Failing at the Final Hurdle

So I failed my OSCP exam. Well, not exactly fail thats perhaps too strong of a word. In order to pass the exam you need 70/100 points and I got 60, more accurate to say I just barely missed out on passing. It’s now been nearly a month and I have not done much thinking about it, I had been so laser focused for months that I decided to take a break and just try and relax a little. Now, I think I am finally ready to digest the experience so that I can start mentally preparing for the next attempt.

Days and Days Gone By

I have been doing CTFs for a very long time, I am quite proud to say I have over 120 completes on HackTheBox. I do this for fun; even on breaks from work when I am supposed to not be thinking about cyber and just relaxing I cannot stop myself by trying to knock out a couple of boxes. That being said, I always saw the OSCP as this big scary thing that I would never be ready enough for. CTFs have so much variety, so many unique paths that can be taken and since I am still very much a white belt I often had to use guides or get completely stuck.

But one day, almost exactly a year ago(June of 2025) I had a bit of an epiphany. The OSCP exam is meant to be somewhat standardized, somewhat consistent. It would not be valuable if it confirmed a completely different set of skills each time it was taken. There was also no way it was meant to as hard as I envisioned as if it was it would be way too hard to pass. So I did some research and realized that I was at the level many others were when they passed the exam and that’s when I set out to take it and pass.

My preparation began from there, and there was a lot to learn. I had always preferred Linux boxes for CTFs, I knew next to nothing about Windows let alone Active Directory. So I set out to learn and grow and it was a lot of fun, hacking Active Directory is surprisingly one of the most satisfying things I have learned in hacking.

Trials and Tribulations

I bought the exam in November, it had 3 months of lab access and then I could schedule the exam whenever I wanted. My son was due in February so I planned to grind through all the material and take the exam end of January. The plan was going great, but God tests us in ways we do not expect and in this case my wife and I received news that are son’s position put him in a high risk pregnancy. What followed was a super stressful month, my wife was under observation in the hospital for two weeks and my son had to be born early to avoid natural labor. I did my best to prepare in that time but between going to work, the hospital, and my parent’s house where my daughter was staying I just did not have the time.

So I waited, my son was born in mid-January, I spent the next few weeks focused on family. Then my paternity leave ended and Ramadan started and again it was difficult to study so I waited till after the holy month was done. We got to April and I started to get back in the right head space, I was too scared to take it so I scheduled the last possible weekend I could (first week of June), which put it at nearly a year since I started preparing. During this time I went through the OSCP B and C practice exams, they went fairly well so I thought I was as ready as I could be. After a year long prep and countless hours of CTF practice and study, exam day arrived.

Excitement and Trepidation

The exam was 24 hours and I chose 11am-11am Saturday to Sunday. I started off following the methodology that I prepared for, nmap scan the 3 standalone machines and the entry point Active Directory machine. Then set up a ligolo tunnel on the entry point machine and nmap scan machine 2 and DC for the AD set. Scans took a while, but I was used to this from the practice exams. Then I did a quick analysis on each one, taking quick notes on what I saw was most interesting on each server and taking a peek at any web servers that were available.

This whole process burned somewhere between 1.5-2 hours but I do not regret it. One of the important things I learned going into the exam was not to be serial, that is do not go one box at a time; push until you get stuck then pivot. Gathering initial notes on everything was very important so that I had an idea of what to dig into when it was time to pivot. With all the preparation done there was one I wanted to do first and complete, the AD set.

I. Am. Speed.

I had spent many hours preparing my methodology, and in particular I was hyper focused on Active Directory. I followed my system exactly and found success extremely fast, I had the first machine rooted within 20 minutes of serious digging. I am not allowed to share specific solutions for the exam, but the key to moving through Active Directory is using information from Bloodhound and LDAP until you get stuck, then work on traditional Windows privesc. Going back and forth between traditional escalation and Active Directory worked perfectly in this case as I escalated through a common windows misconfig and then used dumps from mimikatz to access accounts with Active Directory permissions that helped me advance. This back and forth eventually led me to completing the entire set, and in less than 3 hours. 5 hours into a 24 hour exam and I had 40/100 points and I was over the moon, I only needed half of the remaining flags to pass. In the practice exams there was always one standalone box that would be troublesome, but 2 of them would be easy enough, at least to get user flags. Surely I had the rest of the exam in the bag…

The Realization Slowly Hit Me

Not at first though, I had not really looked at any of the boxes since my initial scans so everything was fresh. I had only needed 3 flags so I was not worried about completing anything so I planned to just bounce around between each box until I got a solve. Initial work was great on all 3, found some file servers without authentication and a wordpress site which wpscan delivered me promising results on. But as I continued I reached my first surprise of the exam, I had expectations that were totally wrong.

Offsec provides 3 practice exams, OSCP A, B, and C. For all 3 exams, amongst the standalone boxes there was a pattern: 1-2 boxes would have a vulnerable web server with a known CVE and searchable PoCs to get initial access. This happened on all 3 exams, a couple had 2 boxes that were this straightforward. I scanned all 3 standalones to the moon and back, and while the Wordpress site had some vulnerabilities, none of them had a simple PoC that could be used to attain a shell of any kind.

Now that did throw me off, but I was not worried yet because I have solved plenty of boxes without some easy RCE PoC. I just had to do some more careful enumeration and look for hidden info. I was able to get some good stuff, passwords off an SMB share, a database password using LFI, and usernames for multiple boxes. I then followed the methodology of combining every username/password I have for every service and I didnt get any hits anywhere and this is where I started to get worried. The version info showed everything was fairly secure so my best way in was misconfig or data exposure and despite these vulnerabilities existing I was not able to chain them together to get a shell.

What started off as confidence and calm slowly devolved to terror as hours passed one by one and the sun lowered in the sky yet I had no new flags to show for all my effort. Eventually we reached 11 at night, making it 8 hours without any progress whatsoever. It was a 24 hour exam and I knew I could work through the night but I was quite tired. I made the decision to get a full nights rest, to be refreshed and have a clear head. So I went to bed and got some sleep.

The Last Stand

I woke up at 6am and got right to it, I had 4 hours and 45 minutes to pull off something special and pass this exam. Immediate success, a fresh mind from a night of rest plus a few novel ideas pushed me to get credentials to a service on one of the Linux machines that could be leveraged for a a user shell. One flag down, then came rooting the box, I ran linpeas and lucky me, the password for root was in the dump. Logged in as root and got the flag and once again I was over the moon. 2 flags means 20 more points, bringing me to 60/100 and one flag shy of passing. I had 4 hours, of the 4 flags on the table I needed just one more.

Of course, going off the title of the blog you know what happened, that last flag did not materialize and I failed to meet the required 70 points. One month has elapsed since the exam, and when I think back on those two boxes I am still not sure what more I could have done. Everything that was exposed I enumerated like crazy, I even found some new techniques googling I had never used before. After trying everything I knew, and not finding any more new ideas via googling I went through the info I had. I tried every combination of credentials, looked for anything that was misconfigured and desperately tried to find just one method of code execution. The exam was 24 hours(23 and 45 min to be precise), and I came down to the last 5 minutes before I finally accepted defeat and resigned.

Taking a Long Break

So, how do I feel now? not bad. I spent the past month not even thinking about it, giving myself a mental break and allowed myself time for other projects. My PC setup was Windows 10 based, but I got tired of MicroSlop so I restaged to Fedora, learned about tiling managers and started using sway. Also spent time on other things like restarting this blog and actually working on my first true post(this one). I am going to continue this break too, it is summer and I got plans with my family. I wont be free to really focus for another month anyway so I am going to enjoy my time “off”, and come back with a vengeance and blast this thing out of the water next time.

What Can I Do Differently?

Ill be honest I really do not know what to do differently. When I get back to it Ill review all my notes and techniques to get myself up to where I was last time. I also did not finish Lain’s list so I will be going back to do more of that as well. The only thing I can really do is change my mindset, the worst thing you can do is go into an exam with expectations of how easy it will be or what attack vectors you will need. That mistake threw me off, my mind was not ready for more diverse methods of exploitation and I suffered because of that. Besides that I got nothing, I do not know what new methods to learn that would have helped me pass the exam, I did everything I know was possible. Now I am still a white belt, not an expert so there is definitely something simple I did not know how to do that caused me to fail but without exam solutions Ill never know. Ill just try to prepare best I can and hope that the hand I get dealt is better and I am skilled enough to root all the boxes.

Timing is the only thing I would change beyond the technical side. 11am was not a great option as the next day I only had 4-5 hours after sleep to finish. Ill either start real early next time and take a 2 hour nap in the day, or start way later so with a full nights rest I have the same amount of time before and after.

It Happens

I am not demoralized, nor am I upset. Very experienced testers have been known to fail on the first attempt, and I take pride in the fact that I achieved the highest amount of points possible without failing. At the end of the day I am still just a learner, just trying to get better. I hope to do better next time.