In September of 2016 I embarked on a journey of knowledge and web application pwnage. The SANS SEC542 Web App Penetration Testing and Ethical Hacking course called to me like a light in the night. My towel was packed and I set sail for our nation’s capital to attend SANS Crystal City 2016.

When I was deciding on which SANS event I wanted to attend I wanted to make sure the instructor would be engaging and be able to convey the information in a way that works with my style of learning. The course was taught by Adrien de Beaupre. I didn’t know what to expect from this guy at first. I did a Google search on him and saw one of his spots on Security Weekly. Based on that I had an idea that I would like him. I went in with high hopes for building on the foundation of knowledge I already possessed and learning some new techniques. Now, dear reader or prospective student, I speak to you when I say don’t panic, Adrien is alright. After six days of intense knowledge transfer I left with all expectations exceeded by miles. Mr. de Beaupre is an excellent instructor and makes learning fun and enjoyable. The first day I entered the classroom he was rocking out to some metal and it was at this point I knew I made the right choice.

I came into this course having already achieved the OSCP, CPTE, and having been a web systems administrator/programmer. I had a substantial amount of experience and familiarity in web-based architecture, applications, and fundamentals. This experience helped me absorb the course content better than if I had none at all. That being said, the course does cover fundamentals and may be repetitive to those already experienced in the nuances of the web aether realm. However, this course will help hone the skills and knowledge of more experienced professionals.

Arrival

When I arrived at the hotel I was given a room that looked like it was from a bad roadside motel that one may find on an abandoned highway on a long stretch of road between two distant towns in the middle of a desert. The room was dirty, floor and walls stained with some kind of fluid, a literal hole in the wall behind the television, a broken lamp shade, a dirty stained desk chair, and some other things I’ve probably repressed. The room was a nightmare! I went to the front desk and informed them of the state of dysfunction the room was in. I will say this, they handled it with top quality service the like of which I have not experienced. They immediately apologized and upgraded me to a Jr. suite.

The Course

The course was six days, with each of the first 5 days covering different subject areas and the last day being a capture the flag (CTF) challenge. The CTF is designed to leverage the information discussed during the first five days and put it to practical use.

The first day I arrived early to check in and to see if there was any sustenance that would conform to a primal palate. My only complaint about SANS food offerings is that it is very carb/sugar rich and typical continental breakfast type food. Each day the food was different and afternoon snacks were provided that followed a similar theme of insulin busting fare.

Not realizing it at the time, a gentleman and fellow classmate who I’ve come to highly respect checked me in to the conference. The guy is really an inspiration and opened my eyes to many possibilities.

I walked into the classroom and saw that several folks had arrived ahead of me. Everyone was really friendly and welcoming. I scanned the room for a place to stake my claim and resisted my initial urge to hide in the back row. I marched forward past row after row after row of tables and took my place smack dab in the middle of the front row. This proved to be the best decision I have made that may have a lasting impact on the rest of my life.

Soon after I settled in came a gentleman from the Lone Star state. This fine fellow is someone that was a cornerstone to the success of the last day of the course and is someone I had the honor of meeting and who I’ve also come to respect greatly. He set up next to me, we made introductions and soon the class for day one began.

The first day is an introduction into the wonderful world of web technology. Adrien, being a master orator and excellent instructor, was able to pull back the veil and take topics that look insanely complex and turn them into understandable spells and incantations. Once the basics of web architecture were reviewed, topics such as information gathering a.k.a. OSINT, common tools for web application testing, an overview of the penetration tester’s methodology, and others were explored.

The rest of the week covered the syllabus as outlined on the SANS SEC542 website. The structure of the course followed a book for each day. Days were broken up into instruction, demonstration, lab exercises, then rinse and repeat. The end of day one was an extra credit challenge to hack a game. In hindsight I should have taken this challenge but I instead decided to get out of the hotel and explore the area nearby.

The CTF

On the second to last day of the course my friend and classmate from Texas took the initiative to assemble a team for the CTF for the next day. The team consisted of myself, the Texan, and two very skilled members of our military.

When CTF day arrived one of the first things we needed to do was come up with a name for our team. We put our collective creativity together and came up with CaffeinatedBacon. And so it was, the greatest team the world has ever known. Ok, ok, maybe that is a bit of an exaggeration but we were good.

This was the first time I did a SANS CTF. I was familiar with the PWK type challenges where the objective was to get a foothold into a system then escalate a low privileged account to get root. This CTF was different in that there were multiple challenges that were more than just getting root. There was a list of flags/objectives that required gathering information to get points. If the wrong information was submitted points were deducted. The CTF portal provided hints if stuck. Every time a hint was used points were also lost. The CTF was timed and we had about 3 hours or so to complete the challenge.

As we gathered into the classroom my anxiety was at an all-time high. I had high expectations for myself and I wanted to win. Adrenaline was coursing through my veins assisted by an abundance of caffeine (no bacon unfortunately). We set up our team table and had to overcome some technical difficulty. Luckily I brought a couple of cat 5 cables because the ones provided didn’t work well for some.

After everyone was settled our team devised a strategy for how we would work together. We identified a task master, the person who would keep track of the score and hand out tasks when someone completed a challenge. That way we could ensure we didn’t duplicate any effort and maximize our time on each challenge.

It was time, the CTF had begun. We started off strong and gained the lead fast. We each were racking up points and moving forward. The Task Master was delegating and tracking progress expertly. Our lead at one point was over 100 points from the 2nd place team. The team named Puppy started to catch up at one point and gave us a run for our money. My nerves started to cloud my thought process when they were getting close, but I overcame the pressure, took a deep breath and continued on with a laser-like focus. Towards the end we put the hammer down and moved our lead into a strong position. As the final moments ticked by we debated whether to use hints to complete more challenges or keep the score we had and hope another team didn’t pull off a come-from-behind win. I suggested we stick to where we were because we couldn’t guarantee that the points deducted from the hint would have provided any information that would result in completing a challenge, but we could guarantee our current position. The risk/reward calculation didn’t seem like it was worth it. Finally the timer ran down to zero and everyone had to stop. CaffeinatedBacon had done it! The end of the CTF was called and we had won! W00t!! We had a score over 400 points and only used two hints.

My heart was pounding from start to finish and we prevailed! I was practically jumping for joy and this experience had ignited a passion for this kind of CTF.  It was a great experience and I was glad I got to meet some great and talented people.

At the end of the competition, before we all left to go on our separate ways, we were awarded with the coveted challenge coin. I accepted the coin and examined it with a sense of accomplishment and pride.

Conclusion

The SANS experience was amazing. I had heard of SANS from other folks that had taken other courses and they always spoke of SANS as the best in training and quality. Being a natural skeptic I took their description and enthusiasm with a grain of salt. After taking my first SANS course I now understand why everyone speaks about them in such high regard. I can’t wait to take my next SANS course. I hope it will be soon.

Next – GWAPT

My next post will cover the GWAPT exam where I will discuss tips and tricks for exam preparation that helped me successfully pass and achieve the GIAC Web Application Penetration Tester certification.

 
