Offensive Security Certified Expert && me

20. Februar 2018

As promised on Twitter here is my OSCE review. You can read my time line from before course enrolling until the end of the exam here. So, let’s go.

Stage_0: Preparation just before enrolling!

First, I read a ton of other reviews to get an idea about the course and the exam. There is nothing special or important in these before enrolling. The only thing I would really recommend you: Do the SLAE from penetestacademy! The other things like exploitDev tutorials etc. are not much important at this stage.*

Stage_1: Crack the challenge and waiting for course starting!

Before you can enroll for the course you need to solve a small challenge. Nothing to add here, just one thing: Do not bother yourself and search the web for the solution. If you can’t crack it, you are not ready for the course at the moment!*

Stage_2: Studying the course material while decreasing sleeptime

The course material is not comparable to these from the PWK. You have a PDF with ‚only‘ 150 sites and additional videos. Following topics are covered.*

I would recommend checking the videos after finishing each module in the PDF.  Another very important point: Report everything in a well written form (I used cherryNote and Word, but this is your choice). Do these steps for the whole material and go to Stage_4.

The Web Application angle

This is a small upgrade to your skills learned in the PWK. Clever XSS attacks, DirTraversal and other things I can’t tell you 😛
If you are familiar with pentesting in general or CTF games you should not have any trouble here.

The Backdoor angle

Manually backdooring of PE-files (executables). Always nice to have 😉

Advanced Exploitation Techniques

Here begins the fun (and most important stuff). You learn the basics about buffer overflows in windows and mitigation of the low-level kernel protections like SEH or ASLR.

The 0Day angle

This was my favorite part. You are going to recreate the whole exploitDev process for the evil NMM exploit from fuzzing up to RCE. You are also encountered with several curve balls here 😉

The Networking Angle – Attacking the Infrastructure

This part is about a very rare area of pentesting, so relax and learn something uncommon.

Stage_3: TrainingTime -> rebuild | improve | change exploits from exploitdb

Now comes to the most important part for your journey to receive your OSCE certification… „Wait, but I finished all the course materials!“
Welcome to the infoSec world 😉*

Without the following additional steps, I wouldn’t have any chance within the exam. So, pay attention 😛

Re-Study Course Materials

At first you should go through the course materials again, but rebuild the exploits from the scratch (fuzzing) and use custom techniques (other registers, fancy jumping, etc.)

External Study Ressources

Check this study plan. All topics are covered and each got links to several very good resources. The most important ones are

  1. FuzzSecurity: Windows Exploit Development Tutorial Series
  2. Corelan: Exploit writing tutorial

Another well written preparation guide is here. If you finished these preparations you should switch from reading newspapers to reading exploits on exploitDB. Going through these will give you nice ideas for custom bufferoverflow magics. But the most important thing is: Try to find vulnerable software version mentioned in the exploits, download them and go through the whole exploitDev process. From fuzzing to CodeExecution. And be creative with jumping techniques, used registers, encoders or other techniques. Also try to cover SEH or ASLR protected software.

PS: You can also check my little post about a simple bufferoverflow in the recent coolplayer here 😉

Go into the wild

At this stage I decided to look for 0days in recent software from huge German computer magazines. I found several ones (from local DoS to RCE), which will be released on this blog, if they are fixed or my deadline is reached 😛

Sharpen your Weapons

Following things turned out as very useful

  1. Build skeleton exploits and fuzzing config-files for several use cases. (will release some of these on my github account)
  2. Automate things you can automate (some small helpers are already here)
  3. Prepare a command cheat sheet (for example eggHunting code, custom jumps, etc.)

Stage_3.5: Relax && Have fun in the exam.

If you followed this guide, you are well prepared and should handle most problems within in the time. I started my exam action here. This exam was crazy and brutal. I thought several times that I am lost and don’t see any foothold. All targets got different points for achieving several challenges. I decided to start with the higher ones. I found the entry point for all higher pointed targets, but didn’t find a way to reach the aim. So, I switched to the lower ones. Same problem here, finding the entry point knowing which steps should lead to the solution but crashing against a wall or running into rabbit holes.

I took a break for pizza and had a shower. I went back to my laptop and tried an idea which come to my mind while having my meal. I did a longer research in the web for this specific idea and – BOOM, the first important step on a high target accomplished. After another half an hour I owned this one totally.

Now I retried some things on the other high target and noticed that I have several smaller mistakes in my code. So, doing some magic here, reconstruct here and – YES, next one owned.

Okay, only the lower targets and about 24 hours left, I went to bed. After 6 hours of sleep, I recharged my laptop and tried my best on the lower targets… But these were just evil. I did a lot of research in the web and really tried harder. Finally, both challenges were finished.

I finished the report and reached Stage_4.

Stage_4: Submitting my Exam Report and hoping for the best

I was very nervous because my report was very technical (more than for my OSCP) and maybe I missed an important task. But in the end I received the holy email and got a retweet from offensive-security themselves 😛*


I would recommend this course to everyone who works in technical infoSec area.

Thank You Offsec for this awesome journey!

Ähnliche Beiträge

After gaining my OSCP in June i decided to go deeper into exploitDev and shellcoding. And here we are, this [...]

9. Oktober 2017

Welcome back to my second post for the SLAE certification. Today we are going to build a reverse_shell shellcode and [...]

9. Oktober 2017

Ready for the next level? – Method to exploit software even with small space for shellcode: EggHunting The third task [...]

9. Oktober 2017

Hey ho, it’s time for some low-level shellcode encoding. After going through the encoder examples of the SLAE material i [...]

9. Oktober 2017