attended sec542 and netwars at sans east

About a week or so ago, I and a coworker attended SANS East in New Orleans. I was in town to take SEC542 and he was taking FOR610. We arrived a day before registration was open.

I just have to say that I absolutely enjoyed New Orleans! I’ve been to a few cities in recent years for training, and most really have pretty generic character; they’re just another city with maybe good weather. But New Orleans and especially the French Quarter has a great character to it with absolutely wonderful food, fun people, shops galore, and music everywhere. Combine that with beautiful weather (50-70 degrees in February winter is beautiful to me!) and thick mysterious fog every morning and I loved it.

We were in town the night of the Super Bowl, so after registering for classes, we navigated an impromptu Boycott Bowl block party (New Orleans Saints had their Super Bowl berth stolen from them two weeks prior and they’re a little sensitive!) to join the SANS opening reception at Fulton Alley for open buffet, bowling, and bar. Super excellent time out there, and I would visit New Orleans again some other winter.

My background gives me a good foundation for this course. I’ve not only managed my own sites and servers, including their (somewhat simple) code, for many years, but I also spent about 15 years as a security/sysadmin in charge of hundreds of critical business web sites and servers and working closely with developers. I’ve also gone through the PWK course and earned my OSCP, and done many HTB boxes over the past few years, all of which has given me exposure to web app vulnerabilities, exploit execution, and red team tools. In all, I feel comfortable with web applications, but my confidence isn’t all there when it comes to efficiently and accurately performing a “real” pen test against a site. (More on this later.) I’ve used some of the tools we’d use in the course, like Burp and wpscan in the past, but others I have not, like ZAP and BeEf.

To prep for the class, I mostly brushed up with courses on web app testing on YouTube or PluralSight. The most notable courses that really helped were 2 courses for 3 hours of Burp Suite on Pluralsight by instructor Sunny Wear and a series by Dawid Czagan on web app hacking also on Pluralsight.

The SEC542 class itself consisted of 5 days of lecture followed by a CTF competition on day 6. The class is pretty solid in covering the basics of web application technology, OWASP Top 10-styled weaknesses and exploits, and the beginnings of conducting web application assessments. The instructor (Eric Conrad) was excellent in adding value to the course with personal stories, advice, examples, and encouragement.

There were maybe about 30ish labs over the 5 days. Some labs are very basic where you just follow the directions to perform a quick directory traversal or XXE attack. But others later on offer a little more chance to choose your own difficulty and how many hints/guidance you take, which works especially well in something like the Python-related labs where I just needed a few pointers from Google and the books on how to do a few things and I could mostly do them with my own script. That sort of open-ended lab actually doubles as nice practice, rather than just pure introduction and copying

The day 6 CTF was an absolute blast and my penultimate experience at SANS East and SEC542. We split into fairly random teams based on when people came in. I think one team was somewhat pre-picked, but ours was pretty much, “Yeah, sit down, join up!” We had 3 teams in our class (online teams competed only against each other), 2 consisting of 5 students, and ours with 4 students.

As we got going, I started doing scans of the network using nmap and nikto, and doing really quick assessments on the results to draw attention to any suggested targets (“WordPress here! SSL here! CGI script there!”). My other teammates cleared out the level 1 book questions while this happened. I had my back to the classroom screen, so I didn’t see the jumping around of the team scores very much, but my impression is that for the most part first place traded hands quite a bit.

My team was amazing. I’ve never really had many chances to work on a pen test or assessment (or even a CTF) as part of a team, and this was absolutely wonderful. We all made progress and everyone contributed investigation and success into the things they were tackling. Someone scored out the questions on one section, I took another, and another two were done before I had even looked at them. We even had one guy make some ridiculous lucky guesses to score wins, and as I said when that happened, “That’s half of hacking, making guesses and getting it right!”
In the end, we had the lead, but bought hints on the final few questions which dropped us back into second place for a while. We got pretty hard stuck on a few things, but eventually figured it all out except one last question that was bothering me badly as I knew I was almost there (turns out I was). In the end, we bought one final hint, scored the question out, and then scored the final question to take the lead in the last 6ish minutes and held it until time ran out. Super fun to earn that coin and get first, but honestly it was more awesome to run through that well-paced CTF on a team that worked so well together. We made some mistakes, but nothing so big that it messed with our energy.

So, how did I feel about this course? This is a weird space, as is much of information security disciplines where you need a certain baseline of fundamental knowledge, otherwise your uphill climb can be difficult. But the material can quickly be overpassed with just a little bit of experience (which is kind of the point of the course, yeah?). And that really leads to my only down side of the course. But it’s really not even a problem with the course, but rather with me. For almost all of these exploits and attacks, I’ve done them before between OSCP/PWK and HTB lab environments. So, honestly, good portions of this course were sort of a review for me, or rather a reinforcement. But, make no mistake, I did learn a few new things, especially the value-add stuff from the instructor.

My biggest takeaway, much like so much in information security, is that this discipline and doing these assessments takes constant and regular practice. Practice, practice, practice. Which is really the place that I am right now with my skills and level of confidence. I simply need to iterate through the things I know, over and over, get quicker and more familiar with the tools, and maybe start doing some assessments at work on our sites to compliment the things our QA teams do.

Still, could someone pass over this course with self-study and a cheaper budget? Yes, and probably not that hard, either, unlike other high level SANS courses. A student could study up on various cheaper courses or even free YouTube courses going over OWASP Top 10 attacks. And honestly, there are free tutorials on doing DVWA, OWASP Juice Shop, and Mutillidae II out there for free, which will cover the Top 10 and more. Add in doing some HTB boxes and watching along with Ippsec on Youtube doing retired boxes shows many of the attacks in a more live situation. From there, it’s really about learning the tools, and you get use out of them from HTB or PWK/OSCP, plus additional courses on those tools which may cost a small subscription to view for a few months. Still, that’s quite a bit cheaper than SANS, especially if looking to do this on your own dime. You won’t necessarily get a certificate, or exposure to other smart students, or the Netwars experience, or the value from the instructor, but I honestly think students can get past SEC542 on their own with some personal dedication.

And that now brings me to Netwars. For a third, and probably last time until they update the content, my coworker and I competed in Netwars Core. We sat at the front, which must have been a good area to sit, since the winning team and most of the individual top 5 were sitting. After two nights, I finished in first place for a coin and trophy, and my coworker fought a super close battle for 4th place! My placing was pretty undramatic, but that fight for 3rd through 6th was pretty tight. I might do Core if I ever attend a coinapalooza event (and have coins to acquire), but barring Core being updated to a version 6, I’ll likely duck into DFIR or Cyber Defense in future events now

GWAPT and the future. So, that leaves me with what’s next. I’ll be studying the materials again, making my index, and going through the labs once more in preparation for the GWAPT exam. I have pretty high confidence going into this one unlike my GCFA. During and likely after this, I will also be trying to get a practice regimen started. At a bare minimum, I want to tackle web-heavy HTB boxes, not to necessarily root them, but to practice assessment steps and tools usage (I need more confidence in fuzzing, sqlmap, for instance). I also will look into those vulnerable open source boxes for further practice (Mutillidae, DVWA, Juice Shop). I am also woefully inexperienced with REST/API and SOAP assessments, so I’ll likely find some courses or guidance on that. And lastly, I’ll also work to continue to further my Python and even Javascript exposure. I do also have a Pentester Academy sub, and they have some web content and challenges as well.

That sounds like quite a lot, but honestly this is about forming a long-term practice and experience habit for web assessments. And to my viewpoint, being conversant and ready-to-go with web app assessments is a core pillar for anyone looking to be on or near red teams/offense.

Will I take SEC642? I don’t know. Some of those topics definitely are things I’m less comfortable with today, so it is still in my top several classes to look at if I get another opportunity to attend something. But other options are tempting as well, such as SEC573 (Python), SEC617 (Wireless Pentesting), SEC660 (Exploit Writing), FOR610 (Malware Reversing), SEC588 (Purple Teams), SEC545 (Cloud Security), and FOR572 (Network Forensics). It might just depend on what lines up best with what I and my company need when the chance opens up.

Leave a Reply

Your email address will not be published. Required fields are marked *