Offensive Security CTP course and OSCE exam review

I finally found some time to write about my experience with the Offensive Security Cracking the Perimeter (CTP) course and the OSCE exam. A lot has already been written about the intensity, brutality and sheer ruthlessness of the 48-hour exam on the interwebz. It will thus come as no surpise to personally testify to the above. It is indeed very challenging and will require good preparation, focus and creativity to solve all challenges. But let’s first talk about the course.

Course

In contrast to PWK/OSCP which is breadth-first, covering a large variety of penetration testing topics, CTP is depth-first and focuses on exploitation. You will learn how to create an exploit from scratch: fuzzing, debugging, AV bypassing, some techniques to bypass ASLR and manual shellcode encoding. Yes, OSCP taught the basics of buffer overflows but with OSCE you will get a much better grasp of what entails writing a 0day - after all you will have to write one from scratch for the exam!

Some people complain about the course being outdated, to whom I will rephrase what g0tmilk very eloquently says in his blog post. How do you expect to learn about heap spraying or bypassing CFI and a ton of other modern protections which often require creating a long exploit chain to reach RCE, when you can’t navigate your way around a debugger or know what an egghunter does? If you already know these, then perhaps consider registering for Advanced Windows Exploitation directly or just start writing 0days.

Unlike, OSCP, in OSCE you can’t have extra points from the lab report, and the scoring is less forgiving in the sense that you can possibly omit to complete only one of the simpler challenges without failing. So better get well prepared and fully understand all the lab exercises - especially the shellcode-related ones. To accomplish that, ideally you will not only replicate them but also make your own variations of them. Following them as is shouldn’t be that hard, although there are a couple tricky parts, but you will reap most of the learning benefits and rewards if you make changes in their requirements. For example, a really good learning exercise is to try imposing limitations on yourself (from shellcode space, to type of return shell). Another thing I should mention is that although the course was built with BackTrack, I completed both the lab and the exam using a current version of Kali Linux without any trouble (YMMV).

Practice your own variations of the lab exercises with extra limitations.

In the course, they give you access to a few virtual machines where you can practice all the material and conduct the exercises. For me personally, the CTP lab was not as exciting as the PWK/OSCP one, mostly because it didn’t have a capture-the-flag style that I so got used to while tackling the PWK lab. Regardless though, the nature of the course is such that it makes more sense from an educational perspective to have complete access to your own VMs so that you can practice with using debuggers and writing exploits. On that note, I would also recommend setting up your own little lab on your home network where you can practice some of the techniques. There are ample resources out there to help you while (or before) tackling the course. I highly recommend going at least through the Windows Exploit Development series of Security Sift and then studying the relevant material from Corelan and FuzzySecurity.

Exam

Now let’s talk about the exam. You have 48-hours to solve 4 boxes and due to how the score is allocated, you can only omit solving one of the easier ones to get a passing score. Then you have an extra day to submit the report. Like the OSCP exam, you are given VPN access to a private network where your targets and debugging machines reside.

I scheduled the exam to start on Friday noon - the reason being that I wanted to have gotten as much sleep as possible the previous day and also to have enough time to work out in the morning to start the blood and adrenaline pumping. I can’t stress enough how important it is to have a clear mind and mental fortitude in the 2 days of the exam. It is very common to get stuck in these challenges and go down rabbit holes, so start the exam with a good rest, make sure you take enough breaks and fresh air, pace yourself, eat healthy and always try harder. The OSCP mantra still holds strong.

Having already completed the PWK/OSCP lab definitely helped with some of the exam challenges. The difficulty level is higher though and all attacks are more advanced. But nothing compares to what comes next:

Then the beast made its appearance. The hardest challenge of all: You have to do everything from step 0. Discover the vulnerability, bypass potential protections and limitations and write the custom exploit that pops up the remote shell. The hardest part of all is to do it with the given constraints - and that is why you should heed my advice and practice variations of the lab exercises by placing limitations on yourself. Solving this challenge will require a lot of - wait for it - out of the box thinking. However, keep in mind that there is rarely only one way to reach your goal. If you are creative enough, you might find very interesting shortcuts! In this challenge, I think I was lucky because I apparently found the bug relatively fast. I then spent a lot of time playing around with bypassing the imposed constraints - arguably the most challenging part of the exam but also the one that leaves the most room for taking advantage of your imagination and creativity. As expected, I spent most of my exam time trying to fight this beast. But eventually I won with still ample time before the end of the exam (which I wasn’t expecting!). I used that time to start writing the report so I didn’t have to spend the third day - which I obviously used to mostly relax and sleep after what was a mentally exhausting weekend.

By the time I submitted the report I knew I had passed, because I successfully exploited all the machines but I still couldn’t help but have a tiny bit of lingering stress until I had gotten that reply from offsec verifying the passing results. I finally got the much-anticipated email that I passed on Monday, a day after I submitted the report. No words could describe my exhilaration!

OSCE cert

Conclusion

All in all, the experience was paradoxically much smoother than the OSCP exam for me, but I think it was mainly because I had gone through the rite of passage which is the OSCP exam. I was thus much better mentally and physically trained to withstand the brutality of this exam. Do not underestimate it at all, if you read this. On the contrary, do your best to prepare and practice as much as you can beforehand. The course as well as the exam is well worth the cost, time and effort.