Here are a few new resources I’ve run across in the last month or so. I’ve gone back to add these to some of my older posts, such as the Windows Privesc Resources, so hopefully you’ll find them, one way or another.
JSgen.py – bind and reverse shell JS code generator for SSJI in Node.js with filter bypass encodings
So you want to be a security engineer?
Local and Remote File Inclusion Cheat Sheet
External XML Entity (XXE) Injection Payloads
There is a new currency and payment network built by ex-PayPal employees called Initiative Q. The Q currency is currently being allocated for free if you are invited by an existing member. The idea is that if millions of people join, Q could become a leading payment network, and, according to well-known economic models, that means the value of the reward would be around $130,000. The amount you reserve upon signup decreases every day, and each member has a limited number of invites. You can use my invite link here: https://initiativeq.com/invite/Br3w9plhX
You only need to give your name and email address, then your spot is reserved. You don’t ever have to hand over a dime if you don’t want to, so there is no harm in trying it out, in case this does ever take off.
I remain skeptical, but I thought I’d share, in case anyone else is curious.
It has been close to a year since I took the Penetration Testing with Kali (PWK) course and subsequently obtained the Offensive Security Certified Professional (OSCP) certification. Since then, I have been hanging out in a lot of Slack, Discord, and MatterMost chat rooms for security professionals and enthusiasts (not to mention various subreddits). When discussing the topic of obtaining the OSCP certification, I have noticed *a lot* of prospective PWK/OSCP students asking the same questions, over and over.
The OffSec website itself covers some of the answers to some of these questions, but whether it’s because people don’t read it, or that it wasn’t made very clear, these questions keep coming back. Here, I will attempt to answer them as best I can.
Disclaimer: I am not an OffSec employee, nor do I make the claim that anything that follows is OffSec’s official opinion about the matter. These are my opinions; use them at your own risk.
- Do I have enough experience to attempt this?
- How much lab time should I buy?
- Can I use tool X on the exam?
- What note keeping app should I use?
- How do I format my reports?
- Is the HackTheBox.eu lab similar to the OSCP/PWK lab?
- Are VulnHub VMs similar to the OSCP/PWK lab?
- What other resources can I use to help me prepare for the PWK course?
Do I have enough experience to attempt this?
According to the official OffSec FAQ you do need some foundational skills before you attempt this course. You should certainly know your way around the Linux command line before diving in, and having a little bash or python scripting under your belt is recommended. That said, it’s more important that you can read code and understand what it is doing than being able to sit down and write something from scratch.
I see many people asking about work experience, which isn’t really covered by OffSec. For example, people wondering if 3 years of networking and/or 1 year being a SOC analyst is “enough.” These questions are impossible to quantify and just as impossible to answer. What you should focus on is your skills as they relate to what is needed for the course.
To do that, head over to the PWK Syllabus page and go through each section. Take notes about things that you are not sure about, or know that you lack skills and expertise in.
Once you have a list made, start your research and find ways to learn about what you need to get up to speed on. For example, when I was preparing for PWK, I knew very little about buffer overflows. I spent a while watching various YouTube videos, reading up on the methods by which you can use a buffer overflow exploit, and taking notes for future reference. Once I started the course, I was able to dive into the exercises and understand what was going on, at least a little bit beyond the very basics, which helped me save time.
In the same boat? Check out this excellent blog post about buffer overflows for something similar to what you will see in the PWK course. Also, while I haven’t tried it yet, I hear that this is a good buffer overflow challenge you can practice on.
How much lab time should I buy?
Buy the 90 day course in order to get the most out of the experience and not feel crunched for time — especially if you work full time and/or have a family.
With 90 days, you can complete the exercises in the PWK courseware first, and still have plenty of time left for compromising lab machines.
Can I use tool X on the exam?
I see this question a lot, perhaps more than any other. People want to know if it is safe to use a specific tool on the exam, such as Sn1per. The official exam guide from OffSec enumerates the types of tools that are restricted on the exam. It is pretty clear that you cannot use commercial tools or automated exploit tools. Keep this statement in mind when wondering if you can use a certain tool:
The primary objective of the OSCP exam is to evaluate your skills in identifying and exploiting vulnerabilities, not in automating the process.
If a tool helps you enumerate a system (e.g., nmap, nikto, dirbuster), then it is OK to use.
If a tool automates the attacking and exploiting (sqlmap, Sn1per, *autopwn tools), then stay away from it.
Don’t forget the restrictions on Metasploit, too.
From what I have heard, even though OffSec states that they will not discuss anything about it further, people have successfully messaged the admins to ask about a certain tool and gotten replies. Try that if you are still unsure.
What note keeping app should I use?
I wrote a lot about this already, so be sure to check out that write-up. In short, these are the main takeaways:
- Do not use KeepNote (which is actually recommended in the PWK course), because it is no longer updated or maintained. People have lost their work because it has crashed on them.
- CherryTree is an excellent replacement for KeepNote and is easily installed on the OffSec PWK Kali VM (it is bundled by default on the latest/greatest version of Kali).
- OneNote covers all the bases you might need, is available via the web on your Kali box, and has clients for Mac and Windows.
- Other options boil down to personal choice: Evernote, markdown, etc.
How do I format my reports?
Check out the example reports that OffSec provides. From those, you can document your PWK exercises, your 10 lab machines (both of which contribute towards the 5 bonus points on the exam), and your exam notes.
I do not recommend skipping the exercise and 10 lab machine documentation, thus forfeiting your 5 extra exam points. I am a living example of someone who would not have passed the exam had I not provided that documentation. Yes, it is time consuming, but it prepares you for the exam documentation and helps you solidify what you have learned in the course.
Is the HackTheBox.eu lab similar to the OSCP/PWK lab?
There are definitely some worthy machines on Hack The Box (HTB) that can help you prepare for OSCP. The enumeration skills alone will help you work on the OSCP labs as you develop a methodology.
There are definitely some more “puzzle-ish” machines in HTB, similar to what you might find in a Capture The Flag event, but there are also plenty of OSCP-like boxes to be found. It is a good way to practice and prepare.
Are VulnHub VMs similar to the OSCP/PWK lab?
See the above answer about Hack The Box, as much of it applies to the VulnHub machines too. I used VulnHub to help me pre-study for OSCP, and it was a big help. The famous post by Abatchy about OSCP-like VulnHub VMs is a great resource. My favorites were:
- All the Kioptrix machines
What other resources can I use to help me prepare for the PWK course?
There are a lot of resources that can help you pre-study before you dive into the course. I will post some here.
Along with my friend eth3real (and some pitching in from our new friend Brian), we teamed up as DefCon828 and won the Capture the Flag contest at BSides Asheville today. The loot was some cool WiFi Pineapple gear.
Last month, Jess and I won 1st and 2nd place respectively at BlueRidgeCon. I do feel bad about missing out on the lectures, talks, and socialization at these awesome conferences, but I can’t stay away from the CTFs. It’s bad.