General updates.

I apologize up front, but this is more of a “what’s been going on from a personal perspective” post, than a “here’s my progress toward OSCP” post.

I did get to spend four days in training at work.  The class covered Python 3, and I did learn a few things.  I’m still not a fan of the formatting, but I’m less disgusted with the language than I was before the class.  It has some features that are nice, and I’ll probably go back through Violent Python and translate it into python3 code, from scratch, this time, instead of trying to go back over what I stumbled through last time I did it.  It’ll be good for me.

I also didn’t make any progress on PentesterLab PRO, this week.  Our bank decided to decline the payment under the “fraud prevention” department.  Normally, we get a call that we can say “this was legit, let it through,” which they did the first month.  This time, they just flat out denied the payment.  Between my wife and I, we spent a good chunk of the day trying to get them to approve the payment.  The process was painful, and even then, the payment got denied a second time when processing tried to go through.  We worked with the good folks at PentesterLab’s site, and they were easy to work with on determining an alternative payment method.  We are very happy with the service, thus far.

When the weekend arrived, my wife and I sat down and scheduled out what all needed to get done.  Household errands won out over any training, this time.  Now that the payment issues are resolved, I’ll likely do some of the exercises during the week, this week, though.

So what did we get done?  We addressed fixing/streamlining some household processes that help a family of 11 people get along.  We also bought some plants to stick in the ground/in containers.  The Chinese Artichokes didn’t make it over the winter, but both containers of Jerusalem Artichokes did.  The container that had the Chinese ‘Chokes will be replanted with a Chocolate Mint, and a sprinkle of Marigold seeds.  We have a Peppermint plant that seems to come back every year, even though the Lemon Balm seems to take over and choke out everything in its path, and it’s right next to the balm.  I’m thinking of taking a snip snip cutting of that, shoving it three quarters into the ground, and seeing if it will root in the same container as the Chocolate Mint.  I’m only considering it, though.  If those two start competing, we’d much rather have the Chocolate Mint than the Peppermint.

We’ve also got two new high bush Blueberry bushes that will be planted this week, if not already done by the time this post goes live.  There is a single Blueberry plant on the corner of the house that has managed to survive the 14+ years we’ve lived here, and while it isn’t thriving, the fact that it keeps coming back is encouraging.

We also picked up some everbearing Strawberries.  These will go in the strawberry planter my wife got as a gift from my parents a couple of years ago.  These are her Mother’s Day gift from the rest of us, this year.  Yes, it’s a week early, but she doesn’t mind.

Later this week, we’ll order some “Raspberry Shortcake ™” Raspberries from an online nursery.  The local shop had some a week or three back, but we didn’t buy them.  I specifically wanted some this week, but they were out, and they don’t know when another shipment might arrive.  I know another distributor that carries these, so we’re planning to purchase a couple of gallon sized orders, and they’ll go in a couple more plastic “whiskey half barrel” planters like the ones the Sunchokes (Jerusalem Artichokes) are in.

This week has been better than last week was, with regards to the depression.  The plant therapy helps.  The hack therapy does, too, and I do intend to get through more of the Essentials Badge at PentesterLab this week.  If they release the rest of the Unix Badge, I’ll also finish it out.

If I get feedback about not liking the plant talk, I’ll try to keep it on the other blog, and bring it back sooner, but I’d rather work with just UnixSecLab for now, and not deal with running two at once.  If nobody complains, I may still drop an update here, every now and then about how the gardening is going.

Thanks for sticking with me, and I’m sorry this post was a bit light on technical stuff.  Next week should be much better.

Updates – OSCP prep (PentesterLab PRO) pt. 4

This was a rough week.  First, I was on call, which is always stressful.  Second, everyone else in the house had a head cold of some sort.  We suspect it was weather related.  I ended up working from home, bouncing back and forth between putting out fires/handling normal requests for work, and checking on the kids and wife/fixing meals/handling household chores to keep us from falling too far behind.  Third, Saturday was the 10 year anniversary of the murder of my little brother.  I’ve been in a dark place this month, and that event was the primary driver for it.

As a progress report, I can say that I managed to get past a few more of the Essentials Badge exercises.  I also completed all of the newest unlocked exercises for the Unix badge.  This brings me to 18/60 Essentials Badge total, and 32/35 Unix Badge total exercises.  I got stuck on another Essentials Badge exercise, caved a little early, sent a support request, then figured it out on my own about five minutes after sending the request in.

The issue was that I wasn’t URL encoding the plus sign with “%2b” since the browser was encoding most everything else for me.  I didn’t realize it also needed encoding.  I’m almost positive I read that it needed to be, but my brain again translated that as “if it needs it, browser will take care of it” and I didn’t check my work.  As soon as I figured it out, I tested with manual encoding, and got the flag for completion.
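Why the raw plus sign failed, as an added example that is not part of the original post: in form-style (application/x-www-form-urlencoded) decoding, a raw + is read as a space, so a literal plus has to travel as %2B. The function names and the sample value a+b are constructed for illustration.

```shell
#!/bin/sh
# Added example: how a form-style decoder treats "+" versus "%2B".
# Sample values are constructed; they are not from the exercise.

# form_encode VALUE: percent-encode everything except unreserved characters,
# so "+" becomes %2B and a space becomes %20.
form_encode() {
    s=$1
    out=
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}          # first character of s
        s=${s#?}                 # rest of s
        case "$c" in
            [A-Za-z0-9._~-]) out=$out$c ;;
            *) out=$out$(printf '%%%02X' "'$c") ;;
        esac
    done
    printf '%s' "$out"
}

# form_decode VALUE: decode the way a form/query-string parser does.
# The raw "+" is turned into a space first, then %XX escapes are decoded.
# Handles single-line parameter values.
form_decode() {
    printf '%s' "$1" | awk '
    function hexval(c) { return index("0123456789abcdef", tolower(c)) - 1 }
    {
        gsub(/\+/, " ")
        out = ""
        while (match($0, /%[0-9A-Fa-f][0-9A-Fa-f]/)) {
            hi = hexval(substr($0, RSTART + 1, 1))
            lo = hexval(substr($0, RSTART + 2, 1))
            out = out substr($0, 1, RSTART - 1) sprintf("%c", 16 * hi + lo)
            $0 = substr($0, RSTART + 3)
        }
        printf "%s", out $0
    }'
}

# survives_raw VALUE: succeeds only if VALUE, sent without any encoding,
# comes out of the decoder unchanged.
survives_raw() {
    [ "$(form_decode "$1")" = "$1" ]
}

value='a+b'                      # constructed sample parameter value
echo "sent raw:     [$(form_decode "$value")]"
echo "sent encoded: [$(form_decode "$(form_encode "$value")")]"
if survives_raw "$value"; then
    echo "raw value is safe to send as typed"
else
    echo "raw value changes in transit; encode it as $(form_encode "$value")"
fi
```
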

I’m not stuck on the next exercise, but it’s a little more involved, and I’m already exhausted from my hell week adventures.  I’ll tackle them more later this coming week.

As a depression management tactic, my wife took me to see Avengers: Infinity War, on Sunday.  It was a real tear jerker, but I was expecting it, and it really did me more good than harm, so it was a good call.  Any kind of date with my wife helps, but I’m really impressed with the Marvel Cinematic Universe movie franchise, thus far, so I was glad for the distraction.

This coming week, I’m supposed to be learning a little Python with some other coworkers.  I have a distaste for the language, due to the structure of the code (it always looks like it wants to just drift off the page, then wakes up and slams back to the left to do it all over again.)  I’ve been forcing myself to try to learn it a little along, however, and this class will give me some structured direction to my learning.  My current tactics have mostly included converting the python2.x code from Violent Python into python3.6 compatible code.  In this way, I learn a little of both 2 and 3, and it forces me to think about the code, not just blindly type what’s in the book and pray that it works.

That’s all I have for this week.  Hopefully, next week will be a better update in general.

Updates – OSCP prep (PentesterLab PRO) pt. 3

When last we left our student, he was stuck on an exercise at PentesterLab PRO.  The exercise was the last AUTHO in the list.  Two weekends straight were rough, and he finally broke down and started speaking of himself in the third person.  Or contacted support to determine whether the exercise itself was broken, or something else was wrong with his understanding.

He… ahem… *I* got a response, and I kicked myself repeatedly after I received it.  I did nothing wrong, other than spell the word wrong.  There’s a distinct difference in how the word for the parameter is spelled in American English vs. European English.  In America, we spell it with a “z” before the “ation.”  The exercise uses the European spelling, and while my brain read it fine, when I went to type in the parameter into either mitmproxy or Burp Suite, I Americanized it, every… single… time.

My boss has a habit of copy/pasting most everything.  His keyboard skills for highlighting the bits he wants to select, copying, then moving to the line he wants to modify, and pasting in things like Google Mail, and Docs are beyond me.  I have to move my hand to the mouse, and that bothers me.  I also type somewhere between 70 and 90 WPM on a good day, so I often just type instead.

I should listen to my boss more often.  I should learn some of these keyboard tricks.  I probably won’t, but I should.

I was so frustrated with myself over this that I didn’t touch the labs again until Sunday.  I did one exercise to force myself to progress, and I’ll probably work on it more during the week, this week, but for now I only progressed by five exercises.  The last AUTHO and the first four CODEXEC (code execution) exercises were all I managed, this week.

I did let myself get distracted by some of my non-tech hobbies, though.  I put a couple of plants in the ground, purchased my copy of “The Great American Farm Tour” (GAFT) from Abundant Permaculture, and watched some videos from the purchase.

My focus this year is still UnixSecLab, and getting my OSCP is a huge part of that.  I’m still not completely abandoning Jack of all Hobbies, though, and I’m getting ideas for next year so I can ramp up operations for it.  Until then, all posts will be here, and the other will just lie dormant.

Next week, I should have much more progress to report.  Thanks for sticking with me through my journey.

Updates – OSCP prep (PentesterLab PRO) pt. 2

Last week, I got kind of stuck on one of the Essentials Badge exercises, and I’m trying really hard to just do these in the order presented.  I wasn’t able to work on this any during the week.  Friday, I had a serious sinus flare up that kept me home from work, but later that evening and during the weekend, I started on a different badge as a “feel good, lots of progress” kind of thing.  I did all 27 of the available Unix Badge exercises.  There are 35 total, but only 27 are unlocked, at this time.

My goal for the rest of the week is to work on the Essentials Badge some more, one exercise or two at a time (per day.)

The rest of the weekend was kind of procrastination, because I focused on getting some progress in my favorite online game: Guild Wars 2.  I did this, because sometimes you just need a break, and have some fun.  I’ll keep working on getting my griffon mount, but I’m not allowed to touch the game each day until I’ve either completed an exercise in PentesterLab, or I’ve worked a full two hours without progress.  If I can’t get the exercise in two hours, I don’t need to be stressing myself out over it.

The goal at this point is to get through the Essentials Badge over the next couple of weeks, then take a look at the White Badge.

So far, these exercises have been pretty straight forward, until they aren’t.  I’m not sure if the last AUTHO_06 exercise I got stuck on is due to a failure to understand the requirement on my part, or due to a bug in the system.  I believe I understand what is wanted, but nothing I tried last week was working, so I can’t really say.  I’m considering going back through the entire AUTHO_# set using the same username every time, in case the later ones play on earlier ones, and I may have gotten my stuff out of sync, somehow.

Updates – OSCP prep (PentesterLab PRO)

We had some birthday related festivities in the house most of the weekend, but I did work on the PentesterLab PRO progression this week(end.)

There are 60 progression levels in the Essentials Badge grouping.  It started off overly simple, went straight to hair pulling, then got overly simple again for a few more, then I hit the AUTHO_05 level, which is a mass assignment vulnerability issue.  Note that AUTHO_04 is, as well, and it wasn’t terrible.  The AUTHO_05 level is AUTHO_04 “fixed” so you have to find another way to get to the goal.

I spent several hours banging my head against the wall on this.  I shut down my kali vm, walked away for a bit, ate some dinner, and came back to it.  I finally got past it by changing my “true” to a “1” in the key/value pair I was injecting via the proxy.  Seriously?  Seriously.

AUTHO_06?  Yeah, it’s just as bad.  Still trying to figure out what magic combination of key(name) and value(name) to use for it.  The “hint” says one thing, but nothing I try around that is working, so it’s probably either a big mess, or something really simple I’m missing.

My lack of experience with Burp Suite and mitmproxy may be my biggest problem, but I actually had some decent success with both tools for most of the exercises, thus far.  I was planning to use OWASP ZAP as part of my progression, but I changed my mind.  Burp and ZAP are the two biggest players in the attack proxy space, but mitmproxy is command line based, and thus has a smaller memory footprint.  The only exercise I wasn’t able to use it on, yet, was one where when I modified the POST to be sent, I never got the full page response back, and that’s more due to a lack of familiarity with the tool than anything.  I’m going to try to learn what other flags and/or settings I might need in order to make those work, and when I’m comfortable with it, I’ll do a write-up here on how to use it in comparison to Burp (which I’m also having to learn as I go.)

One of the exercises led me to two other CLI tools to stick in my back pocket.  The “hash-identifier” tool helps narrow down what kind of hash a string of characters might be.  The “findmyhash” command helped search a massive number of online rainbow table style sites to check what the keyword to the hash was.  What was messing me up the most on this was I guessed it to be a certain kind of hash, but when I passed the suspect key (the name of the user) to that hash using the echo command to print the word being hashed piped to the openssl <hash> command, the value I got back didn’t match what I was comparing it to.  My problem was using “echo” instead of “printf” since echo tacks on a carriage return and/or new line, and that messes up the hash.  Once I figured this out, I was able to progress to the next exercise quickly.
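The echo versus printf difference described above, as an added example that is not part of the original post: it hashes a candidate word both ways and reports which form matches a target hash. The word "admin", its MD5, the function names, and the use of the coreutils md5sum/sha1sum/sha256sum tools in place of the openssl command are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: compare a candidate word against a known hash, with and
# without the trailing newline that echo appends.
# Constructed sample: "admin" and its MD5; neither comes from the exercise.

# digest ALGO: hash stdin with the coreutils tool for ALGO, print hex only.
digest() {
    case "$1" in
        md5)    md5sum ;;
        sha1)   sha1sum ;;
        sha256) sha256sum ;;
    esac | cut -d' ' -f1
}

# hash_exact ALGO WORD: hash exactly the bytes of WORD (printf adds nothing).
hash_exact() { printf '%s' "$2" | digest "$1"; }

# hash_with_newline ALGO WORD: hash WORD plus "\n", which is what
# `echo WORD | <hash command>` feeds to the hashing command.
hash_with_newline() { printf '%s\n' "$2" | digest "$1"; }

# identify TARGET WORD: try each algorithm both ways and report the match.
# Prints "ALGO exact" or "ALGO newline"; returns 1 if nothing matches.
identify() {
    target=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    for algo in md5 sha1 sha256; do
        if [ "$(hash_exact "$algo" "$2")" = "$target" ]; then
            echo "$algo exact"
            return 0
        fi
        if [ "$(hash_with_newline "$algo" "$2")" = "$target" ]; then
            echo "$algo newline"
            return 0
        fi
    done
    return 1
}

SAMPLE_MD5=21232f297a57a5a743894a0e4a801fc3   # MD5 of the 5 bytes "admin"

echo "printf form: $(hash_exact md5 admin)"
echo "echo form:   $(hash_with_newline md5 admin)"
identify "$SAMPLE_MD5" admin                   # prints: md5 exact
```

A result of "newline" means the stored hash itself was produced from the word plus a line feed, which is worth knowing before ruling an algorithm out.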

All in all, web app testing is one of my weaknesses, and these exercises have been very helpful, thus far.  I recommend PentesterLab PRO for brushing up on these kinds of attacks, since they cover a wide array of attack types without giving you too much detail so you are forced to research and learn, much as I suspect the PWK/OSCP will be.

A quick note about all of the commands I’ve mentioned in this post.  They are all installed by default in the full Kali VM OVA build.  I didn’t have to apt-get install any of them.

Updates – OSCP Prep and New Book

Last Monday, I posted about my plan for preparing for and eventually taking and passing the OSCP (Offensive-Security Certified Professional.)

My prep work for the week has included:

  • Finishing my Cornell Style notes on the eLearnSecurity Reports and Methodology information.
  • Signing up for PentesterLab PRO.
  • Passing the “Introduction” badge on PentesterLab PRO.
  • Installing 4 of the 5 lab machines as described in Tony Robinson’s “Building Virtual Machine Labs” book.
    • The only lab machine left is the Metasploitable machine, which I intend to work on this week.
  • Installed Kali VM on my main gaming laptop for doing further PentesterLab PRO exercises.

Sunday (April 1) Michael W. Lucas announced his “#mwlSecretbook” title.  He’s been working on this book for months, but kept the title secret, until now.  This is the 13th book in the “Mastery” series, and as a Print Sponsor (and Print Patreon Patron,) I got a copy of the PDF bright and early in my email.  I took the morning to read the book.

The title?  “Ed Mastery.”  That’s right… this book is all about using the “ed” line editor for Unix systems.  I think this was an excellent book to release, for multiple reasons.

  1. There are already excellent books on the “sed” and “awk” commands that give brief explanations, one-liners, and so on, available on the market.
  2. The “ed” editor is one of the least utilized editors, yet it is almost guaranteed to exist on any Unix system you may find yourself on.  The “ed” command is part of the POSIX definitions, after all.  Some newer Linux distributions are beginning to leave this out, but I blame the stupidity that is “systemd” for swaying this kind of thinking.
  3. The simplicity of the command is staggering, and after you’ve used it for a few days, it seems second nature.  It’s worth at least practicing this command to have it in your back pocket.
  4. It works, even when your TERM settings get jacked up.  It works when you’re in a single user session that only mounted “/” because of corrupted filesystem issues, and you need to modify configuration files but don’t have access to “vi” since that usually lives in “/usr” (and isn’t statically compiled.)  It just works.  Period.

At a previous place of employment, we had to fix some boot issues every now and then.  Doing this required booting into single user mode (root) where the filesystem only mounted “/” at first.  Sometimes, we could mount “/usr” manually, then use vi to modify our files.  The problem was that “vi” wasn’t statically compiled, and thus lived in “/usr” instead of “/bin” where the statically compiled programs were stashed.  I always wondered what would happen if “/usr” crapped itself, and thought it would be best to learn “ed” as an alternative.

I first learned ed by forcing myself to use it instead of any other text editor for a whole week.  The first couple of days were a little painful, but after that, it became pretty comfortable.

I haven’t been forced to use it, but I’ve always been happy to have it in my back pocket.  I have used it (and vi) to demonstrate poorly configured SUDO policy in the past.

After spending my morning reading the PDF version of this book, I’ve decided I need to brush up on it.  It’s been a few years since I forced myself to learn it, and this book does include some tricks I never figured out on my own back then.  If you’re in the Unix space: User, SysAdmin, or Pentester; get this book.

Plans for this coming week:

  • Finish building the Tony Robinson style lab.
  • Continue working on the Essentials Badge on PentesterLab PRO.
  • Continue improving my workflow and documentation methodology.
  • Begin using “ed” regularly, again.

Journey to OSCP – The Plan

I’ve mentioned it a few times before today, but I plan to take the Penetration Testing with Kali course, and Offensive-Security Certified Professional exam this year.  I’ve been spastic about preparations up to this point.

Thus far, I’ve read a few blog posts about others’ journeys to OSCP.  I’ve gone back to my eLearnSecurity Professional Penetration Tester course materials.  I’ve watched some amazing YouTube channels that cover some walk-throughs of Vuln Hub and Hack The Box machines.  I’ve pulled some books already in my collection, and added a few more that should help in my own journey.

I’ve laid out a generic (no dates) plan for how to prepare for the end goal.

Some of the steps require going back to previous steps for review and revision so I can hone my methodology.  The reporting pieces will be closer to eLearnSecurity’s style than the more brief PWK style, most likely, but I’ll probably present something closer to PWK style for the actual OSCP, since that’s what they are looking for.  The PWK style will be a portion of the eLS style in the end, so it’s just a subset, not a replacement.

The general flow of preparation looks like this:

  • Take Cornell Style notes on the Methodology and Reporting documents provided by eLS.  DONE
    • Create initial “Methodology” work flow guide for myself.
    • Create initial templates and scripts to create the templates during work flow for “Reports” eLS style for myself.
  • Take Cornell Style notes on the appropriate chapters from Building Virtual Machine Labs by Tony Robinson
    • Build a lab by the guide above.  I started to do this already using ProxMox, but the ProxMox installation had issues, and I abandoned that, rather than spending precious time trying to “just make it work.”  I have a ProxMox desktop lab, already, but it’s too small for the machines listed in the guide, and I don’t want to mix that lab with this one.
  • Take Cornell Style notes on each of IppSec‘s walk-through videos
    • Use these notes to revise and hone my own Methodology work flow guide.
  • Sign up for PentesterLab PRO.
    • Work through at least the White and Yellow badges.
    • Work through the “bootcamp” page suggestions.
    • Go back and review eLS course material where relevant.
  • Work through Tulpa’s preparation guide.
  • Finish reviewing eLS course material after all of above, if not already complete.
  • Subscribe to Hack The Box.
    • Work through retired machines, then review my results/techniques/methodology and compare with online walk-throughs of these machines.
    • Work on non-retired machines.
  • ONGOING – Lunch twice a week at work, work on a downloaded VM from Vuln Hub.
  • Order PWK and schedule OSCP exam.

Yes, that is a lot to do before the last bit (actually ordering/working the course and taking the exam.)  Yes, I will do all of that THIS YEAR.

I will update “where I’m at” posts on this blog as I work through my process.  This way, you all can follow along.  The PWK/OSCP is too important to me to just jump feet first into.  I have limited time due to the size of my family (9 kids,) full time job (with hour commute to, and hour commute from work each day,) and the occasional week of on call.  I want to brush up and hone my methodology before I jump.  I believe this will make the experience more fulfilling.

Here’s to a time-packed and challenging year ahead.

Pi-Top Kali – Getting Kali Installed

Over the last few weeks, I’ve gone through the process of installing Kali onto its own microSD card for use on the pi-top.  I started with the latest 2017 image, but recently the first 2018 image became available, so I did the procedure again.  This document will cover the latest image.

First, I downloaded the image from the site onto my Linux Mint laptop.  Next, I verified the checksum.

sha256sum ./kali-linux-2018.1-rpi3-nexmon.img.xz
1ce9fb1ab69c709046b3ddddfeff6481b484f19e8b2b61725cebfb6361953c08  ./kali-linux-2018.1-rpi3-nexmon.img.xz

This matched the checksum on the site.  After verification, I unpacked the xz archive with unxz.  This created the kali-linux-2018.1-rpi3-nexmon.img image file for installation.

unxz kali-linux-2018.1-rpi3-nexmon.img.xz

Next, I put a new 32G microSD card in to receive the image.  I checked dmesg output to verify that the card was recognized successfully.

[11115.585761] mmc0: new ultra high speed SDR50 SDHC card at address 0001
[11115.603234] mmcblk0: mmc0:0001 00000 29.8 GiB
[11115.606945]  mmcblk0: p1

In order to install, I unmounted the auto-mounted card and used dd to transfer a copy of the image to the card.

sudo dd if=./kali-linux-2018.1-rpi3-nexmon.img of=/dev/mmcblk0 bs=512k
14000+0 records in
14000+0 records out
7340032000 bytes (7.3 GB, 6.8 GiB) copied, 388.375 s, 18.9 MB/s

I ejected and re-inserted the card to verify it is seen correctly.  Both partitions were picked up, and I unmounted these for the next step.  Because the image is much smaller than the size of the card, I needed to resize the linux partition to take advantage of the extra space.  I used GParted for this.

GParted has an issue with the e2fsck not being up to date enough.  I had to install the following two packages manually, before growing the EXT4 mount point:

sudo apt-get install ./e2fsprogs_1.43.8-1ubuntu1_amd64.deb ./e2fslibs_1.43.8-1ubuntu1_amd64.deb

Once GParted was working correctly, I used it to resize the linux partition.

sudo gparted /dev/mmcblk0

I selected the EXT4 mount, chose “move/resize,” and resized it to take up all of the unallocated space.  I then applied the change, and closed the program.

I swapped microSD cards to put Kali into the pi-top and remove polarisOS.  Booting the machine worked fine on first try, so the image appears to be installed okay.

I had a few housekeeping tasks to take care of.

My first housekeeping task was to create a new password for the root user.  Second was to regenerate host keys.  Most pre-built images should go through these two basic steps, since they ship with pre-generated widely known shared keys and passwords.

To regenerate the host keys, I ran:

root@kali:~# rm /etc/ssh/ssh_host_*
root@kali:~# dpkg-reconfigure openssh-server
root@kali:~# service ssh restart

I was surprised to find that the newest version of kali actually didn’t ship with pre-installed ssh host keys.  When I ran the rm command, it failed with file not found, and a file listing of /etc/ssh confirmed there were none to remove.  I only needed the dpkg-reconfigure and service restart.

My next steps included updating the system, since Kali-Rolling updates very frequently.  In order to do this, I put the machine on the network, then ran the following:

ntpdate 0.us.pool.ntp.org
apt-get update
apt-get upgrade

The reason for the ntpdate first is that the machine doesn’t come with a configured NTP service, and the clock on the Pi puts the machine several months behind the real world.  It thought it was December 14 rather than current date.  The other two commands updated the APT cache, and then updated the system to latest.

My final task was to go through the process of updating the repository lists to be able to install the “pt-*” packages from polarisOS, but I ran into a dependency error on one of the packages, which prevented that from working properly.  I’ll continue to troubleshoot this issue before I go into the deep details of setting it up, but the error I ran into was that the python3-pt-idletime package was dependent upon python3 (< 3.6) where 3.6.4 is the current version in Kali.

Pi-Top Kali – First Boot PolarisOS

Last week we talked about the kit, how it went together, and the fact that the first boot was to the pi-top polarisOS microSD card included with the kit.  Today, I’ll go over a quick rambling of notes on how the second “First Boot” (after it charged) went, and what I poked around looking for in this OS.  This post will not include screenshots, but I may try to get a few and do a follow up later in the week that is screenshot heavy.

It is a graphical boot that brings up a LightDM Panel (auto log-in.)  This initial Panel is the “pi-topDASHBOARD” and contains the following three sections:

  • Learn. Play. Create (includes "pi-topCODER" launch and "CEEDuniverse" play buttons)
  • Quick Launch (includes application icons for common/popular applications.)
  • Notes (a notepad that can be typed into.)

Along the top of the Panel is a status bar that includes indicators for whether the network is working, battery status, date/time, and a selector for Settings.

Selecting any app from the Quick Launch (or pressing the “Panel” keyboard button) will make this initial panel go away, and present the typical X11 style desktop.

Pressing the “Panel” keyboard button will bring the panel view back.

Since the Battery Status only shows on the Panel bar, this is a good thing to have.

From the typical X11 style desktop view, there are a few apps pinned to the bottom task bar.

  • Chromium
  • File Manager (PCManFM)
  • LXTerminal
  • CEED Universe
  • 3D Slash
  • Mathematica
  • Wolfram

The far right of the status bar includes status icons for the network, volume, and time, as well as an “eject” icon for external media, and a “panel” icon that can be clicked instead of hitting the Panel button on the keyboard.

The primary menu icon is in the lower left corner and the menu includes categories for:

Out of the packages listed above, htop is a “top” replacement that has some enhanced features, CEED Universe is part of the pi-top “CEED” learning software, with online games and such, and the rest are pretty self explanatory (integrated development environments, programming languages, some games, web and email, and an office suite.)

The items of greatest interest to me from poking around with the intent of setting up Kali as the primary OS for this machine are the hardware related packages.  I want a battery status indicator, as well as power/terminal launch/panel control buttons to function from the keyboard.  In order to take advantage of these things, I took a look at the software repository settings, and found this:

/etc/apt/sources.list:

deb http://mirrordirector.raspbian.org/raspbian/ jessie main contrib non-free rpi
# Uncomment line below then 'apt-get update' to enable 'apt-get source'
#deb-src http://archive.raspbian.org/raspbian/ jessie main contrib non-free rpi

/etc/apt/sources.list.d/pi-top.list:

deb http://apt.pi-top.com/raspbian/ jessie main

/etc/apt/sources.list.d/raspbian.list:

deb http://archive.raspberrypi.org/debian/ jessie main ui
# Uncomment line below then 'apt-get update' to enable 'apt-get source'
#deb-src http://archive.raspberrypi.org/debian/ jessie main ui

All of the packages specifically for the pi-top hardware include a “pt-” prefix.  Using a mix of dpkg -S, dpkg -L, and apt-cache showpkg I was able to confirm that the pt-* packages are located at the raspbian repositories jessie main.  This should make it easy to install them for Kali to take advantage of the special keyboard keys, and maybe get a battery status indicator.

Pi-Top Kali – The Kit

Last week was all about the order and tracking.  Today will cover the unboxing, how the kit goes together, and some potential “gotchas” to watch for while putting your own kit together, if you’re following along.

The large shipping box contained two boxes.  The larger box had the shell/kit, and the smaller box held the Raspberry Pi 3.

Pi-Top Case

I opened the larger box first, and verified that the contents were okay.  Inside were the shell, a box containing the charging cable + plug adapters, some booklets on the pi-top itself as well as the inventor’s kit, and of course, a box containing the components to the inventor’s kit that came with the purchase.  I don’t plan to do anything with the inventor’s kit for a while, so I left that alone.

The first step in putting the kit together was to slide the keyboard panel down, then remove the screw holding the heat sink/GPIO bridge in place.

GPIO bridge + heat sink

After that piece was removed, four screws were removed to take out the plastic card “stand in” for the Raspberry Pi 3.  This card has a little cushion on one side that helped protect the heat sink/GPIO bridge during shipping.  Once those were removed, I slid the hub to the right along its rail.

The next step was to unbox the Raspberry Pi 3 so that it could be installed.  What I did not do at first, but I recommend be done if you intend to use it at all, is to install the microSD card that came with a pre-installed pi-top polarisOS image.  Not installing the card before installing the Pi isn’t a deal breaker, but if you’re not going to swap cards, it’s less of a pain to do it now, rather than later.  If you do intend to swap cards, or you forget to install it before installing the Pi into the case, the little tool they include includes a groove for pulling/guiding the card into and out of the Pi.

To install the Pi, I had to line up the two USB prongs inside the case with the left most set of USB sockets on the Pi, then gently push up (toward the back of the case) to seat the board.  The next step was to put the screws back in to hold the Pi in place.  The holes in the Pi didn’t quite line up right with the holes for the screws, so a little effort may be needed in getting the Pi seated properly while installing these screws.

USB bridge
Pi Seated onto USB bridge

Once the screws were in place, I had to carefully slide the hub such that the audio plug and the HDMI plug slid into their respective sockets on the Pi.

Finally, I lined the heat sink/GPIO bridge up with the GPIO pins on the Pi, and carefully seated it until the pins on the other side seated into the smaller groove on the hub.  Once it was snugly in place, I installed the last (longest) screw to keep it seated.

Pi Installed

With all of the components in play, and the microSD card installed, the last step was to slide the keyboard back into place and turn the machine on.  My first boot was to the pi-top polarisOS they included with the device, so that I could check that everything worked okay with their included software.

I noted that the battery indicator within polarisOS showed a 33% battery status, so I shut it back down and plugged it in.  It took a few hours to charge to full.  While charging the indicator light next to the USB ports on the back flashes.  When it is finished, it turns solid green.

Next week will cover the first boot, general poking around, and discovery of tools within polarisOS.