I Failed the OSCP Exam. Here’s Why.

Like the title states, I failed my first attempt at the OSCP exam last week. I came close, really close, but unfortunately couldn’t quite get myself over the line. This post will cover the exam attempt itself, why I failed and what I’m going to do from here.

The Exam Attempt

My exam started at 9am local time, and I was able to get myself set up with the proctoring conditions without too much issue. I started off by running my scans on the exam machines whilst I worked on the Buffer Overflow, which I was able to complete fairly quickly. A good start, getting 25 points within an hour and a half. From here I rotated my way through various machines, spending some time enumerating and looking for any interesting services available on the machines. I was starting to get a little frustrated and decided to take a risk by using my Metasploit attempt on the 20 point machine. Thankfully, it worked and I was also able to use Metasploit again for privilege escalation. 45 points, 6 hours down. After trying harder on the 10 point machine, I was finally able to get root after a solid 3 hours of effort. Although the 10 point machine was more difficult than I thought it would be, I was feeling good with 55 points in 9 hours. I took a quick break, and after returning was able to navigate my way through a difficult web application to obtain a low privilege reverse shell after another 3 hours. I was feeling confident and just needed to escalate privileges on the 20 point machine or obtain another low privilege shell on the 25 point machine and I would have been home. However, it wasn’t to be. I spent the next 12 hours grinding both machines but ultimately got nowhere. A quick 4 hour nap didn’t help much either, and when my exam time ran down I felt as though I was never going to be able to make that final push.

A final breakdown of the points I was able to get is as follows:

25 point Buffer Overflow
20 point machine
10 point machine
20 point machine (low priv)

If we assume that the low privilege shell on the 20 point machine is worth half points (Offensive Security don’t disclose the exact value of low privilege shells) – it means I ended on 65 points out of the required 70.

Looking back on the attempt, I can’t help but kick myself for not being better. I got to the aforementioned 65 point mark around 12 hours in, just before the halfway mark of the 24 hours total you are granted, but completely hit a wall that I unfortunately wasn’t able to overcome.

What’s even more frustrating is that I actually did complete a lab report, which would have been able to secure me the last remaining 5 points required to pass. However, I only realized after my lab time had finished that I missed 1 set of course exercises, and so didn’t have a complete lab report. Despite everything else being fine, Offensive Security were strict on their requirements of a fully complete lab report (and rightfully so). With the barely incomplete lab report factored in, I was probably the closest you could possibly be to passing the exam, which makes this attempt all the more frustrating.

The Wait

I knew I was going to be very close, and submitted everything in the hope that I would be able to show that I did enough to justify a pass. Little did I know that the wait for results was almost as difficult as the exam itself. Offensive Security sent me a confirmation that my reports had been received a few hours after I submitted them, and stated that results would become available within 5 business days. Almost all cases I read online said results came through within 24-48 hours of submitting, but mine took an excruciatingly long 7 days before I was delivered the bad news. I even sent an email to support asking for an update on my results after 5 business days had passed, and received a prompt response informing me my exam documents were still under review. I guess they also had some difficulty deciding whether my attempt would scrape a pass or just fall short.

Still, I’m oddly satisfied with my exam attempt. I genuinely feel like I gave it everything I could and I did a lot better than I had thought I would going into it. Once I get over this initial disappointment (I sat down to write this immediately after receiving my result), I’ll be ready to dive right back in and give this exam another go.

What Next?

I’m not able to book my second exam attempt yet, as I still need to wait for the cool down period of 1 week to pass before I’m able to do so. Once I am able, I intend to schedule another exam for somewhere between 1-2 months from now. Between now and then I will probably continue what I have been doing these past few weeks – primarily using HackTheBox and IppSec’s videos. To accompany that, I’ll spend time targeting the areas I need to specifically work on. Hopefully by the time I sit my second exam attempt I’ll have shored up some of these weaknesses and be able to breeze through.

The core areas I need to improve on are:

Privilege Escalation – if I was better at this I would have passed already. I knew going into this exam attempt that I was weak in this area, and unfortunately it ended up being my downfall in the end. I’m hoping my privilege escalation ability will be improved through practice which is something I intend to do a lot of.

SQL injection – I’ve never felt too comfortable at SQL injection, and I might have been able to find something interesting on the 25 point machine if I was. Definitely something I need to brush up on before my next attempt.

Databases – It’s not uncommon to encounter machines with databases, and for these databases to be relevant to the exploitation or privilege escalation procedure. However, I have always struggled with these – even down to making a connection to them. It’s not something the PWK course covered very well, but is still relevant to penetration testing as a whole so will definitely be worthwhile to study up on.

I think that pretty much covers everything for what went wrong during this exam attempt and my direction moving forward. I’ll do my best to keep these blog posts up by updating what HackTheBox machines I’ve attempted and what I learned from each.

Thanks for reading!

Onwards and upwards,

Kento.

9 thoughts on “I Failed the OSCP Exam. Here’s Why.”

  1. Hi Kento
    Thanks for the great write-ups. I am on the same path as you. Just one question: how did you practice for the buffer overflow section?


  2. Hi Kento

    Always nice to read other people’s experiences

    I will share my experience pretty quick. Had the exam yesterday, I really, really s***d. Started at 7am, several hours without getting a single thing. Only enumerating, web applications were my killers.

    25 point machine buffer overflow: took me a few hours but was able to do it, was even simpler than in course but still took me time

    10 point machine, savvy service, this was supposed to be very straight forward with a known exploit, never worked both msf and python script

    25 point machine: 2 web applications: First web page totally owned with SQLi, bypassed auth and was able to retrieve root password, this machine did not have port opened and tried these credentials in other machines MySQL port and also ssh, no luck, this was a dead end, no use of this. Went to the other application, file thingie 2.5.8, known vulnerabilities for previous version and never got to make it work nor upload a working php.

    20 point machine with 3 web interfaces: 1 phpMyAdmin, could not log in, the other a monitoring page and the other WonderCMS 2.3.1 with stored XSS vuln, but not able to exploit further

    20 machine: The hardest, Orchard CMS, no point of attack this box, only option to fuzz post with hydra and patator, never worked

    Will not even bother to send report: At the very best my grade: 25 points for the only box rooted, 5 points for lab report, I will assume 15 points for SQLi (optimistic), and 5 points for the other 2 machines for enumeration. This is a very optimistic scenario that would give me 55 points at the very best.

    Next, I plan to practice with PG practice and HTB and maybe look for another good resource, suggestions are welcome, thank you

