April 15, 2018

Install Arch Linux with encryption, secure boot and manual tweaking

   Today I will share the guide I used for my Arch installation. There are a lot of resources where you can find installation instructions, but here I would like to share my tips. All related links are included in this post. 
   
Our goal: 
  • UEFI Arch installation on encrypted volume + /boot also should be encrypted
  • enable and use secure boot with own keys on laptop
  • do post installation hardening
  • installation steps for Gnome without unneeded software

 

Installation


   All installation instructions can be found in the official Arch Linux wiki (https://wiki.archlinux.org/index.php/installation_guide). The only thing is that you need to go through each wiki article to compile your own installation guide. I used this guide as a starting point (https://grez911.github.io/cryptoarch.html). I don't see any value in fully copy-pasting someone's guide here. The only difference I had is that I don't have a partition for swap, as my laptop has 16 GB of RAM. Also I installed /boot on an ext3 filesystem. 
  Another guide to consider is https://headcrash.industries/reference/fully-encrypted-archlinux-with-secure-boot-on-yoga-920/. There you can find specifics about btrfs and the Yoga 920 installation.

Secure Boot 

 

   You can start reading about Secure Boot from the wiki - https://wiki.archlinux.org/index.php/Secure_Boot. If you really want to understand what is going on in the system, I highly recommend going through this article https://bentley.link/secureboot/ and creating everything manually. However, for automation you can use a tool from GitHub (https://github.com/xmikos/cryptboot), which is described in the "Secure Boot" section of the second installation guide for the Yoga. After finishing, you can check whether Secure Boot is active with this command: od -An -t u1 /sys/firmware/efi/efivars/SecureBoot-XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX. To get the right value for the XXs, just use tab completion. The last digit should be 1.
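To avoid reading the byte column by eye, here is an added shell helper (not from the original post or any of the linked guides) that parses the same efivar the od command above dumps. It assumes the efivarfs file layout of 4 attribute bytes followed by the one-byte SecureBoot value, and accepts an optional file path so it can also be run against a copied file.

```sh
#!/bin/sh
# Added example: parse the SecureBoot efivar the way the `od` command above shows it.
# efivarfs files start with 4 bytes of variable attributes, then the variable data;
# for SecureBoot the data is one byte: 1 = Secure Boot enabled, 0 = disabled.
secureboot_state() {
    # $1: optional path to a SecureBoot-<GUID> file; defaults to the live efivar
    var="$1"
    if [ -z "$var" ]; then
        for f in /sys/firmware/efi/efivars/SecureBoot-*; do
            var="$f"
            break
        done
    fi
    if [ ! -r "$var" ]; then
        echo "unavailable"   # no UEFI boot, efivarfs not mounted, or not readable
        return 2
    fi
    # Dump every byte as an unsigned decimal and keep the last one (the data byte).
    last=$(od -An -t u1 "$var" | awk '{ v = $NF } END { print v }')
    case "$last" in
        1) echo "enabled";  return 0 ;;
        0) echo "disabled"; return 1 ;;
        *) echo "unknown";  return 2 ;;
    esac
}
```

Run `secureboot_state` with no argument on the installed system; an exit status of 0 means Secure Boot is enforcing.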

Post installation hardening

 

  After the installation finished I went through hardening. I would advise going through the wiki page - https://wiki.archlinux.org/index.php/Security. When I read about kernel hardening, I decided to install the linux-hardened package, using this guide - https://thacoon.gitlab.io/articles/2017-07/arch-linux-hardened-kernel.html. It broke the system for me, as there was no kernel module for FAT to proceed with boot. I found that I was not alone with my problems - https://flameeyes.blog/2011/09/12/hardened-and-efi-aren-t-buddies/. For now I am just waiting for new releases. After all the hardening I used a tool called Lynis for an audit (https://cisofy.com/lynis/). I found this sufficient to reach a better level of security.


Post installation tips

 

   Well, now you can install anything you want in your new system. A pretty good list can be found in the official wiki (https://wiki.archlinux.org/index.php/list_of_applications). For decent terminal fonts I used this package (https://www.archlinux.org/packages/community/any/awesome-terminal-fonts/).
   As a desktop environment I prefer GNOME, but I don't like the load of software that gets installed together with gnome. I found this conversation on reddit helpful, especially the comment about which package name stands for which software - https://www.reddit.com/r/archlinux/comments/3q98sf/gnome_without_the_bloat_what_is_neccesary/cwd8rj8/?st=jg194hew&sh=c96834de
 

January 21, 2018

OSCP course and exam overview

   There is a good proverb saying: "Better late than never". Loads of people have asked me about my OSCP experience and thoughts, so I decided to share them here. There are plenty of reviews with book/lab/exam details, so I will not copy/paste them. This review will be more about my experience and thoughts. I passed the exam in October 2015 on my first attempt. I know that the exam and course have changed a lot since then, but still I hope someone will find my review valuable.


Introduction

   To tell the truth, certifications in infosec suck. It is very hard to follow the rapid growth of the industry and address modern concepts in courses. Before Offensive Security there was no hands-on certification. I find this situation quite strange, as vendors check your hands-on skills with a bunch of questions. Even if we put aside the endless dumps available on the Internet, I think practical skills can be evaluated only by practice.


Lab environment

   I decided to take OSCP to challenge and improve my skills and out-of-the-box thinking. This is a self-study entry-level course from OffSec. They don't test your knowledge level when you sign up for the course. Study will require loads of time and effort from the student. I decided to buy the lab for 3 months and owned every machine out there.
   So I started with the book, solved the exercises and put them in the appendix of my future lab report. Frankly, this book is just a good intro to what you will need while owning machines in the lab. All basic techniques can be found there. OffSec is not a course where they will guide you through all the machines; it is up to you. They just provide you with some vectors to consider.
   While fighting with the lab I struggled a lot. The most frustrating thing for me was that I knew a machine was vulnerable, but couldn't find where. In a real pentest you never know beforehand that your target is actually vulnerable. I was stuck so many times. There was an IRC chat where you could discuss your problems with OffSec staff. In my time the most common answer was: "Enumerate more". Now I am very thankful for this, as only persistence and suffering will help you find out the truth. Since that time I know that there is no such thing as "I tried to hack it for a long time". Patience is really important in our job. Pentest is not a bunch of tricks to try against a target; it is more like a proper mindset and the joy of solving puzzles.
   During lab time I did not do post-exploitation enumeration after rooting a box, and it caused me pain when I was left in the lab with only client-side boxes. I wasted 2 days just going through all the owned boxes to find the information necessary to progress further. In the lab you can find some neat stuff to play with, such as Oracle, a small domain environment and various OS versions. You will master privilege escalation, pivoting, trivial AV bypass and client-side exploitation. I improved my Metasploit skills, diving into how it actually works. The admin network was a pleasure to play with. At the end I spent around 3 days creating the full lab report with evidence and planned my exam.

Exam

   As I can't reveal details of the exam, and loads of things have been written in other reviews, I will just summarize my wins and fails. I started the exam with the buffer overflow machine and got 25 points pretty quickly. Then I got 2 limited shells on 2 other machines. And then I got stuck, really stuck. I was sitting from 14:00 till 01:00 with no luck. I felt miserable and went for a quick nap with a heavy heart. However, at 07:00 I got up and in 2 hours I rooted the Linux box for 20 points. I ignored the 10 point box, as I found it not worth spending time on such a low-value target. Then in the next 2 hours I got the remaining 2 machines, finishing 15 minutes before the deadline. I started to dance and forgot to submit proof.txt in the online system. Luckily I had all the screenshots to prove the rooting.
   After 2 days I received the passing confirmation.

Closing thoughts and criticism

   I personally found OSCP to be a great entry-level challenge. I vote for hands-on testing instead of paper-based exams in all forms. I have heard opinions that playing in the OSCP lab is not the same as performing an assessment, so it is not relevant for getting a pentest job. I agree with this only on a small point: here you don't report all the informational bugs and missing best practices. Also you don't care much about environment stability, as you can always revert the machine. But everything else in the lab and exam is quite close to real life; the course also encourages you to research and study more, and improves the personal qualities that will help in developing a pentester career.
   When I do hiring, I personally consider OSCP an advantage. Obviously, getting OSCP will not promote you to senior tester in a moment, but it is a good base from which to start building a technical career in the sphere of legal hacking.