Being generous of nature, I thought I’d share how to stuff up the exam of the Offensive Security 101 course. All the blog postings I’ve found on the exam are about how people succeeded. Well, this is a bit different. I managed to get a remarkably poor result, which I can attribute to the following:
- Not being prepared to spend the full 24 hours to complete the exam
- Not having the right mind set to work through processes and think like an attacker
- Not documenting fully and double checking and confirming results
- Not taking fresh air breaks
- Not having enough experience
- Quite possibly being a whiner
For mere mortals like myself, who don’t spend their time looking for applications and systems to attack, the simple frustration of working through each service to find a hole to get a foothold is “interesting”*.
*Insert swear words of choice
When attacking a system, the process is simple:
- Find a live IP address
- Discover the services on the IP address
- Search for vulnerabilities for that service
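The three steps above in code, as an added example that is not from the original post: a small Python parser for nmap’s greppable (-oG) output that turns a scan into the list of live hosts, the open services on each, and the version string you should be searching for (rather than Googling vaguely for the service name). The scan output embedded below is a constructed sample with made-up hosts and versions, so the script runs offline; the field layout of the Ports entries (port/state/protocol/owner/service/rpc/version) is the real -oG format.

```python
"""Parse nmap greppable (-oG) output into live hosts, open services and search terms.

Added example, not code from the original post. SAMPLE_GNMAP is a constructed
scan (hosts, ports and versions are made up) so the script runs offline.
"""
import re
from dataclasses import dataclass

# Constructed sample of `nmap -sV -oG` output; fields are tab-separated.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -sV -oG lab.gnmap 10.11.1.0/24
Host: 10.11.1.5 ()\tStatus: Up
Host: 10.11.1.5 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.3.4/, 22/open/tcp//ssh//OpenSSH 4.7p1 Debian 8ubuntu1/, 139/open/tcp//netbios-ssn//Samba smbd 3.X - 4.X/\tIgnored State: closed (997)
Host: 10.11.1.9 ()\tStatus: Up
Host: 10.11.1.9 ()\tPorts: 80/open/tcp//http//Apache httpd 2.2.8/, 443/filtered/tcp//https///, 8080/open/tcp//http-proxy///\tIgnored State: closed (997)
Host: 10.11.1.22 ()\tStatus: Down
# Nmap done -- 256 IP addresses (2 hosts up) scanned
"""


@dataclass(frozen=True)
class Service:
    host: str
    port: int
    proto: str
    name: str      # nmap service name, e.g. "ftp"
    version: str   # nmap version string; empty when -sV could not fingerprint it


_HOST_RE = re.compile(r"^Host:\s+(\S+)")


def parse_gnmap(text):
    """Return (live_hosts, services) from greppable nmap output.

    live_hosts: IPs reported 'Status: Up' or that have a Ports field, sorted by octet.
    services:   one Service per port whose state is 'open' (filtered/closed are dropped).
    """
    live = set()
    services = []
    for line in text.splitlines():
        m = _HOST_RE.match(line)
        if not m:
            continue  # comment and blank lines
        ip = m.group(1)
        for field in line.split("\t")[1:]:
            if field.startswith("Status:"):
                if field.split(":", 1)[1].strip() == "Up":
                    live.add(ip)
            elif field.startswith("Ports:"):
                live.add(ip)  # a host with a port table is up by definition
                for entry in field[len("Ports:"):].split(","):
                    parts = entry.strip().split("/")
                    if len(parts) < 7:
                        continue  # malformed entry; skip rather than guess
                    port, state, proto, _owner, name, _rpc, version = parts[:7]
                    if state != "open":
                        continue
                    services.append(Service(ip, int(port), proto, name, version.strip()))
    return sorted(live, key=lambda h: tuple(int(o) for o in h.split("."))), services


def search_terms(services):
    """Split services into (what to search for, what still needs a manual banner grab).

    queries: (host:port, version string) pairs; the version string is the
             'blindingly obvious' thing to search, not the bare service name.
    todo:    open ports nmap could not version; these need manual enumeration.
    """
    queries, todo = [], []
    for s in services:
        if s.version:
            queries.append((f"{s.host}:{s.port}", s.version))
        else:
            todo.append(f"{s.host}:{s.port}/{s.name}")
    return queries, todo


if __name__ == "__main__":
    hosts, svcs = parse_gnmap(SAMPLE_GNMAP)
    print("live hosts:", ", ".join(hosts))
    queries, todo = search_terms(svcs)
    for where, what in queries:
        print(f"{where:<18} search for: {what}")
    for item in todo:
        print(f"{item:<18} no version string: grab the banner by hand")
```

Running it against a real -oG file (swap SAMPLE_GNMAP for the file contents) gives you a written list of what each host exposes and exactly what to search for, which is the kind of record the post’s note-taking tip is about; the todo list is the set of services you cannot yet claim to have enumerated.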
After that successful discovery process, I developed these totally unsuccessful process steps:
- Ignore the blindingly obvious results from your own scans
- Spend ages Googling and finding nothing that really fits
- Grasp at straws and download anything that had the service name in it or sounded vaguely like it
- Try to adapt code that mostly wasn’t going to work, while not understanding how the author was attempting to do it in the first place
- Watch the poorly compiled code fail to do anything and wonder why I didn’t have a root shell prompt
- Stare into space for long periods
- Mutter to myself
- Contemplate a career in herding mice with elephants, blowing stuff up or becoming a reality-tv star
- Come up with something equally unlikely to work
- Back to step 1
After a number of hours of going through this process it’s somewhat disheartening, especially when you seem to get zip-all back. Letting all that frustration build up and not taking time to have a break is how to fail the exam. Simple.
The exam: a post mortem
While reviewing what went wrong during the exam, a friend commented that I should be used to dealing with similar frustrations as a sysadmin. My response was that without experience of the methods to get a foothold, you effectively end up throwing mud at the target and seeing what sticks. As a sysadmin, that’s usually the last resort, which you should never do with production systems.
As a great example of this, I was oddly very hesitant to run things that I didn’t really understand and that could break the target. I struggled to take in the simple statement that the lab machines are there to be broken. It was weird: I build hundreds of machines each year with the purpose of testing, and invariably breaking, them, so why was this different?
It wasn’t different, it was a failure of adjusting my mindset to fit the situation and letting implied pressure of the exam get to me. I’d read other blogs about how people struggled and let their stories compound the “this is going to be really hard” mindset. I hit a wall at a certain point and refused to attempt to climb it.
That’s when I failed.
I honestly thought, “Well, I’m crap at this, let’s never bother with penetration testing again and I’ll stick with my day job.”
This is where friends, time and a good night’s sleep make a world of difference.
In the few days after failing the exam I gathered up all my notes and records, reviewed them and cleaned them up into an ordered fashion. I realised I had a huge amount of information I hadn’t applied, taken into account or even tried. With some, okay, a lot of encouragement from friends, the exam was re-booked. I had twenty days to get back on the program. I did some serious reading and re-practising of some of the lessons, while attacking home-built systems.
My second exam try was a very different experience. I went in with goals and enforced break times. My notes and thoughts were well detailed and ordered. I reviewed my notes and findings after each break, which helped keep a clear perspective of what I was doing and what I’d tried. This time round I completed the exam in 8 hours, successfully getting all the targets in that time. I still made some stupid mistakes, but being able to review my notes I corrected my mistakes after taking a break or two. The only real mistake I didn’t correct was burning the same pot twice while attempting to cook pasta during food breaks. Oops.
Failing the exam was actually a great lesson in itself and worth the 12 hours I spent feeling sorry for myself, staring at “impossible” targets to hack during the first exam. I knew the targets could be hacked, but by putting them in the “too hard bucket” I wasn’t giving myself a fair chance.
Top three tips
Study with someone else; it’s great to bounce ideas off them and helps you get a better understanding of questions and topics.
Lurk in the IRC chat room and trawl through the forums; there are great gems in there.
Remember to review your findings and double check them. It’s all too easy to make simple mistakes and get disheartened despite having the right freakin’ answer all along.
Thanks Damian and Ash for your encouragement and having to put up with my whining/rants.