I have always been interested in security (the charm of the dark side...); however, I learned everything I know by myself. Until today.
This summer I decided to attend one of the most complete and intense courses you can find: Penetration Testing with Kali Linux, provided by Offensive Security.
If you know a little about security, you have certainly heard of Kali Linux: it's a Linux distribution focused on penetration testing and forensics. Offensive Security is the company that develops and maintains Kali (among other things), and it's the best at its work.
Their Penetration Testing with Kali Linux (PWK for short) is a very particular training course: you are not required to answer multiple-choice questions; it's a hands-on course where you will hack computers for real. The exam, again, is a 24-hour effort where you have to prove you learned the skills taught in the course.
Basically, they are doing what Morpheus did in The Matrix.
To be honest, before starting I asked myself if my tech background was good enough for this course.
I have a very good knowledge of PHP and Python, which I use for my work, and I know the basics of C/C++, which are the main languages used in the exploits.
Looking at some reviews online, they all suggest having a good knowledge of networking, so I started studying the TCP/IP Tutorial and Technical Overview manual.
Well, on second thought, it was overkill. Yes, you need to know the difference between TCP and UDP, and yes, you have to know what a subnet mask is, but you really don't have to know all the sections of the TCP/IP stack.
I wasn't sure if my job in web application development would be useful; however, during the course I surprisingly discovered that it was a plus.
One of the largest attack surfaces is web applications; having some experience with them will let you imagine how the remote script is actually working and adjust the payload accordingly.
Moreover, being a developer really helps you in the debugging phase: you'll have to fix/review exploits, and even if you don't know the language you are using, you already know the steps required to isolate, confirm and fix any bug.
When you register for the course, it won't start immediately (or at least this is what happened in my case); I had to wait 15 days before getting my hands on the labs and the manuals. Please consider this if you are on a very tight schedule.
I purchased the course with 90 days of lab access. I'm very happy with this choice, since I have a family and a full time job, so I couldn't dedicate all my time to the course.
As you might know, you'll get a video guide and a PDF manual. The manual is basically a transcript of the videos; however, you must study both of them. They basically say the same things, but sometimes one part contains details that aren't in the other (for example, "you should do XXX before trying the exploit or it might not work").
This is the reason I enrolled in this course: you have access to three different subnets, with more than 40 machines. They are not isolated targets; most of them have dependencies on one or more other boxes. After rooting a machine, you'll have to check for interesting files, passwords, documents, everything (even love stories...).
Remember: this is not a Capture The Flag event; you are simulating an attack on an imaginary company network. Think about it as a giant riddle, where everything is connected.
Just a tip: if you get stuck on a box, ask an admin for help. Looking around on the net, I thought they wouldn't give me much help (the Try Harder philosophy).
This is completely false. Sure, they will never tell you the exact steps required to exploit a target, but they will give you one clue after another, making you think and leading you to the solution.
Offensive Security gives you all the details and suggestions on how to organise your Kali Linux virtual machine; however, I had to step away from their instructions a couple of times.
Git vs Google Drive (or Dropbox)
You should back up very often: there's nothing more frustrating than losing an entire day rebuilding your virtual machine because something went wrong. Like when you think you got a shell on the remote box but instead you simply connected to yourself, and a typo messes up your /etc/passwd or /etc/shadow file. Do not ask me how I know that.
Several other students were using shared folders with the virtual machine and then linking them to Dropbox or Google Drive. This could be a good solution, but I really don't like it, for several reasons.
First of all, Google Drive is terrible at resolving conflicts: if the same file was modified on two different machines, you'll go mad trying to understand what happened and restore the correct version.
Moreover, Google Drive actively scans all your file contents; since we are dealing with malware, several times I found my compiled scripts replaced with empty files. Not very funny.
After a few days I went back to good old Git: I created a private repository on GitHub and stored all my code inside it. In this way I didn't have to worry about conflicts or files being deleted.
As a nice addition, if you find any cool repository hosting interesting tools, you can simply add it to your own copy using the git submodule add syntax.
Hashcat vs John the Ripper
During the course you'll sometimes have to crack some passwords (don't worry, you don't need a cracking rig to solve those challenges). The manual teaches you how to use John the Ripper and gives you some hints on how to create some simple wordlists.
Sadly, when I had to crack something, JtR was extremely slow, I guess because it was running within a virtual machine with limited resources.
In my spare time I crack passwords for fun, so I have a PC with a decent GPU and Hashcat installed. In a few minutes (if not seconds) I found the correct password, without waiting for hours.
For the record, Hashcat now works on CPU, too, so you don't need any fancy GPU to get started with it. I strongly suggest you take a look at it, since it has some interesting features.
I booked the exam 20 days after the end of my lab time, since I had to organise myself to face the exam properly. This free time was really needed; I was able to free my mind from the stress of the labs.
The email with connection details arrived at 11 AM sharp, and I immediately started working on the targets.
To boost my confidence, I started working on a low hanging fruit. After 2 hours I rooted the box.
Then I headed to another box (medium difficulty), and after about 3 hours I rooted it.
It was time to tackle the hardest box: I knew I could simply try the other two boxes first, but I made the following consideration. With three boxes left, I needed two more roots to pass. If for any reason I could not get one of the medium ones, I would have had to face the hardest one tired and frustrated from a failure.
I felt I was getting tired pretty fast, so I bit the bullet and started working on the big monster.
That was the right choice. It took me a full 4 hours to own the box and boy, that was really hard and lengthy. With my heart lighter and with a full boost of confidence, I started working on the fourth machine.
And then, despair.
I enumerated the target and found the vulnerable software, but for the life of me I could not trigger the exploit. Then I remembered that I still had my "Use Metasploit" card. I used it to get a low privilege shell but, once again, I was stuck.
There was no way to get a root shell: I tried every trick I had and even Metasploit scripts, no joy.
Desperation was rising like an ocean tide: was I doomed to fail this exam, even though I was able to tackle the hardest box? That sounded like a really bad joke: I was prepared to fail, but not to fail so close to the goal.
I decided to give one last try and then go to bed for a couple of hours of sleep. Once again, that was the right choice: something clicked and I found my way to get an Administrator account.
At 23:30, after 12 hours and 30 minutes, I completed my exam, went out for a walk and then collapsed into bed.
That was one of the most exciting experiences I've ever had. When I got into the Admin Network for the first time I really felt a tingling at the back of my neck, and I actually jumped out of my chair when I rooted Humble.
The course will actually teach you how to "think" from a pentester's perspective: you are going to exploit old and well-known vulnerabilities, but with a twist. Almost none of the scripts you can find online will work, so you have to analyze your environment, think about what you have and what you want to achieve, and finally update your code to test it.
This is something that a multiple-choice test would never teach you.
Collection of tools and tips: https://www.securitysift.com/offsec-pwb-oscp/
Linux privilege escalation: https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
Windows privilege escalation: http://www.fuzzysecurity.com/tutorials/16.html
Meterpreter payloads: http://netsec.ws/?p=331