2025-04-26 10:07:00
Like I said this morning at four: I'm gutted. I was expecting to fail the OSCP+ exam, but not this badly.
As outlined in the exam guide I was given six targets: three in an Active Directory environment, three individual hosts.
In the end I only got my initial footholds on two of the individual hosts.
One of them I only managed to get because I found exactly one blog post from three years ago which, in very great detail, explained how the authors had researched a very obscure piece of software and written a perfectly functional exploit for it. I literally only had a port number to go on when I researched this issue, because the software in question did not give any response at all unless you gave it the exact right input.
I failed at privilege escalation on these hosts for a multitude of reasons. On one of the hosts I was either overlooking very clear hints, or I was performing an exploit incorrectly. And in a few cases I just couldn't get the C exploit code compiled well and quickly enough.
I'm livid that I didn't manage to get a foothold on that third host. I should not have that much difficulty getting around input filters on a bloody webapp.
Despite my best efforts I was not able to escalate privileges on even the very first Windows AD host. If they were going for the vulnerability which I think they were, I have to say the required skill level is absolutely crazy. I can't say which CVE I thought it was, but it's literally from 2025 and only a month old with no published proof-of-concept / exploit.
That is why I think I might have been barking up the wrong tree after all. But if absolutely wonderful tools like itm4n's PrivEscCheck.ps1 can't find me a way in, I certainly don't have any hopes myself.
The skills I learned when I passed CRTP in 2019 have gotten long in the tooth and the tools I made back then no longer work.
Take-aways which I need to deal with:
Now... I need to wind down, get a lot more sleep and get back to the real world. Chill out and process all of this. Because right now I feel like an absolute fraud: "how can I teach people about pentesting and software security, if I can't pass this exam?", is what my imposter syndrome will say.
As Marli rightly points out: it's not at all strange that I didn't pass, and I did not expect to pass. She points out that I haven't "done pentesting" in a serious sense for years, and she's right. I'm on DevSecOps, and infra stuff. Basically everything I'd achieved in 2016-2019 is gone, except for the bit of API hacking I did last year. So yeah, I'm out of the loop, not exercised at all.
I discussed my situation with my colleague Leendert, an absolutely huge support. We agree that, if I want to have a chance at passing this thing like I did seven years ago, I'll need about a year of solid training and studying. Multiple days a week, like I did in January and February. But as I already concluded: I'm just so damn tired. Tired from juggling multiple jobs and maybe from doing a type of work I wouldn't want to continue much longer. As Leendert (and Marli, and myself) concluded: first order of business might be to actually thoroughly rest and get back out of the funk I've been in for weeks or months.
I'll do some more "navel gazing" and introspection, about where to take my career in the next year(s). In the coming months, I'll keep plugging at the CPTS training and certification exam.
EDIT:
I should speak a bit about the practical side of things, since a lot has changed there as well.
As before, OffSec's documentation and communication about the exam is great. They provide ample documentation about what to expect and how the process will work, both in workflow and technically.
The proctoring approach works well and feels trustworthy; it's all browser-based. Sharing my webcam was dead simple, although sharing both of my screens/desktops was finicky and I couldn't get it to work reliably the first time. I had to restart the sharing a few times to get both screens properly shared.
After the first 15-20 minutes of onboarding, the proctoring was all smooth sailing. I reported via chat when I went on breaks, and the proctors were there if I needed them.
EDIT 2:
After talking it over with a few friends, I decided I was crazy to refuse to send in a report! I mean, I paid for the exam so I might as well get feedback from OffSec!
This afternoon I spent four hours typing up a 35 page report (excluding appendices). Can you imagine how large the report would have been if I'd been more successful!
All content, with exception of "borrowed" blogpost images, or unless otherwise indicated, is copyright of Tess Sluijter. The character Kilala the cat-demon is copyright of Rumiko Takahashi and used here without permission.