OSCE advice?

[ajohnson]

Well, like I said, after OSCP I took a hiatus to decompress. Time flies I guess.

How'd it go BTW? Did you write a review?

Totally understandable; I was just teasing

I'm way behind on a lot of reviews I want to write. The next 4-6 weeks are insane for me, so it'll be a bit longer still. I'll definitely post a link here when I have a chance to get to it though.

Suffice to say, it was both the most challenging and rewarding cert I've done.

Manual Shellcode: http://www.exploit-db.com/wp-content/themes/exploit/docs/17065.pdf

Bypassing Anti-Virus Scanners:
http://www.exploit-db.com/wp-content/themes/exploit/docs/17066.pdf

MaXe, how many shells do you have from all of us opening those Intern0t PDFs?

[Dark_Knight]

@DK: I assume you're not sending the shellcode because it doesn't make it there. Otherwise, that would be your first problem

You haven't got all the bad characters out, and even after that, you're not jumping back far enough. You'll currently land in the middle of the shellcode once you correct the characters.

x = ''
for i in range(0, 256):
    x += "\\x%02x" % i
print x

will give you a list of all 256 hex bytes. To start, use that as your shellcode and just keep sending longer and longer lines until it doesn't work, and then strip out a character. I put a break point at the beginning of your jump back and then compared the bytes that were present with what I sent. You could also automate that with pydbg if you're feeling ambitious. There's an example in the courseware.

I seem to be missing something as it relates to jumping back into the stack. Currently I am jumping back approx. 512 bytes. I tried jumping back further but then I jump out of my allocated buffer.

Any help as it relates to jumping back?? Thats where I am having the problem..

[MaXe]

Hm, maybe you just need to visit the forum more frequently; it said GCIA for about the last six weeks.

I put a very intense 4-6 months into the OSCE, so it's not like I just breezed through it.

Well, like I said, after OSCP I took a hiatus to decompress. Time flies I guess.

How'd it go BTW? Did you write a review?

No, but I did:
https://forum.intern0t.org/blogs/maxe/95-cracking-perimeter-part-1.html

https://forum.intern0t.org/blogs/maxe/101-cracking-perimeter-part-2.html
https://forum.intern0t.org/blogs/maxe/108-cracking-perimeter-part-3.html
https://forum.intern0t.org/blogs/maxe/111-cracking-perimeter-part-4.html

Manual Shellcode: http://www.exploit-db.com/wp-content/themes/exploit/docs/17065.pdf

Bypassing Anti-Virus Scanners:
http://www.exploit-db.com/wp-content/themes/exploit/docs/17066.pdf

MaXe, how many shells do you have from all of us opening those Intern0t PDFs?

A couple of thousand, people that appreciated reading them :-) I don't put bad stuff in my papers, code, pocs, etc.
(Some of them may have very basic anti script kiddie measures, but it's as simple as finding the field where I wrote: you have to uncomment this line or the script won't work.)

[ajohnson]

I seem to be missing something as it relates to jumping back into the stack. Currently I am jumping back approx. 512 bytes. I tried jumping back further but then I jump out of my allocated buffer.

Any help as it relates to jumping back?? Thats where I am having the problem..

I put a break point at the beginning of the piece that jumps back and then stepped through it. After it actually made the jump, I was in the middle of the shellcode I used after all the Bs. This is how I went about it with what you already had, so maybe we're going about it in a different manner?

Code:

expl = "\x41" * 1271 + "\x42" * (517-len(shell_reverse_tcp)) + shell_reverse_tcp + jmp_esp + "\x90" * 50 + jmp_back + "\x90" * 361

I'd just start your jmp_back code with a break point, step through it, and see where you end up. I'm also on a different SP as I had to change the jmp esp value, so maybe there are other variables in play. When in doubt, break and step.

A couple of thousand, people that appreciated reading them :-) I don't put bad stuff in my papers, code, pocs, etc.
(Some of them may have very basic anti script kiddie measures, but it's as simple as finding the field where I wrote: you have to uncomment this line or the script won't work.)

Yea, they're great. I definitely referred to the AV bypass one as I was going through the course.

[H1t M0nk3y]

MaXe and ajohnson, you are both gold mines!!!

Now I have a ton of things to read and practice. 

BTW, do you guys know where I can get a WinXP VM that I can use in my lab? I am running a AMD64 Linux machine at home...

Thx

[UNIX]

You could try these ones:
http://www.microsoft.com/en-us/download/details.aspx?id=11575

[H1t M0nk3y]

You could try these ones:
http://www.microsoft.com/en-us/download/details.aspx?id=11575

Great thanks UNIX! You too (and many more here) are a gold mine!!  

I have also found this http://www.mydigitallife.info/how-to-convert-and-import-vhd-to-vmdk-vmware/ to convert these VHD to VMWare VMDK format.

Update: The last step: http://hacktolive.org/wiki/Using_VMware_images_%28.vmdk_files%29

[DragonGorge]

No, but I did:
https://forum.intern0t.org/blogs/maxe/95-cracking-perimeter-part-1.html

First off...I had to read the beginning of your review/blog twice...you took OSCE not having taken the OSCP?!?!  Whoa! I have to give you the Wayne's World "We're not worthy" bow.

Great review. One thing I noticed was that the writing in the beginning differed from the end which seemed much more frenetic - I attributed it to an abuse of Red Bull that Offsec seems to demand. Could also be all those exploded brain cells from the class/exam.

Also, noticed the line "I passed and nothing could ruin my mood. Ex was whining, angry customers, and heaps more bad stuff going on...." Earlier you wrote "my girlfriend understood me...." Couldn't help but wonder if the "ex" status was attributable to the OSCE. I know my SO was more than fed up by the end of the OSCP.

Again, great review.

[MaXe]

Indeed I did DragonGorge, and it was also my first course and certification I had ever taken, plus I don't have any lengthy education, or for that sake, a long history of relevant business experience. (Of course, as I am a community guy, I've been in the hacking world for a long time.)

Yea, during the course and the certification it became increasingly harder, hence the reason the writing style changed to display my frustration  
I'd say it's exploded brain cells, it was nice to be in several scenarios where you have to think outside the box and come up with clever solutions  

Well, in the beginning she said she understood I had to study most evenings where I could be at her place 10pm or so. After a couple of weeks the whining began, but during the actual exam I had specifically told no whining as I will lose concentration completely, she respected that and I am glad she did.

Afterwards though, she began to whine again but that day when I got the email, nothing could as previously said, ruin my mood. Passing a certification is just a great feeling when it's been a long and hard journey.

The reason she became my ex, was not related to OSCE, even though it could've been a cool story   "The only certification that will make your wife or girlfriend leave you" xD (I broke up with her, as I realised I now had OSCE and didn't need a girlfriend, jk, it was for other personal reasons   In short, she was bad for me (I know that most women complain about a lot of things (because it's socially accepted in most cultures), but this one was over level 9000), but it's the kind of bad that feels a little good hehe )

Thanks for the feedback / response, I enjoyed writing it :-)

[cd1zz]

@H1t M0nk3y

OSCE is hard. Best advice I can give looking back is to simply practice. I used to go to exploit db, pull down exploits, strip out all the stuff in the middle and start with a simple crash. From there, rebuild the exploit. If you do that 100 times, you're in good shape

The course material is merely supplemental to what's needed for the exam, assuming you have no experience prior. Go for it though, even if you fail, keep going because it's really really good stuff. You'll eventually get it.

[hayabusa]

@H1t M0nk3y

OSCE is hard. Best advice I can give looking back is to simply practice. I used to go to exploit db, pull down exploits, strip out all the stuff in the middle and start with a simple crash. From there, rebuild the exploit. If you do that 100 times, you're in good shape

The course material is merely supplemental to what's needed for the exam, assuming you have no experience prior. Go for it though, even if you fail, keep going because it's really really good stuff. You'll eventually get it.

Great advice, there.  Sums it all up, nicely.  Even IF you fail the first time (MOST but not all of us did), it opens your eyes, and you'll definitely nail it on a second go, because you'll be confident.  But if you follow cd1zz, ajohnson and MaXe's advice, you'll do well.

[H1t M0nk3y]

Thank you all for these great advice.

I have a pretty good idea now about what to do for exploit development. But what about the web apps and the network sections? Any advice on these two topics?

[UNIX]

The sections about web application and network security are rather short, as the focus of the CTP course lies within application security. Being a web developer you already have a good background, so I'd just recommend to play around with some of the many available vulnerable VMs, if you want some further practice. If you haven't already read it, I'd also recommend The Web Application Hacker's Handbook in order to get a good overview on the subject.

In terms of the network security section, you could look into something like GNS3.