The thing with security is that you have to earn your certificates and this is one of those cases. The duration of the exam is just 7 days for practical and 7 days for report writing. In summary, 14 days of joy and fun. If this already sounds exhausting, oh I mean extreme then prepare yourself for the following.
About exam
The cost of this is only 400 dollars. For such a price you get an exam attempt and an additional retake. Sometimes it is a great idea just to restart machines if something is not working and it feels like it should. Had a case where registration functionality did not work and after the machine reset the complete new attack surface opened up. Just doing a machine revert fixed it which led to vulnerability. Must be the case – works on my machine.
Nevertheless, the exam environment is very stable and dedicated so no one else is connected to it. You still have to send the report even though you have not succeeded. This is to ensure your retake does not expire. Also, some feedback from the examiners will be sent on achieved progress so far and what is still remaining. So this is actually not that bad. Of course, there is always a stress factor when thinking of failure. The key here is to understand that it is ok to fail and accept this as a learning experience. “Success is going from failure to failure without losing enthusiasm.” – Winston Churchill.
“Success is going from failure to failure without losing enthusiasm.” – Winston Churchill.
Exam goals
This is not a CTF-style competition where you have to locate flags and get points. This requires a proper Black box web penetration testing experience. The scope consists of several subdomains and IP addresses. So it is actually more than 2 web applications. Since this is not a vulnerability assessment the goal is to identify and exploit as many vulnerabilities as possible. Failure to do so may result in failing even though the main goals are satisfied. As usual on hacking events and other exams, the final objective is to execute commands on a web server and get a reverse connection – shell.
Exam restrictions
One of the fun parts is there are no restrictions to use any exploitation or scanner tools. This is great since it is very similar to the real-world scenario. This does not mean that there are any CVE’s waiting to be exploited. The exam is prepared in such a way that you have to know how to identify, exploit, and post exploited vulnerabilities that may or not be found in a preparation course for the exam. I can verify that a tool is only as good as its user.
Exam preparation
I had the privilege of taking the exam course in order to prepare – course. Though it is not free and alternatives can be found. There is definitely value in the material and some things can be useful in the exam. Looking back it is clear that some things are just mandatory in order to successfully complete this.
Evasion techniques. Some payloads just don’t work and it doesn’t matter how hard you tried or how far you have gotten. This is because filters are in place and you just have to know how to work around them in order to run your exploit properly.
Scripting. Scanners are ok, but they can only highlight an issue if there is any. Some vulnerabilities require proper exploitation which can not be done with any available tool. This is because exam machines require custom exploitation tools and the ones off the shelf do not work properly. Luckily for us, there are multiple custom exploitation scripts on the internet that we can tweak a bit and make them run.
Mapping application. Since the exam is for web applications, prepare to approach this with no prior knowledge. This means you have to know your way around enumerating or mapping the web. This helps to identify the attack surface and create your own thread model. This is a must since it is not a CTF.
„If you are into web security and have been intrigued by reading this. Then it might be the challenge you were looking for.“
Final thoughts
Focusing on the common issues first is a great approach that might result in success. Some vulnerabilities are just that and do not fit in any other attack chain whatsoever. Still have to be exploited or also can be exploited in different ways. This was a case we had with a colleague on our take. We solved the same issue differently. It took him only three actual days to solve it. While I thought of another approach which apparently was intended.
Overall the experience is great. Reasonable price for a reasonable amount of time for the environment where you can break things to your left and right. If you ever wondered, now you know what hacker exams look like. After all, this is the best black box web penetration testing exam there is out there as far as I know.
If you are into web security and have been intrigued by reading this. Then it might be the challenge you were looking for.
