Learning from Failure: OSCP Exam Attempt #1

Published on May 4, 2020 and last updated on May 18, 2020.

Disclaimer: This post does not include disclosure of the Offensive Security OSCP labs, course work, exam, and other proprietary and prohibited information including, but not limited to, technical implementation, scoring metrics, communications, exam machines, and attack vectors. This post is entirely a personal subjective experience and not meant to give you a shortcut.

Purpose

The post is essentially a healthy exercise in honestly identifying and confronting my failures and shortcomings in not passing the OSCP exam, ways I can fix those failures and shortcomings, and then how I plan to proceed going forward. 

I feel the only way to make progress and pass further exam attempts is to be honest where I fall short or have gaps, and then aggressively attack them. It was a skill instilled in me by chess coaching and it applies here as well. If you truly want to get better, you have to identify with brutal honesty where you fall short and then work to fill in that gap in skill. You can’t shortcut your way there or lie about it to yourself if you want to truly get real skills that will stick with you going forward.

OK, let us get to it. I hope this would be helpful to you in some way.

Review

Unfortunately, I failed the exam and I expected to knock it out of the park! It was humbling. After reflecting on it for a week now, I am grateful for failing the exam. It helped to highlight areas I can improve.

Here is a timeline of how the exam 24 hours played out for me.

  • 17:55 – Verified by the proctor, waiting for 18:00 for email with exam info to begin. See Proctoring FAQ and Proctoring Tool Student Manual. I minimized the window after everything was OK. When you get messages from the proctor there’s a bell chime, but I still checked it from time to time during the exam, in case I missed something. Let them know when you leave and come back. The proctors are kind and professional.
  • 18:30 – Started enumerating the targets, got everything stored in my note-taking application, and well organized to begin (this filtered log is from that effort, too). I started off with AutoRecon, which is an amazing tool.
  • 20:25 – 25 points earned and did it all from memory, which felt good and gave a boost of confidence. I moved on to reviewing enumerated content.
  • 22:25 – Still no real progress, after coming off the confidence boost from before I was starting to get bummed out, I thought I’d have got into at least one other machine!
  • 22:45 – Took a break.
  • 23:10 – Back from break and 10 points earned, missed something simple previously. This should have been a sign to take a longer break or simply go to sleep. A downward spiral started after this.
  • 02:05 – Frustrated that I still made no progress. I now knew it wasn’t going to be a slam dunk. I was started to really get frustrated and confused as to why I’m not making progress with the targets! I had done harder machines faster, and this was killing me!
  • 03:20 – I made some headway on a machine I’d been banging my head against, felt solving it was within sight. Felt I had hit a speedbump earlier, it happens, but the tide was shifting back into territory I was used to being in. I am going to get the OSCP certification, it is going to happen for me!
  • 05:10 – Still working on that same machine and made no real additional progress. It was beyond frustrating. I knew it wasn’t a rabbit hole because it was real, I just couldn’t find the next step. Everything was guiding me in this direction but I just couldn’t find what I was supposed to find! It was difficult to take a break or step away, I felt I was right there, on the tip of my fingers. I was starting to get worried I was going to fail the exam now. Any confidence I had was now gone, I kept trying to reset and it never helped.
  • 05:50 – I had enough. I took a break, all other options were exhausted and I took the “risk” of wasting time to try to sleep or otherwise not think about the exam. I went and laid down in bed. I tried to sleep, but I had a full pot of coffee and 4 cups of tea in me… there was no way I was going to sleep. I was able to mentally not think about the exam for a bit though, which helped a lot.
  • 07:25 – I came back to the exam. I decided to start on other machines, starting fresh, even redoing enumeration on machines. I was starting to find things I missed previously, which was great. I thought I found all the things previously… I was wrong.
  • 12:45 – I got local.txt on a machine, it felt good and I got a bit of confidence to actually have done something. I hadn’t done anything for over 12 hours! I had 5 hours left on the exam and only 45 points of the 70 needed to pass. I was defeated, exhausted, and was surprised I hadn’t solved all the objectives already. No one was more surprised than me.
  • 15:20 – Still no progress on anything. I reset a couple of times (the machines and enumeration) and simply couldn’t make progress on anything. It was here that I really saw the writing on the wall and knew I wasn’t going to pass the OSCP exam.
  • 16:50 – I told the proctor I wanted to end the exam and the exam ended.

In retrospect, I see that my emotional state impacted my objectivity far more than I thought it did. I was tired, frustrated, and felt under the gun to get stuff done in time.

I spent a ton of time investing in the pentesting skillset and getting the OSCP certification. I thought I would have it and OSCP would be behind me, and I’d be in the OSCP certification club. But that just didn’t happen.

As time passed in the exam without progress being made, I felt more pressure to get things done. It is a timed exam after all, and the clock was ticking, with each tick getting louder and more important as time went on.

After not making progress for 12 hours, I already felt I was a dead man walking anyway. I simply didn’t get why I wasn’t seeing how to progress, when I have always found ways (most of the time) before. It further compounded my emotional state.

I felt like a fraud at the table I had no right to be at, but I knew that was insane.

I was simply drained of objectivity and mental clarity. This was the part of the exam I hadn’t expected.

I prepared for hacking into the machines and used what I had previously on other CTF machines. It worked, I knew it worked, and I had done it many times in the past.

The head game part is what got me and what I didn’t know to prepare for. It sapped my technical ability and I failed the exam because of it.

Thankfully, I can take the exam again, after learning all these things and make improvements for the next exam attempt. In the next section, I’ll go over what key things I learned from my own experience with the exam.

Learnings

These are the big things I learned from taking the exam.

While there are other areas I can improve on, it isn’t worth mentioning here and are somewhat minor… mostly things I can dismiss due to lack of objectivity and being in a bad headspace.

Taking Breaks & Why It Is The Most Popular Advice

If you ask people that have taken the exam what is one piece of advice for the exam and you’ll usually get something along the lines of “ensure you get enough sleep” and “take breaks and go for a walk”.

At the time before the exam and especially during the exam, I didn’t get why this was so important. It isn’t just because getting a fresh head and getting blood pumping/oxygen in your brain is great. I think it is much more than that.

It is for resetting your mental state, to reduce/remove emotional impairments to regain objectivity and mental clarity with problem-solving.

During the exam my mental state was progressively getting worse, except I didn’t realize it. As my mental state got worse and worse and sadly I also took fewer and fewer breaks because as I felt I was on the cusp of a breakthrough in making progress.

I felt I didn’t have time for breaks; I felt I was fine. I was mostly wide awake and only slightly groggy, I was pushing through. It was no big deal. I was ignoring the Pomodoro timer telling me to take breaks. I was ignoring other people I respect also that advised me to take breaks.

One of the most important things I could have done was take a long break, for hours. Even taking a 3-hour break at 12 PM when the exam ends at 6 PM would have been a game-changer.

Not taking breaks cost me the exam.

I failed to reset my mental state and get back objectivity and clarity. I failed to realize how much in the bad I was until after the exam was over. I failed to follow the advice of people I respect.

My Windows PrivEsc Knowledge & Ability Is Lacking

While working on the exam, I realized an area I was weak in and had gaps in was Windows Privilege Escalation. Note that this wasn’t key to me passing or failing the exam, but it was highlighted as an area I am weak in.

During the exam for me, I was mentally exhausted (even though I didn’t realize it), and it really shone a spotlight on things I didn’t have at 100%. I think that when I’m mentally taxed, I should still be able to do things if I knew the information really well.

I should be able to do Windows PrivEsc “in my sleep”, in that it should be instinctual and automatic. I wasted a ton of time on Windows PrivEsc when it could have been really simple (I wish I could find out after-the-fact where I fell short).

I spent time going through Windows PrivEsc cheatsheets during the exam, which was the wrong time to do that. Sure, I learned a lot more since it was hammered into my brain when I was emotional, but ultimately wasn’t helpful in passing the exam.

Remediations

These are things I’ll do to make the Windows PrivEsc stuff more instinctual and automatic. Even if I don’t know what to do, I’ll still have a method of figuring out what to do that I’m used to, comfortable with, and is proven to work.

Windows PrivEsc Cheatsheet Study & Memorization

I’ve used some cheatsheets against Hack The Box machines, but it definitely was just me going down the list and trying stuff. What I really need to do is really study them, memorize the key points of attack and some idea of what it is doing, and apply the knowledge.

I need to do more than just know the cheatsheets exist but need to commit them to part of my natural instincts and abilities.

These are the ones in the list below are the ones I’ll be working with.

And use this checklist: https://book.hacktricks.xyz/windows/checklist-windows-privilege-escalation

Attack More Windows Machines

There are a lot of Windows machines on HTB that I haven’t solved yet. So, my goal is to solve all of them. I usually don’t like the idea of referencing walkthroughs for machines, but the purpose of doing this exercise is to learn PrivEsc stuff, so I don’t mind using guides to get the point cemented in my brain.

I already solved 80% of machines and challenges before, I can do it again. Not worried about proving stuff, and retired machines don’t count for points!

Here are the available Easy and Medium difficult Windows machines in the retired section for me. There are a few available to be solved!

I also may try out TryHackMe and I hear it is the next new thing.

Complete Courses

I prefer structured learning where available and don’t mind paying for it. My brain aligns better with structure. These are some courses available that I have.

“Windows Privilege Escalation” by Tib3rius

I completed Tib3rius’ course “Windows Privilege Escalation” previously, but some things weren’t automatic and didn’t “stick”. So I need to go through it again.

You can find his course on Udemy.

“Windows Privilege Escalation for Beginners” by Heath Adams

I instantly purchased the “Windows Privilege Escalation for Beginners” by Heath Adams, a/k/a TheCyberMentor, when it became available. I have his other course on ethical hacking and it was great.

I went over it a bit, and look forward to really diving in this week. It seems to be more complete than other guides and courses I’ve seen so far, which I greatly appreciate.

I love how he included lab machines to demonstrate topics, including ones he made himself on TryHackMe. This is great because I was already going to hack the Windows machines on Hack The Box, and this is simply an added bonus!

You can find the course on Udemy.

Exam Attempt #2

I purchased and scheduled the second exam at the beginning of June.

It was the soonest I could get so I could get it on a weekend. Ideally, I don’t want to take time off and would prefer to take the exam and do the report all within a weekend.

After all the stuff I learned from the first exam attempt, I feel confident that I can pass the exam the second time. By exam time, I’ll have filled in the gaps of knowledge and am currently aware of the trap of getting into the bad headspace.

  • Taking breaks is amazingly vitally important. I’ll take them even if I feel like I don’t need them.
  • I’ll have a strong Windows Privilege Escalation ability.

I’m grateful for the exam, in that it highlights things about me that I can improve. Many things come to light in stress.

Thank you

After talking to my friends and on Twitter, it seems that many folks fail the first exam attempt. That is a comfort.

I loved the support from Twitter and friends after I failed the exam and greatly appreciate everyone that supported me. It means the world to me!

So, thank you to everyone that has supported me, given me comfort, shared advice, and otherwise has been there for me.

I am grateful.

I will ride the good vibes to success!