How I took the OSCP


    From time to time the topic of training specialists in various areas of information security and obtaining the relevant certifications comes up on Habr. Preparing for and passing CISSP, CISA, Security+ and CEH/ECSA have already been covered, and every two or three weeks there are active invitations to courses from Pentestit.

    In this post I want to introduce readers to another training option and share my own experience of taking the Penetration Testing with Kali Linux course from Offensive Security and the exam that follows it.

    About Offensive Security


    It is probably impossible to find someone seriously involved in practical security who has not heard of this company. BackTrack, Kali Linux, Exploit-Database and the Google Hacking Database are the best known of their projects.

    They also do pentests and professional training, either online or live at conference venues. Currently the following courses are offered:
    • Penetration Testing with Kali Linux (PWK) - OSCP certification
    • Cracking The Perimeter (CTP) - OSCE
    • Offensive Security Wireless Attacks (WiFu) - OSWP

    Some courses can only be attended in person, at the Black Hat USA conference:
    • Advanced Windows Exploitation (AWE) - OSEE
    • Advanced Web Attacks and Exploitation (AWAE) - OSWE (they have previously promised to move this course online)

    I took PWK, so that is what the rest of this post is about.

    About the course


    As the name implies, the course is purely practical and brings together the basic techniques used in security testing. After registration the student receives video lectures, a PDF with the course materials (in my case 360 pages and several hours of video) and, most importantly, VPN access to the online lab. Exploiting the lab hosts is by far the most fun part, and is reason enough on its own to buy the course. Various other extras are also provided, such as access to a private forum and the ability to chat with instructors over IRC.

    The cost of the course depends largely on the number of days of access to the lab network. At the time of writing this is:
    • $800 for 30 days
    • $1000 for 60 days
    • $1150 for 90 days

    It works out rather expensive, especially at the current exchange rate.

    The documentation covers a fairly broad list of topics that follow the generally accepted methodology: information gathering, enumeration, fuzzing, exploiting binary vulnerabilities, using ready-made exploits and writing your own, privilege escalation, tunnelling connections, basic attacks on web applications, automation by writing Python and Bash scripts, and so on. A more detailed syllabus can be viewed on the site. For most sections there is a set of tasks to perform in the lab, plus starred questions that you are invited to study on your own.

    In general, many of the problems during the course are solved only after many hours of digging into the issue, gathering information from other resources and trying a variety of approaches. Simply studying the documentation, watching the videos and retyping the example commands will most likely not be enough to compromise even half of the hosts in the lab, let alone pass the exam. And that is the whole point of OSCP: it teaches you, above all, to get to the bottom of a vulnerability and find a solution on your own rather than mindlessly retyping commands into the console.

    On the other hand, the course requires minimal prior knowledge, so you can gradually work everything out. It is also worth saying that the training will not give you specialised skills such as writing ROP chains or hunting for race conditions in a web application. Such knowledge is not strictly required to complete the lab and pass the exam, but one way or another these topics do come up while working through the lab machines.

    For example, just as still happens on real systems, a host was found in the lab that was vulnerable to the notorious MS08-067. Everything seems trivial: use the well-known Metasploit module and move on to the next target. But here a problem arises: in the exam, using the framework is all but forbidden, so if such a situation came up, automated exploitation would be out. Not one of the exploits found on the Internet wanted to work, which prompted a deeper investigation of the vulnerability itself, a study of how DEP behaves on different systems with different service packs, writing ROP chains, and so on. The result: a fair amount of time spent, a lot of fun, and a ready-made exploit for everything from WinXP SP0 to Windows Server 2003 SP2 which, however, was never used.

    Labs


    On purchase you can order access to the lab network for 30, 60 or 90 days. If you are new to practical security, or plan to devote no more than 3-4 hours a day to training, it is worth taking the maximum option. From my own experience I can say there really is plenty to do. In addition, the first month will most likely go on studying the theory and basic tools: learning to write shell scripts, getting to grips with Wireshark, compiling exploits for various software, and so on. The remaining time goes directly on exploitation and, in parallel, on studying various techniques and quirks that are not covered in the official documentation.

    They try to keep the lab in a state as close to real life as possible. Systems are periodically updated, and vulnerable services appear that are often encountered in real pentests.

    In total there are about 60 virtual hosts with a variety of configurations. The network is divided into interconnected segments: Public Network, Development Network, IT Department and Administrative Department. Only the public network is directly accessible; reaching the rest requires some work with proxying connections and port forwarding.

    Each host is vulnerable in one way or another. Some machines are extremely easy to get into, while others take hours or even days. Compromising every system is not required; the main goal is to acquire as many skills as possible. But if you can, I would advise understanding and getting maximum privileges on all of the machines. And if you manage to deal with PAIN, SUFFERANCE, GHOST and HUMBLE, that is excellent: you can immediately add a line to your resume, and people in the know will appreciate it :)

    OSCP is a sea of fun, excitement, pain and suffering all at once. On the forum or in chat you can often find questions like "I spent a week on this host, forgot what my wife looks like and what my dog's name is, tried every option, nothing works. What do I do?". Most often the answer to such a question is a dry "Try Harder" or "Enumeration is the key".

    Try Harder is practically the middle name and philosophy of the course. It is the mantra that haunts you throughout the training and becomes your motto afterwards. "Exploit X does not compile, what should I do?" - Try Harder. "I got access to Alice, Bob and Pedro, but how do I get onto Cory?" - Try Harder. "I tried all the privilege escalation exploits for Y but never got root" - Try Harder. And so it goes every time.

    Only after an impressive description of the work done investigating the target, enumerating the services and attempting every kind of attack, having felt all the suffering involved, will the instructor on IRC give a small hint or ask a leading question. And at that moment doubts arise about whether you chose the right profession. How could you not notice such a simple detail, or not try the obvious method? Why could I not figure that out myself?

    In short, OSCP also teaches attention to detail and gives you confidence that everything can be broken; you just need to find that one seemingly insignificant feature.

    Exam


    Taking the exam is also a hallmark of the course. The student is given VPN access to a closed network, with 24 hours to compromise it and a further 24 hours to write the final report, which is recommended to include an introduction, information for management, the full course of the testing with technical details, and recommendations for remediation. It is also worth attaching a report on the lab, so that if the examiners have doubts you have a chance to tip the scales in your favour and pass the certification.

    The exam has strict requirements: you cannot use vulnerability scanners (Nessus, Acunetix, etc.) or automatic exploitation tools (for example sqlmap). As I wrote above, using Metasploit is acceptable in some cases, but is strictly limited to a list of modules.

    Depending on the level of access gained, each host is worth a certain number of points. Judging by the reviews, many people fail precisely at privilege escalation, so pay special attention to this when preparing. The targets also vary in difficulty. The required minimum is 70 points. It seemed to me that the exam hosts did not differ much in complexity from the lab ones.

    In my case the network turned out to be 5 hosts worth from 10 to 25 points each. The first three hours went on information gathering, port scanning and all kinds of enumeration. After that the attack options were more or less defined. I got the first root, for 20 points, and another one 3 hours later. An hour after that I managed to figure out the host worth 25. Then things got harder, because fatigue started to tell, and for about 2 hours I jumped from one host to another without knowing what to grab onto. A break to eat and a short walk helped, after which I managed to find a way to get low-privilege access on a 25-point host and then escalate privileges. Funnily enough, the last to fall was the 10-point host.

    In total it took about 12-14 hours including breaks. The next day the final report (exam + lab) was sent to the organisers. And two days later I received a letter confirming that I had passed and qualified as an Offensive Security Certified Professional.

    As for tips:
    • Start compiling notes on the material studied right away, document the entire path to gaining access, and take screenshots as evidence. Firstly, it will help when it is time for the final report. Secondly, it will be easier to deal with the exam if something similar comes up.
    • Most machines on the network can be compromised in several ways; if time permits, try all of them.
    • Some hosts cannot be compromised directly without first compromising others. If you have spent a decent amount of time and tried every technique, try asking in chat whether the host can be reached directly or whether you should turn your attention to other targets first.
    • It is nice to have a set of virtual machines with different operating systems and architectures on hand: they can come in handy when writing or compiling exploits.
    • Enumeration is the key. If something is not working out, check again whether all the information has been collected: could information from SNMP be useful, have users been enumerated, have all ports been scanned, has the HTML source been reviewed, and so on.
    • After you have played enough with Metasploit, try to repeat all the attacks without it.
    • In the exam, try to work according to the methodology rather than grabbing at everything. This saves time and stops you missing important points.
    • Before buying the course, try training on the vulnerable systems listed at https://www.vulnhub.com. A good start would be Kioptrix, Holynix, Nebula and Metasploitable.
    • Check out the work of, and subscribe to, @g0tmi1k. Among his other fine publications and projects he has an excellent privilege escalation guide: https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/


    In conclusion


    Its practical orientation is in many ways what makes the course exceptional. I particularly liked the focus on gaining real skills rather than on memorising the right boxes to tick in tests. Two weeks of fun and immersion in a favourite pastime flew by unnoticed, and it was even a little sad that it was all over.
    I strongly recommend that anyone starting out in practical information security take a closer look. And for those who have already taken the courses, I invite you to share your impressions in the comments; I am especially interested in OSCE and AWAE.

    And a nice addition to finish with: the "Offensive Security - Try Harder" song.
