Getting back into it!
Following on from my previous post, My OSCP Diary – Week 1, I continue my Offensive Security Certified Professional journey!
So, after a break in my training schedule (pro tip: ask Offensive Security (Offsec) to pause your PWK lab time – I didn’t, which was stupid) I’m back into the PWK labs!
The first thing I realised after a ~40 day break was that taking that long a gap isn’t the best idea (but hey, holidays and life have to happen, right?). I got back into the lab and stared at my attack Visio blankly for a bit, realising the task ahead of me still had a lot of servers in it!
I think the first box I decided to hit was Pain. As its name says, this box is not easy and is considered an OSCP boss box; it’s painful, but quite fun once you have cracked it.
Boxes complete so far (in no particular order):
In addition to the 17 boxes pwn3d (34% complete), I’ve unlocked all 3 networks (dev, IT and admin).
I’ve got 4 boxes in progress:
Hopefully by the next post these and a few more are on the owned list!
Learning all the things
So far progress seems to have been fairly good, but not everything is as simple as it seems, so I thought I’d note some of the lessons I’m learning along the way:
Enumeration is everything
Now I know we all know that, but practising it again and again and again can be difficult. All you have to miss is a single version number, parameter or page and your route to root might be dead in its tracks!
Take your time, follow a method, document your findings, run through every service and use all the data you have (a whiteboard can be helpful). If you find a known vulnerability, test it (a control server is great, but you can’t always build a copy of the target).
If you are familiar with Offensive Security, their mantra is ‘try harder!’. My view on this is probably a bit different; it would be ‘keep going’. You can end up down a rabbit hole, lost with no clue where to head, banging your head against repeated attempts to exploit a vulnerability (internally screaming ‘why won’t you work!’ etc.). Some of this is difficult simply because it is frustrating. The Offsec view on the world of education is something like this:
- Try harder
- Don’t talk to other people – the text goes something along the lines of ‘you don’t learn by asking for the answer’
I’m clearly still running through the course, but I’m not a great advocate of the above approach; my view is more like:
- Research, review, explore, keep going
- Discuss the craft with fellow students, pen testers, industry folk etc.
- Generally we are hunting for known vulnerabilities or common weak configurations. Yes, the process of getting from zero to hero with just Nmap and a few CLI commands is awesome, but the learning is a combination of internet research, trial and error and perseverance.
The art of enumeration takes far longer to master than the use of the exploits; likewise, the enumeration needed for privilege escalation takes longer than the actual escalation itself.
Sometimes you can pwn a service with a few TCP packets; other times you’re abusing a logic flaw or weak configuration. The key part is being able to find the weakness. For me, that requires a mixture of inquisitiveness, exploration and method, but also knowing how the systems work under the hood, plus knowledge and experience of performing the exploit routines (this part, in my opinion, can be taught in a more show-and-tell manner). My Windows knowledge is far superior to my Linux, and we move further out of my natural comfort zone (how can knowing Windows be natural…) when we start hitting BSD and Sun boxes. The key thing to remember here is that no one can know (and remember) everything, and you will hit scenarios where you have to fall back on good enumeration and research. So my view is that you need to ‘keep going’: keep on in the labs, watch YouTube videos (IppSec is awesome), and read material on enumeration and exploits.
When consulting I have to keep records and notes on a lot of things, and the OSCP is no different. It is, however, easy to get caught up in the moment of shell excitement and forget to record a bit of info (as I found: a few times I forgot to grab proof.txt, and I didn’t record the network-secret.txt output – I simply pasted it into the control panel). Keep notes, take screenshots, hell, record screen caps and videos if it helps.
Not everyone will have access to Nessus (or other commercial solutions), but if you do, it’s a great idea to run some scans after pwning the boxes and see if the scanner could have found the route you took. This is a great way of learning where the gaps in automated tools are, and why securing a service requires far more than a quick automated scan (it’s a tool that can be useful, but not for every scenario).
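One way to make the record-keeping above habitual is to wrap every command you run in a small logger, so the output, exit status and a hash of the evidence land in a per-box directory whether or not you remember to screenshot it. The bash function below is an added example written for this post, not something from the PWK course or from the original diary; the EVLOG_DIR location, the per-box layout and the file names are my own assumptions.

```shell
#!/usr/bin/env bash
# evlog: run a command and keep an evidence record of it.
# Added example (not from the PWK course or the original post).
# Layout assumed: $EVLOG_DIR/<box>/commands.log  -> timestamped index
#                 $EVLOG_DIR/<box>/<timestamp>.out -> full output of each command
EVLOG_DIR="${EVLOG_DIR:-$HOME/oscp-notes}"   # assumed default notes location

# Hash helper: sha256sum on GNU systems, shasum -a 256 elsewhere.
evlog_hash() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Usage: evlog <box-name> <command> [args...]
# Prints the command's output as normal and returns its exit status,
# while appending a record to commands.log and saving the raw output.
evlog() {
    local box="$1"; shift
    local dir="$EVLOG_DIR/$box"
    mkdir -p "$dir"

    local ts
    ts=$(date -u +%Y%m%dT%H%M%SZ)
    local out="$dir/${ts}.out"

    # Index entry first, so even an interrupted command leaves a trace.
    printf '### %s\n$ %s\n' "$ts" "$*" >> "$dir/commands.log"

    # Capture stdout and stderr together; keep the exit code without
    # tripping 'set -e' in the caller.
    local rc=0
    "$@" > "$out" 2>&1 || rc=$?

    printf 'exit=%s output=%s sha256=%s\n' \
        "$rc" "$out" "$(evlog_hash "$out")" >> "$dir/commands.log"

    cat "$out"
    return "$rc"
}

# Returns the number of recorded commands for a box (handy when writing up).
evlog_count() {
    grep -c '^\$ ' "$EVLOG_DIR/$1/commands.log" 2>/dev/null || echo 0
}
```

Source the file in your shell and prefix anything worth keeping, for example `evlog pain cat /root/proof.txt`; the commands.log index gives you the order of events and the `.out` files are the raw evidence for the report, with the hash letting you show later that a saved proof file was not altered.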
There are many ways to skin a cat!
Ok so, my method for approaching the PWK was to do what I’d do in real life to attack a target, and this led me to the admin network rapidly. That was great (fun), however we must remember the PWK labs are 50 virtual machines in a network that isn’t like any I’ve seen in a company over the last 20 years. So, my advice to others (unless they are like me and want to get stuck in quicker) is: read through the PDF material, watch the videos and complete the exercises (this should get you to root on a few boxes fast). Log in to the forums, but be careful about trusting all you see.
So, for now I’m going to keep going; there are a few boxes I’ve got in progress (3 limited shells) and a whole load more to attack! #keepgoing #tryharder