Last year, I completed the OSCP course. In recent weeks, my study buddy Mokaz emailed to ask if I was interested in joining him in the OSCE course. We had both completed OSCP around the same time and the idea sounded appealing but my current workload and commitments won't allow me to commence OSCE before July 2016.
I asked Mokaz if he had some good resources that he used to prepare, and he mentioned he had bought some books on Assembly, and also bought the SLAE course which he recommended as preparation to the OSCE course.
I looked up the SLAE course on-line and it seemed to fill the gap perfectly between OSCP and OSCE. The SLAE course (SecurityTube Linux Assembly Expert) teaches 32-bit low level Assembly programming, with a focus on security. The course comes with a free GDB course which I also enjoyed very much.
For people who are interested in doing the SLAE course, there are two options:
- 1) Completely free. You will need to promote the SLAE course on social networking sites after which you will be sent the courseware for FREE
- 2) Pay 150 US dollars for the full course including the PDF certificate. I personally chose this option as I'm not very active in the social networking world and 150 dollars sounded like a fair price. I don't even have a Twitter account - it's true!
The course is geared to people who have not programmed in Assembly and have little understanding of the CPU, registers, memory and how the low-level CPU works. I found that having some experience with the Linux OS will slightly speed up the course, as you won't have to look up what some of the Linux commands do (sudo/cp/cd etc... - simple stuff), but it is not a requirement.
I got the SLAE materials shortly after paying for the course. The SLAE course comes in the form of videos, slides and a zip file containing the source codes for all modules. I didn't bother opening the slides because the course tutor Vivek is an excellent teacher and I was able to follow what he was explaining by using just the videos.
In the videos, Vivek is sitting in his living room (likely in his home) behind a laptop with a webcam. In the bottom right of the screen, you can see Vivek and somehow I really enjoyed this way of teaching. There were occasional moments where he would take a bottle and drink, or turn the air conditioning up (or down) or you could hear cars hooting in the background - but to me it just made the experience more personal and real. Vivek didn't cut out the mistakes he makes during compilation of source codes, and - as mentioned by Vivek in one of the videos - this is to show students how they can resolve issues they encounter.
My approach was to follow the video, and keep replaying the video until I fully understood all concepts - at times this meant I had to replay a certain part 3-4 times while I was taking notes in my Notepad++. Once I fully understood the concept(s), I would do all the steps that Vivek performed without going back to the videos. This worked well for me, but it certainly isn't the only way to do this course. Vivek mentions at multiple times during the video that there is not a single best way to approach a problem, and sometimes you can achieve the same result with different code. This is encouraged in the course.
The SLAE course consists of 2 parts with approx. 18 modules per part, plus the GDB part, which is another 15 or so modules.
In the GDB part, I learnt how to use the GNU Debugger (GDB), whereas before I started the course I shied away from GDB in favor of graphical debuggers like Immunity, OllyDbg and Evan's Debugger. I never used GDB because I didn't take the time to learn how it works, but it's a great debugger once you get the feel of it. I suggest starting with the GDB part, as gdb is used throughout the course.
In part 1, I learnt about the various registers, the stack, CPU flags and the most popular Assembly instructions like MOV, LEA, PUSH, POP, CALL, etc. I also learnt how Assembly language uses the kernel to make system calls.
In part 2, I learnt about how shellcode works, how to analyze other people's shellcode, and how to write shellcode from scratch in Assembly. I can now confidently write a (small) piece of Assembly code from scratch in a notepad editor which will compile in nasm without even looking at an example or text book - this is because Vivek taught the building blocks of the Assembly code, and how everything interacts.
I thoroughly recommend doing this course if you are thinking about doing OSCE. I could have used a lot of this knowledge in my OSCP course and saved quite a bit of time. Even if you don't think about doing OSCE, I think that this course is absolutely worth a few days of your time - whether you pay the low price of 150 dollars or get it for free by tweeting the course on social networks.
The very last video in the course explains how the exam works. It is, very much like the OSCP and OSCE exams, a fully practical exam - no multiple-choice questions.
Each student is given 7 assignments to complete at the end of the course. If you satisfactorily complete these assignments, then Vivek will send you a PDF with your certificate. I decided I wanted to certify so I will complete the assignments to try and get the certificate.
The instructions are simple:
- There are 7 Assignments of varying difficulty
- I need to post solutions to my personal blog - via wordpress.com, blogger, or my own domain
- I need to create a github account and store all my used code in my github account
- All code I create should be released under the Creative Commons license
- Every blog post must contain the following either at top or bottom:
"This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:
http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/
Student ID: SLAE - <student ID>"
Sounds fair to me, so here are the assignments to pass the exam:
Assignment #1:
- Create a shell_bind_tcp assembly shellcode which:
- binds to a port
- execs shell on incoming connection
- The port number should be easily configurable (for instance via marked byte in shellcode, or a wrapper)
Assignment #2:
- Create a shell_reverse_tcp assembly shellcode which:
- Reverse connects to configured IP and Port
- Execs shell on successful connection
- IP and Port should be easily configurable
Assignment #3:
- Study Egg Hunter shellcode - Vivek wants pupils to research themselves how egg hunters work
- Create a working demo of an egghunter
- The egg hunter should be configurable for different payloads
Assignment #4:
- Create a custom encoding scheme like the "Insertion Encoder" I was shown in the course
- Proof of concept using execve-stack as the shellcode to encode with your scheme and execute
Assignment #5:
- Take up at least 3 shellcode samples created using msfpayload for linux/x86
- Use GDB/Ndisasm/Libemu to dissect the functionality of the shellcode
- Present your analysis on each of the 3 shellcodes
Assignment #6:
- Take up 3 shellcodes from shell-storm and create polymorphic versions of them to beat pattern matching
- The polymorphic versions cannot be larger than 150% of the existing shellcode
- Bonus points for making the polymorphed code shorter in length than the original code
Assignment #7:
- Create a custom crypter like the one shown in the course
- Free to use any existing encryption schema like RC4 or AES
- Can use any programming language
The evaluation criteria:
- Originality of shellcode - how much out of the box can you think?
- Quality of explanation - detailed and insightful and comprehensive analysis
- Each assignment carries 10 marks - need 50 marks
- Certification criteria: Need to score at least 50 of 70 marks
Extra points:
- Posting additional new shellcodes beyond the assignments (10 points)
- Shellcode submitted and accepted by (10 points):
- Shell-storm.org
- Exploit-db.com
- Community Interaction (5 points)
- Chatter on Twitter, Facebook
- Comments on Blog posts
- Tech forum
Submission format:
- Only the pupil's own work will be accepted - no copy/pasting
- Email to: -email removed for privacy and anti-spam purposes-
- Subject: SLAE Exam Blog Posts
- Email contains:
- Links to all 7 blog posts
- Link to GitHub account where code is stored
- Link to Shell-storm / Exploit-db submissions
- Link to Twitter/Facebook if posted there
- It takes around 5 working days to receive the result
So here's my plan - since I want to max out my score ideally:
- Keep a post with my progress on techexams.net - Max 5 points
- Complete all 7 assignments - Max 70 points
- Post additional new shellcodes beyond the assignments - Max 10 points
- Shellcode submitted and accepted by exploit-db.com - Max 10 points
Note: shell-storm.org does not accept new shellcode as explained by them:
"... we have stop (sic) to accept shellcodes because modern exploitation uses now (sic) ROP payloads"
I figured that submitting shellcode to exploit-db.com would take the longest to complete, so I will start with this first. This also happens to be Assignment #1, so I need to make the code good enough that it is accepted on exploit-db.com.
This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:
http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/
Student ID: SLAE - 747