Hello everyone. I have previously written an article about the OSWE certification, which you can access via the link below.
OSWE >> AWAE Advanced Web Attacks and Exploitation
Today I will try to explain what the "Cracking the Perimeter (CTP)" training covers and some important points about the "Offensive Security Certified Expert (OSCE)" certification process.
Before starting, however, I strongly recommend that you read the section "Do you think our perspective on certificates is correct?" in my OSWE certification article. I will keep coming back to this issue, because our perspective on certificates is fundamental to being successful and improving ourselves.
I will try to give as much information as I can under the headings below. I hope it will be useful.
- Does the OSCP certificate need to be obtained before OSCE?
- What's in CTP training content?
- What you need to know about the exam
- Things that need to be mastered before the exam
# Does the OSCP certificate need to be obtained before OSCE?
According to the Offensive Security official website, "Cracking the Perimeter (CTP) is the next step for penetration testers who have completed PWK."
CTP is thus defined as the next step after PWK (Penetration Testing with Kali Linux). In fact, the two are very different in terms of training and exam content,
but some PWK topics do touch on what CTP covers.
PWK covers Buffer Overflow vulnerabilities at an intermediate level; in fact, one 25-point question in the OSCP exam was built on exploiting a Buffer Overflow vulnerability. The CTP training and the OSCE exam are almost entirely based on exploiting Buffer Overflow vulnerabilities. Therefore, I think having the OSCP certification will be beneficial for OSCE.
With a basic introduction to BOF, you learn fundamentals such as exploiting existing vulnerabilities in network services, interacting with a shell session, and using Metasploit or automated shellcode generation, all of which should already be mastered in PWK. PWK therefore brings you to a level where you can absorb the new material in CTP. Although the contents of the training and the exam are different, I strongly recommend taking OSCP before OSCE: you will already be familiar with some of the topics, and you will have gained experience with OFFSEC exams, which is very valuable before taking this one.
# What's in CTP training content?
As in the OSWE article, I will not be able to share the full training content, for ethical reasons.
I will share the general topics and leave references to some important issues that have already been shared on the internet.
The course syllabus is published by OffSec. You can access it via the link below.
Offensive Security >> CTP Syllabus
The topics in the training content that directly affect the exam are listed below.
- Information on auxiliary tools such as Debugger, Disassembler, PE Editor, Hex Editor etc.
- Stack based overflows
- SEH - Structured Exception Handlers
- Exploitation of some types of vulnerabilities for web applications
- Bypassing Antivirus Systems
- Bypassing ASLR - Address Space Layout Randomization
- PE Backdoor Manufacturing - Portable Executable
- Generating Egghunters, their usage and working logic
- Changing Offsets and Rebasing
- Identifying Restricted Characters/Bad Chars
- Locating Shellcode With Jumps
- Fuzzing and Exploit Development
- Attacking Network Infrastructure
The training content was prepared by Mati Aharoni, one of the founders of Offensive Security and the developer of the BackTrack/Kali Linux distributions.
In fact, you can see his signature on the certificates you receive. Mati Aharoni uses the nickname "muts", so it is useful to study the exploits muts has published on Exploit-DB; the training walks through these vulnerabilities. You can access them through the link below.
Exploit-DB >> Mati Aharoni (muts) exploits
In addition, I would like to add some other blog posts about OSCE.
Personal blog >> Jack Halon CTP & OSCE Review
Personal blog >> Mike Czumak CTP & OSCE Experience
All of the training content is based on the x86 architecture, so I recommend that you gain a good understanding of 32-bit architecture.
As I always say, a building with a poor foundation can collapse during an earthquake, and knowledge with a poor foundation can collapse too. Along with understanding the architecture, you should learn assembly language. An intermediate level is enough for now: you should at least know what you can do with basic instructions like mov, add, sub, jmp, push, pop, etc. Otherwise you will do a lot of things by rote, and they are unlikely to stay in your mind.
It is also useful to practice with auxiliary tools such as a debugger, disassembler, PE editor and hex editor, because you will use them often.
Before starting the course, you should be familiar with the concepts of exploitation and shellcode. If you are unfamiliar with these, the curriculum and the topics covered may feel overwhelming and discouraging. But don't overestimate them; there is nothing you cannot learn once you have a good foundation.
Understanding binary, hex and ASCII and how to convert between them will be very helpful (important for manual calculations).
If your native language is not English, you should make sure you understand, in your native language, the meaning of every abbreviation and term you have not encountered before.
This applies even to terms like DLL, CPU, RAM, etc. that you have heard and said thousands of times. Learn their expansions and examine their meaning in your native language.
In short, I recommend that you first master every term and structure in your native language. After that, the original name will already be in your mind.
Since the exploitation of web applications is also included in the CTP training and exam, you should master the popular web application vulnerabilities.
In the exam you need to discover, in the source code, the vulnerability that has been placed in the application, and you are expected to exploit it manually.
Almost all of the CTP training is based on BOF, so you should review previously published BOF vulnerabilities. I recommend reproducing them in your own lab environment. This will make you familiar with how memory is corrupted, what needs to be done after the corruption, and how a shell is obtained on the target system through the vulnerability. Then you can easily move on to the advanced level in CTP.
Finally, I suggest that you investigate the anti-exploitation mechanisms (ASLR, DEP, etc.) used by operating systems and examine how they work on the x64 and x86 architectures.
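As an added example (not from the original article), the following Python script reads the DllCharacteristics field of the PE optional header, which is where a Windows x86/x64 binary declares whether it opts into ASLR (DYNAMIC_BASE) and DEP (NX_COMPAT); the flag names and values come from the PE/COFF specification, and the script constructs a minimal PE header inline so it runs offline without a real binary.

```python
import struct

# Bit flags of the PE optional header's DllCharacteristics field
# (values as documented in the PE/COFF specification).
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020  # 64-bit ASLR
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040     # ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100        # DEP opt-in
IMAGE_DLLCHARACTERISTICS_NO_SEH = 0x0400           # image uses no SEH
IMAGE_DLLCHARACTERISTICS_GUARD_CF = 0x4000         # Control Flow Guard


def pe_mitigations(image: bytes) -> dict:
    """Return which mitigations a PE image opts into by parsing its headers."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]  # offset of "PE\0\0"
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    opt = e_lfanew + 4 + 20  # skip signature and the 20-byte COFF file header
    magic = struct.unpack_from("<H", image, opt)[0]
    arch = {0x10B: "PE32 (x86)", 0x20B: "PE32+ (x64)"}.get(magic)
    if arch is None:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dllchar = struct.unpack_from("<H", image, opt + 70)[0]  # DllCharacteristics
    return {
        "arch": arch,
        "aslr": bool(dllchar & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "high_entropy_va": bool(dllchar & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "dep": bool(dllchar & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "no_seh": bool(dllchar & IMAGE_DLLCHARACTERISTICS_NO_SEH),
        "cfg": bool(dllchar & IMAGE_DLLCHARACTERISTICS_GUARD_CF),
    }


def build_test_image(dllchar: int, pe32plus: bool = False) -> bytes:
    """Construct a minimal, non-runnable PE header (test data only) for the parser."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, 0xF0, 0)
    opt = struct.pack("<H", 0x20B if pe32plus else 0x10B) + b"\0" * 68 + struct.pack("<H", dllchar)
    return dos + b"PE\0\0" + coff + opt


if __name__ == "__main__":
    legacy = build_test_image(0)  # constructed: old-style x86 build, nothing enabled
    hardened = build_test_image(0x0040 | 0x0100 | 0x0400 | 0x4000)  # constructed: ASLR/DEP/CFG
    for name, img in (("legacy", legacy), ("hardened", hardened)):
        print(name, pe_mitigations(img))
```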
# What you need to know about the exam
There are four different questions and four different machines in the exam. Two of them are target machines for which no connection information is provided; the other two are debug machines on which you perform your debugging work. In two of the questions, proof.txt must be read from the target machines (the ones with no connection information), and its content must be clearly stated in the report you submit.
The other two are PoC-style questions, which you need to work through step by step on the debug machines and present as a report. Automated exploitation tools are forbidden in the exam, just as in OSWE.
You can review the exam guide on the OffSec official website.
Offensive Security >> OSCE Exam Guide
You can collect a maximum of 90 points in the exam (30+30+15+15). The passing score is 75, so you can afford to miss only one of the 15-point questions.
You have 47 hours and 45 minutes to complete the exam. If you pass the exam, an additional 24-hour reporting period is provided.
# Things that need to be mastered before the exam
You should be familiar with popular web application vulnerabilities, and in particular with how to turn them into RCE.
After obtaining a reverse shell on the target machine as a low-privileged user, you should master the methods that can be used for PrivEsc.
You should understand all of the modules in the lab and have worked through them hands-on during the lab period. In addition, you should practice the topics covered by these modules on previously published vulnerabilities.
All topics under "The topics in the training content that directly affect the exam" that I shared in the training content section must be clearly understood, together with their underlying logic.
That's all I wanted to talk about. You can leave your questions and comments about OSCE in the comments field below. I'll try to answer as much as I can. I hope this has been a useful article.
Ambitious days ;) (AkkuS)