It was the summer of 2018, and I had my OSCP for over a year now. While the Penetration Testing with Kali Linux course was great and challenging, I still had this hunger for honing my skills further and learn more about penetration testing, and especially more about exploit development. It was a lot of fun to exploit buffer overflows in the PWK course and I wanted to learn more about it.
I already had set my eyes on the CTP course for a while, but due to my job at that moment I didn’t had enough free time to pursue this further since my job required me to travel quite far and I always returned home in the late evenings. I wouldn’t have had the energy to continue studying. Some months later, I switched jobs in November and was now working much closer to where I live. This also meant for me that I had more spare time. I immediately took that chance and registered myself for the CTP course.
In the sections below you will read about how I’ve experienced the CTP course, along with all it’s fun moments it had and — of course — with all the pain and sufferance that Offsec brought down on me 🙂 Enjoy the ride.
What is the Cracking The Perimeter course?
The Cracking The Perimeter course (CTP) is an advanced penetration testing course, provided by Offensive Security. This course is among one of the most difficult and challenging courses there is in the infosec sector (there’s still AWAE and AWE that are even more advanced). The course itself will focus on topics like:
- Advanced web attacks
- Backdooring Windows PE’s / AV Bypass
- Windows exploit development
- Networking attacks
Who is this course for?
This course is focused towards penetration testers and people who are interested in learning more about exploit development, as this course is highly focused towards that. This course is not an introductory course as you are required to already have some experience with debuggers like ImmunityDebugger or Ollybdg and have a basic understanding of how buffer overflows work. Having knowledge about assembly is also a must. Students are also expected to do research on their own, as the course will sometimes leave out information that requires you to do extra research in order to fully understand certain concepts.
The OSCE exam
The OSCE exam is an online 48-hour practical exam that requires you to exploit multiple machines, while documenting your findings and writing a professional penetration testing report. The exam is also quite different than the exam that you will face during the OSCP exam. You are required to earn 75 out of 90 points to pass the exam.
The exam differs from the OSCP exam as the goal is to not always root a machine. Offsec wants to make sure that you understand the topics that are taught in the course and that you can apply them in other situations as well.
When am I ready to take the course?
If you can answer “yes” to the following checklist, then you’re good to go:
- You have a good understanding of Intel x86 assembly.
- You are familiar with the concept of buffer overflows and basic exploit development.
- You know how memory, registers and the stack work.
- You are familiar with debuggers like ImmunityDebugger or Ollydbg.
- You are familiar with basic web application vulnerabilities and exploits.
- You have a deep passion for learning more about penetration testing concepts, and exploit development in particular.
- You’re not a quitter and want to work hard to achieve something.
- You’re not a cheater and you want to earn something fair and square with the knowledge that you have gained.
Like everybody else that is interested in pursuing something, I first read countless blogs from other people that have done the course. Before I registered, I wanted to feel prepared so that I wouldn’t encounter any unexpected road blocks. The blog post that gave me a lot of inspiration was the blog from g0tmi1k. Nevertheless, all blog posts that I’ve read mentioned interesting materials to read and learn before taking on the course.
One of those learning objectives for myself was to learn Intel x86 assembly, as the course expects you to understand this language for the exploit development modules. This was a big hurdle for me since I found it quite difficult to understand and make sense of it. What were all the different commands doing? What is the purpose of the registers? What happens on the stack when functions are called? What is an SEH?
I wasn’t really a developer and assembly is (I think) easily considered as a difficult language to understand, along with other low-level programming languages like C. Assembly itself also differs a lot when comparing them to the more higher-level languages like PHP or Python, since the lower-level languages also allow you to handle memory in the code. You can’t do that in Python or PHP.
To start off my OSCE journey in the summer, I started off with reading some printed out materials while I was on my vacation to get a theoretical understanding of assembly (I didn’t bring my laptop with me as it might have held myself back from enjoying my vacation). I was reading the following guide:
This guide gave me a good understanding of the assembly language, along with the usage of the registers, how functions are handled in the stack and how memory works in general. If you’re also new to assembly and memory, then I recommend you to give this a read. Take your time with understanding the concepts in this guide, you will benefit from it later on when you start the course.
I also took the time to go through another assembly guide on Tutorialspoint. This taught me more practical stuff and learned me how to work with NASM. It also taught me about the different sections that you have in an ASM file, like .text, .data and .bss. These are also key concepts to understand, as will encounter them in the CTP course at some point.
Next up, it was time for me to apply everything what I’ve learned and follow some exploit development articles on the good old Corelan website. The articles provided practical exercises and because of my preparations it was easier to understand the materials explained in the articles. I attempted to learn from the Corelan articles in the past, but it was a lot harder (and I gave up after a while) as I didn’t had a good understanding of memory and assembly. But now it was different 🙂 I had read all the articles up until article 9 (Introduction to win32 shellcoding, which was very interesting) and I also did some of the exercises. I didn’t do all of them as I already was very eager to sign up for the course.
It took some time for me to complete all of the above preparations. But after doing all this, I felt a lot more confident to take on the registration challenge, which we’ll now talk about.
The registration challenge
Before you can register for the Cracking The Perimeter course, you are required to solve a challenge, which is available on the following website.
You are required to complete two challenges before you can register:
- Bypass the login form by inserting the correct Security String.
- Extract the final code and registration key, which you need to enter in the registration form.
The challenge is there to protect you from signing up for a course that might be too difficult for you. If you can’t solve the challenge, then you’re not ready yet.
While I cannot go into detail about this challenge, I can tell you that the first one wasn’t so difficult for me to complete. It was straightforward and I knew immediately where to look. The other one though required some extra time before I knew what was going on. It seemed simple in the beginning, but at a certain point I felt like: “what do I need to do now?”. Luckily with all my preparations, I figured it out some time later and solved the final challenge.
The challenge can be frustrating at some point, but it is quite logical once you need to know what to do. After all, it’s not rocket science. 😀
I completed the challenge in a couple of hours, and obtained the code and registration key which are required to sign up for the course. A few minutes later, I received my confirmation email from Offensive Security which stated that I’ve successfully signed up for the course. Awesome!
Now, let’s talk about the contents of the course and what you can expect from it. As I already mentioned, there are four big topics that are covered in the course. Let’s go over them one by one.
Advanced Web Attacks
The advanced web attacks modules will teach you some exotic XSS attacks and an interesting directory traversal attack. I was already doing web application pentests for my job, so it didn’t really blew my mind. Still, while I was doing these modules, I sometimes thought: “huh, that’s interesting!”. Even when I already had some web app pentesting experience, I still learned something new from these modules.
Backdooring PE files
The next module that came along was something very new to me: backdooring PE files. I had never done this in my life, and it wasn’t actually that hard to do (remember, this is only my opinion). It’s easy once you know how to do it, and Offsec did a great job explaining the backdooring techniques. These techniques could then be used to create malware that could evade Anti-Virus software. If you do some extra research, then you are also able to use this technique to bypass modern AV solutions. The techniques taught in the course might seem a little old and simple at first, but you will quickly notice that you are being taught the foundation for backdooring executables. Remember, you first need to learn how to walk before you can run.
This was the first moment in the course that I really learned something new. It was just really cool and I enjoyed these modules a lot! I did some research on my own after completing these modules and attempted to create a backdoor in an up-to-date version of PuTTY which could not be detected by a modern AV, and I succeeded! I was able to implement shellcode that would pop a reverse shell after a certain action occurred in the binary. It took some time to do it, but it was worth the effort and I also learned new methods along the way.
The next modules focused around exploit development and are easily the most difficult modules from the course, as you will learn how to develop exploits for buffer overflows which have limited space for injecting shellcode. They first seem impossible to exploit, but Offsec will teach you some neat tricks on how you can eventually exploit these buffers.
If you have already done the PWK course, then you will pick up things where you left off at the buffer overflow exercises. And you will also notice that what you have been taught in the PWK course was only the tip of the iceberg.
You will learn how you can fuzz binaries, how to bypass ASLR and SEH protections and how to implement a custom encoder for your shellcode. You will even have to develop some custom shellcode on your own, which is quite neat. This is where your assembly knowledge is especially required.
These modules were really fun to do, but it took some time to fully understand the exploits.
The final module explains an interesting networking attack against a Cisco router and you will learn how to bypass router ACLs and compromise router configs. Offsec will teach you on how you can use packet crafters to develop and send custom packets to the router. You will also learn how you can sniff router traffic by setting up GRE tunnels. During this module, you will also dig a little bit deeper in the SNMP protocol.
As always, I am never sure if I’m ready for an Offsec exam. You never know what to expect from Offsec when it comes to exams. 🙂 Nevertheless, I finished the course materials after around 3 weeks and had planned my exam a week later.
In that week, I picked out some buffer overflow exploits on Exploit-DB and tried to recreate them on my own. I also took a look at vulnserver which also helped me to prepare for the exam. This application provides a network service to which you can simply connect with telnet or netcat. You can enter various commands in the application and some of them are vulnerable. It is up to you to discover these vulnerabilities and exploit them by yourself.
I didn’t do a lot on the day before the exam. I had the day off from work and just relaxed to keep my stress levels at a minimum. I felt like I had prepared enough and was ready to take on the exam.
On my exam day, I started on 12 PM after receiving the exam email from Offsec, connected to the VPN and slowly went over the challenge descriptions that I had to complete. There were four exam machines available: two machines gave a large amount of points and the other two a smaller amount of points.
I started off with a machine that I felt the most confident in, which also gave lots of points when completed. I was able to quickly discover the vulnerability, but exploiting it wasn’t that obvious. Around 5 hours later I finally managed to exploit it and gain a low-priv shell and was now focusing on privilege escalation, as the goal was to gain root. I managed to obtain a root shell 3 hours later. This gave me a boost in confidence, as I now earned a large chunk of points and I had only spent 8 hours in total on this machine.
Next, I started off with a machine that was worth less points. I expected it to be easier than the previous one, but I was dead wrong. I just couldn’t solve the challenge in the way that it was intended to and I had spent already multiple hours on it. I decided to move away from this exercise and to focus on the next machine.
The next challenge that I attempted was also worth less points and was a little bit easier than the previous one (for me at least). However, it took some time to complete, since a lot of work was required to get this working, but it wasn’t too hard to do. I stopped working halfway through the challenge as it already was quite late and I got some sleep. I only slept for a couple of hours though as I couldn’t stop thinking about the exam. The next morning, I finished the challenge after a couple of hours.
The only machine that kept me from earning enough points to pass the exam was the last machine that gave a lot of points. I had still around 20+ hours on the clock to complete this challenge and I felt confident. What I didn’t know was: this challenge was brutal and merciless.
Everyone who is reading this part of the blog and that has completed the OSCE exam should all be nodding now and thinking to themselves: “yeah, I know what you’re talking about”. The challenge started off simple and I felt that I was going to complete this before dinner. After a while, I discovered the vulnerability and then — some time later examining the vuln — I thought to myself: “this is impossible to exploit”. This is where I started to do a lot of research to discover some methods that could help me on the way. I was able to find some answers, but there were other problems as well that I had to tackle, which I didn’t find answers for. Eventually — almost at the end of the exam — I came close to solving it but I couldn’t fully exploit the vuln. I had already built a complex exploit for it but it didn’t do the trick yet. I realized that I wasn’t able to pass the exam this time as my time was coming to an end. Nevertheless, I felt very close to solving this challenge.
A few months later I tried to do the exam again. I prepared myself a little bit more as well and found some potential solutions on how to successfully exploit this machine. The exam started and already a few hours later I had successfully exploited this brutal challenge and had now earned enough points to pass the exam! I double checked my exploits for the other machines, which luckily all still worked. I used the remaining exam time to write the report, which also took a while to do. 🙂
I had sent in my report on the evening of Sunday and by the end of the week I received on email from Offsec which stated the following.
I couldn’t be any more happy that day. I worked really hard to earn this, although it took a couple of tries for me to earn it. Around a week later I received my certificate that looked really awesome.
The course was fantastic, and the exam was just brutal. 🙂 But I loved every moment of it. I have learned so many new techniques, but more importantly, I learned to think differently in more difficult situations where vulnerabilities first doesn’t seem exploitable. This is what this course was all about for me: exploiting machines in harsh circumstances. The contents that Offsec provided were as always top-notch and I didn’t expect less from them. I was glad that I had signed up for this course as it taught me some much valuable lessons that only Offsec can teach you.
To anyone signing up for the course or thinking about signing up: if you have any questions, feel free to contact me anytime.