How would you respond to such a proposal? There is a topic that most information security specialists avoid, called “binary exploitation”. First, you need to solve an entry task: reverse the assembly code and generate a key, then you get 60 days on a lab stand from the 2000s. Then you can prepare using the book, but it will help you understand the topic by only 20 percent. Then there is an exhausting exam of four tasks in 48 hours, and immediately after it you are given 24 hours to prepare a report in English. And all this pleasure costs $1800.
I said, “Give me two!”
So, below I will tell you how I prepared for and passed the exciting exam for the international penetration testing certificate Offensive Security Certified Expert, or OSCE for short, from Offensive Security.
This organization has several other certifications, but “Expert” implies confirmed expert-level knowledge in several areas at once: attacks on web applications, attacks at the network level, fuzzing and exploit development for Windows x86. Although the course is often criticized for being outdated, the basics of exploitation have not changed, and as a result a lot can be learned:
- find and exploit web vulnerabilities, for example XSS or path traversal, escalating them to a complete compromise of the operating system;
- conduct network attacks: GRE sniffing, SNMP attacks, bypassing access lists using spoofed SNMP requests;
- find buffer overflows using fuzzing and use them to take control of the program, bypass protection mechanisms (stack overflow, ASLR bypass, egghunter, bad characters, etc.), and also bypass static antivirus detection.
What kind of beast is the OSCE: an example
In order not to overload the article with technical terms and abbreviations, I will give a typical example. Imagine that you have software that receives data over TCP, and you need to attack a remote server on which this software is deployed in order to execute commands at the operating system level.
- First, we analyze the protocol at the network level: we need to break it into its components and highlight all the places that make sense to modify. Then we write a fuzzer that substitutes various values in all these places and sends them to the server.
- After a while, a certain string buffer with a certain character and/or length will cause a stack overflow, which breaks the program and leads to its critical termination (a crash).
- Next, using this buffer, you place the payload (assembler instructions in binary form) on the stack, but not just place the instructions there: you take control of the EIP register. To do this, you either simply find the right offset in the buffer, or try to trigger an SEH exception.
- After hijacking EIP, control must be transferred to your own sequence of instructions. The difficulty here is that the data in memory lands at a new address each time. Therefore, you need to find in memory a static address holding an instruction that refers to a register, which in turn points to a memory area (writable and executable) where your data can be placed.
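The stack overflow at the heart of the steps above, as an added example that is not from the article or from Offensive Security's course material: a handler for a length-prefixed TCP field in its vulnerable form beside a hardened version that checks the declared length against the destination buffer before copying. The wire format (2-byte big-endian length, then that many bytes) and all function names are assumptions; the post does not specify the protocol.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed wire format for this example (an assumption, not the article's
 * protocol): a 2-byte big-endian length field followed by that many bytes. */
#define FIELD_MAX 64   /* size of the fixed stack buffer inside each handler */

/* Vulnerable handler: checks the declared length against the packet it
 * received, but never against the destination buffer. A declared length
 * above FIELD_MAX makes memcpy run past 'field' into the saved frame
 * pointer and return address: the stack overflow a fuzzer finds in step 2. */
int handle_field_vulnerable(const uint8_t *msg, size_t msg_len) {
    char field[FIELD_MAX];
    if (msg_len < 2)
        return -1;
    size_t declared = ((size_t)msg[0] << 8) | msg[1];
    if (msg_len - 2 < declared)
        return -1;                      /* truncated packet */
    memcpy(field, msg + 2, declared);   /* BUG: no bound against sizeof field */
    field[declared] = '\0';             /* BUG: off by one even at declared == FIELD_MAX */
    return (int)strlen(field);
}

/* Hardened handler: the declared length is bounded by the destination
 * (leaving room for the terminator) before any copy happens. */
int handle_field_hardened(const uint8_t *msg, size_t msg_len) {
    char field[FIELD_MAX];
    if (msg_len < 2)
        return -1;
    size_t declared = ((size_t)msg[0] << 8) | msg[1];
    if (declared >= sizeof field)
        return -1;                      /* would not fit: reject, never truncate silently */
    if (msg_len - 2 < declared)
        return -1;                      /* truncated packet */
    memcpy(field, msg + 2, declared);
    field[declared] = '\0';
    return (int)declared;
}

/* Builds a frame of n filler bytes into out[]; returns the frame length, or 0 if it does not fit. */
size_t build_frame(uint8_t *out, size_t out_cap, size_t n, uint8_t fill) {
    if (n > 0xFFFF || out_cap < 2 + n)
        return 0;
    out[0] = (uint8_t)(n >> 8);
    out[1] = (uint8_t)(n & 0xFF);
    memset(out + 2, fill, n);
    return 2 + n;
}

/* Convenience for the demo and tests: a frame carrying n bytes of 'A' run
 * through the hardened handler. -2 means the frame could not be built. */
int hardened_result_for(size_t n) {
    uint8_t frame[4096];
    size_t len = build_frame(frame, sizeof frame, n, 'A');
    return len ? handle_field_hardened(frame, len) : -2;
}

/* Constructed frame that claims 50 bytes but carries only 5: both handlers must reject it. */
static const uint8_t truncated_frame[] = { 0x00, 0x32, 'A', 'B', 'C', 'D', 'E' };

int truncated_result_hardened(void)   { return handle_field_hardened(truncated_frame, sizeof truncated_frame); }
int truncated_result_vulnerable(void) { return handle_field_vulnerable(truncated_frame, sizeof truncated_frame); }

int main(void) {
    uint8_t frame[4096];
    size_t len = build_frame(frame, sizeof frame, 10, 'A');
    printf("10-byte field:  vulnerable=%d hardened=%d\n",
           handle_field_vulnerable(frame, len), handle_field_hardened(frame, len));
    printf("200-byte field: hardened=%d (rejected)\n", hardened_result_for(200));
    /* handle_field_vulnerable on the 200-byte frame smashes the stack; built with
     * -fstack-protector-strong it aborts with "stack smashing detected", which is
     * the crash a fuzzer would report. Deliberately not called here. */
    return 0;
}
```

The detail worth noticing is that both handlers validate something: the vulnerable one only checks that the packet is long enough for the declared length, which is a completeness check, not a bounds check. Compiling with `-fstack-protector-strong` turns the overflow into an abort rather than a hijacked return, but the fix is the comparison against `sizeof field`, not the canary.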
It seems that all that remains is to lay out the shellcode, and everything is very simple. But it happens that first you need to bypass the ASLR mechanism, if you cannot find a static address in memory, or it turns out that the buffer in memory is limited to an alphabet (allowed characters); then you need to collect all the allowed characters and build a chain of alternative instructions from them. And if the buffer is limited in length, you need to find another place in the program's memory where you can place additional data, locate it in memory and jump to it (the egghunter technique), or even write your own shellcode that does what you want within the given constraints.
It also happens that this additionally placed data is partially corrupted, so you have to assess the damage and figure out how to work around this limitation: for example, remove bad characters, chain your shellcode, and chain your calls. To complicate matters, the debugger (your main tool) may not allocate memory properly and may display memory contents incorrectly while debugging – Bingo!
In fact, binary exploitation, and penetration testing in general, is a game of bypassing a pile of restrictions, using various techniques and applying ingenuity. Solving such a task can take from 6 hours to infinity, so 48 hours for 4 tasks does not seem excessive to me.
How I passed the exam
I managed to pass the OSCE on the second try. The first time – this was in June – I could not prepare properly for the exam due to the workload on projects, but as a “real pentester” I decided to do everything “on the fly.” As a result, in 48 hours, 10 of which were spent on sleep, I solved only 1.5 problems.
In September, I made a firm decision to approach everything thoroughly: to study more topics, including those related to exploitation (and this turned out to be a bottomless pit), to do all the lab exercises, to talk to other experts, to think over the tasks from my first exam attempt, and to prepare various scripts for automation.
As a result, the second attempt was in November: during the 12 hours of the exam, I drank 7 cups of tea, took a couple of pills for headaches, had a delicious dinner, walked in the yard – and all 4 tasks were solved. Fortunately, they were similar to those I had come across on the first try. After a pleasant sleep, it took another 5 hours to write the report, and a day later I was told that the exam had been passed successfully and that I could ask management for a salary increase.
Updating certification rules
In October 2020, Offensive Security stated that it plans to update the OSCE course. Already now, this certification can no longer be purchased, and under the new rules OSCE status can only be obtained by passing three exams:
- Advanced Web Attacks and Exploitation (AWAE)
- Evasion Techniques and Breaching Defenses (PEN-300)
- Windows User Mode Exploit Development (WUMED) – to be announced in 2021
It turns out that I tried in vain and now I have an outdated certificate? But no, the company adheres to the position “Anyone who has earned an OSCE will always retain it”, which means that anyone who has received an OSCE keeps it forever. Probably, many people choose Offensive Security for this. Yes, it’s expensive, yes, the training manuals are weak, yes, the exam is exhausting and full of pitfalls, but once you pass something, you carry this title until the end of your days! Unlike a bunch of other certifications, where every 2-3 years you have to keep paying for renewals and new exams.
What did the certification give me in the end?
- Most importantly, I got out of my comfort zone and learned more about the basics of binary exploitation. Even my experience as a virus analyst and passing the OSCP did not give such an impetus, allowing me to feel comfortable while studying the next exploit.
- Now I am not afraid of the term “shellcode” and understand a lot of nuances.
- I learned how to write exploits on my own, of course, at the level of bypassing the security measures of the 2010s, but this is only the first step.
“I am an expert, what have you achieved?”
- Together with the team, I will use the knowledge gained on penetration testing projects: modifying exploits, bypassing security measures.
- I will continue to study the currently relevant techniques.
- I will delve into the architecture of operating systems.
- I will receive new useful and beautiful “pieces of paper”.
Would I take the exam at my own expense?
Our company pays great attention to developing the team's hard and soft skills, so I managed to get certified at the employer's expense. Otherwise, perhaps, I would have decided on such a challenge only for the sake of the certificate itself. To gain only knowledge (and save personal finances), it would be wiser to study the leaked materials and the blogs of other pentesters on medium.com, recreate and work through the lab stand, and also pay attention to other courses, for example, SLAE.
Will I continue to take Offensive Security exams?
Of course. I am generally satisfied with the “try harder” approach, their new courses are interesting, and everything else can be survived.
P.S. Thanks to my colleagues and my girlfriend who supported me!