A lot of you guys have been asking for me to do a review on OSCE, or the Offensive Security Certified Expert. I've also had a lot of requests for OSWE, the web expert, and OSWP, now the Wi-Fi one. So in this video, I want to do that for OSCE, the Offensive Security Certified Expert. So here we go. Let's do this. I want to make this a little bit more, I guess, practical for you guys. So I want to kind of deep dive into what I do, my methodology when I'm going through one of Offensive Security's courses, and show you some of my notes that I can show you and everything that I can realistically show you, with the disclaimer that I'm obviously not going to divulge anything from the exam. I want to give you everything that you can still already find online. I just kind of want to help organize it so you guys know what to look through and what to actually work with. So I guess I'll dive in first, actually, with the course itself. So Offensive Security, they put out CTP, or Cracking the Perimeter, and that is the mandatory course that you have to take in order to take the Offensive Security Certified Expert, or OSCE, exam. So this sort of continues where OSCP, or PWK, sorry, Penetration Testing with Kali, left off. It's kind of considered, I think in some circles, like the big brother or the older brother to PWK. And with that note, when I say older, I mean that right now this course has not been updated and it is old, like old, in that they'll ship with it a BackTrack virtual machine for you to work with. And you're working with OllyDbg for a lot of your debugging. In that regard, it needs a refresh, but I know PWK and OSCP got that update for 2020. So regardless, this is meant to be more exploitation oriented. So not just simply pulling an exploit off the shelf or grabbing it through searchsploit or Exploit-DB, the Exploit Database. What this one is all about is more about crafting your own exploit, writing something in Python or whatever scripting language you prefer.
I guess I really recommend Python. OSCE is more about creating your exploit, understanding why this buffer overflow works the way that it does, moving on to bypassing ASLR, address space layout randomization, or taking advantage of SEH, structured exception handler, exploitation. It has a little bit of web stuff in there. It talks about egg hunters and manual shellcoding, writing your own shellcode and trying to encode it or obfuscate it in ways it's not detected, etc., etc. So you can totally read up on that if you want to view the syllabus online, or look through some of what this covers here in their online kind of breakdown. There are tons of reviews, and I really want to point you towards those. Before I dive into that, though, let me just fire up here some of my notes. I store all of these on my external hard drive. And again, I really, really recommend that you guys get a set of these just so you have kind of a library of certifications that you go through, your notes, your resources, your material, so if you ever need to look back on them, you can. I mentioned that in an earlier video with, I think, eJPT, some of the eLearnSecurity stuff, is that I've now started to do this. I have like 10 different colored hard drives, just so I can keep track of my own library and keep myself sane. So I really recommend you do that. Okay, let's dive into some of my notes here just so I have a structure of what I want to make this video about. So here, when I start an Offensive Security course, I create a markdown file. I do everything in markdown, because that's just kind of my workflow. I know some people really like CherryTree; I just tend to work in Sublime. I need to get back to Arch and do some stuff in Vim, be real level. Anyway, I use markdown to write my report, I use it to take notes, I do all of my documentation and kind of bookkeeping in markdown, and I use that
what is it called, the Eisvogel Pandoc template, so that this can automatically be converted into a PDF. And it looks nice and pretty and beautiful and has images and everything. So I took this course way back, just after I finished up with OSCP, kind of the end of 2019. I think I had the start of the course in September. Yep. Oh, no, no, I bought it in September, started to take notes and prep for it, and then it began for me in October, and labs would go until 30 days in my case. So just November. I think I ended up taking the exam in October. We can probably take a look if I look at the PDFs. Anyway, let's talk about more of the topics. It is going to touch upon some cross-site scripting, local file inclusion and common web attacks. This is a super duper small portion of the course, because I guess it continues off of OSCP and it's showcasing more exploitation stuff. But this is not the focus of OSCE. It's called Certified Expert, and it's all about exploitation. It's about binaries. It's about doing the stuff with computer programs and memory and the stack and registers and all of that kind of lower level stuff. You only see this really once when you're getting into kind of the course and what follows. Oh, I bumped my mic. Sorry. With that, you still need to know how to do it. But you'll have one machine and you'll see some actual activity that you need to perform that is much more OSCP-like. And that's how it kind of makes that continuation from that. And then it gets into the real actual executable stuff, or the exploitation-oriented things. You'll backdoor some executables, or make it so that when you pop open Notepad or a calculator, it's also going to call a reverse shell back to you. What I recommend is, because you might be like, well, hey, Metasploit can do that for me. msfvenom knows how to do that. Yes, I know. You're not allowed to do that in this case. You have to do it manually.
And that's what the course is trying to teach you, how you could write something. And I actually kind of went down this rabbit hole for a while. I found out like this, the Python modules to work with ELF files or EXE files, sorry, the portable executables. And I would try and write something that would automatically backdoor an executable, rearrange whatever is necessary to get a code cave so we can put shellcode in there and jump to it, etc., etc. Maybe do some XOR encoding so it hides our backdoor injection. And you're going to need to do that. But you need to do it manually. You can't use any of those tools, or if you wrote your own, it wouldn't help you, because you are forced and really, really mandated to go ahead and do this through your debugger. And that's not that bad. Honestly, they'll show you the steps and everything on how to do that. They give you a little bit more stuff on bypassing ASLR with the partial EIP overwrite, maybe not strictly a bypass of ASLR. I don't spend a whole lot of time on this and I think it's only covered in a cursory fashion. SEH exploits, or the structured exception handler exploits, you absolutely need to know how to do that. You're gonna end up doing it with egg hunters. And that's one method of going and finding your shellcode. Really, really cool technique. Personally, I didn't end up doing much more with it after the fact. That's just me. Again, your mileage may vary. What I want to explain to you, though, is I know a lot of people say, again, OSCE is very old, in that some of these techniques, yeah, backdooring with XOR stuff, well, that's not very modern day. That's not very real world right now. Same thing with egg hunters or SEH, or structured exception handler. That stuff may be, okay, it's not up to date for today's standards of offense and defense on a local host or on a machine. Yes. Okay. Cool.
So, what I guess I hear the phrase often, you need to learn how to walk before you can run, right? So you need to get these fundamentals down. And that's what this course is wanting you to do, is to learn some of the low level stuff on what's actually happening on the binary, in the binary, between the stack and the memory and the registers, etc., etc. And that's what OSCE is all about, even if it's going through some older techniques for this sort of exploitation. Fuzzing is huge in this course. You need to absolutely know how to fuzz, and you did this probably previously in OSCP or PWK, if you took that course, when you were making your buffer overflow exploit. Good. They taught you how to use it with SPIKE, which is a cool fuzzer I think built into Kali. It has some strange commands like generic_send_tcp that you wouldn't know correlate to SPIKE. I would recommend that you learn SPIKE, get it down. The syntax isn't that hard to pick up. But I would move on to boofuzz, and you've probably seen me use this in some other videos. I did it for my vulnserver HTER exploit. I've also done it in my Shellcode for the Masses webinar that I did with the Ethical Hacker Network. I really, really think just pick up boofuzz. The syntax is easy. You just kind of get boilerplate, you slap it in, you're good. And then you won't need to do that later. boofuzz is going to be really good at showing you where it crashed, because it'll save its results, etc., etc. You can see my video if you want, the vulnserver HTER one. Okay, it also discusses some network attacks with GRE. This again is just a small sliver at the very, very end of the course. You may not necessarily need to be a master at that. Focus on the binary exploitation stuff and a little bit of the web stuff that you should already be pretty strong in through OSCP. Okay, some gimmicks that I want to recommend, because the course is using OllyDbg. You can use OllyDbg if you want to. But it's you, right?
You're the person that is going through the exam, you're the person that is going through the material, you're the one trying to practice and you're the one trying to learn, if you like a different tool. Again, in Windows debugging and disassembling and working with PE files or EXEs, personally, I use Immunity Debugger because I just did that through OSCP for the buffer overflow. And I've done that in every other case where I needed to do an exploit on a Windows machine for a Windows binary, and Mona, mona.py, is awesome and incredible. I really like that it's kind of built into Immunity. I know Immunity is very clunky if you're not a GUI guy, and I don't consider myself a GUI guy. That's weird to say. But mona.py can help automate and help do a lot of the things that you will need to do, especially for finding jump instructions, for kind of finding specified or specific actual, maybe encoded or alphanumeric encoded instructions, or ones that will work well with alphanumeric bytes, and finding your MSF pattern, if you use a cyclic pattern to find an offset to an EIP instruction, or where you're doing your overflow. Or I think you can even do excellent things with SEH. It'll find the structured exception handler position, and even the nSEH, or the next one that we do follow and you will use to jump and move to get to a buffer that you can actually work with and put your shellcode in. Okay, enough of me talking on that. Those are my recommendations for gimmicks that you might see in the course. Use whatever you want to use. But I tout Immunity, because that's, I guess, what I use. I want to do something different with this course and exam. When the exam began, I wanted to actually kind of get a schedule for myself, so I know I could keep on track. There are less machines, just slightly less than what you would see on OSCP, maybe if you're more used to that. That's a good thing.
But it also means that it's higher stakes, because OSCP you need 70 points to pass. I don't know what numbers I'm holding it. For OSCE, you need 85 points to pass. So you essentially need to compromise everything. Truth be told, that's just what you have to do. And I'll dive more into that. But those are the challenges. And I tried to break it down. Hey, time wise, this is how much time I have allocated for each of these things. It's not going to take you this much time, or at least we can hope that it wouldn't take you this much time to go through some of these challenges. The ones that are more OSCP-like, you might be able to whip out pretty quickly in a couple hours. And then the other ones you're going to need to spend a lot more time with, because you are wrestling with your debugger, you're trying to figure out why your shellcode doesn't work, you're determining bad bytes, you're getting your offset, you're doing all those exploitation things. So, okay, next thing that I kind of want to touch on is, do your research. Seriously, do your homework. And I don't know, I might just be crazy about this. This might just be like a strange symptom or condition that I have, is that I will Google so much. I'll Google everything, just literally Google "OSCE review", "OSCE exam recap", "OSCE", and just, I want to get other people's experiences, I want to get their resources, I want to learn what they did to prepare. And I really, really recommend you do the same. You literally just Google the course name, and there are tons of these out there. Maybe less so than OSCP, right, because it's a little bit more specific and niche. I did make a little list of a lot of these reviews you can go check out. And I'll share this, I guess, in the description, or if anyone wants it, ping me, message me, Discord, etc. Okay, a lot of these you can just find simply by Googling. And this is probably just a data dump of like the first Google results.
What I would kind of recommend as a Bible for your study, if you're going ahead and researching and doing some of these things: Tulpa Security has a phenomenal resource on actually prepping and preparing for OSCE, the Certified Expert exam. They kind of tout the same things that I do. They actually mention SLAE, or the shellcoding Linux advanced exploitation thing that SecurityTube or Pentester Academy put out. Some people ask me, hey, is this a good course to prep for OSCE? Yes. So I bought SLAE, and I did it because it was only, I think, like 130, or it wasn't a whole lot of money. It would be easy to just kind of jump in and check out the videos, learn a little bit. It did help me with learning assembly and it did help me with getting shellcode, manually writing shellcode, kind of down pat, and actually is what spawned that Hello World video that I had made in assembly that for some reason got like 100,000 views. Thanks for that, guys. But I do really recommend, if you're willing to spend the extra cash, go and check out that SLAE course. You don't have to. I recommend it; it's not necessary. But if you just feel like you want a little bit more exposure, that is a great thing to include. And that you can find out there, or just Google "SLAE course". I think it might have a different name now, honestly, Pentester Academy and a bunch of other stuff. But get your material ready. I spun up a virtual machine, and I would have a VirtualBox that was ready for me with Windows XP, Windows 7. Windows 7, actually, I made sure to get a 32-bit one, and make sure you get an x86 32-bit one, because finding an egg hunter, getting that egg hunter code to work, is going to be very, very different and very, very not working on a 64-bit machine for what you're trying to do when you're testing some of that stuff. Make sure you can get one of those machines. You can find a Windows ISO, I know you can, and get Immunity installed on there, or whatever debugger you want.
Go ahead and get, yeah, I know, Windows, you're not genuine. It's okay. Get Mona, get boofuzz, get vulnserver on there and be able to practice that. I even got like LordPE to do some backdooring stuff. And of course, Immunity Debugger. You can see me dive into more of that, not just talking about it on a surface level, with the vulnserver video, again, HTER, and I'll make more of those. It sounds like you guys really like those and you want to see more of those. I'll cover those in a later video. Really, really recommend Tulpa Security, because it's great to kind of get a sanity check and just a benchmark on every single section, what it's going to end up covering, what resources they recommend and other things you can learn from. The biggest thing that I did to prepare was practice with vulnserver. You guys have probably already heard of vulnserver and you know that I made a video on it for just HTER, one. Stephen Bradshaw is the guy that put this together. It's just a Windows binary. It's just a command line server that opens up a socket, listens on a port, and you can have vulnerable commands or vulnerable functions that that program is going to do. They don't do anything. They literally are useless, other than to showcase you can exploit this vulnerability. It's just for learning purposes, just for the sake of your education. And this is so well known now that there are tons of write-ups and kind of even video tutorials, right, on how to go through a specific function and how to break into it. You can find it on GitHub. I really, really, really, really recommend doing this. I probably would not have passed had I not practiced and kind of written a lot of code and made things already set for myself with vulnserver. That is really what I tout by. I'm showcasing the GitHub screen and I realize you can't see it. Go download it. Stephen Bradshaw, vulnserver, get it on your Windows machine and tinker. It's very, very cool.
They showcase even some tutorials here, SPIKE, SEH stuff. And oh, looks like Grey Corner actually has some. Stephen has some as well. Ones that I ended up using, and I tout by this as well, is h0mbre's blog. I don't know if I'm pronouncing your name right. Please forgive me. He ran through OSCE and he did so much prep to work through this sort of thing with fuzzing, with SEH overwrites, with egg hunters, and he did it all with vulnserver and some other things that he actually recommended. You can dig through a lot of his pages. I think they're on like page three or four. You can see his last post, and then before he gets into lots of different other, here's how I did this specific function in vulnserver, here's what I learned, here are the resources that I went through and found that out. And really recommend you go through LTER. That is the hardest, most toughest one. HTER just has that hex encoding gimmick that I showed you in that video. GMON is absolutely necessary because that showcases an SEH exploit. TRUN is the kind of classic buffer overflow that you could essentially see in OSCP or other simple, right straight to the point buffer overflows. sh3llc0d3r also has some great write-ups on these. I really recommend you go check out those if you just can't track down or figure out, hey, I'm beating my head against the wall, I don't know what I'm, I haven't got a lead on a vulnserver function. There's no shame. There's honestly no shame in just looking up a write-up and trying to learn, because that's the whole thing. You're trying to learn. Don't shame yourself on that if you're like literally wasting time because you can't get any progress. It's okay to research and do that, look. h0mbre also showcases some other things you could just pull off of Exploit Database and see if you could recreate or also craft your own exploit for that specific program. I never ended up doing this, but it was on my list. So take that with a grain of salt.
If you want the extra practice you can totally do it. I didn't really need it. I think vulnserver was enough. Maybe I just didn't make time for it. h0mbre also recommends a little bit of boofuzz and some cool scripts and tools that he's put together for even exploiting HTTP or some kind of services that might need more of a specific header or prefix in the packets and the data that you send it, because you might need to fuzz in a different location. It might not always be one specific input for the program you're exploiting. Okay, really, really, really recommend you practice on those. Let me get into the last thing that I'll talk about, and then I'll pivot to some of my other code and things: sub-encoding. We mentioned that you are going to be backdooring some executables. You're going to be putting in a backdoor so that it will call back to you with a reverse shell or a bind shell, whatever you want to create, while it opens up and runs a regular program like calc or Notepad. A lot of times, in some cases, some of these binaries are going to be sensitive for bytes that aren't just alphanumeric. Let me go to my face so I can get real with you guys. That is hard to do, for one thing. And you have a big restriction. You have so many bad bytes and only a limited sort of good bytes. So what you can do is you can sub-encode your shellcode so that you actually use the ESP register, so you can push something onto the stack and then pop it on there. So literally as if it's generating, or what's the right word? It's not dissolving and evaporating or like making it disappear, operating on the stack and into the instruction set that your program is going to run through. That is something that I would really recommend that you learn how to do. In fact, I would recommend you learn how to automate sub-encoding. There are some resources that I saved. Okay, yeah. Some resources that talk about how you can do this kind of by hand.
And then I would recommend you sort of abstract that and write something that can get some specific hex instruction and determine how you can go ahead and calculate parts of it, or chunks, that will help you on the stack build up and do some math to get the instruction that you need in whatever chunks are necessary. This goes into a little bit more in-the-weeds stuff. I won't talk about it right now. But I really, really, really recommend that you know how to do this, for one thing, manually. You're going to have to; it's in the books and you're required to. But automating this process is really going to help you when it comes down to crunch time, because you need to actually have this set up. You're going to have to use this. You're going to have to sub-encode. So know how to do that. Okay. And another good link on showcasing that, that might help it stick in your brain, is VelloSec. They have a good article on this, and it showcases just another methodology, or maybe a better way of at least explaining or describing the process to you, so you understand how you're using different registers to store a value, doing some math to get the correct value only using alphanumeric bytes again, and then putting that on the actual instructions, and it'll just be executed because you grew it into your program, which is kind of cool. I really think it's a fascinating technique and it's super cool. So automate this process if you can. I really recommend it, or at least know what it is and know what you're doing. Okay. Those are the talking points that I want to give. Now I guess we can kind of dive into the stuff that I have, my files here. What I do when I am going through the videos for Offensive Security, I should have mentioned this at the beginning: when I'm going through and making that markdown file, what I do is I go through every single video and I take notes on it personally.
That's just me, and I'll actually rename the video in order, with kind of a note as to like what the heck this just taught me, so I can just simply search a specific topic just by the file name. If I need it in the middle of the exam, I can go track it down and know what it is. A lot of these, I just feel like, oh, this is a useless introduction to a new topic. And some of them are like, okay, this is actually important, and I should know how to find this if I need it in the future. I also wrote code for a lot of things that I'm going to end up trying to do. In some cases, I would... This is a cool resource, actually. If you haven't seen the SimpleHTTPServer with upload, you've seen the Python 2 module SimpleHTTPUpload, or excuse me, SimpleHTTPServer. And that will allow you to download files, to get one thing to another host with HTTP. Upload will also let you go back and forth. You just have some upload functionality. That's kind of cool. Kind of nice. Do that in a web browser. Make that in there. I wrote some things that would generate pwntools assembly code, work for that in a nice, interpretive way so I can tinker with it on the fly. I also had stuff to prepare my report. I also had stuff to make assembly, just quick, shorthand convenient functions, and vulnserver. I made folders for everything that I did and went through when I was trying to put things together with vulnserver. Oh, actually, that's a fine tangent. I would take notes for every single section of what I was doing, because there are different parts that you go through in an exploitation procedure. LTER is the hard one because you have a structured exception handler. You also have finding bad bytes, and that one actually I think is encoded, or it has an alphanumeric restriction. So, see some of my code for that. We can dive into that if you want. boofuzz results, et cetera, et cetera. What does this README say? Let's check it out together. Open it with Sublime Text. Stupid.
That's, okay, I was gonna say that's not a README. Oh, this is just getting boofuzz installed. Go check out boofuzz. I really, really recommend you do that. Before I lose the topic of sub-encoding, because I know that's recent: Slink sub-encode GitHub. Slink is the name of a tool that can do this. h0mbre mentions it. Slink, yeah. That's ihack4falafel. Credit to him for building that sort of thing. Slink is strange and that's written in Python too. And it also has a lot of time.sleep calls, which are weird. If you want, you can patch those out and remove kind of the unnecessary output, so if you're sub-encoding a giant piece of shellcode you won't have to remove all those things to copy and paste them. Really, really cool tool that will automate it. And you are not allowed to use that tool on the test. But good to know that it exists. And if anything, what I would recommend is you can do any of your own things. So why don't you write the tool? If you claim it as your own, if it is your own code, you made it, your initiative, then I think that is what they're wanting to see for Offensive Security grading your test. Okay. That's enough of Slink. That's enough of vulnserver. The syllabus you can go find online. Again, I included Immunity Debugger and Mona. I had that in my virtual machine. I submitted a lab report. I know you don't have to, because they don't ask you to do that in OSCP. You can optionally supply one. I saw actually in the exam guide, though, that if you want to submit it, you can. So what I did is I took all the notes that I did while I was going through the videos and then I just pooped that into a PDF file and sent that in as a log of my report. That was 49 pages, and my exam report, just a quick zoom in on that, that was 77 pages. Maybe an idea for what you want to write and how much you want to write of it. Okay. That is really everything that I kind of wanted to give to you guys. I hope that maybe this will help.
I would, I'd recommend practice, right? You know my opinion, and I've probably said it before, on the mantra of "try harder". No, it is not "try harder" with an angry face telling you to, hey, GTFO, RTFM. It's "try again", in my opinion. Keep at it and practice. I think I spent a lot of time in vulnserver because I would literally try and go through every single function, and I would have a script ready for me and how I would want to use that, and I'd mastered the SEH technique. I'd mastered sub-encoding. I'd mastered using an egg hunter. I'd mastered the XOR stub, that procedure in Immunity or OllyDbg, whatever you choose to use. Practice, practice, practice. I hope I can give you enough resources with everything that I've shared to let you go at it and jump in. I'm opening that back up in Sublime Text so you can see it. I'll share this and again, obviously you can ping me on the Discord server. Reach out to me. I'm here to help you guys. I want to help you guys, but there's so much information. I know you've got this. Crank through it. Cool. Hey, thank you guys so much for watching. If you did like this video, please do leave that like. Hit the thumbs up. The thumbs up one, not the thumbs down. If you do hit the thumbs down, hit it twice so I know you didn't like it that much. Leave a comment, do the YouTube algorithm stuff and subscribe. A stutter. A stutter, subscribe. Thanks for watching, everybody. I'll see you in the Discord server. Love to see you on Patreon. Love to see you on PayPal. Thanks again. Take care.
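The sub-encoding arithmetic the video describes (zero a register, subtract a few operands made only of allowed bytes so the register wraps to the value you want, then push it) carried through as an added example in Python; this is not code from the video, from Slink, or from any blog it names. The alphanumeric byte set, the target dwords and the three-then-four operand fallback are constructed assumptions, and the example stops at finding and verifying the operands.

```python
"""Sub-encoding arithmetic: find SUB operands built only from allowed bytes.

Constructed example. The decoder the video describes does EAX := 0, then
EAX -= a1, EAX -= a2, ... so that EAX wraps (mod 2**32) to the wanted
value, which is then pushed onto the stack. Every byte of every operand
must come from the allowed set, so the search runs byte by byte, least
significant first, carrying into the next byte position.
"""
from typing import Iterable, List, Optional

MASK32 = 0xFFFFFFFF

# Constructed restriction: printable alphanumerics only, the case the video describes.
ALNUM = b"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _find_bytes(total: int, count: int, allowed: List[int]) -> Optional[List[int]]:
    """Find `count` bytes from sorted `allowed` whose plain integer sum is `total`.

    Depth-first search; the bounds check prunes any branch whose remainder
    could not be reached with the slots that are left."""
    if count == 0:
        return [] if total == 0 else None
    lo, hi = allowed[0], allowed[-1]
    for b in allowed:
        rest = total - b
        if rest < lo * (count - 1) or rest > hi * (count - 1):
            continue
        tail = _find_bytes(rest, count - 1, allowed)
        if tail is not None:
            return [b] + tail
    return None


def sub_encode_dword(target: int, allowed: bytes = ALNUM, max_ops: int = 4) -> List[int]:
    """Return operands whose sum mod 2**32 is (-target) mod 2**32, with every
    byte of every operand drawn from `allowed`.

    Subtracting them in turn from a zeroed EAX leaves EAX == target. Three
    operands are tried first; a fourth is used only when some byte value
    cannot be split into three allowed bytes (three alnum bytes sum to
    0x90..0x16E, which leaves byte values around 0x6F..0x8F unreachable).
    Raises ValueError when no operand count up to max_ops works.
    """
    allowed_sorted = sorted(set(allowed))
    need = (-target) & MASK32              # what the operands must sum to, mod 2**32
    for count in range(3, max_ops + 1):
        ops = [0] * count
        carry = 0
        ok = True
        for i in range(4):                 # least significant byte first
            byte = (need >> (8 * i)) & 0xFF
            split = None
            for carry_out in range(count):  # carry passed to the next byte position
                split = _find_bytes(byte + 256 * carry_out - carry, count, allowed_sorted)
                if split is not None:
                    carry = carry_out
                    break
            if split is None:
                ok = False
                break
            for k, b in enumerate(split):
                ops[k] |= b << (8 * i)
        if ok:                             # carry out of the top byte vanishes in the 32-bit wrap
            return ops
    raise ValueError(f"0x{target:08x} cannot be sub-encoded with {max_ops} operands from this byte set")


def simulate(operands: Iterable[int]) -> int:
    """Model the decoder: EAX := 0, then EAX -= op for each operand, 32-bit wrap."""
    eax = 0
    for op in operands:
        eax = (eax - op) & MASK32
    return eax


def only_allowed(operands: Iterable[int], allowed: bytes = ALNUM) -> bool:
    """True if every byte of every operand (as it would sit in the SUB immediate) is allowed."""
    good = set(allowed)
    return all(b in good for op in operands for b in op.to_bytes(4, "little"))


if __name__ == "__main__":
    for dword in (0x6F6F6F70, 0x7F7F7F80):       # constructed targets: 3 operands, then 4
        ops = sub_encode_dword(dword)
        print(f"0x{dword:08x}: " + " ".join(f"0x{o:08x}" for o in ops),
              "->", f"0x{simulate(ops):08x}", "alnum" if only_allowed(ops) else "BAD")
```

Trying a digits-only allowed set on a target such as 0x00000001 raises ValueError, which is the failure mode the video alludes to when the good-byte set is too small.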