Monday, November 3, 2014

My CTP / OSCE story

I generally don't write long course reviews, but the Offensive Security ones always leave a deep impression.


Even before you can register to the course, there is a small, two stage challenge which you need to go through. You need to get your registration key from It's not something super hard, but if you can't do it, probably you are not ready to the course or you just don't try harder.

The course

It's much more different then PWB/PWK, the material itself is smaller, and much more focused on some techniques - in these terms I think it's even simpler then the other one. The course consists of 9 chapters, divided to 5 parts.

The web application angle takes you through two case studies on how to get from simple XSS or LFI to remote code execution, it contains some nice ideas.

The backdoor angle is where you start to live inside a debugger, the first part is manually creating backdoors to PE32 executable, and the second is manually modifying executables to avoid AV detection. The technique is not that effective against today's AV systems, but it's still interesting, and you will learn some cool stuff.

The advanced exploitation techniques discuss the topics of ASLR bypass, and the use of egghunters. This is where you start deep diving in the debugger. :)

The next chapter is the 0-day angle, where fuzzing is added to your skillset, and there is a big case study, which on its own takes a few days to go through, it basically will utilize almost all skills you learned so far during the course about exploit development and add some more to it. By this time Olly Debugger probably became your favorite or most hated application in the world by this time :) and you already know some assembly opcodes from top of your head :)

The last part is the network angle, where you are taken through a case study of a WAN attack against Cisco routers.

Overall I found the course really good. I took SANS's Reverse Engineering Malware earlier this year, which greatly increased my confidence in using debuggers, which was really helpful. The course just added to this level. The time commitment for me was much lower (around 40 hours overall) then what I needed for PWB. I followed OffSec's recommendation in general: read the chapter, watch the videos, and do the exercises. Prior the exam I watched again all of the videos, which was really good, and also took some notes, which wasn't needed at the end. I didn't do any other practicing, probably because I was already confident enough with debuggers, and read / learned about some of the concepts somewhere else already.

As for the lab time: I had one day per week to learn, so I opted for the 60 day time which was more then enough, but if you can focus your efforts for a week or two, a 30 day period should be enough.

The exam

The course will teach you everything you need for to pass the exam. You might need still to lookup some stuff, but you should have all skills to be able to pass. Of course you will require creative thinking and trying harder + not giving up.

My advise before you jump into it: be very confident in navigating in the debugger, in the code itself, know and don't afraid to use the basic assembly instructions, and know a bit of shellcoding.

The challenge is 48 hours long, you got 4 tasks to solve during this time. I can't disclose any information about it, so will just write my experience.
I started at 10 AM Friday, and after reading through the guide I felt that I should be OK. I didn't go in order. I solved my first task in about an hour. The next one took about 5 hours, which was still ok. Then I went for the next one, where I hit a wall, I had quick successes early, and reached a point from where I couldn't move forward. I was experimenting with lots of stuff, but at 10 PM still went to sleep stuck at the same place.
I had better nights already :) was dreaming about debugging and the exam.
Next day 6 AM I jumped in again, after two hours I decided to move to the other task, which was a quick hit again, so I could focus my efforts on this last one, where I was still stuck at the same place. I started to feel hopeless. I went for an hour walk to the cool / sunny weather with my son, and it made a difference, I came back with an idea to try. The idea seemed to work, and I saw the light at the end of the tunnel, but after 3 hours I stuck again, because of another problem. It was the time for a second big walk with the family :) When I came back, I was really tired, my eyes wanted to fall out from their place, but luckily I managed to solve my last problem in the next few hours, and everything became clear, the parts found their place in the big picture and my exploit worked - I was so relieved :). I finished around 7PM. After some break, I started to write the documentation, and I went to sleep. Next morning I finished the document I sent it in.
The entire day on Sunday, I was brain washed, tired so spent half of the day outside, and had a big sleep at the end!
I got my results the next day after submission, it was a great feeling :)

My advice for the exam:
1. Don't consider sleep as a time loss, you need to recover (
2. Take breaks
3. Make a few long walks, it will boost your brain, seriously, again don't considered that as a waste of time, you need some recovery, and my big ideas came during walking (
4. Eat properly

Thanks for my family for their support, and their understanding for the time commitment.
Thanks for the OffSec team for the great training and exam.
Thanks for all the admins I talked with during the exam, everyone had some encouraging words to me, which I really appreciated.


Marcus said...

Congratulations! Long time OSCP here, been considering going for OSCE. Stories like yours are encouraging - thanks for taking the time to write it up.

Unknown said...

Hi Csaba,

I would like to take the OSCE course, but i know that i don't have the right amount of knowledge to take this kind of course.

Do you have suggestions where to begin, maybe other courses more entry-level that i could take to begin.

Thank you for your post !

Csaba Fitzl said...


You can start with OSCP and than move to OSCE. You can also read many articles on the net about exploit development, or reversing. Those can be also useful, but not a must. I think it's much more important in general that you are ready not to give up, while trying harder and harder.


Anonymous said...


I'm also doing the osce exam.
I'm a little bit stucked with the 2 bigger tasks.
Could You give me some sort of hints (blogs,reading,books) where to look up for solutions?

Csaba Fitzl said...

No, the idea is that you solve it alone. I would violate the student agreement if I would give out any hints + I think it would kill the purpose of the exam...

SQUALL said...

Thank you for your greate post. Recently I'm trying the egghunter technique, and managed to put in my egghunter shellcode but couldn't find anywhere to put in my stage2 shell code. Hmm.. Tried to put it with other commands before and after the crash and nothing sticks in the memory. Wondering where should i look into. xD