
Why I failed OSCP...

<<

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Fri Nov 12, 2010 9:28 am

Why I failed OSCP...

Ok, here is my story. I will be completely honest here so others can benefit from my experience.

Background
I finished my Bachelor's Degree in Computer Science in 1999. Since then, I have spent most of my time as a web application developer, eventually becoming a Java application architect. I have also been a database administrator on Oracle, SQL-Server and MySQL. Finally, I have been a business analyst (I hate this job), a team lead, a project manager and even an assistant director (4-month replacement)!

After school, I never stopped studying. I started a Master's in Computer Science (Distributed Algorithms) that I didn't finish (2 babies arrived in the middle of it...). I own 3 certifications: Project Management Professional (PMP), GSEC and CEH.

I started my own company more than 3 years ago. I now do consulting as a Java system architect.

All that to say that I am not 17 years old (I am 34!) and I am very serious when I start something.


IT Security path
After 10 years as a web apps developer, I needed another challenge. I was hesitating between 3 things: 1) IT Sec, 2) Developing my own application and 3) become a full time woodworker and build kitchen cabinets! (I am currently building mine...). I gave myself a full year to investigate these three options. But after 6 months, it became clear to me that: 1) I L-O-V-E IT Sec!!, 2) After 3 prototypes of applications (2 XBox 360 games and a web app scanner) --> postponed to the future, 3) Woodworking will be my hobby. So go for IT Sec!

Although I always was interested in IT Security, I really started to study this topic in February 2009. And up to August 2009, I was more "poking" around to find out if I really wanted to do that. Defcon 17 (July/August 2009) was a revelation to me! So since then, I have spent an enormous amount of time studying. And by that, I mean an average of 2 hours a day for a full year! To me, this isn't work, it is a game! I love it!

I studied for CEH and GSEC more or less at the same time. I wrote both exams with only 8 days between the two (January 2010). After that, I started Penetration testing With Backtrack (PWB) in March of this year.


Penetration testing With Backtrack (PWB)

What a great course! Nothing compares to this. Really, this is the best way for me to learn. Period. This forum is full of reviews about this course and my post is becoming quite long, so I will keep it short. I would give a 95% mark to this great and excellent course.


Preparation for the OSCP exam
I have been through the PWBv3 videos 3 times.

The first time, I just sat down, relaxed and enjoyed all the information coming at me. My goal was to get an overview of all the material.

Then, I did all the "normal" exercises. I went in the lab and hacked my way into something like 8 machines. Things were becoming tougher, so I decided to go through the videos again.

The third time I watched the videos, I did all the "Extra Mile" exercises, read the 400 page long PDF (many things aren't in the videos!) and hacked a total of 18 machines, including pivoting into other subnets. I also took a total of 120 days of lab time!!!

At this point, I had learned a gigantic amount of stuff. I became good at writing Python scripts and I developed my own pen testing methodology. At the end, I was randomly choosing a machine in the lab and I could hack it in about 2 hours (my last 6 targets took me about 2 hours each). So I figured it was time for me to challenge the OSCP exam.


OSCP: First attempt

I cannot say anything regarding the exam, but my own vision of it is that it is much tougher than the machines in the lab. In the lab, the Offensive Security team says that there are always at least 2 different ways of pwning a box. Maybe it is not the case for the exam? I can't tell. Also, I never spent more than 5 or 6 hours straight in the lab. In the exam, after 20 hours, you start to make stupid mistakes... But anyway, I got a mark of 60% (you need 70% to pass!).



OSCP: Second attempt
I then realized that I needed more tools in my toolbox. So right after this exam, I focused big time on what I had missed. By far the biggest thing was privilege escalation. So I spent a lot of time on this. Then, a little bit more than 2 weeks after the first attempt, I tried it again.

After 45 minutes into this second exam, I already had 60 points (I'll let you make the relation with the first attempt...). So first, I was a bit disappointed to get a "similar" exam. Then I thought that I would go for 100%. But after 24 intense hours of hard work, I failed it again... Mark: 60%.

My first failure was tough to take, but this one was very difficult. Other than OSCP, I failed 2 exams in my entire life (1 at the university, and CEH because I studied the wrong material...)! I spent 16 hours trying to convert a shell into root/admin and couldn't do it! At this point, I was ready to give up on OSCP...


OSCP: Third attempt

Two months and a half after the second attempt, I gave it a third try. After three times, even if you get a 100% mark, you would still have a bitter taste in your mouth. So between the second and the third attempt, I read my scans 20 times, installed new VMs in my lab and added more tools in my toolbox. Believe me, you can ask me any questions related to the course material and I would know the answer. In addition, I have practiced them all many times.

So I got my exam yesterday morning and it was tougher! Only one of my previous tricks worked and after 9 hours, I only had 10 points. So I stopped and called it a day.


My personal opinion

• PWBv3 is an excellent course, close to being perfect. But the certification exam requires you to know (and master!) way more than what is in the course. I would say the course, including the lab and the exercises, covers about 60% of the exam. Again, this is my personal subjective opinion!
• I don't think the exam is a faithful representation of a real pen test for many reasons: 1) You can't use a vulnerability scanner; 2) You can only use Metasploit once and can't use Core Impact, etc; 3) You cannot do reconnaissance; 4) Many old and vulnerable services are installed but hardened in the backend. This creates many dead-ends; 5) No firewalls/IDS/IPS block you (good for students but not real-life...); 6) You have to do everything in 24 hours
• Also, if I was doing a real pen test, I am pretty sure I would have done a very good job! I mean when you have a shell or you are able to dump the backend database, crash an application or even just show exploits for vulnerable services, you have already done a lot! In real life, you don't get half the points for "only" having a shell...
• The course lacks two things: 1) Privilege escalation techniques and 2) Penetration testing methodology. Otherwise, great course!
• The lab machines are easier to hack than the ones in the exam. Again, my humble opinion.
• This great certification should maybe be separated from the course. So anyone could go straight to the exam if they are already experts. This way, if the course doesn't teach you everything you need to know, then it is ok.
• People with a server admin background are definitely starting way ahead of network and developers...


Bottom line
Although failing exams is never a good feeling, I am not frustrated at all. I have learned so much. I don't have the certification, but I got knowledge now, which will help me continue in this field. After all, my ultimate goal is not doing a pen test of networks, but to pen test web applications. So I will probably continue on my learning path and move on from OSCP. I may give it a try in a few years, but for now, I need to move on.

Thanks for reading this rather long post!
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

rattis

Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Fri Nov 12, 2010 10:45 am

Re: Why I failed OSCP...

H1t M0nk3y,

I'm sorry to hear that you failed 3 times.

What kind of training materials did you go through before taking the class (Beyond CEH and GSEC)?

I'm thinking of working my way through Grendel's book (Professional Penetration Testing), at least once, before I even try to take the OSCP class. I'll probably do the 120 days of lab time too.

Any tips for staying motivated through the course?
OSWP, Sec+
<<

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Fri Nov 12, 2010 11:06 am

Re: Why I failed OSCP...

I also have Grendel's book, which is great, especially for setting up labs and using vulnerable VMs.

What I did was to go straight to the PWB course. After one full pass, I started buying books on things I was missing. I think I bought like 12 books! But I am a bit crazy, you don't have to do that. In addition, it depends on your background.

I would say start with PWB and take breaks once in a while to go get what you are missing.

And the course keeps you motivated big time because you learn at a crazy pace! Getting ready for the exam is another story because it's hard to know what you are up against, too, before actually sitting the exam...
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

MaXe

Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Fri Nov 12, 2010 11:28 am

Re: Why I failed OSCP...

Sorry to hear that H1t M0nk3y, but did you read these?
The Penetration Testers Open Source Toolkit vol. 2
and NIST SP800-42 (it's outdated I know, but read it anyway. It will give you some good ideas you can use when you perform pentests.)

Also, about privilege escalation:
- On Windows, the Meterpreter shell has a lot of options including privilege escalation, is it not possible to use that only? (Code your own exploits, and use a meterpreter as a payload.)

- On Linux, did you search on Exploit-DB for privilege escalation exploits and check what was running on the target machine as root with "ps faux"?

It's just a few ideas, to help you the next time you attempt OSCP because I actually believed you would pass  ;)

For now I would say that you could (or should) play with similar challenges and prepare for your last and final retake (where you will certainly pass).


Nothing is impossible, it just takes time!  :)

Anyway, good luck with whatever you choose to do now. I'm sure you will pass OSCP the next time if you study hard for a long time and prepare yourself even more, remember, expect the unexpected. Especially during OffSec exam challenges ;-)



Best regards,
MaXe
I'm an InterN0T'er
<<

T_Bone

Full Member

Posts: 199

Joined: Sat Feb 21, 2009 7:11 am

Post Fri Nov 12, 2010 12:01 pm

Re: Why I failed OSCP...

@H1t M0nk3y

I am sorry to hear this.

I have heard mixed views on the OSCP exam and the general opinion is that it is not easy at all.

I am currently preparing myself for the CREST Registered Tester exam due next month at the moment and want to go on to perform the CREST Certified Tester exam next year (provided I pass the CRT  :))

I would love to know how the OSCP compares with the CREST CCT exams but am aware that CREST is yet to establish itself worldwide and is still very much the main cert to have in the UK.
<<

sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Fri Nov 12, 2010 12:38 pm

Re: Why I failed OSCP...

So you failed the exam... So what. I failed the CISM 2x for lack of 1) wanting to take the exam 2) lack of studying 3) lack of being able to swap reality versus "managerial fluff". I will however state, I expect to take the CISM exam just not now ;) Maybe June '11. I have to finish this paper to complete the RWSP, then I have the GREM, CREA in the 1st quarter of 11.

So the hard question now sprouts: H1t, did you feel you learned anything from the exam? NOT passing the exam makes you no less of a pentester; in fact, the vast majority of my friends and peers I've had the pleasure to meet throughout the years, don't have the certs but they sure have "the stuff" and that's what it all boils down to.

When I took the RWSP (btw forum members, the review has been done, waiting for it to be posted here... PM Don!)... When I took the RWSP, there was a gentleman with us who worked at one of the biggest financial firms in the US. He opted NOT to take the exam. He really didn't need to take it, he solely wanted to learn from it. Understandable... You don't always need a cert.

You definitely don't need to pass an exam to benefit from the content in this industry, the certs are mainly used for two things (note the word mainly, not solely): 1) self-gratification 2) passing through the HR filters. It's WHO you know, followed by WHAT you know... I've met plenty of people who were/are cert'd down and don't understand an IOTA of what they're certified in.

I for one applaud you H1t for taking the time and actually going through the process and sharing it with others. Let this be quite a few lessons: a) technical tests are far more superior than paper based testing... there is nothing to memorize, either you know it or you don't. b) patience is a virtue but planning dominates the pentesting landscape. c) planning planning planning and oh yea... Planning.

H1t: I believe I responded prior, to perhaps a post you made, instructing on the need and method for properly developing a plan of attack. I don't mean this as harsh but more of a nudge for future endeavors: "You need to make a plan. Period." Same as you would for say the SDLC (you're a programmer!). A plan would have had you OFF of that one machine that you spent hours on or at least had other processes running in the background.

NOTE TO TEST TAKERS: If you're ONLY DOING ONE THING during the exam, then you are wasting time. There is nothing wrong with developing a pre-defined plan, then pre-defining your own program to assist in tackling this exam and others like it.

E.g., CCIE labs, nothing other than time stops you from scripting your routers to do things like pinging, showing routes, etc., same goes for this exam. There is nothing in the "terms of service on the exam" that says: "Thou shall not create a shell script to perform the vast majority of time consuming tasks!" (e.g., scanning, hydra, searching/parsing local/remote exploits)
<<

hayabusa

Hero Member

Posts: 1661

Joined: Mon Jan 29, 2007 2:59 pm

Post Fri Nov 12, 2010 12:43 pm

Re: Why I failed OSCP...

@H1tM0nk3y -

Sorry to hear you had a rough go, again.  I completely understand your views, and while you've learned a ton, I'm certain, I fully empathize on the feelings of despair, when you've beaten yourself up hard, in working towards a goal.

As MaXe said, I was confident you'd be able to pass, and I still am.  Whether you take it anytime in the near future, or give yourself a break (sometimes, walking away for a while can be of great benefit) before coming back to it, I think, in the end, you'll succeed.

And as sil noted, you've done a great job sharing your experience for others, and I applaud you, too, for being very honest about your attempts, and helping others, through your posts.  (The writeup was very well done, IMHO.)

Good luck, whichever route you pursue, and stay active here.  You'll continue to learn a TON by listening to / reading from others.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

hayabusa

Hero Member

Posts: 1661

Joined: Mon Jan 29, 2007 2:59 pm

Post Fri Nov 12, 2010 12:47 pm

Re: Why I failed OSCP...

sil wrote: NOTE TO TEST TAKERS: If you're ONLY DOING ONE THING during the exam, then you are wasting time. There is nothing wrong with developing a pre-defined plan, then pre-defining your own program to assist in tackling this exam and others like it.


Oh yes, and AMEN!  This is one of the most valid and useful points for anyone taking this, or any other similarly formatted course and exam.  Absolutely give yourself multiple avenues to pursue, and don't limit yourself solely to one target, for any length of time, or it's ALMOST certain you won't complete the exam (unless you're already well-versed, and well ahead of the curve, already.)

As the quote reads, in my 'current' signature:

"Strategy without tactics is the slowest route to victory. Tactics without strategy is the noise before defeat." - Sun Tzu, 'The Art of War'
Last edited by hayabusa on Fri Nov 12, 2010 12:51 pm, edited 1 time in total.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Fri Nov 12, 2010 2:01 pm

Re: Why I failed OSCP...

Thanks everyone!! I really appreciate your comments!

@MaXe
Also, about privilege escalation:
- On Windows, the Meterpreter shell has a lot of options including privilege escalation, is it not possible to use that only? (Code your own exploits, and use a meterpreter as a payload.)

- On Linux, did you search on Exploit-DB for privilege escalation exploits and checked what was running on the target machine as root with "ps faux"?

Oh yes, I tried these things, along with "getsystem" and trying to migrate to other processes and channels from the meterpreter. I also spent lots of time on running processes, and it worked once. But only once...

@sil
So you failed the exam... So what. I failed the CISM 2x for lack of 1) wanting to take the exam 2) lack of studying 3) lack of being able to swap reality versus "managerial fluff" I will however state, I expect to take the CISM exam just not now Maybe June '11.

Congratulations for being honest too!

So the hard question now sprouts: H1t, did you feel you learned anything from the exam? NOT passing the exam makes you no less of a pentester in fact, the vast majority of my friends and peers I've had the pleasure to meet throughout the years, don't have the certs but they sure have "the stuff" and that's what it all boils down to.

I did learn a lot from these attempts, especially the first one. The only thing I didn't get from this whole experience is a piece of paper... I now feel I know enough now to learn a lot by myself through books and hacking in my lab. I am now comfortable talking to anyone about security: even if they know way more than me on a given subject, I can still understand what they are talking about!

And you know what? Yesterday I stopped for a minute and realized what I just did. Without saying anything about the exam, I realized I have done many complex commands without even looking at my notes. I was going crazy fast to open an application or review this and launching that. In a few words, I was comfortable doing my job. That felt great!!

Let this be quite a few lessons: a) technical tests are far more superior than paper based testing... there is nothing to memorize, either you know it or you don't. b) patience is a virtue but planning dominates the pentesting landscape. c) planning planning planning and oh yea... Planning.

I totally agree! I just need to work a bit more on c)... :)


@Hayabusa
And as sil noted, you've done a great job sharing your experience for others, and I applaud you, too, for being very honest about your attempts, and helping others, through your posts.  (The writeup was very well done, IMHO.)

Thanks hayabusa. You can only improve when you are honest with yourself.

I will try it again next year or something like that. But don't worry, I will continue full speed in IT security. Books, personal lab and keeping up to date with these sites!

Thanks chrisj, MaXe, sil, T_Bone and Hayabusa, very encouraging posts!
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

rattis

Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Fri Nov 12, 2010 2:55 pm

Re: Why I failed OSCP...

I just scanned through your original post, but I don't think you've said yet.

What's next? What are you working on? Wasn't there something about a school hacking club?


I can agree with Sil, I've interviewed CCNAs for positions that couldn't even subnet. It really is what you've learned and can show that matters. Even if you're the only one you can show it to right now.
OSWP, Sec+
<<

dante

Jr. Member

Posts: 58

Joined: Wed Jul 21, 2010 10:17 pm

Post Fri Nov 12, 2010 3:49 pm

Re: Why I failed OSCP...

It takes courage and very high self-confidence to share failures H1t M0nk3y.  Go on. You will rock.
<<

mallaigh

Jr. Member

Posts: 65

Joined: Fri Jul 16, 2010 12:36 am

Post Fri Nov 12, 2010 7:45 pm

Re: Why I failed OSCP...

H1t, as someone who is coming up behind you and planning on taking the OSCP in about a year, I greatly appreciate you sharing where you struggled with the exam.  It sounds like you have learned a lot from this whole process, and it sounds like you should knock it out of the park on your next attempt.
<<

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Sat Nov 13, 2010 5:33 am

Re: Why I failed OSCP...

@chrisj:
The next steps for me are more than likely GPEN and CISSP. SANS/GIAC certs and the CISSP are both very good here to pass HR screenings and that's why I am targeting them.

I think GPEN is close to OSCP in terms of knowledge, plus the business side, wireless and other little things. I may do this one first.

Everyone asks me if I have my CISSP. Like sil said in another post, CISSP has little to do with pen testing, but this one will really help me open doors. Again, I am a consultant and I change clients several times a year.

So 1) GPEN and 2) CISSP. But I am in no rush. I will take the time to study and when I am ready, then I will move on.


@dante: That's very encouraging. Thanks!


@mallaigh: I wrote this for people like you, so you can better prepare yourself! Good luck!
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

j0rDy

Hero Member

Posts: 591

Joined: Tue Feb 23, 2010 4:55 am

Location: Netherlands

Post Sun Nov 14, 2010 10:25 am

Re: Why I failed OSCP...

Wow, I really don't know what to say, but I will give it a try anyway. It sucks that you didn't pass the exam, but the fact you learned a lot from it makes up the effort you put into it to get to the point you are now. Given the 60% score I can well say that you have a lot of knowledge about the pentesting field, which makes me look up to you and your skills. And the fact you shared this experience with us makes me respect you even more. I really thought you would nail it and I even thought about you during the weekend. In some weird way this affects me in the decision in re-taking the exam :-\ Anyway keep up the good work and never lose the enthusiasm you have for the IT-sec field!
CISSP, CEH, ECSA, OSCP, OSWP

earning my stripes appears to be a road i must travel alone...with a little help of EH.net
<<

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Mon Nov 15, 2010 7:32 am

Re: Why I failed OSCP...

Hey j0rDy!

Thank you for your comments, I appreciate it!

But man, don't get discouraged by my story!!! I know how you feel right now and this exam is indeed very tough, but maybe I didn't see a big obvious thing that you will spot right away. Just keep on working hard toward your goal and you will eventually succeed. Just learn from my experience, don't get discouraged!

I am targeting GPEN now, so I am still 100% focused on IT-sec!  ;)

Good luck j0rDy!
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)