Tips for an Information Security Analyst/Pentester career - Ep. 80 - "Try Harder" Explained
12/18/2021 Update: Now the OSCP exam structure changed, too. Check the latest update.
2/22/2020 Update: PWK has recently been updated, including Active
Directory attacks and a lot of stuff that had been left out so far, and
adding and revamping lab machines. Check all the updates here.
As I had the opportunity to say it other times, though OSCP is a great cert, it isn't per se enough to get a job.
Some PWK machines are quite realistic, but the OSCP exam itself is much more CTF-like than anything else. I personally found my eJPT exam to be much more like a real pentest.
Experience is invaluable, and you don't get that either in PWK or HTB or Vulnhub.
They can help with the right mindset, but they don't prepare you for the real complexity of a penetration test, such as scanning a /16 subnet with Nmap in the fastest possible time when your testing hours are running out and you need to wrap up, or getting a WPA handshake from a wireless network when none of your attacks seem to work. They don't really prepare you for internal pentests at all.
For you to be successful in this industry you need to be persistent, and that's the reason for the try harder motto.
The fact that you already are a pentester doesn't mean OSCP is going to be easy for you; it may be the other way around.
Even if you're a pentester, OSCP is hard because of the far shorter time at your disposal and the physical and mental exhaustion.
You don't normally have to pentest a network or a web app in 24 hours.
You're used to doing recon for weeks and then doing everything you need to do within a set number of hours, laid out in the rules of engagement (ROE).
Additionally, you don't normally deal with buffer overflows and the like when pentesting a network or a web app, except when using a public exploit available for a specific vulnerability you detected.
That's something you do for exploit development/research, which is a different line of work.
In a real pentest, you have much more time to work on it. No engagement can be wrapped up in 24 hours, unless it's only a matter of generating a Nessus report, running Nmap and Burp, comparing the results with the previous engagement and then feeding the results from the automated report to the client, along with some explanations and recommendations. No one could draft a full-fledged report in such a short time. In that case we mostly run the scans and add a column to the previous finding matrix with the current issue status (remediated/unremediated/partly remediated), and that's about it.
That's something you need to be aware of, but I'm not saying this because I'm not OSCP certified yet.
I want that cert, too, and I'm going back to it.
I planned to get a CySA+ in a couple of weeks, as the new exam beta is only $50, then I'm going to plan for another OSCP attempt.
Experience is way more valuable than any industry certification.
In fact, when I had no experience no one would contact me for pentesting jobs, while now they do it all the time. Why?
Because I've been working for over a year, and I do it day in and day out.
With that being said, there's nothing wrong with failing.
You're expected to fail, and it's the only way to learn.
I saw a video about OSCP tips, and the guy who made it (a nice guy, but the fact that he keeps showing his cert in the video ended up annoying me a little bit, and at the same time it motivated me to get back at it) said one thing that hit me: What do you call someone who passed OSCP after 6 attempts? OSCP certified. You're OSCP certified regardless of whether you pass on your first try or after 10. Your certification doesn't change based on the number of attempts, so why should you care about that?
TRY HARDER EXPLAINED - WHY DO THEY KEEP BUGGING US WITH THIS SH*T MOTTO?
I personally get why OSCP admins make people mad with that try harder motto. I know the feeling you get when you look for an answer and you hit a brick wall.
However, we can consider this motto under another, different perspective.
OffSec's goal is to develop an attitude in you that will guide you in your future career, rather than running a paper mill operation.
Try harder is something that applies to your work as a pentester, too.
It means you need to find all the possible answers and do your recon and enumeration the right way, not behave like a child and ask someone to bail you out without doing your fair share.
Your employer and your clients trust that you'll find a way to get your job done no matter what (as long as the issues you face are solvable, of course). That's the reason for the motto.
Professional penetration testing is hard, and no two engagements are born equal.
You need determination, persistence and passion to overcome technical issues (and wrong attitudes, too, sometimes) and deliver. That's what they pay you for. It's not for the faint of heart.
In fact, oftentimes I can't find a thing with automated tools and get discouraged.
It would be too easy for me to give up when testing a web app and say, "there's nothing here, why bother?"
That's when I spend hours on manual validation. I start throwing all sorts of payloads at a page, until suddenly something magic happens. That's what the TRY HARDER attitude really means for you.
For example, without revealing too many details, in a recent engagement I found several XSS vulnerabilities by throwing random payloads at some web pages.
Say the page was www.example.com/, for argument's sake.
My coworkers had linked to a guy's tweet about how to quickly scan for XSS.
The tweet included some test payloads, so I started throwing them at that page I was examining and at other ones included in the scope, scoring multiple XSS vulnerabilities.
More specifically, I changed the GET request for our example page in Repeater as follows:
www.example.com/?id="><svg/onload=alert('hacked')>{{1*1}}, and boom, scored!
Would I have scored that XSS, had I given up? No, and the client would be unaware of the issue.
Can you think of what consequences and what type of impact this could have for their business?
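What that finding looks like on the server side, as an added example that is not code from the post or from the engagement it describes: two hypothetical handlers for the `?id=` parameter, one that echoes the value straight into the markup (the bug behind a reflected XSS) and one that applies contextual output encoding (the fix), plus a small check that tells the two apart by asking whether the probe comes back verbatim. The handler names, the `EXAMPLE_URL` built from the post's `www.example.com/?id=` request and the rendered `<input>` markup are all assumptions made for the example.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed probe: the same string the post describes sending in Repeater.
# The '{{1*1}}' tail is a template-injection probe riding along with the XSS one.
PROBE = '"><svg/onload=alert(\'hacked\')>{{1*1}}'

# Constructed URL modelled on the post's example request (assumption: http scheme).
EXAMPLE_URL = "http://www.example.com/?id=" + PROBE


def query_from_url(url: str) -> dict:
    """Split the query string into {name: [values]} the way a web framework would."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)


def vulnerable_page(query: dict) -> str:
    """Hypothetical handler: the parameter lands in an attribute with no encoding.
    A value starting with '">' closes the attribute and the tag, so the rest of
    the probe becomes live markup. This is the defect the post's finding reports."""
    ident = query.get("id", [""])[0]
    return f'<input name="id" value="{ident}">'


def hardened_page(query: dict) -> str:
    """Same handler with HTML-attribute encoding applied at output time.
    html.escape(quote=True) turns '"', "'", '<', '>' and '&' into entities, so the
    value can no longer break out of the attribute regardless of what it contains."""
    ident = query.get("id", [""])[0]
    return f'<input name="id" value="{html.escape(ident, quote=True)}">'


def reflects_unescaped(render, param: str, probe: str = PROBE) -> bool:
    """Validation step: does the raw probe appear verbatim in the rendered body?
    True means user input reaches the markup without encoding; False means the
    response encoded it (or did not reflect it at all)."""
    body = render({param: [probe]})
    return probe in body


def triage(url: str, render) -> str:
    """One-line verdict for a finding matrix, given a URL with the probe in it."""
    params = query_from_url(url)
    hit = any(reflects_unescaped(render, name) for name in params)
    return "reflected unescaped (finding)" if hit else "encoded on output (no finding)"


if __name__ == "__main__":
    # Exercise both handlers with the post's example URL.
    for name, handler in (("vulnerable", vulnerable_page), ("hardened", hardened_page)):
        print(f"{name:10s} -> {triage(EXAMPLE_URL, handler)}")
        print("           ", handler(query_from_url(EXAMPLE_URL)))
```

`reflects_unescaped` is the same check a tester makes by eye in Repeater's response pane; putting it in a function makes it repeatable across every in-scope page and parameter, which is what turned one probe into several findings in the post. On the fix side, the encoding has to match the output context (attribute here); encoding at input time or blocklisting `<script>` would not have stopped this probe, since it carries no `script` tag at all.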
That's why you need that mindset, and that's why I'm exhausted (but mostly happy with my work) at the end of the day.
You can also think of a very high number of other situations where you need a try harder attitude. For example, you might have to face technical issues where an exploit you need to test a vulnerability doesn't work, or a specific configuration for an internal pentest doesn't work and you can't reach some or all of the subnets included in the scope.
You simply can't give up when people rely on you to provide solutions.
Of course, there's nothing wrong with asking for help, but only once all your other options have run out.
I hope my post gives you a new perspective on what try harder really means.