The Offensive Security Certified Expert (OSCE)

while True:
    try_harder()

tl;dr: 2 out of 3 big Offsec certs. Worth taking it just for the exam.

The Course

I read a lot of reviews before deciding I was ready to take the course. Like most of the other reviewers, I was already familiar with the concepts required for getting through most of the modules. Similar to the OSCP, there is very little direction given to you during the course and exam.

Cracking the Perimeter (CTP) is meant to be an extension of Pentesting with Kali Linux (PWK), and for good reason. It is much more focused on exploit development and dives deep into the less explored facets of penetration testing. A strong familiarity with x86 assembly (all examples are in Intel syntax) and the inner workings of the Portable Executable (PE) format will go a long way, especially during the exploit development and antivirus avoidance portions of the course.

In order to register for the course, you need to pass the “filter” hosted at fc4.me. Put simply: if you cannot pass the filter, it is best you spend some time learning the preliminary knowledge elsewhere so you don’t waste your time (and hard-earned cash) on the course. The available options are:

Option                                                    Price (USD)
CTP v.1.0 + 60 days CTP Lab access + certification        1,500
CTP v.1.0 + 30 days CTP Lab access + certification        1,200
CTP Lab access – extension of 60 days                       600
CTP Lab access – extension of 30 days                       350
OSCE – Certification retake                                 100

At the suggestion of other reviewers, I purchased the 30-day option, which was only a couple hundred more than I paid for the OSCP (though that was 60 days). 30 days was more than enough to complete the course. By the 20th day I was ready to take the exam (I actually scheduled it for a date before my lab time expired). Even though it was much shorter than the OSCP, the modules are packed with material from real-life scenarios meant to provoke critical thinking. They do a great job of showing you what happened, how they got there, and what they did to get around it.

That being said, the course and exam require a lot of self-teaching and don’t hold your hand very much. Most of the modules have you re-enact the scenario that was written into the course. The scenarios are a bit dated, but the same principles (most importantly the ones that help you think in a different way) still apply today. The course is definitely centered around exploit development, but it is surrounded by the Web Application and Network Infrastructure modules. The module names (which give you a good idea of what’s included in each one) can be found in the syllabus, available here.

The Exam

This time around, the exam is a 48 hour endeavor with an additional 24 hours (72 hours total) to turn in your report. It was certainly the most difficult exam I have ever taken. At first look, the exam is deceptively simple. There are 90 points possible, with 70 points required to pass: 4 questions (2 questions at 30 points each, 2 questions at 15 points each), 48 hours, and anything you want to use is fair game. Documentation is a must, and can make a big difference when you need a few extra points to push you over the edge.

Side note: It was never mentioned in the course or on the forum if documentation is required for the exercises. Since it was required for the OSCP, I made sure to document every step in the course and on the exam. I don’t know if the course documentation made a difference, but it was helpful nonetheless.

All of the questions appear to be very straightforward, and it was hard to imagine the whole process taking all that time. About 7 hours in, I had finished both of the 15 point questions. I was feeling good…

That feeling did not last. One thing Offsec is very good at is pure, unadulterated deception. The other two took me for quite a ride. One was related to exploit development, the other to web applications. The only advice I can give is that you do need external knowledge to complete the exam objectives. It also pays off quite nicely to automate as much as you possibly can. Research on creative attack methodologies is crucial. The course knowledge will get you part of the way there, but it’s up to you to finish the job. Suffice it to say I finished with what I was confident would pass. I went to sleep early after the exam and looked at my results with fresh eyes in the morning.

One very important note about documentation: they give you an analysis environment for developing exploits and the like. Since that is where a large part of the exam takes place, you need to do your documentation prior to disconnecting from the VPN. If you forget to document a step that takes place in the analysis environment during the exam, it will be absent from your documentation. Take notes and screenshots of everything.

I had a quick scare regarding some missing documentation (hence the above note), then found it in my screenshots folder. I finished the documentation around noon and sent it in. I got an email back stating that I had officially submitted my exam docs and that I should expect to hear something in the next three business days. Well, one business day later and I got my congratulations email.

Conclusion

I learned as much during the exam as I did during the course. It was a surreal experience that I will never forget. One day, maybe I’ll get my OSEE. One day…

3 Replies to “The Offensive Security Certified Expert (OSCE)”

  1. Thank you for your great post. Recently I’m trying the egghunter technique, and managed to put in my egghunter shellcode but couldn’t find anywhere to put in my stage 2 shellcode. Hmm.. Tried to put it with other commands before and after the crash and nothing sticks in the memory. Wondering where I should look into. xD
