Certified Information Systems Security Professional

My CISSP Journey

On the 4th of October, I finally took and passed the CISSP exam after bumping it twice. Let’s talk about my experience in studying and taking this exam.

Background

About 10 years’ experience in the IT industry. Helpdesk, retail (technology sales), web developer, systems administration, security analyst, security consultant.

Education

  • Bachelor’s degree in Network Security
  • Diploma in Systems Administration
  • Certificate IV in Database Administration

Certifications

  • OSCP
  • CCNA Cyber Ops

Studying

I began studying for this exam as soon as I got the notification from Offensive Security that I had passed the OSCP. I was in Macau at the time on an engagement for work, and used the evenings to study some practise exams. This was in April this year.

Prior to this, one of the course modules for my Network Security degree pretty closely followed the CISSP curriculum and the instructor for this class was a CISSP, so I was familiar with most of the concepts already.

I tried to study as much as possible but this isn’t a very fun exam to study for. I decided to book the exam for August to give me more motivation. As August got closer, I felt that I wouldn’t be ready for the exam so I bumped it to September. Again, I knew I wasn’t prepared so I bumped it to October 4th. This time I decided that I was definitely not going to pay the $50 USD to reschedule the exam and told myself it was locked in. I ramped up my study, and crammed during the final week.

Reading Materials

  • CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide – 7th Edition (2017) 

    I purchased this book for my Kindle back in 2017 as it was an optional book to supplement one of the course modules for my Network Security degree. Note that there is now an 8th Edition available, so you may as well get it.

    This is the official book (commonly referred to as the Sybex Book) and as such, it covers the entire CISSP CBK in excruciating detail. The problem with this book is that it is incredibly dry. It tries not to be, with some anecdotes and attempts at some light humour, but there is only so much that can be done with the CISSP material so this is a chore to get through. I tried to complete this book over 6 months but only ended up getting to 53%. After that, during my last few days before the exam, I went over the Chapter Reviews and Practise questions.

    I do think that this book is a must – even if you’re not planning on reading the entire book, it’s a great resource to supplement other material as a reference on topics that you need to go deeper on.

    The book also comes with access to the Wiley Test Bank questions (see below).

    Link (note – get the latest version available): https://www.amazon.com/Certified-Information-Security-Professional-Official/dp/1119042712

  • Simple CISSP Exam Guide – Phil Martin (Audio Book) (2018) 

    I picked this up as the only audio book I could find on the subject. I accidentally picked up the old version and after listening to it twice, once at 1.5x speed and again at 1x speed during work commutes, I discovered the updated version for the new exam and used a free Audible credit and listened to most of it again.

    As with the book, the material is extremely dry, but I think Phil does as good a job as possible. I probably only took in a fraction of this as I find it hard to focus on it, but the important thing is that every time I was paying attention, I was either learning something new or reinforcing something I already knew.

    I recommend this to anyone who commutes to work by car or is unable to read during their commute.

    Link (old): https://www.audible.com/pd/Simple-CISSP-Audiobook/B071P6YNC4
    Link (new): https://www.audible.com/pd/Essential-CISSP-Exam-Guide-Updated-for-the-2018-CISSP-Body-of-Knowledge-Audiobook/B07JVVMBTF?pf_rd_p=ba4c82a7-7c50-42e3-8a6a-89ab98524e7a&pf_rd_r=HABJ96MESSDWN7P56FW8&ref=a_pd_Simple_c5_PN_1_2

  • Essential CISSP Test Questions – Phil Martin (Audio Book) (2018) 

    I used one of my Audible credits to purchase this book after listening to the Simple CISSP Exam Guide (above). In this book, Phil reads out questions and then reads out the answer. There is no multiple choice. I personally didn’t get much out of it and probably only listened for 40 minutes in total, so I can’t recommend this style of learning unless you’re out of CISSP to listen to on your commutes, and if you do, maybe just listen to Simple CISSP again.

    Link: https://www.audible.com/pd/Essential-CISSP-Test-Questions-Audiobook/B07JDJ2QB1?pf_rd_p=ba4c82a7-7c50-42e3-8a6a-89ab98524e7a&pf_rd_r=R2B3SDRMEE50FQ5CCZTD&ref=a_pd_Simple_c5_PN_1_3

  • CISSP Study Guide – 3rd Edition – Eric Conrad (2015)

    I purchased this book on Kindle and read a few chapters. It’s the latest version and unfortunately, was published in 2015 so does not reflect the latest version of the exam. The good news, however, is that none of the information in this book will contradict the exam, so everything you learn here will be valid. I got this book to see if I could read the entire thing before my exam but hadn’t left enough time for myself despite it being significantly shorter than the Sybex Book.

    Link: https://www.amazon.com/CISSP-Study-Guide-Eric-Conrad/dp/0128024372/ref=sr_1_2?keywords=eric+conrad&qid=1571860241&s=books&sr=1-2

  • 11th Hour CISSP – Third Edition – Eric Conrad (2015)

    This is another very heavily recommended book. I did read a bit of this book, but again, it was printed in 2015 so it may miss out on some of the new material. I actually think this is too shallow and found the Sybex Chapter reviews to be more detailed but still shorter. If you believe that you already know the CBK very well and just need a few reminders, this may be helpful, but if you’re using this as your primary resource, I don’t think it will cover enough.

    Link: https://www.amazon.com/Eleventh-Hour-CISSP%C2%AE-Study-Guide-ebook/dp/B01LNFMIU0

  • Sunflower PDF

    This document attempts to be a cheat sheet for the CBK. I think it would have been great for those who put it together. Everyone recommends this, so it might be good to read over and zero in on anything that you don’t know completely using the Sybex book.

    Link: https://www.sunflower-cissp.com/glossary/cissp/5497/download-sunflower-cissp-2019-pdf-document

Practice Exams

  • Boson Exams

    I purchased the Boson Exams for the Boson Exam Engine. It costs $99 USD but you can usually get a discount coupon. Find /u/BosonMichael on Reddit and ask him if you can’t find it.

    These exams are great – there are 5 exams with 150 questions each. Every question has detailed explanations as to why each question is right or wrong, and points you to the section of the Sybex Book if you need to read more about it. Many people say that the questions are way too technical for the exam. I think my exam was pretty technical, however I think either way, this is a great resource because you SHOULD understand all the concepts on a technical level anyway.

    I did these exams sporadically during the 7 months or so that I was studying for the exam.

    Link: https://www.boson.com/practice-exam/cissp-isc2-practice-exam

  • Eric Conrad’s exams

    These exams aren’t as well known as the Boson exams, however I found them probably the most accurate to the exam. There are two exams and they are 250 questions each. This is because, as with all the other Eric Conrad material, it’s following the old exam format. There are a few errors/duplicates in the second exam to watch out for.

    The web application that runs the exam is very old and cumbersome, and you may need to open some security holes in your browser to make it work. Also, sometimes the entire website went down while I was taking the exam. I think these are very worthwhile exams to take to see where you are at.

    From memory, if you get the answer wrong, it tells you why the wrong answers are wrong, but if you get the answer right, it just tells you that you’re right but not why.

    Link: https://booksite.elsevier.com/companion/conrad/practice_exams.php

    Note: there are also some podcasts by Eric Conrad. I didn’t listen to them, but I tested and found that they still work. I found a very old blog post (2013) that details how you can download these podcasts to listen offline: http://certcircus.mintrix.net/2013/07/27/more-study-help/

  • Wiley Test Bank

    You get access to this test bank with the Sybex book. It’s a bit hard to actually find the link to get these for some reason. Anyway, the code comes inside the book somewhere towards the start. You can redeem it here: https://testbanks.wiley.com/WPDACE/Products

    Note that while it says ‘Eighth Edition’, I used the code from my Seventh Edition and it worked.

    The test bank has all of the Chapter Review questions plus a lot more (I think about 1300 all up).

  • CISSP STUDY app

    This is the official ISC2 app and I’m pretty sure most or all of these are from the same question bank as the Wiley Test Bank. It’s nice to have this on the go, but you have to pay for it again even if you have already purchased the book. I used this a lot on the bus and other random times when I had a few minutes.

    Link (Android): https://play.google.com/store/apps/details?id=com.learnzapp.wileycissp&hl=en

    Link (iOS): https://apps.apple.com/us/app/official-isc-cissp-study/id1064359987

Video Materials

  • Kelly Handerhan Cybrary CISSP Course

    I’m sure that this video course is the single most recommended study resource for the CISSP. It’s great. Kelly is entertaining and does a good job of explaining most of the important concepts.

    I first watched the old videos, I think recorded in 2015, and then I watched the ‘new’ 2018 videos later. I think I watched the new ones through nearly two times.

    For some reason the Cybrary app seems to have disappeared from the Play Store. I think it’s because when I tried using it, it was really buggy and for some reason I could only find the old video course. I could only watch from my PC.

    For some reason, both were free to watch.

    Link: https://www.cybrary.it/course/cissp/

  • CBT Nuggets

    I got a one month subscription to CBT Nuggets to access their CISSP course, as I’ve used them when studying CCNA/CCNP material previously for my degree and found the videos to be great. However, for CISSP, they are nowhere near in-depth enough. I would not recommend these videos at all.

    Link: https://www.cbtnuggets.com/blog/certifications/security/new-course-isc2-cissp-2018

  • ITDoJo Question Of The Day – CISSP

    I watched a decent amount of these and found them to be pretty good to give a deep dive on explaining answers to questions.

    Link: https://www.youtube.com/playlist?list=PLBpnwlO9U5unYmbZp2DJETNOHg8s_yW37

  • Why you WILL Pass (CISSP Mindset)

    This is a very recommended video about the mindset you should have when taking the CISSP exam. I suggest watching it, as it probably saved me during the exam.

    Link: https://www.youtube.com/watch?v=-99b1YUFx0A&t=143s

Exam Day

I booked my exam for 4PM on a Friday, so that I could have a drink afterwards either way. I had the day off work because I was quite sick the entire week, so I spent most of the week hating life while cramming. I actually learned a few things that assisted me in the exam while on the bus to the exam center because I was targeting a few things I hadn’t looked into previously.

I got to the exam center about 40 minutes early. After being signed in, the lady asked me if I wanted to start early. I was happy to start and get it over with. After being led to the exam computer, I used the ear plugs to drown out noises from other people taking exams. After starting the exam, I was unsure how I was going to do. I kept remembering the “think like a manager”, “big picture”, and “end game” mindset that everyone talks about, and there were many times where I very reluctantly chose an answer based on this thinking rather than a more seemingly straightforward answer.

My exam was actually quite technical, where it definitely helped to have delved quite deep on some of the subjects.

I also used the CAT format to my advantage – I knew that if I got a question wrong, I would get drilled on it. With a question where I was torn between two answers, I encountered a similar question later in the exam and decided that I mustn’t have answered correctly the first time. Others may be able to leverage this as well.

At no point during the exam did I feel like I was killing it. Just about every question I narrowed down to two answers, and you could easily make a good argument for either of them being correct. I felt like I was arguing semantics with myself, and answered many questions the way I felt ISC2 wanted me to answer them rather than what may more accurately align with my experience or expectations.

The exam stopped after 100 questions with probably about 30 or 40 minutes to go. I had budgeted my time for 150 and was surprised. My first thoughts were that I must have failed. I waited silently to be led out of the exam room, but no one came to get me so I left the room and the exam center people let me go and get my things out of the locker while one of them went to get the print out. I wasn’t sure how to feel at this point while I waited for the results. I had heard that if you’re handed one piece of paper, you have passed, and if you’re handed two pieces of paper, you’ve failed. I heard the exam center staff person approaching with what I can only describe as simply the sound of one piece of paper. He handed it to me and I quickly scanned the page, seeing the message that I had passed. The exam center team congratulated me and I left extremely relieved.

Study Guide

My study was all over the place; I used just about all of the materials listed above in parallel rather than in any set order. It may make sense to work out a study plan similar to the following:

  1. Read the Sybex Book, taking the chapter exams at the end of each chapter (use the online exam engine if you wish).
  2. Complete the additional exams from the Wiley Test Bank. Make a list of all questions you got wrong and read the paragraph/section of that topic in the Sybex book.
  3. Watch the Kelly Handerhan video course.
  4. Take each of the Boson exams, reading the explanations to all questions you get wrong.
  5. Read the 11th Hour CISSP book leading up to the exam.
  6. Take both Eric Conrad’s practice exams (500 questions) and make a note of what you get wrong, then read about that topic in the Sybex book.
  7. Watch Kelly’s ‘Why you WILL pass the CISSP’ video.
  8. Take the exam.

If you stuck to this, you would have read the most detailed book, the most brief book as a refresh (because it takes so long to read the Sybex book), watched the best video course where Kelly explains everything to you in a way that is much easier to digest, and completed about 2500 exam questions.

What Next?

As soon as I walked out of the exam center, I started thinking about what to do next.

CISM? – My understanding is that there is a decent amount of overlap between CISSP and CISM, so it may make sense to pursue this certification next while my CISSP study is still fresh. I’ve started putting some study material together already, starting with Phil Martin’s Essential CISM audio book.

Security+? – This exam shouldn’t be too much trouble to get and might not do much for my career, but it might be nice to focus on an easier certification after passing the OSCP and CISSP this year.

CCNA Route and Switch? – Would be good to add a networking certification to my CV and could probably achieve within a few months without too much effort.

PMP/CAPM/Project+? – I’ve slowly started studying the PMBOK and plan on adding a project management certification to my resume at some point.

Focus on my own projects for a while? – There are plenty of other projects I’d love to get time to work on – such as Cuckoo sandbox that I have pretty much working, but needs a lot more before it’s stable. It would be nice to have a break from all the studying over the past four years as well.

My OSCP Report Template

I’ve had a few requests to share my OSCP template. I was wary of doing so earlier, but this is actually the same report I would use if I was doing a commercial penetration test, and is 100% made by myself from scratch, so here it is.

Satiex’s Penetration Test Report Template.pdf

Satiex’s Penetration Test Report Template.docx

Disclaimer: I’ve removed all references to OSCP and Offensive Security from the template. The icons were from a royalty free website. Use your due diligence in using this template for any commercial engagement or submitting it as part of any exam. I make no guarantees that this will be accepted by Offensive Security or your client. I do not know Offensive Security’s stance on sharing report templates. I strongly advise using this as a guide only.

Offensive Security Certified Professional

TLDR: Do the Lab Report.

While at an airport bar in Singapore at 0200, March 31st, killing time with someone I met on the flight over from Sydney, I connected my phone to the dodgy free WiFi that caused my email client to complain about being man-in-the-middled due to the captive portal supplying its own untrusted certificate. I was about two thirds into an all-nighter for the third weekend in a row, and had just begun a 6 hour layover, before a second 4 hour flight to Macau. After accepting the terms and conditions to connect to the network, suddenly my phone started vibrating frantically, echoing 4 or 5 different notification tones as it connected to the internet after 9 hours of going dark. New email, new SMS message, new Discord message, multiple Facebook chats. I checked my email first, expecting the usual junk. The list of emails loaded, and it took me half a second to realise what I was looking at: something that I had been anxiously waiting for and constantly checking my email for since 6 nights earlier:

As I read the words “We are happy”, I took a second to make sure that it wasn’t the lack of sleep playing with me. I blinked a few times and slowly realised that I had achieved something that had been hanging over my head since nearly a year prior, and something I hadn’t heard of many others doing – I passed the OSCP exam on my first attempt. I opened the email just to be sure, before hurrying over to my travelling companion, who was at the WiFi kiosk getting her own access sorted out. I must have sounded insane as I explained that I just received confirmation that I had passed an exam and that I didn’t know if I’d passed or failed and had been waiting for an email to find out for nearly a week and that this was a really big deal.

“Congratulations!” she said, entertaining my excitement, and offering me a high-five.

“We’re getting another round”, I announced. “I’m paying”

“Dear Craig,
We are happy to inform you that you have successfully completed the Penetration Testing with Kali Linux certification exam and have obtained your Offensive Security Certified Professional (OSCP) certification.”

What is the OSCP?

It can be a bit confusing trying to understand what is involved in the course and the exam, so I’m going to try to clear a few things up here:

  1. PWK is Penetration Testing with Kali Linux. This is the course, which includes a downloadable PDF manual and accompanying tutorial videos that follow along with the PDF, and access to the Labs (VPN access to a network that houses around 50 vulnerable hosts). It also includes a single exam attempt.
  2. OSCP is Offensive Security Certified Professional – this is the certification that you gain by successfully passing the exam.
  3. You cannot take the OSCP exam without enrolling in the PWK course.
  4. The PWK Course includes 30, 60, or 90 days of lab access.
  5. You can renew your lab time for 15, 30, 60, or 90 days. When you renew your lab time, you get an additional exam attempt, however you cannot accumulate exam attempts, so you may want to use your exam attempt before renewing your lab time.
  6. You can purchase an additional exam attempt without renewing the labs for a lot cheaper.

To achieve the OSCP certification, you have to sit an exam where you have to compromise several hosts within 23 hours and 45 minutes. This exam is done wherever you like (at home) – there are no options to take the exam at an exam center. At the conclusion of the exam, you have another 24 hours to complete and submit your Exam Report – which should read like a professional Penetration Test report, and include screenshots and instructions, showing how to replicate the path to compromise the host.

The exam is proctored, meaning whenever the exam VPN is active, you will be monitored using your web cam, and your computer will be monitored using a screen monitoring application. This must be set up before you get access to the exam VPN.

The Journey

I’d heard about the OSCP in 2017, in between semesters during the last year of my Network Security degree. At the time I was very interested, but was focusing on finishing my degree. I then was lucky enough to be a part of the scholarship for the Cisco CCNA Cyber Ops course, which took the next few months of my time as I attained that certification. I found Cyber Ops to be an extremely well thought-out course, with very accurate and up-to-date material. Once I was done with that, my employer agreed to pay for me to take the OSCP course. This was around May 2018. I got access to the course material and the lab VPN.

I worked slowly through the Course Material while occasionally taking breaks to work on compromising hosts in the lab. I didn’t realise how much time working on the course material would actually take, and I didn’t get around to finishing them until a week before my exam, in March 2019, during the second time I’d renewed my PWK lab.

My Experience

I’ve read a lot of posts and spoken to a lot of people who have taken the OSCP exam, and everyone’s experience was different, and also very valuable to learn about. Some of my experiences contrast with a lot of what I’ve read and heard, so I’ve compiled some of my main thoughts about the PWK course and the OSCP exam.

I didn’t use Hack the Box or VulnHub before starting the course

The first and last time I successfully compromised a host was during my time in the PWK lab. I did have a look at resources like Hack the Box and VulnHub but I never got around to using them. Many reviews and posts I’ve read do suggest using these resources, and I agree, as the lab time is expensive. However, for me, the PWK lab was enough to prepare me for the exam, so I don’t believe you need to spend much time outside of this as I’ve seen others suggest.

I also didn’t watch any IppSec videos until after I’d submitted my exam – however I wish I had. His approach and methodology take all the guess work out of attacking a box. I do suggest watching some of his videos when you’re not working in the labs.

I submitted the lab report with all the course exercises completed

This is what saved me. Do the lab report.

You’ll be told that by submitting a Lab Report along with your exam report, you can gain 5 extra points if your exam report doesn’t win you enough points to pass the exam. Effectively, there are 105 points up for grabs, and you only need 70 to pass. It was initially unclear to me whether the Lab Report was required to be part of the same document as the Exam report or not – It’s not. It should be a separate document with the course materials as an appendix.

The Lab Report requirements are as follows:

  • Cover page
  • Report on 10 separate lab boxes, including how you compromised the box with screenshots.
  • For each box, you have to use a separate exploit/vulnerability. I was sure to include a variety of different methods to attack and escalate privilege in the boxes that I included in the report, including Metasploit, brute forcing passwords, kernel exploits, weak services, RFI, LFI, etc.
  • For each of the boxes, you need to include a SINGLE screenshot showing the IP address (ifconfig/ip addr/ipconfig), whoami, and proof.txt contents. I also included the output of a ‘hostname’ in the screenshot for good measure.
    (I didn’t realise this requirement and had only included screenshots of the proof.txt contents, so I had to scramble to complete this after my exam before submitting my reports.)
  • Appendix with each of the course exercises, answered/attempted with screenshots and explanations.

In the course material, after each chapter there are a handful of exercises, about 60 or 70 in total. Many of these must be completed while you have PWK lab access, as you need to complete exercises on lab machines or on the lab network. Some also require you to conduct a certain attack or scan on lab boxes, but you may have to work out which boxes are vulnerable, which can be very difficult and time consuming to work out. Some questions are very vague or unclear on what is required, for example, it may ask you if you were able to conduct a certain attack on any boxes in the labs. In this case if you’re unsure, check the Offensive Security forums, or show your attempt and detail your thought process. Do the lab report.

Many forum posts and blog posts that I’ve read, and many people I’ve spoken to, have said that they didn’t believe that the amount of effort and time required to complete all of the exercises is worth the extra 5 points on the exam. Many people are also very excited to start rooting boxes and treat the PWK course as a race to get as many boxes before the lab time runs out. Some of these people have also admitted that they may have passed exam attempts that they had failed, had they submitted the lab report. Do the lab report.

Another good reason to complete all of the lab exercises before working on compromising hosts is that the PWK material teaches nearly everything that you need to take down the hosts. You will need to do a lot of your own research as well, however there were times where I spent a while stuck on the lab hosts before deciding to go back to the exercises, and found what I was looking for right in the course material. Do the lab report.

I didn’t use the OSCP report template

When you begin the PWK, you’re given a report that you can use for your Lab Report and Exam Report. There was conflicting information on whether or not you had to use their report or if you could use your own, something Offensive Security should clarify. I didn’t like theirs at all, for a number of reasons, so I developed my own template that I used for both the Lab Report and the Exam Report.

My report template was as follows:

Cover Page
Table of Contents
Executive Summary
– Key Recommendations (things like implement monitoring, patch management, vulnerability management programs)
– Methodology (my approach, based off the Cyber Kill Chain)
– Information Gathering (list of hosts, including hostname, IP, open ports)
– Penetration Test (each host broken down into the Kill Chain methodology, with information and screenshots for each stage of the Kill Chain, also included a summary, vulnerability scoring, and remediation recommendations)
– Housekeeping stuff (cleaning up)
– Appendix A (all course exercises, grouped by topic and then numbered the way that they are in the Course Material, for example, Wireshark, 2.3.5.1, 2.3.5.2, etc)
– Appendix B (Exploit source code)

I didn’t compromise 40 boxes in the labs before taking the exams

Some posts I’ve read were by students claiming to have compromised 40+ lab boxes. In contrast, I compromised about 14 all up, and they were all in the DMZ network. I took down one of the ‘big 4’, and some others that I considered to be a bit harder. The point is, I don’t think it’s imperative to ensure that you compromise every single host, so long as you get experience working on different operating systems with different attack vectors and methods of compromise.

Every box I compromised, I put together a full report on, using my own customised template. This helped to reinforce my reporting methodology and also gained me the 10 boxes required for me to include in my lab report.

My exam was proctored

My exam was proctored, meaning there was someone watching my screen and webcam the entire 24 hours during my exam. The proctor changed about every 8 hours. The proctor asked me to move the web cam around my room to inspect my surroundings. I also had to run an application called Screen Connect on my computer so that the proctor could watch my screen. I had a few issues with the proctoring software:

Firstly, the proctor advised at times that they were unable to see my webcam feed. I tried refreshing the web application that was watching my webcam, and had to restart my computer a few times. This was frustrating as it interrupted scans and bruteforce scripts I was running, and I had to set up my environment again each time I restarted.

I also had problems with the Screen Connect application – it seemed to lag my computer when I had all 4 monitors running, so I turned two of them off, which wasn’t ideal as I’m used to using at least three (a screen each for web browser, VMware, OneNote/Report).

Another cause of frustration was something that I couldn’t prove, but I read a blog post where someone else reported the same issue while Screen Connect was running: it intermittently broke copy+paste between my host system and my guest system (VMware Tools). I asked the proctor about this, but was just given the copy/paste response that the Screen Connect software can’t control my computer and if my computer meets the minimum specifications, there shouldn’t be an issue.

I did email Offensive Security to report the time I’d lost due to the proctoring, and they granted me an additional 90 minutes of exam time. Unfortunately, an extra 90 minutes at the tail end of being up for 26 hours was more of a punishment at that point in time, and I didn’t end up making any more progress during this time.

I recorded my entire exam

I used Xsplit Broadcaster to record my screen the entire time during my exam and save it to my hard drive. I did this to take the pressure off myself during my report, in case I forgot to get a screenshot or forgot how I attacked a host. This made me a lot more relaxed during my exam, knowing that I would be able to go back and find any commands run or gather screenshots during my report. If you’re looking for a free tool on Windows, have a look at OBS.

My Exam

My exam was scheduled for 9AM on Friday the 22nd of March, 2019. I was very close to rescheduling the exam, because I had a few very busy weekends prior: Mum’s 60th, and we had family from NZ and the UK staying with us all weekend, and the following weekend I was at BSides Canberra all weekend, which included a few very boozy nights with no sleep as I stayed up for around 26 hours playing in the Incident Response CTF. I guess that could be considered practise for the OSCP exam -_-. As the date approached, I told myself that I should just take the exam, not sure how I would do, but may as well give it a try, as the following weekend I’d be flying out to Macau for three weeks for a threat hunting engagement.

Exam Schedule

8AM – woke up, got a few V energy drinks and some snacks.

9AM – check email. Nothing from Offensive Security to start the exam.

9.15AM – get in touch with Offensive Security. Actually, my exam starts at 10AM. Oh.

10AM – Get access to the exam. Read through instructions. Start working on the Buffer Overflow host. Watched the Course Material videos on the Buffer Overflow as I had to re-learn how to do it.

1/2PM – Took down the Buffer Overflow box. 25 points.

6PM? – Not sure what time actually, but at some point I took down the 10 point box.

9PM – Someone came over to pick up some building material we were selling. It was heavy and took about an hour to help them pack it into their van.

10PM – realised I hadn’t eaten all day, my sister and I went for a trip to McDonalds as I wasn’t bothered to make anything.

11PM – Some time around here I believe I took down one of the 20 point boxes. After gaining the initial foothold, I fired Metasploit at it to gain a low priv shell. I was able to use a publicly available vulnerability to escalate privileges.

1AM – 11AM – For what seemed like forever, I worked on the other 20 point box. I managed to gain a low priv shell, and began the long, slow process of attempting privilege escalation. I must have thrown about 8 different exploits at it, then iterated through all of the services, applications, and security configurations without getting anywhere. I still have no idea what I was missing, and would love to know what it was.

I didn’t end up spending any real time on the 25 point box, as I knew that if I could just get root on the second 20 point box I’d have enough points to pass. Without getting root, I was 50/50 on whether I’d had enough points.

The way I’d worked it out:
25 points – root (25)
20 points – root (20)
10 points – root (10)
20 points – low priv (10? There is no answer on how many points a low priv is worth, though many speculate it’s half).
25 points – didn’t attempt (0)
5 completed exam report (5)

= 70.

So I had to gamble on whether or not Offensive Security would be satisfied with my Lab Report, all my exercise answers, and my exam report, AND that they would award at least 10 points for a low privilege shell.

12PM-5PM I think I may have slept for a while.

5PM-8PM – Started working on my Exam Report.

9PM – went to my girlfriend’s place, then we both went down the road to AM//PM at Crowbar to see Slaves (who were awesome), and some friends and have a few drinks

11.30PM – drove back to my place

12.30AM-5AM – my girlfriend slept while I worked on finishing my Exam Report. Recording my exam was a big help, allowing me to go back and collect screenshots and recall how I attacked the hosts.

5.30AM – submit my Lab Report and Exam Report and received a confirmation email.

5AM? – slept

Days went by. I had no idea if I’d passed or not, and was willing to accept if I hadn’t. I started reading many posts about people’s exam experiences; many people reported that they received their results in around 24 hours. I nervously checked my email every few hours, including during the middle of the night. Every vibration of my phone made me anxious. Friday arrived with no word. Offensive Security advise that results will be received within 5 business days of submitting the reports. I emailed Offensive Security and they replied saying that they were still marking my exam.

Saturday 30th March – about to board a plane for Singapore, en route to Macau. I check my phone one last time before the 8.5 hour journey. No word.

Sunday, 31st March – 3rd weekend in a row with no sleep (I can’t sleep on planes, and now I have a 6 hour lay over in Singapore). Connect to the airport WiFi, get the email that I passed.


My Credentials Prior to starting the PWK

Many people are interested in what experience is required before starting the PWK/OSCP. In my opinion, the PWK course teaches you nearly everything that is required for you to pass the exam. You will have to do some of your own research, however I don’t believe you need much more than decent computer and TCP/IP experience, and know your way around Windows and Linux. Anyway, here is me:

Education
– Certificate IV Database Administration
– Diploma Systems Administration (Networking)
– Bachelor of IT Network Security

Certifications
– CCNA Cyber Ops

10 years working in IT
– Helpdesk
– Web Developer
– Systems Administrator
– Security Analyst

 

OSCP Update #2

After a late night session, I just took down Oracle! It was an easy one, but it took some time as I got stuck on working on an exploit that I eventually didn’t use in favour of a different one.

Some thoughts…

  • Don’t only check Exploit-DB, look at Github as well for exploits.
  • Sometimes exploits can only be run once, if you mess up, you have to revert
  • Remember that 4444 won’t always be allowed out of the target’s firewall
  • There were some issues when running a python script I ‘wget’ from Exploit-DB. Turns out the line breaks were not formatted correctly for Linux. A simple ‘dos2unix’ command fixed this. https://en.wikipedia.org/wiki/Unix2dos
  • Make sure you’re running python scripts using python, not bash!
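
The line-ending and interpreter points from the list above, as an added example that is not part of the original post: a script saved with Windows (CRLF) line endings carries a stray carriage return on its shebang line, so the interpreter cannot be found when it is executed directly. The function names and the sample file are constructed for illustration, and strip_cr is a plain tr stand-in for dos2unix.

```shell
#!/bin/sh
# Added example: inspect a downloaded script before running it.

# check_script FILE -> prints "crlf=<count> interp=<name>"
check_script() {
    f=$1
    [ -r "$f" ] || { echo "error: cannot read $f" >&2; return 2; }
    cr=$(printf '\r')
    # Count lines that end in a carriage return (DOS/Windows style).
    crlf=$(grep -c "${cr}\$" "$f" || true)
    # First line with any CR stripped, so the interpreter name is clean.
    first=$(head -n 1 "$f" | tr -d '\r')
    case $first in
        '#!'*)
            set -- ${first#'#!'}      # split the shebang into words
            interp=${1##*/}           # basename of the interpreter path
            # "#!/usr/bin/env python" names the real interpreter in word 2
            if [ "$interp" = env ] && [ -n "${2:-}" ]; then
                interp=${2##*/}
            fi
            ;;
        *) interp=none ;;
    esac
    echo "crlf=$crlf interp=$interp"
}

# strip_cr FILE: removes every CR byte in place (assumed stand-in for dos2unix).
strip_cr() {
    tmp=$(mktemp) || return 1
    # cat back into the original so its mode and owner are kept
    tr -d '\r' < "$1" > "$tmp" && cat "$tmp" > "$1"
    rm -f "$tmp"
}

# Constructed sample: a Python script saved with Windows line endings.
sample=$(mktemp)
printf '#!/usr/bin/env python\r\nprint("hi")\r\n' > "$sample"
check_script "$sample"    # crlf=2 interp=python
strip_cr "$sample"
check_script "$sample"    # crlf=0 interp=python
rm -f "$sample"
```

A non-zero crlf count means the file needs converting before use; the interp field shows which program the script expects, so a Python exploit is not handed to bash by mistake.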

Days left: 48
Rooted: Oracle, Payday, Hotline, Alice, Bob, Beta, Leftturn, Master, Dotty, Pheonix

Someone took over the Australian Prime Minister’s domain name and is boasting about it on Facebook

UPDATE 20/10/2018

My prediction was incorrect – the domain is still under control of the prankster, let’s just call him Jack (because that’s his name). Jack has apparently reached out to Scott Morrison offering to transfer it back over to him. The firm he works for have also made a press release. I have a feeling it borrows a bit from my article, but hey!

Check it out here: https://www.digitaleagles.com.au/social-media/secure-digital-assets-especially-youre-prime-minister/
————————————————————————————————————————————

So Prime Minister Scott Morrison forgot to renew his domain name scottmorrison.com.au and some dude from Melbourne purchased it and is pointing it to a WordPress installation. The simple website is just a single page with an image of the PM with Lustra’s ‘Scotty Doesn’t Know’ obnoxiously playing in the background, sparking flashbacks of early 2000’s MySpace days.

He boasted it on his personal Facebook page which has lax privacy settings, but I don’t think subtlety was part of the plan here. Even so, I’m going to sanitise all screenshots.

[Screenshot: blog31.png]
Just look at all those internet points!

A whois lookup on the domain name shows that it was purchased by the same person whose Facebook account made the post:
[Screenshot: blog32]

Soon after, the contact details were changed from his personal gmail to a separate one set up especially for this domain.
[Screenshot: blog33]
I’m not sure if he understands auDA’s policies concerning .com.au WHOIS data, because changing the email address isn’t making him any more anonymous. For those playing at home, a .com.au is always tied to an ABN or ACN.

I also checked to see if this domain actually did belong to ScoMo:
[Screenshot: blog34]

Looks like it.

That’s pretty funny! What else can he do with the domain?

Well, now that he controls the domain name, he can set up a catchall mailbox and wait for emails addressed to the PM to come in. He could then enumerate which email addresses were signed up for which services, and then initiate password resets. He could also leak sensitive information (even inadvertently), possibly calendar and contact information for other world leaders depending on how the domain was set up and used previously. So, it’s actually kinda serious. Gabor, a cybersecurity expert, posted in his blog in August about the dangers of letting a domain expire and then fall into the wrong hands.

Of course, he could also impersonate the Prime Minister by setting up an email address under @scottmorrison.com.au and sending a mean letter to the POTUS, so there’s that.

Oh. So, what can the PM do about it?

Unlike .com, which is the wild west of domain names, .au domains are governed by auDA, who outline the eligibility policies for .au and .com.au domain names. Such policies include anti-cybersquatting measures (for example, buying a domain for the sole purpose of selling it to someone else), and also requiring a genuine need for registering the domain, which should be in line with the purpose of the ABN required to register the domain in the first place.

For a normal person like you or I, we would have to lodge a dispute claim with auDA, stating that the domain wasn’t registered in good faith (it would be very hard to argue the point). It’s not clear how effective or costly this is; a Whirlpool forum discussion discusses .au cyber-squatting at length.

Of course, he’s not like us, he’s the Prime Minister. I suspect Scotty now knows, and will have contacted the right people to have regained control over the domain by COB tomorrow. I imagine our prankster will get a stern talking to, but hopefully not much else. And please, DON’T FORGET TO RENEW YOUR DOMAIN NAMES!

OSCP Update #1

So I renewed my OSCP Lab time for another 90 days, with the goal of spending a lot more time. Well that hasn’t worked out so far, but I’ll keep at it.

Something I learned about the atftp service – the ‘path’ switch doesn’t seem to work, at least not for me. According to this page (https://linux.die.net/man/8/atftpd) and the OSCP Manual, the following should start the TFTP server with /tftp as the directory.

atftpd --daemon --port 69 /tftp

Anyway, it wasn’t working for me, and I couldn’t figure out why:

until I found a helpful forum post that suggested to check /etc/default/atftpd

I guess that the path flag wasn’t overwriting the default path of /srv/tftp. After changing the path, it worked.
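
One way to check which directory the packaged service is configured to serve before relying on it, as an added example that is not part of the original post. It assumes the defaults file sets the options in a single OPTIONS="..." line with the directory as the last word; the function names and the sample file contents are constructed.

```shell
#!/bin/sh
# Added example: compare the directory in /etc/default/atftpd with the one you expect.

# atftpd_served_dir DEFAULTS_FILE -> prints the directory named in OPTIONS
atftpd_served_dir() {
    # Take the last OPTIONS="..." assignment; the file is parsed, not sourced.
    opts=$(sed -n 's/^[[:space:]]*OPTIONS="\(.*\)"[[:space:]]*$/\1/p' "$1" | tail -n 1)
    dir=${opts##* }                  # last whitespace-separated word
    case $dir in
        /*) echo "$dir" ;;           # an absolute path is the served directory
        *)  return 1 ;;              # no OPTIONS line, or no directory in it
    esac
}

# check_tftp_dir DEFAULTS_FILE WANTED_DIR
#   returns 0 on match, 1 on mismatch, 2 if no directory is configured
check_tftp_dir() {
    served=$(atftpd_served_dir "$1") || { echo "no directory in OPTIONS"; return 2; }
    if [ "$served" = "$2" ]; then
        echo "ok: serving $served"
    else
        echo "mismatch: service serves $served, expected $2"
        return 1
    fi
}

# Constructed sample modelled on a packaged defaults file.
conf=$(mktemp)
cat > "$conf" <<'EOF'
USE_INETD=false
OPTIONS="--tftpd-timeout 300 --retry-timeout 5 --maxthread 100 --verbose=5 /srv/tftp"
EOF
check_tftp_dir "$conf" /tftp || true    # mismatch: service serves /srv/tftp, expected /tftp
rm -f "$conf"
```

On a real host, pass /etc/default/atftpd as the first argument. A mismatch means files placed in the expected directory are not the ones the service hands out.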

onwards…

Rooted: alice, bob, payday, hotline, master, dotty, pheonix, beta

Days left: 73

Update

So I have plenty of existing content to upload here. So little time. I’ve begun my OSCP journey which has been taking up all of my free time. I’ve only got a few days of lab time left, after which I’ll have to extend for another 90 days. This time I’ll try and keep more of a journal of my progress. I’ve nearly got Bob, one of the harder targets…

Other than that, my band Aura Animi has two awesome shows coming up. One supporting Alpha Wolf at Hot Damn and another supporting Drowning Atlantis. Head over to our Facebook page for all the info!