Growing Pains

A Reflection on My First Year of Offensive Security

Hello, folks, or, you know, that one reader who views my blog. Today we are going to continue through my journey from college student to Offsec engineer. If you haven't read my previous posts, never fear. I will summarize and link the posts if you are interested.


In early 2019 I started my first internship in Application Security, where I worked on automating security solutions and CI/CD. I share the process I went through applying, interviewing, and obtaining my first internship here.


In 2020 just around the time the pandemic hit the U.S., I found myself in that all too familiar stage of excitement, anxiousness, and uncertainty, soon-to-be grads often find themselves in. I was in search of a job. I was still an intern, but the team I worked with did not have enough budget to pull me on full-time.

I applied for an Offsec engineer position that I was painfully unqualified for, but man, was I interested. How I landed the interview and got my manager to give me a shot can be found here. TL;DR: Despite my lack of experience, I got lucky, and on May 4th, 2020, I started my first Offensive Security gig!


The Beginning

So it’s just under one year on the job, and I thought I would share what the experience was like. My boss fairly warned me that there would be much work to do to ramp up as a college student just entering the Infosec/IT world. Students straight out of college without previous practical IT/product development/security experience are not necessarily ideal Offsec candidates. However, my team has invested in me by providing plenty of opportunities for both on-the-job training and introducing me to resources that I use to help me hone my skills in my free time.


The Ramp Up

During the first couple weeks of onboarding, I was finishing up school full time. I was given a few projects to work on related to Linux system administration using three Linux machines.


After the Linux administration tasks, I was given some projects related to Python programming and web development. The idea was to expose me to the fundamentals before I actually learned how to hack anything. The build-it-before-you-break-it approach.

I spent a lot of my spare time trying to learn about web application security via PortSwigger and other Linux concepts on overthewire.org. I participated in my first CTF (unless you would like to include my interview). I shared that experience here. If you are interested, have a look-see. This was also my first "CTF write up" so it definitely is not my best quality work.



Throughout the last nine months (the time I have been in this position), I have participated in about four CTFs. I have walked through all of the overthewire bandit activities, solved ten-ish HTB boxes, and solved four rooms on TryHackMe.


I also spent a lot of time building lab environments to experiment and explore. To do this, I spent a lot of time in VMware and AWS, which have been great resources for me. All of my experimentation so far has fallen under the free tier in AWS.

I also leveraged Docker a ton, which has been a fantastic resource for quick PoC and experimentation.


Anywho, let's back up a bit.


About a week or two after graduating, my boss asked me if I was “ready to take the hardest class I have taken to date”. Soon after, I was enrolled in the OSCP PWK training.

OSCP

I had 90 days of access and worked full time. Thankfully, my boss was really cool and gave me two days out of the week to study for the exam. Despite the time given and the outside time I spent studying, I fell flat on my face with the training. I spent so much time reading through the material and researching the technology, not only related to the tools or concepts but networking, Linux, Windows, bash, just ... computer stuff.

I read a lot of different things online about going straight into the labs vs. doing the activities and reading the course material first. I received mixed answers and figured I needed all the practice and points I could get, so I decided to do the activities first.

Man, I wish I started on the labs sooner.

In hindsight, I would have set a certain amount of time a week dedicated to the labs and a separate time box for reading the manual and doing the activities. I would set the intention in my schedule to account for both. That way I did not completely neglect one over the other.

I did not neglect the lab environment altogether; the activities do use machines from the lab environment. But I definitely did not take advantage of the labs as I should have.

I did mess around in my own VMs to recreate scenarios described in the lab manual, as well as work on some HackTheBox machines recommended in TJ Null's list.

Still, I would have focused a little more on the labs, since I will always have the manual; I am subscribed to HackTheBox and have access to those machines well after my OSCP lab access ended. I think one of the largest flaws in my approach was:

I wanted to be familiar with all of the concepts before attempting the lab

I felt as though I needed to finish every section so as to be exposed to everything before even attempting the lab environment. So, fast forward to my last two weeks of access: I am on the last few chapters, yet I have not touched a single lab box (outside of the activities).

Still, I believed it would be fine. I was considering paying for an extension where I would go all-in on the labs. I thought to myself, "Maybe I wouldn't pass my first exam attempt, but I would still gain that insight of what the exam was like and adjust my approach accordingly".

When I did work on labs, I found myself shying away from any Windows machines. I had very little experience with Windows and found myself spiraling into self-doubt the longer I struggled on a Windows machine.

A week and a half before I lost lab access, I lost a really close family member. This would be the third family member I lost in 3 months. This pandemic was weighing on me. I was shredded to pieces.

I became increasingly angry with myself for not making very much progress, and I flat gave up. I had no idea what the lab environment was like. I felt that I had no expectation of what the exam was going to be like. All I knew was that the exam was going to be hard and I was a noob... I decided to postpone my exam attempt.

OSCP Takeaways

I just want to reiterate the poor mentality I had when approaching this training. I believe, at the time, what was holding me back from even attempting the lab was wanting to be exposed to all of the sections in the manual BEFORE attempting the labs.

Though it would have been nice to be exposed to all of the topics beforehand, that is not the point of the training. The point of the certification training is to learn by leveraging a hands-on practical environment.

The point of the training is to be exposed to the fundamentals of Offensive Security, including the pain points of running into stuff you have little to no knowledge about and seeing how you approach solving the problem.

Since the training, I have been on real engagements where I learned that I will never walk into a situation with full deep knowledge of everything that exists in an environment.

That research component, at least for where I am now (and I do not see it changing too soon), will always exist on an engagement. I will never research before the engagement to eliminate the need to research during the engagement.

That is not to say you should not prepare as much as possible, but in terms of the OSCP training, that was my time to prepare via a hands-on practical approach, not to knock every box out of the park.

Attacking and Defending Active Directory

A month and a half after I finished OSCP training, I found myself enrolled in CRTP (Certified Red Team Professional), a course on Attacking and Defending Active Directory. Talk about facing your weaknesses head-on. I was excited to learn about Active Directory, and I was sure to brush up on some Windows fundamentals here.

Again, I found myself enrolled in a class with 90-day access. I was determined to get as much hands-on experience as I could and stay at a steady pace. This class was a lot of fun. I definitely learned a lot and really found myself enjoying the labs.

The class was engaging and broke the units into the stages of an engagement.

(Image: AD-cycle.png)

Despite how well the course material was constructed, I found myself extremely overwhelmed an embarrassing number of times. I started to feel like there was no way I was actually going to learn the material. I may get the exercises done by following the walkthrough videos when I got stuck, but actually understand the material? No way. I am too much of a noob.

I tried my best and found myself sinking entire weekends, evenings, and many mornings in the course material. Sometimes it was tough to get started, but once I did, it became harder to stop. I did every single lab and captured most of the flags; maybe I missed one or two.

At some point, just before the holidays, I found myself falling behind. I spent the holidays buried in the course material. I reviewed the previously covered chapters and caught up to my original pace. Don’t get me wrong, it was in no way, shape, or form easy (to me), but I spent a lot of time on the course material.

I am writing this a week away from my exam date. I will likely write an update to discuss how I did in the exam as well. I believe I have a decent chance of passing the first attempt. I have used a few resources from TryHackMe and HTB to gain some more hands-on practice after losing the lab access from the class itself. However, if I do not, I will definitely be studying more and retaking it.

Update

So I took the exam yesterday. The exam was 25 hours long; I started at 6 AM Friday and ended at 5:45 AM this morning (I am writing this on Saturday). The goal was to compromise 5 machines, then turn in the report 48 hours from the lab end time.

Unfortunately, I got stuck on one machine the entire lab. I am writing this on very little sleep, but I wanted to write it now and move forward. I do not want to give any spoilers, so I will not describe details about the lab, but I will say how I approached it.


The night before the exam, I meal-prepped every single meal. I had all my tools ready and tested on my Kali Linux machine. I intended to start my exam between 5 AM and 5:30 AM, but by the time I finished my first coffee and breakfast, it was just before 6 AM. I planned to sleep at 8:30 PM the night before, but I struggled to sleep early. I was anticipating the exam. I set an alarm for every 2 hours to take a break, which I did not always take. I think I took 3 breaks of less than 30 minutes each.


The first break was after privesc-ing my foothold machine. I walked my dog and grabbed something to eat. I got stuck on this box. I did not feel lost until around 11 PM, so I decided to take a 2-hour nap. When I awoke, I found some silly things that I was doing and felt as if I had an idea of what I needed to do, but I struggled to pull it off.


I spent the final 3 hours of access going through the data I had and documenting theories of what I should do, assumptions I had, and things I thought I knew that ended up being inaccurate. I did all of this to ensure that I knew what areas I needed to work on moving forward after the exam.


This documentation really helped me draw new conclusions and try more things just before losing access, which did not yield winning results but did help give me direction on how I should move forward in my Active Directory education.

In hindsight, most of the issues or areas that I need to work on are not surprising. It makes perfect sense to me that I did not know … what I did not know or what I hadn’t considered while training.

Before this course, I had no familiarity with Active Directory whatsoever. As I mentioned before, I struggled using Windows machines, and this course was strictly Windows-based. In the course, I gained a lot of insight into the environment via the lectures.

Gaps were being filled in the lectures/course material before I could recognize that the gaps existed at all.

I think we have all had those experiences in life where you practice in a controlled environment, and there are some hiccups when you work out the real deal. Sometimes these are hiccups; other times, you spend 20 hours banging your head against your keyboard.




All of these experiences are learning experiences. I am glad that I found the questions I did not know I had. I was surprised how long I could work on the lab, though I know the quality of my brainpower depleted as the night turned into the next morning. I had fun working on the exam. I will improve upon the gaps I found. I will study more and retake the exam when I can.


My goal is to have one offensive security certification by the end of the year.


All credentials aside, the most important thing is not the certifications but the hands-on experience I am gaining and what I am learning in the process. Regardless of passing any exams, what I have learned in this course and what I learned from taking OSCP training has proven extremely valuable in my day job, so it was well worth taking.

Key Take-Aways

  • I am just a noob, sharing my experiences to hopefully someway somehow help someone else out.

  • Walk into every challenge head-on and seek out as much hands-on experience as you can (LEGALLY). I created a resource page that I will continue to add to. It has a few resources I have been using to learn.

  • I feel like I have fallen flat on my face so many times this past year, and I am only learning and growing from these experiences, so please do not fear failure or looking like a noob. Every well-versed individual in any practice was once a noob.

  • Take care, be kind to yourself, thank you for visiting.
