Baptist0ne: Learning is the most important thing.
It doesn't matter how quickly you gain your knowledge as long as you make the most out of the lab time and course materials. If you feel that you are not ready to hack the lab boxes yet then you are taking the right approach in training at home first, imho. Feel free to come ping me on IRC if you need help understanding something.
My experience so far - almost 30 days in - has been quite productive and fun. Given my previous background in web development and network administration and having been a pentester for almost 2 years, I was already familiar with most of the concepts described in the course and yet I can't describe how much I have learned in so little time.
In my opinion, the course materials are very good and the labs are just priceless. I feel that this is what has taught me the most. Some real thought and effort have been put into setting up the labs with so many different systems and configurations for us to experiment with. IRC has also proven to be an invaluable resource as many other students are willing to exchange ideas - without spoiling the challenges. The admins have always been helpful too.
So far, I have rooted about half of the boxes in the lab and have tried to document everything as much as possible as I go along (using keepnote). I've also started writing the final report as otherwise it would just be too painful to do it all at once in the end. Another rule I try to follow is to avoid using metasploit as much as possible - not only because of potential limitations during the exam but also because I find that I gain a much better understanding of how an exploit works by doing it the 'manual' way.
In case this is helpful to other people, here is the generic process that has been working for me:

Info gathering and service enumeration
Portscan, identify OS, identify versions of every service, run common tools on common services (snmpcheck, enum4linux, nikto, dirbuster, nmap scripts, etc.), read about services you don't know, visit the web page (if any) and enumerate the server/CMS/technologies used, try default passwords, etc.

Vulnerability analysis
Based on what was found earlier, check for exploits/vulnerabilities for the service versions you found previously (using google, exploit-db/searchsploit, metasploit), check for web attacks (SQL injection, LFI/RFI, XSS, etc.). Define the possible attack vectors and decide on which one is best but keep your options open: don't get tunnel vision trying one vector for hours and failing only to find that if you had spent 5 min just trying another route you would have already been in. Knowing what all of your options are at all times is important for that very reason.

Exploitation
The fun part! If the previous phases went well, there should be enough to work with here. In case it's an exploit: download it, understand it, modify it if necessary, compile it if necessary and run. If the exploit doesn't work, try a different one. If it's a web attack it should be obvious how to proceed as long as you know how all of them work. At this point - if we got this far - we should have some sort of shell on the target.

Privilege escalation
Some remote exploits will give you a root/SYSTEM shell but that's not always the case. Escalating privileges can be very easy or very tricky. I found that the more I do it, the better I become at it. There are lots of blogs and resources out there with privilege escalation cheatsheets/scripts => use them! Go back to phase 1 and enumerate everything you can about the target now that you have access to more things. If using local privilege escalation exploits, again understand, modify, upload to the target, compile, and try them ALL (the ones that affect that system, of course) until one of them works. Some need to be tried more than once. Still not root? Check for weak files/permissions/configurations/etc. that you can use to your advantage. Still not root? Think outside of the box! Be creative. Generally, I find this the most painful, frustrating but also the most rewarding phase.

Post exploitation
Once you have pwned a box, get as much information as you can out of it. Not only because it could help you later but also because it's fun to understand how things are linked together.

Post mortem
What did we learn? Keep notes of found usernames/passwords. Make notes of what local exploits work and keep them handy for the next time you encounter a similar system. Keep notes, add stuff to the report.
Obviously, more things can happen during each phase and most systems are different but this is the general gist of what works for me. Also, I didn't want to spoil it for anyone by including too many tips.
- Go through the lab guide before you start. It will help.
- Enumerate as much as possible. That is key.
My plan is to keep using this strategy and hopefully all the boxes will - eventually - fall.
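The "info gathering and service enumeration" and "vulnerability analysis" phases above boil down to: for every open port, run the usual tool for that service and look the version up, and keep the whole list in front of you so no single vector eats the clock. The script below is an added example (not the poster's code, not course material) that turns nmap grepable output (-oG) into exactly that checklist. The nmap output is a constructed sample, and the service-to-tool mapping in tools_for is an assumption for the example; swap in your own kit.

```shell
#!/bin/sh
# Added example, not code from the post: turn nmap grepable output (-oG)
# into a per-service enumeration checklist so that every open port gets its
# "common tool" and a searchsploit query, not just the first interesting one.

# Constructed sample of nmap -oG output for one host (not a real scan result).
# nmap replaces "/" inside version strings with "|" in -oG output, so "/" is
# a safe field separator for the Ports section.
make_sample_gnmap() {
  {
    printf '# Nmap scan (constructed sample for this example)\n'
    printf 'Host: 10.11.1.5 ()\tStatus: Up\n'
    printf 'Host: 10.11.1.5 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.3.4/, 22/open/tcp//ssh//OpenSSH 5.3p1 Debian 3ubuntu7 (protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.2.15 ((CentOS))/, 139/open/tcp//netbios-ssn//Samba smbd 3.X - 4.X/, 445/open/tcp//netbios-ssn//Samba smbd 3.0.20-Debian/, 3306/filtered/tcp//mysql///\tIgnored State: closed (994)\n'
  } > "$1"
}

# Which of the "common tools on common services" to run per nmap service name.
# This mapping is an assumption made for the example; extend it with your kit.
tools_for() {
  case "$1" in
    ftp)                      echo "nmap --script ftp-anon ; try anonymous and default logins" ;;
    ssh)                      echo "note the banner version ; try default/reused creds" ;;
    http|https|http-proxy)    echo "nikto -h ; dirbuster ; identify server/CMS/technologies" ;;
    netbios-ssn|microsoft-ds) echo "enum4linux -a ; smbclient -L ; nmap --script smb-*" ;;
    snmp)                     echo "snmpcheck ; snmpwalk -c public" ;;
    *)                        echo "nmap -sV -sC on this port ; read about the service" ;;
  esac
}

# Print one checklist line per OPEN port: host, port/proto, service,
# version banner, the tools to run, and a searchsploit query built from the
# banner (trim it to product + version by hand if it is too specific).
enum_checklist() {
  TAB=$(printf '\t')
  awk -F'\t' '/^Host:/ && /Ports:/ {
      split($1, h, " "); host = h[2]
      sub(/^Ports: /, "", $2)
      n = split($2, p, ", ")
      for (i = 1; i <= n; i++) {
        split(p[i], f, "/")
        if (f[2] != "open") continue        # filtered/closed ports are noise here
        printf "%s %s/%s %s\t%s\n", host, f[1], f[3], f[5], f[7]
      }
  }' "$1" | while IFS="$TAB" read -r head version; do
      svc=${head##* }
      echo "$head [$version] -> $(tools_for "$svc") ; searchsploit \"${version:-$svc}\""
  done
}

# Stand-alone usage: build the sample file and print the checklist.
sample=$(mktemp)
make_sample_gnmap "$sample"
enum_checklist "$sample"
rm -f "$sample"
```

Point it at the .gnmap from your own scan instead of the sample and paste the output straight into your notes; a line per open port is the "know all your options" list the post is talking about, and ticking them off is what stops the tunnel vision.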
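For the "still not root? check for weak files/permissions/configurations" step of privilege escalation, here is a second added example (again not the poster's code): a handful of the checks a privesc cheatsheet script runs, written so each one takes a root directory. That way the same functions run against / on the target and against a scratch tree where you can confirm they flag what you expect. The file layout used for testing is constructed; the checks themselves are plain find/test calls.

```shell
#!/bin/sh
# Added example (not from the post): the "check for weak files/permissions"
# part of privilege escalation as a few re-runnable checks. Each takes a root
# directory so the same functions work against / on a target and against a
# scratch tree when you want to confirm they actually flag what you expect.

# SUID/SGID executables: the first list to compare against your notes on
# which binaries can be abused when they run with someone else's privileges.
find_suid_sgid() {
  find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# World-writable regular files (symlinks excluded): a writable script that
# root runs, or a writable config, is usually a direct path to root.
find_world_writable() {
  find "$1" -xdev -type f -perm -002 2>/dev/null | sort
}

# Cron material anyone can write to. -perm -002 is POSIX; on GNU find,
# -writable also catches group-writable files your user can touch.
find_writable_cron() {
  find "$1/etc" -xdev -type f \( -path '*cron*' -o -path '*anacron*' \) -perm -002 2>/dev/null | sort
}

# /etc/passwd writable or /etc/shadow readable by the current user; either
# one ends the privesc phase on its own.
check_passwd_shadow() {
  [ -w "$1/etc/passwd" ] && echo "WRITABLE: $1/etc/passwd"
  [ -r "$1/etc/shadow" ] && echo "READABLE: $1/etc/shadow"
  return 0
}

# Run every check with a heading. Usage: privesc_report /   (or a scratch dir)
privesc_report() {
  root=${1:-/}
  for check in find_suid_sgid find_world_writable find_writable_cron check_passwd_shadow; do
    echo "== $check $root"
    "$check" "$root"
  done
}

# Stand-alone usage: sh privesc.sh /   (no argument: just define the functions)
if [ $# -gt 0 ]; then
  privesc_report "$1"
fi
```

Paste it onto the target and run it against /; anything it prints goes into the keepnote page for that box, next to which local exploits did or did not work, which is the "post mortem" habit described above.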