osce-certs

“CTP/OSCE was one of the most challenging and rewarding experiences of my life”

This course review will be discussing my experiences with the Cracking the Perimeter (CTP) course, as well as the Offensive Security Certified Expert (OSCE) exam and certification. This course has been designed by the Offensive Security team, and is instructed by Mati Aharoni (Muts).

The goal of this course is to cover more advanced penetration testing techniques and start to dive deeper into exploit development. If you’d like to learn more about OSCE you can take a look at the course syllabus – Link.

 

Am I ready for OSCE?

osce

To sign up for the course you need to first complete a hacking challenge, this is designed to ensure the student has the required prerequisite skill before trying to climb the mountain that is OSCE.

CTP/OSCE is Offensive Security’s advanced penetration testing and intermediate-level exploit development course.  It is highly recommended that you first tackle their introductory course OSCP, but it isn’t a requirement. Throughout this course review I will commonly compare my OSCE experience to my experience with OSCP. Here is a link to our course review on OSCP if you’d like to learn more about that course and certification.

The following skills are useful if you’re interested in challenging this course:

  • Scripting
  • x86 Assembly and Shellcoding
  • Basic Exploit Development skills – Write a basic buffer overflow
  • Creative Thinking
  • Try Harder Mindset
  • OSCP-level skills

 

Course Format:

“Think of OSCE as the opposite of CISSP”

The course comes with PDFs, videos, and VPN lab access. Compared to OSCP you’ll find the course materials a lot more focused, where OSCP may have been a 1000 feet wide and 100 feet deep, OSCE is now a 1000 feet deep and only a 100 feet wide.

The student is provided VPN access to the network, as well as a virtual machine for testing/research purposed during the allotted lab time.

 

Course Experience:

“Offensive Security will guide you to gaining knowledge, but will not hold your hand to the answer”

When comparing my OSCE experience to OSCP, I felt that I was no longer jumping from machine to machine to move further, but I was jumping around memory on a single system to execute my final stage shellcode. Overall I found I could get through the course content a lot faster compared to OSCP course. I found the course material in OSCE required me to do more independent research when comparing it to OSCP.

Overall you can’t be afraid to work in a debugger with this course, you’ll spend most of your time writing your own script to exploit the vulnerability and single step through the exploitation process with Immunity Debugger. This becomes really enjoyable if you’re someone who enjoys a deeper understanding of the magic behind the scenes when an exploit works and you see your reverse shell connect back to your listener. OSCP introduces the exploit development techniques with basic buffer overflows and is a good starting place. OSCE expands on the exploit development process and introduces more advanced topics like Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP), Egghunter shellcode techniques, and manual shellcoding for restrictive exploit environments.

Instead of heavy documentation for each box I pwned in OSCP, I found myself having to spend more time to fill in gaps of knowledge in order to fully grasp the course content. Offensive Security fully expects this of their students, they guide you through the process of gaining knowledge, but they do not hold your hand. So after starting a particular module if you realize you’re in some very deep water and not grasping everything you will likely need to go out and do a lot of independent research in order to move forward.

The course material at first glance may seen a bit dated to some, but I think the course material is less about the specific examples and more about the techniques they are teaching and the overall process.  I know a lot of the more advanced exploit development bells and whistles are covered in their OSEE course.

 

Exam Experience:

dragon

“A gruelling 48-hour exam challenged me to push beyond my current knowledge and forced me to develop new skills”

The exam is formatted as a 48-hour active penetration test against a simulated network challenging the skills you developed during the course, and even some things not directly covered in the course. This is done by design because they want to ensure you are flexible and can adapt and solve complex problems in unknown situations. I actually found that I learned a tremendous amount just doing the research to solve the exam challenges.

I don’t think I truly slept much in my 48-hour testing experience, I did try but I have an extremely difficult time turning my brain off when I am trying to solve a problem. My mind raced for a while in some situations and I found I was over thinking some of the problems, and had to slow down and walk back through my steps to ensure I didn’t miss something. All in all, the 48-hour exam was a painful experience, but I learned a great deal and had quite a high after emerging victorious.

 

Recommendations:

“You will need to put in the time”

First and foremost, if you’re considering this course, ensure you have the time to dedicate to it. You will need to spend several hours and multiple days per week developing new skills, researching, etc. If you do not have the time to dedicate to this journey, do not try to convince yourself you will be successful.

“You will need to do a lot of independent research”

Be comfortable diving deep into unfamiliar waters. Unless you’re (very) experienced in the exploit development, there will likely be topics covered or skills required that are foreign to you, and you’re going to have to learn things that will seem overwhelming at first glance.

“You will need to write your own exploits and shellcode #POP POP RET”

Be ready to “Try Harder” and teach yourself advanced content like manual shellcoding because this is required to complete the course and exam successfully.

“Do you have enough coffee?”

Seriously, get ready to stock up!

“Offensive Security Training is like a drug, you will get addicted!”

Get ready to be addicted to Offensive Security training and checking back everyday to see if Offensive Security’s Advanced Web Attacks and Exploitation (AWAE) comes online.

 

Conclusion:

“With enough persistence, anything is possible”

OSCE1

One thing I continue to learn when taking Offensive Security training is that with enough persistence and the “Try Harder” mindset anything is possible. This has truly evolved my skills as a penetration tester because I never stop at an automated scanner’s findings.  I am now finding myself writing my own tools mid-assessment to enumerate or interact with vulnerabilities. This type of skill allows me to find issues other testers have missed because it wasn’t in Burp’s or Nessus’s tool output.

After OSCE I now have a passion for writing tools that enumerate and interact with vulnerabilities missed by automated tools.  Every report I write I take a great deal of pride when a custom tool was developed to interact with a vulnerable system.  This way of thinking and skillset was forced to develop during my OSCE course and exam challenge.  Even if you feel the OSCE course content doesn’t directly line up with the type of work you do, the mindset of “Trying Harder” will pour over into any project or assessment you tackle in your day job.

 

Additional Resources:

http://www.fuzzysecurity.com/tutorials.html – Exploit tutorials

https://www.corelan.be/index.php/articles/ – Exploit tutorials

http://www.offensive-security.com/blog/ – Offensive Security blog

http://blog.g0tmi1k.com/ – Security blog

Shellcoding for Windows and Linux – Tutorial

Shellcoder’s Handbook – Book