Having completed the e-learning’s eJPT, which I posted about here I have now embarked upon Offensive Security’s PWK course, leading to the OSCP certificate.
After the sign-up process and after waiting for my intake date, I received a series of emails giving me the course material (a PDF of a 375 pages and 149 videos), links to their lab control panel and instructions on how to download their version of Kali plus how to get to their labs via VPN.
The materials seem quite good albeit a little sparse compared to how I expected them to be. Unlike the eJPT there are no lab challenges at the end of each section (shame because I react well to that style of learning) but instead they do have some exercises which you can (and should) do. These are not marked at this stage so you could be making mistakes and not know about it. As I’m beginning to gather with OffSec, they are subtle teachers and even the simple exercises sometimes hide a bit more depth than first appears and I’ve revisted them only to find there was more to learn.
The lab consists of a large number of machines running an even larger number of applications and services. It really is quite impressive. Some I’ve found quite easy, others have been difficult and not just in a “I’ve no idea how to approach this” sort of way but more in that realistic way that you think you know what to do but it’s just not working and so you start doubting yourself. They don’t make it easy. Just because netcat is installed on your target box, doesn’t mean it’ll work. And even if it works, it doesn’t mean it’ll work on just any port – you get the idea. So far I’ve spent way too long on some boxes that in retrospect weren’t even that hard.
Of course OffSec are famous for their “Try Harder” phrase and you’ll read accounts of how people, desperate for help, have turned to the instructors only to be told to go away and Try Harder. I have to say, so far, I’ve found this portrayal a bit unfair. I was actually nervous about even asking for help but in reality I not only got help but I got it in the way I needed it. I get the impression that if you go to them whining “I’ve been trying this box for 5 days now and nothing works, what do I do” you’re not going to get handed an ABC plan of getting root. But when I’ve gone to them saying something like: “I’ve managed to find exploit A in the web app and uploaded a shell but when I try to connect back to Kali it does B and I’ve tried C and D and E, here is the code I tried but they don’t help…” then you’ll get helped in a somewhat Socratic way like “OK so which particular shell did you try?” and that one question could easily be enough to make you think “Oh shit, well I only tried one actually” and armed with that bit of info and some new-found confidence that you’re on the right track….5 mins later you’re in. I call it the “messy drawer effect” – you know when you’re looking for an item and you go through your messy drawer full of crap and you can’t find it no matter how hard you look so you give up. And then someone tells you “it’s definitely in that drawer” and you go back and find it almost immediately. You just needed to know you weren’t wasting your time.
Anyway, I’m only just into it and will update this post as things go on. I’ve just hit the Buffer Overflow exploit section which is twisting my melon somewhat so back to the grindstone…