Saturday, 19 November 2016

Keep Trying Harder (PWK/OSCP)

I have been preparing for the OSCP certification exam for a good portion of the second half of 2016; which culminated in the OSCP 24 hour (23hr 15min) challenge last weekend.

I began the challenge at 1400hrs and worked constantly for 18 hours, by which time I had one root and two low privilege shells. Unfortunately this didn't change for the remainder of the challenge.
As a result, I failed.

Looking back, I realise a number of mistakes I made in tackling the challenge.
First of all, I got one root and two low privilege shells well within the first 5 hours. I then spent the next 17 hours going in circles, becoming more and more frustrated, more tired, clock watching and becoming more worried that I wouldn't pass.
This clearly isn't the best technique.

I have found that half of the challenge appears to be time management. I was determined to power through the sleep deprivation, believing that I could cheat the performance degradation that tiredness brings; as it turns out, I'm not super human.

The tiredness itself impacted my memory. I look back and realise that I was repeating the same (privilege escalation) steps over and over again, the definition of madness...

With the clarity and soberness of a rested mind, I look back and realise that I missed some significant and obvious clues. For what appears to be one reason: The challenge itself is difficult, and rightly celebrated for that fact. As a result, I believe I had convinced myself that it would require all of the enumeration-exploitation-privilege escalation-Fu that I could summon to master it. Now I'm sure an element of that is true, however I believe I missed a big portion of what is being tested: prioritisation, time management, effective and concise analysis.

I also realise I scripted too much. I read many blog posts and forum posts written by other students that had tackled the challenge, almost all of which featured a significant amount of scripting.
Of course, I have used custom scripts constantly throughout the PWK labs, however I decided to write a monster enumeration script of epic-ness especially for the exam, I think this was a mistake.
I had forgotten that in the labs I had popped some of the most challenging machines without the use of this script. I had thrown away a tried and tested methodology for an unproven enumeration script that did the 'analysis' for me.
Although my script helped me to quickly get low privilege shells on two machines, I had robbed myself of valuable human analysis that may well have given me the edge in later privilege escalation. For which, I payed the price.

So for my own peace of mind, and potentially to the benefit of others, here is a list of what I recommend:

[1] Develop a definitive time-line and stick to it. Limit the effects of tiredness and tunnel vision as much as possible.

[2] Do not prejudge how technically difficult the challenge is. Pursue clues that you are given; don't dismiss them in the belief that it cannot be that simple.

[3] Do not repeat the exact same exploits/techniques expecting a different outcome, unless new information comes to light that changes the vector.

[4] Initial enumeration - exploitation - low priv shell - secondary enumeration - privilege escalation - root/system. It works. stick to it.

[5] Do not over script enumeration. Unless your coding up some immense machine-learning analytical script of awesomeness, no script can beat human analysis and pattern recognition.

[6] Enjoy the experience. Don't worry about failure. If I hadn't failed, I wouldn't know everything I've just written.

The OSCP challenge is, like the labs, a learning experience. Even though I am bitterly disappointed that I failed it this time; I know that it is making me a better penetration tester and that is very valuable indeed.

Saturday, 5 November 2016

Black Hat Europe 2016

This year, the Black Hat Europe conference moved from Amsterdam to a larger venue in London.
Continuing on from last year (and many years previously); Black Hat offered 100 students the opportunity to apply for free admission to the conference. I took them up on this opportunity, and for the second year running, I was lucky enough to be awarded the Black Hat Europe student scholarship.

Much like last year, I found the briefings to be exceptional. Of particular note was 'Ghost in the PLC: Designing an undetectable programmable logic controller rootkit' by Ali Abbasi and Majid Hashemi,  'Another Brick off the Wall: Deconstructing web application firewalls using automata learning' by George Argyros and Ioannis Stais as well as 'Ego Market: When people's greed for fame benefits large-scale botnets' by Masarah Paquet-Clouston and Olivier Bilodeau.

I have come away from Black Hat Europe feeling inspired and freshly reminded that there are many, many individuals who are also so incredibly enthusiastic and passionate about technology and security.

Black Hat have been so generous for the past 2 years to fund me to attend their conference and I look forward to attending next year. Although, Considering this is my final academic year, its probably about time I paid my own way (or have a generous employer who would do so on my behalf)!