Sunday, July 1, 2018

SANS SEC560

Went to training this past week.  Took SANS SEC560.

Choose the hotel you stay at wisely.  I didn't sleep very well all week.  There's always the chance of not sleeping well, but in this case, it was worse than usual.  I can't fault the hotel; the beds were comfortable, the rooms were clean, etc.  There was just so much noise around, the whole night.  I did not stay in the SANS venue this time.

The class itself was great.  The instructor was entertaining.  He went a little fast, but he had a lot of material to cover.  As usual, I was trying to take notes while he spoke.  I'm glad I have On-Demand so I can listen to the lecture again from someone else's perspective and pause it when I feel the instructor is going too fast.

Feel like I learned a bit this week.  Most of the learning was from doing dumb things.

There is a ctf in it.  I can't give away exact answers.  Here's a few tips:

Pay attention to the instructor.

Get some sleep.  I was not prepared for ctf day.  I was so tired, that I kept mistyping stuff.  Simple stuff.  I wasn't going into the right directory to run things.

Plan out the tools you will use wisely, and put them in the $PATH.  This isn't always recommended for production machines, but in the case of VMs in a ctf, this may be a good idea.

Make notes of the tools you used throughout the week.  This will not only help you remember what to use, but will also be a handy reference guide for when you're nervous during the ctf.  This way, you don't have to flip through the course books.  This is also good advice for taking the exam - indexing.

Choose your team wisely.  I socially engineered my way into a good team.  I took a gamble and I wore my SANS Netwars Tournament of Champions t-shirt and hoodie this week.  The instructor made sure to announce that I was in last year's ToC, so people naturally assumed that I probably knew stuff.  I was asked to join the team that I wanted.  (After my performance yesterday, they are probably wondering how I won NetWars.  I wasn't dishonest.  It was persistence, Googling, and luck.)

That being said, don't wait for someone to ask you.  You should have your team made by Day 4 at the latest.

Watch the people in class.  The quiet ones who aren't paying attention are wild cards.  They will either be extremely good, or they will be bad.  I lucked out.  The quiet person in our class was really good.

You want people with different skill sets in your team.  I was doing scanning/recon, taking notes - making sure we had good material for a report, cracking passwords because I threw a couple of cores and more memory into my vm.  If there was a tie, we'd have to explain how we did things, and sometimes that report is what sets you apart.

The other guys were methodically working on exploiting the machines.  I would go in behind them and see if we missed anything.  You can scan from each system's perspective.  You might see something different from that perspective, because certain machines may be able to talk to each other, and nothing else.

I still ended up rooting a box, because I went in behind the first wave of exploiters in our team and got root on the box while they were trying to get into the next box.  You don't always need root, but it's nice to have to be able to get the hashes and crack them.

Don't compete with your teammates.  You're there to work as a team, not be the "star".

If you get stuck, this sounds stupid, try the dumbest things you can think of first and work your way up.  Example:  In tech support, it would be, "Is it powered on?  Are the cables plugged in on both ends?", etc.  In pen testing, it would be "Is the username set to "password" or other passwords you might already know?  Do users have more privileges than they should?, etc."  Good privilege escalation guide here:  https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation and here:  https://www.fuzzysecurity.com/tutorials/16.html

Scan the network.  Other teams may give clues about what to do next.  They may be stuck in a spot that you already have and vice versa.

My team ended up winning, but just barely.  I received a beautiful coin to add to my collection.  Thus far, I have 2 504 coins, 1 560 coin, and a NetWars coin.

No comments:

Post a Comment