Disclaimer: This guide is by no means a replacement for the CTP course itself. It will only prepare you for it so that you can work in the labs. All the information shared here is my personal opinion only.
Preparing for something you know nothing about can be very time consuming and tedious. You are never sure whether what you are doing is good enough. This is exactly the case when you are preparing for the Offensive Security Certified Expert certification. If you haven’t read my review of this certification, you can check it here.
Having done no prior certification before OSCE, I was constantly looking for a guide or something similar to help me prepare before I could take on this course. Sadly, nothing in great detail was available. You either had to find people who had already done it, and if they were in the mood they might send you off on the right path, or you signed up for the course itself only to find out that you were not good enough yet. I decided that when I was done with my exam, I would write a detailed blog post to serve as a study guide. And here it is.
Unlike other study guides and tips available for OSCE, I am not assuming much technical background, except that you want to take on OSCE, you have time to study for it, and you have at least some experience in the information security industry. I can tell you what you need to study, but the rest is up to you: practice the topics multiple times to ensure that you understand everything. The guide needs to be followed in the order it is written.
Before we start diving into the learning material, we need to set up the lab environment. Some of the resources outlined below do not specifically mention the environment they use, so it’s better to take care of this before we start. We will be installing a lot of similar tools, mostly because different resources follow different tools and techniques. I will let you figure out how to set these tools up. It’s a learning experience.
It does not matter whether you are running a Linux distribution or Windows as your host operating system, but I do recommend something that you are very familiar with. The next thing you need is either VirtualBox or VMware Player; both are available for free. Next, grab an ISO of Windows XP SP3, Windows Vista/Windows 7, and Kali Linux, and set them up in your hypervisor to get them up and running. After that, there are a couple of tools you need to install on both Windows XP and Windows Vista/Windows 7.
- Olly Debugger.
- Immunity Debugger with Mona.
- CFF Explorer.
- NetWide Assembler aka nasm.
Once you are done setting up your environment, proceed further.
00- Assembly Language
I cannot stress enough how important x86 Assembly language is for this certification. Without it, I do not think you can possibly tackle this course. Take some time and let this settle in. Moving on, the best resource I can recommend for beginners who want to start from scratch with Assembly language is Open Security Training’s class “Introductory Intel x86: Architecture, Assembly, Applications, & Alliteration” by Xeno Kovah. It’s FREE. Currently, you can find the two-day class videos, which are pretty detailed, on both YouTube and Archive.org. I recommend that you download them all and watch them at your own pace, but watch all of the videos, and even multiple times if you have to, until you are sure that you understand Assembly language when it is put in front of you. I have gone through way too many resources to decide that this is the best one to start with. You can find it here.
01- Basic Stack/Buffer Overflows
Now that you are comfortable enough with x86 Assembly language, you understand how the stack works, the different types of calls and endianness, and you can read the basic instruction set, it’s time to move on to the basics of stack/buffer overflows. Understanding how the stack works is crucial to understanding how to exploit overflows in it.
Firstly, I recommend reading the following article by Corelan and following the entire methodology of how everything fits together. The next is a paper by Parvez Anwar in which I found things explained very well.
- Exploit Writing Tutorial Part 1 – Stack Based Overflows
- Buffer Overflows in the Microsoft Windows® Environment
02- Beyond The Basic Stack/Buffer Overflows
By now, you should be comfortable with basic buffer overflows and with looking into a debugger. If you are not comfortable inside a debugger, I suggest reading this paper. It covers working with Immunity Debugger in great detail.
Once you are done with that, it’s time to step up your game and learn more about buffer overflows. Now it’s time for me to recommend taking a look at the “Exploits 2: Exploitation in the Windows Environment” class by Corey Kallenberg. You can check it here. This class takes you from the very basics of exploit writing to more advanced concepts like SEH overflows, DEP, etc. in the Windows environment. I highly recommend that you watch all the videos. There is a class prior to this one called Exploits 1 which covers exploit writing in the Linux environment and is a very good starting point as well.
03- Egg Hunters
Once you are comfortable enough with the above resources, it’s time to go even further and learn about egg hunters. They are very handy when it comes to exploit writing, and you will know why once you go through the following resources.
- “Safely Searching Process Virtual Address Space” By Skape
- Egg Hunters – Fuzzy Security
- Egg Hunters – A Twist In Buffer Overflows
04- Fuzzing
It’s great that you can write exploits for vulnerabilities that have already been found by others, but how do you go about finding them on your own? This is the 0day angle, and this is where fuzzing comes in. There are various types of fuzzers available, and they differ in what they can do.
You can learn more about fuzzing here:
Once you have gone through the above resources, it’s time to practice fuzzing with SPIKE on VulnServer. There are many great articles written on it, and I suggest going through them one by one. You can download VulnServer from here.
- An Introduction to Fuzzing: Using fuzzers (SPIKE) to find vulnerabilities
- Vulnserver – Fuzzing with Spike
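To make the idea of fuzzing concrete before you pick up SPIKE, here is a small mutation fuzzer that I have added to this guide; it is not SPIKE, not VulnServer, and not code from any of the articles above. It runs in-process against a constructed toy command parser with two planted defects (an unchecked table index and a division by a client-supplied number). The parser, the `CMD <opcode> <size> <payload>` format and the `INTERESTING` value list are all assumptions of this example. An uncaught exception here plays the role of the access violation you would otherwise see in Immunity Debugger when SPIKE sends a malformed packet to a real service.

```python
import random

# Constructed handler table standing in for a service's command dispatch.
HANDLERS = [
    lambda payload, chunk: "ECHO %d" % len(payload),
    lambda payload, chunk: "UPPER " + payload.upper().decode("latin-1"),
    lambda payload, chunk: "CHUNKS %d" % chunk,
    lambda payload, chunk: "LEN %d" % chunk,
]

# Seed corpus of well-formed messages; mutations are derived from these.
CORPUS = [b"CMD 0 4 hello world", b"CMD 2 1 abc", b"CMD 3 2 some data"]

# Boundary values a fuzzer substitutes into numeric fields.
INTERESTING = [0, 1, -1, 255, 256, 65535, 2 ** 31 - 1]


def handle_command(data):
    """Parse b'CMD <opcode> <size> <payload>'.

    Malformed input is meant to return an ERR string; any uncaught exception
    is the in-process analogue of a crash in the target.
    """
    fields = data.split(b" ")
    if len(fields) < 4 or fields[0] != b"CMD":
        return "ERR_FORMAT"
    try:
        opcode = int(fields[1])
        size = int(fields[2])
    except ValueError:
        return "ERR_NUMBER"
    payload = b" ".join(fields[3:])
    handler = HANDLERS[opcode]        # defect 1: opcode is never bounds-checked
    chunk = len(payload) // size      # defect 2: size may be zero
    return handler(payload, chunk)


def mutate(rng, data):
    """Apply one random mutation: a byte-level change or a field-aware
    substitution, the two kinds of mutation a block-based fuzzer produces."""
    buf = bytearray(data)
    choice = rng.randrange(4)
    if choice == 0 and buf:                       # flip a single bit
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif choice == 1:                             # insert a random byte
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif choice == 2 and buf:                     # delete a byte
        del buf[rng.randrange(len(buf))]
    else:                                         # replace a numeric field
        fields = buf.split(b" ")
        if len(fields) >= 3:
            idx = rng.choice([1, 2])
            fields[idx] = str(rng.choice(INTERESTING)).encode()
            buf = bytearray(b" ".join(fields))
    return bytes(buf)


def fuzz(corpus, iterations=3000, seed=1):
    """Run the mutation loop; return one sample input per distinct crash type."""
    rng = random.Random(seed)                     # fixed seed: reproducible runs
    crashes = {}
    for _ in range(iterations):
        case = rng.choice(corpus)
        for _ in range(rng.randrange(1, 4)):      # stack one to three mutations
            case = mutate(rng, case)
        try:
            handle_command(case)
        except Exception as exc:                  # crash: keep the first sample
            crashes.setdefault(type(exc).__name__, case)
    return crashes


if __name__ == "__main__":
    for name, sample in fuzz(CORPUS).items():
        print(name, sample)
```

Both planted defects are found within a few thousand iterations, and the saved sample for each is exactly what you would feed back to the parser under a debugger to work out the root cause. Against a real network service the loop body would send `case` over a socket and treat a dropped connection as the crash signal, which is what the VulnServer articles walk you through with SPIKE.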
05- Practice With VulnServer
After you have identified the vulnerable commands in VulnServer, it’s time to write the exploits for all of them, and I really do mean writing an exploit for each and every vulnerable command of VulnServer. Why? Because each vulnerable command requires a different technique, and it is certainly a good idea to go through all of them. I highly recommend that you take the challenge from fuzzing through to writing the exploit yourself, but here are the walkthroughs if you get stuck:
06- Bypassing Exploit Mitigation
If you have come this far, you should know by now that there are a couple of things you have had to disable, or an older version of an operating system you have had to use, in order to write exploits. This is because various exploit mitigation technologies have been built into operating systems to stop the exploitation of programs, but there are ways to bypass them. Some of them are ASLR, DEP, SafeSEH, etc. You can learn more about them here:
- Bypassing ASLR/DEP
- Exploit writing tutorial part 6 : Bypassing Stack Cookies, SafeSeh, SEHOP, HW DEP and ASLR
- Exploit Dev 101: Bypassing ASLR on Windows
- Bypassing ASLR and DEP on Windows 7: The Audio Converter Case
Now, I want you to practice the same VulnServer exercise from above on Windows 7 and try to bypass the mitigation technologies using the resources given above.
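Before trying to bypass anything on Windows 7, the first thing you will do in practice is find out which mitigations each loaded module actually opted into; `!mona modules` prints exactly this table. As an added illustration (my own code, not mona’s and not part of the original guide), the script below reads the two mitigation-related bits of the PE optional header’s `DllCharacteristics` field: `DYNAMIC_BASE` (the module can be relocated, so ASLR applies) and `NX_COMPAT` (DEP). The flag values and header offsets come from the PE/COFF specification. `build_image` is an assumption of this example: it constructs a minimal, non-loadable header so the check can be exercised offline. SafeSEH is not a `DllCharacteristics` bit; it lives in the Load Configuration directory, which this example does not parse.

```python
import struct

# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits (PE/COFF specification).
HIGH_ENTROPY_VA = 0x0020   # 64-bit ASLR with high-entropy addresses
DYNAMIC_BASE    = 0x0040   # image may be relocated at load time: ASLR opt-in
FORCE_INTEGRITY = 0x0080
NX_COMPAT       = 0x0100   # image is DEP/NX compatible
NO_SEH          = 0x0400   # image declares that it uses no SEH at all
GUARD_CF        = 0x4000   # Control Flow Guard


def dll_characteristics(image):
    """Return (magic, DllCharacteristics) from the raw bytes of a PE file."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20             # skip the signature and COFF file header
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (0x10B, 0x20B):     # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ headers.
    return magic, struct.unpack_from("<H", image, opt + 70)[0]


def check_mitigations(image):
    """Summarise the opt-in mitigations recorded in the PE header."""
    magic, flags = dll_characteristics(image)
    return {
        "pe32plus": magic == 0x20B,
        "aslr": bool(flags & DYNAMIC_BASE),
        "high_entropy_va": bool(flags & HIGH_ENTROPY_VA),
        "dep": bool(flags & NX_COMPAT),
        "no_seh": bool(flags & NO_SEH),
        "cfg": bool(flags & GUARD_CF),
    }


def build_image(flags, pe32plus=False):
    """Constructed minimal header (not a loadable binary) for offline testing."""
    img = bytearray(0x40 + 4 + 20 + 240)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                 # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", img, 0x44, 0x8664 if pe32plus else 0x14C)  # Machine
    opt = 0x44 + 20
    struct.pack_into("<H", img, opt, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", img, opt + 70, flags)
    return bytes(img)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, check_mitigations(f.read()))
```

Run it with one or more DLL or EXE paths as arguments. A module that reports `aslr: False` and `dep: False` is the kind of module the resources above have you hunt for when looking for usable addresses, and conversely it is the kind a defender wants to see rebuilt with `/DYNAMICBASE` and `/NXCOMPAT`.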
07- Shellcoding
Writing your own shellcode, or even understanding someone else’s, is essential to learning exploit development. There are many times when you might need to craft your own shellcode for various reasons. You cannot always rely on Metasploit! The following resources are very helpful.
- Exploit Writing Tutorial Part 9 – Introduction To Win32 Shellcoding
- ShellCode By Hand
08- Recreating Exploits
Congratulations! You have come a long way. But it does not stop here. You need to work even harder now. What I recommend doing now is going to sites like Exploit-DB, grabbing various vulnerable applications from the local privilege escalation section, and writing exploits for them from scratch. This might seem like a very tedious exercise, but believe me when I say this: it helped me learn a lot that wasn’t covered in any of the articles or the course. You get to learn new tips and tricks that can help you complete your exam faster.
09- Web Application Exploitation
Web application security is a very complex topic and one of the core modules in the CTP course. There are various great resources available to study this topic in great depth. I would recommend setting up a LAMP stack locally on an Ubuntu server or another distribution and learning by deploying a vulnerable web application such as Mutillidae or DVWA on it.
Some of the important resources are:
- Web Application Pentesting – Webpwnized
- File Inclusion Vulnerabilities
- Guide Book on Cross Site Scripting
- Finding vulnerabilities in Web Applications
0A- Antivirus Evasion
The antivirus evasion techniques in the CTP course no longer work against today’s antivirus products, but they still lay the groundwork for further research into this topic. Here are the resources that are very helpful according to the course:
If you have prepared with the above resources very well, then you are ready to sign up for the CTP course. You can proceed to complete the fc4.me challenge. I wish you the very best of luck. Just remember to spend as much time as you can in the labs, even if it’s just recreating the exploits multiple times. There are some things that I have intentionally left out of this guide which are nicely covered in the course itself.