Tips for an Information Security Analyst/Pentester career - Ep. 69: My failed OSCP exam attempt- What I did wrong and what I'd change

On Monday I just completed my first OSCP exam attempt.

I didn't feel ready for it and I was right because I failed miserably.


I couldn't hack a single machine.

I realized, working as a professional pentester, that the OSCP exam looks much more like a CTF than a real-world pentest.

I'm glad I don't have to rely on that cert to work in the industry so far.

I can't hack machines this fast and I need to improve on that.

Even though the exam machines weren't impossible per se, time ticking away is a factor that severely puts your nerves to the test.

I ended up having a horrible headache from all the thinking and trying.

I tried to keep my cool, ran all my enumeration scripts and I found very detailed information about my target.

I ran nikto, dirbuster and dirsearch on web servers.

I tried to look for manual exploits online for each possible vulnerable service detected, but none of the ones I found would work.

I kept going for 10 hours until I was exhausted at 2 am.

I slept for seven hours and then I kept going for a while until I realized that was it.

The development machine is pretty straightforward but, unlike the lab, you don't have PuTTY on it and I don't thrive in a strict Windows environment.

I hate having to run Python on Windows.

I need to brush up my command prompt skills.

What I did wrong

  • I focused too much on lab machines and, though I learned a lot from them, I didn't improve my detection and recon skills enough and they're paramount in the exam. Quickly sensing what services are vulnerable and can be leveraged for an exploit is a very important skill and I need to improve on that. In a real-world pentest, you normally have way more time to complete an engagement. I scanned some machines for more than a week. You don't have this benefit in the OSCP exam, so you need to quickly assess what you can attack. Sometimes it took me days to hack a single machine in the lab. I need to dramatically improve this skill.
  • I started getting discouraged and, though I took breaks, I started losing my focus. I'm not a quitter and I never will be, but the exam hit me like a brick wall and, man, it hurts big time!
  • I'm too harsh on myself. I started hating myself for not being able to pull this off, and additionally, a bunch of services didn't work. I ended up getting too frustrated to keep going, which is something I'm really ashamed of.
  • I couldn't find enough time to re-study the lab material. Studying is paramount and knowing the concepts from the lab manual better helps a lot with exploitation.
  • Focusing too much on UNIX/Linux. Most machines in the exam were Windows and I find Windows lacks so many features that it's way harder to work with it than it is with UNIX/Linux. I need to create scenarios where I can't rely on my friendly Bash shell.

What I'd change
  • Improve programming skills, especially Python and C
  • Integrate lab machines with CTF machines from Vulnhub, Hack the Box and more: I need to get into a CTF mindset more than behaving like the professional pentester I am. I need to hack these machines quickly. So, I need to have at least 2-3 machines pwned over the first 8-10 hours of the exam, if I want to have a slight chance of success. I should've spent some time working on Hack the Box and Vulnhub, too, because that's what the exam looks more like. Additionally, some of those boxes are like OSCP machines.
  • Studying programming (especially buffer overflow) more, also by using external sources. Though I like the lab guide, it's not always the best and it can sometimes be a little too lacking in details. The lab manual itself invites you to look for alternative sources and that's what I need to do to learn better.
  • Get better at privilege escalation. I recently learned more tricks about it, but I'm too damn slow. 24 hours are definitely not a lot for you to hack 5 machines.
  • Becoming more familiar with Windows and PowerShell commands

Wrap-up

I thought I would consider this attempt as a mere recon stage, as I did not feel ready, but I secretly hoped I could've done better.

I was in for a rude awakening. 

I couldn't study the right way for 2-3 months when I was in my previous job and that's why I didn't pass.

I wasn't sharp enough, badass enough, focused enough and I believe mental and physical tiredness completed the recipe for the disaster.

Focusing on something like that for 24 hours requires a huge determination.

I'm determined but I started to get tired and lose motivation.

The fact is I'm a pentester already and experience is more important than any certifications, so I started thinking I was already working as a pentester, so what the hell...

However, the higher I can get the more I can make and I can always find a job, because I'm more marketable.

Additionally, my company fully supported my efforts 100% and I need to thank all of them.

I'd recommend having a look at a very good post explaining this very important concept.

Take a test and find out if you're interested or committed.



I'm committed, I don't make any excuses, I hit a brick wall and I got hurt.

But I rose again and started over even stronger than before because now I know what I have to do and what I did wrong.

This isn't the end, but simply a delay.

I will take more time and go back to the drawing board until I can be where I need to be.

When I'm ready and I'm able to hack another 20 machines, and gain more confidence with programming languages and web application pentesting, I'll give OSCP another go.

I had a setback, but each setback I had helped me get closer to my goals.

You should love your setbacks because they're a reality check you need to experience in order to understand what you really need to do.

I thought maybe I was a rising star, when I'm simply a n00b who needs to learn his way around, improve and deliver every single day.

A painful punch in the face, but healthy.

I guess I needed it, but this type of experience is helpful only if you learn from it.
