a course is more important than the piece of (digital) paper that says you have taken the course. Certifications can be a way to improve your resume and eventually move to new job opportunities, but it shouldn't be the piece of paper that improves your "net worth" on the job market. It should be your skills and knowledge that does that. And for those of you out there afraid to ask your employer for a certification "because it looks good on the resume", I would say it's all about framing it in a way that makes it clear that it's in everyone's interest to invest in their employees. There is the famous Henry Ford quote: 

Conclusion

I am not saying we should all be running around grabbing all the certifications we can get our hands on. It is merely a tool you can use to improve your skills. Do your research before jumping out into it, and if you take the leap know that you will probably hit a roadblock or two on the way. Hitting roadblocks is okay as taking courses like this can be challenging alone. So you either have to be prepared to grind through that or you could consider making a study group to get through it together with a colleague or friend. Finally, make sure you know why you are taking the certification.

All in all, make sure  you are not taken hostage in your current job position because you can't go anywhere else. There is always a chance to grow in your career, and you are very much in the driver's seat to take things in the direction of your choosing!

Shameless Plug

If you liked this post, consider having a look my Medium profile, which you can find here. On there, I have played around with writing a few write-ups in my sparetime. A few, that might interest you are:

• Hacking 101 - an intro for techies

• OSCP: Before You Buy