Monday, 18 January 2016

My OSCE Review




INTRODUCTION
___________________________________________________
Offensive Security Certified Expert (OSCE) is a certification earned when one passes the exam after following the Cracking The Perimeter (CTP) course. It is more specialised than OSCP, and can be a natural continuation after OSCP. You can read my previous OSCP review to learn about my experience with it.

In this review, I will of course give my experience and opinion about the course and the exam, but I will also first cover the path between OSCP and OSCE. Indeed, once OSCP is achieved, if you want to continue with OSCE, a lot of questions may arise: can I jump directly from one to the other? Should I learn or practice particular topics? Is there a gap between OSCP and OSCE? How do the PWK and CTP courses compare? etc. I asked myself all of these questions, and I had to read all the reviews and ask OSCE holders these very questions as well. Below I will thus cover my own experience on this particular topic, which many OSCPs may wonder about.



1. FROM OSCP TO OSCE
___________________________________________________
First of all, there is a challenge one has to solve to register for the CTP course. You cannot simply register, pay, and start the course. This challenge is there to prevent people without the necessary knowledge from hurting themselves with a course and certification above their reach (with their current knowledge). This alone is a strong indicator that there is indeed a gap between OSCP and OSCE. However, for what it's worth, I was still able to find the challenge solution right after OSCP, despite not having the required knowledge. It would in any case have been a bad idea to register and do the CTP course directly, as I would not have been prepared at all.

After investigating what knowledge is required beforehand, I then made myself a learning program to follow to get me to the necessary level. Had I not done that, I would have had a nightmare following the CTP course and would have miserably failed the exam. This is based on my personal knowledge level however, and it may not apply to an OSCP who is already a pentester and is used to finding 0-days and developing exploits every day for breakfast. If however you got your OSCP but have never done more than the stack overflow covered in PWK, and you are not particularly fluent in assembly, then the program I followed may be well suited to you as well.

The program described below is designed to cover: shellcode, assembly, reversing, and exploit techniques such as stack overflow, SEH, and Egghunter. It is a minimal program which was enough for me as I practised a lot, but other people like to add more topics such as fuzzing.

1) My first and biggest advice is to take the intermediate SecurityTube Linux Assembly Expert (SLAE) certification, which can be completed quickly depending on the time spent on it (3 weeks for me, on holidays). It allowed me to learn assembly easily, to build shellcode, to learn about polymorphism and encoders, and to gain overall a good knowledge of basic x86 assembly. This is totally security oriented, not a general and boring assembly course. This was what helped me the most and I wholeheartedly recommend it if you want to get the OSCE certification. The CTP course per se does not require you to be an assembly expert, but the more you know it, the more you will be able to focus on the exercises instead of fighting with assembly.

2) My second advice is, after SLAE, to improve your stack overflow knowledge, and to learn about SEH and Egghunter, by practising with the following exploit development tutorial websites:
- http://fuzzysecurity.com/ : Windows Exploit Development Tutorial Series (less detailed)
- http://www.securitysift.com/ : Windows Exploit Development (more details)
- https://www.corelan.be/ : Exploit Writing Tutorials (a lot of details!)

Do all of the exercises about stack overflow, SEH, Egghunter, and Win32 shellcoding. There is no need to learn other kinds of exploits as they are not covered in CTP.

3) As a third step, you can go to https://www.exploit-db.com/ and take random stack/SEH/Egghunter exploits and recreate them from scratch by yourself, without first reading and memorising the solution (you may find a different way than the original exploit). Optionally, you could try to find unknown flaws yourself in various software (0-days!). To my own surprise, I myself found 3 vulnerabilities, including one remote code execution (CVE-2015-7874) in the KiTTY portable software. That was not obvious to me; at first I thought it was not exploitable, but after some acrobatic moves I found a way. I used this opportunity as an exercise to practice more, to find my own way of thinking, and to get used to assembly and shellcode.

I did all of the above in 4 months. I could have taken more time if I had done SLAE while I was working and not on holidays, or I could have made it shorter if I had practiced less by doing fewer exercises. It is just a matter of being comfortable with the aforementioned subjects. If in 2 months you feel absolutely OK, then that's fine. It is totally individual, and depends on your current experience and knowledge. This learning program I designed is just an example I built for myself, which may be useful if you have no idea what to work on.


2. THE COURSE
___________________________________________________
Once you have successfully passed the CTP registration challenge and have received your course material, some differences with PWK/OSCP jump out. Firstly, instead of a 350-page course you have a 150-page one. This means CTP covers fewer topics than PWK, but is more specialised (9 topics; more details in the course syllabus). As such, the required learning time is less than for PWK: you can go over the course more quickly, and then use more time to exercise. CTP was clearly less intense than PWK was for me, but I was also much better prepared and I could focus on the topics and enjoy the course. Secondly, in the course there are a few gaps or missing parts, to prevent the student from blindly following the course without thinking about and understanding what is being talked about. The course is an exercise in itself. Lastly, if you are well prepared the course might not seem that hard; however, the course is only a starting point for you to do more research. Only following the course, and doing the requested exercises once, is a sure way to fail the exam.

The lab is also very different from PWK. There are not plenty of servers to hack, but instead a few machines you have full control of, which allow you to replicate the course exercises. You are provided with a Backtrack virtual machine, and like PWK you have a VPN connection to your lab. If you enjoyed hunting servers to get your OSCP, you will find CTP to be very different on that point.

Briefly, CTP takes some topics covered in PWK such as XSS/LFI/RCE/AV evasion, goes deeper with them, and then adds new topics such as SEH/Egghunter/ASLR/Encoding/Router hacking. The exploit modules cover arduous scenarios where exploitation is not obvious, or is even a nightmare, and which require multiple tricks and sorcery to get working. This is why it is very important to be well prepared before taking CTP, to avoid being hit too hard by the course, and to be able to follow it mostly fluently. Although there are web modules and one network module about Cisco routers, all of the others require you to live in a debugger. OllyDbg is the debugger used in the course, but I preferred to use Immunity instead, combined with the excellent mona module. I used Immunity for my CTP preparation, then for CTP itself, and finally for the OSCE exam.

Regarding the fact that some of the course is dated, I did not find it to be a problem at all. All modules are still very relevant. For instance, the AV evasion module applied as is will no longer bypass modern antivirus. However, with some custom modifications, it is still perfectly possible to evade even the best AV out there. Also, old tools such as msfpayload and msfencode are used, but nothing prevents you from using msfvenom instead (from Backtrack or from a secondary Kali VM, for instance). Of course doing so will sometimes require slight modifications to follow the course and make things work, and can add some headaches, but it is perfectly possible.

Finally, I see CTP as a very exciting course, often seen as "hard" (and somehow it is), but which, with enough preparation, is really fun to go through. I finished CTP in 5 weeks, as at the end of each module I did the given exercise multiple times, and I searched for similar exercises which I additionally did. Then, for my revision program, I used the remaining 3 weeks as below.

My pre-exam revision program:
- I took my time to go over the course again starting from scratch, and took any screenshots I was missing
- I did the exercises again until I felt really comfortable with them
- I did additional exercises
- I automated and scripted everything I could that I had not already automated while doing the course
- I did additional research on each topic to go further
- I tried to anticipate traps Offensive Security could throw at me in the exam

I spread my program over 3 weeks, so that I would not go over the course too fast, which allowed me to thoroughly work through the 9 topics. I wanted to be able to do any exercise from any topic as naturally as possible, to have more time during the exam to think about the problem and the solution, without losing time remembering how to proceed. I gathered my notes, screenshots and visual schemas, scripts, additional research exercises and links, and kept close to me a few "trick" scripts or pieces of code I had made in anticipation of traps I could foresee in the upcoming exam (with a little imagination, it is obvious Offsec will have some ambush waiting for you!). Once I felt really prepared, I booked the exam for January 6, 2016.



3. THE EXAM
___________________________________________________
The exam is a 48-hour marathon where you have to accomplish some tasks, and reach at least 75 points to pass. There are either "easier" tasks giving a low amount of points, or harder tasks which give double. Given the way the points are distributed over the tasks, you must get nearly all of them to pass.

That was to objectively describe the exam.

Now, to describe my experience: the exam is brutal. I was sometimes in total despair during the exam, and at multiple times I felt like I was getting nowhere and that it was lost... Before the exam I thought I would be so well prepared that I would overcome the easiest tasks easily and attack the hardest ones in a great mood, but the exam was much harder than I anticipated. No matter how prepared you are, the exam will be hard. If you are not prepared enough, and just followed the course without mastering what was taught, you will fail the exam. I have read some OSCE reviews arguing about whether everything needed to pass OSCE was in the course or not, and sometimes the answer I read was "yes and no". To elaborate a bit on this: yes, the exam's topics are directly from the course; however, to overcome the surprises encountered in the exam's challenges, external research helps a lot. In all cases, you can only succeed if you have mastered what you learned and are able to apply it creatively in unknown situations. I am aware that seems vague, but I cannot be more precise :-)

Now to be more specific about what happened. I started the exam on Wednesday at 10 AM. I had put so much pressure on my shoulders that I had been feeling sick since Tuesday, and I did not have the good night's sleep which is advised. Once I received the exam instructions and saw the challenges, I jumped on the "easiest" exercises as I thought I would be able to go over them quickly. Of course Offsec had put some obstacles in the way, and I found that I needed everything I had learned from the exam preparation to painfully get through these challenges. In 7 hours I was able to get them, but with only 30 points I was far from the required 75 points to pass. It put me in a great mood anyway, as I had not lost time on them, and I had plenty of remaining time to tackle the hardest ones. Of the two remaining challenges, by reading the instructions one seemed to me much more difficult, as it was about a subject I considered to be my weak spot (although I had practised it as much as I could). I decided to go for the other one first as I felt more comfortable with it. I quickly found the first step, but then it seemed like a dead end. I then went for a quick sleep of 5 hours, got up and resumed where I had left off. Sleeping is absolutely necessary; your brain cannot work efficiently without it, even with caffeine! Given that I was stuck, I looked at every possible angle I could see at that time to find another starting/entry point, but found none. So I had found the beginning of the exploitation, but then nothing worked; I was truly stuck... 6 hours after I started this challenge, I realised I was getting nowhere and decided to switch to the second challenge I had not yet tried. Unlike what I expected, I quickly found the first exploitation step. That highlights the fact that you should try every exercise, even if you think you will fail at it, as you could do better than you think.
However, here too I was then unable to find the following step; everything I had learnt and tried fell short...

At that point it was very hard to understand the situation. I had prepared as much as I could for the exam, I had done additional research and exercises, anticipated everything I could think of, had some nifty tricks and scripts under my belt to help me, but still the challenges were beyond my capabilities... That was the hardest moment, when you realise you are still not good enough to overcome the challenge.

Try Harder. Yes, trying harder is the only possible way; if you badly want the certification, it is not possible to give up. It is a good time to take a break, rest, drink a coffee, walk, why not take a shower. Then, I resumed the second challenge, and after some tries, I had an idea which led me to more research. Later on, I finally found something very interesting which happened to work! I was finally able to move forward and do the remainder of the challenge quickly, and got my score up to 60 points. I then moved back to the first challenge on which I had been stuck earlier, and resumed my efforts on it. To pass the exam the full 30 points were not needed; only half of them would be enough. However, as stuck as I was, I did not have enough points. It was still the second day after one night of sleep, and I was not behind on my timing, so I tried to relax and be creative. As I had no idea how to proceed, I wrote a draft of some possible paths to follow, without having a clear vision of the entire picture. I then went on testing these various paths, and although I had some failures, it progressively narrowed down the possibilities. At the end I was nearly sure of the technique to use to progress, but was still unable to exploit it! The feeling I had at that moment was like solving a Rubik's Cube, moving forward step by step, without being sure of reaching the end (disclaimer: I'm not good at Rubik's Cube!). Suddenly, out of nowhere, I had the best idea I had had in hours as to what the big picture was, how to progress, what it would lead to, and how it should give me a remote shell at the end. Of course it was still a theory, but it all became clear. Then it was just a matter of making it work, and although I never endured so much pain in an exam, I found one way to get it working. I had to use everything I knew, and learn some new knowledge in the process, but I got it.
When you get your remote shell on your last target, after so much suffering, tears and blood, you feel ecstatic!

At that point it was 37 hours after my exam started (23:00 or 11 PM), and although the method I used on the last exercise might not give me full points, even half of them would be OK. I was initially ready to go through this second night without sleeping, but as I had found the solution sooner, I chose instead to sleep another 5 hours rather than improve my solution to the last challenge. The next morning, I started to write my report, which ended up taking most of the day. It was longer than the OSCP report, as I had taken a lot of screenshots, and I had gone in many directions, made many mistakes and had many failures, and the path to every solution was not a straightforward step-by-step process. I finished and sent my report around 18:00 (6 PM).

I was then exhausted, but satisfied with the result. I kept my fingers crossed until I received the result the next Monday: an email from Offensive Security telling me I had successfully passed the exam and got the OSCE certification :-) I was lucky enough to pass it on the first try.



CONCLUSION
___________________________________________________
Going from OSCP to OSCE is definitely possible, even if you are not working in the offensive security field. It requires more work in that case, some perseverance, and a well constructed preparation. The CTP course should not be rushed, even if it is easy to go through it quickly by just following it (minus the few missing parts you have to figure out yourself). I personally found that taking the 2 months for the course was fine, while other reviews say that 1 month is enough. I think it really depends on your expertise level to begin with. For me, 5 weeks on CTP and 3 weeks for the revision and to prepare for the exam was perfect.

The exam is a monster of its own. Different strategies are possible, such as doing the hardest challenges first, getting most of the points, and ending with the easiest ones. That worked for me for OSCP, as I nearly did this by beginning with the challenge giving the most points. However, in the OSCE exam I would have been in total despair had I done it that way. Indeed, I would have been stuck on the hardest challenges with 0 points in my pocket, which would have been an unbearable path. It is easier to be stuck on something when at least you have got the other points and you are good on timing. That is my personal opinion though; I have read g0tm1lk's review where he apparently found the hardest challenges the easiest, and inversely for the easiest ones. In all cases, taking frequent breaks and resting is essential. While I prefer to work without any music as it distracts me, if you work better with it then go for it. Anything that puts you in a comfortable and productive state of mind can only help. The exam is unique in the way that you also learn a lot while doing it, as you need to improve your skills while doing the challenges.

I was able to obtain the OSCP and OSCE certifications in one year, including the 4 months of preparation for CTP. It was a full year dedicated to Offensive Security courses, and what I earned from them is above what I initially expected when starting PWK one year ago. CTP/OSCE is clearly for people who know how to learn by themselves, and who are highly motivated and dedicated. The CTP course is fun to follow, but the OSCE exam is traumatic! However, once you earn the coveted certification, it is an extremely rewarding moment, being a recognition of months of hard work.



The Cracking The Perimeter course and the OSCE exam are a wonderful experience that teaches you a lot. I wholeheartedly recommend them.

Thanks for reading.



6 comments:

  1. Thank you for the great review. Besides those reference links, did you use any reference books or any books you would recommend for bridging the gap between OSCP and OSCE? I have just earned my OSCP and am planning to take the CTP course this year.

    1. I did not really focus on books. However "Assembly Language Step-by-Step: Programming with Linux" is good as an assembly bible, from chapter 6 or 7 to the end. It is helpful while doing SLAE, or any other assembly learning program.

      Guillaume

  2. Thanks for sharing your OSCE review with us, it'll help a lot when we'll go for it :)

  3. Thanks for great review. Do those buffer overflow tricks exist in applications? If you could suggest some applications which contain some of those.

  4. Hello,

    Thanks for your review. I have a doubt, only by following your research with online stackoverflow courses and finding 0-day vulns could be enough to start directly to the start of CTP? I mean, do you believe you could achieve your way yourself to the CTP without the OSCP first?

    1. Hello,

      OSCP is mandatory; you are not allowed to subscribe to CTP/OSCE if you did not pass OSCP first.
