On July 14th I attempted the OSCP exam and I failed. While it was extremely disappointing, I was very close to having a passing score. Obviously this sucks; however, great things did come out of this 23-hour-and-45-minute experience.
The day before the exam I was really nervous and excited. I had been preparing for around a year now and was ready to get it over with and get on with my life. I went to bed early and woke up at around 07:30, took a shower and got all my things ready for a daunting 24 hours of exam time. When the exam started, I scanned the whole network and all ports/services on every machine. Then I started attacking the first box, and after about 3-4 hours I popped it; now I had a feel for what these boxes would be like. No tricks, no cryptic CTF-like bullsh*t, just realistic machines, which are great because they emulate real life. Now I could switch my thinking to attacking a realistic environment instead of tricky CTF boxes. After a few more hours of looking at other boxes and dying to get somewhere, I decided to take a break and come back. When I came back I just decided to do the buffer overflow machine, which was very basic. Once that was popped I moved on to my third box, which I had spent time on before the buffer overflow, so I did have user access already. After about 10 minutes I had full privileges (I did a happy dance). Now I had two boxes left; I went back and forth between them trying to find anything, just something! After some hours of tinkering I found a way into one of the boxes. I now had around 5 hours to get full privileges on this box. I was enumerating everything I knew to enumerate; the fact that I don't really use the operating system it was running very much did not help. Sadly I did not get elevated privileges and did not meet the requirement of 70 points to pass the exam.
After the exam I was frustrated and really let down. I really wanted to get this on my first try so I could get on with my life and focus on some fun future projects! After some time of moping around, I thought about why I was even taking the exam. I am taking the exam to learn; it's for me, not for my friends or my family. This is for advancing my skills in security and penetration testing to be the elite hacker I always wanted to be ;}.
What I Gained/Learned
Like I said, great things did come out of this failure. One of the obvious ones is honestly just learning to fail, how to deal with failure and what I am going to do about it (not whine and mope).
Things I learned:
- More Windows privilege escalation techniques
- Enumerate everything even if what you are enumerating may not exist
- More about binary exploitation
- Try harder than you are trying even if you are already trying harder ;}
- Failures are stepping stones to success, without failure you will never succeed or gain anything
- Try and map out the box and understand what is happening and what is on the box. Does the box have a name? If so, what? Is it a mail server, or is it an admin's machine?
- Practice Practice Practice
- ENUMERATION. IS. THE. MOST. IMPORTANT. THING.
- Try and find multiple ways to move files between you and the target
- Gain control of as many things/services as possible. These can be used for leverage. For example, if you can enable RDP as your current user, do it! It will make your life easier.
- If any data seems sensitive save it for later
- Quintuple check everything because maybe IT'S NOT ACTUALLY CORRECT
- TAKE BREAKS! TAKE BREAKS! TAKE BREAKS! I could not say this enough: refresh your thoughts and mind. Get water, a snack, eat dinner, whatever, but rest your mind
- Prepare your computer and tools before the exam; for example, create a directory for each box and put a folder in it for report screenshots/notes.
- Don't give up, never give up! You aren't done until that VPN disconnects you!!!!!
Addressing the mystical
I have heard a lot of questions like:
- Is the PWK hard?
- Is the PWK harder than HTB?
- How many boxes should I pwn before I do my OSCP?
- Is the OSCP hard?
- The PWK has boxes from beginner to what I would say is intermediate, and a couple that I could call a little harder than intermediate. I pwned the hard boxes (there are 4). Also, what makes these boxes different is that they are associated with each other. Maybe box1 has a password on it for box3, or you need to use box2 to access box4, etc.
- I would say the medium HTB boxes where you need to enumerate a bit would be at the same difficulty as the harder boxes in PWK. However, remember that HTB boxes are mostly just by themselves, whereas the PWK boxes can integrate with each other.
- I would say a good number of boxes to pwn before doing OSCP is around 100. This also depends on your skill level, to be honest. But if you are a 100% noob, go for 150 boxes. I also recommend trying to find as many Windows labs to attack as possible! There are some great ones out there, like RastaLabs from HTB. But remember, pwning boxes isn't all of it; make sure to get some exploit development experience as well.
- The OSCP boxes are what I would consider easy to medium. I think what makes the exam hard is the pressure to pwn the boxes in less than 24 hours. Just make sure to enumerate as much as possible and have some experience (100 CTF VMs) under your belt, and you should do well!
I learned a lot from the OSCP exam and the PWK labs; I 101% recommend taking them on! I will retake the OSCP and pass it no matter how long it takes! Don't let your failures keep you down! Keep on pwning!!!