Ok, I finally got their answer: I failed.

But, I take it with a smile. I needed 70 points and I got 60. Without saying too much about the exam, each machine is worth a different amount of points and you need to be root/admin/system to earn the max amount of points.

I got root or admin on 2 boxes and only a shell on a third one. If I would have had admin privileges on the third box, I would have had 70 points total.

The exam was tough but fair (and also fun actually). I took many little breaks, but I didn't sleep at all (5 espressos and 3 red bulls keep you awake!) and I didn't even had time for breakfast! So yes, it was tough...

I started studying in IT security exactly a year ago. So I am still pretty happy with what I have learned since then!

But come one, 2 days before the exam, I was asking on this forum how to achieve privilege escalation!!! In addition, I only hacked my way into 8 machines in the lab... So it is entirely my fault...

But I enjoyed doing the exam. Call me a masochist, but I truly had fun doing it. Maybe my years in the infantry helped me stay awake all night, but it felt like 7 hours instead of 24. I had a big smile on my face at the end, and here is why:

I learned many things during this exam. I rooted a box in the first 2 hours and then, I had to work for a full 16 hours before getting a shell on the next one (at exactly 4:40 am). But then, things when much quicker. It is hard to explain, but it is like I said: "now I get it!". After that, every 20 minutes on so, I was making important discoveries. I new what to do! I changed my way of approaching the exam and things got "easier" for me: I got admin privileges then another shell, then... I ran out of time! 

So my feeling after the exam was changing rapidly:

1) I first hope they will consider all the exercises I have done and let me pass.

2) Then I though a bit more. I shouldn't pass. I don't deserve it. So if I end up passing, I would act like if I failed: buy more lab time until I feel I know what I am talking about! I wouldn't feel very happy about the result. I am not doing it for a piece of paper, but to learn and gain experience!

Then when I learned  today that I have failed, it kind of felt right. In a sense, I am happy they failed me because it gives more credibility to the certification. They don't give it to anyone. But I was very close to make it. Very close!  So I am not that hopeless...

Another thing, my VM at home froze at 7:30am. After restarting it, my leo file was corrupted!!!! I lost 30 minutes trying to rebuild it and as a result, I lost many scan results... That pissed me off big time!!!

Oh and by the way, because I had this technical issue and because I was very close to making it (I guess!), the Offensive Security team gave me a free exam! So kudos to them, they were fair to the others by not letting me go away with the cert but at the same time, they made me feel like I was someone, not just another student... 

So now what?

I am waiting for my new exam date. I will buy more lab time and I will practice, practice and practice more! I need to practice mainly two things: my methodology and privilege escalation. I want to pwn at least 20 boxes before I write the exam again! I am close and I will not let this discourage me!!! 

One of my favorite quotes is: "What does not kill you, makes you stronger!"

So I will be stronger next time... 

Thanks everyone for your encouragement, you are the only one I know who really understand what I am going through right now... But I keep the moral!!!   

That sounds like a really beneficial experience for you. You've come a very long way in just a year, so it sounds like you did very well, all things considered. I need to upgrade my materials and take a shot at it later this year. I'm already getting anxious

That's awesome you got a free retake. I'm sure you'll slay it the next time around.

That's too bad Well at least you learned something from it and were close to passing.

I also have trouble escalating privileges usually. You spawn a shell and think you're in, only to realise you have to hack it again to achieve the goal

Keep going and hopefully you will pass next time!

Thank you very much guys, I currently have a big smile on my face just by reading your posts!!! 

Next time will come pretty soon. No it's time to hack and hack and hack!!!

Now I really now how to prepare myself!

first of all, too bad you didnt pass, but second of all, thats a hell of a score for someone as fresh as you! i am currently in the same boat (which got me scared a little bit right now) cause i am in the security business for a year myself, but giving the fact i had so much fun in the labs i would not call it a downside if you get the chance to play in it again! just dont give up cause i know you will pass it for sure! if i can help in any way just let me know!

Nice post and sorry you didn't pass this attempt. As you've mentioned, certainly nothing to worry or feel ashamed about, you've learned a whole lot along the way! For that, job well done. Continue to press on and knock it out on your next attempt (pretty sweet that's at no additional cost to you!).

You haven't failed, you just haven't passed yet. My dad always kept a big sign hanging in our garage that always reminded me to keep going, no matter what it was: "You never fail until you stop trying." Good luck on the next round.

BillV

Sorry you didn't pass the exam I know the feeling, I felt cheated for failing the CISM even after I tried to not think in technical terms this time around. Anyhow, so now that you know what it's like, it's time to think about strategies.

<insert long_ramble_here>

1) You should have already learned about enumeration
2) You should have already learned about mapping vulnerabilities to enumeration
3) Who the hell said you can't multitask

I could be wrong, but when I read your post (description of the exam your hours spent, etc.) I couldn't help but wonder what kind of strategy you used. Compromising a machine is best when you have a strategy and for the OSCP exam, you need to create a form of strategy. No one at OSCP is telling you: "You must attack/compromise in this order" This means, you're free to tackle the exam anyway you want. Strategize for the exam. e.g.:


You know have a framework to work with. In your networkMaps folder, you don't have to wait for the output of nmap to move on to the next task. Placing things in the background works wonders OR you can split it up. E.g.:


Those scans are now in the background and you could move on to another or even another block if need be. The syntax may differ for what you're doing as should the variables -T0 -T5 depending on your impatience.


Prep your directories with whatever wordlists you're going to use to get them ready. From here is where a few things should occur. 1) bruteforcing if that's what you choose, hydra, crack, etc. e.g.:


And so on and so forth. Be wise with your time remember, time is of the essence here and you should NEVER waste it waiting on nmap or some other process to finish before you move to another process. If you're not doing something, you're wasting your time!

-----

I haz shell now what?!

Remember that post? So you have a shell account... Not the right privs eh? Know something, take a look at /etc/passwd, jot down the users and feed it into hydra, jot down the OS and place the information into a quick vi/nano $this.host.txt Can you sniff the wire? So you rooted one box... Did you run a sniffer on that machine after it was owned? If not... Why didn't you? systemtools systemtools, systemtools... grep is your friend (or awk '/regexp/' or whatever you choose)...


Doesn't matter that you will likely find a trove of garbage, you'd likely find something of interest as well. Same goes for configuration files: (.conf, cfg, etc)


Why not view configs... Treasure trove of information... Strategize. Plot and plan instead of swinging wildly Now guess what? All the data you lost because of vmware, is still around. You can take this data to create your presentation. Be descriptive about it.

When I took the exam, (and I believe I mentioned it before), I actually scripted out a shell script just like this. I made my directories for the data I would accumulate, then shellscripted in commands (attacks) to run based on the output of what it was I was doing, e.g.:




Imagination + scripting + strategy ... Strategy IS key though

</insert long_ramble_here>

trove of garbage kid ya not. Configuration files rock on pentests and many testers overlook this. E.g., webserver? I'd be the first to find /path/to/apache||http||www and make an entire list:

find /var/www/htdocs > wwwdir.txt

Then parse it out for stuff. Know how many times I've seen junior/inexperienced admins throw up some crazily misconfigured binary. E.g., I did an incident response on a VoIP company (one of Columbia's (the country) biggest providers). Their admins had all sorts of personal wordpress, joomla directories in there. All with readable config.php files... DB = Game over. Passwords were the same as their logins (ssh)... Logins all had sudo privs with NOPASSWD: ALL was funny as heck...

ONE machine was all I needed to traverse their network between two continents (North and South America) spread throughout 1 /22 and about 3 /27's. Sure most of their devices had ipfw/ipchains/Checkpoint rules to disallow X from untrusted sources... It was their admins who weren't to be trusted.

Config files for all their VoIP devices (ATA's, PBX's) since they had exposed autoprovisioning online... Was a seriously scary thing for them since they had so much exposed that they never even thought about. It's one thing for silly admin joomla accounts, but another to have client configs in plain readale sight. I mopped up that pentest in no time. Userdata? Access to maybe 700k+ accounts.

So let's think about how easy it would have been for me to call and say: "Hi, I'm a client, this is my MAC, this is my account ID, this is my name, etc., what card do you have on file, I'd like to change it... " Caller ID, no problem my company does VoIP, I could have mimicked the account holders Caller ID and make it more believable. (you'd be surprised how many ppl rely on CID as an identifier)

When I disclosed this in a report to their CEO he was livid and sad. I explained to him about proper training, the need to create groups and roles and have oversight. I still do IR for them from time to time but its like FAAAAAAAAR and between. After the pentest, OSSIM went in with OSSIM-AGENTS, OSSEC-AGENTS, sudo with strong passwords and a centralized logging system. Scripted OSSIM to be responsive to alarms... He decided to send two of his admins for OSCP training to handle system administration and security. (Unsure if they did it or not, this was about a year ago).

Nowadays I still get emails to an account I created to monitor for events:


Nothing major though... But yup... treasure trove or garbage I found on their machines