Wednesday, June 22, 2016

Adventures in OSCP

I've been wanting to write this post for a while, but I keep putting it off. Call it PTSD if you will, but I think I'm finally ready to talk about my experiences with Offensive Security's Pentesting with Kali course and the resulting exam. When I read write-ups before taking the class, it felt like a lot of them were written by rockstars that killed the lab environment, and honestly it felt a little intimidating. I hope that this write-up can give the perspective of sort of a "regular Joe" type experience and show that even with a lackluster lab experience the exam is still possible. Due to NDAs with the material a lot of it is going to be pretty general, but I feel like it's worth putting text to internets about.

tl;dr: Course was great, exam was brutal, I PASSED!


Background

Prior to taking PWK I had taken a pentesting class with Dave Kennedy at Blackhat 2014. It was a good class with a lot of foundational knowledge and gave me a really great intro to metasploit if nothing else. I think it's something he teaches every year, so if you're looking to take some training at Blackhat, I'd definitely give his class a shot.

Other than that class, most of my other experience with pentesting had come from working through CTF challenges at DerbyCon, Holiday Hack Challenges, and other random CTF/wargames scattered across the internet. I'd done some real world pentesting in some of my roles at various jobs, but it was never my sole responsibility.

Pentesting with Kali

When I started my most recent position, my boss mentioned that he was pushing for the team to at minimum take the PWK course just for a perspective adjustment. I can definitely see what he meant with that. The amount of lateral thinking and creativity required for the course is pretty immense. You start looking at other problems in different ways, and it really just improves your critical thinking skills.

I opted to take the full 90 day lab time, and I'm not sure that was the best choice. I went pretty hard on the course material/labs for ~40 days and then I just got burnt out. I couldn't muster the desire to run back to the labs and with all the extra time ahead of me, I started procrastinating pretty hard.

The lab manual for the course is really top notch. The explanations for various attacks and methodologies are very detailed and, when needed, there are videos to back up the reading. To be honest, I didn't watch many of the videos unless I was unable to get some of the examples working. The shining moment for me in the course material was the section on buffer overflow exploits. I had tried various tutorials and walkthroughs for buffer overflows before, but had never had any success. Using the PWK VM and following the lab manual, I was able to complete both buffer overflow exercises in the lab manual.

One thing I particularly struggled with, and which came up after talking to a lot of others who have taken or are currently taking the course, is a sense of no direction. You get the course materials, you get your VM, you get the videos, and you get the VPN information to connect to the lab. That's really it though. There's really no course outline, or a clear way to know when you're supposed to enter the lab, etc. Here's my take on that: the lab manual is there to give you base knowledge about various exploits, tools and methodologies you'll use in the lab. By no means do you need to read it from beginning to end before starting the VPN labs. I typed up a summary of the chapters of the lab manual to hopefully give some direction with what to focus on and what you might be able to skip based on the knowledge you already have. Here it is:

  • DNS Enumeration - Do you know how DNS works? Do you know how zone transfers work?
  • Port Scanning - Can you nmap? Do you know how it works?
  • SMB Enumeration - Do you know null sessions? Review nmap SMB scanning scripts.
  • SMTP - Skip it... maybe come back if you think you need it, but I never got any use out of it.
  • SNMP - Also can probably skip... look for default community strings and there are tools, but I ran a lot of SNMP scans and never got anything useful.
  • Vulnerability Scanning - nmap has vuln scanning scripts; set up OpenVAS... if you've never used or set up OpenVAS this one is fun because it actually works, unlike any other time I've tried to install OpenVAS.
  • Buffer Overflows - You either know this or you don't. EXCELLENT tutorial, walkthrough, and tools explanations though. The first time I've ever had a BOF tutorial actually work for me.
  • Post Exploitation - Another really helpful section for me... the discussion about file transfers and non-interactive shells is really important for the lab.
  • Privilege Escalation - Good, but I've got a few links that are better.
  • Client Side Attacks - Important for the lab, but it never really stuck with me.
  • WebApps - Do you know XSS/LFI/RFI/SQLi?
  • Password Attacks - Good for the lab... to be honest I did very little cracking with john/hydra... most of the hashes I cracked with the OffSec crackpot tool or crackstation.net.
  • Port Redirection and Tunneling - VERY important for the lab. It's not an easy topic, so make sure you've got some focus going into this one. I referenced this a lot.
  • Metasploit - Again, you know it or you don't. Do you know things like how modules are organized, 'show options', staged vs. non-staged, building metasploit modules?
  • Bypassing AV - A good section; you'll need it a few times.
  • The last section just kind of ties it all together in an example... good to read, but it's not going to blow your mind.

So that's what you want to focus on to have success in the labs. If you want general information/knowledge by all means read the entire manual and watch all of the videos. However, if your attention span or lab time is lacking, that's a decent outline to follow to get you hacking on the VPN ASAP.

PWK Labs

This was certainly an experience! The thrill of running that first nmap scan and seeing all the hosts, knowing that they were all exploitable to the root level, was very exciting. It's also very overwhelming. Trying to figure out where to start in that sea of IPs is pretty tough. If you run some of the scans recommended in the lab manual, you'll find some pretty low hanging fruit. However, even the low hanging fruit generally has some small twists or nuances that make it less than straightforward.

If you're not familiar with the PWK lab structure, you are initially connected to the student network and there are a multitude of hosts there. All systems have a root-only accessible file called proof.txt which is a trophy of sorts. However, your ultimate goal is always a root/system level shell. Some hosts have an additional file called network-secrets.txt which allows you to unlock additional subnets. These are the IT, Dev and Admin network. During my time I was able to unlock IT and Dev but never quite cracked the admin network.

If I can offer one bit of helpful advice it's this: DOCUMENT EVERYTHING. When I finished my lab time and went back to work on my lab report, I realized how shoddy a lot of my notes were. I documented important exploit steps, but not necessarily how I got there or how I discovered the vulnerability. This was a good lesson for the exam though.

A quick note about the lab report: it's entirely extra credit on the exam and you only have to write up 10 hosts. I think they say a lab report can get you an extra 5-ish points on the exam. Hard to see where it would make a difference between pass/fail, but it's a good exercise to practice before your exam report.

PWK Exam

It really can't be overstated how brutal this exam is. Over the course of my lab time, I was able to get root/system on ~20 systems. Based on that performance, and reading write-ups where people talk regularly about getting all/most of them, I was very discouraged going into the exam. I truly had no concept that I would pass the exam and was mostly just taking it because it had been paid for with the course fees.

You schedule your exam several weeks in advance, and I had previously hoped to schedule for early on a Saturday morning, but Saturdays were booked up quite far in advance. I ended up settling on 1pm on a Sunday. It gave me a bit of time to spend with my family and gave some forced breaks for food and sleep. Around 10 minutes after my scheduled start time, I got an email with the VPN information and the systems I had been assigned. I turned on some music and away I went.

You receive a score breakdown for each system with your exam instructions. So I started off with the lowest point system for a quick win. The exploit was fairly obvious and I had root on the system within the first hour. This was really a great boost of confidence. I worked for a few more hours and got root on a second system. I really felt as though I had some good momentum going. I had planned to break for dinner but instead got some vending machine food and powered through. I managed to get local access on one more server and then I took a break to head home for some evening family time. The break was hard to take at the time but was critically vital. When I came back, I had a breakthrough and got local access on another machine. I worked late into the night but made no further progress.

I went home at this time to get some much needed rest. It was tough getting to sleep and I woke up after less than 4 hrs and just needed to get back to work. I went back and hacked away a bit more. At this point I felt pretty defeated. I was so close and I just needed to escalate these two systems. I took another break to have a walk around and another revelation dawned on me, so I rushed back and got my third root access. I spent the rest of my time poring over the local access that I had, trying desperately to find some way to escalate my access. Finally I happened on something that felt odd and it ended up being just the key I needed. Based on my calculations I had 80 points with my exam systems and 5 extra points with the lab report. I had passed! (probably)

You get 24hrs after the exam to finish your report, but I powered through with my last 2-3 hours of lab time to write up my report. I wanted the access to get any screenshots or other details I might need. I saved it and went home to get some much needed rest. The next day I did some editing and formatting and finally submitted my report. Around 30hrs or so after I submitted the report I got the all important email that I had passed the exam and earned the OSCP certification.

Time breakdown:
1pm - Scheduled start time
1:10pm - Received exam instructions
8pm - Took break
9:30pm - Resumed work
12:30am - Went to bed
6:00am - Resumed work
~11:30am - Had a passing score
(estimated time worked: ~16hrs)

Summary

Overall, I think this was a very beneficial experience for me. My primary job responsibilities are not explicitly pentesting, but I feel as though the critical thinking skills I honed in this experience will be immensely helpful in both my current role as well as my career path. I'd certainly recommend the course for nearly anyone in the Information Security field. The benefit for red teams is obvious. The benefit for blue teams, to see how attacks actually work and what the attack life cycle really looks like, is a great perspective to have.

Wednesday, June 1, 2016

I've finally done it. I made a blog.

I can't say that this will necessarily be updated with any kind of regular frequency, but I just needed a place to gather some thoughts and host documentation on things that I do.

My current title is Sr Security Analyst, which sounds nice but in our small team I'm really a jack of all trades. I spend my days reviewing blinky box alarms, reversing malware, pentesting, incident response and generally working on whatever I can to sharpen existing skills or build new ones.

The title Security Sponge comes from a philosophy of being excited about nearly all things InfoSec. I have a desire and passion to learn so much, soaking it up as a sponge. See what I did there? I think I may be reaching a point in my career when a "jack of all trades" is going to be less desirable than a specialist so I may be forced to choose something sooner or later. When that time comes, I think I'll likely fall into a DFIR role because that's probably most interesting to me, but it would be nice to land someplace where I can continue developing pentesting skills because that's just plain fun.

You can find me on Twitter @dougsec, which is definitely more active than this.