OSCP: The Importance of Trying Harder

Last Update: Jan 09, 2022

Earlier this year I decided that it was time to challenge myself and after a fair amount of research I decided that I wanted to obtain the OSCP qualification. I’d chatted to seasoned pen testers who described some of the challenges they had faced in the labs and spoken about how it often pushed them to new limits.

I was immediately intrigued.

Many things have been written about the OSCP exam, and prior to my decision to do the labs and write the exam I read every last bit of material I could find.

I don’t honestly think I can provide more information than many of the posts I’ve already linked to, but I’d like to share my story around the exam in particular, and why it’s so important that you focus on the OSCP mantra of Try Harder.

Background and Preparation

For those interested:

  • I come from a fairly technical background, having spent over 20 years in IT with a keen focus on Information Security for most of that time.

  • I’ve never considered myself a l33t h4x0r by any means (and I never will) but I have always been able to hold my own technically and achieve what I needed to.

  • I am fairly proficient with Perl, Python, PHP and C.

  • I purchased three months of lab time; due to my work schedule I spent a minimum of 2 hours each night in the lab practicing my craft prior to writing the exam.

  • I completed all the exercises and compiled the lab report in the hopes that I could gain an additional 10 points in the exam should I fall short of the 70 required points to pass.

The day before the exam, I bought snacks and drinks that I anticipated needing during the exam and then I made sure to get a decent night's rest so I could tackle the exam feeling fully awake and refreshed.

Exam Approach

One of the things that concerned me around the exam was that I could potentially get stuck on a system and spend more time on it than I should, resulting in my 24 hours of access to the Exam network ending without me compromising a single system. To that end, I set up a timer that notified me aurally and visually when three hours had elapsed. This helped me to ensure that I didn't spend more than 3-6 hours on any single system.

My goal was to spend the first 3 hours developing the buffer overflow code while my enumeration scans ran in the background for the remaining systems.

Exam Hours 1-4

Once I got notification that my exam had begun and gained access to the Exam lab I immediately kicked off my enumeration scans and began working on the buffer overflow. I felt confident that my preparation and time in the labs (and beyond) would be sufficient.

And then reality hit…

Around 90 minutes into developing the buffer overflow I had a working exploit and was rewarded with a reverse shell from the development machine I was working on. However, when executing the code against the intended target the service on the target machine would crash and no reverse shell was obtained.

For the next 3 hours I tried various modifications to the code. I changed payloads, reverting the target multiple times as I started to grow more and more concerned at the reverts dwindling away and the failures stacking up.

At four hours in I looked at the clock, realising I had not yet earned a single point. My confidence was shaken… the possibility of failure became real, tangible, terrifying.

Exam Hours 5-8

At this point I decided to step away for 15 minutes to clear my head, have a drink and something to eat, and then returned with the intention of focusing instead on the other systems, in the hope that I could come back to the buffer overflow later.

Possibly around 30 minutes later I had a low privilege shell on one of the boxes, and 60 minutes later I had my first system completely owned. With the failure of the buffer overflow still hanging over my head I began working on the next system and possibly 60 minutes later I had compromised a second system fully.

At this point I had 35 of the required 70 points, and I was still fairly sure that I wasn’t going to make it. I started working on the next system and at around the 8 hour mark of the exam I fully compromised the system, putting me at 50 points. Success was in sight.

Exam Hours 9-12

At this point I stopped to eat something for dinner, and made the conscious decision to go back to the buffer overflow and begin development of the exploit code from the beginning in an effort to find any mistakes I had made the first time around. With time now on my side I worked slowly and meticulously through the process and eventually did find a small mistake that I had made on my initial attempt.

With a massive lump in my throat at around 11 hours into the exam I executed the buffer overflow exploit against the target machine and literally jumped out of my chair screaming in jubilation as the reverse shell opened up. With 75 points now in hand I now had enough points to pass the exam as long as I didn’t bungle the report.

Exam Hours 13-18

At this point I decided that it would be optimal to get some sleep and come back thereafter to tackle the last machine in the lab and begin compilation of the report… and that’s just what I did.

Exam Hours 19-24

After some restless sleep I spent around 90 minutes on the last box, but was unfortunately unable to find a method to exploit it. At this point I decided to begin the report and used this opportunity to ensure that I had all the relevant data, screenshots and information I would need for the report.

This time was valuable for me especially since some of my initial screenshots were messy with additional code/errors etc. in them and as such re-doing them to show only relevant information really assisted in improving the quality of my overall report.

At 23 hours and 45 minutes into my exam, I archived my reports and sent them through. I had completed the 48-hour OSCP exam in under 24 hours.

Result and Conclusion

Just over 24 hours later I got a mail confirming that I had indeed passed my OSCP.

I’m extremely proud of this achievement and I would highly recommend that any information security professional take the time to obtain the qualification.

Looking back, it would have been easy to give up around the 4 hour mark; to call it quits and walk away. This exam, and the time constraints under which you must complete it, are challenging to say the least, and it's easy to feel overwhelmed and to submit to failure. The mantra behind the OSCP is to Try Harder, and never is that more appropriate or important than in the Exam.

Put your self-doubt away. Do not give up.

Try Harder!!