You might have noticed that I have been posting articles on Windows binary exploitation recently, and yes, I took the Cracking the Perimeter (CTP) course and was preparing for my OSCE certification exam. I have just got the confirmation email from offsec telling me that I have acquired my Offensive Security Certified Expert (OSCE) certification.


As usual, I am going to write another review, this time on my OSCE journey.


My initial plan was to dive into web security and try the Advanced Web Attacks and Exploitation (AWAE) course; besides, offsec was offering a special discount at that time, selling AWAE with one month of lab at $999. Another thing is that I was not familiar with binary exploitation at that point in time. However, one of my friends was asking me to take CTP with him. My initial thought was simple: “Since I don’t know much about binary exploitation, CTP would be more challenging, and I might gain more from this course compared to AWAE.” So I just joined him and enrolled in the CTP course. To register for the CTP course, there is a qualifying challenge for you to complete here. And I simply had no idea how to solve it. So I turned to Google and found an automatic script which helped me solve that challenge. (I don’t recommend you do so, and I won’t put links here.) But anyway, I was enrolled in the CTP course successfully.


This is another sad story. I went back to China during my one month of lab time, and my laptop’s graphics card broke, so I had to send it back to the factory to get it repaired. (Luckily it was still under warranty.) By the time I got back to Singapore and connected to the lab, I had only three days left. Apparently I was not able to practice every exercise in the course. Here is what I did:

  • Go straight to the last module on GRE sniffing and play around with the pre-configured lab environment. Based on the course material, I think that is the hardest environment to replicate on my own laptop.

  • Quickly go through the previous modules and note down the software versions, so that I could practice the exercises in my own environment. Luckily most of the software can be found online. The HP NNM resources turned out to be the hardest to find, and I only managed to get a similar version, which was sufficient for me to practice with. (Don’t ask me for it.)

  • I didn’t touch the modules on web applications, because based on the course material, I was confident that I should not have any problems with that.

So now the only challenge for me was: how to learn binary exploitation from 0, or 0.1? (Remember that I couldn’t even solve the entry-level challenge for the registration?)

What made the situation worse is that the new school semester started, and I got busy with six school modules and one teaching assistant job.

One of the modules I took at school that semester was Computer Security, and I got to learn some binary exploitation tricks like return to shellcode and ROP, and it did help a little with my OSCE journey. (OSCE does not involve ROP, but it is still good to know, especially if you can get a deeper understanding of code execution in different contexts while tracing some complex exploitation technique, which I will mention later.)

Because the Covid-19 situation was getting worse and worse, my school was also constantly revising the semester schedule, which eventually clashed with my OSCE exam (and I had not prepared for it at all). So I wrote to offsec stating my concern and asking for an extension on the OSCE schedule deadline. Offsec generously gave me one more month. (I asked for two weeks.)


This gave me one full month of preparation, which is more than enough.

There are A LOT of supplementary materials online, and you may or may not find these useful:

I didn’t read all the materials mentioned in the above link. Instead, I adopted a recursive learning style, meaning: start from a post which is totally fresh for me, read it, encounter something A I don’t understand, google for it, and find a post B explaining A; read it, encounter something C I don’t understand, google for it, and find a post D explaining C; read it, encounter something E I don’t understand ……

And that would explain why I ended up with 70+ tabs in my browser:


Soon I realized that reading itself won’t help much, so I decided to take notes on what I had learned, and that is how I came up with this post: Writing win32 shellcode

I actually spent more than 70 percent of my preparation time writing various shellcode, and I only started to practice the famous vulnserver three days before the actual OSCE exam. Surprisingly, I found those challenges relatively easy to exploit, and I uploaded my solutions here. I didn’t provide detailed writeups, but I strongly recommend this. My suggestion is: Don’t go for the low-hanging fruit; try various exploitation techniques. Using an egghunter in every exploit is easy, but your exploitation skills won’t improve.

During my OSCE journey, this has become a norm:

Going to sleep

And popping up calc.exe


And finally, I went to take the OSCE exam.


The exam went quite smoothly for me, and I managed to solve almost all the challenges before I went to sleep. (My exam started at 9pm and I went to sleep at around 4:30am.) So unlike OSCP, I won’t bother to write a lengthy story describing my OSCE exam situation.

But as usual, writing the report is a much more painful process than the exam itself. This time, I drafted a 57-page-long report, which is even longer than my 43-page OSCP report. I managed to upload the report and send the link to offsec when my exam ended.

I would suggest keeping the exploit scripts from every stage of the exploit development and the corresponding screenshots, so you won’t have to recreate the POCs when you are writing your report. This matters especially if you only manage to score above 75 points (the passing mark for OSCE) near the end of the exam, because you won’t have time to recreate the POCs once you can no longer connect to the exam machines.

Offsec prohibits recording the screen while it is interacting with any of the course materials, and I would take the course materials to include the exam machines. So don’t take the risk.

You must not video record your screen while it is interacting with any of our Course Materials. However, you may take screenshots and copy data to the extent needed for your exam or lab report.


Before I get to the conclusion, I will consolidate some questions I saw online and from my friends regarding the course.

  1. Is the course outdated?

    Yes. Unfortunately, it is outdated; you can take a look at the course syllabus here. However, I myself don’t have any problem with that. I am a deadline-driven person, and only with the guidance of the CTP course material and the exam deadline did I have the push to learn all those basic and (maybe) advanced exploitation techniques. Even if I got to learn the up-to-date techniques, they might become outdated in a few years. What I gained from the course is more of the basic skillset, and the perseverance to trace through the debugger for hours. With that, I am confident that I am able to learn any advanced exploitation technique in the future. To make an analogy: “I learned how to control my chakra, but I never learned kage bunshin no jutsu. However, with chakra control techniques, I am able to learn advanced ninjutsu on my own.”

  2. What skillsets should I have before taking this course?

    As stated on the offsec website here:

    Cracking the Perimeter is an advanced course and requires prior knowledge of Windows exploitation techniques. You should be comfortable in OllyDbg and understand concepts such as shellcode encoding, use of the Metasploit Framework, and Linux at large.

    People mistakenly think that OSCE is a purely Windows binary exploitation course, which is not accurate. By referring to the course syllabus, you would notice that there is one module on web exploitation as well, and you should expect that to appear in the exam too. That is why it is usually recommended to take this course only after you have acquired your OSCP. But indeed, there is much more focus on binary exploitation.

  3. I see many people recommending SLAE course, is this necessary?

    While mastering assembly is not a must for the OSCE course, it is definitely a plus. At the very least, you should know how to call a function in assembly. There are various resources online, and you might or might not find this useful as well.

  4. What if I don’t know assembly at all? Can I take this course?

    It does not matter if you don’t know anything; if you knew everything already, what would be the point of taking this course? Instead, it really depends on what you want to do in the future. As I mentioned earlier, I couldn’t solve the registration challenge when I registered for the course.


Some tips which I think might or might not be useful:

  • Don’t make assumptions unless necessary.
  • If your exploit does not work as you expect, list out the assumptions that your exploit is based on and review them: “Are they necessary? Can I exploit it without this assumption holding?” Then modify your exploit accordingly.
  • Stack alignment and memory alignment might make a difference.
  • Be careful with the execution context; watch the special purpose registers closely.
  • IDA Pro might come in handy in some scenarios.



Attentive readers may have noticed that I have been posting content on Windows binary exploitation lately. Yes, I recently took the Cracking the Perimeter (CTP) course and was preparing for my OSCE certification exam. Yesterday I received the email from offsec telling me that I had passed the exam and obtained my OSCE certification.




My original plan was to go deeper into web security and sign up for the Advanced Web Attacks and Exploitation (AWAE) course; besides, offsec was running a promotion at the time! For just $999 you could enroll in the course bundled with one month of lab; compared with the current price of $1400, doesn’t that feel like losing a fortune? Also, I was really not familiar with binary exploitation; like many people, I only knew the simplest return-to-shellcode style of exploitation introduced in OSCP. However, a friend of mine dragged me into signing up for the OSCE exam with him, and only then did I seriously consider it: “After all, I don’t know much about binary exploitation, and life is about taking risks, so why not give it a try?” So I signed up with him. It is worth mentioning that offsec actually has an entry barrier designed to stop risk-takers like me: you need to solve this challenge to get the registration ticket. That didn’t stop me, though. Although I had no idea how to do it at the time, my information-retrieval skills have always been good, so I went straight online, found an automatic script, and solved the challenge with it (I strongly advise against doing this, so I won’t post the link). And so I enrolled in the CTP course and the subsequent OSCE exam.



  • Go straight to practicing the last course module, GRE sniffing. Having read the accompanying PDF and videos while I was back in China, I felt this was the hardest one to set up on my own laptop, so I could only experiment with it in the lab.
  • Go over the PDF course material again roughly, then find the related lab programs in the lab, note down their software versions, and search online for the same versions so that I could set up the environment on my own laptop for practice. It turned out that only HP NNM was hard to find; after a long search I only found a similar version to practice with, but the vulnerability is the same and only minor adjustments are needed, which is sufficient for practice. (Don’t ask me for it, find it yourself.)
  • I didn’t touch the web security modules at all, because judging from the course material I was confident I could handle it in the exam.



One of the courses I took at school was Computer Security, CS3235, which covers some binary exploitation, but fairly simple stuff like return-to-shellcode and ROP. Of course it still helped my OSCE somewhat (OSCE doesn’t test ROP, but a deep understanding of the root cause of this kind of vulnerability is still very beneficial for OSCE, as is tracing assembly line by line with gdb; this was when I started learning assembly).









Soon I realized this wasn’t working, because I was reading far too much and too scattered material; I needed to write down what I had learned, and so I wrote a post: Writing win32 shellcode

Offsec explicitly prohibits screen recording in its Academic Policy whenever you are interacting with the course materials, and I count the exam machines as course materials, so don’t take that risk.

You must not video record your screen while it is interacting with any of our Course Materials. However, you may take screenshots and copy data to the extent needed for your exam or lab report.



  1. Is the course outdated?


  2. What prerequisite skills does this course require?


    Cracking the Perimeter is an advanced course and requires prior knowledge of Windows exploitation techniques. You should be comfortable in OllyDbg and understand concepts such as shellcode encoding, use of the Metasploit Framework, and Linux at large.


  3. I see many people recommending the SLAE course; how is it?


  4. If I don’t know assembly at all, should I take this course?




  • Don’t make any assumptions unless they are necessary.
  • If your exploit doesn’t run as expected, list the assumptions you have made, check them one by one, ask yourself “Are these assumptions necessary? Can I write the exploit without this assumption?”, and then modify the exploit accordingly.
  • Stack alignment and memory alignment sometimes matter a lot.
  • The execution context of instructions sometimes matters too; watch the special purpose registers closely.
  • IDA Pro can sometimes come in handy in unexpected ways.