Offensive Security CTP course / OSCE certification review

Hi guys,

I’d like to tell you a bit about my personal experience about taking (and passing! :-)) the Offensive Security “Cracking The Perimeter” (CTP) course / Offensive Security Certified Expert (OSCE) certification.

Since there are already a gazillion of “what’s inside” descriptions for CTP out there, I won’t repeat that here. You basically learn a bit more advanced ideas for vulnerability identification and exploitation.

OSCP vs. OSCE

So, let’s start first with comparing CTP with PWK (or OSCE with OSCP). Quick answer: You can’t. It really is something different.

After finishing both, I can say that (from my perspective) OSCP teaches you:

  • Identifying vulnerabilities in services and machines
  • Pentesting methodology
  • Teaching multiple methods for privilege escalation
  • Being very creative and trying out everything (even if things don’t appear logical at first sight)
  • Introduction into many many tools for the multiple stages of a pen test
  • A very structured way of working (taking notes etc.)
  • Learning about various “popular” vulns/exploits from the past years
  • The general mindset of a “hacker”
  • Finding and using suitable exploits (e.g. by querying exploit-db)
  • A first introduction into exploit development

OSCE on the other hand was a bit different. What I took from it was the following:

  • Advanced exploit development techniques (SEH overwrites, manual encoding of assembly instructions, dealing with character conversion in payloads, egghunters)
  • Finding new vulnerabilities in network services (-> fuzzing)
  • Being even more creative when it comes to combining multiple vulnerabilities
  • Find vulnerabilities by studying application source code
  • Manually backdooring (Windows) binaries
  • Bypassing Anti Virus
  • A glimpse into Cisco router configuration exploitation (-> SNMP)

My motivation for taking CTP/OSCE

After having finished OSCP in March this year, I was thinking about “what to do next”. OSCP really was fun, puzzling, challenging and interesting. A never ending source for learning and developing skills. But there was one thing in there that fascinated me the most, which was the development of exploits.

I already wrote about this in my OSCP review here: I have quite some experience in reversing/hacking software and am feeling quite comfortable in a debugger. I always find it fascinating to see an application in its most abstract way: memory, filled with bytes that instruct the CPU to do certain things. This all then enhanced with multiple concepts like registers, stacks, the heap etc. This is all good fun to me and I enjoy “diving deep”. Maybe that’s why I thought OSCE, as being more “exploit development focused”, would be the next best thing to do.

Of course I then started reading every review out there about the CTP/OSCE, and general consensus had been, that it’s “super hard”, sporting a “brutal 48h exam” and that you really should prepare heavily prior even registering for the CTP. I mean, hey, Offsec even requires you to solve a “puzzle” (fc4.me – ya know) before you can register. Wow.

I then realised that I have some conceptual “gaps” that needed filling. I wasn’t really proficient in debugging Linux applications (-> gdb). Same applied for ImmunityDbg or OllyDbg. I worked with IDA Pro – but that had been a while ago. Also, my know how regarding assembly level shellcode development was quite limited. Yeah – there’s a “windows/shell_reverse_tcp” – but how does it work in detail?

Prepping for the CTP course

So before signing up for CTP, I went for the SecurityTube Linux Assembly Expert course. I was hoping to get a refresher in coding assembly shellcode and also to learn about certain concepts (e.g. egghunter). And this worked fine – the course delivered. And besides – it was quite entertaining, too. Even a bit more advanced topics like encoding/encrypting your shellcode were covered – which was 100% fun (if you, like me, love to be creative when it comes to modifying stuff in memory :-)).

In parallel to SLAE I tried to learn a bit more about Windows exploitation. Following the Corelan exploit development tutorials turned out to be super helpful. Super interesting and packed with new stuff to learn.

So on April 11th, after getting a bit tired of all this “OSCE is super difficult” and “you need to prep a lot before doing this” bla bla, I decided to don’t give a shit and sign up for CTP.

Bildschirmfoto 2017-06-01 um 14.54.38

The CTP course

On April 23rd I received my course material and started to work my way through the PDF (and videos). My first impression?

Honestly, coming from OSCP, you first feel a bit disappointed since it’s much less material than in the PWK course. The good thing on the other hand is that Offsec forces you to reflect a bit more than in OSCP since there were intentional gaps and errors in the material (so you had to come up with your own solutions instead of just copying something).

So it took me only about a week for finishing all CTP exercises. Which felt a bit odd. In OSCP you had these 50 servers you had to hack which of course took way longer.

This new situation immediately makes you think the following:

“This just can’t be enough to pass the exam. This can only be a foundation and they (Offsec) expect you to learn more (on the Internet).”

This situation really is deceiving. I felt “ready” after finishing the course work. Nothing of the things I learnt seemed “difficult” and I was kind of anticipating the exam. So I scheduled an exam date – which unfortunately wasn’t possible until End of June (the whole May was “booked out”). Which meant plenty of time (or: way too much time?) for extended studying.

Preparing for the exam

One thing I did do was “re-building exploits” I found on exploit-db (read: here). Trying to port them to 64 bit. Trying to understand why they work the way they work, understanding the various ways to implement an egghunter (Google is your friend here). Really trying to become more proficient in Windows exploit development, Windows API stuff, character encoding etc.

In retrospect, this exploit stuff didn’t seem too hard to me. I was more afraid of some potentially nasty OSCP-style web vuln exam objectives than of multiple bad ass exploit development tasks 🙂

Mid of May I checked the Offsec exam booking page again and discovered an open slot for June 26th. I said “what the hell” and booked it. Basically pulling the initial exam date 4 weeks ahead. I felt brave, confident and l33t. Bring it on, Offsec! 🙂

The CTP exam

My 48h exam was scheduled for Friday, May 26th, 11am – so I had to finish all tasks until latest Sunday 10:45am.

There has been written a lot about the exam and yes, I can’t reveal much about its contents. But it’s basically a similar structure as in OSCP – you get tasks that are either “easy” (with a lower amount of points to score) or “difficult” (with high points). In order to pass (i.e. have enough points), you need to finish two “difficult” tasks and one “easy”.

Here is how it turned out (for me).

Since I’m usually a bit nervous in exam situations (which tends to somehow block my brain circuits), I decided to go for an easy target first to gain some confidence. And that worked out fine. After 2 hours, the first “easy” task was finished. Took a bit longer than maybe normally required since you always have to make sure to keep notes (screenshots etc) of everything you do.

Next thing to crack was one of the “difficult” targets. It was dealing with something that sounded unknown yet interesting and I gave it a go. After some research on Google (yes, even in the exam you learn new things – although the concepts are the same as in the course work), I found a possible attack angle and began trying out stuff. It took me about 5 hours in total for this “difficult” server to exploit and to tackle the exam objective.

7 hours down, 50% done. I felt confident so I had to tweet about my progress 🙂

Bildschirmfoto 2017-06-01 um 15.04.21

Perfect timing for a break. My girlfriend and me had a nice dinner and after that, I started working on the other “easy” target. It seemed to be pretty straightforward since it was based on a concept that was taught extensively in the course – but of course there was a twist. I kind of failed to get the objective done and got annoyed. And whenever you get annoyed by something, you maybe should try something else instead. So after maybe working 3 hours on this “easy” task, I became curious about the last remaining thing – the other “difficult” exam objective. So I stopped working on the “easy” task and switched context.

And that final one can be considered as the “main” challenge of the exam. In retrospect – this was the most difficult and most challenging bit of the exam.

So at around 9pm the evening I started working on this one. It didn’t take me long to find the initial attack vector and I began exploiting it. And this thing then continued to unfold – and unfold – and unfold. One “challenge” followed the other. This was just crazy – I identified various things that seemed “odd” and “unexpected”. There was more than one time where I thought that “this can’t be right” and “maybe I should try something else” … but I kept pushing, refining, trying, understanding, exploring (trying harder, ya know :-)).

Somewhere around midnight I knew how to solve this puzzle. I had everything I need and just had to find a way to plug it all together – in a possible way, given the crazy and very restricted circumstances.

I spent the next three hours experimenting and trying out things, but there was always something which hindered me in getting what I want. Sounds a bit cryptic but you’ll see what I mean once you pass your exam 🙂

At Saturday, 3am I knew that I’m 90% done and so damn close to solving this puzzle but needed a fresh brain to fix the remaining 10%. So I decided to take a break and went to bed.

Getting up again – 5 hours later. A quick double espresso in front of my computer. I started plotting the situation from scratch, writing it down on a bit of paper and trying to find a smart way to solve it. It was a puzzle I had to solve. A tricky situation with loads of constraints. You have to work around them and find a way to the goal. I left behind the “trial&error” phase a  long while ago – this now was a very focused “solution finding” process.

And there it was. Not sure why I didn’t come up with this before but it was just plain simple. I re-arranged some of my code and it looked good. The concept I had in mind was logically consistent and just should work when executing it.

9am Saturday morning. I modified my exploit and gave it a final try. 3-2-1 go. BOOM. It just worked. As expected. I successfully exploited this vulnerability and fulfilled the exam objective. Buttery smooth. No questions asked. What a beautifully satisfying situation. I was in complete control of what I was doing and created something complex, yet elegant (yes, really quite proud of this :-)). Everything I did felt totally logical and I just couldn’t stop grinning. This had been just crazy difficult/complex/weird/cool. Massive respect to Offensive Security for coming up with such a creative exam task. I felt like being on top of the world.

1412083753344_Image_galleryImage_King_jpg

Now I had enough points for passing the exam. But I wanted more. I wanted all the points. So: Back to the 2nd “easy box”.

And as always – with a fresh mind, things become just easy. At around 11am I successfully finished this final task.

24h over – all objectives completed. Game over. Told my girlfriend (and the guys on Twitter) that “I’m done” and that this should be sufficient to pass the exam.

What a feeling. My inner and outer body were just smiling. Mission accomplished.

Exam aftermath

Full of joy and satisfaction I went to bed for a couple of hours. Started writing the documentation and sent it over to Offsec at around 6pm Saturday evening.

Had this strange feeling for the rest of the weekend. This just felt a bit too easy. And my (personal) solution for that 2nd “difficult” objective just felt odd, weird, crazy, complex and uber-creative – was this really the correct way to do this? Or are there many possible (other) solutions? Did I maybe understood this only “half” and just found a weird and accidental way around the “real” way of solving this? Full of doubts… But also full of confidence since it was kind of hardcore and damn – I nailed all exam objectives!

Waiting for the “result” email really sucked. I knew that I finished all objectives but – you never know. But then, finally, on Monday afternoon, I got the email and it was confirmed – I passed the exam and am now a certified expert 🙂

offsec-student-certified-emblem-rgb-osce.png

Tips for passing the exam

Since I love to help other people, here my personal tips for passing the exam.

  • Be open to learning new concepts “on the fly” – Googling will help you in the exam
  • Try out everything – eventually you will find something that works – be creative!
  • Really try to fully understand what’s going on – don’t give up until you understand it all!
  • Always try to get the “full picture” of the situation – read the exam instructions carefully!
  • The Corelan tutorials proved to be helpful (and interesting!) to gain enough “depth”
  • Do each and every of the course exercises and don’t stop until you fully understood/mastered them!
  • Don’t take shortcuts – really do whatever it takes to understand this stuff
  • Have some fun building your own exploits – you can pull POC’s from exploit-db in order to save you the time to find out how to crash a certain software
  • And most important: Have fun.

That was it. Please let me know if you have questions. I’d to be happy to help. Either here or on Twitter.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s