Sign in
OSCP

How I passed OSCP with "2 times"

Or4nge16

6 min read
How I passed OSCP with "2 times"

In this blog, I will share my journey of overcoming OSCP. I will be documenting my experience to prepare for the OSCP as well as my exam day experience with the experience of a newbie and 2 times đŸ˜” (so expensive with anyone failed). I can only sum it up in one proverb - Diligence in place of intelligence.

Course Outline

As I am sure many of you guys reading this know about the OSCP as well as what the course entails, I would not be going too deep into what the course consists of. The summary of the different domains learnt through the OSCP course duration is as such:

  • Penetration Testing Methodology
  • Information Gathering
  • Different Web Attacks (SQLi, LFI, etc
)
  • Client-Side Attacks
  • Locating and Fixing Public Exploits
  • Password Attacks
  • Privilege Escalation
  • Tunneling
  • Active Directory Enumeration and Attacks

Preparation

To prepare for the OSCP, I learnt the Certified Bug Bounty Hunter (CBBH) from my friend HackTheBox account, PortSwigger and basic knowledge with kali linux (OverTheWire: Bandit). After spending a few months on the above 3 platforms, I purchased the OSCP package, include Course & Cert Exam Bundle 90-day access + 1 exam. After buying the OSCP package, I proceeded to book my exam attempt on 1 February 2024 for my 1st exam and 29 February 2024 for my 2nd exam. I was studying part-time beside my pentester job, about 4–5 hours a day. So the duration depends on your time availability first and dedication second.

10 Bonus Points

For those who don't know, OSCP version 2023 has 2 conditions that need to be met to get 10 bonus points.

However, my purpose in coming to this course is to gain knowledge so I ignore the bonus points and will use my own knowledge to overcome it (or that's what I thought before I failed the first time 🙂).

Exam Day: Fail at first try

I woke up at 6 am to prepare and started the exam at 7 am (I recommend you choose the morning exam time because then you will have a whole day to do it and that is also when you are most conscious). I start by recon all the assigned ip ranges, then check through them to evaluate whether to start with standalone machines or AD set. Finally I chose AD set to start. However after 4 hours without any initial foothold on the first machine, I thought maybe I should switch to standalone machines, maybe after solving 1 or 2 machines I will have other thoughts.

So I decided to come back with the information I got after recon from standalone machines after taking a lunch break and a 30 minute sleep. Actually standalone machines can easily see the vulnerable functions, but I really don't know how to exploit them. Besides they have so many rabbit holes that I have been stuck for a long time somewhere around 5 6 hours.

Honestly, if you focus on something for more than 10 hours without any results, you will fall into a state of panic.

Try as I might until around 4am the next morning and I still hadn't gotten any points. The panic was at its peak and sitting for so long and staring at the screen was giving me such a headache that I decided to close the paper and go to bed. And that was when I really failed the first exam. 😭

Exam Day: The miraculous return

After the first exam, it was the Lunar New Year holiday. This was supposed to be the time for me to celebrate passing the oscp but no, I failed 🙂. So as soon as the holiday ended, I immediately went back to studying for revenge. Now is the time to "Try Harder"

Decided to choose 10am on February 29th to retake the exam (not too long but enough time to review all the knowledge and think about the machines I encountered in the previous exam). Just like last time, I woke up and got ready for this exam. After 1 hour of reconfiguring all assigned IP ranges, I still checked everything one time to preview.

What the heck, 2/3 of the standalone machines are exactly the same as last time. The good news is I know what the bug is but the bad news is I couldn't exploit it last time, so what am I going to do this time? But this time with the confidence and knowledge learned from my brothers, I learned a lesson: Don't trust too much in automated tools, sometimes there are very simple test cases but the tool doesn't perform them. A machine with ftp open and using an easy to guess default password account but nmap can't actually scan it

After having the first initial access, it was not too difficult to get the first 20 points in just over an hour. Confidence increased significantly đŸ”„. After only about 2 hours, I had captured another standalone machine with 20 points. This time I learned my lesson, I ate and took a nap for about an hour. In the afternoon I came back and was ready to start the AD set (because even if I finished 3 stand problems, I still couldn't pass with 60 points, and the AD set had to be completed to get 40 points).

Not as easy as the 2 standalone problems, the AD set took me quite a bit of time and had a lot of rabbit holes. By midnight, I started having panic attacks. Bad thoughts were popping into my head like "am I going to have to take the exam again for the third time?" or "am I really going to pass this exam?". Sitting until 4am I really couldn't do anything, decided to sleep on the table and set the alarm for 5:30am to wake up to regain alertness.

Decided to try all the commands I had noted during my studies. And surprisingly, by around 8am, I had taken over the first machine in the AD set.

Did you think that was the end of the surprise? Not at all! You know what, the following 2 machines in the AD set are very easy to take over and escalate privileges. All 3 machines use SeImpersonatePrivilege

I completed the AD set in just 30 minutes. Breathe a sigh of relief and calm down, take a photo of all the PoCs I just did. After checking that there was no missing PoC, I decided to close the test 30 minutes before the deadline.

With that, I have completed the OSCP exam with 80/100 points!

Some advice (non-technical)

  1. Never spend more than 2 hours on a single exploit. If it doesn’t work, it doesn’t work :(. Your time is better off used in enumerating/exploiting the other targets.
  2. Be wary of rabbit holes. Know when enough is enough, personally, I feel that although there weren’t much rabbit holes within my exam environment, there were still some specially crafted to waste exam taker’s time. Be very wary of those as it is possible to waste hours and hours on a vector that “looks” exploitable.
  3. Take ample breaks. I know, cliche, “OSCP is a 24 hour exam, remember to take breaks”- Yes you have 24 hours to work so don't regret 1 hour of sleep to regain concentration .
  4. Try Harder. 😔

Conclusion

In conclusion, throughout the course of taking the OSCP exam, I have learnt a lot about the penetration testing methodology and to have the “Try Harder” mentality when faced with a particularly difficult obstacle.

I am grateful to Offensive Security for creating such a comprehensive and in-depth course/certification on the intricacies of penetration testing. I have truly enjoyed every second in my time preparing for and taking the OSCP exam!

— Or4nge16