Monday, 19 June 2017

Offensive Security OSCE (CTP) Review

Intro

I thought a long time about writing one of these reviews - there are so many good write-ups out there for both the OSCE and the OSCP and I wasn't sure I had much to add.

I remembered, though, that before signing up and while doing the course I read as many of these reviews as I could, both for some inspiration and some motivation. What follows then is my review of the Offensive Security Cracking the Perimeter (CTP) course.

Signing Up

In order to sign up for the course, you need to complete a preliminary challenge. This is located at http://fc4.me/

This challenge involves some very basic code review and debugging skills that are necessary in order to dive into the course material. The CTP course is not a "beginner" course and this challenge is a good way of gauging whether you have the requisite knowledge to begin the course.

The Labs

This is where the fun begins. You receive a package with the materials required to connect to the labs as well as some videos and a course guide. I won't go into detail regarding what the course covers, the syllabus is available here: https://www.offensive-security.com/documentation/cracking-the-perimiter-syllabus.pdf - I highly recommend taking a look at it before starting the course.

The lab materials started off gently with some web exploitation techniques and worked their way up to full exploit development.

The course material is very interesting, especially compared to the OSCP material, as it requires some "unpacking" by students taking the course.

I spent a few weeks going through the course materials and at first, I thought "this isn't so bad" - in other words the material didn't seem to be very intense. I was wrong.

In many of the reviews of the CTP that you read, you often find students talking about how independent study and research is required in order to pass the course, and I found this to be very true.

Going through each of the modules, you might feel a certain comfort level, but do not get lulled into a false sense of security. Only when you go through each module in detail and begin unpacking exactly what is being shown do you realize how dense each module is and how much you have to learn. You really have to pay close attention to every line of code and every instruction to truly understand what is being taught.

Going back to the earlier point about independent research - originally I had taken this to mean practicing what you learned in the labs on other known vulnerable software; perhaps recreating exploits found on exploit-db. I don't think this is bad advice, however, it led me down a path of confusion and doubt. I wasn't sure that I would choose the right level of exploitability or difficulty so I took a slightly different approach.

In each of the modules I first followed the exercises to the letter and then once I understood what was going on I went back and "made them my own." By this I mean I swapped the shellcode, changed certain instructions, used various techniques to jump to my code etc. I found that I learned a ton through this method. I would not have been successful in passing the exam if I had not done this.

The Exam

After spending a few months in the labs I was feeling fairly confident going into the exam. I knew the material well but I had no idea what to expect for the exam. As soon as the package came in I was feeling a little overwhelmed and began doubting myself. For two days straight I hammered away at the various exercises and got nowhere. I failed the first attempt.

In Between Exam Attempts

I took a few weeks between exam attempts to go over the lab material again and gain some confidence. I also practiced a little on vulnserver.exe. I didn't really learn anything groundbreaking or new during this time, but going through the material again helped me get some confidence back, because I knew that I didn't fail the first exam due to lack of knowledge.

Exam Attempt Two

Going into the second exam attempt, I knew I had to have more confidence in myself and to not get overwhelmed. I knew the material well and had put a lot of time and effort into studying. This time around, the exam went much more smoothly. I had a few targets down after 12 hours and after a quick nap I had the last of the targets down. I read and re-read the documentation instructions again, put together a report and sent my materials in and received my passing email shortly thereafter.

My Advice to You

If you happen to be reading this, you're probably either already taking or are thinking about taking the CTP course. Here are some tips I wish I would have had at this stage.

- Believe in yourself. I know this one seems silly but self-doubt will get you nowhere in this course. Everything you need to pass the exam is in the course materials and if you put in the time and effort required to study and understand them, then you are well equipped to pass the course.

- Do not get overwhelmed. This is where I went wrong during my first exam attempt. The exam is forty-eight hours for a reason. You have plenty of time. Think about what you are doing, take your time, take breaks, take care of yourself.

- Understand what is going on in the lab exercises. Really dissect them all and take them apart. They may seem shorter than the ones found in the OSCP lab materials, but they are very dense. Make sure you understand every command used and why it's there.

- Make the lab exercises your own. I alluded to this earlier but I cannot stress enough how much this helped me. If a lab exercise uses a certain JMP ESP or POP POP RET instruction, go and find your own. If it uses a long jump, try to use an egghunter. If it uses a bind shell, try to use a reverse shell instead. If something you do breaks your exploit, figure out why and get it to work. This is a great way to learn the materials and perform your own independent research.

- Read every forum post. When you sign up for the course you will get access to the offsec OSCE forums. There is a lot of information here, some of the posts are older but do not let that deter you. Most of the challenges you are having were shared by other students taking the course, so this is a great place to start.

- Take really good notes. Take note of everything you tried, even if it doesn't work. There are lots of note-taking apps. OneNote worked well for me during my OSCP and OSCE. If you come across something interesting in your googling, highlight it and clip it to OneNote; you never know when it will come in handy.

- Do not get discouraged. Often during the course things will not work and you will get stuck. Do not get discouraged by this. If you didn't get stuck at any point that would mean you are either a genius or this course is too easy. If it's the former then congratulations :) The latter is the desired result; this course is meant to be hard, getting stuck is okay; you'll figure it out and will feel great when you do.

- Make the time. This is a very time consuming course. To give you an estimate, during my first months I would spend about 4-5 hours per weekday in the labs and about 8 hours a day on the weekends. This tapered off towards the end of the course but was still a very significant time investment.

- Enjoy. This is completely cliche, but enjoy the course and the labs. The course materials are put together by experts through first hand, hands-on experience during their penetration tests. How cool is that?

Me

I read many reviews of both the OSCE and OSCP and what I felt was personally lacking was some information about the person's background. Some of the reviews I looked at - mainly harmj0y's (http://www.harmj0y.net/blog/uncategorized/cracking-the-perimeter-ctp-and-osce-review/) and OJ's (http://buffered.io/posts/osce-and-me/) - left me thinking: of course these guys can do it, they're best-in-class security pros. Indeed they are, but you don't need to be a harmj0y or OJ to pass the course.

I'm hoping that by giving you a little bit of detail about my background that it will add some comfort and confidence that you too could take the course.

At the point of taking the CTP course, I had been in the security industry for about 5 years. I started out in a service / help desk role and worked my way into an information security role. At the time, I mostly did administrative work like access reviews, preparing for audits, helping project teams understand our security policy and the like. I did not get into the technical bits of security, but I was sure craving it, especially after seeing our first penetration test. I wanted to understand what was going on.

In late 2015 I signed up for the PWK/OSCP course. Before this, I hadn't done any hands-on sysadmin work or technical security work. I had completed a 3-year technical IT college diploma and I loved to tinker with computers but my IT-related background was very thin. After college I did a Bachelor's and Master's in History - far, far away from the computer world.

I did a ton of reading and prep work prior to starting my OSCP and spent three months in the labs soaking up all the knowledge I could. I passed the exam on the first try, exploiting every target on the exam. A very proud moment for me.

After my OSCP I transitioned to a more technical security role and spent the next year and a bit diving into the more technical aspects of security. I built up the SIEM and Vulnerability Management systems at work and did basic ad-hoc penetration tests and poked at some web applications. It was at this point that I decided to sign up for the CTP course.

I consider myself a security noob and every day I find a new thing to dig into or an exploitation technique that I didn't know existed. My point here is that if you think that you don't have enough knowledge or a strong enough background to start the CTP or PWK, then you might be mistaken. Sure if you don't have a good grasp of the basics, get those under your belt first, but do not be discouraged. If a noob like me can do it, so can you.

Resources

The following is a dump of links I found extremely helpful during the course. It is non-exhaustive.

https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/
A classic and in-depth tutorial on exploit development. A must read.

http://fuzzysecurity.com/tutorials.html
Very good tutorials on exploit development. Also a must read.

http://www.securitysift.com
Great tutorials and write-ups here; also a great OSCE review found here.

https://www.exploit-db.com/shellcode/
A good database of shellcode; you can take a look at some of the assembly required for various shellcode types.

http://buffered.io
OJ's blog - a good OSCE review found here, as well as some helpful tips for jumping around shellcode and shellcode encoding.

http://thestarman.pcministry.com/asm/2bytejumps.htm
A reference for jump instructions in assembly, very helpful.

http://www.asciitohex.com/
A simple ASCII to HEX or HEX to ASCII converter.

Good write-up of some tips for using OllyDbg.

https://github.com/mgeeky/expdevBadChars
Useful script for finding bad characters during exploit development.

Good write-up of using the SPIKE fuzzer.

http://blog.knapsy.com/blog/2017/05/01/quickzip-4-dot-60-win7-x64-seh-overflow-egghunter-with-custom-encoder/
Really good write-up of an exploit in QuickZIP. Many useful tidbits here.

A good converter, especially for endian format.

Good write-up of backdooring an executable file.

Nice overview of some LFI vulnerabilities.

Another overview of LFI vulnerabilities.

https://defuse.ca/online-x86-assembler.htm#disassembly2
Online assembler / disassembler - I used this so many times; paste some shellcode into the disassemble box and it will spit out a copy-and-pasteable Python-friendly format.

Tons of good stuff here; the CTP write-ups are great.

Very good cheat-sheets found here.

Good write-ups on exploiting vulnserver.