Whew! What a week!

I took my second OSCP attempt over the course of 48 hours, from October 17th to 19th. Anyone who recalls my first attempt will remember how stressful and frustrating the experience had been. I believe the word I used was “fiasco.”

The second attempt was everything the first attempt failed to be. From start to finish, a smooth experience. Props to Offensive Security for their hard work! The second attempt was truly a pleasure.

It all began the morning of October 17th. I woke at 11am after a long night’s rest. During breakfast, I checked Twitter for a little while, just to see if the #InfoSec community had posted any exciting new cat pictures while I slept. There were insufficient cats in my Twitter feed, so I made this one from some spare bits I found lying about on the internet:

With that important bit of business out of the way, I opened the email from Offensive Security regarding the exam. They had a link to the updated exam guide, wherein I discovered that the proctor software had changed. Now, if you recall my first attempt, the proctor software had been a major problem for me in the beginning. I wound up having to reinstall my OS in a blind rush before my test, and it left me frazzled and discombobulated. Well, I learned from that mistake. For the past two months, I’ve been periodically checking to ensure that the proctor software still works with my machine, so that when the time came for the exam, I knew I’d be prepared.

So when I discovered that they’d changed the proctor software, I felt a tinge of panic. I didn’t know they changed it… I’ve been testing the wrong software! What if this one doesn’t work? But I took a deep breath and reminded myself: The proctors worked with me last time, they’ll work with me this time. If I have trouble, I’ll sort it out. I can handle this. As it turned out, the new proctor software is a significant improvement over the prior software. Seriously. The old software was a bit obnoxious and finicky. The new software worked out-of-the-box, with no struggle and no fuss, and it combined everything into one central browser window, which made it easy for me to manage.

My day was off to an excellent start. I logged in, authenticated with my proctor, exchanged pleasantries, and got to work.

I started off strong, automating my enumeration while I worked on the Buffer Overflow exercise. My first attempt, I finished the BoF in 1 hour. During my second attempt, I took twice that. I’d like to say this was due to the fact that I was writing the report as I worked, instead of waiting until after the test. (This takes more time, but helps me keep my thoughts in-order, and helps me to ensure that I don’t miss a screenshot or forget a flag.) However, I did the same thing during my first attempt. The truth of the matter was that I hadn’t written a BoF in the two months since my first attempt, and I was working by-the-book to make sure I didn’t skip a step. And this time, offensive Security threw me a fun twist that had me scratching my head for a bit. (No spoilers, don’t worry.)

After finishing the BoF, I returned to my completed enumeration scans. There were four remaining boxes: one worth 25 points, two worth 20, and one worth 10. I prioritized them by their value, attacking higher-value targets first. When I felt stuck, I’d move on to another system, and come back later. Sometimes taking a step back was exactly what I needed to clear my mind, enabling me to see a solution I hadn’t previously considered.

It was in this way that my dear friend Doss helped immeasurably. On the day of my test, he had a day off, so he’d pop in now and then, ask if I needed any water, or suggest I take a break and go on a walk with him and his dog. We took a break about mid-way through my exam and played some Mario Kart 64 for an hour.

At 2am, when I’d been hammering away at the exam for 12 hours, Doss suggested I get some sleep. Which was damn good advice; I’d been stuck on a particular problem, and couldn’t think of a solution, and I was exhausted. As I lay in bed, pondering whether to set my alarm for 7am or sleep until 9, I had a flash of inspiration. I got up, wrote down my idea, and went back to bed. The next morning, I checked on my note. It still made sense, which was promising – quite often, my late-night brilliance seems dim by the light of morning. I jumped back into the lab, put the idea into practice, and it worked!

I wouldn’t have passed this test without sleep and regular breaks. If you’re reading this article in the hopes of finding some magical technique that will help you succeed at the OSCP, this is it. Sleep well, and take breaks.

With only two hours left, I narrowed my sights on my final target. I was already familiar with the system – I’d read the scans prior to going to sleep. I found a vulnerability, but the non-Metasploit Proof-of-Concept code would need a lot of work, and time was of the essence. Fortunately, I’d avoided using Metasploit earlier in the exam, and a Metasploit module existed for the target’s vulnerability. I scanned the module, decided it was worth the shot, and fired it off.

With fifteen minutes on the clock, I got my last shell and wrapped up the test, grateful to have kept Metasploit in my pocket rather than expend it on an earlier system. It was my pocket ace, and I’m glad I held on to it.

Revising the report didn’t take terribly long, as I’d already finished writing it. With everything said and done, I double- and triple-checked the submission requirements to make sure I hadn’t missed anything. Finally, at 9am on the 19th, I submitted my exam to be graded, assuming that I wouldn’t hear back from Offensive Security for another week or two.

That evening, I attended a birthday party, and the test was out-of-sight, out-of-mind. I didn’t think about it at all on the 20th. On the 21st, I sat down to work on my resumé, and realized I needed to check my email to see when I first began the OSCP course. As soon as I logged in, I saw an email in my inbox.

📧 Penetration Testing with Kali Linux - OSCP Certification Exam Results

I couldn’t tell whether I’d passed or failed based on the message preview, but the fact that they got back to me so quickly made me feel a twinge of panic. My PWK lab report was extensive; coupled with my exam report, there were over 300 pages. (This wasn’t by necessity – I included more than was absolutely necessary in the lab report.) Most of the report comprised pictures and source code, so it’s not as bad as, say, a 300-page doctoral dissertation, or the PATRIOT act – but still, two days?

I was a little afraid to read the email. I assumed I’d failed. No big deal, I thought. I’ll dive back into the labs and dominate my third try. But my heart was pounding and The Fear was in me.

I took a deep breath, left the email alone, found the information I’d been looking for, and finished editing my resumé. Only then, having completed the task I had originally undertaken, did I return to the email.

I read the first line, then read it again. Then I checked the sender, in case the message was spoofed. I looked for any signs that the email might be a phishing attempt, but everything seemed to be in order. Then I read it again:

We are happy to inform you that you have successfully completed the Penetration Testing with Kali Linux certification exam and have obtained your Offensive Security Certified Professional (OSCP) certification.

There was a lot of dancing and laughing and jumping around the house. My pets thought I’d lost my mind. Finally, my months of practice and learning had paid off! This meant the end of my time in the PWK labs, which was bittersweet. While I’d learned a great deal in my four months, I hadn’t rooted every system and popped every shell possible. There was a whole sub-section of the network I still hadn’t explored! So many things to learn, so much the labs could teach me! But alas, my savings account has its limits, and the best lessons are learned in the field.

My new mission is to seek gainful employment. Onward and upward!