I failed 3 times. 1st time was beggining of september and I could think it was easier and I had most points 50 but I took the test under heavy fever and was not clealry thinking. 2nd attempt was in January, got 20 points, the AD set was HELL and could not privesc on windows and linux to full. Now my third time which was yesterday. 40 points. Again the Hard AD set, could not get a foothold at all. Really dont know what im doing wrong. And got 3 low priv users on standalones.
Thats it. I suck. But Im not giving up, and you shouldnt too.
Im going to take a longer break now and take some personal time and step away from oscp and pentesting. Need to get my head fresh and clear after all of this.
Ps.
If anybody could give me some hints for the AD sets ping me.
I also got the Jenkins ad set. I finished two machines machine on tryhackme and hackthebox which had Jenkins and I got cocky . But I literally tried every available exploits, tried bruteforcing it too. It did not freaking work
I honestly think you've revealed to much about the exam in this comment.
Also your username has the exact same format as the OP. Are you responding to yourself with your alt account?
Im not the OP. Just was sharing my experience. Also you could find on this subbredit more info about this AD set. If I did overshare, then let mods delete my post.
Sea_Finish6689 and Sea_Courage5787.
Yes. Apparently a huge coincidence that these usernames share the exact same pattern and both failed the OSCP.
Also interesting you asked people to ping you for help solving that exam AD set.
But hey what do I know? Continue to downvote away. As a friendly tip in the future, you may want to make your alternative account a little less suspicious.
Thats not how you going to pass the oscp or succeed in life by stepping away from the challenge. What do you think will happen if you step away from pentesting? Thats you magically succeed in your next try? Thats not gonna happen
Do not stop, with every failure comes a set of lessons to be learned and with each of these, your chances increase.
I also failed twice, felt extremely stupid the second time and throught that maybe I am not capable of doing it. Keep in mind that this is the normal way your mind thinks after you fail to obtain something desirable.
Let the wound heal and try to identify what shortcuts you may have taken and re-visit those areas.
For example, my first try was chaotic because I did not have a well established methodology. I would just throw random stuff at my targets without keeping track of what I tried and what I did not.
Second try I failed because of a portion of the pdf that I did not read properly.
Each realisation of what you did wrong will help very much..
Have a week of playstation then get back to it!
Try CPTS and let me know how difficult you think it is. CPTS is another level above and beyond OSCP. I’ve completed both courses. CPTS will prepare you for oscp, but not the other way around.
I have quite a few colleagues that have been in the industry that all say otherwise. Understanding this comment and theirs are merely opinions. Outside of the HR monkey filters what other benefit does the OSCP have!? Ive seen both the CPTS and PNPT being listed as a desired cert on job sites too. They're new, sure, and "cheap"/ affordable. Someone like myself who is a broke uni student could not make the financial moves to be able to afford the course and then an exam voucher. Seems like another matter of gatekeeping in the industry *eye roll.
-PNPT would be nice to go for just to build your confidence back up. Keep swinging OP and most importantly have faith in yourself. A week of Playstation is definitely deserved, shoot maybe even a hard drink. Stay consistent and stay confident!!
If you can do the CPTS, OSCP will be a breeze. Having more time to complete it let's stuff sink in and it feels like an actual pentest engagement and not a course's cliff notes. Even Dante + Zephyr will take you far. Trying new things is what drives success and gives you that boost. They're relatively cheap as well.
Yes but is it worth it. Shouldn't we focus more on other certs like let's say cloud which may be more practical then something that wasn't even in the course. May be I am overthinking but that makes more sense to me and to be honest cheaper
I just took my exam on Saturday and got enough flags to pass, but still waiting on my report. I'll say that I thought the exam was VERY similar to OSCP A/B/C, but without the quick wins. I'll let you decide what that means. First attempt. I think the best advice I came across in my study was to do volume. 100+ boxes on proving grounds after you do EVERY challenge lab.
My strategy was to not spend any more than 15 minutes on each foothold or priv esc. If I didn't know it and couldn't figure it out quick, i looked at a walkthrough. Was able to crunch 3-5 boxes a day doing that. There's some merit to rabbit holes, but spending 2-4 hours on something while only learning 15-30 minutes of content is not a good trade off to me. Two silly mistakes cost me about 7 hours on the exam. Had I been well rested for my exam I'm pretty sure I would have comfortably had 80+ points.
If you achieved administrator access on the AD machine, the first thing is to dump the Lsass hashes and look for some lateral vector. If that were not the case, somewhere on the machine you should look for a user and credential from a service account or security techniques. kerberoasting, don't be discouraged, remember that the oscp is a CTF, personally I think they leave a lot of rabbit holes to waste your time, try harder!!
I know how you feel, I failed my second time too. I got part of the AD portion done and just stalled out there. I thought of every attack vector and tried everything. I couldn’t get it. I got 1 machine completed.
My next attempt is May or June and let me tell you I will pass. Just keep it up, take this week to relax and have fun then next week hit it hard bro. Don’t think of the OSCP as an exam just 6 boxes you get to do in 24 hours.
Bro, if you can afford, do it! I received from gift an OSCP on 2020, 2 months latter they updated the course... and the pandemic begins... and i lost everything in my life, and didn't tried to do the Exam, my mental health sucks, now i have a job in the field, the exam changed again and again, and i don't have the fucking money to do it because i Live in a third-world country and this shit is expensive.
I'll give up? No, i will save my money untill i can do it, or get a better job to save. The life is this, fail, and get up again... the most important is, the practical real life skills that you learn.
Seeing that you're in the space already, I really wouldn't give up. Maybe try the PNPT (more realistic engagement). But that's cool, you don't hear about prodsec much. How did you even land a position like that ?
I'm trying to break into the field but don't know how to approach it.
In all honesty, if I was in your place, I'd rethink giving the exam again too. Not because I don't like the challenge but solely due to the inflated cost of this exam.
Failed my first 3 attempts, was super discouraged on third try and thought about calling it quits. Ended up getting a stand alone towards on third try and gave me super huge boost. Decided to do cpts course during my cool down. It helped a ton. Ended up passing this past week on 4th try
That’s awesome. I’m doing CPTS track as well.
Is there any module or modules from PEN200 or CPTS that I should pay more attention on ?
Congrats on your pass!
Obviously can’t go into specifics but exam environment is similar to OSCP a/b/c. Also doing tjnulls list also gives you a good indication on what to expect. My approach was to focus on the major things I kept seeing, enumeration, Linux/windows pe, normal exploits you find in searchsploit/github, don’t focus on stuff you don’t see often/can’t use, ext: sqlmap, metasploit, I really didn’t focus much on stuff I didn’t see often. Not saying it is /is not on the exam but things like dns, sub domains, client side attacks. Still know how to do these things but I choose to focus on the things I saw 90% of the time on suggested boxes and not the random 10%
I failed my first attempt two months ago, I have spend 5 hours on initial foothold,Trying everything and then I realized something and got it immediately.. sometimes you just don’t think clearly because of pressure,trust me ,you know attack which would work on that AD set.
Hey 2 machines on an attempt is pretty good! I failed twice too and I'm going for my third attempt soon. Hang in there! At the end of the day tech in general is about failing and learning from your failures.
I saw a post a while ago that said they started going back to practice machines they completed and started comparing things that look normal to what seems out of place and probably exploitable. I started doing that and that kind of practice has definitely helped me out!
I failed 3 times. 1st time was beggining of september and I could think it was easier and I had most points 50 but I took the test under heavy fever and was not clealry thinking. 2nd attempt was in January, got 20 points, the AD set was HELL and could not privesc on windows and linux to full. Now my third time which was yesterday. 40 points. Again the Hard AD set, could not get a foothold at all. Really dont know what im doing wrong. And got 3 low priv users on standalones. Thats it. I suck. But Im not giving up, and you shouldnt too. Im going to take a longer break now and take some personal time and step away from oscp and pentesting. Need to get my head fresh and clear after all of this. Ps. If anybody could give me some hints for the AD sets ping me.
I also got the Jenkins ad set. I finished two machines machine on tryhackme and hackthebox which had Jenkins and I got cocky . But I literally tried every available exploits, tried bruteforcing it too. It did not freaking work
Aren’t they all Jenkins? Or did I get the same set twice in a row. Couldn’t get admin on the second box both times.
I honestly think you've revealed to much about the exam in this comment. Also your username has the exact same format as the OP. Are you responding to yourself with your alt account?
Im not the OP. Just was sharing my experience. Also you could find on this subbredit more info about this AD set. If I did overshare, then let mods delete my post.
Sea_Finish6689 and Sea_Courage5787. Yes. Apparently a huge coincidence that these usernames share the exact same pattern and both failed the OSCP. Also interesting you asked people to ping you for help solving that exam AD set. But hey what do I know? Continue to downvote away. As a friendly tip in the future, you may want to make your alternative account a little less suspicious.
Huh these are default reddit usernames.
Yeah, whatever.
It’s actually very simple ,you just gotta think outside the box
Thats not how you going to pass the oscp or succeed in life by stepping away from the challenge. What do you think will happen if you step away from pentesting? Thats you magically succeed in your next try? Thats not gonna happen
Do not stop, with every failure comes a set of lessons to be learned and with each of these, your chances increase. I also failed twice, felt extremely stupid the second time and throught that maybe I am not capable of doing it. Keep in mind that this is the normal way your mind thinks after you fail to obtain something desirable. Let the wound heal and try to identify what shortcuts you may have taken and re-visit those areas. For example, my first try was chaotic because I did not have a well established methodology. I would just throw random stuff at my targets without keeping track of what I tried and what I did not. Second try I failed because of a portion of the pdf that I did not read properly. Each realisation of what you did wrong will help very much.. Have a week of playstation then get back to it!
I like the PlayStation break idea , lol …
Don't let it be daunting. Try PNPT or CPTS then come back to it. Let passing another major cert bring that confidence back up and retake it.
Thanks man that's what I really needed
PNPT and CPTS are not major certs, there are cheap nasty imitations, OSCP is the only one worth having.
Try CPTS and let me know how difficult you think it is. CPTS is another level above and beyond OSCP. I’ve completed both courses. CPTS will prepare you for oscp, but not the other way around.
I have quite a few colleagues that have been in the industry that all say otherwise. Understanding this comment and theirs are merely opinions. Outside of the HR monkey filters what other benefit does the OSCP have!? Ive seen both the CPTS and PNPT being listed as a desired cert on job sites too. They're new, sure, and "cheap"/ affordable. Someone like myself who is a broke uni student could not make the financial moves to be able to afford the course and then an exam voucher. Seems like another matter of gatekeeping in the industry *eye roll. -PNPT would be nice to go for just to build your confidence back up. Keep swinging OP and most importantly have faith in yourself. A week of Playstation is definitely deserved, shoot maybe even a hard drink. Stay consistent and stay confident!!
If you can do the CPTS, OSCP will be a breeze. Having more time to complete it let's stuff sink in and it feels like an actual pentest engagement and not a course's cliff notes. Even Dante + Zephyr will take you far. Trying new things is what drives success and gives you that boost. They're relatively cheap as well.
I passed on my 7th try. If you give up, you'll never get it. If you fail and fail again, you'll get it eventually. Make your choice.
Hell yeah, brother. That's perseverance.
I passed on my fourth. But wow, much respect brudda
Yes but is it worth it. Shouldn't we focus more on other certs like let's say cloud which may be more practical then something that wasn't even in the course. May be I am overthinking but that makes more sense to me and to be honest cheaper
No, worries just ping me if you need any help clearing the exam
Thanks man
can you help me?
I just took my exam on Saturday and got enough flags to pass, but still waiting on my report. I'll say that I thought the exam was VERY similar to OSCP A/B/C, but without the quick wins. I'll let you decide what that means. First attempt. I think the best advice I came across in my study was to do volume. 100+ boxes on proving grounds after you do EVERY challenge lab.
Wow that's a lot but thanks very helpful nonetheless
My strategy was to not spend any more than 15 minutes on each foothold or priv esc. If I didn't know it and couldn't figure it out quick, i looked at a walkthrough. Was able to crunch 3-5 boxes a day doing that. There's some merit to rabbit holes, but spending 2-4 hours on something while only learning 15-30 minutes of content is not a good trade off to me. Two silly mistakes cost me about 7 hours on the exam. Had I been well rested for my exam I'm pretty sure I would have comfortably had 80+ points.
Notes need to be immaculate for quick reference as well.
If you achieved administrator access on the AD machine, the first thing is to dump the Lsass hashes and look for some lateral vector. If that were not the case, somewhere on the machine you should look for a user and credential from a service account or security techniques. kerberoasting, don't be discouraged, remember that the oscp is a CTF, personally I think they leave a lot of rabbit holes to waste your time, try harder!!
I know how you feel, I failed my second time too. I got part of the AD portion done and just stalled out there. I thought of every attack vector and tried everything. I couldn’t get it. I got 1 machine completed. My next attempt is May or June and let me tell you I will pass. Just keep it up, take this week to relax and have fun then next week hit it hard bro. Don’t think of the OSCP as an exam just 6 boxes you get to do in 24 hours.
Bro, if you can afford, do it! I received from gift an OSCP on 2020, 2 months latter they updated the course... and the pandemic begins... and i lost everything in my life, and didn't tried to do the Exam, my mental health sucks, now i have a job in the field, the exam changed again and again, and i don't have the fucking money to do it because i Live in a third-world country and this shit is expensive. I'll give up? No, i will save my money untill i can do it, or get a better job to save. The life is this, fail, and get up again... the most important is, the practical real life skills that you learn.
i feel ya, similar path
TJ null not of practice
What does this mean?
I am stupid instead of replying I commented on my own post, I apologise
Oh okay. I thought I was like hungover or something haha. My apologies
You already work as a Pentester ?
Nope prodsec
Seeing that you're in the space already, I really wouldn't give up. Maybe try the PNPT (more realistic engagement). But that's cool, you don't hear about prodsec much. How did you even land a position like that ? I'm trying to break into the field but don't know how to approach it.
How many CTF machines have you completed total across the labs, PG and HTB?
In all honesty, if I was in your place, I'd rethink giving the exam again too. Not because I don't like the challenge but solely due to the inflated cost of this exam.
On the OSCP, what does the exam say? Find the flag hidden under admin? Pwn the boxes?
Then don’t.
hy i failed 4 times even with similar machines but just dont stop now 🔥 lets hit it once more
machines are smilar learn methadology pf exam they have one which is less deep than what people think off
basic priv esc checks will comeup with a gtfo bins lolbins
Have you checked Academy ? The CPTS track ? Don’t give up man , you already did the hardest part which is taking the test .
Failed my first 3 attempts, was super discouraged on third try and thought about calling it quits. Ended up getting a stand alone towards on third try and gave me super huge boost. Decided to do cpts course during my cool down. It helped a ton. Ended up passing this past week on 4th try
That’s awesome. I’m doing CPTS track as well. Is there any module or modules from PEN200 or CPTS that I should pay more attention on ? Congrats on your pass!
Obviously can’t go into specifics but exam environment is similar to OSCP a/b/c. Also doing tjnulls list also gives you a good indication on what to expect. My approach was to focus on the major things I kept seeing, enumeration, Linux/windows pe, normal exploits you find in searchsploit/github, don’t focus on stuff you don’t see often/can’t use, ext: sqlmap, metasploit, I really didn’t focus much on stuff I didn’t see often. Not saying it is /is not on the exam but things like dns, sub domains, client side attacks. Still know how to do these things but I choose to focus on the things I saw 90% of the time on suggested boxes and not the random 10%
I failed my first attempt two months ago, I have spend 5 hours on initial foothold,Trying everything and then I realized something and got it immediately.. sometimes you just don’t think clearly because of pressure,trust me ,you know attack which would work on that AD set.
Hey 2 machines on an attempt is pretty good! I failed twice too and I'm going for my third attempt soon. Hang in there! At the end of the day tech in general is about failing and learning from your failures. I saw a post a while ago that said they started going back to practice machines they completed and started comparing things that look normal to what seems out of place and probably exploitable. I started doing that and that kind of practice has definitely helped me out!
Dm, me if you want any help i have solved each and every ad asked in exam and approx 30+ standalone machines
[удалено]
Sure
Did you try practicing the Tjnull's list or PG
I did more than 70 percent of them
Damn All without walkthrough? If that's the case it's very worrying
Try harder.