27. Trying Harder: The Challenge Labs

In this final Learning Module, we will discuss the transition from going through the course material and Module exercises to taking on the Challenge Labs. We will cover the following Learning Units:

• PWK Challenge Lab Overview
• Challenge Lab Details
• The OSCP Exam Information

27.1. PWK Challenge Lab Overview

This Learning Unit covers the following Learning Objectives:

• Learn about the different kinds of Challenge Labs
• Obtain a high level overview of each scenario
• Understand how to treat the mock OSCP Challenge Labs

27.1.1. STOP! Do This First

If you are reading this Module and haven't yet completed ALL the PWK Capstone exercises, we highly recommend going back and finishing them before proceeding. The Capstone exercises provide you with an opportunity to hack machines with specific constraints on what needs to be enumerated. By compromising single machines and smaller networks via the Capstone exercises, you will set yourself up for a more successful, effective, and pleasant experience with the Challenge Labs.

Once you have completed the Capstone exercises, make sure to read through and follow along with the Assembling the Pieces Module to begin developing a methodological framework for attacking larger networks. We recommend starting with the Challenge Labs only once the Capstone exercises and the Assembling the Pieces Module are complete.

27.1.2. Challenge Labs 0-3

Much of the below information is included in the Introduction to PWK Module. We're repeating the information here because it has likely been a while since you read the introduction. Please review it carefully before starting the Challenge Labs.

There are three types of Challenge Labs. The first four Challenge Labs are called scenarios. Each scenario consists of a set of networked machines and a short background story that puts those machines in context. Your goal is to obtain access to a Domain Administrator account on an Active Directory domain, and compromise as many machines on the network as possible.

In the same way that Capstone Exercises test the learner on the material of multiple Learning Units, so too do these scenarios test the learner on the material of multiple Learning Modules. Your level of uncertainty about the network here is high and similar to real-world penetration tests, because you will not know which machines are vulnerable to what types of attacks. In addition, each of the four scenarios progressively increases in complexity due to additional machines, subnetworks, and attack vectors.

Further, you will not know that any specific machine is directly vulnerable in the first place. Some machines will be dependent on information, credentials, or capabilities that will be found on other machines. And some machines may not even be (intentionally) exploitable until after the Domain Controller is compromised.

All machines contain either a local.txt file, a proof.txt file, or both. The contents of these files are randomized hashes that can be submitted to the OLP to log each compromise. Just like the Module exercise flags, the contents of these files will change on every revert of the machine.

The following summaries provide a high level overview of each scenario:

Challenge Lab 0: SECURA: In the first Challenge Lab, you are tasked with performing a penetration test on SECURA's three-machine enterprise environment. This lab serves as a ramp-up before tackling the more complex Challenge Labs 1-3. You will exploit vulnerabilities in ManageEngine, pivot through internal services, and leverage insecure GPO permissions to escalate privileges and compromise the domain.

Challenge Lab 1: MEDTECH: You have been tasked to conduct a penetration test for MEDTECH, a recently formed IoT healthcare startup. Your objective is to find as many vulnerabilities and misconfigurations as possible in order to increase their Active Directory security posture and reduce the attack surface.

Challenge Lab 2: RELIA: You are tasked with a penetration test of RELIA, an industrial company building driving systems for the timber industry. The target got attacked a few weeks ago and now wants to get an assessment of their IT security. Their goal is to find out if an attacker can breach the perimeter and get Domain Admin privileges in the internal network.

Challenge Lab 3: SKYLARK: Skylark Industries is an aerospace multinational corporation that performs research & development on cutting-edge aviation technologies. One of their major branch offices has recently been targeted by an Advanced Persistent Threat (APT) actor ransomware attack. For this reason, the company CISO now wishes to further shield Skylark Industries' attack surface. You have been tasked to conduct a preemptive penetration test towards their HQ infrastructure and find any vulnerability that could potentially jeopardize the company's trade secrets.

27.1.3. Challenge Labs 4-6

The second type of Challenge Lab consists of an OSCP-like experience. They are each composed of six OSCP machines. The intention of these Challenges is to provide a mock-exam experience that closely reflects a similar level of difficulty to that of the actual OSCP exam.

Each challenge contains three machines that are connected via Active Directory, and three standalone machines that do not have any dependencies or intranet connections. All the standalone machines have a local.txt and a proof.txt.

While the Challenge Labs have no point values, on the exam the standalone machines would be worth 20 points each for a total of 60 points. The Active Directory set is worth 40 points all together, and the entire domain must be compromised to achieve any points for it at all.

All the intended attack vectors for these machines are taught in the PEN-200 Modules, or are leveraged in the first four Challenge Labs. However, the specific requirements to trigger the vulnerabilities may differ from the exact scenarios and techniques demonstrated in the course material. You are expected to be able to take the demonstrated exploitation techniques and modify them for the specific environment.

When completing Challenges 4-6, we recommend a different approach compared to Challenges 0-3. In particular, the purpose of these challenges is to provide you with direct, intuitive insight on the types of machines that are likely to be on the exam. These Challenges are not designed to be all-encompassing: not every vector that is part of these Challenges will be on every exam attempt, and the exam may contain vectors that are not part of these Challenges. Again, anything taught within PWK is fair game.

In order to mimic the exam as closely as possible, we suggest that you avoid discussing these machines in particular with peers and the Student Mentors. In addition, you may want to experiment with setting a timer to complete these machines. However, we don't necessarily recommend trying to do so within 24 hours, simply because it is more effective to spread out your learning time over a longer period. For each of the challenges, you might want to try spending an initial 24 hours in total to see how far you can get within the time limit. Then, step back and explore your progress.

In a sense, Challenges 4-6 provide a self-assessment of yourself as much as they represent an assessment of machines and networks. We recommend that you treat them as an opportunity to discover your own strengths and weaknesses, and then to use that information to guide your next learning focus.

27.1.4. Challenge Labs 7-8

The third type of Challenge Labs is similar to Challenge Labs 0-3. However, the difficulty and complexity of Challenge Labs 7-8 are significantly higher than those of Challenge Labs 0-6. They require skills and techniques beyond what is covered in the PEN-200 material and are intended to help you transition toward more advanced skills, such as those taught in the PEN-300 course. These Challenge Labs are beyond the scope of the OSCP exam. If preparing for the exam is your main objective, you may rather focus on Challenges 4, 5 & 6.

The following summary provides a high level overview of the scenarios:

Challenge Lab 7: ZEUS: The challenge is divided into three main objectives, each targeting different client systems within the Zeus.Corp domain. The first objective involves infiltrating SMB shares to access company database configurations. The second objective focuses on credential dumping, logging in with the obtained credentials, and reading a specific document. The final objective requires participants to log in to the system, reset a user's password, and create a backup.

Challenge Lab 8: POSEIDON: This lab contains an active directory chain and involves exploiting various privilege escalation techniques and vulnerabilities. Users will perform ASREPRoasting and SeImpersonate Privilege Abuse, leak clear-text passwords, abuse ACL permissions, and exploit Backup Operators group privileges and Parent-Child Trust to achieve domain compromise.

All machines contain either a local.txt file, a proof.txt file, or both. The contents of these files are randomized hashes that can be submitted to the OLP to log each compromise. Just like the Module exercise flags, the contents of these files will change on every revert of the machine.

27.2. Challenge Lab Details

In this Learning Unit we will discuss some of the important details that are useful to know about the Challenge Labs. This Learning Unit covers the following Learning Objectives:

• Understand how Client-Side simulations work
• Understand the concept of dependencies
• Learn about non-intentionally vulnerable machines
• Understand the lack of meaning inherent to IP address ordering
• Learn how routers and Network Address Translation affect the scenarios
• Understand how to treat credentials and password attacks

27.2.1. Client-Side Simulations

The internal VPN lab network contains a number of simulated clients that can be exploited using client-side attacks. These clients are programmed to simulate common corporate user activity. Subtle hints throughout the lab can help you locate these simulated clients. Thorough post-exploitation information gathering may also reveal communication between client machines.

The various simulated clients will perform their task(s) at different time intervals. The most common interval is three minutes.

27.2.2. Machine Dependencies

Some targets are not designed to be exploited without first gathering specific additional information on another lab machine. Others can only be exploited through a pivot. Student Mentors will not provide details about machine dependencies. Determining whether or not a machine has a dependency is an important part of the information gathering process, so you'll need to discover this information on your own.

An example of a dependency might be that a machine named VANGUARD contains a file that divulges credentials for another machine named SENTINEL. VANGUARD may not have any (intentional) external attack vectors, so you will need to compromise SENTINEL first.

There are no dependencies between Challenges. This means that the information you find in Challenge 1 will not pertain to any of the machines in Challenges 2-6, and so on.

For the OSCP-like Challenges (4-6), there are no dependencies between the three domain joined machines and the three standalone machines. The three standalone machines themselves also do not contain any dependencies. Thus one way to think about these Challenges (and therefore the exam) is that each contains a total of four isolated mini-environments: an AD set and three standalone machines.

27.2.3. Machine Vulnerability

While some machines may be dependent on information or access that can only be obtained by compromising other machines within a Challenge, some machines aren't designed to be hacked at all. The reason these machines exist in the Challenges is because in the real world, many machines you will encounter as a penetration tester will not be (easily) hackable.

However, the number of these machines is kept to a minimum; there are only a few per challenge. In addition, every machine does contain at least a local.txt or proof.txt file. This means that some machines may not have privilege escalation paths, but every machine can be accessed after obtaining Domain Administrator permissions for each of the Challenges (whether or not they are domain joined).

It is important to note that the OSCP-like Challenges and the OSCP itself DO NOT contain these types of machines. On the exam, every machine is designed to be exploitable, and every machine has a privilege escalation attack vector.

27.2.4. Machine Ordering

The IP addresses of the lab machines are not significant. For example, you do not need to start with 10.11.1.1 and work your way through the machines in numerical order. One of the most important skills you will need to learn as a penetration tester is how to scan a number of machines in order to find the lowest-hanging fruit.

Do not read into the specific octet values of the IP addresses within a challenge. If SENTINEL has an IP address of 192.168.1.5 and VANGUARD has an IP address of 192.168.1.12, it doesn't mean that you should target SENTINEL first. It also doesn't mean that SENTINEL is considered easier, and it doesn't mean that VANGUARD is dependent on SENTINEL. In fact, in our hypothetical example, precisely the opposite is true!

27.2.5. Routers/NAT

Each of the Challenges have multiple subnetworks, with at least one external and one internal subnetwork. For each Challenge, the internal subnetworks are not directly routable from the initial external network, but the external network is routable from all other networks.

You will need to use various techniques covered in the course to gain access to the internal networks. For example, you may need to exploit machines NAT’d behind firewalls, leveraging dual-homed hosts or client-side exploits. Lengthy attacks such as brute forcing or DOS/DDOS are highly discouraged as they will render the firewalls, along with any additional networks connected to them, inaccessible to you.

A number of machines in the labs have software firewalls enabled and may not respond to ICMP echo requests. If an IP address does not respond to ICMP echo requests, this does not necessarily mean that the target machine is down or does not exist.

27.2.6. Passwords

Spending an excessive amount of time cracking the root or administrator passwords of all machines in the lab is not required. If you have tried all of the available wordlists in Kali, and used information gathered throughout the labs, stop and consider a different attack vector. If you have significant cracking hardware, then feel free to continue on to crack as many passwords as you can. With "regular" hardware, every intentional vector that relies on password-cracking should take less than 10 minutes with the right wordlist and parameters.

27.3. The OSCP Exam Information

This Learning Unit covers the following Learning Objectives:

• Learn about the OSCP Certification Exam

27.3.1. OSCP Exam Attempt

Included with your initial purchase of the PWK course is an attempt at the OSCP certification exam.¹ The exam is optional, so it is up to you to decide whether or not you would like to tackle it.

To book your OSCP exam, go to your exam scheduling calendar. The calendar can be located in the OffSec Training Library under the course exam page. Here you will be able to see your exam expiry date, as well as schedule the exam for your preferred date and time.

Keep in mind that you won't be able to select a start time if the exam labs are full for that time period so we encourage you to schedule your exam as soon as possible.

For additional information, please visit our support page.²

27.3.2. About the OSCP Exam

The OSCP certification exam simulates a live network in a private VPN that contains a small number of vulnerable machines. The structure is exactly the same as that of Challenges 4-6. To pass, you must score 70 points. Points are awarded for low-privilege command-line shell access as well as full system compromise. The environment is completely dedicated to you for the duration of the exam, and you will have 23 hours and 45 minutes to complete it.

Specific instructions for each target machine will be located in your exam control panel, which will only become available to you once your exam begins.

To ensure the integrity of our certifications, the exam will be remotely proctored. You are required to be present 15 minutes before your exam start time to perform identity verification and other pre-exam tasks. In order to do so, click on the Exam tab in the OffSec Training Library, which is situated at the top right of your screen. During these pre-exam verification steps, you will be provided with a VPN connectivity pack.

Once the exam has ended, you will have an additional 24 hours to put together your exam report and document your findings. You will be evaluated on the quality and content of the exam report, so please include as much detail as possible and make sure your findings are all reproducible.

Once your exam files have been accepted, your exam will be graded and you will receive your results in 10 business days. If you came up short, then we will notify you, and you may purchase a certification retake using the appropriate links.

We highly recommend that you carefully schedule your exam for a 48-hour window when you can ensure minimal outside distractions or commitments. Also, please note that exam availability is handled on a first come, first served basis, so it is best to schedule your exam as far in advance as possible to ensure your preferred date is available. For additional information regarding the exam, we encourage you to take some time to go over the OSCP exam guide.¹

27.3.3. Metasploit Usage - Challenge Labs vs Exam

We encourage you to use Metasploit in the Challenge Labs, especially in Challenges 0-3. Metasploit is a great tool and you should learn all of the features it has to offer. While Metasploit usage is limited in the OSCP certification exam, we will encourage you not to place arbitrary restrictions on yourself during the learning process. If you wish, you can experiment with limiting yourself temporarily in your initial explorations of Challenges 4-6. More information about Metasploit usage can be found in the OSCP exam guide.

27.4. Wrapping Up

If you've taken the time to understand the course material presented in the course Modules and associated videos and have tackled all the Module exercises and Assembling the Pieces, you'll enjoy the Challenge Labs. If you're having trouble, consider filling in knowledge gaps in the course material, and if you're still stuck, step back and take on new perspective. It's easy to get so fixated on a single challenge and lose sight of the fact that there may be a simpler solution waiting down a different path. Take good notes and review them often. Search for alternate paths that might advance your assessment. When all else fails, do not hesitate to reach out to the Student Mentors. Finally, remember that you often have all the knowledge you need to tackle the problem in front of you. Don't give up, and remember the Try Harder mindset!