Why I failed OSCP…

Viewing 20 reply threads
    • #5800
      caissyd
      Participant

      Ok, here is my story. I will be completely honest here so others can benefit from my experience.

      Background
      I finished my Bachelor’s Degree in Computer Science in 1999. Since then, I have spent most of my time as a web application developer and eventually became a Java application architect. I have also been a database administrator on Oracle, SQL Server and MySQL. Finally, I have been a business analyst (I hate this job), a team lead, a project manager and even an assistant director (4-month replacement)!

      After school, I never stopped studying. I started a Master’s in Computer Science (Distributed Algorithms) that I didn’t finish (2 babies arrived in the middle of it…). I own 3 certifications: Project Management Professional (PMP), GSEC and CEH.

      I started my own company more than 3 years ago. I now do consulting as a Java system architect.

      All that to say that I am not 17 years old (I am 34!) and I am very serious when I start something.

      IT Security path
      After 10 years as a web apps developer, I needed another challenge. I was hesitating between 3 things: 1) IT Sec, 2) developing my own application and 3) becoming a full-time woodworker and building kitchen cabinets! (I am currently building mine…). I gave myself a full year to investigate these three options. But after 6 months, it became clear to me that: 1) I L-O-V-E IT Sec!!, 2) after 3 prototypes of applications (2 Xbox 360 games and a web app scanner) –> postponed to the future, 3) woodworking will be my hobby. So go for IT Sec!

      Although I always was interested in IT Security, I really started to study this topic in February 2009. And up to August 2009, I was more “poking” around to find out if I really wanted to do that. Defcon 17 (July/August 2009) was a revelation to me! So since then, I have spent an enormous amount of time studying. And by that, I mean an average of 2 hours a day for a full year! To me, this isn’t work, it is a game! I love it!

      I studied for CEH and GSEC more or less at the same time. I wrote both exams with only 8 days between the two (January 2010). After that, I started Penetration Testing with BackTrack (PWB) in March of this year.


      Penetration Testing with BackTrack (PWB)

      What a great course! Nothing compares to this. Really, this is the best way for me to learn. Period. This forum is full of reviews about this course and my post is becoming quite long, so I will keep it short. I would give a 95% mark to this great and excellent course.

      Preparation for the OSCP exam
      I have been through the PWBv3 videos 3 times.

      The first time, I just sat down, relaxed and enjoyed all the information coming at me. My goal was to get an overview of all the material.

      Then, I did all the “normal” exercises. I went into the lab and hacked my way into something like 8 machines. Things were becoming tougher, so I decided to go through the videos again.

      The third time I watched the videos, I did all the “Extra Mile” exercises, read the 400-page-long PDF (many things aren’t in the videos!) and hacked a total of 18 machines, including pivoting into other subnets. I also took a total of 120 days of lab time!!!

      At this point, I had learned a gigantic amount of stuff. I became good at writing Python scripts and I developed my own pen testing methodology. At the end, I was randomly choosing a machine in the lab and I could hack it in about 2 hours (my last 6 targets took me about 2 hours each). So I figured it was time for me to challenge the OSCP exam.


      OSCP: First attempt

      I cannot say anything regarding the exam, but my own vision of it is that it is much tougher than the machines in the lab. In the lab, the Offensive Security team says that there are always at least 2 different ways of pwning a box. Maybe it is not the case for the exam? I can’t tell. Also, I never spent more than 5 or 6 hours straight in the lab. In the exam, after 20 hours, you start to make stupid mistakes… But anyway, I got a mark of 60% (you need 70% to pass!).

      OSCP: Second attempt
      I then realized that I needed more tools in my toolbox. So right after this exam, I focused big time on what I had missed. By far the biggest thing was privilege escalation. So I spent a lot of time on this. Then, a little bit more than 2 weeks after the first attempt, I tried it again.

      After 45 minutes into this second exam, I already had 60 points (I’ll let you make the connection with the first attempt…). So first, I was a bit disappointed to get a “similar” exam. Then I thought that I would go for 100%. But after 24 intense hours of hard work, I failed it again… Mark: 60%.

      My first failure was tough to take, but this one was very difficult. Other than OSCP, I failed 2 exams in my entire life (1 at the university, and CEH because I studied the wrong material…)! I spent 16 hours trying to convert a shell into root/admin and couldn’t do it! At this point, I was ready to give up on OSCP…


      OSCP: Third attempt

      Two months and a half after the second attempt, I gave it a third try. After three times, even if you get a 100% mark, you would still have a bitter taste in your mouth. So between the second and the third attempt, I read my scans 20 times, installed new VMs in my lab and added more tools to my toolbox. Believe me, you can ask me any questions related to the course material and I would know the answer. In addition, I have practiced them all many times.

      So I got my exam yesterday morning and it was tougher! Only one of my previous tricks worked and after 9 hours, I only had 10 points. So I stopped and called it a day.


      My personal opinion

      • PWBv3 is an excellent course, close to being perfect. But the certification exam requires you to know (and master!) way more than what is in the course. I would say the course, including the lab and the exercises, covers about 60% of the exam. Again, this is my personal subjective opinion!
      • I don’t think the exam is a faithful representation of a real pen test for many reasons: 1) You can’t use a vulnerability scanner; 2) You can only use Metasploit once and can’t use Core Impact, etc.; 3) You cannot do reconnaissance; 4) Many old and vulnerable services are installed but hardened in the backend. This creates many dead-ends; 5) No firewalls/IDS/IPS block you (good for students but not real-life…); 6) You have to do everything in 24 hours.
      • Also, if I was doing a real pen test, I am pretty sure I would have done a very good job! I mean when you have a shell or you are able to dump the backend database, crash an application or even just show exploits for vulnerable services, you have already done a lot! In real life, you don’t get half the points for “only” having a shell…
      • The course lacks two things: 1) Privilege escalation techniques and 2) Penetration testing methodology. Otherwise, great course!
      • The lab machines are easier to hack than the ones in the exam. Again, my humble opinion.
      • This great certification should maybe be separated from the course. So anyone could go straight to the exam if they are already experts. This way, if the course doesn’t teach you everything you need to know, then it is ok.
      • People with a server admin background are definitely starting way ahead of network and developers…

      Bottom line
      Although failing exams is never a good feeling, I am not frustrated at all. I have learned so much. I don’t have the certification, but I got knowledge now, which will help me continue in this field. After all, my ultimate goal is not doing a pen test of networks, but to pen test web applications. So I will probably continue on my learning path and move on from OSCP. I may give it a try in a few years, but for now, I need to move on.

      Thanks for reading this rather long post!

    • #36349
      rattis
      Participant

      H1t M0nk3y,

      I’m sorry to hear that you failed 3 times.

      What kind of training materials did you go through before taking the class (Beyond CEH and GSEC)?

      I’m thinking of working my way through Grendel’s book (Professional Penetration Testing), at least once, before I even try to take the OSCP class. I’ll probably do the 120 days of lab time too.

      Any tips for staying motivated through the course?

    • #36350
      caissyd
      Participant

      I also have Grendel’s book, which is great, especially for setting up labs and using vulnerable VMs.

      What I did was to go straight to the PWB course. After one full pass, I started buying books on things I was missing. I think I bought like 12 books! But I am a bit crazy, you don’t have to do that. In addition, it depends on your background.

      I would say start with PWB and take breaks once in a while to go get what you are missing.

      And the course keeps you motivated big time because you learn at a crazy pace! Getting ready for the exam is another story because it’s hard to know what you are up against before actually sitting the exam…

    • #36351
      MaXe
      Participant

      Sorry to hear that H1t M0nk3y, but did you read these?
      The Penetration Tester’s Open Source Toolkit, Vol. 2
      and NIST SP800-42 (it’s outdated I know, but read it anyway. It will give you some good ideas you can use when you perform pentests.)

      Also, about privilege escalation:
      – On Windows, the Meterpreter shell has a lot of options including privilege escalation, is it not possible to use that only? (Code your own exploits, and use a meterpreter as a payload.)

      – On Linux, did you search on Exploit-DB for privilege escalation exploits and check what was running on the target machine as root with “ps faux”?

      It’s just a few ideas, to help you the next time you attempt OSCP because I actually believed you would pass  😉

      For now I would say that you could (or should) play with similar challenges and prepare for your last and final retake (where you will certainly pass).

      Nothing is impossible, it just takes time!  🙂

      Anyway, good luck with whatever you choose to do now. I’m sure you will pass OSCP the next time if you study hard for a long time and prepare yourself even more, remember, expect the unexpected. Especially during OffSec exam challenges 😉

      Best regards,
      MaXe
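
      The “ps faux” check MaXe mentions above, turned into a least-privilege review that an administrator can run over a process listing to see which user-space services hold root and whether they hand work off to unprivileged children. This is an added example, not code from the thread or from the PWB course material; the `ps faux` listing it parses is constructed for the example, and the `Process` dataclass and function names are this example’s own assumptions.

```python
"""Least-privilege review of a `ps faux` listing (added example, constructed data).

`ps faux` prints one process per line with the tree drawn in the COMMAND column
(" \_ " markers, one extra level per four characters of prefix).  The parser
below recovers the parent/child relationship from that prefix, separates kernel
threads from real processes, and reports root-owned services.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of `ps faux` output; not captured from any real host.
PS_OUTPUT = r"""
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         2  0.0  0.0      0     0 ?        S    10:01   0:00 [kthreadd]
root        15  0.0  0.0      0     0 ?        S    10:01   0:00  \_ [ksoftirqd/0]
root         1  0.0  0.1  22016  3940 ?        Ss   10:01   0:01 /sbin/init
root       412  0.0  0.2  49720  5216 ?        Ss   10:02   0:00  \_ /usr/sbin/sshd -D
root      1198  0.0  0.3  52000  6100 ?        Ss   10:10   0:00  |   \_ sshd: caissyd [priv]
caissyd   1201  0.0  0.2  52000  4300 ?        S    10:10   0:00  |       \_ sshd: caissyd@pts/0
caissyd   1203  0.0  0.2  21000  4000 pts/0    Ss   10:10   0:00  |           \_ -bash
caissyd   1250  0.0  0.1  38000  3000 pts/0    R+   10:15   0:00  |               \_ ps faux
root       655  0.0  0.4  81200 10012 ?        Ss   10:02   0:00  \_ /usr/sbin/apache2 -k start
www-data   660  0.0  0.3  81300  7400 ?        S    10:02   0:00  |   \_ /usr/sbin/apache2 -k start
www-data   661  0.0  0.3  81300  7400 ?        S    10:02   0:00  |   \_ /usr/sbin/apache2 -k start
mysql      733  0.1  2.0 900000 40000 ?        Sl   10:02   0:10  \_ /usr/sbin/mysqld
root       701  0.0  0.9 312000 18000 ?        Sl   10:02   0:03  \_ /usr/bin/python3 /opt/legacy/backup agent.py --daemon
root       801  0.0  0.1  18000  2000 tty1     Ss+  10:03   0:00  \_ /sbin/agetty --noclear tty1 linux
"""

# USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND.  Exactly one space
# separates TIME from COMMAND, so the tree prefix survives in the "cmd" group.
PS_LINE = re.compile(
    r"^(?P<user>\S+)\s+(?P<pid>\d+)\s+\S+\s+\S+\s+(?P<vsz>\d+)\s+\d+\s+"
    r"(?P<tty>\S+)\s+\S+\s+\S+\s+\S+ (?P<cmd>.*)$"
)


@dataclass
class Process:
    user: str
    pid: int
    ppid: Optional[int]   # recovered from the tree drawing; None for a root of the forest
    tty: str
    command: str          # command line with the tree prefix stripped
    kernel: bool          # kernel thread: no address space and a [bracketed] name


def parse_ps_faux(text: str) -> List[Process]:
    procs: List[Process] = []
    ancestors: List[Tuple[int, int]] = []   # stack of (depth, pid)
    for line in text.splitlines():
        if not line.strip() or line.startswith("USER"):
            continue
        m = PS_LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognised ps line: {line!r}")
        raw = m.group("cmd")
        # The tree prefix is built only from spaces, '|', '\' and '_'; a command
        # whose own name starts with one of those characters would lose it here.
        cmd = raw.lstrip(" |\\_")
        depth = len(raw) - len(cmd)
        while ancestors and ancestors[-1][0] >= depth:
            ancestors.pop()
        ppid = ancestors[-1][1] if ancestors else None
        pid = int(m.group("pid"))
        ancestors.append((depth, pid))
        # "sshd: user [priv]" also ends in brackets, so VSZ == 0 is the real test.
        kernel = int(m.group("vsz")) == 0 and cmd.startswith("[") and cmd.endswith("]")
        procs.append(Process(m.group("user"), pid, ppid, m.group("tty"), cmd, kernel))
    return procs


def root_services(procs: List[Process]) -> List[Process]:
    """User-space processes running as root with no controlling terminal."""
    return [p for p in procs if p.user == "root" and not p.kernel and p.tty == "?"]


def privilege_dropping_parents(procs: List[Process]) -> List[int]:
    """PIDs of root processes that have at least one child running as another user."""
    by_pid = {p.pid: p for p in procs}
    found = set()
    for p in procs:
        parent = by_pid.get(p.ppid) if p.ppid is not None else None
        if parent and parent.user == "root" and not parent.kernel and p.user != "root":
            found.add(parent.pid)
    return sorted(found)


def review(text: str) -> List[Tuple[int, str, str]]:
    """(pid, executable, status) for each root service other than PID 1."""
    procs = parse_ps_faux(text)
    dropping = set(privilege_dropping_parents(procs))
    report = []
    for p in root_services(procs):
        if p.pid == 1:
            continue   # init/systemd is expected to run as root
        status = "drops to unprivileged children" if p.pid in dropping else "all root"
        report.append((p.pid, p.command.split()[0], status))   # argv[0] may be a rewritten title
    return report


if __name__ == "__main__":
    for pid, exe, status in review(PS_OUTPUT):
        print(f"{pid:>6}  {exe:<24} {status}")
```

      In the sample, the review lists sshd and the Apache parent as root services that hand work to unprivileged children, and the legacy backup agent as a service that does everything as root; the latter is the kind of entry that deserves a closer look in a hardening pass. To run it against a real host, replace `PS_OUTPUT` with the captured output of `ps faux`.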

    • #36352
      T_Bone
      Participant

      @H1t M0nk3y

      I am sorry to hear this.

      I have heard mixed views on the OSCP exam and the general opinion is that it is not easy at all.

      I am currently preparing myself for the CREST Registered Tester exam due next month at the moment and want to go on to perform the CREST Certified Tester exam next year (provided I pass the CRT  :))

      I would love to know how the OSCP compares with the CREST CCT exams but am aware that CREST is yet to establish itself world wide and is still very much the main cert to have in the UK.

    • #36353
      sil
      Participant

      So you failed the exam… So what. I failed the CISM 2x for lack of 1) wanting to take the exam 2) lack of studying 3) lack of being able to swap reality versus “managerial fluff”. I will however state, I expect to take the CISM exam, just not now 😉 Maybe June ’11. I have to finish this paper to complete the RWSP, then I have the GREM, CREA in the 1st quarter of 11.

      So the hard question now sprouts: H1t, did you feel you learned anything from the exam? NOT passing the exam makes you no less of a pentester; in fact, the vast majority of my friends and peers I’ve had the pleasure to meet throughout the years don’t have the certs but they sure have “the stuff” and that’s what it all boils down to.

      When I took the RWSP (btw forum members, the review has been done, waiting for it to be posted here… PM Don!)… When I took the RWSP, there was a gentleman with us who worked at one of the biggest financial firms in the US. He opted NOT to take the exam. He really didn’t need to take it, he solely wanted to learn from it. Understandable… You don’t always need a cert.

      You definitely don’t need to pass an exam to benefit from the content in this industry, the certs are mainly used for two things (note the word mainly, not solely): 1) self-gratification 2) passing through the HR filters. It’s WHO you know, followed by WHAT you know… I’ve met plenty of people who were/are cert’d down and don’t understand an IOTA of what they’re certified in.

      I for one applaud you H1t for taking the time and actually going through the process and sharing it with others. Let this be quite a few lessons: a) technical tests are far superior to paper-based testing… there is nothing to memorize, either you know it or you don’t. b) patience is a virtue but planning dominates the pentesting landscape. c) planning planning planning and oh yea… Planning.

      H1t: I believe I responded prior, to perhaps a post you made, instructing on the need and method for properly developing a plan of attack. I don’t mean this as harsh but more of a nudge for future endeavors: “You need to make a plan. Period.” Same as you would for say the SDLC (you’re a programmer!). A plan would have had you OFF of that one machine that you spent hours on or at least had other processes running in the background.

      NOTE TO TEST TAKERS: If you’re ONLY DOING ONE THING during the exam, then you are wasting time. There is nothing wrong with developing a pre-defined plan, then pre-defining your own program to assist in tackling this exam and others like it.

      E.g., CCIE labs, nothing other than time stops you from scripting your routers to do things like pinging, showing routes, etc., same goes for this exam. There is nothing in the “terms of service on the exam” that says: “Thou shall not create a shell script to perform the vast majority of time consuming tasks!” (e.g., scanning, hydra, searching/parsing local/remote exploits)

    • #36354
      hayabusa
      Participant

      @H1tM0nk3y –

      Sorry to hear you had a rough go, again.  I completely understand your views, and while you’ve learned a ton, I’m certain, I fully empathize on the feelings of despair, when you’ve beaten yourself up hard, in working towards a goal.

      As MaXe said, I was confident you’d be able to pass, and I still am.  Whether you take it anytime in the near future, or give yourself a break (sometimes, walking away for a while can be of great benefit) before coming back to it, I think, in the end, you’ll succeed.

      And as sil noted, you’ve done a great job sharing your experience for others, and I applaud you, too, for being very honest about your attempts, and helping others, through your posts.  (The writeup was very well done, IMHO.)

      Good luck, whichever route you pursue, and stay active here.  You’ll continue to learn a TON by listening to / reading from others.

    • #36355
      hayabusa
      Participant

      @sil wrote:

      NOTE TO TEST TAKERS: If you’re ONLY DOING ONE THING during the exam, then you are wasting time. There is nothing wrong with developing a pre-defined plan, then pre-defining your own program to assist in tackling this exam and others like it.

      Oh yes, and AMEN!  This is one of the most valid and useful points for anyone taking this, or any other similarly formatted course and exam.  Absolutely give yourself multiple avenues to pursue, and don’t limit yourself solely to one target, for any length of time, or it’s ALMOST certain you won’t complete the exam (unless you’re already well-versed, and well ahead of the curve, already.)

      As the quote reads, in my ‘current’ signature:

      “Strategy without tactics is the slowest route to victory. Tactics without strategy is the noise before defeat.” – Sun Tzu, ‘The Art of War’

    • #36356
      caissyd
      Participant

      Thanks everyone!! I really appreciate your comments!

      @MaXe

      Also, about privilege escalation:
      – On Windows, the Meterpreter shell has a lot of options including privilege escalation, is it not possible to use that only? (Code your own exploits, and use a meterpreter as a payload.)

      – On Linux, did you search on Exploit-DB for privilege escalation exploits and checked what was running on the target machine as root with “ps faux”?

      Oh yes, I tried these things, along with “getsystem” and trying to migrate to other processes and channels from the meterpreter. I also spent lots of time on running processes, and it worked once. But only once…

      @sil

      So you failed the exam… So what. I failed the CISM 2x for lack of 1) wanting to take the exam 2) lack of studying 3) lack of being able to swap reality versus “managerial fluff”. I will however state, I expect to take the CISM exam, just not now. Maybe June ’11.

      Congratulations for being honest too!

      So the hard question now sprouts: H1t, did you feel you learned anything from the exam? NOT passing the exam makes you no less of a pentester; in fact, the vast majority of my friends and peers I’ve had the pleasure to meet throughout the years don’t have the certs but they sure have “the stuff” and that’s what it all boils down to.

      I did learn a lot from these attempts, especially the first one. The only thing I didn’t get from this whole experience is a piece of paper… I now feel I know enough to learn a lot by myself through books and hacking in my lab. I am now comfortable talking to anyone about security: even if they know way more than me on a given subject, I can still understand what they are talking about!

      And you know what? Yesterday I stopped for a minute and realized what I just did. Without saying anything about the exam, I realized I have done many complex commands without even looking at my notes. I was going crazy fast to open an application or review this and launching that. In a few words, I was comfortable doing my job. That felt great!!

      Let this be quite a few lessons: a) technical tests are far superior to paper-based testing… there is nothing to memorize, either you know it or you don’t. b) patience is a virtue but planning dominates the pentesting landscape. c) planning planning planning and oh yea… Planning.

      I totally agree! I just need to work a bit more on c)… 🙂

      @Hayabusa

      And as sil noted, you’ve done a great job sharing your experience for others, and I applaud you, too, for being very honest about your attempts, and helping others, through your posts.  (The writeup was very well done, IMHO.)

      Thanks hayabusa. You can only improve when you are honest with yourself.

      I will try it again next year or something like that. But don’t worry, I will continue full speed in IT security. Books, personal lab and keeping up to date with these sites!

      Thanks chrisj, MaXe, sil, T_Bone and Hayabusa for the very encouraging posts!

    • #36357
      rattis
      Participant

      I just scanned through your original post, but I don’t think you’ve said yet.

      What’s next? What are you working on? Wasn’t there something about a school hacking club?

      I can agree with Sil, I’ve interviewed CCNAs for positions that couldn’t even subnet. It really is what you’ve learned and can show that matter. Even if you’re the only one you can show it to right now.

    • #36358
      dante
      Participant

      It takes courage and very high self confidence to share failures H1t M0nk3y.  Go on. You will rock.

    • #36359
      mallaigh
      Participant

      H1t, as some one who is coming up behind you and planning on taking the OSCP in about a year, I greatly appreciate you sharing where you struggled with the exam.  It sounds like you have learned a lot from this whole process, and it sounds like you should knock it out of the park on your next attempt.

    • #36360
      caissyd
      Participant

      @chrisj:
      The next steps for me are more than likely GPEN and CISSP. SANS/GIAC certs and the CISSP are both very good here to pass HR screenings and that’s why I am targeting them.

      I think GPEN is close to OSCP in terms of knowledge, plus the business side, wireless and other little things. I may do this one first.

      Everyone asks me if I have my CISSP. Like sil said in another post, CISSP has little to do with pen testing, but this one will really help me open doors. Again, I am a consultant and I change clients several times a year.

      So 1) GPEN and 2) CISSP. But I am in no rush. I will take the time to study and when I am ready, then I will move on.

      @dante: That’s very encouraging. Thanks!

      @mallaigh: I wrote this for people like you, so you can better prepare yourself! Good luck!

    • #36361
      j0rDy
      Participant

      Wow, I really don’t know what to say, but I will give it a try anyway. It sucks that you didn’t pass the exam, but the fact you learned a lot from it makes up for the effort you put into it to get to the point you are now. Given the 60% score I can well say that you have a lot of knowledge about the pentesting field, which makes me look up to you and your skills. And the fact you shared this experience with us makes me respect you even more. I really thought you would nail it and I even thought about you during the weekend. In some weird way this affects me in the decision in re-taking the exam :- Anyway keep up the good work and never lose the enthusiasm you have for the IT-sec field!

    • #36362
      caissyd
      Participant

      Hey j0rDy!

      Thank you for your comments, I appreciate it!

      But man, don’t get discouraged by my story!!! I know how you feel right now and this exam is indeed very tough, but maybe I didn’t see a big obvious thing that you will spot right away. Just keep on working hard toward your goal and you will eventually succeed. Just learn from my experience, don’t get discouraged!

      I am targeting GPEN now, so I am still 100% focused on IT-sec!  😉

      Good luck j0rDy!

    • #36363
      uid0
      Participant

      Hi H1t M0nk3y ,

      Please tell me they allow you to retake the exam for $60 or you have to take course/VPN again?

    • #36364
      UNIX
      Participant

      If you fail the exam, you can retake it without the need to buy course time again.

    • #36365
      MaXe
      Participant

      @uid0 wrote:

      Hi H1t M0nk3y ,

      Please tell me they allow you to retake the exam for $60 or you have to take course/VPN again?

      If you’ve already taken the exam once at their official site, then you can just retake the exam for 60$ if that’s the current price, and then schedule a new exam.  🙂

    • #36366
      SephStorm
      Participant

      I know this is an older post, but I wanted to say thank you to the original poster. I had not seen this post, and it gave me some info I will need if I go for OSCP this year, thanks a lot. 🙂

    • #36367
      dynamik
      Participant

      I missed this one too.

      I’m going to buck the trend and tell you keep trying until you pass 8)

      Even if you know the technical material, it seems like there is still room for improvement in your approach/organization/methodology. Further strengthening those skills would likely make you a better web app tester as well. Plus, it’s not like web app testing is isolated only to the application itself (it obviously could be scoped this way; I’m speaking generally). You’ll want to make the most of that PHP shell and demonstrate how damage can really be done. Which report is going to have more impact, the one that shows a screenshot of a shell, or one that shows how that can be used to pivot through and compromise the entire network?

      Honestly, I’m really surprised you struggled with this one so much. When we spoke at DefCon, it was obvious you had the right mindset and you weren’t just someone who was good at memorizing a bunch of technical details. I think you’re very close to passing this, and you’re certainly more than capable. Giving up now goes against everything the course stands for. Try Harder! 😉

      Also, I’m very well aware of how easy it is for me to say all this without having attempted the exam myself ;D I promise I’ll take a stab at it in 2012…

    • #36368
      WCNA
      Participant

      Sorry to hear about this. BUT don’t sweat it. It sounds like you learned a lot and that is the most important thing there is.

Copyright ©2021 Caendra, Inc.