Embracing Failure: How the OSCP Taught Me to Fight Against Complacency

In this personal reflection, I recount my battle with failure and complacency while on my path to becoming a penetration tester. I reveal the deceptive allure of complacency, the wake-up call I needed to put me back on the path of self-improvement, and my preparation for my final OSCP exam attempt.

Introduction

June 2016 found me hunched over my computer deep into the night, the steady rhythm of my keystrokes the only sound in our tiny basement apartment. Madison, my partner, was attempting to sleep in the next room, our lives cramped into this small space in a bid to keep our expenses low.

Every night, like clockwork, I would be at my desk, hacking away in the PWK labs, the thrill of new challenges fueling my determination to obtain the OSCP certification. I would wake early, spend my day working, hit the gym, and then return to my desk to continue my mission, often into the early hours of the morning.

By the end of the summer, I had logged roughly 400 hours, rooting 33 boxes in the labs. The big day arrived, and I started the exam off strong. The first box was a breeze. I was on top of the world, thinking, "I AM CRUSHING IT! All of my practice is paying off! I am going to get this certification!"

But then, the momentum faltered. For the next 15 hours, I was stuck in a nightmarish loop of dead ends and rabbit holes. By the end of the 24-hour exam period, I had only managed to root one box and gain user privileges on another. With a heavy heart and my dreams shattered, I submitted my report, only to receive the anticipated result: Failure.

The ensuing weeks were grim. I couldn't look people in the eye. Friends and family knew I'd been working tirelessly towards this goal. I was asked, "How did your exam go? Did you pass?" Their well-meaning questions only deepened my shame. All those long nights and early mornings, the relentless hours of preparation... all for nothing.

Nothing can describe the sinking feeling of emptiness that stirred in my gut. I truly gave it my all to obtain that certification. Every spare moment I had was dedicated to studying. Hours turned into days, weeks, months. Time was a blur of practicing and preparing. It was more than just a certification to me – it was a badge of honor, a testament to my dedication and the future it might bring.

Every late-night study session, every weekend spent in front of my computer, every moment of frustration when a concept didn't quite click - all of it was fueled by the dream of earning that coveted certificate. I kept imagining the sense of accomplishment, envisioning the doors it would open in my career, how it would help me provide for my family. It’s all I wanted.

Yet, when I received my results, my dreams were shot down so quickly I didn’t have time to comprehend it. I was completely blindsided. Failure. A word that held an almost physical weight, pressing down on me, and I was unable to resist its pressure. My hard work, my sacrifice, my unwavering dedication – it all felt in vain.

I was left questioning everything. Was I not cut out for this? Had I misjudged my own abilities? Was all the time and effort I had put into this journey a waste? The disappointment was overwhelming. It cast a dark shadow over my aspirations, nearly consuming me.

I found myself standing at the crossroads, faced with the reality of my failure and the daunting question – Where do I go from here?

The Job

In the wake of my OSCP failure, I found myself on a Starbucks patio in downtown Toronto, the early fall chill nipping at my overdressed self in a suit. I was there to meet Fred, who ran a local cybersecurity business and who an earlier contact of mine thought could use someone like me at his company.

When Fred arrived, we introduced ourselves and walked around for a bit. He was a straight shooter, charismatic and clearly knowledgeable in his field. As we sat on a bench, he posed questions that pried at my knowledge about his company, my passion for penetration testing, and my ethical judgement. I answered as honestly as I could, regretting my lack of proper research about his company, and shared my experiences of ethical decision-making, my dedication to and failure at the OSCP, and my theoretical approach to penetration testing.

Fred seemed intrigued. Though he already had a penetration tester on his team, he thought I could learn from him. We parted ways with nothing promised but his commitment to stay in touch.

A few weeks later, Fred reached out for my resume and a cover letter, followed by a request for a mock penetration test and report. The request sparked a new objective within me: to prove my responsibility and dedication. The OSCP failure was far from my mind. In fact, the only reason I was trying to get that certificate was to get a job in the exact field Fred wanted to expand at his own company! I worked rigorously, investing days in reconnaissance and compiling a detailed report.

After that, silence. For months, I heard nothing from Fred, which led me to doubt my performance on his mock penetration test. In the interim, I tried to refocus my energy on improving my skills and programming to help me on the next go-around at the OSCP, whenever that would be. The doubts were already creeping into my brain:

“First you failed the OSCP after working so hard, and now you failed at delivering a mock pentest? You’re not cut out for this. You should give up and do something else.”

Like a climber steadily losing his grip on the mountaintop, I could feel my hold on my goals weakening. Or like the burn of a rope getting hotter with each sudden slip, I sensed my goals slowly and gradually distancing themselves from me.

I had made friends in the OffSec forums and IRC channels, and their advice resonated with me instead: “learn from your mistakes, focus on improvements”. So that's what I strove to do to help push out the negative whispers in my head.

Then, one day in January 2017, as I was sitting in class, an email notification broke the monotony of the lecture. It was Fred, asking when I could start.

The euphoria that washed over me was indescribable. After striving for so long, I was finally where I wanted to be. I would be working in a field I was passionate about and with someone who was willing to mentor me. It was everything I had hoped for.

My days were filled with intriguing tasks, new challenges, and a deep sense of accomplishment. The certificate that once seemed so pivotal now felt less significant. The negative thoughts stopped. My anxiety calmed, and an anxiousness born of excitement took over instead. I was doing the work, learning the ropes, and proving my worth - all without the OSCP. I had achieved my goal through sheer resilience and passion, and I felt secure in my position.

The Complacency Trap

In my new role, challenges were an everyday affair. But after the rollercoaster ride to get here, I was primed to take them head-on. I found that my experiences with the OSCP had not been in vain. The painstaking hours spent in the lab, the intricate tasks, and even the failure - all of it had equipped me with a certain resilience. To be fair, I had already experienced my fair share of failure before the OSCP when changing career fields.

The first few weeks were a whirlwind of learning and adapting. I was working part-time while juggling school, but Fred was understanding and prioritized my education. Despite the packed schedule, I found myself thriving in this environment. I was gaining real-world experience, learning from an industry expert, and helping companies.

With the comfort of my role came an unsuspected companion: complacency. As the seasons changed and the months rolled by, my work became a familiar rhythm. I was secure in my abilities, comfortable in my role, and content with my progress. There was no looming exam to prepare for, no certification to chase - I was already where I had dreamed of being.

But the universe has a funny way of challenging our comfort zones. It was during one of our casual conversations that Fred, my boss and mentor, posed a question that caught me off-guard: "Would you consider taking the OSCP again?" He was willing to cover the cost. I was already a penetration tester, this should be easy for me, I thought. I took Fred up on his offer.

In hindsight, my agreement was superficial, not backed by the commitment and dedication I once had. I was comfortable in my position, confident in my skills, and I let that blind me. I didn’t study as I should have, I didn’t dedicate the hours needed, I simply went through the motions. And inevitably, in November 2017, I failed the certification again, hardly putting up a fight.

But this time, it was different. I wasn't devastated or cut at the knees by failure. I shrugged it off, unfazed, because I already had a job as a penetration tester. I was already doing the work I loved. The sting of failure was, in essence, numbed by my success. I did not realize the dangerous side effect of complacency. I was growing cocky, my hunger for improvement was waning, and my thirst for betterment was slowly being replaced by a complacent attitude.

The Ripple Effect

Once complacency takes root, it spreads like a slow-growing vine, intertwining its tendrils into various aspects of life. And so it was with me. The complacency that started in my professional life began to spread into my educational pursuits. I had been going to college with the singular goal of becoming a penetration tester. Yet, here I was, already working in the role I had been studying for. My motivation to excel academically began to wane. I remember going for a walk with Madison and saying “It’s crazy, I fought so hard to get into this field and now that I am in it, I’m pretty much set. I could technically fail out of school and still be okay.” She did not believe what she was hearing, and sternly replied “No, you wouldn’t let that happen. That isn’t you. You wouldn’t give up now after all you’ve done, it just doesn’t make sense for you to do that”. I laughed it off and said I was kidding, but I wasn’t. The intrusive seed of complacency was planted, and it was growing.

It didn’t stop there. This complacent mindset started to fester in the way I approached my job. My work, once a thrill of problem-solving and perpetual learning, became a routine affair. I started relying heavily on automated tools like Nessus, Metasploit, and Core Impact, running them without much thought or customization. I was beginning to mistake the mere use of these tools for the art of penetration testing itself. I had stopped challenging myself, stopped questioning, stopped learning.

I had ceased all efforts to keep up with the latest research and stopped tracking the emerging trends in cybersecurity. My tools became crutches, my job a routine. I thought I was a penetration tester because I could run a tool, but in reality, I was a script-kiddie. Someone akin to a novice, aimlessly hammering away at a cold, unyielding anvil, not a skilled blacksmith expertly forging a blade of my own.

I had forgotten that the tools don't make the tester. A true penetration tester is an artist, a problem-solver, an insatiable learner who thrives on challenge and constantly seeks to push their limits. I had become comfortable within my limits, and that comfort was slowly eroding the passion and curiosity that had driven me into this field in the first place.

The Awakening

Sometimes the most profound revelations come when we least expect them and shake us awake. For me, it was at a couple of conventions - DEFCON in Las Vegas and Hackfest in Quebec City - where I came face to face with my shortcomings. I watched people demonstrate their dedication and run laps around me in discussions about things I had zero knowledge of, but I was aware enough to know that I should at least have an inkling of what they were talking about.

These were people who lived and breathed cybersecurity. Their depth of understanding, their innovative thinking, their passion for the field was awe-inspiring and humbling. In their presence, my perceived competence felt superficial, my skillset limited, and my knowledge outdated.

I also heard some harsh truths on security podcasts. The ones I regularly listened to began to resonate differently. Discussions about 'fake' penetration testers struck a chord, their descriptions uncomfortably close to my current reality. They talked about how penetration testers who ran automated tools and delivered reports based on the tool output were actually just corporate script-kiddies. They were talking about me. They might as well have held up a mirror, showing my own reflection. It shattered my world and made me sick. I was not the skilled “haxor” I had convinced myself I was. I had been hiding behind an illusion of competence while my “skills” had plateaued.

It was like someone had pulled the cord and I fell into a tub of ice-cold water when the realization hit: I was a joke. A fake. I didn't know what I thought I did in the field of cybersecurity. I was not the competent penetration tester I had somehow convinced myself I was. Don’t get me wrong though, I still managed to perform adequately on social engineering, physical, and some IoT-based penetration testing, but I was not actively trying to sharpen my skills. In fact, I had let them dull until they were blunt and useless. I just remained the same, never bettering myself.

The discomfort of realizing I had fallen behind, the humiliation of being a novice amongst experts who started in the field at the same time I did, the challenge of catching up — these were not deterrents. They were the sparks that reignited my resolve to strive to be better. I was ready to push my boundaries again, ready to challenge myself, ready to learn. The smack on the head was uncomfortable, but it was necessary. It was the turning point that steered me back to the path of growth.

“Long before the body goes soft, the mind will have softened. Fortunately, I wasn’t that far gone, but my mind had softened a bit because I hadn’t been challenged to the edge of my capabilities in years.” - David Goggins, Never Finished: Unshackle Your Mind and Win the War Within

The Renewed Vigor

Complacency is the enemy of progress. Once I recognized this, there was no other way forward but to buckle down, focus, and do the work. And that's exactly what I did. I knew the only way to prove to myself that I could be considered “competent” amongst my peers was to commit and pass the OSCP. I didn’t want the certificate to be a better penetration tester. I wanted it to prove to myself that I wouldn’t half-ass my job, school, or my life again. It was the only worthwhile, challenging thing in my life at the time. I had failed it twice now; it only made sense to regroup and come up with a battle plan to tackle it this time.

My strategy was focused on simulating the unfamiliarity of the OSCP exam environment. I had already spent countless hours in the PWK labs, and I had become too familiar with the machines there. I needed to shake things up, to step outside my comfort zone. To do this, I turned to HackTheBox (HTB), an incredible online platform that provides hands-on practice against many diverse and challenging machines.

I started by diving into TJ_Null's list of OSCP-like VMs on HTB. These machines were chosen for their similarities to the OSCP exam environment, providing an authentic training ground. This approach was pivotal for me - facing these unknown machines was a crucible of heat and pressure, much like the OSCP exam itself.

Once I had my plan, I decided to upgrade my HTB account to VIP. This gave me uninterrupted access to the retired machines, which was perfect for dedicated, focused study sessions.

However, I implemented a cardinal rule: no seeking hints on the HTB forums or solutions from published write-ups. You may wonder why I would do that. Simple: I needed to enhance my critical thinking and problem-solving skills. Getting nudged in the right direction, while helpful in the short term, can stunt the growth of these crucial skills. There's immense value in the struggle, the frustration, and ultimately, the triumph.

To add another layer of accountability, I set up weekly status and motivational calls with a close friend who had already conquered the OSCP. It was funny, because I was once his mentor, and now he was mentoring me! These calls kept me grounded, motivated, and on track.

Preparing for my third attempt at the OSCP involved many late nights and gallons of coffee. But with it came growth, learning, and ultimately, a deeper understanding and appreciation of the art of penetration testing.

The Victory

This third time around, I approached the exam differently. I had an attack plan. I allowed myself a maximum of one hour per target. If I couldn't make any headway within that time frame, I moved onto the next one. This time-management strategy was a game-changer for me. It helped me stay focused and efficient, and ultimately led to a more effective attack.

My methodology was refined, thanks largely, at the time, to Tib3rius's AutoRecon tool. This tool provided a robust, systematic approach to enumeration, allowing me to methodically work through each target, focusing first on everything except web applications. Web content was left last in my approach due to its vastness and complexity. This allowed me to take on each target with an organized, efficient method, one that was refined through countless hours of practice during my time on the OSCP-like VMs on HTB.

The final aspect of my strategy this time around was self-care. I allowed myself to take frequent breaks, stepping outside to ground myself. I wouldn’t even put on shoes, I just let my bare feet touch the grass, walk around talking to myself (debugging), and take in the background noise of the outdoors. This helped dissipate any creeping anxiety or stress, allowing me to return to the exam refreshed and refocused.

Time can fly by when you're focused and in the zone. I was so immersed in the exam that I managed to crack one of the harder boxes, achieving user access after a grueling five hours. However, I didn't let this deter me. I pressed on, employing the same methodology on the other machines, and within three more hours, I had rooted the other four boxes. I had enough points to pass and it had only been 8 hours!

After conquering the four boxes, I didn't just sit back and revel in my accomplishment. Instead, I took the next hour to document everything, creating a detailed report. The rest of the day was spent in a well-deserved rest, but the exam was still at the forefront of my mind.

Waking up early the next day, just an hour before my exam access was due to end, I revisited the most difficult machine that I had only managed to get user access on. I had victory in my crosshairs, but did I need to pop that last box to its fullest? No, what I had up to that point was good enough. But “good enough” wasn't enough for me anymore. My journey had painfully demonstrated to me the pitfall of complacency, of settling into comfort zones.

In that moment, I painfully recalled the illusion I was living under, believing I was on par with the talented individuals in my field, only to watch them fly by me and soar up high as though I were a stationary bystander. I still feel the stifling embrace of complacency, that disgusting sludgy blanket that threatened to smother my drive and ambition. I was hell-bent on not slipping back underneath it. Kicking back and resting on my laurels? Not a chance. Within an hour, I had rooted the final box, completing all five exam machines. This was a victory not just over the exam, but over my past self. I had conquered all five machines, not because I had to, but out of a refusal to settle for anything less than my absolute best.

The moment I saw the “Passed” email notification a few days later from OffSec in June 2019, a wave of joy and relief washed over me. I had done it. I had earned the OSCP. It was never the certification itself that mattered to me the most, it was the adventure I embarked on to get there. I failed it twice. I let myself believe it wasn’t needed - which is true! But you can't deny the powerful transformation you undergo in the pursuit of such a challenge. The certificate, while a great achievement, was simply a tangible representation of the growth I had experienced, the resilience I had shown, and the knowledge I had accumulated. And most importantly, it symbolized my triumph over complacency and stagnation.

It was a testament to the fact that even when you think you have reached your destination, there is always another mountain to climb, another skill to master, another challenge to conquer. The journey does not end with obtaining your dream; it merely begins a new chapter.

The OSCP was just the added bonus, one to go up on the wall somewhere. It’s been a reminder for me every time I glance at it as I walk by: not to get comfortable and complacent.

Conclusion

To truly grow as a professional and as a person, you need to embrace the uncomfortable truth that failure is an integral part of the journey. Not many people are comfortable with the idea of failure, and it's not hard to see why: Failure is often seen as a sign of weakness or incompetence. We tend to see it as a direct reflection of our abilities and our worth, a stark reminder of our shortcomings and a blow to our ego. However, the truth is that failure, in reality, is one of the most effective teachers we could ever ask for.

But even as I began to understand and appreciate the value of failure, I came face to face with another challenge: complacency. With every successful win, every triumphant breakthrough, I felt a sense of accomplishment, a surge of confidence. And while there's nothing wrong with celebrating your victories, there's a fine line between confidence and complacency, between being satisfied with your success and being lulled into a false sense of security.

Complacency is a deceptive comfort zone that can trap you, hold you back, and prevent you from reaching your full potential. To truly thrive in the world of cybersecurity, you need to be constantly evolving, constantly striving for improvement. You need to challenge yourself, to step out of your comfort zone, to face failure head-on and use it as a catalyst for growth.

Funny thing, when you start shifting gears and rewiring your brain to look out for things that hinder your progress, such as complacency, you see it everywhere and work harder to avoid it. I would be lying if I said it doesn’t sneak up on me from time to time still. It happens, and it’s going to happen.

But recognizing complacency is the first step to overcoming it. Once you realize it’s happening, just remember to challenge yourself to change yourself.