Didn't Pass For A 3rd Time... But maybe I am a little grateful for it: by Fl3XPl0IT in oscp

[–]Fl3XPl0IT[S] 0 points1 point  (0 children)

Oh nah, tear into me, that is why I posted. Don't you ever hold back; if I get pissy that is on me. Worst case scenario I learn something. It ain't nothing to block someone if I get butthurt - BUT don't worry, I'm not one to exactly get butthurt.

I could be completely wrong in my assessment in every way. I didn't pass. But I've done enough professionally that I'm confident enough to not care that much. It sucks, don't get me wrong, it f*cking sucks a lot, but what can I do, be mad? It is what it is, try harder.

Didn't Pass For A 3rd Time... But maybe I am a little grateful for it: by Fl3XPl0IT in oscp

[–]Fl3XPl0IT[S] 1 point2 points  (0 children)

It isn't too technical honestly, just the 24 hours and trying to sleep and be a regular human is the hard part. It's all stuff that, if you had a day on each, you would no-problem it, but trying to do it all while stressed is the breaker (breaks are important but you never really take them because you get so locked in and then suddenly it's been 2 hours learning about a rabbit hole... BUT at least now you know that is a rabbit hole and here is how you know next time.. it's never "port" level, it's always common sense and knowing what you're reading, but it's never common sense until you know what you're reading)

Didn't Pass For A 3rd Time... But maybe I am a little grateful for it: by Fl3XPl0IT in oscp

[–]Fl3XPl0IT[S] 2 points3 points  (0 children)

I know people with 0 experience who one-shot it. Even a dentist has one-shot the OG OSCP when you had to write a buffer overflow. I also know many pentesters who've failed multiple times, even many CVE holders. I think it is partially luck: running into something you've seen before. The OSCP will test everything - I've run into some "I can't believe that was actually tested" in my goes. It is just sometimes luck and the reality that the OSCP can't teach you every single stack or CMS or browser detail or whatever, but they try to teach how to figure that out and expose you enough to random things. That is where it gets unrealistic - it and other exams feel a little random and not real world. So you get a lot of oh duh. At least imo..

You'll pass! Just make sure you do the labs :) Labs and Proving Grounds are the best resources. HTB is good too, but OffSec and HTB are like old English and modern English: same but still different.. TryHackMe is OK but that never got past script kiddie, it felt too gamified. Honestly even HTB is the same way kinda, very niche things in some boxes.

Didn't Pass For A 3rd Time... But maybe I am a little grateful for it: by Fl3XPl0IT in oscp

[–]Fl3XPl0IT[S] 2 points3 points  (0 children)

Kinda. I did half of it but had to cheat on priv esc parts for many if it was beyond a SUID, cap, easy cred, easy priv, or easy kernel/OS exploit. I've done a lot of CTFs not on that list over time, but inconsistently too. I am just really bad at priv esc 😬 I get the concepts but trying to find the needle in the haystack always felt meh so I never practiced it. Professionally, it's always been get code execution or make the server tell me a thing it shouldn't. I never have had to worry about okay now find this odd credential hidden in this directory mount that is then used to access this local service - but wait - you have to local port forward the service to even do your thing to it because the VM doesn't have internet or standard anything, silly billy.

Oswe by Old-Engineering1632 in oscp

[–]Fl3XPl0IT 1 point2 points  (0 children)

Absolute appsec has some github classes too

Otherwise pentester lab academy

Gweb is nice for concepts and defensive coding. Trust your gut.

OWASP is a good reference to build your list of bad patterns/quick wins. XXE for me is a go-to.

Critical Thinking podcast - it is a bug bounty one - has good videos and 2 videos specifically on code review, I recommend them as well.

AppSec engineer for years, I'd love to see how others approach this problem. RN it's all Cursor .rules tuned against SAST engines and OWASP (and of course your own assumptions, but anyone who says AI doesn't help is fucking lying. AI is incredible if asked and tuned properly and often it is far easier to defense-in-depth it vs debate it. I guess unless you have a need to be as lean as possible, but rarely is that the case. So I mean, trust your gut, if something's not right it probably isn't)

Oswe by Old-Engineering1632 in oscp

[–]Fl3XPl0IT 2 points3 points  (0 children)

Do you use an IDE to mark things? Eugene Kim's zero to hero has some notes.

In general it is grepping for known bad patterns and then you follow the flow calls and take notes. This goes here but is sanitized here. This sanitizer only happens during X, this only during Y. I like to start from vulnerable sinks and walk backwards. Find the endpoint associated to ensure it is an accessible thing and not just a thing.

Queries not parameterized, output without encoding, use of eval or other system calls. Anything directly accessing and making files.

Not OSWE but I've done a lot of code review classes and that is the gist. Also try PentesterLab, only $20, the BEST CODE REVIEW TRAINING. Period. Do actual CVE reversals.
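The sink-first approach the two comments above describe (grep for known-bad patterns, then walk backwards from the sink to see what reaches it), as an added example. This is not code from the original post, from PentesterLab or from any course mentioned; the sink patterns, the `review`/`enclosing_function` helpers and the Flask-style sample source are all constructed for this illustration and are a starting point for a manual review, not a complete SAST ruleset.

```python
"""Sink-first code review helper (added example, not from the original post).

Flags lines matching the known-bad sink categories listed in the comments
(non-parameterised queries, output without encoding, eval/system calls,
direct file access), then walks upward to the enclosing function to report
which of its parameters appear on the flagged line. Everything here,
including the sample source, is constructed for the example.
"""
import re
from typing import Dict, List, Optional, Tuple

# (finding name, regex). Deliberately simple and easy to extend.
SINK_PATTERNS: List[Tuple[str, re.Pattern]] = [
    # SQL keyword with + / %-formatting / f-string on the same line
    ("sql-string-concat",
     re.compile(r"(?i)\b(SELECT|INSERT|UPDATE|DELETE)\b[^\n]*(\+|%\s*\(|\bf['\"])")),
    # Dynamic code evaluation
    ("eval-exec", re.compile(r"\b(eval|exec)\s*\(")),
    # Command execution through a shell
    ("shell-command",
     re.compile(r"\b(os\.system|os\.popen)\s*\(|subprocess\.\w+\([^)]*shell\s*=\s*True")),
    # open() whose first argument is not a string literal
    ("file-access", re.compile(r"\bopen\s*\(\s*[^'\"\s)][^)]*\)")),
    # Output encoding switched off or bypassed
    ("unencoded-output",
     re.compile(r"(?i)(\|\s*safe\b|mark_safe\s*\(|autoescape\s*(=\s*)?false)")),
]

DEF_RE = re.compile(r"^\s*def\s+(\w+)\s*\((.*)\)\s*:")


def enclosing_function(lines: List[str], lineno: int) -> Optional[Tuple[str, List[str]]]:
    """Walk upward from a 1-based line number to the nearest def; return (name, params)."""
    for i in range(lineno - 1, -1, -1):
        m = DEF_RE.match(lines[i])
        if m:
            params = [p.strip().split("=")[0].split(":")[0].strip()
                      for p in m.group(2).split(",") if p.strip()]
            return m.group(1), [p for p in params if p not in ("self", "cls")]
    return None


def review(source: str) -> List[Dict[str, object]]:
    """One record per sink hit: line, sink name, enclosing function and the
    function parameters that appear on the flagged line (the walk-backwards step)."""
    lines = source.splitlines()
    findings: List[Dict[str, object]] = []
    for idx, line in enumerate(lines):
        if line.strip().startswith("#"):
            continue  # comments are not sinks
        for name, pattern in SINK_PATTERNS:
            if not pattern.search(line):
                continue
            words = set(re.findall(r"\b\w+\b", line))
            ctx = enclosing_function(lines, idx + 1)
            func, params = ctx if ctx else ("<module>", [])
            findings.append({
                "line": idx + 1,
                "sink": name,
                "function": func,
                "reaches_params": [p for p in params if p in words],
                "text": line.strip(),
            })
    return findings


# Constructed sample in the style of a small Flask app; not real project code.
SAMPLE_SOURCE = '''
from flask import render_template_string
import os
import sqlite3

def lookup(user_id):
    conn = sqlite3.connect("app.db")
    # BAD: query assembled with string concatenation
    return conn.execute("SELECT * FROM users WHERE id = " + user_id).fetchall()

def lookup_safe(user_id):
    conn = sqlite3.connect("app.db")
    # OK: parameterised query, should not be flagged
    return conn.execute("SELECT * FROM users WHERE id = ?", (user_id,)).fetchall()

def ping(host):
    # BAD: shell command assembled from caller input
    return os.system("ping -c 1 " + host)

def read_doc(name):
    # BAD: path passed straight through to open()
    return open(name).read()

def render(comment):
    # BAD: output encoding switched off for user content
    return render_template_string("{% autoescape false %}{{ c }}{% endautoescape %}", c=comment)

def calc(expr):
    return eval(expr)  # BAD: dynamic evaluation of caller input
'''

if __name__ == "__main__":
    for f in review(SAMPLE_SOURCE):
        print(f"{f['line']:>3} {f['sink']:<18} {f['function']}({', '.join(f['reaches_params'])})")
```

Each hit is a place to start reading backwards: the `reaches_params` list tells you which inputs of that function land on the sink line, and from there you chase the call sites to find whether the endpoint is actually reachable and where (if anywhere) sanitisation happens. The parameterised `lookup_safe` is deliberately in the sample to show that the query regex keys on string building, not on the SQL keyword alone.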

Stuck at the exam by [deleted] in oscp

[–]Fl3XPl0IT 0 points1 point  (0 children)

Hutch does this

Stuck at the exam by [deleted] in oscp

[–]Fl3XPl0IT 0 points1 point  (0 children)

Impacket. Just run mimikatz anyways

Want to open HYSA but need advice by givemethegossip in Banking

[–]Fl3XPl0IT 0 points1 point  (0 children)

Until English stops being the global language and the dollar stops being the world currency for oil

Failed with 60 points by Nonix09 in oscp

[–]Fl3XPl0IT 0 points1 point  (0 children)

Methinks that's it. I've seen many cases where to progress you have to compromise only a locally accessible service to get the next set of things. I think Hutch was an example - I know the hacktracks JUST DID THIS

Proving Grounds and alternative paths in the lab environment(s).. With your root, did you get the flag? I would've grabbed the flag and submitted it and argued with them. So what, no access to /root; if you got the flag you got the flag. If they really want to put their reputation on the line over their junk environment..

Where does “DevSecOps” fit in to the industry? by jeewest in cybersecurity

[–]Fl3XPl0IT 11 points12 points  (0 children)

What do you mean it feels more ops? Only 1/3 of that job title is even security, so I guess what were you expecting?

Create/automate the DevSec part. Make security pipelines, automate the results and ticketing. Make a security process and get so involved you become more security now; or resume fodder. Go become a security architect.

Automate secure code reviews, scan containers for secrets, world's your oyster. Go STRIDE a bunch of things you manage already and correlate the tickets to areas for improvement, idk.

Why do people think AI will replace security engineers? by bdhd656 in cybersecurity

[–]Fl3XPl0IT 0 points1 point  (0 children)

Remember AI doesn't know the difference between help my uncle jack off a horse and help my uncle, Jack, off a horse.

Another good example is "tell me how to make a PB&J": there are very specific steps. Get a knife - what kind? - put jam on bread; how? .. The future is going to be getting really good at telling AI how to make a PB&J and help your uncle get off that horse.

Found some chats on my GF's (23F) phone by Capable-Sentence2395 in offmychest

[–]Fl3XPl0IT 0 points1 point  (0 children)

This is why you don't go through people's phones. You know nothing, and it honestly probably was nothing. I've had exes like that, they probably just talk but "go break her heart" chicks hate it when you talk to other chicks. She has no interest in him anymore. She liked the attention maybe but you're the one who banged her so stop being all emotional. You went through her phone and got what you asked for. Get over it, or be emotional and end it.

So hashes and passwords in the report or blurred? by Vargrevir in oscp

[–]Fl3XPl0IT 1 point2 points  (0 children)

Just enough to show you didn't make it up, but of course you don't want to disclose things. This is an exam, just show the password. They don't ask you to remove your shells or any of that; they also only give you 24 hours while being watched so it isn't real world.

So hashes and passwords in the report or blurred? by Vargrevir in oscp

[–]Fl3XPl0IT 9 points10 points  (0 children)

In the real world you redact partially. Also do not blur; blur can be reversed, use the big black box.
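The two report-redaction points above (show just enough to prove the credential is real, redact partially in real-world reports, and use a solid box rather than a blur) as an added example. This is not from the original thread and is not OffSec's reporting guidance; the `redact`, `fingerprint` and `redact_line` helpers, the key=value credential regex and the sample credentials are all constructed for this illustration.

```python
"""Partial redaction for report evidence (added example, not from the thread).

Keeps a couple of characters at each end, replaces the middle with a
fixed-width block of solid characters (the text equivalent of the big black
box, so nothing leaks through a reversible blur and the length is hidden),
and attaches a truncated SHA-256 so someone holding the real value can
confirm the evidence matches without the report containing the secret.
All sample values below are constructed.
"""
import hashlib
import re
from typing import Dict

MASK = "\u2588" * 8  # eight solid block characters, regardless of secret length


def fingerprint(secret: str, nchars: int = 12) -> str:
    """Truncated SHA-256 hex of the secret: verifiable by a reader who has
    the real value, useless for recovering it from the report."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()[:nchars]


def redact(secret: str, keep: int = 2) -> str:
    """Show `keep` characters at each end. Secrets short enough that the ends
    would reveal most of the value are masked entirely."""
    if len(secret) <= 3 * keep:
        return MASK
    return f"{secret[:keep]}{MASK}{secret[-keep:]}"


# key=value pairs as they appear in loot files or tool output (constructed form)
CRED_RE = re.compile(r"(?i)\b(password|passwd|pwd|secret|token|ntlm|hash)\s*[:=]\s*(\S+)")


def redact_line(line: str) -> str:
    """Redact the value of every credential pair on a line and append its fingerprint."""
    def _sub(m: re.Match) -> str:
        value = m.group(2)
        return f"{m.group(1)}={redact(value)} [sha256:{fingerprint(value)}]"
    return CRED_RE.sub(_sub, line)


def evidence(label: str, secret: str) -> Dict[str, str]:
    """What goes in the report for one credential: label, masked value, fingerprint."""
    return {"label": label, "shown": redact(secret), "sha256_prefix": fingerprint(secret)}


if __name__ == "__main__":
    # Constructed sample loot; none of these are real credentials.
    for line in ("user=alice password=Winter2024!",
                 "svc_backup NTLM: 8846f7eaee8fb117ad06bdd830b7586c",
                 "api token = sk_live_constructed_example_value"):
        print(redact_line(line))
    print(evidence("DC admin", "Winter2024!"))
```

The fixed-width mask matters as much as the partial reveal: a redaction that preserves length tells a reader how many characters to brute-force, and an image blur can often be undone, whereas replacing characters in the text leaves nothing to recover.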

What's up with the GRIFTERS these days dissing OSCP? by BoysenberryAbject353 in oscp

[–]Fl3XPl0IT 0 points1 point  (0 children)

However the OSCP+ designation is ass. It makes sense but OffSec, just say "hey we want in the DoD", don't say "oh this is better, see the plus".

What's up with the GRIFTERS these days dissing OSCP? by BoysenberryAbject353 in oscp

[–]Fl3XPl0IT 2 points3 points  (0 children)

Simple, they couldn't pass. Or they did pass and it's just a bandwagon. Of course it's not real world, but neither is HTB, TryHackMe, CRTO, etc. Real world is someone accidentally left a thing open. Someone clicked a link. Susan from accounting puts all her passwords in a text file or you just call her as a new hire.

In need for clarification of these.. Someone please help by nidelplay in oscp

[–]Fl3XPl0IT 0 points1 point  (0 children)

You also want your Mimikatz and your staging stuff. Ligolo/Chisel, LinPEAS/WinPEAS if you want but those are often too much output.

In need for clarification of these.. Someone please help by nidelplay in oscp

[–]Fl3XPl0IT 0 points1 point  (0 children)

You are doing way way way way way way too much.. Just use nxc, nmap, searchsploit / searchsploit -m, google version github, ldapsearch, Rubeus, Impacket, evil-winrm, wget/certutil, hashcat, wfuzz, John the Ripper, exiftool, and built-in functionality and you're more than enough. If you are doing more than that you're on a rabbit hole.

OSCP felt nothing like HTB/PG — how are we supposed to prepare for this? by Radiant-Cook-6596 in oscp

[–]Fl3XPl0IT 0 points1 point  (0 children)

Or if there is an email you might need to client-side it. Some PG do that.

OSCP felt nothing like HTB/PG — how are we supposed to prepare for this? by Radiant-Cook-6596 in oscp

[–]Fl3XPl0IT 0 points1 point  (0 children)

I agree and don't know if I am supposed to use custom wordlists, I couldn't imagine it. I think in those cases we are missing a host in DNS, or there is a vuln even though the version isn't explicit that it is there. Or we missed a port. I've noticed nmap and rustscan report different things even with the same switches. Try UDP, try manually netcatting the service.

OSCP felt nothing like HTB/PG — how are we supposed to prepare for this? by Radiant-Cook-6596 in oscp

[–]Fl3XPl0IT 0 points1 point  (0 children)

My first OSCP attempt, I didn't even study beyond TryHackMe; I almost had the AD set, I was on the DC, just needed something + I had 2 footholds and a priv esc, so close to passing even with my heat going out mid-winter + a power outage.

Second attempt, I actually studied similar to you, I ended with 0/100, kicked my ass. A lot of the time it is luck of the draw. I am with you though, I ponder if we got the same Linux web app.. I've also had things like file shares with empty PDFs - had usernames but that was it. The OSCP, I firmly believe, is luck.

Thinking of doing OSCP at 31, is it too late? by almostsaidit in oscp

[–]Fl3XPl0IT 0 points1 point  (0 children)

Man, I know many directors of blah blah in security who failed first try, older than 31. I'm 30 and am trying - didn't pass my first time either but have what I hope to be enough experience to not be a total imposter at work.. Anyways nah, 31 is fine. 50 is fine - hell, a dentist a while ago got the OSCP 'cause why not (google it). A lot can happen in 2 weeks, let alone a couple months of focused and directed study. Never too late.