APMG Linux Proctoring - Certified In The Art of Hacking Exam
As I mentioned in a previous blog post, I was unsure how I was going to complete a security exam due to ProctorU not supporting Linux.
I'm delighted to say that the examiners - APMG - were understanding about my plight. They were aware of ProctorU's limitations and had a workaround.
They had me install Beyond Trust's "bomgar" Linux client - which is a simple Remote Desktop app. It was preconfigured with my invigilator's details and they were able to remotely see my screen and control my keyboard & mouse. The app didn't run as root, thankfully! Once I closed the app, it automatically deleted itself - and I couldn't find any trace of it. As it happens, I'm paranoid so I had made a separate user account on a freshly installed Linux partition, which was wiped immediately afterwards.
The Remote Desktop didn't have access to my webcam, so we jumped on a Microsoft Teams call in the browser. There the invigilator (a nice guy called Dave) had me point my webcam around my room to make sure I didn't have any notes visible, or a person crouching behind my desk feeding me answers. Dave then spent an hour watching me pick my nose and scrunch up my face as I tried to remember arcane security trivia. He also got to listen to me mutter to myself. Fun! The invigilator was also there in case I had any technical problems with the exam. But, luckily, it all went well.
Sadly, the exam wasn't keyboard accessible. The buttons for marking your multiple choice answers couldn't be selected by the keyboard. And, annoyingly, they are presented horizontally while the questions are vertical.
(Taken from their practice papers)
Quite why that couldn't be a normal radio button next to each answer, I don't know!
The testing platform was a little slow - which made going back over my answers a little annoying.
All that notwithstanding, I passed!
70 questions, 35 correct needed for a pass. So I was delighted with a score of 80%.
I reckon it was just about possible to pass the exam using only the slides. But there were questions on there about, say, FREAK and POODLE. They were mentioned in the lectures - but not in enough detail to successfully answer the questions.
Similarly, some of the questions were very much "it depends". Here's one taken from my memory:
How would you find hidden directories in a web app?
- Look at `robots.txt`
- Examine the source code
- Use a web spider
- Run a brute force scan
In the class, we learned DirBuster, which is a brute-force tool. So I put that. But I also think it is totally legitimate to use robots.txt; it's a great source for finding directories that the owner doesn't want you scurrying around in. Similarly, commented-out bits in source code are a valuable source of intelligence. A spider will show you all the directories which are publicly linked to.
I've no idea if "Brute Force" is the correct answer. And that's kinda the limitation of multiple-choice exams. If the question had been "describe the advantages and disadvantages of each of these techniques" then I think that would show the student had understood the material. But, of course, that takes longer to mark and is more expensive to run.
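Since the post points out that robots.txt is a great source of directories the owner would rather keep quiet, here is the defender's side of that observation: a small audit that parses a robots.txt and flags Disallow entries advertising paths that should be protected by authentication rather than by a hint file. This is an added example, not code from the post or from APMG; the sample robots.txt is constructed for illustration, and the list of "sensitive" path fragments is an assumption for the example.

```python
"""Audit a robots.txt for Disallow entries that advertise sensitive paths.

Added example, not from the original post. SAMPLE_ROBOTS is a constructed
robots.txt; SENSITIVE_HINTS is an assumption about what an operator would
not want to advertise in a publicly readable file.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample of what a site operator might have published.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /admin/
Disallow: /backup/
Disallow: /cgi-bin/
Allow: /public/

User-agent: Googlebot
Disallow: /old-site/
Disallow: /tmp
"""

# Path fragments suggesting a directory that should be behind authentication
# rather than merely hidden from crawlers (assumption for this example).
SENSITIVE_HINTS = ("admin", "backup", "bak", "old", "tmp", "private", "config", "secret")


def parse_robots(text: str) -> Dict[str, List[str]]:
    """Return a mapping of user-agent -> list of Disallow paths.

    Handles '#' comments, blank lines, and groups where several User-agent
    lines share one block of rules, following the conventional layout.
    """
    rules: Dict[str, List[str]] = {}
    current_agents: List[str] = []
    collecting_agents = True  # True while reading the User-agent lines of a group
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        key, _, value = line.partition(":")
        key = key.strip().lower()
        value = value.strip()
        if key == "user-agent":
            if not collecting_agents:
                current_agents = []  # a rule line ended the previous group
                collecting_agents = True
            current_agents.append(value)
            rules.setdefault(value, [])
        elif key == "disallow":
            collecting_agents = False
            if value:  # an empty Disallow means "allow everything"
                for agent in current_agents:
                    rules[agent].append(value)
        else:
            collecting_agents = False  # Allow, Sitemap, Crawl-delay, etc.
    return rules


def flag_sensitive(rules: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """List (agent, path) pairs whose path contains a sensitive-looking segment."""
    flagged: List[Tuple[str, str]] = []
    for agent, paths in rules.items():
        for path in paths:
            segments = [s for s in re.split(r"[/._-]", path.lower()) if s]
            if any(seg in SENSITIVE_HINTS for seg in segments):
                flagged.append((agent, path))
    return flagged


if __name__ == "__main__":
    for agent, path in flag_sensitive(parse_robots(SAMPLE_ROBOTS)):
        print(f"[{agent}] {path}: advertised in robots.txt; protect it with authentication, not obscurity")
```

Run against a site's own robots.txt, the output is a list of paths that are simultaneously "please don't index this" and "here is where to look"; the fix is to require authentication on those paths (or remove them), since the file itself will be read by anyone who asks for it.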
I don't think I've taken an exam since I was at university the first time around. And, to be quite honest, I've no desire to repeat the experience. It was a stressful time leading up to it and, frankly, a little demeaning to have to go through so much rigmarole to prove I wasn't cheating. And I'm not convinced that multiple-choice questions about pub trivia are the best way to test knowledge.
I have two more training sessions coming up and I'm going to pick ones with a better attitude to testing.
MarkusL said on fosstodon.org:
@Edent Congratulations on passing with flying colours! (And, yes, I'd have been as careful as you, and I'd have used a disposable Linux installation, just as you did. This was a security exam, after all!)