I've been working on my OSCP for some time. I just never feel quite ready. I've been pwning more and more machines on Hack the Box. Things are making much more sense, and it's coming together better than it did before. That said, I still don't feel quite ready.
I think the biggest challenge is in time management. I am having to learn how to make things happen fast while working on these boxes. When I do HTB, I can work on something for two hours, take a break, come back later or the next day, and so on. This exam is asking a little more of me.
I just have to push myself to learn how to properly enumerate and pwn the machines without sinking too much time into rabbit holes. That's probably the most challenging part of the exam. While skill is definitely a major factor, I can't help but feel that sometimes it's a bit of luck. Eventually, a skilled enough student will succeed. Still, I feel as if there are those times when you just happen to find a foothold with the first thing you saw. Other times, we find ourselves in an endless loop of trying something, then trying something else and getting it hours later only to notice it was that one thing we missed, or the wrong wordlist in GoBuster.
That's not a complaint by any means. That's the name of the game, and that's the exam. If anything, I feel it reflects more on my skills at this point in time. If I'm getting lost going down rabbit holes and focusing too much on things that aren't important while missing things that are, luck or not – it's not going to help me pass the exam.
Things I intend to focus on:
- Time Management for the boxes. I need to really focus on how to not go down rabbit holes and how to know when to move on.
- Enumerating with a very methodical approach: for instance, start with A, then do B, and then C rather than kind of start chasing ghosts and getting lost in my enumeration, then running in circles as I start launching Hail Marys at everything I see.
- Making my buffer overflow process more efficient. This is the part of the studies I dislike the most. It's painfully slow and repetitive. It requires a lot of patience to modify the script, throw the 'sploit, look at the results, and modify. Rinse. Repeat. I just have to suck it up and practice this.
- Build the process for putting together the reports and taking screenshots: This can be a bit more challenging than it sounds if you're not used to taking notes on everything you're doing. When I started Hack the Box a few years back, I legit had no idea what I was doing. I look back and truly wonder how the heck I figured some of these things out. I just kept trying things until stuff worked. I Googled a lot and somehow got through stuff. Of course, that alone doesn't work in the exam environment, because it's not one box in five days, it's five boxes in one day.
- This blog to track my progress. This blog is intended to do some things: 1. It holds me accountable for the two or three readers who drop by. 2. It enables me to do writeups which in turn force me to explain things in a way I didn't do before. In the past, if something worked, I just accepted that it worked and moved forward. Now, I am really trying to look at the things I do and ask, "Why did this work? How can I put that into words that I can sort of understand?"
On to it
Well. For now, time to study a bit more. There are plenty more writeups I'd like to do, but the boxes I've been completing lately are still active, so I'll have to wait before posting something.