By Derek Scheller, Trace3 Engagement Architect
So before we go too deep into the weeds, let me preface this post by saying: if you are only reading this hoping for the magic bullet, stop now. I will not be giving you any answers to lab or exam boxes. Not only is it unethical and against the Offensive Security agreement, but it will take away from your learning.
Now let us begin our journey. I am unlike so many others that got this certification, but at the same time like so many others. I started my journey in the early 2000s when I found BackTrack Linux, the predecessor to Kali. When I finally had the time to sit down and learn Linux on a computer I owned, it was with the sole purpose of learning security. I researched how to break into wireless networks, how to crack Windows passwords, how to crack Linux passwords, etc. Now I tell you this because I was doing this on my own machines with no malicious intent, but rather to learn, because I was curious and already loved fixing computers, so why not learn how to break into them? With my initial research I learned about BackTrack Linux and the aircrack-ng suite. I cracked into my own WiFi network on my first day of playing with the application. I can’t even begin to tell you how amazed and scared I was at the same time. WiFi was becoming huge, and knowing how easy it was to do was exciting.
I followed up by looking into cracking my Windows password and Linux password. Once again, seeing the ease of offline password cracking amazed me and showed me that at the time my and most other passwords out there were not safe. It took seconds for my computer, which to be honest wasn’t the most advanced, to crack those passwords. Once I learned how to use tools like Cain and Abel and John the Ripper to do these things, I became even more intrigued. So the next question was where do I go from here, what should I learn next? Well, that led me to two other locations. The first was seeing if I could pull my passwords during login utilizing SSLStrip and Ettercap. Once again, after researching how, I was successful. At this point not only was I excited but even more scared than before. How easy it was to get credentials over the wire and exploit them was insane.
The final and honestly craziest part of the beginning journey was finding the TOR network. As I was trying to find better ways to keep communication private and secure over the network, The Onion Router, otherwise known as the TOR Network, was where I found myself. Mind you, there is a lot of darkness there if you delve too far, but its capabilities and usage of VPNs are quite amazing. Since this isn’t a lesson on TOR, we will just mention that you have to be careful and use it for the right and ethical reason, or you can very easily end up behind bars.
So what came next? How exactly did I pass? To that I have to not only praise myself and my drive to research and constantly learn more, but also The InfoSec Institute and Keatron Evans, as well as SANS. Why InfoSec, you may ask, since they don’t have any prestigious offensive security certifications? Well, honestly, because it was some of the best training I had ever received at the time. I was going for my CEH as it was part of the DOD requirements and I could get it paid for. I was expecting the normal bootcamp of “here’s how you pass the test.” I couldn’t have been more wrong. With the help of Keatron I developed a methodology of enumeration and exploitation I never had before. Now, mind you, I had been researching security for roughly 10 years at this point and never had a formal job in it. Keatron showed us proper enumeration, better techniques for using nmap, chained exploits, tunneling, and so much more. Not only did he prepare me for the CEH, but for a career in cybersecurity.
After earning my CEH I spent almost a year studying on my own again, researching, practicing what I was taught, and further developing my skillset. I was then privileged enough to be accepted into the Cyber Network Defender course of the US Army and attend five SANS courses, 4 of which were for certifications. I won’t say I didn’t learn anything from these courses, as these too helped develop techniques by some of the best in the business, but I did have less to learn than many others. This I credit to my constant thirst for knowledge in a field that I had never had a formal job in. I was always working to perfect my abilities. Striving to be better than I was the day before.
So let’s fast forward: the year is 2020, roughly 5 years since I took my SANS courses, and I am finally able to take PWK and earn the one certification that had eluded me for years, the OSCP. So what was the secret to passing? What Hack the Box list did I follow, or what VHL lab boxes helped the most? It is here that I will tell you: none of them. I didn’t follow a list for Hack the Box; I simply went through the active boxes to improve methodology and help build rank (it’s a pride thing). I never did VHL; I simply joined the Discord channel to meet like-minded people that were interested in cybersecurity. The only training I used once I was at this point was the PWK lab boxes. I didn’t do the exercises, I didn’t turn in a report for exercises and labs, I simply went through and pwned every single lab machine. I took notes on how, what I found, and how I executed certain exploits. I read the write-up Offensive Security did on two of their lab machines to get a feel for their kill chain techniques. I do find that VHL and HTB have a lot to offer and can help you in so many ways. But it’s not magic, it’s not guaranteed, and to be honest it all comes down to you.