After the OSCP exam, I promised myself that I was done with the suffering… I broke, and ended up on the Offensive Security Cracking The Perimiter (CTP) course to take things to the next level. The course is heavily debugger and assembly based, with a few web based modules and an interesting networking module. Before starting the course, I prepared by reading through the various tutorials on Corelan.be, taking the SecurityTube Linux Assembly Expert and Windows Explotation Megaprimer course, and making good headway into The Shellcoder’s Handbook. I didn’t find the course mind bending, however it was definitely difficult, and I did need to rework and practice one of the modules in particular a few times before I felt that I’d fully “got it”. I also found the tutorials at FuzzySecurity to be helpful in preparation.
OSCE
You are required to pass a challenge before even being able to pay and complete registration for the CTP course. The challenge gives a nice taste of what is to come in the course, with a series of steps required to crack it starting at obvious and finishing with something more interesting.
After the prep, I signed up for CTP lab access. I used about 20 days of lab time and then took a week after to practice for about 4h each evening before taking the exam.
While on the PWB/OSCP course and labs, completing all lab machines in multiple ways should put you in good shape for the exam, I didn’t find this to be the case on CTP/OSCE. After completing the CTP labs, I worked on a tool with another student to automate certain techniques that we’d learned in the labs. I also went ahead and re-read a lot of the exploitation tutorials on Corelan.be and manually produced several different exploits from scratch including the Ken Ward Zipper exploit and the Quickzip exploit, right from fuzz to shell. I’m glad that I put in this extra work, because I doubt I would have passed the exam in time without it.
On to the exam, I passed first time! It’s a 48 hour challenge, with 24 hours after to send in the documentation. Like the course, the exam itself is not mind bending, but it’s difficult, and it requires a mastery of the techniques presented in the lab. Just following through and understanding the exercises isn’t enough, practice is essential for this exam. Without that practice and confidence it’ll be too much fumbling and not enough time. I managed to clear all challenges in about 26 hours with a 6 hour sleep break in between. Just like the OSCP, make sure to read the instructions thoroughly rather than heading straight in. I didn’t (again), and I missed an obvious pointer in the instructions for one of the challenges and wasted a few hours banging my head against the monitor and losing confidence over something I hadn’t realized that I’d already completed successfully.
In preparation for the exam, it’s also an idea to have templates for exercises completed in the labs ready for modification, enough Python to manipulate and send payloads, and enough BASH expertise beyond OSCP level, to manipulate text streams and handle shell code generation on the command line. I had pre-written shell scripts and one liners that manipulated files, converted between hexdump and ‘\xbyte’ representations, ndisasm output to shellcode, and so on. The obvious advice for the exam is to take regular short breaks and have a decent night’s sleep before starting.
I found the course to be highly enjoyable, clear, and well presented. Another winner from Offensive Security at a very reasonable price. Will I take AWE in future? I’m not sure, maybe, probably..