Pentesting with Backtrack/OSCP Review

posted Nov 5, 2012, 3:37 PM by Beau Bullock   [ updated Oct 4, 2013, 12:43 PM ]
Dedication, perseverance, and trying harder are what it takes to be granted the title of Offensive Security Certified Professional. There are already a lot of good reviews of the Pentesting with Backtrack course offered by Offensive Security, but I feel my own experiences may add to them. If you have read any of the other reviews then you already know that I am not able to give any details about specific lab or exam boxes. Besides, if you are planning on taking this course, that would ruin all the fun!

The course materials consist of a 330+ page lab guide and a series of instructional videos to go with each chapter. Within the lab guide you will find a very broad range of topics, including Backtrack basics, information gathering techniques, service enumeration, port scanning, ARP spoofing, buffer overflow exploitation, Metasploit usage, SSH tunneling, password attacks, physical access attacks, web application attack vectors, and much more. The way the videos are presented makes each topic easy to follow. Probably the most important part of the course is the lab itself. You can purchase lab access in increments of 15, 30, 60, or 90 days. I highly recommend doing at least 60 days in the lab. The first week or two you will want to focus on going through the lab guide and videos and only briefly touch the lab for some of the techniques taught in the guide. Once you complete the lab guide, jump into the lab and hold on tight, because you are in for a lot of pain, agony, reward and great self-satisfaction. During your time in the course make sure to visit the Offsec forum and jump into the Freenode IRC channel #offsec to network with other Offsec students and administrators. Don't hesitate to ask for assistance if you need it, but be prepared to receive the notorious "Try Harder" response. The secret to asking for assistance is to have a very specific problem you are trying to solve. Details are very important. Don't just say you can't penetrate a box. Explain in detail the steps you've taken to eliminate every possible exploitation avenue and you may be given a nudge in the right direction. Still, don't expect anyone to hand you anything during the course.

The lab itself is a massive hacking playground. It is set up like a standard corporate network. It is divided into four subnets with a few firewalls in between networks. You will find Windows hosts, various Linux flavors, firewalls, and maybe even a Mac! You may even run into some users to interact with. Know that every host CAN be compromised. Some are easy, and some may take weeks of analysis and research. I compromised about 95% of the lab environment. Be prepared to spend hours upon hours of time in the labs, as they are very addictive (hopefully you have a very patient/understanding spouse). Also, make sure to keep really good notes. I used the recommended KeepNote tool in Backtrack to consolidate all my notes and screenshots. Since the lab is so massive it is easy to move on to another target and forget what you have done previously. Part of the course is writing a full penetration test report of the vulnerabilities and how you exploited them. It is not mandatory to do this for the lab, but they say it may weigh in your favor during the exam. I recommend doing it. My report ended up around 120 pages. It should come in handy as a reference guide for future pentests.

In order to be successful in PWB one must learn to be extremely resourceful and very creative. You have to be able to look at a system from all angles, each service individually, and then everything as a whole. There are times when a service alone may not be vulnerable to an exploit, but that same service coupled with a secondary mechanism (a user action, a process, a misconfiguration) happening somewhere else may provide an avenue for penetration. You must also not rely on the lab guide alone for this course. It is a great introduction to pentesting, but many of the exploitation techniques you will need to learn on your own from other resources. Specifically, the topic of privilege escalation was one of the most complicated and tedious things to learn. But don't worry, as there are many great resources already available on the internet detailing this and many of the other techniques you will need to be successful.

The main reason one takes PWB is to gain the skills necessary to obtain the coveted OSCP certificate. The OSCP is different from most security certifications, as there are no multiple choice questions on the exam. In fact there are no questions at all. During this extremely hands-on technical challenge you are given 24 hours to do a successful penetration test against 5 servers. The goal is to obtain Administrative or root access to the systems. The best part about the exam is that you cannot use a vulnerability scanner and you can only use Metasploit on a single target. Some recommendations I would give for those preparing for the exam would be to compromise as many hosts as possible in the labs. Make it a goal to at a minimum get into the admin network, and then go back and pop any of the boxes you may have skipped over. Make sure you have a strong understanding of service analysis, privilege escalation, and custom code writing/modification. Also, make sure you have notes/cheat sheets handy. Personally I scheduled my exam for 10 AM so I would be well rested for the grueling 24 hour period ahead of me. My exam day went like this: I woke up around 8:30 AM or so, had breakfast and a cup of coffee and just relaxed before getting the email containing my exam guide and VPN connectivity pack. I began working on the first host, compromising it about two hours in. I took a break to eat lunch around 1:00 PM, and it took me a mind-bending 7 hours to successfully get administrative access on the second host, which put me at about 8:00 PM. After 10 hours in, my brain started to feel like it was eating itself. But I was then able to compromise the third server an hour or so later, putting me at 9:30 or 10. With three servers down and unprivileged user access on the other two I was feeling pretty confident I would pass. Well, it took me another 4 hours to finally get root access on my fourth host. At 2:30 AM I had attempted to escalate privileges on my final host for a few hours to no avail, but I had enough points to pass, so I decided to finish my report write-up and submit it to Offsec for review. Two days later I received my confirmation email stating that I had passed the exam. It was by far the most satisfying email I have ever received.

To conclude this review I really would like to thank the Offsec team for providing such a great avenue for learning. In my opinion the course and lab are brilliant. If you are interested in security and want to dive deeper into the world of penetration testing, I highly recommend you consider Offensive Security's Pentesting with Backtrack course. Just keep in mind that this course is not for the faint of heart. You will need to dedicate the majority of your free time to the course and labs in order to succeed. But the payoff for your hard work will be great. If you start to get discouraged, take a break or move on to another box. Also, don't hesitate to retry exploits, as they sometimes fail intermittently (a memory corruption exploit in particular can depend on timing or layout that differs from one attempt to the next). Above all, remember to always...Try Harder!

Helpful Resources:

Research - If you aren't familiar with this word you will be. Google is your friend. Just remember that someone has done this before you and probably posted something about it on the internet somewhere.

Go through the Metasploit Unleashed course (it's a free course offered by Offsec... why not take it??)

G0tmi1k Privilege Escalation Guide

Searchsploit - Search for local exploits within Backtrack - 
root@bt:/pentest/exploits/exploitdb# ./searchsploit kernel 2.6 linux local|sort -n
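The Backtrack-era searchsploit was essentially a grep over the Exploit-DB index file (files.csv): every term you pass must appear in a row, matched case-insensitively, and a term may hit the path or platform column rather than the description, which is why adding "linux local" narrows the results to local exploits. The script below is an added example written for this review, not the original searchsploit script, re-implementing that matching so the behaviour is visible; the index rows are constructed placeholders, not real Exploit-DB entries, and the column layout (id,file,description,date,author,platform,type) is assumed.

```shell
#!/bin/sh
# Added example: a minimal re-implementation of the old searchsploit logic.
# NOT the real /pentest/exploits/exploitdb/searchsploit script.
# Assumed index layout: id,file,description,date,author,platform,type

# Constructed stand-in for files.csv. These rows are placeholders for
# illustration only, NOT real Exploit-DB entries (no commas inside fields).
INDEX="$(mktemp)"
cat > "$INDEX" <<'EOF'
id,file,description,date,author,platform,type
1,platforms/linux/local/1.c,"Linux Kernel 2.6.x - Example Local Privilege Escalation (constructed)",2000-01-01,nobody,linux,local
2,platforms/linux/remote/2.py,"Linux Kernel 2.6.x - Example Remote Code Execution (constructed)",2000-01-01,nobody,linux,remote
3,platforms/windows/local/3.txt,"Windows Example Local Privilege Escalation (constructed)",2000-01-01,nobody,windows,local
4,platforms/linux/local/4.sh,"Linux Kernel 2.4.x - Example Local Privilege Escalation (constructed)",2000-01-01,nobody,linux,local
EOF

# search_index INDEX TERM...
# Prints "description | path" for every row (header skipped) that contains
# ALL terms as fixed strings, ignoring case. Any column counts, so a term
# such as "local" can match the path or the type column.
search_index() {
    idx="$1"; shift
    tail -n +2 "$idx" | while IFS= read -r line; do
        keep=1
        for term in "$@"; do
            printf '%s\n' "$line" | grep -qiF -- "$term" || { keep=0; break; }
        done
        if [ "$keep" -eq 1 ]; then
            printf '%s\n' "$line"
        fi
    done | awk -F',' '{ d = $3; gsub(/"/, "", d); printf "%s | %s\n", d, $2 }'
}

# count_matches INDEX TERM... : number of matching rows, handy for a quick
# "is there anything for this kernel?" check during enumeration.
count_matches() {
    search_index "$@" | grep -c ''
}

# Usage mirroring the command in the post: only the 2.6 local entry matches,
# because the remote one fails the "local" term and the 2.4 one fails "2.6".
search_index "$INDEX" kernel 2.6 linux local
```

Because every term is ANDed, start broad (for example, just the kernel version) and add terms to prune; if you add "local" and the count drops to zero, the interesting entry may simply be filed under a different platform directory, so back the last term out before concluding nothing applies.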

Hacking: The Art of Exploitation - Good source for C exploit development

The Web Application Hacker's Handbook

PaulDotCom - They always have great guests and tech segments.
