Week one of the PwK course has flown by! I am up to 9 rooted machines this week with sufference about to be rooted this afternoon! So that will take me up to 10 for this week. Which is ideal, I have been writing them all up and ready to go into my report, so hopefully I will have the full report done and completed within the week. Which means I should be able to pay 100% attention to the labs for the remainder of my time.
So I feel like I have learnt a hell of alot this week. My brain still feels a bit mushy so I will grab some key points I think are good to know heading into the course.
- Document everything! I have a really nice cherry tree set up now, I lifted the template from here: https://guide.offsecnewbie.com/cherrytree-oscp-template and have changed to fit how I work, and added in new methodologies or changed them for ones I use. I cannot stress how important keeping organised is. Some of these boxes have a tonne of services up and running, with multiple potential exploits so keeping track of everything is key!
- Be methodical! I started the week kind of wild westing it with boxes, taking notes of what I needed but not everything, skipping over services and going straight for things I thought looked vulnerable. This was semi successful, but started to let me down quickly, and create more work when I had to go back and re-document or screen shot things for the report. However I have developed over the week to follow my cheat sheet, work through all services in order, even if a particular service looks juicy, keep checking, squeeze every drop of information out of it. Take everything as a whole, note everything running, patch levels, service version etc. What does each service give you, what can you do with that, what do you need. How does it all come together. Since working like this I haven’t hit a box, that hasn’t been doable. Some take more time and are not as obvious but you will always get there, if you have all of the information infront of you.
- Drop the CTF mentality. This got me into trouble quite early on. I was missing easy steps, looking for harder or smarter ways of doing things because I thought that was the way the boxes were set out. WRONG. These are designed to be similar to real world situations. People do stupid things configs are wrong, services arn’t patched Kernals, and OS’s are out of date. I have been so used to avoiding password guessing, not using kernal exploits etc in CTF’s I don’t pay any attention to them during the attack and that costs me time and effort. Treat the lab like a real world situation. Nothing is off the table, use every tool you have. If you think this might not be the “correct” route, once you have root go to the forums get some other ideas and try the box again. The whole point is the lab is for learning. Use every technique you can find, and become familar with them.
- Learn. Again it boils down to remembering the point of the labs. Its a real large environment, its not about chalking through them as quickly as you can and smashing everything with kernel exploits. It’s about doing things you might be unfamilar with, if you’ve used a method before, try another one. On this note, use the forums. I have used them for 2 box’s, once to check I was on the right path, second to actually get a nudge on an inital foothold. I had never seen or even thought of this as a route for one of the boxes. So I was very interested to try it out. The forums are great for this, there is very little game changing hints, but enough to get you on the right track. Don’t be scared to use them, as you can’t know everything and its pointless to sit staring at a box for 3 days of your valuable course time, when you had no idea X service, could even be exploited like that. But once you complete the box, you have learnt something new! However keep that balanced, don’t become reliant on the forums, use them only as a last resort.
- MSF, use it. Why not. Again the labs are for learning. Use msf and get used to using it. In the real world do you think you would be held back by not using it if it was a viable avenue of attack. No. Get comfortable with it and what it can offer. However again its just a learning point. Go back do it again once you have used MSF, is there another route, dont become dependant on it or its tools. Can you do the same exploit from MSF but manually. What was the exploit doing. Why did it work. How does it work.
- You don’t have to root everything. Don’t slog through every machine 1 by 1 to root. Mix it up, at least at first. Scan the whole network for certain services. If you are better at web exploitation start there. Find all open port 80’s. Kock off some low hanging fruit with known crappy services. If you get stuck on a box for hours move on. The initial time I think should be spent getting your methodology sorted and settling in. So why not start where you are more comfortable and build your confidence and move on from there.
- Enjoy it. Its an amazing lab. Remember why its there, its not brand new using all the latest tech, but it is solid. It uses the same way of doing things you would use for any environment. Plus how many environments can you say you have been in that are 100% new and perfect with everything patched and running the newest versions… Im excited to getonto the pivoting bits and move into new networks. As that’s not something I have had much practise with. I know it won’t be in the exam but its a key skill for the real world.
- Take breaks. Found myself burning out pretty quickly this week. Doing this ontop of work and life is hard, racking up nearly 14 hours of screen time a day with work and this is not good. Take breaks, get some fresh air, you’ll feel better for it and wont finish your course looking like golumn.
The material is great too! Ive nearly finished the vids and the documentation. Its been really handy. It has given me some new ways of doing things or just reinforced things I already knew. Its defintly worth doing even if you do know alot of it. The buffer overflow bits are key obviously. Its like a whole second course in there, and I try and run through a buffer overflow every other day, just to keep the methodology in my head. Once you have it listed out and get your own process for doing them, they can be pretty rewarding.
The report. Theres so much to pack in, I’m trying to keep it light. I don’t want to include too much additional crap they don’t need to see. I’m trying to treat it like a report as a sysadmin I would want to see. Not a blow by blow of “look at my skillz, and 4 pages of crap per service” but rather heres the problem, heres how it is exploited, this is how its mitigated. So hopefully I will get that smashed out this week, can’t see a reason to not do it. I would be gutted if I failed simply for not typing up my notes, when that could get me 5 points.
I am still confused as to how the hell I am going to potentially root 5 boxes in one day for the exam however, that thought still bothers me. I am dreading the exam. But it must be done, hopefully in 5 weeks I will be ready.
So to summarize, the course is everything everyone says it is. If your thinking of doing it. JUST DO IT, and I hope any of this information is helpful to you! Now, time to root sufference.