Review: Offensive Security Certified Expert (OSCE) / Cracking the Perimeter (CTP)
It was almost midnight when I submitted my report to the Offsec team, and I waited for almost 26 hours until, at 02:09 AM, I got the most awaited email telling me that I had successfully passed the certification exam and that I had been awarded an OSCE certificate.
Why yet another review?
There are way too many reviews already available prior to this one if you do a little research. However, all of them have one thing in common: all of the reviewers had previously taken the Offensive Security Certified Professional (OSCP) exam before attempting OSCE. For me, I wanted to do things differently and attempt OSCE without taking OSCP, because many people said it cannot be done and I had to prove them wrong; plus, this happens to be my first certification. Now that we have gotten that out of the way, let’s dive in.
The Pre & Post Registration Process
The pricing structure for the CTP course is as follows:
Unlike other certification courses, registering for CTP/OSCE is a little bit different. There is a challenge that you need to solve before you can even sign up. If you cannot do that, then you are not eligible for this course. This just shows that Offensive Security does not want you to suffer in the course for not having enough prior knowledge, and it also helps them to keep a standard. I must say, if you really want this course to be a great learning experience and fun at the same time, then do not cheat; I must insist that you complete this challenge yourself. If you cannot do it yourself, you will have a hard time taking on this course. It took me about 3 hours to complete that challenge, and I was able to sign up with the 30 days lab package and complete the payment process. FYI, the challenge is located at http://fc4.me
The Course Work
It takes about 15 days until your course starts, and when it is time, you are given the following to download and start the course work:
- PDF Guide
- Tutorial Videos
- Lab Connectivity Pack with your credentials
- Backtrack VM Image
The course consists of 4 major modules and several sub-modules, as can be seen from the syllabus, which is available online. The course is not up to date with today’s techniques and tools. Some people, and I personally, think that the content really is obsolete. However, it is the perfect starting point for anyone thinking of getting started in advanced exploitation.
The main topics covered in the course can be summarized into:
- Advanced Web Application Exploitation
- PE32 Binary Backdoors
- Antivirus Evasion
- Exploit Research & Development
- Advanced Exploitation Techniques
- Advanced Network Attacks
The PDF guide and the video tutorials are mostly identical, but the PDF guide has much more detail and covers the topics in very good depth. The course in itself is very nicely designed, but you are assumed to know a lot of things beforehand. You are expected to be familiar with a debugger, basic exploitation techniques, and assembly. This is where you really understand that the fc4.me challenge before the registration was a hint to learn this stuff before signing up.
The lab consists of a few servers with various vulnerable applications and designed scenarios, which you need to practice with by following the PDF guide and the video tutorials. While you are recommended to use Backtrack for this course, it is not compulsory. You can use Kali or even another distribution like I did. My setup is Arch Linux running as the host operating system, where I have got all the tools needed to complete this course. On the servers themselves, you are given Olly Debugger to use as the primary debugger, but that is also not necessary and you can work with Immunity or WinDBG as well. The labs are as flexible as you want. The course is designed to teach you skills that can be implemented through various tools, or even your own.
For me, I had to extend the lab access one time because I had exams at my university at the same time I signed up for the course, which was a poor decision. It takes about $350 to extend the lab access. Anyone who is familiar with the topics I mentioned above would not need more than 30 days to complete the labs. I recommend studying each and every module in the course work from various other sources to learn about them in more depth.
There are a couple of resources that I followed to do some extra study before the exam.
- Corelan Tutorials
- FuzzySecurity
- SecuritySift
- Exploit DB
The Exam
Then it was exam time! I had to take the day off from work to mentally prepare myself. I knew that I had about 48 hours for the exam tasks and another 24 hours for documentation. You are required to submit a detailed report of the exam and achieve at least 85% of points to pass the exam. I had heard about Offensive Security’s exams and what they do to you. They really have a way of making you think that you really do not know anything. To be honest, I did not feel very confident, probably because I had not spent enough time in the labs. But I still had to try because I did spend time learning in depth about the topics taught in the course.
The exam started at 3:00 PM when I got the mail from Offsec with the exam lab connectivity pack along with my credentials. You are also given information about the servers, exam tasks, and points allocation, and also an exam guide to tell you what you are allowed to do and what is forbidden. I took the first half an hour to go through and understand all the tasks and what was required of me.
Looking at the points, I decided to grab the low-hanging fruit first, but I guess I was wrong. I quickly realized that I should skip this task and move on to the bigger fish. By the 5th hour, I had completed one of the tasks which had high points. I then downloaded Offsec’s report template, where I put in the necessary information and started writing the steps for this task. I did this for all the tasks: as soon as I completed a task, I started to write the documentation for it. This is not necessary, as you are given another 24 hours aside from the 48 hours to work on your documentation, but I felt like I would forget some things if I didn’t do it this way.
I was still left with 3 tasks. I then started working on another task with low points, and it was fairly easy to complete. It took me about 3 hours more. Then came the time to work on another high-point task, but little did I know what I was getting into. For the first two hours, I thought Offsec deliberately wanted me to fail, as I found no way to get started on the task, but then I thought back to the course work and it gave me an idea of where to look, and it worked. But then again, it took me another 5-6 hours to get done with this.
About 13-14 hours had passed, but I had enough points to pass the exam. I did not want to stop here, so I picked up the task that I had left in the beginning. I started working on it again and this time I figured out a way which worked, but it was not quite according to how it was asked for in the instructions, so I kept on researching this until I put the pieces together and eventually made it work. All in all, it took me about 17-19 hours to get done with the tasks, which includes the poor documentation I did. Then I decided to get some sleep and wake up in about 6 hours or so. I spent another 5 hours or so looking at the documentation to improve it and add more detail to it. Once I felt confident about it, I sent the mail to Offensive Security’s Challenges Department.
Results
Once your documentation is successfully sent and received by Offensive Security’s Challenges Department, a confirmation email is sent back to you within 12 hours asking you to wait while your report is being evaluated by the department. I then waited for 26 hours until I got the mail telling me that I had passed the exam.
Conclusion
There are very few resources and detailed study guides available for this course. So, I have written a very detailed preparation guide for this course. Check it here.
It is not required to take the Pentesting With Kali/OSCP course if you already have the required skills to take on OSCE. You can certainly go and take on this challenge without taking OSCP.
Anyone thinking about taking this course must make sure to have the required skills as mentioned above. No matter how much you prepare, it is not enough. However, you should not give up; keep trying harder. This course will teach you a lot, but you must not get frustrated, and you should follow their motto “Try Harder”.
Thank you so much to Offensive Security for such a wonderful course!