h0mbre

h0mbre

Binary Exploitation

PWK/OSCP Review

14 minute read

Big Picture Thoughts

If you are on the fence about doing PWK or have been putting it off or feel that it is going to be too hard or you’re intimidated, forget all of that. Take concrete steps TODAY to start PWK. It’s not an overstatement to say that PWK is the best professional experience I’ve ever had and was truly life-changing. I am a huge idiot and I did this, you can too. Formulate a training plan to knock out the prereqs and start grinding.

Please reach out to me on Twitter, HackTheBox, or NetSecFocus if you have any questions or need any help. I’d love to hear from you.

Managing Expectations

Even though the course is very difficult and demanding it truly is an introduction-level course for penetration testing. This is a highly-technical field, you can’t expect to become a veteran after 3 months of hard work. Through taking the course, you will have the funny realization that even though you are orders of magnitude more advanced than you were 3 months ago, you still feel like you don’t know anything! Some reviewers have complained that the course is ‘dated’ which is true but also not important in my opinion. If you want the latest and greatest techniques on the latest fully patched operating systems, then read blog posts, go to conferences, follow infosec ninjas on twitter. PWK is not going to make you into some one-person APT elite hackerman. It will give you a solid grasp of penetration testing fundamentals and will give you a rock-solid foundation from which to springboard into the penetration testing field. You will know exactly how to compromise unpatched systems.

Others have spoken about the professional implications of obtaining the certification and are better poised to speak to that than I am as I am not a penetration tester in a professional capacity.

PWK is not an introduction-level course in the normal sense. It can be extremely difficult, stressful, and challenging depending on your experience level. If you are a beginner like me, it will be hard, that is a good thing! It’s a bit like saying ‘Intro to Astrophysics’ is an introduction-level course.

Prerequisites

The Offensive Security PWK syllabus recommends the following student prerequisites:

  • a Familiarity with Linux,
  • a solid understanding of TCP/IP,
  • Knowledge of a scripting language,
  • A solid understanding of infosec verbiage and concepts, and
  • Masochism.

Linux – You will definitely need to know basic Bash commands and how to navigate the Linux file system, understand file types, understand file permissions, etc. Prior to ever working in a terminal, I found the Bandit series on OverTheWire.org and the Bash/Shell ‘Learn the Command Line’ course from codeacademy to be very helpful for learning the basics.

Scripting – Please do not think you have to be a python master to start PWK, knowing basic concepts like data types, how to declare variables, etc is sufficient. For the most part, you will not need to create scripts from scratch. If you need help in this area a simple ‘Introduction to Python’ course, many of which are free online (codeacademy has one), would teach you MORE than you need to know to get through PWK.

TCP/IP – I am not a networking or TCP/IP guru by any means and did not feel overwhelmed at any point by the knowledge required to progress through the course. Familiarity with the application layer protocols should be more than enough as a starting point. Do you know what FTP is and what it’s used for? Do you know what HTTP is? Have you ever used WireShark to look at traffic? If this doesn’t sound like a foreign language to you, you are probably alright.

Masochism – You definitely need to be willing to grind. If you come into PWK with the appropriate mindset of “This will be hard and that’s a good thing. I want to do hard things that challenge me. I want to cultivate a foundational penetration testing skillset and I want to embrace the grind required to do so” you will excel. If at any time during the course you feel like tapping out, take a step back and think back to your motivations for getting into PWK in the first place. If this course was easy everyone would be an OSCP and the knowledge gained from PWK would be widely held and less valuable. You can do this.

Preparation

Coming into the PWK course I had just completed the PTP/eCPPTv2 course from eLearnSecurity and felt that a great deal of the PDF and video materials from Offensive Security were review. This is a good thing in my opinion. Others have had success with different approaches but my personal recommendation is to aim for the PWK materials to be review. It is my personal recommendation that the first machine you root in the labs should not be the first machine you’ve ever rooted. My thinking here is that you want to maximize your lab time. You want to maximize the amount of time you spend going against the lab machines. If you spend a couple weeks of time at the beginning of the course reading and re-reading the PDF and watching and re-watching the videos because all of the information is brand new to you, that will be less time you have in the labs. The greatest part of PWK is the playground of lab machines, we should be aiming to spend the vast majority of our time on the playground.

Like I said previously, I do not think the PWK labs should be the first time you attack a box. Technically speaking, PWK is a self-contained start-to-finish course which will provide you all that you need to take you from zero to OSCP; however, I find that overpreparing for PWK could set you up for the most success.

My background coming into PWK was that I had just gotten into studying information security in the previous 6 months. 6 months prior to taking PWK I was in the entry-level textbook certification phase with zero practical skills. I did Net+ and Sec+ 4 months prior, CEH (blegh) 3 months prior, and then spent 2 months or so on the PTP/eCPPTv2 course. If you are unaware, the PTP/eCPPTv2 course is very hands on and similar in format/delivery to PWK. The course was very helpful for learning Metasploit, learning how to research vulnerabilities, learning enumeration techniques, making me feel comfortable in a Linux terminal, etc. eCPPT also does a good job of teaching you buffer overflows which is probably the most ‘technical’ aspect of eCPPT and PWK. The course was also more “hand-holdy” than PWK and I think that is helpful for a true beginner like me. I think because of this, I was ready to hit the ground running when my PWK lab time came. I cannot stress enough that while the textbook type certifications serve a purpose (I hope!), they were not much help for PWK. If you want to do PWK and you want to do it ASAP, don’t waste your time on these types of certifications, you need practical skills. I will add more specific resource help to the ‘Resources’ section below.

Tulpa’s OSCP blogpost (which is great, definitely check it out) mentions a bare minimum of buying and going over Georgia Weidman’s ‘Penetration Testing’ book which I whole-heartedly agree with. Georgia does a fantastic job introducing you to the basics needed to confidently enroll in PWK. As Tulpa points out, there are even cybrary videos you can watch along with the book.

PWK Lab Time/Experience

I found the materials to be great. I had read reviews stating that they were just alright, but I was pleasantly surprised by them. I definitely recommend doing the lab exercises and documenting them, you will learn a lot of relevant things even if you are somewhat experienced and also give yourself a leg-up on 5 extra exam points. I spent about two days (~15 hours) looking over the PDF and watching the Videos. ‘Nice’

Your goal in the labs, and something you should think of as you approach every box in the network, should be to build a ‘methodology.’ What the hell does that even mean? For me it meant, I need to formulate a workflow that is: repeatable, efficient, and consistently leads me to rooting machines. In hindsight, I wish I would’ve rooted the box named ‘Alpha’ that first week in the labs and then read gotmilk’s forum post on his methodology for that box. If you want to see a comprehensive methodology and get a frame of reference for what you should be trying to accomplish, go read his forum post as soon as you can (definitely try the machine yourself before looking at the answers!!!). Early on in the labs, I would take an hour or two a week to watch Ippsec’s youtube walkthroughs of retired HackTheBox.eu machines to cobble together a methodology. Watch what he does and repeat this process on your lab machines.

Do not worry about the number of machines you are rooting, worry about your methodology. Is it leading you in the right direction? Is it becoming streamlined? Are you still trying to fingerprint RPC ports before checking out that anonymous FTP access? Some people will tell you to avoid forum hints like the plague and I disagree. Do not cheat yourself, be honest with yourself. Did you really try your best? You know if you did or not. If you tried your best, and you are truly stuck, go look for some forum hints or ask an admin for help. Be prepared to explain what you have tried, what your logic is, what you’re thinking could be an exploit path. Any question remotely resembling “Stuck on box xyz, any hints?” will net you zero friends and zero help. I don’t recommend leaning on the forums as a crutch, but definitely use them. If you are stuck, go find a tiny hint. A hint sparked something in your mind? Close the forums tab, ask yourself how your methodology missed that piece of information, “what could I have done to find that piece of information myself? What can I add or change about my methodology to catch that sort of thing in the future? Now that I have that piece of information and can progress 5% further on the machine, let me get earnestly stuck again before I appeal to the forum hints once more.”

I spent about 300 hours total over the course of about 7-8 weeks in the labs and rooted ~50 of the lab machines. If you add in the amount of time I spent on eCPPT labs and materials, that number moves to about 450 hours total, which is a number you will hear often when it comes to estimating the amount of time needed to progress through PWK. Your goal is not to become an OSCP, you could reasonably do that after only a moderate effort in the labs. Your goal is to squeeze every last drop of experience you can out of the lab environment. After rooting the lab machines, I went back to the 5 or so I used Metasploit on and tried to do them manually and tried to identify as many exploit paths as possible on the machines I had already compromised. For some machines you can find 3-4 distinct exploit paths. You are not done with a machine when you grab the root flag, see if there were any other ways you could’ve done it, research, read blog posts, script up an exploit path, etc, you’re here to learn as much as possible, not grab a proof file.

When I reached a point where I felt like I had spent enough time on the lab machines, I started looking for other lab environments to practice in. I found Virtual Hacking Labs to be an excellent choice. I bought a 30-day pass for $100 which is insanely cheap for what you get, and rooted around 25 of the machines in the lab environment. The experience was very similar to the PWK lab experience. I highly recommend you supplement your PWK labs with Virtual Hacking Labs or even do VHL before PWK. VHL also comes with a robust PDF full of really good information similar to PWK materials. Besides VHL, I also got on HackTheBox with a VIP membership so that I could practice against the retired machines. TJ Null and Ippsec have curated a list of HTB machines which are close to the PWK style of vulnerable machines and I have included that list in the ‘Resource’ section. At a minimum, watch Ippsec’s walkthroughs of those machines. Fair warning, HackTheBox is the single most addictive drug on the planet. I rooted around 15 retired HackTheBox machines and then moved onto Vulnhub. I found some curated lists of OSCP-like Vulnhub machines and rooted about 15 of these. All together I had rooted around 100 machines before taking my exam, but more importantly I felt like my methodology was finally what it needed to be for me to reliably exploit a machine that wasn’t too esoteric.

One thing I did, which was very helpful in my opinion, was a few weeks before my exam, I would grab 3-4 boxes that I had no experience with but trusted to be OSCP-like (either retired HTB or Vulnhub) and would time myself in exploiting them. I would mentally treat the experience like my upcoming OSCP exam and I felt like this helped me be more comfortable on the exam.

My weekly schedule, with a wife, kids, and full-time job, would usually entail 3 hours minimum on week nights and two separate 4 hour sessions per day on the weekend (typically from 6 am to 10 am and then 7pm to 11pm). That is about 30 hours a week. In all honesty, I kind of lost my mind with my schedule and for the most part ended up doing about 5 hours per week night and about 40 hours per week. I don’t recommend this pace for everyone. Others have been successful with much less demanding schedules, find something that works for you. Just eliminate time wasters from your daily routine and you’ll be amazed at how much free-time you open up. I found that interactions/quality time with family members went down in an absolute sense, but went way up quality wise. 30 minutes of high-quality family time is much better in my opinion than 90 minutes of time on your phone merely existing in the same room as a family member. Definitely try to find a healthy balance.

The Exam

The exam structure is a 24-hour exam with 5 victim hosts and then a second 24-hour period for you to compose and turn in your report.

Setting up the exam with the proctoring software was very straightforward and during the exam you kind of forget the proctors are even there. I had enough points to pass within 3-4 hours but wanted to get the last machine. After spending around 16 hours on the machine I was unable to even get a foothold, I actually felt like I had failed the exam haha. That box will forever haunt me.

I started the exam at around 4pm since this was when I would normally get home from work and start working in the labs every day so I thought it might feel routine to begin at this time. I worked until about 3am and then took a short 4-5 hour nap.

If you happen to fail an OSCP exam attempt, that is no problem! Lots of skilled people have failed an OSCP exam attempt, you are doing something hard remember. It is supposed to be hard. You will get it eventually if you keep trying, keep refining your methodology. You hear all the time about people passing on their 5th-6th attempt, that is truly inspiring stuff. You will pass the test eventually. A retake is $60 or so, so it’s not as financially crippling as other certification failures. Take a month and switch platforms, read some other walkthroughs, research some new techniques, add some new tricks to your game, etc.

I used OffSec’s exam report template and submitted my report about 6 hours after my lab time expired and received notification I had passed via email around 48 hours later. Do not take the report writing aspect lightly, document everything thoroughly. Triple check proof file submissions, screenshots, report format. You can fail even with 100 points of proofs if your report is not great.

Resources

You may also enjoy

Fuzzer Development 2: Sandboxing Syscalls

28 minute read

Introduction If you haven’t heard, we’re developing a fuzzer on the blog these days. I don’t even know if “fuzzer” is the right word for what we’re building,...