Failing the OSCP Challenge

I’ve documented my first attempt at the OSCP exam.

(Failing) The Challenge

I was a ball of nervous energy for the whole exam and for several days before. Although I had initially planned to sleep, as it drew closer to the day, reality hit me. I realized I wouldn’t be able to sleep for 5 hours if I knew I had to get up and continue the exam.

That day, I felt positive coming into the exam although I also felt very tense. I did acknowledge that I would probably fail and tried to approach the challenge as a learning experience. I didn’t want to be overly disappointed or nervous about the outcome.

My exam began at 09:00 on a Saturday. I started with network reconnaissance against all the targets. As the service results came in, I began to poke at them manually and also enter scan information into Cherrytree.

I spent about 1.5 hours going over the recon scans and copying relevant information into my notes for each host. I conducted a bit of research into the service versions that were running, noting any high-level vulnerability hypotheses where applicable.

I switched gears and worked on the custom buffer overflow exploit. I planned to work on the buffer overflow exploit first since I figured it would take the longest and give me the most trouble. Thankfully, I took detailed notes when working through the examples from the course and had those to review for the steps. I took a couple of 20-minute breaks during this time and an hour break around 18:00 for dinner. I think I should have gone and walked around outside more but it was rainy and I was focused on the exam.

On the Board

Around 22:00, I got my first flag!

I did a dance when I tested my exploit and it worked. My partner heard me celebrating and came to celebrate. The dog ran in after him, causing a brief commotion! I successfully ran the exploit and got the flag!!!

It would be the only one.

Nothing

I spent the next 9 hours bashing my head against the 4 other machines in a caffeine-fueled trainwreck of a time which included:

By 06:00 I was wishing I had slept but there was no point in trying to do that. I had to press on and try to get more points. I tried to use my Metasploit exploit and Meterpreter payload as a last-ditch attempt…but it was too late. My exam was complete. My exhausted brain didn’t even realize what time my exam ended.

The Aftermath

I slept until 16:00 on Sunday. I worked on my report later that night but I eventually succumbed to exhaustion. There’s nothing like staying up for 26 hours straight to mess up your schedule, brain function, etc. temporarily.

I tried to submit the report Monday morning but ultimately couldn’t get it completed until about 1.5 hours past the deadline. The good news is that I navigated most of the potential issues I’ll encounter with my note-taking and report generation method the next time around. I have a nice template ready to go in addition to organized notes about the buffer overflow exploit I completed.

Retrospective

Two things that became completely obvious to me almost immediately after the exam was over:

I should have been running the recon tools regularly.

At times, I was looking at the hosts’ network services from a point in time rather than getting the most up to date information. I kept asking myself “What am I missing?” Perhaps I was missing up to date scan information! 🙃

For my next attempt, I’ll use a cron job to automate recon activities and keep my scans updated every 2-4 hours. I might automatically diff the current and previous nmap scan XML with ndiff in order to highlight any differences.
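To show what the periodic rescan-and-diff idea actually surfaces, here is an added example that is not from the original post: a minimal Python equivalent of the ndiff comparison that reads two nmap -oX outputs and reports open ports that appeared or disappeared per host. The two XML documents and the address 10.11.1.5 are constructed for the example; in the cron setup described above, each run would write a fresh -oX file and the newest two would be fed to this script (or to ndiff itself).

```python
import xml.etree.ElementTree as ET

# Constructed sample nmap -oX output (not from the original post): a previous
# and a current scan of one host, where one service was replaced by another.
PREVIOUS_XML = """<?xml version="1.0"?>
<nmaprun>
 <host><status state="up"/><address addr="10.11.1.5" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
   <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
  </ports></host>
</nmaprun>"""

CURRENT_XML = """<?xml version="1.0"?>
<nmaprun>
 <host><status state="up"/><address addr="10.11.1.5" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
   <port protocol="tcp" portid="8080"><state state="open"/><service name="http-proxy"/></port>
  </ports></host>
</nmaprun>"""

def open_ports(xml_text):
    """Map each host address to the set of (proto, port, service) tuples in state open."""
    result = {}
    root = ET.fromstring(xml_text)
    for host in root.findall("host"):
        addr = host.find("address").get("addr")
        ports = set()
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports are not interesting for the diff
            svc = port.find("service")
            name = svc.get("name") if svc is not None else ""
            ports.add((port.get("protocol"), int(port.get("portid")), name))
        result[addr] = ports
    return result

def diff_scans(previous_xml, current_xml):
    """Return {addr: (appeared, disappeared)} only for hosts whose open ports changed."""
    prev, cur = open_ports(previous_xml), open_ports(current_xml)
    changes = {}
    for addr in sorted(set(prev) | set(cur)):
        appeared = cur.get(addr, set()) - prev.get(addr, set())
        disappeared = prev.get(addr, set()) - cur.get(addr, set())
        if appeared or disappeared:
            changes[addr] = (sorted(appeared), sorted(disappeared))
    return changes

if __name__ == "__main__":
    for addr, (new, gone) in diff_scans(PREVIOUS_XML, CURRENT_XML).items():
        print(addr, "new:", new, "gone:", gone)
```

Hosts whose open ports did not change produce no output, so the report stays short enough to glance at between other tasks.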

I FORGOT PERSISTENCE/POST-EXPLOITATION.

I had blinders on and I’m not sure why. Nerves? Exhaustion? I was stuck in a cycle of looking at boxes in their own vacuums rather than as systems I could potentially leverage to attack the others. I could maybe have used the buffer overflow system as a pivot point to potentially access additional services. I could have spent time with post-exploitation information gathering, but I didn’t. I didn’t even look. It’s been several days and I am still incredibly frustrated with myself about this oversight. I won’t forget next time.

Next time, I’ll proceed as if I only have one shot to run my exploit and establish a foothold in the network and loot and pillage the hell out of it.

An insight that came later as I was struggling to write my report Sunday night (still so tired):

I should have enforced several (2-5) hours of downtime.

Even if I could not manage to sleep, I should have allowed myself some quiet, restful time. I was a ball of anxious, nervous energy NONSTOP. It didn’t feel healthy and I doubt it helped me to think clearly.

Unfinished Business

The OSCP exam challenge was definitely a learning opportunity. I surprised myself by getting the custom buffer overflow exploit. I know what some of my main weaknesses are: privilege escalation, buffer overflows, and enumeration (which became obvious with this attempt). I’m excited to give it another go in May.

In the meantime, it’s back to the lab for me! Clearly I need to spend a bit more time on my methodology (and all other things)! ⚡️💻✨

Check out the current version of some resources I’ve been compiling that may help you on your offensive security journey, if you’re so inclined: alexiasa/oscp-omnibus