OSCE Review and Exam – I Tried (Even) Harder!

I finished at the beginning of this year, but here is my OSCE Review!

OSCE Review – Introduction

I know this is a bit back dated, but I wanted to finally post my OSCE review and how the exam went.

This course was intense, but it was exactly what I was looking for. A more intermediate level exploit development course, that easily picks up after some of the other courses that I’d done.

The entire course took most of the 90 days, but I was able to knock out the exam in even less time than the OSCP.

I’ll cover the course as best I can after these last ten months, but feel free to reach out to me if you have any questions or suggestions.

OSCE – Course Work

There were five main sections to the course, and I want to at least touch on each of them briefly.

The Web Application Angle

The first section in the course was the web application part. This section was straight-forward, and I was able to knock it out pretty quickly given my web app background.

That said, I did work through automating all these exploits, which helped a ton for understanding how they worked.

I may dig up my automation scripts for these vulnerabilities, as they are already public domain.

The Backdoor Angle

The first binary section of the course was the backdoor angle (which, made me giggle like an 11-year-old).

This module covered back-dooring executables, as well as bypassing anti-virus.

While the basics of this module were straight-forward, it was my additional research that turned up some cool tricks. Note that most of this section was signature avoidance, and not a lot in the realm of heuristics. This would have been really cool but would likely have to be most of another course.

I’m not sure how much of this section that I automated, but I’ll hopefully be able to share some tools eventually

OSCE Review – Advanced Exploitation Techniques

Module #3 was where the course really started to ramp up in difficulty. The main topics covered in this section were ASLR bypasses and egghunters.

Thankfully, having written my own egghunter, I was familiar with this topic.

The extra work and learning in this section challenged me, and this was the first section that I did not automate as much as I would have liked.

There was a nice complimentary nature between this section and the GXPN. The OSCE didn’t cover ROP much at all but went further in depth into other ASLR based attacks.

I know that a lot of these techniques can be dated, but it was a great place to start building a base for advanced exploitation.

The 0Day Angle

Wow, this is the section that people talk/think about when someone mentions the OSCE.

Module 4 covers two different 0-day cases, for TFTP and the HP Network Node Manager.

I was able to understand the TFTP section easily, but it was awesome building the “0-day” from scratch.

The NNM exploit was a different beast entirely. This section took the most time of any in the course, and for good reason.

I ended up writing multiple different Python scripts to help me, as well as working out a lot of math by hand on paper. In the end, I had a great understanding of this exploit, and may blog about it eventually!

The Networking Angle – Attacking the Infrastructure

So, to be honest, I didn’t finish this section of the course in time. I was pretty sure that the Cisco exploits wouldn’t be on the exam, and that I would have to cover this on my own.

That said, the material was interesting, and I’m hoping to go back and really play with it a little more on my own.

OSCE Review – The Exam

With my 90 days of lab time (mostly) completed, it was time to schedule the exam.

Like the OSCP exam, there are a number of objectives/machines, worth varying point values. A score of 75 out of 90 is required to pass, so most of the objectives need to be completed. Unlike the OSCP exam, you are given a full 48 hours to complete the practical portion of the OSCE.

If you have a good understanding of the coursework, as well as the theory and reasoning behind it, then you can pass the exam.

I don’t want to share any spoilers, but I did want to briefly mention one of the “harder” challenges. There was one part of the exam that required some creativity to solve, and it is even more obvious once you get onto the forums and see all of the different solutions.

OSCE Review – Tweets

Similar to my OSCP exam, I did a fair bit of live Tweeting, especially during the exam.

I’m not going to repost everything here, but feel free to read my frustrations and triumphs!

• Automation and Module 3
• Exam scheduled
• Live Tweeting
• Outfit
• Pre-exam
• Dawn of The Second Day
• First point
• Updates (oops)
• 2nd pwnage, more points!
• Protein shake
• Only 7.5 hours in, and already passed
• Break
• Next “morning”
• Reporting
• 100%
• Report submitted
• What’s next?
• Passed

Additional Work

While I’ve mentioned it a bit already in my SLAE Review and Exam post, the SLAE was a huge benefit for me before the OSCE.

There isn’t any manual shellcoding necessary during the exam, but it helps. Being able to read assembly quickly and easily makes debugging various payloads much simpler.

Also, understanding how to minimize shellcode length is SUPER valuable *hint* *hint*.

In addition to my SLAE work, I also did some Vulnserver exploits. These vary in difficulty, but helped keep me focused on exploit development.

• https://www.doyler.net/security-not-included/boofuzz-introduction
• https://www.doyler.net/security-not-included/introducing-vulnserver
• https://www.doyler.net/security-not-included/three-byte-overwrite-vulnserver-trun
• https://www.doyler.net/security-not-included/vulnserver-trun-vanilla-eip
• https://www.doyler.net/security-not-included/vulnserver-lter-seh
• https://www.doyler.net/security-not-included/lter-seh-continued
• https://www.doyler.net/security-not-included/vulnserver-lter-eip-overwrite

OSCE References

While I can’t cover all of these in depth, I wanted to share a few references that I found helpful (either during or afterwards).

The Tulpa guide is great, although I didn’t use it a ton – https://tulpa-security.com/2017/07/18/288/.

The OffSec discord channel is super helpful and has a lot of great resources – https://discordapp.com/invite/VPFWfdt.

Abatchy’s study guide is great, and I wish I found it earlier in my course – https://www.abatchy.com/2017/03/osce-study-plan.

Finally, here is a list of reviews that I read when I was making my decision or taking the actual course.

• https://community.infosecinstitute.com/discussion/120656
• https://dilsec.com/2017/06/01/offensive-security-ctp-course-osce-certification-review/
• https://coffeegist.com/security/my-osce-review/
• https://haveyousecured.blogspot.com/2017/06/offensive-security-osce-ctp-review.html
• http://binholic.blogspot.com/2018/04/yet-another-osce-review.html
• https://blog.badatsecurity.net/2018/09/07-yet-another-osce-review.html

OSCE Review – Conclusion

All in all, this was a great course. Since it’s from OffSec, it’s going to feel like a lot of poorly arranged blog posts combined with an awesome lab environment. You’re going to have to do most of the studying and learning on your own, but the materials are a great start.

I was hoping to get into the OSEE course at Black Hat this year, but it sold out almost instantly.

That said, I still plan on finishing the Vulnserver posts, and am always open to suggestions for what cert that I can take next!

Finally, here is a picture of my coveted prize.