OSCE - JollyFrogs' Tale

JollyFrogsJollyFrogs Member Posts: 97 ■■■□□□□□□□
I have well and truly started preparing for the OSCE now. Unfortunately, things are still very busy at work (my original reason not to do this course any sooner) but it's looking like things will stay busy for a while longer. That's good news since I won't be looking for another job anytime soon, however it means I will not have dedicated time for studying OSCE. I've decided now that I will spend as much time as needed preparing for the OSCE.

So, what have I done to date? Lots already! It's part of the reason to start this post now: If I don't keep track on a weekly basis, I'll forget half the things I did to prepare.

Let's start with what I did over the last couple of days:
Today, I completed the FC4 challenge. The SLAE course really helped me to fully understand the second part of the FC4 challenge. Not only did I complete the challenge but I automated the whole process in Python. Overall it wasn't too hard to automate the FC4 challenge but my lack of Python skills resulted in me taking about 20-30 hours (~3 days) of reading about python modules and string manipulation and coding. I consider myself a beginner Python coder.

I figured there are two things I can do to fix my lack of Python skills:
1) I can take a Python course (SecurityTube offers "Python for Pentesters and Hackers" which is taught by Vivek. I really liked the SLAE32 course which was tutored by Vivek also, so I'm pretty much sold on this course already)
2) Do lots of reading and keep writing more Python scripts

I'll most likely do both, as Python lends itself very well to exploit writing (and, as it turns out, solving OSCE challenges!).

For This is the output of my "fc4solver.py" script (I've kept the print statements generic as to not spoil the challenge for others):

root@kali20:~/osce# python fc4solver.py test3@nowhere3.com
Using email address: test3@nowhere3.com
Retrieving http://www.fc4.me
Solving first challenge...
Security String: f2d91faf22b2953285201f1e7391343b
Sending HTTP POST request to http://www.fc4.me
Solving second challenge...

Registration Code: 25408
Secret Key: b6cc34cb4c8c6ee880424e2a14c8ae2e58623d231fa6a12f0b9d46633d9433a95d516e5e07d0b401d595dba0f22a8558a8d2de0b449ea9c63ec91bd2085be65e
root@kali20:~/osce# python fc4solver.py test4@nowhere4.com
Using email address: test4@nowhere4.com
Retrieving http://www.fc4.me
Solving first challenge...
Security String: f2d91faf22b2953285201f1e7391343b
Sending HTTP POST request to http://www.fc4.me
Solving second challenge...

Registration Code: 25409
Secret Key: 73e04e5ec6824d799836372f778f5f9d8098b5f613cebecd8ae62e715b413b5797f26d8869ac16507fdc653f626343a270e45024e8d656fd95b365449ebab611

Before these last few days, I've been reading up on blog posts and forums on other people's experience.
These are the things I took away from blogs and forums about OSCE (They might not be correct!):
- The exam is the hard part -- expect to learn as much in the exam as in the whole course
- A lot of people fail their first exam try due to not having understood the concepts well enough
- There are 4 hosts in the exam, and you'll need to crack most or even all to get enough points
- There is one host in particular that is difficult: Most people got stuck for 12-20 hours on this one
- There are two that take most people 1-5 hours each. And another that takes about 10 hours total.
- So that's 5+5+10+20 hours = 40 hours... pretty spot on since the total time allotted for this exam is 48 hours
- Basic python skills are critical for this course -- Advanced Python skills make this course a whole lot easier
- Basic Assembly skills are critical for this course -- Advanced Assembly skills make this course a whole lot easier
- The concepts do touch on ASLR but not DEP and ROP as far as I understand
- Corelan and Fuzzylogic seem to be two sites that everyone recommends so I'll be preparing there as well
- People recommend a plethora of books, mostly Assembly books, I will read as many as I believe necessary
- Most of the course is spent in a debugger (OllyDbg/ImmunityDebugger)
- Most people indicate 30 days is enough exam time (as opposed to 90 days for OSCP for instance)

Similar to my earlier OSCP challenge, I have challenged myself to complete this exam on the first try, with a 100% score.

That's it for my first post, I'll try to post updates on at least a weekly basis.


  • MooseboostMooseboost Member Posts: 778 ■■■■□□□□□□
    Looking forward to following this thread! You definitely seem to be the kind of person who makes sure they are ready for the challenge. I except your OSCE thread to be every bit as good as the OSCP one was.
  • JoJoCal19JoJoCal19 Mod Posts: 2,835 Mod
    Excited to follow your journey in this thread.
    Have: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CSAA, AWS CCP, OCI Foundations Associate, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
    Currently Working On: Python, OSCP Prep
    Next Up:​ OSCP
    Studying:​ Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework
  • unkn0wnsh3llunkn0wnsh3ll Member Posts: 68 ■■□□□□□□□□
    Hi Jollyfrogs,

    Good to see your thread on OSCE, You are one Kind of Motivator in Offsec course when I see myself feeling down.... Keep up good work, Looking forward for your journey.... Good luck

  • JollyFrogsJollyFrogs Member Posts: 97 ■■■□□□□□□□
    Ok, time for an update! Over the last 2 weeks I've been busy reconstructing the course materials. Starting with the syllabus, then visiting a lot of various blogs and forums, I was able to reconstruct the 9 exercises. I've brought back to life some ISOs of old operating systems, namely Windows XP SP0 (no service pack), Windows 2003 SP1, and Windows Vista SP0 (no service pack) - I still had these laying around in an old CDrom container, lucky me!

    The exercises range from:
    XSS (OSCP prepared me enough for that)
    Manually modifying an .exe file to inject shellcode (essentially what msfvenom does automatically with the -x option)
    Bypassing anti-virus systems (SLAE opened the door and showed how to do this on Linux but I need to practice on Windows as well)
    ASLR and DEP bypass (plenty of online blogs and training resources, corelan seems to be favored here)
    Fuzzing (again, plenty of good resources out there like Sulley and Spike)
    NNM 7.51 exploit (complete with a "shameless plug" to "Backtrack to the Max" here: https://www.exploit-db.com/exploits/5342/)
    Cisco SNMP exploit (Exploiting Cisco Routers - From Vulnerability to Exploit - Praise for Gray Hat Hacking: The Ethical Hacker?s Handbook, Fourth Edition (2015) and Cisco SNMP configuration attack with a GRE tunnel | Symantec Connect)

    So I'm currently rebuilding each of these exercises in my own lab. I know - I'm probably just wasting time - but since I only have weekends to do these exercises, I want to be well prepared before going in to the real labs. I've created a few XSS and manual exe modification exercises, and I'm about to move in to AV bypassing. I'm automating every exercise in Python, even the XSS exploits where my python script (threaded!) will listen on a port while sending out the XSS exploit etc. Of course, it takes a lot of time to program these scripts but I'm learning all the time. I really wish I'd done the SecurityTube Python course first... and I might either do it in the middle of the exercises, or before the labs but I will definitely do it before the exam as I feel it is one of my weak areas and it's really slowing down my progress.

    I'll be sharing some of these scripts via Github. I've kept meticulous notes on the various exercises I've done which I'll be sharing over the next couple of weeks. I will only share what I'm permitted to do by Offensive Security obviously.
  • bluesquirrelbluesquirrel Member Posts: 43 ■■□□□□□□□□
    Good luck with this new adventure and thank you very much for sharing it with us!
  • JollyFrogsJollyFrogs Member Posts: 97 ■■■□□□□□□□
    It's been a while since I posted and I thought it would be good to write about my progress. I haven't updated this post because I was busy with various other things. I was requested at work to do another course in August, I still have my SecurityTube Forensic course to complete (I've decided to postpone starting that one until after the OSCE), I've also assisted an OEM manufacturer with fixing some security flaws including remote unauthenticated root RCE (they sent me two of their high-end devices as a thank-you present), I've had some pretty busy and big projects at work, and I'm helping my elderly neighbor with the installation of a new PC, an Amazon FireTV (she loves Game of Thrones) and setting up her wireless network and teaching her to browse the web safely. And of course I've been very busy with the OSCE itself. I've done so much reading and concentrating of late that my eyes actually were starting to dry out and hurt a little (not kidding) so I've had to use some eye drops and some forced breaks (no reading about overflows on my mobile phone for 2 days, no computer at night for two days (ouch!). Instead, I had some time to enjoy movies and series with my partner which we both enjoyed. She's very supportive of what I do which helps tremendously.

    So, I've rebooked my OSCE which was originally scheduled to start this Sunday, to early September, in order to be able to sit the other (5-day) course from work. Had I known what I know now, I believe I would have moved OSCE either way because I'm not ready for OSCE.

    The more I read, the more I learn, and the more I learn the more I know that I don't know as much as I thought I knew. I'm starting to understand why so many students fail their first exam try: They simply weren't ready. I know I'm not ready. That doesn't mean my aim has changed: I will achieve a 100% passing score in the exam - I just need to study harder, focus on my weak areas more, and automate as much as possible to save time on the exam for surprise events. The phrase "Try Harder" is well chosen.

    So what have I completed in the last few weeks, apart from non-OSCE related things:
    - I finished reading as many reviews as I could find online and sorted them by usefulness. There are 100s of reviews out there and I have read most of them. The reviews come with varying levels of usefulness in terms of what to expect from the course and the exam. I list below the ones I found most useful (in no particular order):
    Offensive Security's CTP and OSCE - My Experience - Security SiftSecurity Sift
    OSCE and Me
    Offensive Security CTP Course and OSCE Certification Review
    Your Friendly Neighbourhood Ethical Hacker • OSCE Exam Prep
    Shellcoding for Linux and Windows Tutorial
    0x5 Course Review: Cracking The Perimeter (OSCE)
    OSCE Review
    tekwizz123's Blog: OSCE Review and Experience

    Based on these reviews, I was able to get quite a lot of information about the course, as well as the exam - even though individually these reviews do not give very much away. I've started creating my own lab using VirtualBox and am creating various exercises relating to the course. I'm using a Windows 2003 machine and a Windows Vista machine to create various exercises. I'm not sure I've got the correct programs to exploit, but that doesn't matter - it's the methods that count. I've automated various XSS exploits via a multi-threaded Python script (I'll share my scripts after I start the course through a GitHub account).

    A few people have asked on the IRC channel whether I would be creating my own blog or website. I haven't yet concluded whether to create one or not. On one hand I like the idea of having a blog, but it would be yet another thing to add to my ever growing list of things to do. But I must admit that something like jollyfrogs.ninja does have a ring to it.

    Apart from having finished reading many, many reviews, I've also compiled a list of "Expected curve balls". I have covered off a lot of possible curve balls that OffSec can throw at me during the exam, but I silently hope to be pleasantly surprised and see a new type of curve ball during the exam - if only to learn more. I'm not sure whether I can share my "Expected curve balls" list yet because I could be giving away actual exam tips which is against the OffSec policy - so for now I will keep the list in my KeepNote.

    I've also completed a list of "practice sites" which contain material I can use to practice. There's a whole bunch of sites on the list, and I'm not yet sure how effective these sites are compared to the OSCE materials, so I'll share this list once I start in early September. And finally, I've compiled a list of tutorial sites. The main difference between practice and tutorial sites being that tutorials are guided, typically with screenshots and explanations, whereas for the practice sites I will be more on my own (the practice sites contain exploit-db articles for instance, whereas the tutorial sites include sites like corelan and fuzzysecurity).

    I've also updated my OSCP Kali 2.0 VM which I still had laying around and I've installed various tools I think I might need either during practice of during the exam. I'll be sharing my OSCE VM installation installation guide after completing the labs; this ensures that all tools etc are included and I don't end up confusing people with differing versions of installation guides. I've created various .asm and .py snippets, and also some larger pieces of code like my fc4_solver.py.

    So where to from here? There is still a lot of work to do before I start the labs. I want to maximize my time in the OSCE labs much like I did on the OSCP. The various things I need to research are fuzzing with various fuzzing tools, SEH exploits, shellcode restrictions like ascii-only shellcode, egghunters and ASLR bypass. Overall, I'm starting to see the light at the end of the tunnel: I finally have a (probably way too extensive) list of research I need to do, I have a destination, and am ready to engage at warp 9.
  • eth0eth0 Member Posts: 86 ■■□□□□□□□□
    Good thread, I also want take OSCE and I am in middle (or even less) of SLAE.

    Can you share your GitHub login? I want subscribe and will wait for your scripts :).
  • rex0rrex0r Member Posts: 31 ■■□□□□□□□□
    JollyFrogs wrote: »
    The more I read, the more I learn, and the more I learn the more I know that I don't know as much as I thought I knew.

    Truer words never spoken!! I feel the exact way you feel. But it only encourages me, as I'm sure it does you too. The hunger really excites me. Its a fascinating world we live in.

    Thanks for all of your wonderful information.
  • 2230622306 Member Posts: 223 ■■□□□□□□□□
  • ChopteethChopteeth Member Posts: 10 ■□□□□□□□□□
    Also looking forward to the OSCE, but will wait for your tale to end first :)
  • JollyFrogsJollyFrogs Member Posts: 97 ■■■□□□□□□□
    Just a quick update that I've got tons of notes but haven't had time to write a post yet - trying to maximize my time in the labs as I only have a month and work's busy so can only study during weekends. I've completed all the exercises, now updating notes and redo-ing the exercises without guide.
  • mokazmokaz Member Posts: 172
    So Jolly,

    What up with this ??? hehe.. Looking forward to read more =)
    By the time, i've smashed my 1st DEP bypass exploit with a ROP chain at VirtualProtect() works just so great !!!

    Hope to read from you soon,
  • chrisonechrisone Member Posts: 2,278 ■■■■■■■■■□
    Great work so far! very interesting and motivating your journey has become!
    Certs: CISSP, EnCE, OSCP, CRTP, eCTHPv2, eCPPT, eCIR, LFCS, CEH, SPLK-1002, SC-200, SC-300, AZ-900, AZ-500, VHL:Advanced+
    2023 Cert Goals: SC-100, eCPTX
  • DataFoxDataFox Member Posts: 11 ■■□□□□□□□□
    Hey Jolly,
    Hows are things coming with the OSCE, your OSCP notes have been a great help :)
  • FermionFermion Registered Users Posts: 3 ■□□□□□□□□□
    Hey JollyFrogs, I'll keep this brief. I know your time is valuable. I would just like some advice.

    I have the opportunity through work to take an AccessData forensics course, or continue the Python for Pentesters and Hackers course. My employer will pay for either, but not both. I'm currently a Jr. Network Admin with a CCNA, Security+, and 2 years of networking experience, and dual Associates in Networking/Cybersecurity.

    In summary, I'm looking to get into the pen testing field in the next 2-3 years. Is forensics important, or should I focus on Python & Networking (CCNP R&S), considering my background?

    I really hope this isn't considered a hijack. I would never impose on your thread like that, I respect you too much. I will totally delete this reply if it is deemed inappropriate for this thread.

    Good luck with your OSCE. I can only hope to one day be where you are.
  • MooseboostMooseboost Member Posts: 778 ■■■■□□□□□□
    I will admit I am curious here JF is on this these days.

    Always love following their threads.
  • JoJoCal19JoJoCal19 Mod Posts: 2,835 Mod
    I'm curious on how he's doing as well.

    @Fermion, I would copy what you pasted there and then start a new thread with it as you will get a ton more replies that way.
    Have: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CSAA, AWS CCP, OCI Foundations Associate, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
    Currently Working On: Python, OSCP Prep
    Next Up:​ OSCP
    Studying:​ Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework
  • JollyFrogsJollyFrogs Member Posts: 97 ■■■□□□□□□□
    Hey Guys,

    Haven't had much time to update this thread as I've spent ALL my time practicing for the exam. The PDF is deceptively small, and I thought I'd had plenty of time to update as I went. However, the rabbit hole is almost endless, and I've found that a simple ~140 page PDF has turned into a massive 10.000 page reading material. I've kept plenty of notes, including all the reading materials, which I'll be sharing like on the OSCP. My exam is in 4 days, and I'll be keeping you updated on whether I pass or fail. Right now, I've prepared fairly well for the exam and am comfortable in most areas that whatever they throw at me I'll be able to fix. The question is: Can I do it within 48 hours?

    The Frog
  • the_Grinchthe_Grinch Member Posts: 4,165 ■■■■■■■■■■
    Can't wait to see the PASSED post!
    Intro to Discrete Math
    Programming Languages
    Work stuff
  • xxxkaliboyxxxxxxkaliboyxxx Member Posts: 466
    Good luck mate, get that coffee ready!
    Studying: GPEN
    : SANS SEC560
    Upcoming Exam: GPEN
  • MooseboostMooseboost Member Posts: 778 ■■■■□□□□□□
    I know Jolly is going to ace this - looking forward for the passing post and the awesome review that I know will be written.
  • JoJoCal19JoJoCal19 Mod Posts: 2,835 Mod
    Good luck on the exam!! Can't wait to read your review and overall experience.
    Have: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CSAA, AWS CCP, OCI Foundations Associate, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
    Currently Working On: Python, OSCP Prep
    Next Up:​ OSCP
    Studying:​ Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework
  • bluesquirrelbluesquirrel Member Posts: 43 ■■□□□□□□□□
    Best of luck for the exam JollyFrogs !!!
  • winona_ryderwinona_ryder Member Posts: 42 ■□□□□□□□□□
    Exam tomorrow then? Break a leg mate
  • JollyFrogsJollyFrogs Member Posts: 97 ■■■□□□□□□□
    The exam is in 1 hour. I woke up early this morning as expected (04:15) probably due to the excitement of the exam. I did go to bed at 21:00 yesterday so I still had a decent sleep. Took the week off work to get this exam out of the way, and also because it's my birthday this week and I felt like a holiday :)

    Yesterday (Sunday):
    - Charged my phone - I'll need it to get my two-factor token to log in to work email (offsec email will be going to work email)
    - Watched some series and movies from 16:00 to relax so I could go to bed early. Figured if I didn't know what I need to know by then, it won't make a (positive) difference anyhow.
    - Compiled the DirtyCow insta-win exploit that came out 4 days ago just in case I get a Linux box on the exam (how lucky would that be)
    - Checked my scripts, backed up my scripts to another disk just in case, verified I have access to my old windows versions (XP/2003/etc) with all possible service pack combinations. Installed WinXP SP0, SP1a,SP2,SP3,Win2003 SP0,SP1,SP2 in Virtualbox (original CDs and licenses bought from ebay a while back - cheap as chips)

    This morning (Monday):
    - Mostly waiting - hanging out on IRC until I get the mail. Prepped some food and chilling with some music.
    - Shower: Check - Shave: Check - Toilet: Check

    Today's strategy:
    Hardest objective first (most points). Easy objectives only if totally stuck.

    Goal for today: To complete the hardest objective, and to start work on the second-hardest objective
  • JollyFrogsJollyFrogs Member Posts: 97 ■■■□□□□□□□
    Ok, connected to the VPN (had to do some firewall stuff), and downloaded exam info. Now on to the machines. Starting with the heavy ones first.
  • winona_ryderwinona_ryder Member Posts: 42 ■□□□□□□□□□
    Good luck mate, kill it
  • JollyFrogsJollyFrogs Member Posts: 97 ■■■□□□□□□□
    It's been 3 hours, and haven't gotten anywhere.
    Time for some "Vangelis - Light and Shadow" :D
  • JollyFrogsJollyFrogs Member Posts: 97 ■■■□□□□□□□
    Spent a lot of time on the hard ones getting nowhere. Moved on to the simple ones now.
  • JollyFrogsJollyFrogs Member Posts: 97 ■■■□□□□□□□
    Ok, the simple ones are done! "Only" the hard ones remaining :D
Sign In or Register to comment.