Offensive Security are launching a new Virtual Penetration Testing Lab, dubbed The Playground.
For those who have already taken an Offensive Security course (e.g. PWK), you will already be familiar with the types of machines in the lab - mainly various flavours of Linux and Windows. The Playground is even more versatile and also includes Citrix, Windows AD Domains, SCADA, IPS and anti-virus.
I was incredibly lucky and was offered the chance to join the private beta program for testing the Playground; which involved attacking as many of the machines as possible and providing appropriate feedback to Offensive Security. The intricate details of the lab will obviously remain private, but we were permitted to publish this final review of our experience.
So without further ado…
Many of the queries posed by aspiring students revolve around whether or not they are ‘ready’, or ‘experienced enough’, to take PWK. An important distinction to make is that the Playground is not a structured course, but a ‘product’ which can effectively be rented by organisations - super useful for staff training, for example.
The difficulty of the lab machines ranges from very easy to really very tough. I say this based on my current level of experience: a relatively inexperienced pentester - I started out as a hobbyist, and got a job pentesting full-time about a year ago. I then passed PWK in April 2014.
I was only able to spend ~1.5 weeks in the lab, out of the allocated slot of ~3 weeks, and in that time I was able to fully compromise 17 boxes across 2 subnets (and one router).
So how does the difficulty of this lab compare to PWK? In short, there are some machines in the Playground which I’d say are just as easy, if not easier, than those in the PWK lab. But these don’t last long and the difficulty ramps up quite quickly.
Some significant experience will be required to penetrate into the deeper subnets.
I didn’t see any content from the PWK labs copied across to the Playground - this is all new content! So if you have already completed PWK, don’t be concerned about repeating yourself.
Access to the Playground is by way of VPN - once registered you receive a ‘Connectivity Pack’, containing VPN certs, username and password. Connecting creates a new tap interface on your host, which is assigned an IP in the Playground DMZ.
From there, you can port scan and attack the first subnet of the Playground. Exploiting boxes in the DMZ reveals hosts which are ‘dual-homed’ (attached to more than one network), allowing you to pivot into other networks.
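The two checks implied by that workflow, as an added example that is not part of the original post or of Offensive Security's lab tooling: work out which subnet the VPN tap interface dropped you into (so you know what to sweep first), and, once you have a shell on a DMZ box, decide from its interface listing whether it is dual-homed and therefore a pivot candidate. The interface names (`tap0`, `eth1`) and the three `ip -o -4 addr` listings are constructed for illustration; nothing here touches the network, and the nmap command is printed rather than run.

```shell
#!/bin/sh
# Added example, not from the original post or from Offensive Security.
# Interface names and the address listings below are constructed.

# cidr_network A.B.C.D/N -> network address in CIDR form (10.11.2.35/24 -> 10.11.2.0/24)
cidr_network() {
    ip=${1%/*}; pfx=${1#*/}
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    addr=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    mask=$(( (4294967295 << (32 - pfx)) & 4294967295 ))
    net=$(( addr & mask ))
    printf '%d.%d.%d.%d/%d\n' $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
        $(( (net >> 8) & 255 )) $(( net & 255 )) "$pfx"
}

# find_tap_addr "<ip -o -4 addr output>" -> address/prefix of the first tap* interface
# (that the VPN interface is named tap* is an assumption; adjust the pattern for tun*).
find_tap_addr() {
    printf '%s\n' "$1" | awk '$2 ~ /^tap/ { print $4; exit }'
}

# scan_target "<ip -o -4 addr output>" -> the CIDR block to sweep first from the attacking box.
scan_target() {
    cidr_network "$(find_tap_addr "$1")"
}

# host_networks "<ip -o -4 addr output>" -> distinct non-loopback networks, one per line.
host_networks() {
    printf '%s\n' "$1" | awk '$3 == "inet" && $2 != "lo" { print $4 }' |
        while read -r cidr; do cidr_network "$cidr"; done | sort -u
}

# is_dual_homed "<ip -o -4 addr output>" -> exit 0 if the host sits on two or more networks.
is_dual_homed() {
    n=$(host_networks "$1" | wc -l | tr -d ' ')
    [ "$n" -ge 2 ]
}

# Constructed sample: the attacking host after the VPN comes up (home LAN plus the lab tap).
ATTACKER_ADDRS='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.168.56.10/24 brd 192.168.56.255 scope global eth0
3: tap0    inet 10.11.2.35/24 brd 10.11.2.255 scope global tap0'

# Constructed sample: a single-homed DMZ box (nothing to pivot through).
DMZ_ADDRS='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 10.11.2.14/24 brd 10.11.2.255 scope global eth0'

# Constructed sample: a dual-homed DMZ box with a second leg into another subnet.
PIVOT_ADDRS='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 10.11.2.20/24 brd 10.11.2.255 scope global eth0
3: eth1    inet 10.12.0.20/24 brd 10.12.0.255 scope global eth1'

# What you would type next on the attacking box (printed, not executed, to stay offline).
printf 'nmap -sS -p- -oA dmz-sweep %s\n' "$(scan_target "$ATTACKER_ADDRS")"

# Run the same listing on each rooted box and flag the ones worth pivoting through.
for name in DMZ_ADDRS PIVOT_ADDRS; do
    eval "listing=\$$name"
    if is_dual_homed "$listing"; then
        printf '%s: dual-homed, networks: %s\n' "$name" "$(host_networks "$listing" | tr '\n' ' ')"
    else
        printf '%s: single-homed\n' "$name"
    fi
done
```

On a real box you would feed `"$(ip -o -4 addr show)"` to these functions instead of the constructed strings; the point of the network-address arithmetic is that a host on 10.11.2.20/24 and 10.12.0.20/24 is flagged by its two distinct networks, not by its two addresses, so a box with two addresses on the same segment is correctly not treated as a pivot.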
I want to mention the new Dashboard, as there are several improvements over the one currently found in PWK.
At its most basic level, the Dashboard lists all of the available machines in the lab. Participants can reboot or revert them at will (although restricted to a particular number per 24 hour period). There is also an ‘admin’ level dashboard where statistics can be tracked, batch reverting carried out and other functions.
Each machine holds a text file containing a short MD5 hash, which is only readable once root/administrator privileges have been obtained. This hash can be submitted against the relevant machine in the Dashboard, which then marks it as ‘owned’ and increments your score. For the beta test each box was given a score of 1 point, but when live they will have scores representative of their difficulty.
Without being able to talk about the machines in the lab, the technical review stops here. I really enjoyed my experience with the parts of the lab I was able to interact with - the Offensive Security Team have done a really good job in creating a vibrant lab.
There is so much variety in what is exploitable (old software, weak creds, password re-use, custom applications, you name it). There are also levels of interaction between boxes, which simulate real-life scenarios and open up different avenues for attack (e.g. using one rooted box to leverage an attack against another).
Hand on heart, there was honestly not a single thing I outright didn’t like about this lab. Sure there were ‘issues’ with some of the builds, but these will be fixed based on feedback from the beta program. In terms of the overall design and implementation, I simply can’t fault it.
One slight annoyance is the issue of reverting. Giving everybody the ability to revert machines has both advantages and disadvantages - reverting a machine resets it back to its default configuration, meaning any changes made to it by the participants are removed. Obviously this reduces the overhead of having an administrator do it all the time.
Also, it means that once a machine has been compromised, it can be reverted so the next participant can start from fresh. But since the lab is a shared environment multiple attackers can be working on it at the same time. Some like to revert a box before they start working on it to ensure it’s in a default state; but if somebody else is currently connected to it, they immediately lose their access and must re-exploit. This can be super-frustrating if you are trying to work on a privilege escalation; or using that box as a pivot into another subnet.
I don’t see a reasonable technical solution to this; it’s more logistical and will very much depend on the organisation and how they want to manage it. Organisations won’t share lab access with other organisations, they get their own instance, so the issue can be managed internally. As a minimum, I would recommend a courtesy IM/IRC/email message to your fellow hackers before reverting.
Now, to finish off this waffle, I would like to extend my sincere gratitude to muts and g0tmi1k for inviting me to join the beta program; and to loneferret, who also put a lot of work in the lab to make our lives a misery!
Kudos to Offensive Security, you should all be very proud of what you have achieved - now you just need to get AWAE online!! :D