How To Fail OSCP

IzyKnows
Apr 27, 2019 · 14 min read

Introduction

You’ve probably read a million articles talking about people’s OSCP experience and their tips to pass the exam. “Try harder”, “Enumerate enumerate enumerate”, “take regular breaks”, you must’ve read them all by now. Hence, this article will not be that.

This is my first post and I thought I’d write about something different, something you probably won’t come across anywhere else — How to fail OSCP. I’m going to be talking about all the mistakes I made along the way and what I learnt from them through the course of OSCP. I read a lot of articles before and during my OSCP, so I know what’s out there and I can promise you, this is not that. Of course, the intent of this article is not to help you fail but rather help you see shortcomings you might find yourself faced with but not realize. With that, let’s begin :)

What is OSCP? [Edit May 2, 2019]

Wow, this article has gained a lot of momentum since I first wrote it. I even find people who have no idea of what OSCP is landing up here. If you fall in that category, this section is for you. The rest may skip this section!

OSCP stands for Offensive Security Certified Professional. It’s a certification hosted by Offensive Security that’s both revered and feared by the security community. The course looks to train students in the art of offensive security with raw hands-on practice. You will be legit hacking very realistically created systems in their virtual labs to practice your skills. Furthermore, you will be provided with bare metal to work with. In short, no one will spoonfeed you. You will be taught the basics and have to somehow figure out how to convert knowledge into skill. OSCP veterans know the hard work that’s required for this course, so asking them for help will lead you to the most common mantra of any OSCP student — TRY HARDER. If that’s not enough, the exam is a 24 hour long gruesome one, where your job is to hack. You are given a number of machines to hack, and if you can’t within 24 hours, you fail, as simple as that. Don’t believe me? Check them out.

Target Audience

Let’s just get this out of the way before we begin. My target audience is essentially people who have just gotten into OSCP, i.e, enrolled and maybe just starting out, or midway through the labs. If you’re yet to get into OSCP, you’re welcome to read this article, but you’ll probably understand things better once you do. Choice is yours.

Do not Fear the Rabbit hole!

What’re you saying?! Rabbit holes? I should be avoiding them! Yes, you should, but with a clause.

For the uninitiated, rabbit holes are one of the biggest fears of people attempting their OSCP. A rabbit hole is essentially a route you ‘think’ is the right way into pwning that system but is actually a dupe which you end up wasting a lot of time on with no result. Obviously, this is something you must avoid, but easier said than done.

You must avoid rabbit holes, but not fear them. When do you decide that a path is a rabbit hole? I always had a problem with this. I was so scared of falling into rabbit holes and wasting my time that I missed the actual entry point. Many a time, there were so many big signs right in my face, but when things didn’t go my way, I’d instantly assume it was a rabbit hole and crawl out. This was because I read so many articles about how people waste hours and days on a given system but are trapped in rabbit holes.

So my advice? Avoid rabbit holes, but don’t fear them. Know how deep you need to go before you decide it’s a rabbit hole. It’s a gamble, but it’s better to go down 100 rabbit holes and be sure they’re rabbit holes than miss the actual entry point because you prematurely evaluated it. Even with the correct entry path, things may not always work as smoothly as you’d expect. Technical errors, things you overlook, so many reasons that may have you doubt it as a rabbit hole. Give each system the time it requires; that may mean having to go down a few rabbit holes too.

It’s not about how many labs you crack

It really isn’t. Don’t let anyone tell you it is. I had a lot of people telling me I need to crack at least X systems in order for my exam to go well. Where is this written? Nowhere. Because it’s not true.

Let’s go a little into my OSCP experience here. I’m no pro at red teaming/pentesting, etc. I work on the defensive side of things at work and while I have great interest towards breaking things, other than playing some CTFs and reading articles, I really had nothing else. I tried HackTheBox, but to be honest, I really couldn’t crack even the easy boxes before my OSCP. But what I would do is once the box expired, I would watch the walkthrough. Some may protest this approach, but I’d only watch the walkthrough after I was exhausted trying myself. So, I barely had any experience when I took the PWK 60 day lab pack. It comes down to how effectively you use these 60 days. I spent close to a month really grinding through all the video lectures + book + exercises. And in around 20–25 days, I was able to break 23 machines completely.

Back to the point. It’s not about how many systems you crack, but how you crack them. If you think the OSCP exam is to test just your technical skill, you’re wrong. With some smart googling and a basic technical background, you can probably find everything you’re looking for. The reason why the exam is 24 hours and known to be gruesome is because they test your process. The OffSec guys want to know that you not only have the technical knowledge but a process to efficiently apply it. What do I mean by process? I mean the ability to enumerate well, prioritize where to put effort, understand the situation, select the right exploits and then do the same for priv esc. This is a finer skill which develops with practice. In fact, in the forums, there’s a write-up for a specific lab system by g0tm1lk that I highly recommend going through to understand his process.

Finally, if you were to just power through systems just to get your pwn count higher, things are not going to go well. I’ve heard of people who have cracked 8 lab machines and have passed the exam as well as ones who have cracked all the labs but have still failed the exam. So the number of labs you’ve cracked determines nothing.

Use of OffSec Forums

There’s a lot of scepticism around whether the use of forums is good or not. Here’s my take on it. You won’t have forums in the exam. But they do exist for a reason.

The forums will never give you the answer directly. But they give you very close to it in the form of badly obscured clues that will validate whether you’re in the right direction or not. As little as that sounds, it’s a lot when you’re stuck and frustrated. But to use the forums when you’re just starting out with a system? Not a good idea. There was a time when I would run scans on my target and in the meanwhile go through the forums. This was a horrible habit that a friend had to kick me out of. Using this method, Sufferance was the first system I broke. It gave me a lot of confidence initially, but later on I realized it was worse to have cracked it using as much of the forums as I did.

So when to use it? When you’re absolutely at wits’ end. If you had a plan and it didn’t work out, don’t look at the forums. If you’ve exhausted all your options and have no leads, don’t look at the forums. If you’ve spent days and got nothing, don’t look at the forums. But when you’ve faced all of the above, backed up, forced yourself to try the same approach multiple times with no success and are absolutely out of ideas, then perhaps it’s time to peek into the forums. When I say peek, I don’t mean read every article through in the forum. There are a hundred others on that forum who have faced the same issue you’re facing. So you might hit a post and think “OMG that’s EXACTLY what I’m facing!”, but don’t be surprised. Read a few posts and something will hit you. When it does, shut the forums and repeat the above process.

Once again, the exam will not have any forums. So get used to using them extremely minimally. But don’t starve yourself of them. Some people get the pentesting juices flowing through them easily, while others need a little kick. Remember, a little kick.

Unlocking your ‘Third Eye’

Perhaps this analogy comes from my Indian roots. But call it whatever you like, I feel this is the most essential thing, without which, you will fail.

I touched upon this point a little before but without using this term. The Third Eye is essentially your vulnerability catching eye. It means how well you can spot a needle in a haystack. How well you can spot the vulnerable service amongst 20 others. It doesn’t mean you’ll always get it right, but it can save you a lot of time. When you’re enumerating a system, you are going to come across many services which may look new to you and leave you confused on where to start. With practice, this will change. When enumerating a system, I write down all my findings using pen and paper. Then, I start ranking my findings in order of which I’d like to investigate first. This ranking is essentially using your ‘third eye’. Your ranking will determine how quickly you find the right way in and how quickly you dismiss something as a rabbit hole. Over time, services will stop looking weird to you. You’ll start realizing with minimal effort that an Apache server is probably not the best place to start hammering on first.

In the beginning it may be difficult to stay calm until you write down the services you’ve enumerated. An issue I faced was that directly after my network scans completed, I’d see something and think “THIS IS IT, IMA TRY IT NOW!”. Now this. This is bad. If you have this feeling, you need to get rid of it because it works counterproductively to your third eye. This was a big issue for me because just by an initial scan, I was sure I had it and began looking for exploits. This not only wastes your time but kills your motivation. You may get it right once in a while, but you’re going to get it wrong more often. You need to change this urge to think “Hmm.. this looks interesting. I’m going to note it down and try it as soon as I’m done enumerating everything else”. The point is, everything looks like it’s ‘the one’, but don’t jump on it until you’re really sure there’s nothing better out there (cue life analogy).

As you continue to practice this method, you will realize that your rankings get a lot more accurate and you’re able to crack the system on your first or second guess. This is how you really sharpen that third eye. There was a point in my journey, where easy systems were crackable in 10 minutes or less. I’d enumerate, take one look and know ‘that’s the one’. And this time, I could trust that instinct (or eye) and more often than not, it worked. In short, train the eye before you use it.

Things may not work the first time

Sometimes, the right exploit may not work the first time. Why? I don’t know. I’m someone who tries to find out why something didn’t work. But with OSCP, sometimes, that habit went out the window. Some things just didn’t work. The point here is that — don’t be demotivated when it doesn’t. It still could be the right one but it isn’t working for some reason. Try again. Sometimes, you might need to revert and try again even. But if something looks like it’s perfect given the circumstances you’re in, it probably is and requires you to just try again.

I saw this often happening to me with privilege escalation. Everything looked PERFECT. But it didn’t work.. or it hung.. why?! I don’t know why. Revert and try again. Many times I’ve left the right exploit thinking I’m in a rabbit hole, when all I needed was a revert.

Spend Minimum 12 Hours a Day

Gosh. I’ve heard this one so many times. People telling me “to pass OSCP, you need to spend a minimum of X hours a day”. And that X ranges from anywhere between 6–425287 hours. In my humble opinion, this is bullshit. Does OSCP require time? Most definitely. But this point is interpreted as you must set aside this many hours a day in order to prepare for OSCP. And honestly, that’s not true. You don’t have to do anything that hard bound. Initially, when I was grinding through the PDF + videos, I spent 3, max 4 hours in a day. And I was proud of myself for it. Many people told me I wasn’t spending enough time, but there’s only so much I could read/watch in a day after work.

The amount of time you spend on OSCP is purely based on you; don’t force yourself to conform to time limits set by others. As you dive deeper into the course, you will automatically find yourself spending more time on it. Once the labs start, you’ll end up looking into your laptop in the morning and by the time you look away, the sun’s gone. If you’re prematurely going to block out 8 hours or whatever in a day, you’re simply going to have slow learning or end up wasting time and feeling bad about it. My point is this — OSCP does take time. No doubt. Keep in mind that you will have to invest a lot of time into it. But don’t go setting harsh timelines for yourself right in the beginning because you’re going to either mess up and feel bad or rush through and not get the complete learning. You do you. And at the end of it, you too will be part of the club saying “Oh yea.. I spent 2391203 hours on preparing for OSCP per day.. it was hell!”.

Bad Ideas

  • Taking lab time and extending it without attempting the exam: This was my initial idea. I had taken the 60 day lab pack. And I thought “Hmm. If by the end of 50 days I don’t feel confident enough for the exam, I’ll simply extend by another 30 days”. BAD IDEA. Something I did not realize — with every lab pack, you get 1 exam attempt, don’t waste it. After 50 days if you feel you’re not confident, take the exam anyway, fail if you must, and then extend your lab and you’ll get another exam attempt with it. You can extend lab time even after yours expires.
  • Ignoring the IRC: The IRC is great. And I don’t know why people are not on it more often. The IRC bot gives hints for almost all machines. They’re useless most of the time, but sometimes can be helpful. But the real reason for joining the IRC is you get to meet some real OffSec veterans and discuss on the main channels. You won’t get any hints, so don’t ask. But neither did this article give you any ‘hints’, but it did help, yes? Point is, whether it is just for OSCP or even beyond, you meet some amazingly talented people on the IRC and it is definitely worth checking out. I spend a lot of my time on the IRC even now and have made some pretty good friends.
  • EternalBlue and DirtyCow: If you don’t know what they are, this point isn’t for you. If you do know what they are, I hope you don’t use them. The majority of machines can be pwned without using either of these 2, even though they might be applicable. If you’re really looking to learn, stay away from these. These 2 are the ‘easy way’ out. Do you really want that? I can guarantee you that in most cases, there are other better ways to pwn, ways that’ll teach you so much more. I hardly used either of these two. Even when I did, I would go back and look for alternative ways later.

Random Thoughts on Things

Metasploit

Some people like to use Metasploit in the labs. Others don’t. As you’d know, you can only use Metasploit once in the exam. But don’t fear Metasploit; you’re getting a chance to learn it. I would stick to manual exploits as much as possible, but occasionally I’d try a Metasploit exploit as well, though not without also getting the manual exploit to work too.

In the exam, the use of /multi/handler is not limited to 1 use. You can use this as many times as you want. But Meterpreter IS. That means that staged and stageless payloads are okay. Stageless payloads can be caught with a simple netcat listener, but for staged you’ll need /multi/handler, and that you may use unlimited. The moment you use a Meterpreter payload, that’s when your limited-usage restriction comes in.

Timetable

I find this extremely useful. I was advised by a friend to make a timetable, and it helped me so much. A time table means, mapping out how your exam will go and how long you will spend on each machine. It doesn’t have to be followed to a T, but some sort of structure will prevent you from spending too much time on one machine. Here’s a picture of my timetable.

[Image: OSCP Exam Timetable]

Things did not go according to plan (does it ever?). But it did give me a place to start.

Outro

This article got longer than I expected. I feel like I had some more tips for the exam but I’ll cut it here. If people are still interested, maybe I’ll share more at a later time.

In a nutshell, the above points are what, had I personally not done, would’ve ensured my failure in the exam. Nor did any of the other OSCP articles I’ve read so far talk about these points. And if you’ve found them helpful, the best thing you can do for me is to share these points in whatever way you like with others who aspire to be an OSCP. And for sure, feedback is welcome.

This is the end of the article, you made it! I’ve kept myself out of this article as much as possible but if you want to know about me, you can read the section below. Else, thanks and try harder! :)

P.S. — OSCP aspirants, have you heard this song?

My Story

So, you wrote an article about failing OSCP, does that mean you failed? Well. Tricky question. I attempted the exam and I passed. But I fell into all the holes that I mentioned above. Luckily, I had some great people around me who pointed it out just in time for me to mend my ways. If it wasn’t for them, I would’ve failed and this post’s title would’ve been a lot more apt. And non-existent.

Offensive security is a passion of mine even though I work on the defensive side within office walls. Out of pure interest, I have a few certifications under my belt — OSCP, CCNP, CCNA, CEH. I’m always up for meeting new people passionate about the same things as I am. If you’d like to connect with me, find me on Twitter.

Last but definitely not least, I’d like to give a big shout out to Dyntra, whom I met on the OffSec IRC. Always have a Dyntra in your corner. Like many others, he didn’t give me any hints with regard to the labs or the exam. But I learnt a lot of tiny things about the course, the exam and security in general from him; the majority of the content you read in this post, even. I’d tag his Twitter if he had one, but if you’d like to see the cool stuff he’s into, check out his website: https://www.revolutionelite.co.uk/
