In January 2024, I started my infosec journey as a cyber security intern. During the course of my internship I was taught about different roles and teams that work in IT security operations. Out of all these roles what stood out to me at the time was being a security analyst. I used to spend all my free time studying from different resources to become a security analyst. My favorite resource of all was watching ippsec solve Hack The Box sherlocks. For those unaware, HTB sherlocks are CTFs for security analysts/digital forensics/blue teamers. One day, the YouTube algorithm decided to recommend ippsec's most watched video- HackTheBox - Bashed. It was love at first sight. I used to think that pentesting was boring and checking off items from a checklist- but I couldn’t have been more wrong. Without realizing it, I had started spending more of my time watching offensive security content than blue teaming content. By the time I graduated, I realized I had unfortunately missed application deadlines for a master's degree at most universities. However, this cloud had a very shiny silver lining. I could spend the next six months upskilling and pursuing whatever I wanted. The way I decided to do this was through certifications.
OSCP
I had heard of the legendary OSCP before- but didn't consider taking the exam because I was under the very very wrong impression that it was an "expert level certification." However, after taking a look at its syllabus, I realized that I was familiar with more than 75 percent of topics. Considering I had six months to go, I decided to bite the bullet and go for it. I started the course, and surprisingly finished all the course modules within 10 days. After completing the modules, I dived into the challenge labs- Medtech and Relia. These were large active directory networks with lots of post exploitation involved. I got through them pretty easily and was feeling confident, so I booked the exam for 15 days from then. However, when I started with the OSCP A, B, C challenge labs I thought I had made a terrible mistake. I was stuck on them for hours and needed multiple hints for some of the challenge labs. By this point I had finished most of TJ null's list but still thought I was underprepared because of the difficulty I faced during the practice exams. When I gave the exam, they had bonus points you could get by completing 80% of modules and half the challenge labs- so, I needed to score 60/100 on the exam. My strategy was to complete the AD section first to gain the 40 points and then go for 20 points based on machine difficulty.
I started my exam in the afternoon and instantly dived into the AD section. I was extremely delighted to find that I had gotten root access on the first machine after only an hour! Not wanting to lose my momentum I continued enumerating and scanning, but I had hit a wall. I wasn’t able to move to the second machine and after spending 8 more hours on it, I decided to go to sleep. After waking up in the morning I shifted my attention to the other 3 standalone machines and managed to root one and get user access on another. However, I could not get enough points to pass. Depressed, I decided to not even turn in a report.
After my crushing defeat, I looked for some advice on a Discord server and someone mentioned that if I was struggling with AD, AD Attacks Lab (CRTP) is the best resource. I signed up for its 30-day lab option and was surprised to see the depth in which the concepts were explained. I think Altered Security is one of the most underrated platforms for learning AD security. After going through all the material, I now had a much better understanding of AD, because the course went much more in depth and also covered things not in the course such as very basic AV evasion, cross trust attacks, ADCS and a lot more. After completing the course, I took the exam and found it to be very easy. It took less than 3 hours for me to reach enterprise admin. I finished up my report and submitted it happily.
After my failed OSCP attempt, I realized that I also had a long way to go in rooting standalone boxes. I found the Lainkusanagi OSCP List. I completed all HTB, PG practice machines in it, but I still had time before my OSCP reattempt so I decided to purchase Virtual Hacking Labs. And just like I had heard, these labs resembled the boxes on OSCP- from initial access to privilege escalation. I completed almost all boxes in VHL from the list- solving around 3-4 boxes per day. With practice, my speed was improving and I was realizing that I was getting better at picking up on things that stood out.
Then, the day came. I was nervous but knew I was prepared. I started the exam and to my surprise one of the standalones was a machine I had rooted in my previous attempt. I quickly grabbed and submitted the flags from that machine and moved on to the AD section. Initial access was the hardest part in this network. But, after some enumeration I found the way in and luckily the lateral movement was easy in this machine. I escalated to domain admin and celebrated as I had finally passed the OSCP!
OSEP
I had initially thought that it would take me more than the 90 days to complete the OSCP but I had completed it in half the time. So the question was- what next? Naturally, the next step was to go for the OSCP's older brother OSEP. As compared to OSCP, OSEP didn't have that many resources available for practice- so I decided to directly enrol anyway. I was quite comfortable reading/writing C# so I had a breeze through the first few modules. Most of the course covered different initial access techniques and bypassing AV, with about a quarter of the course focusing on lateral movement and post exploitation. However, because of my experience with CRTP, I was quite comfortable with that part. The section that I liked the most in the OSEP was the Linux post exploitation and Linux lateral movement section- it had some really interesting tricks I had never seen before. After completing the course, I booked my exam and moved into the challenge labs- these test most of the concepts taught in the course and help you build your methodology. Unfortunately, some of the initial access techniques taught in the course like phishing with Word macros and hta files no longer work (macros from the internet are blocked by default in Office). However, some things still work- such as lnk files. After completing the challenge labs, I was feeling quite confident.
The course teaches you to use meterpreter as a C2 but I decided to use this as an opportunity to learn a different C2- sliver. Sliver is by far my favourite C2. I just love the way it handles multiple listeners and the customizability it provides the operator. I solved all challenge labs once with meterpreter and 2-3 times with sliver. I also suggest routinely going through the offsec channels and looking at how other people solved the labs as it may give you some ideas. I also suggest experimenting with different payloads for the same purpose as you never know what will be detected by AV.
I started my exam in the morning, and was stuck on initial access for about 12 hours. After getting in, I managed to get 7/10 flags in around 2 hours. After a long day, I decided to go to sleep and the next morning finished up my exam in around 2 more hours. I was ecstatic that I had managed to pass a "300-level certification". I was proud of myself, and decided to take up the next challenge.
OSWE
With 3 months to go before I started my master's, I decided I had enough time to pursue the OSCE3. Initially I thought each course would take the 90 days but I realized I could do each of them in around 30 days and with each course I did, I became more comfortable with learning new concepts. Next, I decided to pursue OSWE.
I have never really been a fan of web exploitation (maybe because I suck at it) but it is the most in-demand section in pentesting and I knew I had to get better at it. In preparation for OSCP, I had completed most of the sections in Learning paths | Web Security Academy - PortSwigger so I was familiar with most of the concepts like deserialization, SSRF and websockets. I started the course and followed through with the videos but was quite overwhelmed as I thought I would never be able to find this in a real codebase. While just casually chatting in a group, I got the best piece of advice someone could give me.
"In the end you will go through it function by function. So that way you are actually looking at snippets. Just go through everything, get a basic understanding of what is told and in the end it will just click when you're doing the challenges."
This couldn’t be more true. When doing the challenges, everything really did click. The challenges in OSWE are different as compared to OSEP and OSCP. There are multiple vulnerabilities in each application and multiple paths for both privesc and RCE. I had a blast with these challenges and in my opinion they are much better than those in OSEP and OSCP. By the end I was enjoying code review and whitebox testing.
I booked my exam and got ready for it. I didn’t use any external resources and was quite nervous as compared to my OSEP and OSCP passing attempts. However, after 24 hours I found enough flags to pass and I was extremely happy. The exam was about as difficult as I expected- definitely the toughest one so far.
OSED
With OSWE done, I only had OSED to tackle. During my bachelor's I had a lot of classes on assembly and operating systems, so I was comfortable with low level concepts- I might even go so far as to say it was my favorite. I started the course and was very happy with it. The course starts off with basics like traditional stack overflow, and slowly builds into things like egghunters and defence bypasses like ASLR and DEP. Out of all the Offsec courses, I think OSED is the best one and makes a challenging topic like binary exploitation feel very approachable.
I completed all the extra miles in this course and strongly encourage others to do so as well. Some of them do require some additional research but they help cement the concepts you learnt during the course.
The exam for OSED was, in my opinion, extremely easy. Nothing was from outside the course and the instructions were very clear.
Final Overview
After all that, I had finally managed to complete the OSCE3. The complaint I hear the most regarding OffSec and their training is their price point. I do agree it is quite expensive, but if you compare it to formal universities, the cost of all courses combined is less than that of a semester in a high end university. Do I regret it? Absolutely not. These last few months have been the absolute best few months of my life, and I probably have learnt more over them than I did during my 4 years in college.


Certifications don’t make you a master or an expert—real experience matters far more. But they do provide a structured way to learn, expose you to challenging scenarios, and connect you with others on the same journey. Throughout OSCE3, I found immense value in learning alongside others, exchanging ideas, and getting insights from OffSec Student Mentors who guided me.
So what’s next for me? I will be doing my master's degree and in my free time I'll probably learn mobile pentesting and try to get an internship.
Final tips and course reviews
- Take your exam in the morning, it doesn’t make sense to start when you’re tired
- Make sure you take lots of breaks in between. I took a break almost every 45 minutes.
- Help others in the Offsec channels and see how they approached a problem differently
- Read up on other methods to exploit a vulnerability and practice everything
- Complete all challenge labs
- Complete as many extra miles as you can
- Remember to have fun
Course Ratings:
These are subjective, but I just decided to rate all courses, challenge labs and exam enjoyability
OSCP:
Course- 6/10
Challenge Labs- 8/10
Exam- 7/10
OSEP:
Course- 7/10
Challenge Labs- 8/10
Exam- 9/10
OSWE:
Course- 8/10
Challenge Labs- 9/10
Exam- 8/10
OSED:
Course- 10/10
Challenge Labs- 6/10
Exam- 9/10