Where is the Challenge?

And I don’t mean the difficulty.

When studying security you learn a bunch of things, then you practice those things that you learnt, and then you have an exam. The problem is that the exam isn’t on what you learnt. The challenge isn’t about what you have already learned. The challenge is usually to figure out something you don’t know about, that may or may not be related to what you already know. Independent study, research and problem solving are all important skills in security, so it’s great that we’re assessing them, but why aren’t we teaching them?

I’ll pick on the OSCP today, since I’ve already picked on UNSW enough. The PWK course was very interesting and very practical; that’s one of the things that separates it from other certifications. I learned how to run an nmap scan, how a reverse shell works and why you would need one, how to do basic SQL injection, a couple of ways to transfer files, how to replace a binary that will be executed on startup with SYSTEM level privileges, and how to put version numbers in EDB and swap out the shellcode before running it. Great. Interesting, practical. It’s a lot of tools in the belt.

Now, equipped with the skills to be a pro hacker I took to the labs. Where do I start? What do I do? “Start with the low hanging fruit.” Whatever that means? “Just find the easy targets.” Ok? Which ones are those? How do I find them?

Remember those tools in the belt? Yeah, they’re all hammers. And there’s not a lot of nails in computer systems.

I scanned a machine. Cool, it’s got some open ports. Check them out. No hits on EDB, not a lot of ports that I actually learned about. Looks like HTTP is the way to go. Pull up a browser. One of those directory pages. You know the one. Click around some of the files and have a look. Some files have WebDAV or DAVtest in the name. Interesting, let’s google that.

Wait. Forgot to revert the machine. Damn, now all those files are gone. Guess those Mad Hints were just leftover from other students. I’ve never heard of WebDAV, I couldn’t pick it out of a lineup, it wasn’t in the course materials. What if I’d reverted it beforehand? How would I know? Whatever.

I found a couple of tools with no/terrible documentation/examples and figured it out (over a few hours). Fun times. Now on to the privilege escalation. Wait, I don’t actually know anything about how to do that. Unless there’s a file on the desktop with a local exploit to compile, or a binary called backdoor_me? Nope, shame. Guess I’ll just tap away at my keys until I get admin through magic.

Long-winded? Maybe. But my point stands. That was about as far as I got in the labs, not for lack of trying, but for lack of direction. And the exam was the same, except worse. Even reading through the Alpha walkthrough, the only thought I had the whole time was “why haven’t I learnt this? nikto wasn’t in the course?”

The problem, in my opinion, is that the facilitators (whether OS or UNSW, or the many others I’m sure) felt that the only way to make the exam challenging was by putting in things they didn’t teach. Because otherwise everyone would pass and it would be easy, since they actually know how to do the things they were taught. Or maybe they wanted to emphasize the soft skills in security? But then why wouldn’t they be teaching them? Or maybe they want to keep the rite of passage for aspiring hackers, because there was no walkthrough in the 80s? Or try to trick the students by making the answer something they don’t know about, for whatever reason?

Let’s stick with the most generous hypothesis and go with the first one, combined with the fact that they don’t know better, because it doesn’t matter (unless they don’t want to improve), and get on with some solutions (in a new post, since this is long enough).