Didn’t have much time over the weekend but still was able to catch Google CTF Quals. Very tough challenges, no wonder it’s close to 100 rating weight.
This year I decided to try OSCP certification. It took a lot of effort but I passed the exam successfully last month.
From what I have seen, OSCP and other Offensive Security certifications are fairly unusual - most other popular certifications are really “book” exams, something you can read, memorize, and maybe even cram for. OSCP on the other hand is as hands-on as you can get, and that gives it unique value. When you see “OSCP” next to someone’s title you can tell that the person has real practical hacking skills, and hasn’t just read a book on the subject. This is not to say other certs are not valuable, but OSCP in my mind is in a class of its own.
Lots of blog posts have been written on the subject, and a lot of them helped me prepare (thank you to those who wrote them!). Below I’ll share a few random thoughts on how I approached preparation for the exam and what advice I would have given my past self.
Preparing for OSCP starts with the course and continues in the practical lab. The amount of time you spend there depends heavily on your schedule and past experience. I have a fair bit of pentesting and software engineering experience, so I decided to go with 2 months of lab time. My family commitments, however, made it hard to find more than a few hours of lab time every day. In the end I spent about 3 weeks going through the course and completing exercises, and then a little over a month in the lab. It was grueling, and I think I would have benefited from more time in the lab, so if you have the time and finances to extend the lab - take advantage of that.
I feel that the ability to work in the lab is the most important part of OSCP; this is where you get your money’s worth. It’s a little counter-intuitive to say that, but to me it’s more important than actually passing the exam - the skills you acquire and practice are what will matter in the long run. A person who learned a lot in the lab and maybe failed the first exam will in the end be better off than one who didn’t work hard in the lab and passed the exam by some lucky circumstance.
There are 3 areas of preparation that I concentrated on - mental, physical and technical.
Mental prep for the exam is probably the most important one. When you feel calm and composed you can methodically grind all obstacles down. When you are frustrated and panicking your brain shuts down. Finding vulnerabilities requires patience, attention to detail, and creative thinking - and stress is a killer of these qualities.
Some people complain that the exam systems are harder to exploit than the ones in the lab - I didn’t find that to be the case. That’s not to say the exam was easy - I just found it as hard as exploiting machines in the lab. I think the reason the exam seems harder to some is that in the lab you are relaxed and can calmly explore your targets, while during the exam you are stressed and under the gun to meet the deadline, which makes everything more difficult. Practicing calming myself down, and persuading myself that even failing the test is not a big deal but rather yet another step in my learning, helped me stay more relaxed and think more clearly.
The brain gets tired after a while, so it is important to remove as many steps requiring mental energy from the exam as possible. Any time you need to write a script, research a code snippet, or look up a piece of information it drains your brain power a little - so doing as many of these things in advance as possible helps free mental energy for actually looking for vulnerabilities. I prepared a lot of scripts for running scan tools, building reverse shells, compiling exploits, and so on; put together lists of commonly used code snippets; precompiled some of the exploits; and so forth - all of which helped me think less about the operational side of things, and more about my targets.
Another method that helped was switching context and taking mental breaks. It is often recommended that if you hit a wall with one system, or spend an inordinate amount of time on it without progress (e.g. 2+ hours), you should switch to another system. This was very true for me: switching between systems helped keep things fresh and allowed me to take advantage of the “unconscious mind”. Some of the breakthroughs I had occurred when I put the problem I was trying to solve out of my mind completely and concentrated on something else.
Much has been said about getting enough food, drink and rest during the exam - and it all makes sense. When your body is well nourished you can fire on all cylinders.
Frequent rest is important, so taking a quick break to walk outside, or to lie down to rest, definitely helps one recharge. I’ve found that power naps do wonders for giving me an energy boost - as long as I do not sleep for too long and become groggy.
Here are some of the things that I found on the technical side of the equation:
Host machine setup. You have to make sure not only that your host machine OS is on the list of supported OSes, but also that it supports a camera and can run Java JNLP apps. I was using a Kali VM on a Kali host (yes, I run Kali on Kali, ‘coz that’s how I roll), which is supported - and yet I had to scramble to set up my machine during the exam to get it to run JNLP apps - my Java version was too fresh and had that functionality disabled. In the end installing Iceweasel solved the issue.
Types of systems. In the exam you will likely get a mix of Windows and Linux machines, some easier, some harder (which is reflected in the points awarded for each one). The systems I had reminded me a lot of the types of systems in the course and the lab, so don’t expect something completely out of the ordinary. On the other hand, some of the machines I had were at the very latest patch levels - in those cases kernel exploits are not an option; you have to look for a vulnerable application or a misconfiguration that you can take advantage of.
Enumeration. It has been said that enumeration is key in the exam, and I think that flows from the very nature of this course. We are trying to apply known exploits (with minor modifications) to vulnerable systems - and before you can do that you have to fully understand what exactly you are dealing with. You cannot exploit what you don’t understand. Once you fully understand your target you give your brain enough “food” to chew on, and ideas for different things to try start to flow.
Curve balls. Of course the exam would be too easy if you could just apply a known exploit and call it a day. So do expect decoys, and vulnerabilities that are real but not fully exploitable. That’s again why enumeration is so crucial - if you have a full picture of the system then you have a list of things that you can try, not just the most obvious, low-hanging fruit. On one of the systems during the exam I found a very obvious vulnerability, and yet the last step - overwriting the file that I needed - was not possible. However, with the help of thorough recon I found a misconfiguration that I could combine with this vulnerability to take it in a whole other direction and retrieve a file that allowed me to get a shell. So be ready to get creative and combine different vulnerable pieces together.
Go from simple to complex solutions. Sometimes the vulnerability that you are looking for may be hiding in plain sight, so be methodical in trying all ideas, even the ones that seem too easy. Take a step back and think before jumping in. It may be tempting to start bruteforcing the login - but maybe try a list of known default credentials first? You could start compiling and running kernel exploits, but first see if there is an application installed that should not normally be on the system and that is vulnerable.
Weak areas. Much has been said about extra practice for the skills that are your weakest - that rang very true for me during the exam. I knew that my Windows privesc skills needed more work but did not practice them enough - and (of course) got stuck with Windows escalation on 2 systems. If you know that you are weak at something - spend extra time practicing it.
Staying organized. Keeping your research, notes, logs, and screenshots organized is absolutely critical. The human brain has limited bandwidth and things can very easily be missed or forgotten. I found KeepNote invaluable for keeping track of everything - whenever I was investigating a machine I created a node in the document tree for it and created sub-notes for enumeration logs, code snippets, todo lists, and other information. Searching and taking snapshots was very easy from within the tool, and everything you enter is automatically saved. As I gathered evidence I added new ideas to the todo list for each machine and then came back to try them.
Documenting your work. Do not cut corners on documenting all your steps, even if it feels that you are stating the obvious. The same goes for screenshots - take plenty, especially the ones that contain the output of proof files and i[fp]config (also note that ifconfig may be missing on newer systems - use ip addr in that case). Before you finish the exam re-check that you have captured everything that you need for the report. You will be kicking yourself the next day if some crucial piece of evidence is missing. Overdocumenting seems like overkill but actually reinforces a valuable skill - if you will be interacting with clients and colleagues in your career you will inevitably need to learn to communicate technical information in a clear and detailed way, with any claims you make backed up by evidence.
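The two points above - preparing operational helpers in advance, and capturing the proof evidence (date, hostname, user, interface listing via ip addr with an ifconfig fallback) before leaving a box - can be folded into one small POSIX shell helper. The script below is an added example written for this page, not a script from the original post; it assumes a notes directory with one sub-directory per target (the layout is an assumption), and the proof file path and label in the usage line are constructed sample values.

```shell
#!/bin/sh
# Evidence-capture helper (added example, not from the original post).
# Assumed layout: <notes_dir>/<target_label>/proof-<timestamp>.txt

# Pick the interface listing tool: prefer ip, fall back to ifconfig,
# which is missing on many newer systems.
iface_tool() {
    if command -v ip >/dev/null 2>&1; then
        echo "ip addr"
    elif command -v ifconfig >/dev/null 2>&1; then
        echo "ifconfig"
    else
        echo ""
    fi
}

# capture_proof <notes_dir> <target_label> [proof_file]
# Writes a timestamped record of the items worth having in the report
# and prints the path of the file it wrote.
capture_proof() {
    notes_dir="$1"; label="$2"; proof="${3:-}"
    mkdir -p "$notes_dir/$label"
    out="$notes_dir/$label/proof-$(date +%Y%m%d-%H%M%S).txt"
    {
        echo "=== $label proof capture ==="
        echo "date: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "hostname: $(hostname 2>/dev/null || cat /etc/hostname 2>/dev/null || echo unknown)"
        echo "user: $(id 2>/dev/null || echo unknown)"
        tool=$(iface_tool)
        if [ -n "$tool" ]; then
            echo "--- $tool ---"
            $tool 2>&1 || echo "($tool failed)"
        else
            echo "--- neither ip nor ifconfig is available ---"
        fi
        if [ -n "$proof" ] && [ -r "$proof" ]; then
            echo "--- $proof ---"
            cat "$proof"
        elif [ -n "$proof" ]; then
            echo "--- $proof: NOT READABLE, re-check before finishing ---"
        fi
    } > "$out"
    echo "$out"
}

# check_evidence <notes_dir>
# End-of-exam checklist: report every target directory that has no
# proof capture yet; returns 1 if anything is missing, 0 otherwise.
check_evidence() {
    notes_dir="$1"; missing=0
    for d in "$notes_dir"/*/; do
        [ -d "$d" ] || continue
        if ! ls "$d"proof-*.txt >/dev/null 2>&1; then
            echo "MISSING proof capture: $d"
            missing=1
        fi
    done
    return $missing
}

# Usage (constructed sample values):
#   capture_proof ./notes target-lab-01 /path/to/proof.txt
#   check_evidence ./notes
if [ "$#" -ge 2 ]; then
    capture_proof "$@"
fi
```

Keeping the capture in a plain text file next to the screenshot means the report can quote the exact output rather than a transcription of it, and running check_evidence before submitting catches the "forgot the proof on box 3" mistake while there is still time to fix it.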
Tools and resources. The following are the tools and resources that I got the most value out of during the exam and lab (of course lots of others were used as well, but these were the most helpful):
All in all it was a hard and stressful journey, but a very rewarding one. I’m already starting to miss the lab. :)
This is my first time trying Facebook CTF (was it on in previous years?). The platform was not very stable - frequent errors and downtimes, but that did not affect the offline challenges, so no biggie. The challenge quality was top notch, definitely not a beginner level CTF. Thanks for the good times!
This year’s SANS Holiday Hack Challenge (KringleCon) was again very enjoyable. There was a lot of new stuff to learn and practice. It’s very impressive that the SANS team would spend so much time and effort every year to build this great free learning event for us. Thanks guys!
HXP CTF was as great as last year - well done guys! Well organized, went without a hitch, challenges were tough and mentally stimulating. Solved several, came really close on a couple more. No matter how many ways you know of exploiting something, there is always one more - HXP challenges are great examples of unorthodox approaches to doing things.
I have mixed impressions of Kaspersky Industrial CTF - it was unusual to have no live chat, no announcements, no varying degrees of challenge difficulty; the “industrial” nature of the CTF was not reflected in the tasks. On the other hand the challenges were interesting and hard, so it was a great learning experience with lots of variety - from PHP serialization to .Net obfuscation. In any case - time well spent.
Another great CTF from ASIS. Clean interface and solid infrastructure. Great learning experience!
Volga CTF didn’t disappoint - very smoothly run, and the challenges were pretty inventive and quite complex. Great job organizers!
Challenges in Sharif CTF were a good mix of different levels of difficulty. It didn’t help that for about 6 or 7 hours the site went offline due to some IP blacklisting issue and was hard to reach from outside Iran. Lesson learned: download offline challenges early in order to avoid twiddling thumbs during possible outages.
2017 SANS Holiday Hack Challenge (HHC) was awesome this year - just as expected! A great mix of fun and education, and a perfect way to spend the down time during the holidays.
SECCON CTF didn’t disappoint this year either - lots of interesting challenges of all levels of complexity, all running without a hitch. A good brain workout!
Some very interesting and challenging tasks in HXP CTF. A well organized and managed event. Thanks HXP, I had a lot of fun (and stress)!
Pwn2Win was an interesting event - it ran pretty smoothly, challenges were … challenging and the admins were responsive. It’s the first event that I saw that uses NIZK for scoring, which should be a good way to cut down on questions about scoring reliability and fairness. Thanks for the great competition and learning experience!
FLARE-ON 2017 was very rewarding - what a great opportunity to sharpen reverse engineering skills! I ran out of time in the middle of the last challenge but the whole thing was still totally worth it. Big thanks to the organizers - I’m looking forward to trying it again next year!
HackIT ran on August 25-27 in Kharkiv, Ukraine. Lots of challenging tasks, most of them well done. Some stability issues, but organizers were on the Telegram channel and corrected problems as they came up. Thanks for the fun event!
RCTF is a fairly new event, however the quality of challenges was surprisingly high, as was the overall organization. All in all - a fun competition.
DEF CON CTF Qualifier was humbling. No cheesy challenges here, I had to sweat for every one of them. The site design seemed very minimalistic, but flashy UI is not what it’s all about.
No shortage of tough challenges in PlaidCTF… Overall a very impressive competition, no wonder it’s considered to be one of the top CTF events. I guess mature CTFs all had enough time to polish their UIs and gain enough experience to make sure their events go smoothly and with few hiccups.
ASIS CTF Quals was organized very well. Sleek site, well-designed challenges, and organizers responding in a timely manner on chat. I was impressed! As usual - lots to learn and plenty of problems to agonize over…
Organizers did a great job with VolgaCTF Quals, you can tell that they have been doing this for several years. Things were very well set up and thought through, and most of it went without a hitch. Some of the online challenges were kind of slow, but the admins seemed to be responsive to requests for help and fixed challenges fairly quickly when they went down. I had a great time and learned a lot.
0CTF was a tough event. What does not kill me makes me stronger! Not to mention it’s a great way to gain lots of practical knowledge fast…
Just took part in a very challenging Boston Key Party CTF. Although I solved just one problem, the competition made me take an in-depth look at several areas I have not dealt with before. All in all a great opportunity to expand my knowledge!
Codegate Prequal CTF was a very tough competition, the first one I have seen with almost exclusive emphasis on Reverse Engineering. Still, it was a great learning experience, which highlighted what areas of RE I need to read up on and practice.
Challenges in Alex CTF seemed easier than the ones in some of the other CTFs I have seen and the 3 days to complete them was pretty generous. That’s the best way of doing it, I think - when stress is lower you can think more creatively and come up with higher quality solutions.
This Christmas I took part in SANS Holiday Hack Challenge - and had a blast! What a fun ride it was. Modeled as a retro computer game it had security challenges masterfully woven into the script, making for an entertaining experience that also teaches important lessons about various security vulnerabilities.
33C3 CTF was intense! This is the toughest CTF I’ve been in so far. A very humbling experience…
SECCON 2016 Online CTF ran for just 24 hours. This definitely makes for a more intense competition, especially since the challenges did not seem to be any easier than the ones at 48-hour events.