<h1>My OSCE Experience</h1>

<p>Published: 2021-02-10</p>

<p>Hi guys,<br>After OSCP and OSWP, I finally got my OSCE certification as well. I'm continuing with my personal plan to complete all Offsec certs and just got another beast! As always, I wanted to share my experience and personal studies for OSCE.</p>

<p><strong>Status Before OSCE:</strong> I was capable of exploiting basic buffer overflows and had a solid understanding of memory.</p>

<p><strong>Status After OSCE:</strong> I learned many complex techniques and am able to write my own exploits from scratch.</p>

<p>** During OSCP prep I was trying to understand how to exploit a basic buffer overflow and spent hours exploiting Minishare. After OSCE, I was able to write a script for Minishare in 4 minutes. I think this explains everything 😀</p>

<p><strong>Before the Lab/Self Prep:</strong></p>

<ul>
<li>I read as many OSCE blog posts and study paths as I could and created my own path, as always.</li>
<li>Finished the SLAE course to refresh my understanding of assembly. That course is outstanding.</li>
<li>I read and wrote exploits from the exploit-dev topics of the Corelan and FuzzySecurity blogs. They are super cool; these blogs helped me a lot.</li>
<li>I learned how to fuzz with different tools (SPIKE, boofuzz, custom scripts).</li>
<li>I wrote many, many, many exploits involving SEH and egg hunting. You can check out my Github page to understand what I mean by many 🙂</li>
<li>I read other people's exploits on ExploitDB and in blog posts. I realized that, in time, I had developed my own style for writing exploits.</li>
<li>I started working on AV bypass. I worked on AV bypass 3 days per week while writing exploits the other 4 days.</li>
<li>I learned different techniques such as socket reuse, custom shellcode writing and alphanumeric shellcoding (which killed me for days; now I can do it even in my dreams).</li>
<li>I worked specifically on my assembly knowledge.</li>
<li>Fell in love with Immunity Debugger 😀</li>
</ul>

<p>I had a very demanding consultancy job at the same time, so I had a schedule for self-study as follows:</p>

<ul>
<li>Coming home from work: 19.00-19.30</li>
<li>Self study: 20.00-24.00</li>
<li>Self study 2: 04.00-07.00</li>
<li>Go to work: 08.00</li>
</ul>

<p><strong>Human Time:</strong> ???!<br>Believe me, doing this for 4 consecutive months was pretty crazy. But is there anything more beautiful than hacking at night? 😀</p>

<p>And last but not least, during my preparation I wrote exploits for the following applications:</p>

<ol type="1">
<li>BigAnt Server 2.52 SP5</li>
<li>BlazeDVD 5 Professional</li>
<li>Cesar FTP 0.9.9g</li>
<li>Dup Scout Enterprise 10.0.18</li>
<li>DVD X Player 5.5</li>
<li>Easy CD DVD Copy v1.3.24</li>
<li>Easy File Management Web Server 5.3</li>
<li>Easy File Sharing FTP Server 3.5</li>
<li>Easy File Sharing Web Server 7.2</li>
<li>Easy RM to MP3 Converter 2.7.3.7</li>
<li>Easy Chat Server 3.1</li>
<li>Eureka Email Client 2.2</li>
<li>FreeFloat FTP</li>
<li>FreeFTP 1.0.8</li>
<li>HP NNM 7.53</li>
<li>KarjaSoft Sami FTP Server 2.0.1</li>
<li>KnFTP Server 1.0.0</li>
<li>Kolibri v2.0 HTTP Server</li>
<li>LabF nfsAxe FTP Client 3.7</li>
<li>Millenium MP3 Studio 1.0</li>
<li>MinaliC WebServer 2.0.0</li>
<li>Minishare 1.4.1</li>
<li>ProSysInfo TFTP Server TFTPDWIN 0.4.2</li>
<li>Quick Zip v4.60.019</li>
<li>R v3.4.4</li>
<li>Ricoh DC Software DL-10 FTP Server</li>
<li>Savant Web Server 3.1</li>
<li>Serv-U 9.0.0.5</li>
<li>Solar FTP Server 2.1.1</li>
<li>Soritong MP3 Player 1.0</li>
<li>Spipe (McAfee HTTP Server (NAISERV.exe))</li>
<li>SysGauge Pro v4.6.12</li>
<li>Vulnserver GMON</li>
<li>Vulnserver HTER</li>
<li>Vulnserver KSTET</li>
<li>Vulnserver LTER</li>
<li>Vulnserver TRUN</li>
<li>Xitami Webserver 2.5</li>
<li>zipper</li>
</ol>

<p>I shared most of them on my Github page already. Then I think I was ready for the lab 😀</p>

<p><strong>Lab:</strong></p>

<ul>
<li>I already do web pentests all the time in my freelance job, so the web section was not a problem for me.</li>
<li>After my pre-lab work I was already familiar with SEH, egg hunting and ASLR bypass. I refreshed my knowledge in the lab.</li>
<li>AV bypass was pretty straightforward. I did my pre-study very well, apparently.</li>
<li>I solved all sections in the lab 4 times during my lab time.</li>
</ul>

<p><strong>Exam:</strong> I'm sorry, but I won't write anything lovely in this section. The exam was brutal. You need to be really familiar with everything and have a lot of practice. I checked my sanity a couple of times during the exam. I finished the exam on the second day.</p>

<figure class="wp-block-image"><img decoding="async" src="https://1.bp.blogspot.com/-7TeTH4M3FZY/XpCzI95Rf5I/AAAAAAAALlk/xpGrauU5SzgjIcyDk5iE7XSxSccr_luUACLcBGAsYHQ/s640/Screen%2BShot%2B2020-04-10%2Bat%2B19.55.01.png" alt=""></figure>

<p><strong>Conclusion:</strong> After OSCE, I realized that I was born to do binary exploitation. I'm really into it now and I don't think I will ever be able to stop. Before jumping into OSWE, I already created a roadmap for myself to continue with binary exploitation nonstop. So thanks one more time to the Offsec guys for helping me find my way with the Try Harder philosophy. You guys are amazing!<br>Hope this helps people who are preparing for OSCE, and stay tuned for the next blog post on OSWE 🙂 In the meantime, I'll dive into the reverse engineering world 😀<br>Cheers!</p>

<p>Busra</p>

<p><strong>References:</strong></p>

<p>Automated fuzzing (SPIKE):</p>

<p><a href="https://theitgeekchronicles.files.wordpress.com/2012/05/scapyguide1.pdf">https://theitgeekchronicles.files.wordpress.com/2012/05/scapyguide1.pdf</a><br><a href="https://resources.infosecinstitute.com/intro-to-fuzzing/">https://resources.infosecinstitute.com/intro-to-fuzzing/</a></p>

<p>Assembly and shellcode basics:</p>

<p>SecurityTube Linux Assembly Expert (32-bit) course</p>

<p>SEH:</p>

<p><a href="https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows">https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows</a></p>

<p><a href="https://fuzzysecurity.com/tutorials/expDev/1.html">https://fuzzysecurity.com/tutorials/expDev/1.html</a></p>

<p>Egg hunting:</p>

<p><a href="https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/">https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/</a></p>

<p><a href="https://fuzzysecurity.com/tutorials/expDev/1.html">https://fuzzysecurity.com/tutorials/expDev/1.html</a></p>

<p>AV bypass:</p>

<p><a href="https://captmeelo.com/exploitdev/osceprep/2018/07/21/backdoor101-part2.html">https://captmeelo.com/exploitdev/osceprep/2018/07/21/backdoor101-part2.html</a></p>

<p><a href="https://haiderm.com/fully-undetectable-backdooring-pe-file/">https://haiderm.com/fully-undetectable-backdooring-pe-file/</a></p>

<p>My scripts:<br><a href="https://github.com/areyou1or0/OSCE-Exploit-Development">https://github.com/areyou1or0/OSCE-Exploit-Development</a></p>