Journey to OSCE
Hello everyone, in this blog I want to share my experience of how I cleared Cracking the Perimeter(CTP) Course. Firstly kudos to the people who have shared their knowledge through wonderful blogs and write-ups, which guided me to prepare for the course.
Course Topics:
- Web Application Angle
- Antivirus Bypass Techniques
- ASLR Bypass
- Use of Egghunter in depth
- Zero Day Angle
- GRE Sniffing
Approach:
After going through many well documented blogs on the internet, I started preparing for the course from September 2018. I started with Security Tube’s ‘Exploit Research Megaprimer’ course, which helped me with the basics of SEH Exploitation. After this course I downloaded few exploits from exploitdb to practice SEH Exploitation.
Since this course involves Assembly Language, I started with ‘X86 Assembly Language and Shellcoding on Linux’ course. In this course, I learned about different assembly instructions, how system call works, crypters, how to create custom shellcode etc. I would recommend it to all beginners who want to learn shellcoding.
As I was well aware of the topics covered within the course, the next topic I wanted to learn was Egghunter. Here are the links to few of the write-ups which helped me in learning the concept.
References:
- https://medium.com/@rafaveira3/exploit-development-kolibri-v2-0-http-server-egg-hunter-example-1-5e435aa84879
- https://www.corelan.be/index.php/2010/01/09/exploit-writing-tutorial-part-8-win32-egg-hunting/
- http://www.fuzzysecurity.com/tutorials/expDev/4.html
- https://www.youtube.com/watch?v=Znrvsf8Trvg
- http://ly0n.me/2015/08/01/writing-exploits-with-an-egghunter-part-1/
- http://sh3llc0d3r.com/vulnserver-kstet-command-exploit-with-egghunter/
- https://captmeelo.com/exploitdev/osceprep/2018/06/29/vulnserver-kstet.html
Then I started learning how Windows API’s works and also how to create custom shellcode. Started with implementing custom shellcode in vulnserver and in FreeFloat FTP exploits.
References:
- https://www.fuzzysecurity.com/tutorials/expDev/6.html
- https://www.absolomb.com/2018-07-24-VulnServer-GTER/
- http://sh3llc0d3r.com/windows-reverse-shell-shellcode-i/
As this course also includes antivirus bypass, I learnt different techniques to bypass antivirus
References:
All the above topics gave me brief idea about the course. So I finally signed up for 30 days labs in December 2018. Before signing up for the labs, you must pass a registration challenge i.e http://www.fc4.me. In this registration challenge one needs to find a registration code and secret key. Try to solve the registration challenge on your own, this will give you more confidence.
I completed my labs on 8th January 2019 and also booked the exam on 16th January. Before the exam, I practiced on few exploits like myftp, quickzip etc.
References:
- https://www.offensive-security.com/vulndev/quickzip-stack-bof-0day-a-box-of-chocolates/
- https://buffered.io/posts/idsecconf-2013-myftpd-challenge/
Finally the day of the exam arrived, which consist of 4 challenges. In order to clear the exam you need to cover 75 marks within a timeline of 48 hours.The marks for the exam are distributed in such a way that you need to attempt most of the challenges.
I started with the first challenge, this challenge was simple. Within few hours, I was able to complete it and this boosted my confidence.
After this I started with the next challenge which was one of the mandatory challenges,within few hours I got the entry point to the machine and after that I couldn’t progress for next 10-11 hours, hence thought of taking a small break.
Took a small break and came with a fresh mind and a fresh idea. Fortunately this idea worked and I was able to complete the challenge within 4-5 hours.
I started with the next mandatory challenge, this challenge was simple as this was related to my daily routine work.
As I was left with few hours only, thought of solving the last challenge as I wanted to attempt all the challenges and was able to complete the last challenge also before the timeline.
Next day I finished with the documentation and submitted the report, 2 days later I got a confirmation email from offensive security stating that I had cleared the exam.
Tips:
- Try different method if one technique is not working.
- Make sure that you are taking regular notes for each module.
- Restart the machine every time after some trial and error.
- Keep patience and practice more.
- Time management.
- Try harder is key to success.