Pass OSCE: challenge accepted





How would you respond to a proposal like this? There is a topic that most information security specialists steer clear of, called "binary exploitation". First, you have to solve an entrance task: reverse some assembly code and generate a key. Then you must complete 8 modules of lab work, in a lab environment straight out of the 2000s, within 60 days. Then you can prepare using the course book, but it will get you only about 20 percent of the way to understanding the topic. Then comes an exhausting 48-hour exam of four tasks, and immediately after it you are given 24 hours to write a report in English. And all this pleasure costs $1800.



I said, "Give me two!"



So, next I will tell you how I prepared for and passed the exciting exam for an international penetration testing certificate, the Offensive Security Certified Expert, or OSCE for short, from Offensive Security.



This organization offers several other certifications, but the Expert level requires demonstrating expert knowledge in several areas at once: attacks on web applications, attacks at the network level, fuzzing, and exploit development for Windows x86. Although the course is often criticized as outdated, the fundamentals of exploitation have not changed, and as a result a lot can be learned:



  1. find and exploit web vulnerabilities, for example XSS or path traversal, and escalate them to a complete compromise of the operating system;
  2. conduct network attacks such as GRE sniffing and SNMP attacks, and bypass access lists using spoofed SNMP requests;
  3. find buffer overflows using fuzzing and use them to gain code execution inside the program, bypass protection mechanisms (stack overflow, ASLR bypass, egghunter, bad characters, etc.), and also bypass the static detection mechanisms of antivirus software.


What kind of beast is the OSCE: an example



In order not to overload the article with technical terms and abbreviations, I will give a typical example. Imagine that you have a piece of software that receives data via TCP, and you need to exploit it on the remote server where it is deployed in order to execute commands at the operating system level.



Solution



  1. : , . , .
  2. () stack overflow, .
  3. payload ( ) , , EIP. , SEH.
  4. EIP . , . , , — ( ), .


It seems that all that remains is to place the shellcode, and everything is very simple. But it often happens that you first need to bypass the ASLR mechanism, if no static address can be found in memory, or it turns out that the buffer is restricted to an alphabet (a set of allowed characters), in which case you have to collect all the allowed characters and build the instructions you need out of alternative encodings made from them. And if the buffer is limited in length, then you need to find another place in the program's memory where additional data can be placed, locate it in memory, and jump to it (the egghunter technique), or even write your own shellcode that does what you want within the constraints you are given.
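The scenario above (a TCP service that copies a length-prefixed field into a fixed stack buffer) is the starting point of almost every task of this kind, so here is the defect side by side with its fix. This is an added example, not code from the article or from any Offensive Security lab; the wire format (a big-endian 16-bit length followed by the name bytes), the `NAME_MAX` capacity and the handler names are all constructed for the illustration. The vulnerable handler trusts the length from the wire; the hardened one bounds it twice, against the destination buffer and against the bytes actually received, which also closes the over-read that a fuzzer finds by lying in the length field.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed wire format for this example (not the article's):
 *   bytes 0..1 : big-endian uint16 "name length" field
 *   bytes 2..  : name bytes
 * The service copies the name into a fixed 64-byte stack buffer. */
#define NAME_MAX 64

static uint16_t read_be16(const uint8_t *p)
{
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

/* Vulnerable form: the length field from the wire is trusted. A frame
 * claiming more than NAME_MAX bytes overwrites whatever lies above name[]
 * on the stack, which is exactly the stack overflow the scenario starts
 * from. Only call it with well-formed input; a hostile frame corrupts
 * the stack of the calling process. */
static int handle_frame_vulnerable(const uint8_t *pkt, size_t pkt_len)
{
    char name[NAME_MAX];

    if (pkt_len < 2)
        return -1;
    uint16_t n = read_be16(pkt);
    memcpy(name, pkt + 2, n);      /* no check against NAME_MAX or pkt_len */
    name[n] = '\0';
    return (int)n;                 /* bytes accepted */
}

/* Hardened form: every length that reaches memcpy is bounded twice,
 * by the destination capacity and by the bytes actually received. */
static int handle_frame_hardened(const uint8_t *pkt, size_t pkt_len)
{
    char name[NAME_MAX];

    if (pkt_len < 2)
        return -1;                 /* truncated header */
    uint16_t n = read_be16(pkt);
    if (n >= NAME_MAX)
        return -2;                 /* would not fit (one byte kept for the NUL) */
    if ((size_t)n > pkt_len - 2)
        return -3;                 /* field claims more than was received: over-read */
    memcpy(name, pkt + 2, n);
    name[n] = '\0';
    return (int)n;
}

/* Builds a frame whose length field may deliberately disagree with the
 * payload, the kind of input a fuzzer produces. Returns the frame size,
 * or 0 if it does not fit in out[]. */
static size_t build_frame(uint8_t *out, size_t cap, uint16_t claimed,
                          const char *payload, size_t payload_len)
{
    if (cap < 2 + payload_len)
        return 0;
    out[0] = (uint8_t)(claimed >> 8);
    out[1] = (uint8_t)(claimed & 0xff);
    memcpy(out + 2, payload, payload_len);
    return 2 + payload_len;
}

int main(void)
{
    uint8_t frame[256];
    size_t len;

    /* honest frame: both handlers accept 5 bytes */
    len = build_frame(frame, sizeof frame, 5, "hello", 5);
    printf("honest frame: hardened=%d vulnerable=%d\n",
           handle_frame_hardened(frame, len), handle_frame_vulnerable(frame, len));

    /* length field claims 512 bytes: rejected before memcpy (-2);
     * the vulnerable handler is deliberately not called here */
    len = build_frame(frame, sizeof frame, 512, "xyz", 3);
    printf("claims 512:   hardened=%d\n", handle_frame_hardened(frame, len));

    /* length field claims 16 bytes but only 3 arrived: over-read rejected (-3) */
    len = build_frame(frame, sizeof frame, 16, "xyz", 3);
    printf("claims 16/3:  hardened=%d\n", handle_frame_hardened(frame, len));
    return 0;
}
```

The two checks in the hardened handler are the ones a reviewer should look for in any length-prefixed parser: the claimed length against the destination, and the claimed length against what was actually read from the socket. Either one missing is a finding.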



It also happens that this additionally placed data arrives partially damaged, so you have to assess the damage and work out how to get around that restriction: for example, remove the bad characters, split your shellcode into pieces and chain them together, and chain the calls between them. To complicate matters, the debugger (your main tool) may itself display memory incorrectly while you are debugging. Bingo!



In fact, binary exploitation, and pentesting in general, is a game of bypassing a pile of restrictions, using various techniques and applying ingenuity. Solving a task like this can take anywhere from 6 hours to forever, so 48 hours for 4 tasks does not seem excessive to me.



How I passed the exam



I managed to pass the OSCE on the second try. The first time, in June, I could not prepare properly for the exam because of the workload on projects, but as a "real pentester" I decided to do everything "on the fly". As a result, in 48 hours, 10 of which were spent sleeping, I solved only 1.5 tasks.



In September, I made a firm decision to approach everything properly: to study more topics, including those related to exploitation (which turned out to be a bottomless pit), to do all the lab exercises, to talk with other experts, to think over the tasks from the first exam attempt, and to prepare various scripts for automation.



As a result, the second attempt came in November: during the 12 hours of the exam I drank 7 cups of tea, took a couple of headache pills, had a delicious dinner, walked in the yard, and all 4 tasks were solved. Fortunately, they were similar to those I had come across on the first try. After a pleasant sleep, it took another 5 hours to write the report, and a day later I was told that the exam had been passed successfully and that I could ask management for a pay rise.



Updating certification rules



In October 2020, Offensive Security announced that it plans to update the OSCE course. The old certification can no longer be purchased, and under the new rules OSCE status can only be obtained by passing three exams:



  1. Advanced Web Attacks and Exploitation (AWAE)
  2. Evasion Techniques and Breaching Defenses (PEN-300)
  3. Windows User Mode Exploit Development (WUMED) - to be announced in 2021


So did I try in vain, and now I hold an outdated certificate? No: the company sticks to the position "Anyone who has earned an OSCE will always retain it". Probably many people choose Offensive Security for exactly this reason. Yes, it's expensive; yes, the training manuals are weak; yes, the exam is exhausting and full of pitfalls; but once you pass something, you carry the title to the end of your days, unlike a bunch of other certifications where every 2-3 years you have to keep paying for renewals and new exams.



FAQ



What did the certification give me in the end?



  • — . OSCP , .
  • «-» .
  • , , 2010- , .
  • « , ?»


?



  • : , .
  • .
  • .
  • «».


?



Our company pays great attention to developing the team's hard and soft skills, so I was able to get certified at the employer's expense. Otherwise I might have taken on such a challenge only for the sake of the certificate itself. To gain knowledge alone (and save your own money), it would be wiser to study the leaked materials and the blogs of other pentesters on medium.com, recreate and work through the lab, and also look at other courses, for example SLAE.



Will I continue to take Offensive Security exams?



Of course. On the whole I am happy with the "try harder" approach, their new courses are interesting, and everything else can be endured.



PS Thanks to my colleagues and my girlfriend who supported me!


