My Cracking the Perimeter (CTP) Offensive Security Certified Expert (OSCE) Experience

I can finally confirm that after my ***redacted*** attempt I have passed the OSCE exam from Offensive Security.

This entry will cover some of my experience and review of the Offensive Security Cracking The Perimeter (CTP) course and reflections on that time. I won’t go into the nitty gritty of the course material as that has been covered well in many other write-ups. Before I begin, I’ll give a general background of how I came into this sadistic world of penetration testing. I received my OSCP in 2014; I am not a pentester by trade.

I think at first I liked the allure of offensive security; I was curious, how do these guys really do it? The subtle knowing you get, like being in on an ‘inside’ joke among friends. That is what brought me here first. But I stayed, persevering through late night and early morning sessions, obsessive reading and research covering tangential topics too many to name, and rage quitting time and time again. Along the way, I became addicted to the challenge, solving the puzzles, gathering the evidence, putting the pieces all together and then shouting in victory (very audibly sometimes) when I collected another shell. The Cracking the Perimeter course just seemed like the natural next step after OSCP.

The course itself is presented a bit differently than OSCP. You receive lab machines (they appeared dedicated, I never needed to revert), videos and a PDF booklet covering a range of topics or modules. Working through each module was a fun and breezy experience the first time around. The core topics were:

  • Anti-virus Evasion via Backdooring PE files
  • Web application exploitation
  • ASLR Evasion
  • Egghunters
  • Manual Shell Code Encoding
  • Techniques for detecting and avoiding bad characters
  • Structured Exception Handling
  • Exploit Design from Fuzzing to Zero Day

Those general topics were covered through the modules in considerable depth but not maximum depth; there is plenty of room for diving deeper on your own. Each module built on the previous to expand the tool set and knowledge behind identifying and writing exploits. This included becoming more than just casually familiar with debuggers such as Olly or Immunity. This included shell coding, oh yes, lots of shell code. The coursework does well to ease you into those things gradually so that by the end you are considerably more proficient than when you began.

So I finished the coursework in less than 30 days, truthfully much less, closer to 3 weeks without pushing myself to spend long hours on it. The hardest parts were the later modules. Then I did it again, seems easy enough right? I’m ready for the exam right? WRONG! The course “technically” gives you the tools to pass but it is this author’s opinion that, unless you have a lot of previous exposure to this material, I just don’t think you can pass the exam without diving in even deeper.

What did I do outside of the CTP coursework that positively helped me?

This effort was hugely important for me. Having an understanding of even only 50 ASM commands opened new doors for me in my learning. It is a powerful thing to know you don’t have to necessarily rely on pre-baked metasploit payloads to carry out an attack. I went through this after I did the coursework, then I re-did the coursework with completely new perspective. If I had to do it again, I would do it in this order again.

PRO TIP: Shave hours off the intro to x86 Assembly training time by watching on YouTube at 1.25x-1.5x speed.

This was somewhat a parallel effort to my CTP study. Some co-workers and I decided we wanted to do better on CTFs so we committed to working through this material. I didn’t plan for it to happen like this but the timing was right and it just so happened to boost my understanding and performance in CTP. Coincidentally it also includes the recommendation to follow the open security training above. Some of the material wasn’t new but there were plenty of things that were. The most helpful were the Reversing and Exploitation chapters. During this time I took a major detour and started getting into IDA, as well as Hopper (http://www.hopperapp.com) for Linux. I’ll say that I’m still a huge n00b with these tools but again, it opened new doors for understanding and provided new tools for the tool box. YMMV, but I found that course work very helpful in general.

These are referenced everywhere you look on the web, and for good reason. They are thorough in their explanations and the examples are great practice to pair with the topics covered in CTP. The tutorials go even beyond CTP topics so I didn’t overload my brain too much by going too deep into DEP and ROP etc. Take what is useful and leave what isn’t for a later time.

There are of course many other references I can list here but those are the ones most influential to me. I do have to give a nod to another OSCE, http://www.securitysift.com/, who put together many good write-ups diving into and around the topics covered in the course.

So obviously that’s all a ton of material right? How long did it take you?

Well, I’ll be honest, this process (OSCE) started in the beginning of 2015. I had to spend some company training funds before year end in 2014 so I registered for CTP. I really didn’t have the time to give the focus that it needed as I was taking Master Classes at the same time. As a result I went through the labs and never sat for the exam as it coincided with paper and finals. I put it down until probably Q4 2015, when I was free of other distractions and I dove in again. From that point onward it was my primary objective and I spent a lot of time working through the additional materials and working the labs 2 and 3 times again to ensure I really got all the nuances of what was being explained and done and why. I developed some templates and scripts to help in some tasks such as fuzzing. So all those activities combined, I’d say I invested multiple hundreds of hours into my study and preparation, easily comparable to the lab time spent in PWK course, but I think it actually exceeded it. YMMV, like I said earlier, some people are just savants with this stuff, some people have had assembly training before, and some people exploit every day already.

But What about the Exam? Tell us about the OSCE Exam!

What a painful, exhausting and utterly gratifying journey it was culminating in that evil evil beast of an exam.

The 48-hour time limit is more there as a benchmark for how utterly weak and unprepared you are, than it is an actual barrier to passing. Many people that do this for a living, or just have “the gift” can skate through the exam without issue; I am not one of them.

The rumors are true; this exam crushes all your hopes and dreams. 48 hours! It is like a warning sign to anyone on the fence that says don’t even bother trying! Well I wouldn’t go that far, if you already went through the labs and paid for the course, absolutely try the exam. It will sort out quickly what you know and what you think you know. A very important distinction indeed! You will learn much and more on the exam. It is similar to the OSCP challenge in that there is a set of objectives with point values associated. My advice would be to pick the challenge you feel strongest with regardless of point value and knock it (them) out first. This will get your mind moving in a positive direction. Absolutely take snapshots as you go so you don’t have to do it all again when you are tired and writing the report. Sleep, you must sleep. Eat, you must eat. Have a plan for when you want to rage quit, for me it was video games. I’d jump into a quick 15-20 minute game, just long enough to take my brain off of the exam. Maybe it is a walk, exercise, family time, whatever it is, when the rage is rising, take a break.

When a particular technique/exploit/whatever isn’t working do three things:

  • Meticulously check that you haven’t fat fingered something. I wasted multiple hours because I stupidly was sending a payload to the wrong host! Yes, seriously, I’m that stupid. Oh yeah, and the classic extra ‘\’ in your byte code à la \x41\\x41\x41\x41. That messed me up more than once. Oh yeah, and the debugging breakpoint \xCC in your code, make sure to take that out or replace it with a NOP if you ever expect a shell. I could go on and on, but minimize or learn to find these mistakes quickly.
  • If you are trying the same thing(s) over and over without success, maybe just maybe, that isn’t the way to victory. Think about what you tried, why it may be failing, what else could you try. Things aren’t always as they seem!
  • Try. Fail. Try Hard. Fail. TRY HARDER ®. Victory! 

Of course I can’t give out any more details about it. As far as passing or failing the exam, it’s not the end of the world if you don’t pass it! If you are committed to the cause, regroup and retry until you pass. It will feel good knowing you persevered and it’s a credential no one can take away from you.

Final Words

Is it worth it?

For me, if you can’t tell already, it’s a no-brainer. The value of this course is tremendous.

Isn’t the CTP course old?

YES BUT… As far as the content itself, ASLR and SEH mitigations have been around since the XP days, 2009 or before. But so what, they still exist today. Are there newer more advanced mitigations now? Absolutely, but this course readies you to transition smoothly into the topics of DEP, ROP, stack canaries and beyond. The old saying you must walk before you run comes to mind. The concepts and material are still highly relevant and of course the exploit development process itself is unchanged. AV evasion techniques still work just as well today.

The course is based off of toolsets in BackTrack 5. I was able to, without much/any modification, complete the labs and the exam on Kali 2.0.

Do you feel like an expert now?

It’s all relative. The more you know the more you realize you don’t know. It is very easy to get trapped in that thought process and forever feel inferior because you don’t know it all or as much as this hacker or that researcher. That’s all well and good but the point is I have a lifetime of learning ahead and this is just as much the beginning of a new chapter as it is the end of an old one.

Thank You

First and foremost, taking this course and passing the exam meant sacrifice. I sacrificed time with friends and family. I skipped social events and even missed work sometimes. Through it all my wife was supportive and stood by me, making sure I had my favorite foods stocked for the exam, tolerating long absences from the living room and weeks without date night. So thank you for that.

Second, the friendly folks in the IRC #offsec channel, who were always willing to talk me off the ledge or provide advice and encouragement.

Finally, I need to thank the Offensive Security team. The preparation and delivery of the Cracking the Perimeter course is just astounding on many levels. They succeeded again, in pushing me well out of my comfort zone on a daily basis. They were always extremely professional and punctual in delivery of course communications and support. I can honestly say this was a learning experience that has far exceeded any formal classroom setting I’ve ever been in.