Review: InfoSec Institute’s Advanced Ethical Hacking bootcamp
This past week, Feb 1st-5th, I was able to attend InfoSec Institute’s AEH bootcamp. I thought I’d write this up as I have a lot of opinions on it. To be frank I wasn’t entirely satisfied with the experience, but more on that later. In this review I will first start off with the facts, how much it costed, how it was setup, and how the materials were approached. Then I will get into my thoughts about the course. Of course please note that everything at that point will be entirely personal opinion, and could be drastically different from what other students think. I’d also like to state that this course was paid for out of the Tuition Assistance that my employer kindly provides me, so the cost of the course was not out-of-pocket but merely depleted my overall remaining TA.
Course At A Glance
So my employer is ‘partnered’ with InfoSec which means the cost of bootcamps is lower, I guess. This made the bootcamp roughly $3,300 at the end of the day. I took this virtually due to all of the Covid-19 restrictions still in place within most states. It is a five day, Monday-Friday, course with about eight hours per day. The days were a mix of lecture and labs. The instructor, Keatron Evans, communicated with myself and the other nine class members over skype; and all of our books and labs were digital (PDFs and web-based labs). We did also get mailed a copy of “The Shellcoder’s Handbook” prior to the course, which can be found on Amazon.com for roughly $32.
For most of the days we spent the better part of the morning with lecture following along in a PDF of slides accessible through a web-interface, but not downloadable. After lecture we would move into hands-on labs with a separate PDF (we could download that one) for the remaining part of the day. The labs were all done through a web-based client where you could click a side panel to swap between virtual machines. The lab environment had a Kali box, a Windows box, and a Windows Server box. Most labs focused primarily on the Windows/Kali boxes. The biggest downside to the labs were there was no copy-paste functionality. All scripts we made in the environment stayed in the environment, unless you wanted to re-write them on your own machine; or, as Keatron advised, setup a FTP or SSH server at home and push them out from the lab environment to your server.
This bootcamp primarily focused on Buffer Overflow exploitation. There were multiple different BoF techniques we hit on in the labs that used different approaches to overflowing memory. Of course for all of these labs we used Kali to write the exploit and a vulnerable program + debugger on the Windows box. These labs took up days one through four. Day five we moved onto some Metasploit labs, and some web application labs.
To end out the week, day four we took the IACRB Certified Penetration Tester (CPT) exam, and day five were took the IACRB Certified Expert Penetration Tester (CEPT) exam. Both of these exams were multiple-choice exams which were done through an unproctored web client, and were under 50 questions. As far as these exams go we were given PDFs to study on day one that would ‘prepare’ us for the exam, I am going to have an entirely separate blog post about this because there is a LOT more I want to say. Once you passed both exams on day five you had officially ended the course.
Now for my own thoughts
If you’re satisfied with knowing the basics of the course feel free to exit now, if not kick your feet up and enjoy my long rant.
So my first problem is the name “Advanced Ethical Hacking” which I have a problem with because I simply don’t think it’s true. Now, many people probably disagree with me but I think there is a line between ‘hacking’ and exploit development. When I think of hacking I think of following the methodology of enumeration->vulnerability exploitation->privilege escalation->root, like a HackTheBox machine or similar. Obviously that is super watered down but that’s the main gist in my head, you scan, you enumerate, you exploit, you escalate. But when I think of exploit development I think of manually writing extremely specific code to exploit a critical flaw in an application — I’m talking buffer overflows, smashing stacks, doing things that you aren’t using automated tools really ever. I know that is 100% a personal opinion but I just think there is a difference. And that’s where my problem with this course lies, we spend four out of five days doing nothing but buffer overflows. Then we get a handful of Metasploit and web app labs thrown together in day five on top of taking two hours for the two certification exams. That doesn’t sound like “Advanced Ethical hacking” it sounds much more close to “Junior Exploit Development” — which I think would of been a much more acceptable name.
My next problem is how we were given materials. First off, we never touched that random Shellcoder’s book they mailed us. Keatron said it was ‘supplementary reading’ we could utilize after the course, but I’d rather them just take off $32 from the price and then let me go out on my own to buy it if I feel called. Secondly the separation of Labs and Lecture PDFs annoys me slightly due to my liking of having everything in one spot, but that’s just me. But the absolute worst thing were the labs. These labs were just not good. I have no idea why we were forced to use these web-based virtual machines (that we eventually lose access to) which offered zero copy-paste functionality and constantly caused people problems. Nothing we touched in the Kali nor Windows machines were proprietary, everything can be found and downloaded for free. Why not let people download VirtualBox, a Kali image, and a trial Windows image then go from there? ”Well,” you might think, “it would take time to set all that up and try to walk people through it!” Then please explain why the very last lab on our PDFs was literally a “How to setup your own Kali instance” lab?! It’s literally in our course material, but it’s just a footnote that we never actually did! To cap it off we will end up losing access to these labs, I don’t remember the time frame but I do know it’s there. In my mind this is a huge blunder on students in the long run.
I will say the buffer overflows were decent labs. You did have to walk through each step of identifying and crafting a suitable BoF for a vulnerable application; and since those were the primary labs we did it was at least sufficient in that regard. However, going through the labs I kept feeling like “I’ve seen this before, or at least something very close to it,” until finally I realized that I had in fact seen this same application exploited in an old(er) vulnhub + github walkthrough I did back in January of 2020. It wasn’t the same exact scripts and vulnerability, obviously, but it was practically the same level of instruction. I will list that resource towards the end of my post if you’d like to walkthrough it yourself! Continuing, the Metasploit and web application labs were pretty pitiful. One-to-two pages each with stuff that can be easily learned through doing a few of the medium boxes in HackTheBox, or TryHackMe. Again, much more low level exploit development than anything else.
Now for the certifications…… oh these certifications. The course promises a 93% pass rate for the IACRB CPT and CEPT certifications….. and I agree, you definitely should not fail those two certifications if you take this course, especially if Keatron is your instructor. I mean he basically giv- actually I will just keep that for my IACRB blog post. Look, if you take the course you’ll get the certifications, that’s all I will say for now.
But the worst part of all of this is the website and brochure straight up lies. The website states a few things that were just simply not in the course. First off the website states “Hundreds of exercises in over 30 separate hands-on labs” — I don’t know what this is talking about. I could be remembering wrong but I think there were less than 25 labs, and I SCOFF at ‘hundreds of exercises’. What, do they mean letters in the scripts? Does every click you make count as a exercise? That straight up isn’t true. Secondly it (in bold) says “Nightly capture the flag exercises” and, not joking at all, there isn’t a single CTF exercise involved. We had our labs, and that was it. I don’t know if it is insinuating that the labs we did were ‘CTFs’ or something, but no, we didn’t do anything like that. The only thing Keatron said when I asked him is that some students will choose to do that labs at night. If this is something that is specific to in-person courses and not virtual ones then it should of been listed as such, but I doubt that very much.
And finally, the brochure provided to me by the sales rep, clearly states that the CPT/CEPT certifications are two-part examinations. Part one being a multiple-choice examination and part two being a take-home practical exam. Yea, another complete lie, according to Keatron they (speaking about IACRB) haven’t done that in a while. Although, he did say he would give me the links to the old practical VMs (I guess he was the one who made them) if I wanted to try my hand. However, any request I made for the links following that was followed with a prompt ghosting of any of my messages.
Interesting enough it is still listed on the IACRB website as well… but I digress. I will speak more about IACRB later…
All in All
Basically I don’t think this course is worth $3,300 nor the PTO you’d have to spend on the week to take it. Just use the github resource below, do some medium boxes on HTB, or the offensive pentesting path on TryHackMe and you’ll basically be at the same level knowledge-wise. As far as getting the certifications for you resume goes, I think you’d be much better off grabbing eLearnSecurity’s eJPT certification. I know that, surprisingly, CEPT/CPT pop up on a lot more job postings than you’d think, but if you walk into an interview with only CEPT/CPT level knowledge you’re most likely going to have problems. Again, just my opinion.
Match the Knowledge
I highly recommend checking out ‘do stack buffer overflow good’ by Justin Steven on github: https://github.com/justinsteven/dostackbufferoverflowgood . This is a phenomenal walkthrough on stack-based BoFs which would give someone a really good baseline to understand exactly what is going on. I’d also recommend doing it a few times, if you’re like me it’ll take multiple run throughs before all of the scripts make full sense.
Here is the link to HTB: https://www.hackthebox.eu/ . and to THM: https://tryhackme.com/
Finally, here is the link to INE’s website; you can sign up for the Starter Pass which gives you full FREE access to the eJPT training material. You still have to pay like $400 (I Think) for the exam voucher, but it’s well worth it in my opinion. https://ine.com/pages/cybersecurity#trynow
Thanks for reading, and best of luck!
