hunting malware in memory from endgame

I tend to usually avoid vendor blogs since they are usually self-serving as far as presenting a problem in a singular way that makes their product the answer; basically marketing posts. But I do appreciate posts that offer additional knowledge beyond just the marketing slant. Endgame has a post about hunting malware threads and processes in memory. I highlight this post, because it starts out by going over various methods that malware attempts to dig into memory and hide. And then it has a paragraph about detecting things like this using a PowerShell tool, Get-InjectedThreads.

Super cool information for someone getting into malware analysis or detection.

on your own for microsoft update monthly reports that look decent

A few months ago Microsoft changed how they tell us about product updates. Rather than give us neat little bulletins and MS18-001 style summaries, we have to now pull our own information from their repository. For most of us, this is annoying, since a month with 12 “updates” which themselves package an average of 6 actual updates for 5 affected products (30 actual patches per update, for example) used to still be one single “MS18-001 Description” entry in our ledgers. Now things are dirtier and annoying (change!).

But not all is bad. Now, enterprising persons can craft their own method and format for pulling monthly information out of the repository. Such as this code snippet which is simple enough to post here for illustration purposes, but was taken from github user JohnLaTwC:

## Uploaded by @JohnLaTwC
## Miss security bulletins?  Create them yourself in a few lines of PowerShell:

## First, get an API key to the MSRC Portal API
## Sign-in in here:, and click on the Developer tab, click the Show button on the API key.

## Install the MSRC PowerShell cmdlets, Run in an Admin PowerShell:
## Install-Module -Name MSRCSecurityUpdates -force

## In a normal user PowerShell:
Import-Module MSRCSecurityUpdates -Verbose:$false
Set-MSRCApiKey -ApiKey "your-api-key" 
$timeperiod = Get-Date -Format yyyy-MMM
# Older style report
#$fname = 'MSRCSecurityUpdates' + $timeperiod + '.html'
#Get-MsrcCvrfDocument -ID $timeperiod | Get-MsrcSecurityBulletinHtml | Out-File $fname
#Invoke-Item $fname 
# Newer style report
$fname_cve = 'MSRC_CVEs' + $timeperiod + '.html'
Get-MsrcCvrfDocument -ID $timeperiod | Get-MsrcVulnerabilityReportHtml | Out-File $fname_cve
Invoke-Item $fname_cve

This looks super simple, and it is, but that’s because the heavy lifting is in the requirements needed from the comments at the top of this code block. You need to get an API key and install the MSRC PowerShell cmdlets. Ok, that’s not really heavy, but there are options for decent-looking reports without spending a ton of time.

In a previous life, every month I would compile information about the monthly Microsoft patches. For general information, I would include the MS designation, name, description/details with context for my business, URL, and applicable KBs listed out.

I then also added a few contextual points by pulling in CVSS scores, exploitability index, MS severity, impact, and whether the details are publicly known into the same pane. I also added in the scoring for a few other key vendors/services for further context and our own personal resultant criticality.

The above report actually poops out almost all of this information. It’s not crazy pretty, but it’s not as bad as exporting directly from the repository. And it does give me much of what I had before, all told.

detecting malicious actors on windows systems through logs

I think I saw this passed around on Twitter first: Detecting Lateral Movement through Tracking Event Logs [PDF] from the Japan CERT. The blog link actually goes into more detail about the purpose, which is to assist incident responders. But this can be equally useful to incident detection to highlight some log entries to look for that may indicate potential malicious actors. This is also useful for pen testers who are tasked (directly or indirectly) with testing or evading blue teams. Even in a lab, a pen tester can initiate some of these attacks or actions and validate what they see or what artifacts they leave behind on systems. Near the end, there are even supporting steps to make sure proper logging settings are in place to see these events. (Gee, tracking Executing Processes pretty much covers most of it, eh?)

And like many settings in security, the paper at least makes mention that there are considerations to make before making audit log changes. For instance, tracking executing processes (or written files) will generate a large number of entries in the logs, causing them to fill up and roll over or flood your log collectors or SIEMs and maybe challenge your backup capacity. As always, keep in mind the big picture when making settings/architecture decisions.

Very cool list. It’s things like this that I have a hard time figuring out how to save and consume. Do I add a menu link in “resources” to the paper, keep my own list of this somewhere, or just hope to remember I have it here?

keeping up with infosec

How does one keep up with the Infosec world? It’s easy to get comfortable and keep doing what you’re doing as change swirls around outside the window. Technology and security have common themes over the decades, but many of the knobs, dials, and talking points change and we need to keep up with all the new ideas and products coming along every few years. It’s a simple fact that security experts are often used as sounding boards for new technologies and projects, which means keeping up and learning are key habits.

As a corollary to this topic, answering this question also means asking how you want to present yourself to the greater community of infosec online and in person. Do we stick to fully anonymous screennames, switch completely over to real names, or some sort of hybrid in between? This is a personal decision for everyone, but something to keep in mind when putting yourself out there virtually or really. This can be screennames, usernames, email addresses, domain names, and profile details and pictures and avatars. It may even steer you towards or away from certain forums and medium. It may also be dictated by your role, for instance malware researchers may stick a bit more towards the anonymous realms.

So, how do we keep up?

Old School collab: IRC, web forums, mailing lists, blog comments, ‘zines, and even books. These are still used, but they’re a little less prevalent these days. Mailing lists are nice to lurk on when they aren’t broken by spam filters. Mailing lists feel like they’re on the dying end of the spectrum, but does still remain as one of the better “push” methods.

New school social media: Slack, Reddit, Discord, LinkedIn, StackExchanges etc. These are still growing and are often only as useful as what you put into it. Reddit and LinkedIn are a bit more lurker friendly, but LinkedIn’s activity feeds are very noisy with only a few ways to manage it. I actually prefer Twitter as a news feed over LinkedIn, but mileage will vary.

Twitter deserves it’s own mention, as it really has become important for briefly meeting new people, feeding links to other information elsewhere (sort of filling the void from Google Reader), and getting quick notification of important events. If it feels like something major is happening like DNS is down or a major provider out, I often turn to Twitter to get a confirmation. Twitter becomes invaluable when at a con.

Infosec news feeds. It’s important to make some effort to keep up with incoming news and learning opportunities from blogs, infosec news sites, dashboards, exploit/vuln trackers and more. A huge bulk of this is still personal blogs to read, and I suggest Feedly to take care of a huge chunk of this segment.

Traditional news sources. It’s still important to keep up with some of the major events in the country and world, not just for impact on business and infosec, but to keep up with social talking points. It’s also important to know when something in infosec hits the mainstream news waves to prepare for incoming questions.

Podcasts and video. Both of these mediums kinda straddle the new and old school social media, but are more about delivering content to your eye and ear holes rather than more interactive formats. Audio definitely allows for a wide range of opportunities to consume (feet- and hands- and eyes-free). Video is still great for conveying highly technical topics.

In-person networking, cons, meet-ups both formal and more informal, local or more remote. These are great opportunities to learn from others and grow one’s own analog network.

Vendor demos, webinars, and events are great places to meet others, meet vendors, and see new products and features which are likely responses to direction in the overall industry.

Self-study, learning, and playing for fun. In order to continue to learn and grow, you need to enjoy the industry and process and work. And this means being a geek during down times and learning some new things, often on your own with self-paced study and tinkering with new things. These new things are often found as follow-up tasks to many of the above learning and exposure opportunities.

More formally, training and courses are available to do more structured and tracked learning of new things.

Lastly, getting back to how one presents oneself to the great digital and analog worlds is the tenet of giving back to the great community. This could be just participating with the mediums up above, but also by keeping one’s own blog, github, wiki, checklists, tools, scripts, how-to’s, or other content. It’s about giving back and being visible.

PS: Be cognizant of two more thoughts. First, think hard about mixing your infosec activities with your personal ones, and that includes the way you present yourself online. Again, this is highly personal and there’s no right answer, but sometimes you want to make sure your personal hobbies and activities are separated from your infosec world. This is probably most applicable to a Twitter presence. Second,  and conversely, don’t be afraid to plug some hobbies into these activities. A great example would be browsing Reddit or populating Feedly with blogs and news feeds for something you’re interested in or have a hobby around. Including sections and opportunity for these will make it more likely that you’ll check back in and consume these activities, and allow a little diversion from the same old intense firehose of security information.

building a malware detonation and analysis environment

Via Reddit, I saw and really like this blog post about how to “set up your own malware analysis lab with VirtualBox, INetSim and Burp.” Oh wow, INetSim fills a nice role in this, but the author also does go through almost every step you need to do to set up a couple victim boxes, an analysis box, and get visibility into the basics.

My lab is nearly equipped right now to do this, but it could with some adjustments based on these steps. I’ve never done full on malware detonation and analysis before. I have done malware analysis to a smaller degree many years ago on actively infected production systems. It’s definitely more sane to do this in a controlled, throwaway environment! Filing this one away to do on a rainy day where I’m inspired to do some malware analysis like this. I really dig the INetSim and Burp setup.

pushing sysmon monitoring for security ops

Saw this on Feedly as I futiley try to keep up with security feeds: How to track that annoying pop-up. Yeah, yeah, yeah, sysinternals, sysmon, tasks, blah blah, sort of junior sysadmin stuff. Wait, what is this at the end of the article? A throwaway mention of and link to SwiftOnSecurity’s sysmon-config custom config file for monitoring systems. Now we’re talking!

You can pay the bucks for a badass product to do your system monitoring for you. Or you can roll your own temporary solution for small troubleshooting tasks. And then there’s that huge grey area in the middle for small-medium environments where you might not have the budget but still want to do better logging. This looks like a nice way to hit the ground running with sysmon on the cheaper “roll your own” side of things.

I’ve, of course, used and considered SysInternals tools as toolkit staples since before I started professional work in IT. And yet, 15 years later, they still surprise me! I hadn’t seen that Sysmon could be used in such a way. Some tips are available here, and the official information found here.

I now need to remember to set this up on my lab boxes every time I refresh them…

training and learning plans for the rest of 2017

I made a post back in November about some future learning plans. Of that list, I’ve “finished” building my lab for the moment which allows me to put time into vulnhub boxes and other lab work. I successfully finished the PWK/OSCP course (whew!). I’ve started getting back to attending local meet-ups and events (SecDSM, BSidesIowa, ISSA). I also have a PluralSight subscription where I fill some free time with courses hosted there; they proved very helpful in preparing for the PWK/OSCP.

Moving forward over the next 6 months…

I’ve added and also started to pursue other online labs/CTF styled efforts such as I hope to make HTB my larger time spend for geek stuff over the summer months. Add this to Vulnhub lab efforts and I should have my puzzle-solving itch taken care of for at least the summer. Also, doing these hits some sub-goals of organization and learning a few new tools.

Work is footing access to the LinuxAcademy course site for 6 months with the goal that I will be completing one of a few 20-ish hour tracks in Linux. Obviously, I’ll take advantage of more courses than just that. My own goal is to shore up some of my Linux exposure. I’m comfortable in Linux day-to-day and command line operation, but I still have lots to learn and I do plenty of administration-by-Google. I’d love to eventually just add in a RedHat or LinuxFoundation or Linux+/LPIC certification under my belt. Probably one of the former two by end of 2017 or early 2018.

I am also impatiently waiting for the online release of the Offensive Security web application course, AWAE/OSWE. This isn’t live yet, but once it opens, I plan to get in on this to further my web application security assessment skills as a priority. I could also pursue self study on the syllabus or using books like the Web Application Hacker’s Handbook in the meantime. Failing that one coming out any time soon, I’m also open to looking at other web app security/assessment courses or certifications. Examples include eLearnSecurity’s eWAPT course, or maybe the CSSLP from ISC2.

For possible other directions later this year, the next Offensive Security offering CTP/OSCE is an experience I’d like to have finished by the end of 2018. But having done OSCP, I know this will be another time suck. I’d like to look into the SLAE from SecurityTube as a pre-cursor.

Also, the CompTia CASP has appeared on my radar of something to pursue, and seems to be getting good exposure and reviews. Other possibilities are the CCNA as a way to get into the deeper Cisco security stuff or doing some other vendor-specific stuff like Palo Alto, Fortinet, VMWare, AWS Cloud Security, and so on.

My lab does still need to have a plan implemented for standing up (and re-standing up efficiently) an AD environment that I can use for testing. I’d like to package some additional PowerShell and maybe even Ansible/DevOps concepts into this effort, but that might be too big of a scope.

And a bit further down the priority list would be something like the ISACA CISA/CISM or much deeper study into Python.

There’s an endless amount of learning to do!

local file inclusion testing from hakin9

Ever since Hakin9 stopped being carried at Barnes & Noble, it’s been pretty persona non grata to me (I would read it for free over lunches spent at B&N). But I see it’s still alive with an article titled, “Web Application Penetration Testing: Local File Inclusion (LFI) Testing.” Is this the definitive guide? No, but it’s surprisingly useful and covers plenty of bases. Also uses DVWA for examples, meaning you can do some follow-alongs.

I do want to point out the php://filter/convert.base64-encode/resource=/etc/passwd section. This is highly useful if output of files isn’t very pretty, usually meaning carriage returns are not displayed properly. Outputting into base64 and then decoding it means things like long config files aren’t hell to read.

cloud security case study from threatsim

Everyone is at least thinking about cloud computing and security to some degree. Few people get or know what to look for, and fewer yet on how to do it. A multi-part article has been posted by Stratum//Security about building and using ThreatSim in the AWS cloud for several years. Part 1 is largely marketing fluff and context (though the security controls bullet list is very good to steal!), but the latter two parts start going down a bullet point list of things to keep in mind for cloud security.

This is certainly not all-inclusive, but every little bit to add to the body of cloud security knowledge, the better. Cloud security includes pretty much everything for more traditional security, but also almost doubled in order to cover things abstracted out to a whole new layer in the cloud platform tooling.

pwk and oscp advice to my younger self

This is part 2 of a 2-part post. The previous post was more about me, while this post is more about advice for others. (There’s also a part 3.)

Success in this course comes from two things: experience and knowledge brought to the course up front, and how much quality time is put into the course while taking it. This makes it extremely difficult to gauge what someone needs to do to prepare or how one should approach and study. Some students will fly through the labs due to their large amount of free time or pre-existing skillsets, while others will take a few months to get the ball rolling up their steep learning curve. Every step of the course and the lab discovery and pwnage is a separate journey; even researching things that turn out to be false leads takes time and energy. The goal is to get the most out of the course, and that is often about putting the time into it.

Some Basic Foundation

Try to become familiar with the Kali Linux and the tools it has and the layout. This will be your home base for the course, and has pretty much everything you’ll need.

For those newer to Linux, start using a distro on a day-to-day system and find some online courses on Linux security and administration and shell scripting/commands. Linux+ level skills are good, anything beyond is great.

For those newer to Windows, find some courses on Windows security and OS administration. This includes hosting server-type applications (e.g. web platforms).

Learn some Metasploit. It’s worth it and it’ll get used, whether in the course or beyond as a pen tester. Off Sec has a free Metasploit Unleashed course.

Learn some basic, free, staple tools and get comfortable with working various switches: nmap, unicornscan, curl. Google the top 100 security tools.

To get familiar with some of the big issues over the past 15 years, grab a copy of Hacking Exposed (McClure, Scambray, Kurtz).

For pen testing theory, check Penetration Testing: A Hands-On Introduction to Hacking (Weidman) or the slightly more up-to-date The Hacker’s Playbook 2 (Kim).

Have a decent enough grasp of networking to know how TCP/IP works in general, use and read some Wireshark/tcpdump output, and understand IP addressing, firewalls, and ports.

Have a decent grasp of our web technology works, from configuring web servers, looking at simple HTML/PHP/ASP code, and how browsers interact with the web server.

Install some security-related browser add-ons and poke around the Developer tools in place in every major browser these days (F12).

Dive into Python or Perl enough to get into Socket programming. Very useful to start swimming in the ocean of editing or making exploit code or enumeration scripts. Having had a course of class in basic programming is great, as you can start to consume any language if you know the logic.

Start thinking like an attacker. This often comes with experience, but start thinking of ways you can get to Goal X or Access Y. What mistakes do you look for? What isn’t default?

Lastly, know that OSCP/PWK comes with course materials and videos that teach you everything you need. So don’t think you are going into this being tested from day 1. You’re going to be learning from day 1 until day X.

To Be a Successful Student…

For most students, this will be the very first taste of anything to do with pen testing beyond reading a pen testing report someone else produced. As such, think about what pen testers do with their jobs: scan and attack systems, keep and organize and protect notes, create client reports, research, and learn. Students should be going into this course looking to hone and taste and practice every piece of that job role.

This is an entry level course and certification for an IT discipline that is not itself entry level. Security combines everything and a little more from other IT disciplines. Pen testing touches them all, and is certainly not an entry level route into general IT. That said, the PWK/OSCP is, by necessity, still only a small taste. As such, students should have some exposure to Linux, Windows, networking, coding, web technologies, Metasploit, shell scripting, and Python, among other more specific experience. In general, the more enterprise level troubleshooting done in these topics, the better.

Find a support group somewhere to turn to, even if it’s the spoiler-free IRC channel. Be ready to put some time into this as well, from a social standpoint. Help others out and befriend a few peers. Don’t be that person who just wants to leech answers. Give something back and grow your network. Plan on this taking several hours out of each week to maintain relations. To be fair, this is the biggest difference in the course today from my previous experience; the social opportunities and other learning services are amazing today. Don’t ask for answers; don’t give answers away; help yourself and others learn by doing and figuring things out.

The course isn’t teaching anything brand new to the world. Be ready to consume resource material quickly, efficiently, and effectively. Sometimes there is the need to read manuals for tools or apps, or even find them first! Be good about using Google and analyzing search hits efficiently and effectively.

Rely on Metasploit exploits as little as possible. When source code is found, try to run the attacks manually. This is largely to help understanding, but also test prep since Metasploit use is explicitly limited. When time is available, put in some research and effort into manual attacks, even up to porting Metasploit ruby modules into standalone Python/Perl/Shell exploits.

It’s ok to find something obvious and focus on just that thing, but the better bang for the buck involves taking notes on ideas, but moving on and making sure to at least lightly touch everything available. There might be something even easier to exploit, especially since so many lab machines have multiple routes to root. This means going fast isn’t a great measure; it’s about being thorough and finding all the lessons offsec has prepared in the labs. When looking at the whole lab, it is known that every system has an issue. But it is not known if every system has more than 1 route to root. This adds realistic uncertainty to methods and time spend.

Figure out how to keep notes. Think about how to document vulnerabilities and exploits enough that allow a client or future pen tester to recreate the steps and validate the results or the fixes. Test the notes in a few weeks by re-rooting boxes from the notes.

Do the course exercises and lab report, and be aware these two items will eat up 2-3 weeks of time (that’s what it took for me with a full time job and other responsibilities).

Words to My Younger Self (of 3 months)
Clearly, what I brought to the labs and what I did in them helped me pass the exam, but I feel like I could have done even better had I changed some things. I had more than several takeaways from my lab and exam experience that I would pass on to my own self of 3 months ago:

Rely on the forums less. This is really a balance that is going to be very personal and difference for everyone. For me, I think I relied upon the forums too much for hints that lead to answers. I’m very good with puzzles like that, but I think I should have found more things on my own. It’s a balance between money spent for time on the course, against one’s own knowledge, against one’s own background and familiarity with the OS versions, against being able to troubleshoot the clear issues. I think I used the forums too much on my quest to get x roots in y days. The quality of the learning, methodology, and accuracy is more important than speeding through and tallying up pwned systems. I learned this way too late.

Just to reiterate: Do not put so much emphasis on the quest to get x roots in y days!

Even when rooting a box with hints, troubleshoot and fully understand the opening used. Do all payloads work? Do other characters work? What limitations are there or requirements? Can I leave off the null character or does it need it? Can I play around with various sqli bypasses or does only one work? This sort of curiosity helps go faster and more confidently on subsequent similar boxes. Don’t just get root, loot the box, and move on. Absorb and analyze the holes for full understanding.

Get better at knowing what is normal on a linux system for various distros. What are the default services and their runlevel? What are the default SGID and SUID files? What are the default cron jobs?

Once comfortable doing these manually, script out the very basics of the initial enumeration scanning. Unicornscan->nmap-> maybe a nikto or dirb or enum4linux scan immediately. Those are time consuming to wait through. I may as well throw in a few curl gets since I do those every time I see a web server/port. Taking this too far snowballs into huge scripts that steals away learning from doing things manually, though. The real goal: to be able to kick off a scan of x boxes while working on a different one without interruptions. This will help on the exam, but also in the field. But don’t take this so far that manual tests and results are missed.

The methodology is king, but the vulnerability trivia and experience in the labs is a close runner-up. But still, make the methodology the main key. I’m a big believer in checklists, and I have enumeration checklists that I continued to update and maintain from even my early lab wins. Learn from others and continue to build what works for me.

With every rooting look back at my process and ask: What can I do to find things like this quicker? Am I missing steps? What clues lead me to this answer and how do I make sure not to miss them? Always review your process after each box and update your process/checklist. I did this, but not enough for my taste.

Make a list of lessons learned from each box. Try to keep them in one location so you can review later and make sure you do know those things. incorporate every experience into your full body of knowledge and skill. I also did this, but again I should have slowed down and done it more.

Train a bit for the exam. 5 boxes, 24 hours. Sit down some day and tell yourself “I will spend 3-4 hours on this box and be done.” See how that goes. See how your work space and notes look when you hit your cutoff. Move to another box and spend 4-5 hours again. Any success? Weaknesses? Fatigue? Did the break from the first box spark some ideas? During my time in the labs, I sat down on a box and stuck with that one box until rooted (30 minutes to 16 hours) with only 2 exceptions where I had to walk away for a while. This didn’t prepare me for the exam.

Do not be afraid of the exam! For me, I learned almost as much about myself and my knowledge during 48 hours of exam time and cooldown as I did in about a month of lab time. Failure is not embarrassing on this exam! It’s a chance to figure out what needs to be done to succeed further. I should have been ready for the basics of it and taken a crack earlier. If I had failed my first attempt when I took it at 90+ days, I would have had to look elsewhere beyond the labs to improve myself for subsequent attempts.

Figure out a way to stay organized on the desktop. After the exam, I had about 30 terminal windows, 4 firefox windows (with several tabs each), and 10 unsaved text files hanging out. Doing 3-4 systems at one time means being organized, not just inside your mind, but also on the desktop. Get better at tmux or other terminal helpers like screen or get dual screens going. I did fine when doing one box at a time, which is how I tackled the labs, but this got out of hand during the exam with 5 boxes at once.

Figure out a way to automatically record commands issued and/or terminal output. It’s a waste of time to do this manually. asciicinema and screen.

Get better at DLL sideloading and windows executable payloads. I just didn’t find as many opportunities in the labs to do this as I thought I would, but that likely means I just missed them.

I still have lab time this month, and I plan to tackle a few of the last items on this list while I have that time available.

reflections on passing the pwk lab and oscp exam

This is part 1 of a 2-part post. This post is more about me, and the next post more for advice for others. (And part 3.)

Passed the Exam
Over this past holiday weekend, I took and passed my OSCP exam. I started this course back in 2008 as detailed previously, but nothing I did back then really carried over to my knowledge base today other than knowing how the course works. I became interested in completing this unfinished task in November 2016 and I signed up for 90 days as March 2017 rolled in. My initial goal was to get about half the boxes over my 90 days of lab time, but I exceeded that pace and adjusted my goals as I went along. After 66 out of 90 days, I had rooted every target system in the labs at least one way (many systems have multiple avenues of success, and I by no means found close to all of them). I extended my lab time 30 days just before taking the exam (for further research regardless of pass/fail), and took the exam on day 90+3.

The point of this and the next post is to give my insight into the course and exam experience. There are dozens upon dozens of exam reviews and stories out there, so I’ll try to keep this somewhat different from the many others. There won’t be a litany of links to cover topics to study (which is a bit ironic considering my links menu on the side). To be honest, others have proctored far better lists than I would provide. Go search them up!

My Background
I have 17+ years casual own-time interest in security. 14 years of IT technical work, mostly systems and networking plus security defense management. I am comfortable with scripting and coding principles, comfortable in PowerShell, novice-to-intermediate in Linux administration and working inside it, good with general networking, and extremely knowledgeable about Windows and systems/servers.

This means I bring a pretty decent history of knowledge and exposure to security concepts, even if I’m not always actively utilizing those skills and putting off-sec-style boots on the ground. My professional IT jobs have included doing things with security in mind. I use Linux Ubuntu as a day-to-day desktop at home. I’ve used BackTrack and Kali, and I’ve rooted a handful of boxes in the past using Metasploit or very simple tricks. I’m pretty learned over the years and understand technical concepts, but would still consider myself a bit of a neophyte to the deeper workings of hands-on pen testing.

My Pre-Course Activities
I did a bunch of things to lead up to my PWK/OSCP sign up, but the most important was simply reading other OSCP reviews and feedback and study lists on blogs, reddit, forums, youtube, etc. In doing so, I made an absolutely unattainable list of things to reference and check out, and I sort of tried to prioritize and tackle that list.

I checked out vulnhub and built a better lab environment at home for further study.

I slowly found some of the new and old places that students hang out and socialize, notably a private Discord server off the forum, a Slack off the netsec sub-Reddit, and the #offsec IRC channel.

I signed up for Cybrary and Pluralsight to take some courses to shore up some of my weaknesses and areas I’ve not been heavily exposed to: shell scripting basics, python basics, linux administration, kali and enumeration basics. To be honest, those Pluralsight courses were overall very helpful!

Being a previous student, I was allowed to upgrade my course materials for a small upgrade fee and download them without having to purchase more lab time. This proved to be awesome, as it allowed me to start studying the material without having it happen while my lab clock counts down.

I installed and started getting used to Kali Linux again as both a VM and a dedicated laptop, plus incorporated KeepNote into those installations and my normal Desktops and synced using Dropbox. (Note: In the actual PWK labs I only used my Kali VM that was downloaded as part of the student lab signup and never did an update to it nor had to ever revert it. I also switched away from KeepNote to CherryTree about 2 weeks into my lab time due to issues.)

Importantly, I made sure that I could sign up for the labs during a time where me, my job, and my loved ones were ready to accommodate the time-suck that is required for this course.