OSCE - JollyFrogs' Tale

I have well and truly started preparing for the OSCE now. Unfortunately, things are still very busy at work (my original reason not to do this course any sooner) but it's looking like things will stay busy for a while longer. That's good news since I won't be looking for another job anytime soon, however it means I will not have dedicated time for studying OSCE. I've decided now that I will spend as much time as needed preparing for the OSCE.

So, what have I done to date? Lots already! It's part of the reason to start this post now: If I don't keep track on a weekly basis, I'll forget half the things I did to prepare.

Let's start with what I did over the last couple of days:
Today, I completed the FC4 challenge. The SLAE course really helped me to fully understand the second part of the FC4 challenge. Not only did I complete the challenge but I automated the whole process in Python. Overall it wasn't too hard to automate the FC4 challenge but my lack of Python skills resulted in me taking about 20-30 hours (~3 days) of reading about python modules and string manipulation and coding. I consider myself a beginner Python coder.

I figured there are two things I can do to fix my lack of Python skills:
1) I can take a Python course (SecurityTube offers "Python for Pentesters and Hackers" which is taught by Vivek. I really liked the SLAE32 course which was tutored by Vivek also, so I'm pretty much sold on this course already)
2) Do lots of reading and keep writing more Python scripts

I'll most likely do both, as Python lends itself very well to exploit writing (and, as it turns out, solving OSCE challenges!).

For This is the output of my "fc4solver.py" script (I've kept the print statements generic as to not spoil the challenge for others):

root@kali20:~/osce# python fc4solver.py test3@nowhere3.com
Using email address: test3@nowhere3.com
Retrieving http://www.fc4.me
Solving first challenge...
Security String: f2d91faf22b2953285201f1e7391343b
Sending HTTP POST request to http://www.fc4.me
Solving second challenge...

Registration Code: 25408
Secret Key: b6cc34cb4c8c6ee880424e2a14c8ae2e58623d231fa6a12f0b9d46633d9433a95d516e5e07d0b401d595dba0f22a8558a8d2de0b449ea9c63ec91bd2085be65e
root@kali20:~/osce# python fc4solver.py test4@nowhere4.com
Using email address: test4@nowhere4.com
Retrieving http://www.fc4.me
Solving first challenge...
Security String: f2d91faf22b2953285201f1e7391343b
Sending HTTP POST request to http://www.fc4.me
Solving second challenge...

Registration Code: 25409
Secret Key: 73e04e5ec6824d799836372f778f5f9d8098b5f613cebecd8ae62e715b413b5797f26d8869ac16507fdc653f626343a270e45024e8d656fd95b365449ebab611

Before these last few days, I've been reading up on blog posts and forums on other people's experience.
These are the things I took away from blogs and forums about OSCE (They might not be correct!):
- The exam is the hard part -- expect to learn as much in the exam as in the whole course
- A lot of people fail their first exam try due to not having understood the concepts well enough
- There are 4 hosts in the exam, and you'll need to crack most or even all to get enough points
- There is one host in particular that is difficult: Most people got stuck for 12-20 hours on this one
- There are two that take most people 1-5 hours each. And another that takes about 10 hours total.
- So that's 5+5+10+20 hours = 40 hours... pretty spot on since the total time allotted for this exam is 48 hours
- Basic python skills are critical for this course -- Advanced Python skills make this course a whole lot easier
- Basic Assembly skills are critical for this course -- Advanced Assembly skills make this course a whole lot easier
- The concepts do touch on ASLR but not DEP and ROP as far as I understand
- Corelan and Fuzzylogic seem to be two sites that everyone recommends so I'll be preparing there as well
- People recommend a plethora of books, mostly Assembly books, I will read as many as I believe necessary
- Most of the course is spent in a debugger (OllyDbg/ImmunityDebugger)
- Most people indicate 30 days is enough exam time (as opposed to 90 days for OSCP for instance)

Similar to my earlier OSCP challenge, I have challenged myself to complete this exam on the first try, with a 100% score.

That's it for my first post, I'll try to post updates on at least a weekly basis.

Find more posts tagged with

Comments

Mooseboost

Looking forward to following this thread! You definitely seem to be the kind of person who makes sure they are ready for the challenge. I except your OSCE thread to be every bit as good as the OSCP one was.

JoJoCal19

Excited to follow your journey in this thread.

unkn0wnsh3ll

Hi Jollyfrogs,

Good to see your thread on OSCE, You are one Kind of Motivator in Offsec course when I see myself feeling down.... Keep up good work, Looking forward for your journey.... Good luck

Ciao

JollyFrogs

Ok, time for an update! Over the last 2 weeks I've been busy reconstructing the course materials. Starting with the syllabus, then visiting a lot of various blogs and forums, I was able to reconstruct the 9 exercises. I've brought back to life some ISOs of old operating systems, namely Windows XP SP0 (no service pack), Windows 2003 SP1, and Windows Vista SP0 (no service pack) - I still had these laying around in an old CDrom container, lucky me!

The exercises range from:
XSS (OSCP prepared me enough for that)
Manually modifying an .exe file to inject shellcode (essentially what msfvenom does automatically with the -x option)
Bypassing anti-virus systems (SLAE opened the door and showed how to do this on Linux but I need to practice on Windows as well)
ASLR and DEP bypass (plenty of online blogs and training resources, corelan seems to be favored here)
Fuzzing (again, plenty of good resources out there like Sulley and Spike)
NNM 7.51 exploit (complete with a "shameless plug" to "Backtrack to the Max" here: https://www.exploit-db.com/exploits/5342/)
Cisco SNMP exploit (Exploiting Cisco Routers - From Vulnerability to Exploit - Praise for Gray Hat Hacking: The Ethical Hacker?s Handbook, Fourth Edition (2015) and Cisco SNMP configuration attack with a GRE tunnel | Symantec Connect)

So I'm currently rebuilding each of these exercises in my own lab. I know - I'm probably just wasting time - but since I only have weekends to do these exercises, I want to be well prepared before going in to the real labs. I've created a few XSS and manual exe modification exercises, and I'm about to move in to AV bypassing. I'm automating every exercise in Python, even the XSS exploits where my python script (threaded!) will listen on a port while sending out the XSS exploit etc. Of course, it takes a lot of time to program these scripts but I'm learning all the time. I really wish I'd done the SecurityTube Python course first... and I might either do it in the middle of the exercises, or before the labs but I will definitely do it before the exam as I feel it is one of my weak areas and it's really slowing down my progress.

I'll be sharing some of these scripts via Github. I've kept meticulous notes on the various exercises I've done which I'll be sharing over the next couple of weeks. I will only share what I'm permitted to do by Offensive Security obviously.

bluesquirrel

Good luck with this new adventure and thank you very much for sharing it with us!

JollyFrogs

It's been a while since I posted and I thought it would be good to write about my progress. I haven't updated this post because I was busy with various other things. I was requested at work to do another course in August, I still have my SecurityTube Forensic course to complete (I've decided to postpone starting that one until after the OSCE), I've also assisted an OEM manufacturer with fixing some security flaws including remote unauthenticated root RCE (they sent me two of their high-end devices as a thank-you present), I've had some pretty busy and big projects at work, and I'm helping my elderly neighbor with the installation of a new PC, an Amazon FireTV (she loves Game of Thrones) and setting up her wireless network and teaching her to browse the web safely. And of course I've been very busy with the OSCE itself. I've done so much reading and concentrating of late that my eyes actually were starting to dry out and hurt a little (not kidding) so I've had to use some eye drops and some forced breaks (no reading about overflows on my mobile phone for 2 days, no computer at night for two days (ouch!). Instead, I had some time to enjoy movies and series with my partner which we both enjoyed. She's very supportive of what I do which helps tremendously.

So, I've rebooked my OSCE which was originally scheduled to start this Sunday, to early September, in order to be able to sit the other (5-day) course from work. Had I known what I know now, I believe I would have moved OSCE either way because I'm not ready for OSCE.

The more I read, the more I learn, and the more I learn the more I know that I don't know as much as I thought I knew. I'm starting to understand why so many students fail their first exam try: They simply weren't ready. I know I'm not ready. That doesn't mean my aim has changed: I will achieve a 100% passing score in the exam - I just need to study harder, focus on my weak areas more, and automate as much as possible to save time on the exam for surprise events. The phrase "Try Harder" is well chosen.

So what have I completed in the last few weeks, apart from non-OSCE related things:
- I finished reading as many reviews as I could find online and sorted them by usefulness. There are 100s of reviews out there and I have read most of them. The reviews come with varying levels of usefulness in terms of what to expect from the course and the exam. I list below the ones I found most useful (in no particular order):
Offensive Security's CTP and OSCE - My Experience - Security SiftSecurity Sift
OSCE and Me
Offensive Security CTP Course and OSCE Certification Review
Your Friendly Neighbourhood Ethical Hacker • OSCE Exam Prep
https://blog.g0tmi1k.com/2013/08/cracking-perimeter-ctp-offensive/
https://infamoussyn.com/resources/
Shellcoding for Linux and Windows Tutorial
0x5 Course Review: Cracking The Perimeter (OSCE)
OSCE Review
tekwizz123's Blog: OSCE Review and Experience
https://networkfilter.blogspot.sg/2016/01/my-osce-review.html

Based on these reviews, I was able to get quite a lot of information about the course, as well as the exam - even though individually these reviews do not give very much away. I've started creating my own lab using VirtualBox and am creating various exercises relating to the course. I'm using a Windows 2003 machine and a Windows Vista machine to create various exercises. I'm not sure I've got the correct programs to exploit, but that doesn't matter - it's the methods that count. I've automated various XSS exploits via a multi-threaded Python script (I'll share my scripts after I start the course through a GitHub account).

A few people have asked on the IRC channel whether I would be creating my own blog or website. I haven't yet concluded whether to create one or not. On one hand I like the idea of having a blog, but it would be yet another thing to add to my ever growing list of things to do. But I must admit that something like jollyfrogs.ninja does have a ring to it.

Apart from having finished reading many, many reviews, I've also compiled a list of "Expected curve balls". I have covered off a lot of possible curve balls that OffSec can throw at me during the exam, but I silently hope to be pleasantly surprised and see a new type of curve ball during the exam - if only to learn more. I'm not sure whether I can share my "Expected curve balls" list yet because I could be giving away actual exam tips which is against the OffSec policy - so for now I will keep the list in my KeepNote.

I've also completed a list of "practice sites" which contain material I can use to practice. There's a whole bunch of sites on the list, and I'm not yet sure how effective these sites are compared to the OSCE materials, so I'll share this list once I start in early September. And finally, I've compiled a list of tutorial sites. The main difference between practice and tutorial sites being that tutorials are guided, typically with screenshots and explanations, whereas for the practice sites I will be more on my own (the practice sites contain exploit-db articles for instance, whereas the tutorial sites include sites like corelan and fuzzysecurity).

I've also updated my OSCP Kali 2.0 VM which I still had laying around and I've installed various tools I think I might need either during practice of during the exam. I'll be sharing my OSCE VM installation installation guide after completing the labs; this ensures that all tools etc are included and I don't end up confusing people with differing versions of installation guides. I've created various .asm and .py snippets, and also some larger pieces of code like my fc4_solver.py.

So where to from here? There is still a lot of work to do before I start the labs. I want to maximize my time in the OSCE labs much like I did on the OSCP. The various things I need to research are fuzzing with various fuzzing tools, SEH exploits, shellcode restrictions like ascii-only shellcode, egghunters and ASLR bypass. Overall, I'm starting to see the light at the end of the tunnel: I finally have a (probably way too extensive) list of research I need to do, I have a destination, and am ready to engage at warp 9.

eth0

Good thread, I also want take OSCE and I am in middle (or even less) of SLAE.

Can you share your GitHub login? I want subscribe and will wait for your scripts

rex0r

JollyFrogs wrote: »

The more I read, the more I learn, and the more I learn the more I know that I don't know as much as I thought I knew.

Truer words never spoken!! I feel the exact way you feel. But it only encourages me, as I'm sure it does you too. The hunger really excites me. Its a fascinating world we live in.

Thanks for all of your wonderful information.

22306

maybe this? https://github.com/JollyFrogs

Chopteeth

Also looking forward to the OSCE, but will wait for your tale to end first

JollyFrogs

Just a quick update that I've got tons of notes but haven't had time to write a post yet - trying to maximize my time in the labs as I only have a month and work's busy so can only study during weekends. I've completed all the exercises, now updating notes and redo-ing the exercises without guide.

mokaz

So Jolly,

What up with this ??? hehe.. Looking forward to read more

By the time, i've smashed my 1st DEP bypass exploit with a ROP chain at VirtualProtect() works just so great !!!

Hope to read from you soon,
Mokaz

chrisone

Great work so far! very interesting and motivating your journey has become!

DataFox

Hey Jolly,
Hows are things coming with the OSCE, your OSCP notes have been a great help

Fermion

Hey JollyFrogs, I'll keep this brief. I know your time is valuable. I would just like some advice.

I have the opportunity through work to take an AccessData forensics course, or continue the Python for Pentesters and Hackers course. My employer will pay for either, but not both. I'm currently a Jr. Network Admin with a CCNA, Security+, and 2 years of networking experience, and dual Associates in Networking/Cybersecurity.

In summary, I'm looking to get into the pen testing field in the next 2-3 years. Is forensics important, or should I focus on Python & Networking (CCNP R&S), considering my background?

I really hope this isn't considered a hijack. I would never impose on your thread like that, I respect you too much. I will totally delete this reply if it is deemed inappropriate for this thread.

Good luck with your OSCE. I can only hope to one day be where you are.

Mooseboost

I will admit I am curious here JF is on this these days.

Always love following their threads.

JoJoCal19

I'm curious on how he's doing as well.

@Fermion, I would copy what you pasted there and then start a new thread with it as you will get a ton more replies that way.

JollyFrogs

Hey Guys,

Haven't had much time to update this thread as I've spent ALL my time practicing for the exam. The PDF is deceptively small, and I thought I'd had plenty of time to update as I went. However, the rabbit hole is almost endless, and I've found that a simple ~140 page PDF has turned into a massive 10.000 page reading material. I've kept plenty of notes, including all the reading materials, which I'll be sharing like on the OSCP. My exam is in 4 days, and I'll be keeping you updated on whether I pass or fail. Right now, I've prepared fairly well for the exam and am comfortable in most areas that whatever they throw at me I'll be able to fix. The question is: Can I do it within 48 hours?

Cheers,
The Frog

the_Grinch

Can't wait to see the PASSED post!

xxxkaliboyxxx

Good luck mate, get that coffee ready!

Mooseboost

I know Jolly is going to ace this - looking forward for the passing post and the awesome review that I know will be written.

JoJoCal19

Good luck on the exam!! Can't wait to read your review and overall experience.

bluesquirrel

Best of luck for the exam JollyFrogs !!!

winona_ryder

Exam tomorrow then? Break a leg mate

JollyFrogs

The exam is in 1 hour. I woke up early this morning as expected (04:15) probably due to the excitement of the exam. I did go to bed at 21:00 yesterday so I still had a decent sleep. Took the week off work to get this exam out of the way, and also because it's my birthday this week and I felt like a holiday

Yesterday (Sunday):
- Charged my phone - I'll need it to get my two-factor token to log in to work email (offsec email will be going to work email)
- Watched some series and movies from 16:00 to relax so I could go to bed early. Figured if I didn't know what I need to know by then, it won't make a (positive) difference anyhow.
- Compiled the DirtyCow insta-win exploit that came out 4 days ago just in case I get a Linux box on the exam (how lucky would that be)
- Checked my scripts, backed up my scripts to another disk just in case, verified I have access to my old windows versions (XP/2003/etc) with all possible service pack combinations. Installed WinXP SP0, SP1a,SP2,SP3,Win2003 SP0,SP1,SP2 in Virtualbox (original CDs and licenses bought from ebay a while back - cheap as chips)

This morning (Monday):
- Mostly waiting - hanging out on IRC until I get the mail. Prepped some food and chilling with some music.
- Shower: Check - Shave: Check - Toilet: Check

Today's strategy:
Hardest objective first (most points). Easy objectives only if totally stuck.

Goal for today: To complete the hardest objective, and to start work on the second-hardest objective

JollyFrogs

Ok, connected to the VPN (had to do some firewall stuff), and downloaded exam info. Now on to the machines. Starting with the heavy ones first.

winona_ryder

Good luck mate, kill it

JollyFrogs

It's been 3 hours, and haven't gotten anywhere.
Time for some "Vangelis - Light and Shadow"

JollyFrogs

Spent a lot of time on the hard ones getting nowhere. Moved on to the simple ones now.

JollyFrogs

Ok, the simple ones are done! "Only" the hard ones remaining