Try Harder. No, harder! Keep going… TRY HARDER!

Try Harder! It sounds like an annoying catch phrase, doesn’t it? I thought the same when I started PWK in January.

I thought that you do, or you do not. There is no try.

Well, having now completed my OSCP exam and lab report and having been granted the OSCP certification, I now know there is no do – there is only TRY HARDER!

“Try Harder” is a hard concept to explain. It’s probably even a very individual concept to each person who does the certification – but I know for certain that the PWK labs and the OSCP certification exam challenged me more in a short period of time than just about anything else in my professional career!

I’ve done some challenging things as a developer. Designing a secure solution for single sign on from a custom mobile application into another custom application was challenging. Designing a protocol to allow a staff member to emulate student access to a major system in an afternoon was challenging. But, these were challenging in a different way. At 3pm in the afternoon after documenting the protocol for HMAC data validation in a custom mobile application, if I get tired, and assuming I have managed my time correctly, I can task-switch to something else for the rest of the day to give the grey matter a break.

That’s challenging. Putting yourself in the mindset of an attacker for hours on end, considering what they could see on the wire, what the protocols in use are, what known weaknesses the protocols have and how they can be mitigated – that’s all pretty challenging stuff. It’s also a place I thrive in!

Then 5pm comes along – and off to the pub you go. It simmers in the back of your mind over the weekend, but not much more thought is given than that.

But PWK and the OSCP exam take the concept of challenging to a whole other level. 24 hour exam. 5 hosts. 70 points required. Metasploit on one host only. No commercial tools. But, then it’s not over. Not by a long shot. You then have 24 hours to prepare and submit your lab & exam report. This in itself is a tough challenge, and if you’re also submitting your 10 lab hosts you’d better make sure they’re finished BEFORE you need to document your 5 lab hosts!

The OSCP exam itself isn’t just a penetration testing challenge, it’s a test of your stamina. It’s a test of your preparation. It’s a test of your time management skills.

It is a test of YOU.

It gets tough.

It gets really tough.

But, if your preparation is right, if your skills are on, and if the luck is with you – it all falls into place.

But. Here’s the thing. It only falls into place if you…

TRY HARDER!

It’s kind of intangible. It’s hard to explain.

If you’re considering doing PWK, you’ll just have to jump in and find out for yourself.


What the hell just happened! Did you just get PWND?

So, if you’ve been following this blog for a while (there aren’t many, but I do know of a couple) you may have just seen a whole bunch of infosec/ctf/hacking-related content added to the site.

No, my blog hasn’t been hacked.

No, I’m not a skript kiddie.

No, I don’t illegally access sites or servers I don’t have permission to access.

Yes, I do consider myself a hacker – but in the true sense of the word. Someone who uses hardware and software for purposes they were not originally designed for. Not the meaning of the word used by the media – someone who accesses systems illegally.

Yes, I do operate a small Information Security group – aimed at fostering knowledge and understanding of information security issues.

Yes, I am involved with assessing security of software as part of my full-time software development role.

Yes, I often undertake CTF challenges on the weekends.

Yes, I am aiming to move into a role with more involvement in Information Security in the future.

No, I will not hack your ex-girlfriend’s Facebook, and nor do I know anyone who can.

I was starting to operate a small blog hosted on WordPress.com to host all my CTF and security related content, but it was then becoming a little annoying to have this blog sitting here, only hosting brewing content. I can’t see a reason why it can’t do both, so I imported all the images and content over here.

So, from here on there won’t be ONLY homebrewing posts, I’ll be posting on information security related topics too. There are a stack of homebrewers who are in the IT industry too, so I think that content will also be kind of interesting for some of you anyway. Likewise, InfoSec people are often basically functioning alcoholics too – so they’ll probably get something from the homebrewing content too 🙂

Enjoy!

Red Team Engagements

I just LOVE this video! It’s coverage of RedTeam Security doing a Red Team engagement on a small US Power Company.

This has completely confirmed my desire to move into a hands-on white-hat penetration testing career (having spent the past 15 years as a developer and sysadmin), and it was a major driver for me to start doing CTF challenges before I get into doing the Offensive Security Certified Professional certificate, via the Pentesting with Kali course.

NullByte CTF – Walk Through

This is a writeup of the NullByte CTF challenge which can be found on VulnHub.

I really wasn’t sure what to do next after the last challenge, but this one looked as good as any!

I ultimately headed down the slightly wrong path at the end here, but I learned a lesson from that in itself. Also I learned about manual, blind SQL Injection rather than using SQLMap to do all the dirty work, so that was nice.


Minotaur CTF – Walk Through

This is a writeup of the Minotaur CTF boot2root CTF VM which can be found on VulnHub.

This is my first CTF writeup, having previously done a couple of CTF challenges with varying levels of success. In each of the previous challenges I’ve done, I have had to look at other walkthroughs to get an idea of the next steps required. Pleasantly however in a couple of cases, the next step was what I’d assumed it would be – but thought to myself “Naa. That doesn’t seem right.”, only to find that in the walkthrough, that’s what they did.

For this CTF Walk Through, I’m going to give it my best go, without looking at other walk throughs. That is until I crack the shits and go looking for hints 🙂
