Zero to OSCP in 292 Days... or How I Accidentally the Whole Thing - Part 1

Intro

I have been meaning to write this blog post for a while now, since I got confirmation exactly a month ago and my physical certificate just came in the mail this week.

People have been posting "My weird path to #infosec" threads. I originally wanted to write a post on how I passed OSCP from scratch, and somehow it ended up being my autobiography. I apologize in advance; make sure you have your coffee/beer/whisky/drinkofchoice ready.

Dostoevsky and Sullbrix were kind enough to add me as an author to their blog to let me tell my story.

https://twitter.com/dostoevskylabs
https://twitter.com/sullbrix

This is going to be a two parter, first will be the backstory and how I ended up where I am now. The second part will be infosec and OSCP prep, including things I wish I had known before I started.

I have tried to get the dates right and keep everything as accurate as possible, but I never kept a journal so this is all from memory. I hope my story is entertaining and helps you in some way. Feel free to jump to part two if you want to skip straight to the infosec stuff.

Thank you to Steve Becker for his ninja editing skills:

https://twitter.com/CowbellSteve

Childhood

I grew up in Surrey, British Columbia, near Vancouver and didn't move to New Jersey until 1999.

I learned to read on a computer, on one of these bad boys right here:

https://www.scrapmetalforum.com/vintage-electronics/28833-vintage-ogivar-486-a.html

DSC_0194
DSC_0186

I have a picture of me sitting in an office chair barely able to see over the desk, playing Reader Rabbit. I would have to dig through old family photo albums to find it, so I'll save that for another time.

https://en.wikipedia.org/wiki/Reader_Rabbit

I have always been a tinkerer and PC Gamer since the beginning, my father worked from home when I was a kid and I was lucky enough to get my own desktop computer because he didn't want me messing with his work one. One of the first things I did was take it apart and put it back together.

I grew up through a lot of PC Gaming classics, such as X-wing, Tie-Fighter, Dark Forces, Warcraft 1 & 2, Elder Scrolls, Command & Conquer, Wolfenstein3d, Doom/Quake, and Baldur's Gate. We had a dial-up internet connection very early on, and I used to play Discworld MUD, Jedi MUD, and other online games. My first experience with an MMO was Ultima Online, which developed into a really serious addiction and I vowed to never play another MMO again, which I've stuck to for the most part.

I vaguely remember borrowing a disk for Mandrake Linux from a friend's Dad back in the day and wiping my machine and installing it, I was like wow this is pretty cool, but I can't game on it so I have no real use for it.

High School

Fast forward to freshman year of high school, my dad got a job offer in NYC, and the company offered to move us 3,000 miles to New Jersey.

I ended up enrolling in AP Computer Science, it was C++ and taught by the school Calculus teacher. I found it somewhat interesting, but the class was extremely uninspiring. My newfound friends and I had more fun trying to get the computers to do things they shouldn't do, or playing games.

I remember exploiting the library's Admin account with friends in order to install Diablo 2 and Warcraft 3, so we could play in school. It only got worse as we got older and started getting our driver's licenses. Wi-Fi had just started getting popular and people were getting it in their homes. It was so insecure, everyone was leaving default credentials.

My dad had a cigarette lighter power inverter I would borrow and we would all hop in the car with our laptops and drive around using KismetWireless in SlackWare back then, wondering how we could scrounge up enough money to buy more powerful antennas.

The worst damage we would do was print stuff out on networked printers, or leave funny text documents on people's desktops.

We'd then make our way to our local diner in the middle of the night to take advantage of unlimited coffee refills, watching Hackers on our laptops thinking we were hot shit.

College

I took an economics class in high school, and like most of them they usually have a stock market game, which I ended up winning. I really enjoyed that class, because the teacher was so engaging. Unlike most of my teachers he was young, and tried to teach us personal finance as well, which is rare even today.

When it came time to apply to colleges, I had a hard time. I was a C student, from not applying myself. I would get home from school, and just play Counter-Strike from afternoon until early morning. I got in constant fights with my parents and teachers over my grades, and I don't remember doing a single homework assignment, unless it was a group project since I didn't want to screw over the whole group. I would get A's on all the tests because I could read a textbook and sit for a multiple choice exam, but without the homework my grades were shit.

My SAT scores were pretty decent, I think I got a 1390 out of 1600. I remember applying to Rutgers and talking to the admissions counselor, she said "Your SAT scores are great but your grades are so bad, what do you do all day?" "Play video games," I replied.

"Ok, here's what you're going to do. Go to community college for one semester, prove you can get good grades, and it'll be almost guaranteed admission when you transfer."

I enrolled in Union County College for Business, I didn't want major in Finance and get stuck there or have to change majors if I didn't like it. The professors handed you the syllabus day one, here's the textbook, here's the exam date to show up for. No busywork, no bullshit homework assignments. This is fucking amazing, ended up getting a 4.0 my first semester.

I decided to stick it out the full two years, got my Associate's Degree in Business. When it came time to transfer, I ended up going to Kean University, another New Jersey state school. It was closer and less expensive, since I was commuting.

I ended up graduating from Kean University with a Bachelor's Degree in Management Science, and again really enjoying my finance courses. We had just come out of the dot-com bubble era a few years prior, and I had been a fan of the movies Wall Street, Glengarry Glen-Ross, and Boiler Room.

I wanted to get my MBA, but was tired of being a broke college student. I know what I'll do, I'll become a stock broker!

Workin Chaz

I got my first job out of college at a small firm as a Stock Broker trainee, they would pay you a salary, and sponsor you to get your Series 7 license. Then after the first 6 months, you would build your own book of clients and transition to full commission only.

https://en.wikipedia.org/wiki/Series_7_exam

Once again, I read the study guides no problem. Sat for the multiple choice exam, and passed easily.

nice-your-gonna-have-a-bad-time-meme-you-re-gonna-have-a-bad-time-fimfiction-your-gonna-have-a-bad-time-meme

Let me tell you, when you're a nerdy kid and the most talking you've done is the shit-talking in online games. It is an eye-opening experience, trying to make 500 to 600 cold calls a day.

The hazing that takes place, like a boss making you do pushups in the morning meetings. You think the bro culture is bad in tech companies? No office chairs, you gotta stand all day; no coffee either, chairs and coffee are for closers.

After transitioning to full commission and getting burnt out immediately, I decided I had to get out of there. I managed to snag a job at Merrill Lynch since I already had my Series 7 license, everyone in my training group had gone to school for finance but were studying to take their Series 7.

They sponsored you to get more licenses, Series 63 and 65:
https://en.wikipedia.org/wiki/Uniform_Securities_Agent_State_Law_Exam
https://en.wikipedia.org/wiki/Uniform_Investment_Adviser_Law_Exam

It was a much smoother experience being an investment advisor. We got a salary, so the job was less commission dependent. We started with existing clients, but also had goals to bring in new clients.

I still wasn't really enjoying being an investment advisor either, and I caught on to the hypocrisy and conflict of interest pretty early. "Wait... If I get commission to sell these clients products? How am I expected to do what is right for the client, which is more often than not to do nothing?

I was at the middle or bottom of the sales ranking every month, because I was giving out actual good advice. “Yeah, your asset allocation is fine. Yeah, your diversification is fine.”

Feeling unfulfilled I was looking at other positions to apply for to transition internally, ever since the stock market game in high school. I had always been interested in trading and the markets. I started looking into moving to a trading or analyst role. Not having gone to school for finance, this was going to be tough.

I looked into the Chartered Financial Analyst (CFA) Designation, which is essentially the OSCP of finance; it is extremely time consuming, with low pass rates, and is highly sought after. https://en.wikipedia.org/wiki/Chartered_Financial_Analyst

I started studying and sat for the first level of the exam.

Mortgage Crisis/Online Poker

Out of the blue the mortgage crisis hit. It was a very strange time to be at the beginning of your career in finance. The office had a very weird vibe to it, there were people who had spent their whole life at the company, and were crying or at the brink of tears.

I remember the Friday night nobody wanted to leave the office because we didn't know if we were going to have jobs Monday morning. Luckily that Sunday Bank of America agreed to buy Merrill Lynch, and we were saved at least for a little while.

Then came the shuffling, B of A had their senior advisors, while ML had theirs. My manager had told me there was a position available for me in New Account Opening, where I would be onboarding new clients and helping them set up their accounts.

I didn't spend all this time studying for my licenses, and I was already unhappy where I was it was the perfect chance to get out, so I had asked them to lay me off, which they were more than happy to do.

Now what? I'm never going to get a job in finance in this climate.

I had been playing online poker on Full Tilt and PokerStars just for fun on the weekends, even though I had never played poker in my life until right around that time. I loved the fact that it was a skill game, and as long as you were better than the players you were playing with, in the end you were going to take their money off them. It was almost similar to day trading, but with less factors out of your control.

Kids were making obscene amounts of money around then and prior to, with a lot of professional StarCraft players and Magic the Gathering players switching to poker with huge success.

Tom Dwan from Edison, just one town away from me was killing the game. Some of these kids had started playing under-age, and were printing money, they had so much they didn't know what to do with it.

https://en.wikipedia.org/wiki/Tom_Dwan

I did what I am currently trying to do with infosec and I tried to become friends with the top players in the industry, get mentors, buckle down and study and network my ass off.

I found the twoplustwo forums:
https://forumserver.twoplustwo.com/

Then came watching training videos and becoming active on training sites:
http://www.deucescracked.com/
https://www.cardrunners.com/

I tried to get some poker students of my own. The best way to learn something is to teach it right?

I wasn't balling out of control like some of these other kids, but I was making decent work from home and had good “I still live with my parents” money.

Online Poker Black Friday 4/15/11

Seized_Website_image
https://en.wikipedia.org/wiki/United_States_v._Scheinberg

After 2 years, I woke up in the morning, and go to log into my Full Tilt and PokerStars account and get met with that sweet image.

Tldr; Online poker players were paying income tax on their winnings, however the online sites were hosted over seas and weren't paying corporate taxes. Even though they weren't breaking any laws it was more of a grey area.

The DOJ seized all the sites' assets including upwards of $600 million in players' money, under the Wire Act of 1961, which states you can't bet on horse racing over the telephone. It took the DOJ 3 years to admit that that law doesn't apply and give all the players their money back, after crippling the entire industry.

I worked on (wrote the English subtitles) for a documentary about the whole situation, which is available for free on Amazon Prime and I highly recommend it:

Shit... I gotta get a real job

I went back to the Barnes and Noble I worked at during college, did cash jobs, and got a job as a Personal Banker at Chase, selling checking and savings accounts. It was awful making like $15 for opening a checking account compared to the fat commissions I was used to getting, but all my licenses had expired and I didn't want to get back in that industry anyway.

I looked briefly into getting OSCP in 2013. I wish I pulled the trigger back then, but I ended up getting a job as Business Development Manager at Maingear Computers:

https://www.maingear.com/

I met one of my closest friends there during 3 years with the company, doing everything from building machines, burn-in testing, support, and sales.

I hit the ceiling of upward mobility pretty fast, and was stagnating, not learning anything new day-to-day.

I ended up getting laid off in 2016.

Chaz gets married, Carotid Artery Dissection, u wot m8?

Jeremy-Chisamore-Wedding-1

3 weeks after getting laid off I married my college sweetheart of 12 years, and about a month after that I tore my left Carotid Artery.

https://en.wikipedia.org/wiki/Carotid_artery_dissection

What? Exactly.

The doctors still don't know how it happened, they’ve said we may never know. It could have been from working out, could have been from lifting a window air conditioner. It can happen from sports, shampooing your hair, getting in a fender-bender, or just random bad luck.

I had started getting headaches every day, not bad, but like 1 out of 10 pain. I just chalked it up to not drinking enough water. I started taking Advil, so the headache would go away for 4-6 hours then come back.

One morning I look at myself in the mirror and my pupils looked different. The left one was tiny, but the right one was normal. So I do what everyone would do, which is to hop on WebMD and see why I'm dying. Turns out it's called Horner's Syndrome, and I figured if it didn't go away in a few days I'd go to the doctor.

After about a week, I was having breakfast one morning and my entire right arm went numb from the shoulder down. Uh-oh. I have a set of dumbbells in my living room. I go over to them and pick them up with my right arm. Weird... It still works? I just can't feel it.

I take my phone out of my pocket and dial 911:

"911 what's the emergency?"
"Ummm... I can't feel my right arm, I think I might be having a heart attack or something."
"OK, are you in an apartment, if you're on another floor stay there and we'll come get you."
"I feel fine... I'll meet you in the lobby."
The ambulance arrives:
"Where do you want us to take you?
"Dude, I don't know I think I'm having a heart attack or something. Wherever's closest."

They take me to Trinitas Regional Medical Center in Elizabeth, I'm sitting in the ER waiting to be seen. My wife rushes over from work, yelling at me for not telling them to take me to Overlook Hospital where her mother had worked for 30+ years. ¯\(ツ)

As I'm sitting waiting my face starts going numb, I tell my wife to go get a doctor, and this nice nurse comes over and gives me an IV. She doesn't speak a word of English. I tell her my face is going numb and she smiles... I'm going to die here.

The doctor comes over with my wife:

"Did you take any drugs or alcohol?"

"No, I only take vitamins."

"That's not all, tell him everything." My wife says.

"Why is your wife so concerned, what are you not telling me."

"I take like 5000 IUs of vitamin D a day because I sit at the computer all day and get no sunlight."
"I take a large pack of athletic vitamins, and I'm on the ketogenic diet for weight loss."
"Also I do P90x and jump up and down like an idiot in my living room every day."

"Oh. OK well we're going to get you in for a CAT scan."

I have the CAT scan, they bring me back to the ER and await the results.

All of the sudden everyone comes running over, they rush me to a private room.

"500 mikes of Heparin," they hook it up to my IV, the doctor comes in.

"Hey Jeremy, so you have what's called a Carotid Artery Dissection. You've torn your left Carotid Artery going to your brain, and you've had a stroke. There's a blot clot since it's trying to heal itself."

"OK, well a blood clot is small right, just like a little speck in my vein."

"No, no," he shows me the length with his fingers "You have a 4 inch clot going from under your eye, under your jawbone, and down your neck."

"Uhhh... You guys can deal with that here right?"

"Of course."

A few hours later:

"Yea... We can't deal with this here, we're going to get you a special ambulance to transport you to JFK Hospital in Edison, they have the best stroke center in the state."

$6500 ambulance ride later... I could have taken an uber.

JFK Neuro-ICU

"When did they give you the radioactive dye for your CAT scan?"

"I don't know man... Am I supposed to keep track of this stuff?"

"OK, we'll give you another CAT scan without the dye since we don't have your scans yet."

They stick me in the machine and scan me again, before taking me up to the Neuro-ICU. At this point it's the middle of the night, I'm so fucking thirsty, but they won't give me water because I might be having surgery.

This was on a Monday, it was a week before I ended up having surgery. I was poked and prodded all week for blood tests, more tests, cholesterol tests, EKGs, EEGs.

"Your cholesterol is borderline high, but only because your good cholesterol is through the roof? What do you eat?

"Like a ton of bacon, eggs, avocado, almonds, olive oil, sardines."

"Oh. That'll do it."

"what's your favorite subject in history?"

"World War II."

"When was Pearl Harbor?" Looks at their phone.

"December 7, 1941."

"When was D-Day?" Looks at their phone.

"June 6, 1944."

"OK, name as many animals as you can in 60 seconds." Busts out the stopwatch. My wife and her aunt look at me nervously holding hands.

"Uhhhh... dog... cat... turtle... giraffe... (other animals) Man I wasn't ready for this."

"It's fine you got more than enough, your memory is fine."

Surgery Time

Now I've never had a broken bone or any serious illness worse than the flu my whole life, so naturally I was freaking out.

A hospital therapist came to do an evaluation.

"I think you are anxious, I'm going to prescribe you Xanax."

"No shit I'm anxious, I want to go home. I don't want Xanax."

"Ok, I'm going to prescribe it for you anyway if you change your mind."

Finally on Thursday night my Neurologist/Neurosurgeon comes to see me.

"So you're the famous Jeremy I keep hearing about."

"And you're the famous Dr. Kirmani I keep hearing about."

He went on to explain what a Carotid Artery Dissection was and why they were waiting all week to decide what to do. The blood clot/blockage was so large it was pushing on the nerves in my neck and that's why I lost feeling in my arm. It wasn't a blood flow issue and that's why I could still lift weights with my arm.

Normally they would just put me on blood thinners for 6 months and the problem should resolve itself, but in my situation, the blockage was so bad that if it heals itself and 6 months down the line the artery is still tight or constricted there will be nothing he can do about it.

His recommendation was to do an angioplasty, where they cut open your femoral artery in your groin/leg and go up through your heart with a camera and check it out, and then thread a wire up there with a balloon and a titanium/nickel stent (like a Chinese finger trap). He said there is minimal risk for complications and wasn't doing this surgery because it's cool, but because it's the best course of action.

"OK. Where do I sign."

The next morning I had the surgery, which was four and a half hours of being awake so they could ask me questions. They had to put three stents in because the artery was so blocked, and everything went well.

I had to be on a blood thinner called Plavix and Baby Aspirin for 6 months. Now I just have to go yearly for a CAT scan to make sure everything is okay, as well as take a Baby Aspirin every morning.

Modern medical procedures are amazing, not sure about the pharmaceutical industry, but surgeons are fucking wizards.

But hey I made the news:

Next stop... Infosec Land

... To be continued...

https://blog.mallardlabs.com/zero-to-oscp-in-292-days-or-how-i-accidentally-the-whole-thing-part-2/