OSCP: Try Harder

I recently passed the OSCP exam, on my third attempt. OffSec’s slogan used to be Try Harder, and I’ve been thinking about what that means. (The slogan has recently been replaced by a 5-step learning approach: trial, failure, adaptation, growth, and triumph.)

I’m quite active on the OffSec Discord server, and I’ve spent a lot of time helping other people out with exercises. That’s partly because I like to be kind, partly to “pay it forward” (after other people have helped me), and partly to reinforce my own learning. There’s a phrase I heard a while back: you don’t truly understand something until you can explain it to someone else.

However, I do sometimes despair at the lack of initiative I see from other people. There’s a hint bot on the server, and pinned messages in each channel, and you can search for previous messages about a particular topic. Even after all that, the same questions come up over and over again. I blocked one person after they outright refused to do a search: they said that they’d get the answer more quickly by asking the question, i.e. they wanted other people to do the work for them. That’s an example of someone who certainly could try harder.

I think the slogan is most relevant when it comes to a “black box” machine, e.g. one of the PEN-200 lab VMs. That’s where you’re simply given an IP address, and you have to figure everything else out for yourself. How long should you bash your head against the wall before you look for hints/walkthroughs?

First up, what’s the purpose of doing these machines? I think there are a few benefits:

  • You can practice the skills you’ve already learned, so you’ll remember them and you’ll get faster at applying them. As a simple example, I’ve created so many netcat listeners that I can type nc -nvlp 4444 without having to check my notes.
  • You can learn new skills.
  • You can deal with getting stuck.

I think the last point is the most significant. Sooner or later, you’re going to face a situation where you run out of ideas. You’ve done your enumeration, and tried some exploits (which didn’t work), and you have no idea what to do next. This is a frustrating experience, and ideally you don’t want to face this for the first time under exam conditions. (Putting that another way, if you do have this experience in an exam, you’ll get a confidence boost from knowing that you’ve faced similar challenges before and got through them.)

You can simulate the exam experience by deliberately not looking at hints/walkthroughs for a practice machine, when you don’t have the same time constraints. For instance, I’ve sometimes spent an entire day dealing with one machine; I’ll work on it in the evening, go to bed, and resume in the morning. In theory, you could stay on one machine indefinitely, for weeks or months. In practice, you will reach a point of diminishing returns, where you’re no longer making efficient use of your study time.

If you do need to look at a walkthrough, it’s worth reflecting on what the missing piece of the puzzle was. In particular, is this something you could have figured out for yourself (e.g. reusing a password you found earlier), or is it a technique that’s completely new to you (e.g. a double file extension attack)? Either way, you need to update your methodology. However, in the first scenario it means that you gave up too easily, so the general lesson is to be more thorough.

As a related issue, you need to be wary of rabbit holes. In some cases, you could spend hours trying to exploit a particular vulnerability (i.e. you’re not giving up), but the actual solution is to take a step back and try something else.

There’s a scene in The Sure Thing which illustrates the rabbit hole concept. (Spoiler alert!) The protagonists have run out of cash, so they need to find shelter for the night, and they’re trying to break into a caravan. Gib tries to pick the padlock, and Alison looks through her bag for a nail file or similar that he could use. She then realises that she has a credit card, but Gib dismisses that: “Credit cards work on a completely different kind of lock!” The point here is that he’s focussed on a particular technique, so he’s lost sight of the overall goal.

There’s an important distinction between a lab machine and a real world penetration test. In the lab scenario, you know for a fact that the machine is vulnerable; if you can’t find a way in, that means that you’re missing something. In the real world, there’s always going to be the nagging doubt: is this machine really secure, or is there a weak spot that you didn’t notice?

In the OSCP exam, there will be 3 standalone machines. I.e. each of these machines is completely independent of each other (and the AD set); whatever information you need will come from that machine. The same principle applies to most machines at TryHackMe and HackTheBox.

By contrast, there were some dependencies between machines in the PEN-200 labs. (OffSec mention this in the PEN-200 Labs Learning Path.) That means that if you can’t find a way to exploit a particular machine, it might be time to stop; maybe the information you need is on another machine. In my case, although I only completed 30 machines, I have notes on an additional 40 (based on my enumeration).

I think there are benefits to having interconnected machines, e.g. it mirrors a real-world scenario. However, it’s not the best way to improve your grit. I think it’s better to start with standalone machines, until you’re confident that you won’t give up too easily, then move on to machines with dependencies.

NB The PEN-200 syllabus changed in March 2023. I haven’t used the new labs, so I don’t know how much interdependency there is between machines now.

One tip I’ve found for TryHackMe is to look at the age of the room. For instance, suppose that a machine has the Log4Shell vulnerability (CVE-2021-44228); if the room was created in 2018 then that’s probably not the intended method for attacking it (because the vulnerability hadn’t been discovered). That implies that there will be at least one other vulnerability, and you should try to find it. The purpose of the exercise is to improve your skills, not just your score.

I make notes on each machine that I do, and in most cases this includes a “Lessons learned” section. Related to that, I often read walkthroughs after I’ve completed a machine, just to see whether other people approached it in a different way. Maybe there was a more efficient technique, which I can then apply to other machines in the future.

There was an incident in March 2022 where someone failed their OSCP exam, and leaked the details of the AD set. In response, OffSec retired that AD set from the exam and made it a new topic exercise (section 21.5.5, “AD Attacks II”); they also gave a lifetime ban to the person who’d leaked the details. The implication of this is that you can use those exercises as a mock exam. The training material prior to that topic covers everything that you need to know in order to solve it. So, I would encourage any PEN-200 students to avoid hints on that section for as long as possible.

In conclusion, it’s ok to look at walkthroughs. However, I’d advise you to give it your best shot first, and be honest with yourself about what that means. If you do look at a walkthrough, don’t just copy/paste to get the flag; make a conscious effort to reflect on what you could have done differently this time and/or what you should do differently in future.

Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.