Study Guide & Tips: Offensive Security Certified Expert (OSCE) / Cracking The Perimeter (CTP)

Disclaimer: This guide is by no means a replacement for the CTP course itself. It will only prepare you for it so that you can work in the labs. All the information shared here is my personal opinion only.

Preparing for something that you have no idea about can sometimes be very time consuming and tedious at the same time. You are never sure whether what you are doing is good enough. This is exactly the case when you are preparing for Offensive Security Certified Expert certification. If you haven’t read my review on this certification, you can check it here.

Having done no prior certification before OSCE, I was constantly looking for a guide or something similar to help me prepare before I could take on this course. But sadly, nothing in great detail was available. You either had to find people who had already done it and, if they were in the mood, they might send you off on the right path, or you signed up for the course itself only to find out that you were not good enough yet. I decided that when I was done with my exam, I would write a detailed blog post which would serve as a study guide. And here it is.

Unlike other study guides/tips available for OSCE, I am not assuming any advanced technical background, only that you want to take on OSCE, you have time to study for it, and you have at least some experience in the Information Security industry. I can tell you what you need to study, but the rest is up to you: practice the topics multiple times to ensure that you understand everything. The guide needs to be followed in the order it is written.

Lab Setup

Before we start diving into the learning material, we need to set up the lab environment first. Some of the resources outlined below do not specifically mention the environment they use, so it’s better to take care of this before we start. We will be installing a lot of similar tools, mostly because different resources follow different tools and techniques. I will let you figure out how to set these tools up. It’s a learning experience.

It does not matter if you are running a Linux distribution or Windows as your host operating system, but I do recommend something that you are very familiar with. The next thing that you need is either VirtualBox or VMware Player; both are available for free. Then grab an ISO of Windows XP SP3, Windows Vista/Windows 7, and Kali Linux, and set them up in your virtualization hypervisor to get them up and running. After you are done with that, install the following tools on both Windows XP and Windows Vista/Windows 7.

  • Olly Debugger
  • WinDBG
  • Immunity Debugger with Mona
  • CFF Explorer
  • LordPE
  • DevCPP
  • NetWide Assembler aka nasm
  • VulnServer

Once you are done setting up your environment, proceed further.

00- Assembly Language

I cannot stress enough how important x86 Assembly language is for this certification. Without it, I do not think that you can possibly tackle this course. Take some time and let this settle in. Moving on, the best resource that I can recommend for beginners who are looking to start from scratch in Assembly language is Open Security Training’s class “Introductory Intel x86: Architecture, Assembly, Applications, & Alliteration” by Xeno Kovah. It’s FREE. Currently, you can find the two-day class videos, which are pretty detailed, on both YouTube and Archive.org. I recommend that you download them all and watch them at your own pace, but watch all of the videos, multiple times if you have to, until you are sure that you understand Assembly language when it is put in front of you. I went through far too many resources before deciding that this is the best one to start with. You can find it here.

01- Basic Stack/Buffer Overflows

Now that you are comfortable enough with x86 Assembly language, you understand how the stack works, the different types of calls and endianness, and you can understand the basic instruction set, it’s time to move forward and learn about Stack/Buffer Overflow basics. Understanding how the stack works is crucial to understanding how to exploit overflows in it.

Firstly, I recommend reading the following article by Corelan and following the entire methodology of how everything fits together. The next is a paper by Parvez Anwar which I found explains things very well.

02- Beyond The Basic Stack/Buffer Overflows

By now, you should be comfortable with basic buffer overflows and with looking into a debugger. If you are not comfortable inside a debugger, I suggest reading this paper. It covers working with Immunity Debugger in great detail.

Once you are done with that, it’s time to step up your game and learn more about Buffer Overflows. Now it’s time for me to recommend taking a look at the “Exploits 2: Exploitation in the Windows Environment” class by Corey Kallenberg. You can check it here. This class takes you from the very basics of exploit writing to more advanced concepts like SEH overflows, DEP, etc. in the Windows environment. I highly recommend that you watch all the videos. There is a class prior to this one called Exploits 1 which covers exploit writing in the Linux environment and is a very good starting point as well.

03- Egg Hunters

Once you are comfortable enough with the above resources, it’s time to go even further and learn about Egg Hunters. They are very handy when it comes to exploit writing, and you will know why once you go through the following resources.

04- Fuzzing

It’s great that you can write exploits for vulnerabilities that have already been found by others, but how do you go about finding them on your own? This is the 0day angle. This is where fuzzing comes in. There are various types of fuzzers available, each with different capabilities.

You can learn more about fuzzing here:

Once you have gone through the above resources, it’s time to practice fuzzing with SPIKE on VulnServer. There are many great articles written on it, and going through them one by one is a good idea. You can download VulnServer from here.

05- Practice With VulnServer

After you have identified the vulnerable commands in VulnServer, it’s time to write exploits for all of them, and I really do mean writing an exploit for each and every vulnerable command of VulnServer. Why? Because each vulnerable command requires a different technique, and it is certainly a good idea to go through all of them. I highly recommend that you take on the challenge yourself, from fuzzing through to writing the exploit, but here are the walkthroughs if you get stuck.

06- Bypassing Exploit Mitigation

If you have come this far, you should know by now that there are a couple of things you have had to disable, or an older version of an operating system you have had to use, in order to write exploits. This is because various exploit mitigation technologies have been put into operating systems to stop exploitation of programs, but there are ways to bypass them. Some of them are ASLR, DEP, SafeSEH, etc. You can learn more about them here:

Now, I want you to practice the same VulnServer exercise from above on Windows 7 and try to bypass the mitigation technologies using the resources given above.

07- ShellCode

Writing your own shellcode, or even understanding someone else’s, is essential to learning exploit development. There are many times when you might need to craft your own shellcode for various reasons. You cannot always rely on Metasploit! The following resources are very helpful.

08- Recreating Exploits

Congratulations! You have come a long way. But it does not stop here. You need to work even harder now. What I recommend doing now is going to sites like Exploit-DB, grabbing various vulnerable applications from the local privilege escalation section, and writing exploits for them from scratch. This might seem like a very tedious exercise, but believe me when I say this: it helped me learn so much that wasn’t covered in any of the articles or the course. You get to learn new tips and tricks that can help you complete your exam faster.

09- Web Application Exploitation

Web application security is a very complex topic and one of the core modules in the CTP course. There are various great resources available to study this topic in great depth. I would recommend setting up a LAMP stack locally on an Ubuntu server or another distribution and learning by installing a vulnerable web application like Mutillidae or DVWA on it.

Some of the important resources are:

0A- Antivirus Evasion

The antivirus evasion techniques in the CTP course are not effective against today’s antivirus products, but they still lay the groundwork for more research into this topic. Here are the resources that are very helpful according to the course:

Conclusion

If you have prepared with the above resources very well, then you are ready to sign up for the CTP course. You can proceed to complete the fc4.me challenge. I wish you the very best of luck. Just remember to spend as much time as you can in the labs, even if it’s just recreating the exploits multiple times. There are some things that I have intentionally left out of this guide which are nicely covered in the course itself.

Good Luck!

4 Comments

  • Sam

    Hardy, congratulations for clearing OSCE (which is on my bucket list) and thank you very much for sharing your experience and resources with us!

    I wish you a great success ahead!

    Regards,

    Sam.

  • some

    Hey man. Wondering, what about the SLAE course?
    Also the books “The Art of Exploitation 2nd ed.” and “Shellcoder’s book”?

    Thanks

    • Amin

      SLAE is certainly a good course, but it focuses on Linux. SLAE is a good starting point as well. These resources are certainly great and there are endless more resources available; however, my study guide focuses on passing OSCE itself and what is important according to my knowledge.
