Friday, 11 March 2011

Farewell OSCP :0(

So... It's all over. After three months spent in the offsec labs, this week I passed the OSCP exam.

I have endured many exams over my career, and I usually get a relieved feeling when I walk out of an exam with a pass. However, this time around I felt different - almost disappointed.

I had spent the last three months in what I can only describe as a hacker's Disney Land: a virtual lab with around 60 or so vulnerable servers just waiting to get owned. With every OS you can think of this side of the millennium, along with simulated users eager to open whatever payload you decide to email them, you can begin to get an idea of just how much fun is to be had here.

Time quickly came for the fun to stop though. I had root on almost all the lab machines in the student network and one or two on the other networks. It was now my chance to prove that I have been "trying harder", and take on the dreaded 24 hour exam.

I knew the course material cover-to-cover and had completed 90% of the extra mile challenges, so I was confident this was enough to tame this beast. How wrong I was!

24 hours went by like 24 minutes. 8 hours in, and I was still on the first of the five servers! Panic sets in, and you start to feel really demoralised at this point. "I shouldn't be a pentester", I told myself, "I havent even got the first server yet... throw in the towel now - this is not for you - go back to being a sys admin...".

Time out, let's get another coffee. Damn - I wish I still smoked!

Then suddenly things seemed clearer and exploits started working; the time was after midnight and tiredness was now long past. The first hurdle was cleared and I felt good again. So good, in fact, that I breezed throught the second server also. "That's 45 points and I still have 10 hours left. I'm going to make it easily", I thought. "I might even grab some sleep".

10 hours later, no sleep was had and I was still on the third box! I needed this (and another) to get the 70 points required to pass. I had shell, but could not escalate. It was then that I ran out of time (I can now understand why they give you 24 hours).

There aren't any single steps to root in this exam; you need to fight for a limited shell, then fight harder to escalate to admin, before grabbing the trophy from  the admin's desktop.

I picked up my sorry ass and re-booked the exam right away. This time I passed, but it was still a 12 hour battle, despite having the knowledge from the first exam.

Anyway, if you're reading this and are considering the course for yourself, then please do. It is not like any other you will take. By the time you  finish the exam, you will have earned the right to deservingly call yourself a security professional.

Okay, so now what? Well, other courses just don't do it for me anymore - they are all the same:-

Listen to the instructor, read the book, try a few excersises and pick an answer from a to e.

I am missing the offsec labs already, after only a week! All I can think about now is how to get my next offsec fix.

OSCE maybe ??!

Anyway, I'd like to say thanks, first to offensive security for such a well designed course and lab environment, and secondly to B0nd from for the support and encouragement throughout the course.

My only gripe I guess with the course, is that the trademark term "Try Harder!" is often overused when you need help within the labs. It can be rather fustrating sometimes when you are really stuck, to not be given even a point in the right direction, especially if you cannot afford to spend months on end playing around in the labs, and need that little help to get the most out of the course on a limited budget.
That said, some of the offsec admins DID help me out a couple of times with a few tips to help me focus in the right direction, so it would be worth trying a few of them before giving up, you may catch one having a really good day.


  1. Heartily congratulations to you s3an! You have achieved the marvelous and surely a proud professional now.

    Best wishes for your future endeavors mate!

  2. Congrats buddy. You've passed one of the most toughest examinations for a pentester.
    Kudos to you. :)

  3. I agree with you on the overuse of "Try Harder" by the admins - It pissed me off at first. However, I got mad at myself every time I had to ask them question for something I could find on the internet. Sometimes you are lucky enough to know somebody who took PWB/OSCP, and this person might be willing to give you few hints beyond the "try harder" approach.

    I saw myself many times going back to the old fashion educational system of getting answers without thinking (like GPEN and CEH). I would bug an admin and they would send me away with more questions and a nice "try harder"(it was painful).

    This what I believe:
    Admins at #offsec are not allowed to give you any hints (there are meant to force you to think outside the box). None to say that there are people who prefer to cheat instead of trying harder.

    The benefit of "Trying Harder":
    What I love about "trying harder" is when you pwn everything on your own ... and you are asked to perform the same thing during an interview like I did and get your first pen-testing job right after taking PWB/OSCP.

    Like me, you did your best. I will never forget this training because PWB/OSCP is the best investment I did to my career.

    PWB is just the beginning. Keep walking!

    I wish you the best.


    OSCP as of 01/12/2011


  4. Congrats. I managed to pass my OSCP on my first try but it took ALL of the 24 hours. I have my OSCE retake (after failing to pass about a month ago) starting in about 8 hours. Believe me that class is also worth it but the exam is 100 times tougher than OSCP which is saying something. I also miss the PWB labs... good times...

    1. Did you pass? I am thinking of this one after my crest

    2. Just enrolled in the OSCP program. Some Q if you don't mind. I have security+ with CCNA and 3 years experience. I am finding it difficult but am motivated to get it done. The PWK guide that has been provided , has it got all the information to get certification or are there any other resources / books that you recommend.

  5. Congrats...i really like your OSCP log...ehehe...

    I agree with you, to do the pwb, some good hint is needed, "try harder" is sometimes too poor, because if you dont know where to try you cannot try harder...
    i'm still trying to get PWB....

  6. Hey,

    My hearty congrats to all who have cleared OSCP..

    I am planning to fight this beast. I am a web app security professional and wanted to learn more on network \ system pwning. Can you guys suggest me any books???

    1. Books by Bruce Schneier would be the ones to look at. One that comes to mind is "Secrets and Lies" It's relatively old now, but the ideas and structure of security is still very valid

  7. That was indeed a nice article. Thanx for sharing.

    On the other hand, is the exam kind of with Remote Connection to the lab or u have to visit some of their labs???

  8. Hey, I am taking the course now and appreciate your post very much. Congrats.
    What's the best kind of exploit you tried that helped you escalate privileges faster?

  9. Congrats mate....