You might have noticed that I have been posting articles on Windows binary exploitation recently, and yes, I took the Cracking the Perimeter (CTP) course and was preparing for my OSCE certification exam. I have just received the confirmation email from Offsec telling me that I have acquired my Offensive Security Certified Expert (OSCE) certification.

As usual, I am going to write another review, this time on my OSCE journey.

### Background

My initial plan was to dive into web security and try the Advanced Web Attacks and Exploitation (AWAE) course; besides, Offsec was offering a special discount at that time, selling AWAE with one month of lab access at \$999. Another thing is that I was not familiar with binary exploitation at that point. However, one of my friends asked me to take CTP with him. My initial thought was simple: “Since I don’t know much about binary exploitation, CTP would be more challenging, and I might gain more from this course compared to AWAE.” So I just joined him and enrolled in the CTP course. To register for the CTP course, there is a qualifying challenge for you to complete here. I simply had no idea how to solve it. So I turned to Google and found an automated script which helped me solve that challenge. (I don’t recommend you do so, and I won’t put links here.) But anyway, I was enrolled in the CTP course successfully.

### Preparation

This is another sad story. I went back to China during my one month of lab time, and my laptop’s graphics card broke, so I had to send it back to the factory to get it repaired (luckily it was still under warranty). By the time I got back to Singapore and connected to the lab, I had only three days left. Obviously I was not able to practice every exercise in the course. Here is what I did:

• Go straight to the last module, on GRE sniffing, and play around with the pre-configured lab environment. Based on the course material, I thought that would be the hardest environment to replicate on my own laptop.

• Quickly go through the previous modules and note down the software versions, so that I could practice the exercises in my own environment. Luckily most of the software can be found online. The HP NNM resources turned out to be the hardest to find, and I only managed to get a similar version, which was sufficient for me to practice with. (Don’t ask me for it.)

• I didn’t touch the modules on web applications, because based on the course material, I was confident that I would not have any problems with that.

So now the only challenge for me was: how do I learn binary exploitation from 0, or 0.1? (Remember that I couldn’t even solve the entry-level challenge for the registration?)

What made the situation worse was that the new school semester started, and I got busy with six school modules and one teaching assistant job.

One of the modules I took at school that semester was Computer Security, where I got to learn some binary exploitation tricks like return-to-shellcode and ROP, and it did help a little with my OSCE journey. (OSCE does not involve ROP, but it is still good to know, especially if you can gain a deeper understanding of code execution in different contexts while tracing some complex exploitation technique, which I will mention later.)

As the Covid-19 situation was getting worse and worse, my school was also constantly revising the semester schedule, which eventually clashed with my OSCE exam (and I had not prepared for it at all). So I wrote to Offsec stating my concern and asking for an extension of the OSCE scheduling deadline. Offsec generously gave me one more month. (I asked for two weeks.)

This gave me one full month of preparation, which is more than enough.

There are A LOT of supplementary materials online, and you may or may not find these useful:

I didn’t read all the materials mentioned in the above link. Instead, I adopted a recursive learning style: start from a post that is totally fresh to me, read it, encounter something A that I don’t understand, google it, find a post B explaining A, read it, encounter something C that I don’t understand, google it, find a post D explaining C, read it, encounter something E that I don’t understand ……

And that would explain why I ended up with 70+ tabs in my browser:

Soon I realized that reading by itself wouldn’t help much, so I decided to take notes on what I had learned, and that is how I came up with this post: Writing win32 shellcode

I actually spent more than 70 percent of my preparation time writing various shellcode, and I only started to practice the famous vulnserver three days before the actual OSCE exam. Surprisingly, I found those challenges relatively easy to exploit, and I uploaded my solutions here. I didn’t provide a detailed writeup, but I strongly recommend this practice. My suggestion is: don’t go for the low-hanging fruit; try various exploitation techniques. Using an egghunter in every exploit is easy, but your exploitation skills won’t improve.

During my OSCE journey, this became the norm:

Debugging:

Complaining:

Going to sleep

And popping up calc.exe

And finally, I went to take the OSCE exam.

### Examination

The exam went quite smoothly for me, and I managed to solve almost all the challenges before I went to sleep. (My exam started at 9pm and I went to sleep at around 4:30am.) So unlike with OSCP, I won’t bother to write a lengthy story describing my OSCE exam.

But as usual, writing the report is a much more painful process than the exam itself. This time, I drafted a 57-page report, which is even longer than my 43-page OSCP report. I managed to upload the report and send the link to Offsec when my exam ended.

I would suggest keeping the exploit scripts from every stage of the exploit development and the corresponding screenshots, so you won’t have to recreate the POCs when you are writing your report. This matters especially if you only manage to score above 75 points (which is the passing mark for OSCE) near the end of the exam: you won’t have time to recreate the POCs anymore, because you can no longer connect to the exam machines.

Offsec prohibits recording the screen while it is interacting with any of the course materials, and I would take the course materials to include the exam machines. So don’t take the risk.

You must not video record your screen while it is interacting with any of our Course Materials. However, you may take screenshots and copy data to the extent needed for your exam or lab report.

### FAQ

Before I get to the conclusion, I will consolidate some questions I saw online and from my friends regarding the course.

1. ##### Is the course outdated?

Yes. Unfortunately, it is outdated; you can take a look at the course syllabus here. However, I myself don’t have any problem with that. Because I am a deadline-driven person, it was only with the guidance of the CTP course material and the exam deadline that I had the push to learn all those basic and (maybe) advanced exploitation techniques. Even if I got to learn the most up-to-date techniques, they might become outdated in a few years. What I gained from the course is more the basic skillset, and the perseverance to trace through the debugger for hours. With that, I am confident that I am able to learn any advanced exploitation technique in the future. To make an analogy: “I learned how to control my chakra, but I never learned Kage Bunshin no Jutsu. However, with chakra control techniques, I am able to learn advanced ninjutsu on my own.”

2. ##### What skillsets should I have before taking this course?

As stated on the Offsec website here:

Cracking the Perimeter is an advanced course and requires prior knowledge of Windows exploitation techniques. You should be comfortable in OllyDbg and understand concepts such as shellcode encoding, use of the Metasploit Framework, and Linux at large.

People mistakenly think that OSCE is a purely Windows binary exploitation course, which is not accurate. By referring to the course syllabus, you would notice that there is one module on web exploitation as well, and you should expect that to appear in the exam too. That is why it is usually recommended to take this course only after you have acquired your OSCP. But indeed, there is much more focus on binary exploitation.

3. ##### I see many people recommending SLAE course, is this necessary?

While mastering assembly is not a must for the OSCE course, it is definitely a plus. At the very least, you should know how to call a function in assembly. There are various resources online; you might or might not find this one useful as well.

4. ##### What if I don’t know assembly at all? Can I take this course?

It does not matter if you don’t know anything yet; if you already knew everything, what would be the point of taking this course? Instead, it really depends on what you want to do in the future. As I mentioned earlier, I couldn’t solve the registration challenge when I registered for the course.

### Conclusion

Some tips which I think might or might not be useful:

• Don’t make assumptions unless necessary.
• If your exploit does not work as you expect, list out the assumptions your exploit is based on and review them: “Are they necessary? Can I exploit it without this assumption holding?” Then modify your exploit accordingly.
• Stack alignment and memory alignment might make a difference.
• Be careful with the execution context; watch the special-purpose registers closely.
• IDA Pro might come in handy in some scenarios.

Updated 14 June 2020

### Preparation

• Go straight to practicing the last course module, GRE sniffing. I had read the accompanying PDF and videos while I was in China, and this module seemed the hardest to set up on my own laptop, so I could only experiment with it in the lab.
• Go over the course PDF again roughly, find the relevant exercise programs in the lab, note down their software versions, and search online for the same versions, so that I could set up the environment on my own laptop to practice. As it turned out, only HP NNM was hard to find; after a long search I only found a similar version to practice with, but the vulnerability is the same and only minor adjustments are needed, which is enough for practice. (Don’t ask me for it; find it yourself.)
• I didn’t touch the web security modules at all, because judging from the course material, I was confident I could handle them in the exam.

### Examination

The OSCE exam itself went much more smoothly than I expected. Based on the OSCE exam experiences I had read from others, I thought I would run into a lot of pitfalls, but in fact I didn’t. I had basically solved all the challenges before I went to sleep (I say basically because one challenge had not yet met its requirements, but I was certain I could finish it within half an hour of waking up), so I went to sleep at around 4:30 and slept soundly. So I won’t bother to recount my exam situation the way I did for OSCP.

Offsec’s Academic Policy explicitly forbids screen recording whenever you are interacting with course materials. I count the exam machines as course materials, so don’t take the risk.

You must not video record your screen while it is interacting with any of our Course Materials. However, you may take screenshots and copy data to the extent needed for your exam or lab report.

### FAQ

1. Is the course outdated?

Yes. Unfortunately, it really is outdated; you can see the course syllabus here. Of course, I myself don’t think this is a big problem, because I am a person who needs deadlines to drive me. It was only with the guidance of the CTP course and the push of the OSCE exam date that I had the motivation to learn these basics and (perhaps?) advanced techniques. On the other hand, even if what I learned were the newest techniques, they might be outdated in two or three years anyway. What I gained from this course that matters more is the fundamentals, and the patience to single-step through a program in the debugger. With that, I am confident I can learn any advanced exploitation technique in the future. To make an analogy: “Taoist Ma Yu only taught Guo Jing breathing and qi circulation, and none of the Quanzhen sect’s external martial arts, yet Guo Jing was able to teach himself and perform the Jinyan Gong (Golden Goose Skill) in front of the Seven Freaks of Jiangnan.”

2. What prerequisite skills does this course require?

The Offsec website says:

Cracking the Perimeter is an advanced course and requires prior knowledge of Windows exploitation techniques. You should be comfortable in OllyDbg and understand concepts such as shellcode encoding, use of the Metasploit Framework, and Linux at large.

People may have a misconception about this course, thinking it is purely a Windows binary exploitation course, but that is not accurate. According to the course syllabus, the first course module is on web exploitation, and that content is naturally quite likely to appear in the exam as well. That is why Offsec officially recommends attempting this course only after obtaining the OSCP. Of course, the course does shift its focus to binary exploitation.

3. I see many people recommending the SLAE course; how is it?

That course is paid; although I have the video resources, I don’t plan to share them. On the other hand, mastering assembly is not a must for this course, though if you are very familiar with assembly it is certainly a big advantage. But at the very least you should know how to call a function in assembly, right? In fact there are many assembly resources online, such as this one, which is free.

4. If I don’t know assembly at all, should I take this course?

Whether you already know something has no necessary connection to whether you should take a course on it. Besides, isn’t the purpose of the course to teach you? If you already knew everything, why take the course at all? The only question is whether the course fits the skill tree you have currently unlocked, and what you want to do in the future. To take an extreme example: before registering for this course, I couldn’t even solve the qualifying challenge for registration, and got through it with a script someone else had written.

### Conclusion

• Don’t make any assumptions unless they are necessary.
• If your exploit does not execute as expected, list the assumptions you have made and check them one by one, asking yourself “Are these assumptions necessary? Can I write the exploit without this assumption?”, and then modify the exploit.
• Stack balance and memory alignment are sometimes very important.
• The execution context of an instruction is sometimes very important too; watch the special-purpose registers closely.
• IDA Pro may sometimes prove useful in unexpected ways.