My 2 year OSCP journey is finally over!
griffondg
Member Posts: 39 ■■□□□□□□□□
Received the glorious email this morning that I had finally passed. As the title states, I signed up for 90 days of access back in April of 2015. Was gung ho for a couple of months and then work, family, life intervened and I sort of half-assed my effort for the next 9-10 months, getting an extension or two but not really making more than token progress. Finally got serious about a year ago and took the exam...and failed hard. Took it THREE more times and came close to passing but couldn't get over the hump (insanity is doing the same thing over and over again and expecting different results). Put it aside again until February this year and I decided to start over from scratch in the labs and purchased 90 days. That was a very good decision and I learned so much more this time and really dedicated every waking moment out of work (and some at work!) to perfecting my methodology. Took the exam this weekend and got two full shells and two partial shells so I knew it would be VERY close, depending on how they score the partial shells. Including the 10 points for lab report and exercises I figured I had a minimum of 65 points and a maximum of 75, so was sweating waiting to get the email. Obviously I had enough.
It's frankly embarrassing to tell people you failed an exam multiple times, but let me tell you it's all worth it now.
Comments
-
UnixGuy Mod Posts: 4,570 Mod
Well done! You didn't give up, and you got what you wanted. Now it's safe to say that your material very well
Congratulations!!
-
JoJoCal19 Mod Posts: 2,835 Mod
Congrats on the pass man! Good on never giving up!
Have: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CSAA, AWS CCP, OCI Foundations Associate, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
Currently Working On: Python, OSCP Prep
Next Up: OSCP
Studying: Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework
-
SaSkiller Member Posts: 337 ■■■□□□□□□□
Congratulations. How would you say your methodology changed?
OSWP, GPEN, GWAPT, GCIH, CPT, CCENT, CompTIA Trio.
-
griffondg Member Posts: 39 ■■□□□□□□□□
Thanks guys!
SaSkiller wrote: » Congratulations. How would you say your methodology changed?
When it comes down to it, passing the exam comes down to methodology and enumeration - you can get away with poor methodology in the labs but it will kill you on the exam. What do I mean by that?
1. I used to scan a system and see something interesting like a web app running on port 80 and I was off to the races, looking for login pages, potential SQL injection, etc. and could easily spend hours going down a rabbit hole only to find out that there was another obvious attack vector I overlooked because I jumped in without looking at the big picture on the server. There is an awesome post on the offsec forums where they break down an attack on one of the lab servers and it really opened my eyes.
2. For privilege escalation don't just run one of the common priv esc scripts out there and expect it to do the work for you. They are good but they have limits and you need to understand how to manually enumerate a target.
3. Don't assume just because a tool tells you X service is running on X port that it's true. You can make a banner say ANYTHING so always investigate all open ports even if they appear uninteresting. I can't go into specifics but let's just say this one bit me.
-
JoJoCal19 Mod Posts: 2,835 Mod
griffondg wrote: » Thanks guys! There is an awesome post on the offsec forums where they break down an attack on one of the lab servers and it really opened my eyes.
Unless it violates their ToS, if you could copy that post, scrub any specific machine identifying information, and post it here that would be awesome. It would really help to understand the flow of attack and way to attack the machines in the lab.
-
griffondg Member Posts: 39 ■■□□□□□□□□
JoJoCal19 wrote: » Unless it violates their ToS, if you could copy that post, scrub any specific machine identifying information, and post it here that would be awesome. It would really help to understand the flow of attack and way to attack the machines in the lab.
The post is so detailed that I don't really think I can do it justice by summarizing. Seriously, it's 3 pages of forum posts dedicated to exploiting one machine!
-
JoJoCal19 Mod Posts: 2,835 Mod
griffondg wrote: » The post is so detailed that I don't really think I can do it justice by summarizing. Seriously, it's 3 pages of forum posts dedicated to exploiting one machine!
Can you give me a thread number or title? Will be signing up after my CISA and PMP exams are done in the next 2 months or so and would like to reference it.
-
dialectical Member Posts: 55 ■■□□□□□□□□
I would fail this exam no matter how many times I took it. Not embarrassing. This is a serious achievement!
Also you have something to talk about if asked in an interview about "a time that you overcame failure".
-
griffondg Member Posts: 39 ■■□□□□□□□□
JoJoCal19 wrote: » Can you give me a thread number or title? Will be signing up after my CISA and PMP exams are done in the next 2 months or so and would like to reference it.
It's at https://forums.offensive-security.com. Once you register for the course you will get access to it under: Pentesting With Kali > Lab Machines > Public Network > 10.11.1.71 and it's the sticky at the top of the page.
Good luck!
-
griffondg Member Posts: 39 ■■□□□□□□□□
dialectical wrote: » I would fail this exam no matter how many times I took it. Not embarrassing. This is a serious achievement! Also you have something to talk about if asked in an interview about "a time that you overcame failure".
If you want it bad enough you can pass it so don't sell yourself short!
I'll have to remember that the next time I'm in an interview, lol
-
Mooseboost Member Posts: 778 ■■■■□□□□□□
Congrats on the pass man. That is definitely some persistence.
-
Blade3D Member Posts: 110 ■■■□□□□□□□
Congrats man, this seems to be the exact same thing happening to me. I signed up for 90 days back in July or August of 2015, didn't get through much. I then signed up for 30 days 2 more times in the next 5-6 months and didn't accomplish anything really. I've been considering getting another 30 days, busting my ass, and getting through it. This is a cert that really interests me, it's just hard to dedicate the time.
Title: Sr. Systems Designer
Degree: B.S. in Computing Science, emphasis Information Assurance
Certifications: CISSP, PSP, Network+, Security+, CySA+, OSWP
-
griffondg Member Posts: 39 ■■□□□□□□□□
Thanks guys
Blade3D wrote: » Congrats man, this seems to be the exact same thing happening to me. I signed up for 90 days back in July or August of 2015, didn't get through much. I then signed up for 30 days 2 more times in the next 5-6 months and didn't accomplish anything really. I've been considering getting another 30 days, busting my ass, and getting through it. This is a cert that really interests me, it's just hard to dedicate the time.
-
Chilltech Member Posts: 8 ■□□□□□□□□□
Congrats man! No shame in failing trying to achieve something great. Much respect.
-
Blade3D Member Posts: 110 ■■■□□□□□□□
Thanks, I've been considering reupping after my vacation this weekend. I could spend June working on it and take it the 4th extended weekend. I'm leaning heavily towards doing this, just don't want to waste any more money. I passed the CISSP almost 2 months ago so I need to start working on something. I'm also considering getting a Master's degree from WGU but I don't really have the money at this time, thinking I'll wait and hopefully find a new job that would pay for most of it.
-
chrisone Member Posts: 2,278 ■■■■■■■■■□
griffondg wrote: » It's frankly embarrassing to tell people you failed an exam multiple times
It's only embarrassing if you quit and gave up after failing.
Congrats on your victory! It was a long and tough road but I am sure you learned a few things about how to stay focused etc
Certs: CISSP, EnCE, OSCP, CRTP, eCTHPv2, eCPPT, eCIR, LFCS, CEH, SPLK-1002, SC-200, SC-300, AZ-900, AZ-500, VHL:Advanced+
2023 Cert Goals: SC-100, eCPTX
-
Dr. Fluxx Member Posts: 98 ■■□□□□□□□□
You would probably make one of the best teachers out there as a tutor for the exam.
I'd say you're a valuable asset.
-
griffondg Member Posts: 39 ■■□□□□□□□□
Thanks for the love, guys! I mainly posted my story so others in the same boat know that it's possible to tame this beast if you really want it. Just received my certificate in the mail yesterday and let me state again it's all worth it
-
LonerVamp Member Posts: 518 ■■■■■■■■□□
Grats on the hard work, learning, and win!
Security Engineer/Analyst/Geek, Red & Blue Teams
OSCP, GCFA, GWAPT, CISSP, OSWP, AWS SA-A, AWS Security, Sec+, Linux+, CCNA Cyber Ops, CCSK
2021 goals: maybe AWAE or SLAE, bunch o' courses and red team labs? -
JasminLandry Member Posts: 601 ■■■□□□□□□□
Congrats on the pass! Good to know you didn't give up and kept going at it.
-
griffondg Member Posts: 39 ■■□□□□□□□□
» Did you meet that "lazy admin" too?
I did on the exam before and didn't get it but after looking at my notes I think I figured out how to get a shell and was hoping to get it again.
-
golab011 Registered Users Posts: 2 ■□□□□□□□□□
I also thought the same after the first encounter, but the second time I met him again without success
-
Paolo264 Member Posts: 13 ■□□□□□□□□□
Never ever ring the bell... well done.
CISSP | CRISC | ISO27001 Lead Implementer