OSCP: A Success After A Failure
I did it: I passed the exam attempt and I now “own” the Offensive Security Certified Professional certification. The OSCP certification by Offensive Security is the first - serious - step you can take towards becoming a certified penetration tester; it’s recognized everywhere and almost everyone knows it.
I know, yes I know…you may be the best pentester or sysadmin without any certification, it’s true. I’m the first to say it: my mentor - my dear friend Franco - as far as I know never took an IT certification, he has been active since the early ’90s, and during the last 20 years (my IT years) I never found someone better than him. Unfortunately, if you’re not running your own firm and you want to change position, change IT dept. or learn something new in a good manner, you need to follow a course and/or a certification. The reasons? My free time (and probably your free time) is not enough to start looking around at several websites or incomplete guides; you need someone who is running a complete course, a good one. A lot of firms are looking for certified specialists (and your pay will be better, of course) due to ISO standards or special requirements. Is it really working? NO, sometimes it could mean nothing, and some certifications are just multiple-choice answers: just flip the coin if you’re not sure and you may have a certification without any knowledge.
OK, it seems I hate certifications or I hate the idea of being “certified in XYZ”. False, sorry. What I want is to be trained, and the exam is just the fun part at the end of the training, the last step after hours and hours of practice, books and so on. This is the real reason why I chose to be trained by Offsec, why I chose to pay for an Offsec course and why I spent my free time on the OSCP course. And the exam is hands-on: no multiple choices, no coins flipped, just you and five machines to compromise. Fewer cheaters and less chance of being lucky, only you and what you learned VS five machines that want to be compromised.
In this post I don’t want to write “I passed the exam, try harder and you’ll pass it” or “this is my amazing cheat sheet”; the Internet is full of good/bad articles about that…you don’t need another article on that topic. In this article I want to explain why I failed the first exam attempt and how I was able to fix this.
Before starting I’ll write my background in 2021: 20 years of Unix/Linux, 15 years as a Unix/Linux sysadmin, almost 0/null knowledge of Windows. Why did I choose this course? In the last few years I started learning IT security properly; before that I was barely involved in security and I had a lack - a great one - of knowledge. Another reason: why not study something useful for changing IT dept. or starting a new career in a pentesting firm? Last but not least: if you’re able to think as a red team you could be a good blue team (or whichever color you prefer).
I bought a three-month training (three months of lab access) and I spent the first month learning the entire book. There was a lot of stuff I use daily at work, there was something new (are you saying the Windows part? YES) and something I had used but not in depth. During the second month and part of the third I completed 69 of the 70 machines (one sandbox…one sandbox…) and I booked the first exam attempt. I failed it: just 2 machines of the 5 were properly compromised. One month later I took the second attempt: 5 machines of 5 compromised, 100% done in 13 hours plus another 10 hours the day after for a 90-page report. Is the exam hard? Yes it is, and what is really hard is the time management, you (and your brain/emotions) and your body (you need to be fed…we’re not robots). Don’t be afraid to use Proving Grounds or Hack The Box, both have some nice machines very similar to the lab ones; sometimes the challenge is a little bit harder and sometimes it is the same.
I talked to a few newbie guys (the same as me) who compromised just the 10 machines of the learning path with a walkthrough and then tried the exam; they failed, of course…it’s normal. You need to practice, a lot. You need to understand how to use the Offsec methodology, how to use all the tools, you need to PRACTICE. Stop. If you fail (and I failed) it’s your fault: Offsec is giving us what we need to pass the exam at the first attempt (or during the second :) ).
One tip, just one: use the official Discord chat of Offensive Security, chat and ask questions about the machines (if you’re not able to compromise them) and try to find a mate, talk to him…brainstorming is the best idea in those cases. If you’re not a “real” pentester you need help; I had less know-how in some topics and good know-how in others, and if you find someone who wants help and gives you help…you’re fine!
Why did I fail the first time?
Ok, I passed the exam, my knowledge between the two attempts was more or less the same…what changed? Everything and nothing. What changed was the way I handled the exam.
DON’T BE AGITATED. I know, it seems a catchphrase but it’s not. During the first attempt I was more worried about failing than about finding the way to solve/complete the exam. You’ve got 24 hours, maybe less, ok…19 hours? Good. Don’t be agitated, it’s more than enough. 50% of the exam is you focused and concentrated on the victory and 50% is applying what you learned during the course. Don’t leave ANYTHING behind you, anything. Every chapter is important. Every one. Offsec is not asking you to recompile a Linux kernel or compile a Windows exploit with a particular lib in Visual Studio…they just want to check that you learned what they wrote and that you’re able to use the techniques (or more than one technique).
DON’T BE SEATED FOR HOURS. Get up from the chair, walk 50/100 steps, drink water/coffee, look outside, eat something. Every hour, take a small break every hour. It’s not common for me to be seated for hours, but during the first exam attempt I sat in front of the monitor for more than two hours a few times. A waste of time and brain.
DON’T UNDERESTIMATE THE ENUMERATION. I personally don’t use automation/scripts during the first/second scan. Use nmap without any other fancy script in front of it, enumerate every single port, every single service, fuzz the services, use several wordlists and so on. During the first exam attempt, because I was agitated, I badly enumerated some services and I failed. Simple enough. There is a reason why you can’t find a vector on a static HTML page…or is there? This is the most important part: the Offsec motto is Try Harder and the second one could be Enumerate Harder. Otherwise you fail.
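As an added illustration of the “enumerate every single port” habit (this is my example, not code from the original post), the POSIX shell below takes a constructed line in nmap’s grepable output format, as a full-port scan with `-p- -oG` would write it, keeps only the ports reported open, and builds the follow-up version/script scan restricted to exactly those ports, so the second pass can never silently fall back to nmap’s default top-1000 list. The host address, the port numbers and the `services_<host>` output name are assumptions; the same check is just as useful when auditing your own hosts to confirm nothing unexpected is listening.

```shell
#!/bin/sh
# Added example, not from the original post. Turn a full-port nmap
# grepable-output line into an explicit open-port list and build the
# targeted second-pass service scan from it, so every open port gets
# version/script enumeration rather than only nmap's default top 1000.

# Constructed sample of one host line as `nmap -p- -oG full.gnmap HOST`
# writes it (tab-separated fields). Host, ports and services are made up.
SAMPLE_GNMAP="$(printf 'Host: 10.11.1.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 666/open/tcp//doom///, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (65531)')"

# open_ports LINE: print the open TCP ports, comma-separated, in scan order.
# Filtered/closed entries are dropped; only fields containing "/open/" count.
open_ports() {
    printf '%s\n' "$1" \
      | sed -n 's/.*Ports: //p' \
      | sed 's/[[:space:]]Ignored State:.*//' \
      | tr ',' '\n' \
      | sed 's/^ *//' \
      | grep '/open/' \
      | cut -d/ -f1 \
      | paste -s -d ',' -
}

# service_scan_cmd HOST LINE: the second-pass command for exactly those ports.
# -sV/-sC are nmap's version and default-script probes; -oA keeps all output
# formats for the report. Printed rather than executed so the port list can
# be reviewed first; an empty list means the first scan needs a second look.
service_scan_cmd() {
    target="$1"
    ports="$(open_ports "$2")"
    if [ -z "$ports" ]; then
        echo "no open ports parsed; re-check the full-port scan" >&2
        return 1
    fi
    printf 'nmap -sV -sC -p %s -oA services_%s %s\n' "$ports" "$target" "$target"
}

open_ports "$SAMPLE_GNMAP"
service_scan_cmd 10.11.1.5 "$SAMPLE_GNMAP"
```

Run it as-is to see the parsed list (`22,80,666`) and the generated command; in practice you would replace the constructed sample with `grep 'Ports:' full.gnmap` and compare the list against what you have actually enumerated before moving on.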
BE STUBBORN…BUT NOT TOO MUCH. The good practice is simple: if you are not able to find a vector in 2/3 hours and you have been trying to use the same exploit for ages…change your idea. Restart from scratch, check other services. What I learned during the lab time is clear: if I’m not able to find a proper attack vector in less than 2 hours I’ve got a problem, either I enumerated badly or this is not the correct exploit/service to use. Don’t be stubborn on something you may think is the attack vector. Sometimes a classic Wordpress installation is not the answer, maybe the hidden service running on port 666 you found is (or maybe the opposite). During the exam you have to leave all your possible doors open, check every port and every exploit. These machines were built in order to have one or more vulnerabilities, it’s not rocket science…don’t overestimate the problems, find them. Try Harder but think differently sometimes!
DON’T FORGET TO DRINK AND EAT. According to my Garmin smartwatch, during the day of the exam I burned 3200 calories. It’s a lot; I usually burn 3000 calories during a normal day with 10K steps and 1/2 hours of sport. Eat a protein bar, drink water or something you like…don’t forget to eat and drink something every hour or two.