I knew failing the exam was a distinct possibility and that many people I know have failed once or more before finally passing but it still hurts a bit to go through all that preparation to end up with a big reality check.
I won’t talk to any specifics about the exam but I would say it didn’t really end up playing well to my strengths at all. I got one of the larger point machines early on but then just felt like I was flailing about with everything else. Collecting clues and following leads but ultimately not getting much traction.
While I did know going in that time management would be an issue, I don’t think I really anticipated the breadth of content I’d have to filter through and, more importantly, need to be able to prioritize. When you have an entire evening to devote to a machine and enumerate every single service, or casually browse the file system for interesting content that’s one thing, but it’s not a sustainable practice for a timed exam of multiple machines in a small amount of time. You need to know ahead of time things to look for. And you need to know how to do it quickly. This can probably easily be said for real-world pen-tests as well so it’s something I need to improve.
I did do a lot of prep in terms of efficient scanning, enumeration, having resources at hand, but I still clearly have large blind spots in terms of overall experience for what to narrow in on right away. I also need more experience to aid in connecting the dots between disparate vulnerabilities. I need to be able to know what’s [probably] noise and what’s not at a glance. I don’t know that any of these things are specifically easy to study for.
I’ve been working on OSCP studying pretty much non-stop for a couple months so I think I will take a breather from the labs and focus on HacktheBox for at least a month as a break. While doing so I’m going to also try and take a deep dive into specific common services each for a day or two at a time to develop a deeper understanding of how each and every one works. I’d like to demystify as much as possible any scan/enumeration results, and in so doing also have a better feeling for what is or isn’t an exploitable configuration. Likewise with internal configurations, you can’t always be reliant on unpatched OS/service exploits…you need to know what things to look at for common misconfigurations. Where can you find cached credentials that aren’t regularly purged and other low hanging fruit?
I’ve been looking a lot at Linux Sysadmin guides in the past few weeks and found that to be extremely helpful. Not only has it helped me just with my own personal linux-fu, but also gives great recommendations on how to harden my own systems, and for every security best practice there is a lazy/neglected opposite to be mindful of. But you can’t spot that if you don’t know what it’s supposed to look like in the first place. I probably need plenty of help in the Windows arena too.
One other thing that can’t really be understated is managing frustration, maintaining focus, and a keeping a healthy attitude throughout the exam. I’m not sure how to mimic the test environment exactly, but I think it would be beneficial for me personally to really cram together 2-3 machines in a night and try to speedrun them while keeping full documentation, and do this “fire drill” somewhat regularly to really force myself to acclimate to the stresses of it.
I’m not sure whether I’ll be retaking the exam in a couple months or if it will be longer…but I definitely will be.