So I have spent several years now working with students taking Offensive Security’s Penetration Testing with Kali Linux (PWK) - the preparatory course for the Offensive Security Certified Professional (OSCP), and I decided it was finally time to write a post on how to get the most out of your lab time.
Jump to Tips:
- Do the Exercises and Labs Together
- Approach the Labs like a Real Network
- More Power! (Brute Forcing) is not the Answer
- Practice Buffer Overflows as you go
- Do not be Afraid to get Help
- Metasploit is not Evil
- Take Notes
I initially took the course several years ago. I then built an ethical hacking elective at West Point around this course and, more recently, am helping with the curriculum development of the FullStack Cyber Bootcamp that also leverages PWK. I also have worked with (given advice, answered questions, talked trash, etc.) several U.S. Army cyber personnel working through PWK as part of either their official education or working through the course on their own dime for fun/profit. At this point, I have assisted roughly 40 people in some way through the PWK material. I find myself giving the same tips over and over so figured it was time to write this all down to save myself time in the future. If you are reading this, I assume you are about to start your journey through PWK. If you are on my obscure webpage, I also assume you have done your homework so know the experience will be both amazingly rewarding but potentially
painful frustrating at times. Trying Harder is certainly part of the experience and the learning experience. I simply hope this post helps you maximize the rewarding part of the course and while minimizing some of the unnecessary frustration.
Also, there are lots of other great posts on how to prepare for OSCP (just ask Google) so this is not going to be another one of them. Personally, I always pointed my students towards abatchy, but I’m sure others are just as good. This post is not on how to prepare but rather how to get the most out of your PWK experience. In my opinion, the point of PWK is to teach the pentest process so you don’t need any other pentest preparation as long as you meet the basic requisites (TCP/IP networking, Linux, Scripting/Programming), but I understand money/time is always a factor. I certainly do not think you can prepare too much so feel free to follow any of these posts that you want before you start.
Warning: The below contains quasi spoilers. I don’t consider them spoilers (nothing even close to writeups), but I do give hints towards where to start on the lab. If you want an absolutely pure PWK experience and to slam your head against a wall a lot, this post might not be for you.
Do the Exercises and Labs Together
The first thing I try to highlight to my students is that the manual/exercises and the lab environment should not be thought of as two separate resources (or a linear progression from exercises to labs) but two pieces of a single threaded experience. In my experience, students do the manual from start to finish as fast as possible and somewhat burn themselves out because they have no context. They then try to jump right into the lab with the same linear and hand held step-by-step approach and get smoked (overwhelmed) because they do not have content for this big shift in mentality between the two methods of training. The below plan is my recommended approach to integrate the labs and exercises to build this context without taking much away from the pure lab experience. (I talk more about the public lab below).
- Chapter 1-4
- Initial Lab Recon (map the public lab environment including IPs, Hostnames, and DNS)
- Chapter 5.1 (skip 5.2), 9-11 (skip 9.2), 14, and 16 (skip 16.7)
- So we are skipping 6-8 (all the BOF stuff), 12 (client side exploits), 13 (Web), and 15 (Tunneling)
- First Boxes - Reread Chapter 4.3 and practice on the lab (several boxes to choose from but JD is normally my recommendation).
- Chapter 13
- Alpha and Beta (they are named for a reason). Mike is also good.
- Chapter 12, 15, 17, 18 (really, read chapter 18)
- Gamma, Mike (if not already done), Jeff
- Finish the Exercises - 5.2, 6-8, 9.2, and 16.7
- More boxes! (check out this scoreboard of one of my previous classes for an example of what boxes may be more approachable as you go through the experience)
Approach the Labs like a Real Network
The lab environment is not similar to a CFT and can not be approached like a checklist
One of the more frustrating things for my students is figuring out how to approach the public labs. The machines are intended to quasi represent a real network. Each box is not created equal and some are not initially exploitable. As I mentioned above, the approach is normally to do all exercises then labs (or just jump into the labs which is also a terrible idea). They also approach PWK like other CTFs or competitions expecting some linear, progressive experience. PWK is not linear. The first IP is not necessarily the first machine to approach.
Hostname (Box Type) Matters
Think about how a real network is designed. Rule #1: HOSTNAMES matter. I can not emphasize this enough. On a real network, each box has a purpose, and the hostname helps the network designer organize these boxes. Also, some servers (like those with important network configuration and authentication functions) are more important than others. This network is no different. There is so much information in simply DNS and hostnames. Is the box a client (user) or a server? In a real network, you generally can interact with servers and can not directly interact with clients. The lab environment is similar. If it is a client (like a person’s name), you might want to be thinking more about client type attacks like password reuse from a different service or possibly a traditional client-side exploit. If it is a server, start looking to see if it has some unique purpose. Generally, this unique purpose (via the hostname) is a huge hint from OffSec about how to attack that box.
The Network Address Matters
This is less important than hostname, but it also is fairly important. IPs matter! Generally, network devices are either the first or last IPs on a network. As shown below, the lab is actually 4 networks with 2 other networks attached to the public network (Dev and IT). There needs to be a device (router) routing between public and DEV/IT. This device’s primary function is routing, but it also might be doing some port forwarding to maybe allow a client on public to access a specific service on one of the two private labs. This also might be to allow easy tunneling for students in the future. I’m staying somewhat vague for a reason, but the point is IP schemes matter and the network matters. When you compromise a box, figure out what network (or networks) you are on to help with future exploitation.
More Power! (Brute Forcing) is not the Answer
Passwords are super important (weak passwords, defaults, and reuse), but brute forcing is not.
My students want to try to brute force every login page and crack every single hash. News flash: some things are intentionally designed not to be crackable so do not waste your time. Offensive security is a business, and they are paying for these resources. Do you think they want to encourage crazy brute forcing or the highest level OpenVAS scanning? Using hydra in particular is SO slow. Use the resource they give you - both crackpot and rockyou.txt. Between these two resources and a little google-foo for some default passwords, you will be fine. If this does not work, it is [generally] designed not to work. You need to find another way in or, more often, recover the appropriate password from somewhere else. Post exploitation is very important in PWK so make sure you are gathering passwords as you go and testing for password reuse on your remaining boxes.
Tip: OffSec repeatedly uses the same hash as a signal it is not crackable, and this hash is generally for the root or administrator account. You are like the 100,000th+ person to take PWK. If crackpot does not recognize the hash instantly, there is a reason. After a couple boxes, you will understand what I mean.
Practice BOF as you go
Chapters 6-8 are not needed for the labs so you can practice these skills as you go to prepare for the exam.
The Buffer Overflow (BOF) stuff is always what initially scares my students because it is the most technically complicated part of the lab manual; however, in my experience, the BOF stuff is actually the easiest part of the exam (as long as you pay attention to detail) because it is so straight forward and you can practice exactly what you need to do as many times as you want. I certainly recommend practicing these chapters again prior to the exam, but you do not need to have this skill mastered for the labs. In fact, you will not use it on the labs. If this part is a struggle for you, just move on for now and periodically come back. By the time you take the exam, you will essentially start with a minimum of a 25 (hopefully a 30 with the exercises) because this step will become automatic with a little practice.
Do not be Afraid to get Help
You will not go from n00b to ninja overnight
Yes, you need to try harder. Yes, you need to be dedicated and work really hard to get the most value out of PWK. No, you do not need to do everything 100% by yourself. A lot of pentesting is feeling, intuition, the ability to sift through a bunch of potential attack vectors to determine what course of action is most likely to be successful. This intuition only comes with experience from compromising multiple boxes. PWK has a ton of resources built in to help you be successful. Always try the box first on your own but get help if you are stuck. This is the idea of productive struggle. You will best determine what your threshold is on your own, but I tell my students if you spend no less than 30 minutes but (generally) no more than 75 minutes without making any progress - seek help.
OffSec has several resources available like the forum and IRC [just do
!hostname]. Also, everyone should read the Alpha Walkthrough as a first step. I do NOT recommend asking another student as they do not know how to avoid simply “spilling the beans”, and live chat is generally not that helpful (lots of Try Harders). After that, move on to another problem and come back later. Simply having a different perspective later on is very helpful in tackling problems (especially if you take notes!).
Metasploit is not Evil
Metasploit gets a bad name from the script-kiddies, but the C2 functionality is really useful
Man - my students are so afraid of using metasploit because of the exam (I’ll discuss this more below), but you should not be afraid to learn initially with metasploit and then do it by hand. Crawl, Walk, Run. You will not be an instant ninja. Exploit it with metasploit. Prove the exploit works then figure it out by hand. Heck, even sit on the box and use logs, etc. to help you troubleshoot as you practice the by-hand exploitation.
Yes, you can only use metasploit once on the exam but this is really a false dilemma. First (in my experience), only one or two of the four boxes will even be suitable for a metasploit exploit so it doesn’t even matter. Secondly, you can not use Metasploit modules (Auxiliary, Exploit, and Post) on more than one machine, you can use the C2 functionality as much as you want (multi handler (aka exploit/multi/handler) and msfvenom). This functionality is pretty useful and should not be ignored. You can always use non-staged msfvenom payloads (like
shell_reverse_tcp instead of
shell/reverse_tcp) and catch them with
multi/handler is awesome so do not be afraid to use it.
A lot of people mention this fact, but I ignored it initially. Take note - they will come in super handy as you move on to other boxes. I love Keep note, but it is super outdated now. Any note taking mention will do but taking notes is a must.
I had more comments when I brainstormed this post in the shower but can not remember them now. I hope this helps. Feel free to leave a comment below and good luck on your journey.