You might have noticed that I have been posting articles on Windows binary exploitation recently, and yes, I took the Cracking the Perimeter (CTP) course and was preparing for my OSCE certification exam. I have just received the confirmation email from offsec telling me that I have obtained my Offensive Security Certified Expert (OSCE) certification.

image-20200613125039008

As usual, I am going to write another review of my OSCE journey.

Background

My initial plan was to dive into web security and try the Advanced Web Attacks and Exploitation (AWAE) course; besides, offsec was offering a special discount at that time, selling AWAE with one month of lab for $999. Another thing is that I was not familiar with binary exploitation at that point in time. However, one of my friends was asking me to take CTP with him. My initial thought was simple: “Since I don’t know much about binary exploitation, CTP would be more challenging, and I might gain more from this course compared to AWAE.” So I just joined him and enrolled in the CTP course. To register for the CTP course, there is a qualifying challenge for you to complete here. I simply had no idea how to solve it, so I turned to google and found an automated script which solved that challenge for me. (I don’t recommend you do so, and I won’t put links here.) Anyway, I was enrolled in the CTP course successfully.

Preparation

This is another sad story. I went back to China during my one month of lab time, and my laptop’s graphics card broke, so I had to send it back to the factory to get it repaired. (Luckily it was still under warranty.) By the time I went back to Singapore and connected to the lab, I had only three days left. Apparently I was not able to practice every exercise in the course, so here is what I did:

  • Go straight to the last module on GRE sniffing and play around with the pre-configured lab environment; based on the course material, I think that is the hardest environment to replicate on my own laptop.

  • Quickly go through the previous modules and note down the software versions, so that I can practice the exercises in my own environment. Luckily most of the software can be found online. The HP NNM resources turned out to be the hardest to find, and I only managed to get a similar version, which was sufficient for me to practice with. (Don’t ask me for it.)

  • I didn’t touch the module on web applications, because based on the course material, I was confident that I should not have any problems with it.

So now the only challenge for me was: how to learn binary exploitation from 0, or 0.1? (Remember that I couldn’t even solve the entry-level challenge for the registration.)

What made the situation worse was that the new school semester started, and I got busy with six school modules and one teaching assistant job.

One of the modules I took at school that semester was Computer Security, where I got to learn some binary exploitation tricks like return to shellcode and ROP, and it did help a little with my OSCE journey. (OSCE does not involve ROP, but it is still good to know, especially if you can get a deeper understanding of code execution in different contexts while tracing some complex exploitation technique, which I will mention later.)

As the Covid-19 situation was getting worse and worse, my school kept revising the semester schedule, which eventually clashed with my OSCE exam (and I had not prepared for it at all). So I wrote to offsec stating my concern and asking for an extension of the OSCE schedule deadline. Offsec generously gave me one more month. (I asked for two weeks.)

image-20200613143146475

This gave me one full month of preparation, which is more than enough.

There are A LOT of supplementary materials online, and you may or may not find these useful:

I didn’t read all the materials mentioned in the above link; instead, I adopted a recursive learning style, meaning: start from a post which is totally fresh to me, read it, encounter something A I don’t understand, google it and find a post B explaining A; read it, encounter something C I don’t understand, google it and find a post D explaining C; read it, encounter something E I don’t understand……

And that would explain why I ended up with 70+ tabs in my browser:

image-20200613144806624

Soon I realized that reading itself won’t help much, so I decided to take notes on what I had learned, and that is how I came up with this post: Writing win32 shellcode

I actually spent more than 70 percent of my preparation time writing various shellcode, and I only started to practice the famous vulnserver three days before the actual OSCE exam. Surprisingly, I found those challenges relatively easy to exploit, and I uploaded my solutions here. I didn’t provide a detailed writeup, but I strongly recommend it. My suggestion is: don’t go for the low-hanging fruit; try various exploitation techniques. Using an egghunter in every exploit is easy, but your exploitation skills won’t improve.

During my OSCE journey, this has become a norm:

Debugging:

image-20200613153436055

Complaining:

image-20200613153648245

Going to sleep:

image-20200613154351589.png

And popping up calc.exe:

image-20200613154351578

And finally, I went to take the OSCE exam.

Examination

The exam went quite smoothly for me, and I managed to solve almost all the challenges before I went to sleep. (My exam started at 9pm and I went to sleep at around 4:30am.) So unlike OSCP, I won’t bother to write a lengthy story describing my OSCE exam.

But as usual, writing the report is a much more painful process than the exam itself. This time, I drafted a 57-page report, which is even longer than my 43-page OSCP report. I managed to upload the report and send the link to offsec when my exam ended.

I would suggest keeping the exploit scripts from every stage of the exploit development along with the corresponding screenshots, so you won’t have to recreate the POCs when you are writing your report. This matters especially if you only manage to score above 75 points (which is the passing mark for OSCE) near the end of the exam, because you won’t have time to recreate the POCs anymore once you can no longer connect to the exam machines.

Offsec prohibits recording the screen while it is interacting with any of the course materials, and I would take the course materials to include the exam machines. So don’t take the risk.

You must not video record your screen while it is interacting with any of our Course Materials. However, you may take screenshots and copy data to the extent needed for your exam or lab report.

FAQ

Before I get to the conclusion, I will consolidate some questions I saw online and from my friends regarding the course.

  1. Is the course outdated?

    Yes. Unfortunately, it is outdated; you can take a look at the course syllabus here. However, I myself don’t have any problem with that, because I am a deadline-driven person, and only with the guidance of the CTP course material and the exam deadline did I have the push to learn all those basic and (maybe) advanced exploitation techniques. Even if I got to learn the most up-to-date techniques, they might become outdated in a few years. What I gained from the course is more the basic skillset, and the perseverance to trace through debuggers for hours. With that, I am confident that I am able to learn any advanced exploitation technique in the future. To make an analogy: “I learned how to control my chakra, but I never learned kage bunshin no jutsu. However, with chakra control techniques, I am able to learn advanced ninjutsu on my own.”

  2. What skillsets should I have before taking this course?

    Stated on the offsec website here:

    Cracking the Perimeter is an advanced course and requires prior knowledge of Windows exploitation techniques. You should be comfortable in OllyDbg and understand concepts such as shellcode encoding, use of the Metasploit Framework, and Linux at large.

    People mistake OSCE for a purely Windows binary exploitation course, which is not accurate. By referring to the course syllabus, you will notice that there is one module on web exploitation as well, and you should expect that to appear in the exam too. That is why it is usually recommended to take this course only after you have acquired your OSCP. But indeed, there is much more focus on binary exploitation.

  3. I see many people recommending SLAE course, is this necessary?

    While mastering assembly is not a must for the OSCE course, it is definitely a plus. At least, you should know how to call a function in assembly. There are various resources online, and you might or might not find this useful as well.

  4. What if I don’t know assembly at all? Can I take this course?

    It does not matter if you don’t know anything; if you already know everything, what is the point of taking this course? Instead, it really depends on what you want to do in the future. As I mentioned earlier, I couldn’t solve the registration challenge when I registered for the course.

Conclusion

Some tips which may or may not be useful:

  • Don’t make assumptions unless necessary.
  • If your exploit does not work as you expect, list the assumptions your exploit is based on, review them (“Are they necessary? Can I exploit it without this assumption holding?”), and modify your exploit accordingly.
  • Stack alignment and memory alignment might make a difference.
  • Be careful with the execution context; watch the special-purpose registers closely.
  • IDA Pro might come in handy in some scenarios.

As usual, the Chinese version is put off for now.

Update, June 14, 2020

Attentive readers may have noticed that I have recently been posting content on Windows binary exploitation. Yes, I recently took the Cracking the Perimeter (CTP) course and was preparing for my OSCE certification exam. Yesterday I received the email from offsec telling me that I passed the exam and obtained my OSCE certification.

image-20200613125039008

As usual, I am writing another post sharing my OSCE experience.

Background

My initial plan was to dive deeper into web security and enroll in the Advanced Web Attacks and Exploitation (AWAE) course; besides, offsec was running a promotion at the time! Only $999 for the course bundled with one month of lab, compared with the current price of $1400; doesn't it feel like missing out on a fortune? Also, I was not really familiar with binary exploitation; like many people, I only knew the simplest return-to-shellcode style of exploitation introduced in OSCP. However, a friend of mine dragged me into registering for the OSCE exam together with him, and only then did I seriously consider it: "After all, I don't know much about binary exploitation, and life is about taking risks, so why not give it a try?" So I registered together with him. It is worth mentioning that offsec actually sets a registration barrier, precisely to keep out reckless people like me: you need to solve this challenge to get the ticket to register. That did not stop me, though. Although I had no idea how to do it at the time, my information retrieval skills have always been on point, so I went online and found an automated script that solved the challenge (I strongly recommend against doing this, so I won't put the link here). And that is how I enrolled in the CTP course and the subsequent OSCE exam.

Preparation

Another story that saddens everyone who hears it. During the one month my lab was active, I went back to China, and as luck would have it, my laptop's graphics card broke, so I had to send it back to the factory for repair (fortunately there was still a month of warranty left!). By the time I got back to Singapore and connected to the lab, only three days were left. Obviously I could not work through every exercise in the course material in three days, so I took a few shortcuts:

  • Go straight to practicing the last course module, GRE sniffing. I had read the accompanying PDF and watched the videos while in China, and this felt like the module whose environment would be hardest to set up on my own laptop, so I could only practice it in the lab.
  • Skim through the course PDF again, find the relevant target programs in the lab, note down their software versions, and search online for the same versions so that I could set up the environment on my own laptop and practice. It turned out that only HP NNM was hard to find; after a long search I only found a similar version to practice with, but the vulnerability is the same and only minor adjustments are needed, which is sufficient for practice. (Don't ask me for it; find it yourself.)
  • I didn't touch the web security module at all, because from the course material I was confident I could handle it in the exam.

So only one problem remained: how do I learn binary exploitation from zero, or from 0.1? (After all, I had to cheat even to qualify for registration.)

To make matters worse, the school semester started. I took six modules in the new semester and also worked as a teaching assistant for one, so I had even less time to study. The last possible day for my OSCE exam was May 6, and according to the school schedule my last final exam would end on May 3, which meant I only had three days left.

One module I took at school was Computer Security, CS3235, which covers some binary exploitation, though at a fairly basic level: techniques like return to shellcode, ROP and so on. This did help somewhat with my OSCE (OSCE does not test ROP, but a deep understanding of how this kind of vulnerability arises is still very beneficial for OSCE, as is using gdb to trace assembly code line by line; that was when I started learning assembly).

Because of Covid-19, the situation in Singapore was also getting worse day by day. For a while the school kept adjusting its policies and revising the semester plan, which ended up clashing directly with my OSCE exam (I hadn't prepared anything yet, and now you clash with my exam too?). I had no choice but to write to offsec, explain the situation and request a postponement. Offsec generously gave me a one-month extension (I had only asked for half a month).

image-20200613143146475

That way, after my school exams I had a full month of study time (conveniently, my internship was also postponed by a month), and one month is enough.

There are actually a lot of supplementary resources online; the following may or may not be useful to you, judge for yourself:

To be honest, I didn't go through all of the resources listed above (if you click the first github link, you will find the contents grouped by module; there is a lot of miscellaneous material, and I personally did not follow it when studying), and there is also a lot of material I read that is not listed, not because I want to hoard it or anything, but because I genuinely can't remember what I read.

My way of learning is a bit unusual, and I wouldn't really recommend it. I call it recursive learning, and the name says most of it: find an article you don't understand at all and start studying it; run into concept A you don't understand, look it up, find article B that explains A, start studying it; run into concept C you don't understand, look it up, find article D that explains C, start studying it; run into concept E you don't understand……

This explains why my browser routinely has 70-odd tabs open...

image-20200613144806624

I soon realized this wasn't working, because what I was reading was just too much and too scattered; I needed to write down what I had learned, and so I wrote Writing win32 shellcode

Some readers suggested I talk about my experience learning to write shellcode; I can only roughly recall it:

The articles I referenced were roughly the following; there were probably more, but I can't find them anymore

More importantly, of course, you have to write it yourself. While studying, verify things yourself too: for every concept and point mentioned in an article, I would google the keywords again and check whether anything differed from the article, and I frequently consulted the official documentation on MSDN. In short, you have to get hands-on; practice yields real knowledge, so just do it.

In fact, the time I spent writing various kinds of shellcode accounted for roughly 70% of my preparation. Along the way I gradually got used to writing assembly, reconstructing the stack layout in my head, and the various calling conventions. Only three days before my OSCE exam did I start trying vulnserver (a deliberately vulnerable TCP-based program written by a kind soul, covering several exploitation techniques). To my surprise, I did not find these vulnerabilities hard to exploit: basically fuzz the input that triggers the crash, look at the stack layout, and you roughly know how to exploit it (maybe because the exploitation techniques I know are still too few). I uploaded my own scripts here; I didn't include detailed explanations, but I still strongly recommend this program. My advice: don't be lazy, try to attack it with several different exploitation techniques. Blasting everything with an egghunter feels great, but when the exam doesn't let you use an egghunter, you will be stuck.

During the days I was preparing for the OSCE exam, the following became the norm:

Debugging:

image-20200613153436055

Complaining to friends:

image-20200613153648245

Sleeping:

image-20200613154351589.png

Popping calc:

image-20200613154351578

Sometimes, after staring at the screen for too long and my eyes blurred, I would lie in bed and listen to Pu Shu's 《平凡之路》 (The Ordinary Road):

Until 9 pm on June 5, when my OSCE exam began.

Examination

The OSCE exam itself went much more smoothly than I expected. Based on the OSCE exam write-ups I had read, I thought I would run into a lot of pitfalls, but in fact I didn't. I had basically solved all the challenges before going to sleep (I say basically because one challenge had not yet met the requirements, but I was quite sure I could finish it within half an hour after waking up), so I went to bed at around 4:30 am and slept soundly. Therefore I won't bother to recount my exam in detail as I did for OSCP.

As last time, writing the report was much harder than the exam itself. This time I wrote a 57-page report, even longer than my 43-page OSCP report. On the day my OSCE exam ended, I uploaded the report and emailed the link to offsec.

I would recommend keeping the code for every step of exploit development, from the initial crash to the final RCE, each as a separate script, together with the relevant screenshots. That way you won't have to redevelop the exploit from scratch when writing the report. Especially if it took you nearly 48 hours to reach 75 points (the OSCE exam is out of 90, with 75 the passing mark), you won't have time to rewrite the exploits, because you can no longer connect to the exam machines.

Offsec's Academic Policy explicitly prohibits screen recording whenever you are interacting with course materials, and I count the exam machines as course materials, so don't take the risk.

You must not video record your screen while it is interacting with any of our Course Materials. However, you may take screenshots and copy data to the extent needed for your exam or lab report.

FAQ

Before I get to the conclusion, let me summarize some common questions seen online and some my friends asked me, along with my own views and answers.

  1. Is this course outdated?

    Yes. Sorry to say, but it really is outdated; you can see the course syllabus here. I personally don't think that is a big problem, though. I am a deadline-driven person; with the guidance of the CTP course and the push of the OSCE exam date, I had the motivation to learn these fundamentals and (perhaps?) advanced techniques. On the other hand, even if I had learned the latest techniques, they might be outdated in two or three years. The more important thing I gained from this course is the fundamentals, along with the patience to single-step through a program in a debugger. With that, I am confident I can learn any advanced exploitation technique in the future. An analogy: "Taoist Ma Yu only taught Guo Jing breathing and qi-circulation methods and none of the Quanzhen Sect's external martial arts, yet Guo Jing was able to teach himself and perform the Golden Goose skill in front of the Seven Freaks of Jiangnan."

  2. What prerequisite skills does this course need?

    Offsec's website says:

    Cracking the Perimeter is an advanced course and requires prior knowledge of Windows exploitation techniques. You should be comfortable in OllyDbg and understand concepts such as shellcode encoding, use of the Metasploit Framework, and Linux at large.

    People may have some misconceptions about this course, thinking it is entirely a Windows binary exploitation course, but that is not accurate. According to the syllabus, the first module is on web exploitation, and naturally that content is likely to appear in the exam too. That is why offsec officially recommends attempting this course only after obtaining OSCP. Of course, the course does shift its focus to binary exploitation.

  3. I see many people recommending the SLAE course; how is it?

    That course is paid; although I have the videos, I don't intend to share them. On the other hand, mastering assembly is not a must for this course, though being familiar with it is definitely a big advantage. At the very least, you should know how to call a function in assembly, right? There are actually many assembly resources online, like this one, which is free.

  4. If I don't know assembly at all, should I take this course?

    Whether you already know something has no necessary connection with whether you should take a course. Besides, isn't the purpose of a course to teach you? If you already knew everything, why take the course? The only question is whether the course fits the skill tree you have unlocked so far and what you want to do in the future. And for what it's worth, before registering I couldn't even solve the registration challenge and had to use someone else's script to get through it.

Conclusion

Below are some tips that might be useful:

  • Don't make any assumptions unless they are necessary.
  • If your exploit does not run as expected, list the assumptions you made and check them one by one, asking yourself "Are these assumptions necessary? Can I write the exploit without this assumption?", then modify the exploit accordingly.
  • Stack balance and memory alignment are sometimes important.
  • The execution context of an instruction sometimes matters too; pay attention to the special-purpose registers.
  • IDA Pro may sometimes come in handy in unexpected ways.

Finally, a line to encourage those who are taking, or planning to take, the OSCE:

image-20200614010535357