What this prep guide is and isn’t
If you have read my OSCP prep guide (https://tulpa-security.com/2016/09/19/prep-guide-for-offsecs-pwk/), then you know that I don’t just dump a ton of redundant resources on you and say good luck. Your time is precious, and your learning should be well calibrated to studying the best quality information available. This prep course is meant to be completed prior to taking the CTP course. If you look at the CTP covers, you’ll find that I don’t delve into some of the course topics and reason for that is twofold. Firstly, this is meant to prepare you for CTP, not to replace the CTP in anyway. Secondly, CTP is an outstanding quality course and some things are covered from the ground up in such a way that you simply don’t need to prepare for it. Although the resources in this course is carefully curated, it won’t do you much good if you simply read the notes and watch the videos. You have to practice! Repetition is the mother of skill, and exploit development is no different.
You will also find that I would recommend reading two tutorials regarding the same topic. This isn’t about repetition as much as it’s about getting two perspectives on the same topic. This is a great way of really deepening your understanding of the course material.
Disclaimer: I am not affiliated with any of the authors of the resources that I mention here. I recommend them and reference them because I truly believe in their work and its applicability to the OSCE certification.
Lesson 0 – Getting your resources together
In order to follow along, you need to get your hands on the Security Tube Linux Assembly Expert (32 bit) course. It’s quite affordable when you consider the value that you’re getting. As you know, CTP/OSCE is windows based so the SLAE material isn’t going to help you with all the concepts, however it does a very good job of covering a wide range of topics that you need to know. I honestly haven’t found a better guide and believe me when I say that I tried.
I am very pleased to share that the kind people from Security Tube is offering readers of this guide 25% off not only the 32-bit SLAE course, but also the 64-bit version! Thank you Vivek Ramachandran for making your excellent material more accessible to the community. To get the discount, you can follow this link: http://promo.securitytube-training.com/slae64092015
For your lab environment I would recommend that you set up three machines. The first obviously being Kali, the second would be a Windows XP SP3 client, and lastly a Windows 7 client. A lot of people e-mailed me when I wrote my OSCP prep course and asked where they can get ahold of older versions of Windows OS’s. I can’t provide you with a download link, but I’m sure that you will figure it out. In my case, I was lucky enough to have some old MSDN disks laying around. After you set everything up and installed immunity and mona (or olly), then be sure to take a snapshot of your machines before starting.
Lesson 1 – Introduction
The key to deepening and accelerating your learning in this particular subject is dependent upon what you do in this first lesson. While not glamorous, this is ideally where you need to spend some time to memorize the various registers and what they are used for as well as the various sections of the debugger. If you know what an EDI register is used for off by heart as an example, then you can think creatively and form a much deeper understanding of the rest of the material going forward. Don’t forget to also focus on the various sections of the registers in terms of AH vs AL etc. What I found very useful was using a flashcard app at brainscape.com. This app in particular is great because it uses an algorithm to determine how well you know each card and then adjusts the frequency in which they appear.
Go through the below resources in order prior to creating your flash cards.
The first resource you need to go through is http://www.securitysift.com/windows-exploit-development-part-1-basics/ This is where you will get the bulk of your information for your flash cards. Also pay particular attention to the layout of immunity debugger. Both Olly and Immunity uses exactly the same layout so rest assured that this information is worth knowing. Also don’t get too intimidated by the PEB and TEB(S) section. If your struggling with that section, then you can come back to it later in the course at it will click.
Next up is SLAE videos 1-7. The total length of these videos are just over an hour, but you can expect to spend an extra 30 minutes on it because of how frequently you will have to pause and take notes for your flash cards.
In the next lesson you’ll be working through GDB. You don’t have to have your flashcards memorized prior to moving onto the next session so no need to pause your progress.
Lesson 2 – GNU Debugger (GDB)
In order to make the most of the SLAE videos, you have to do the GDB course that’s included. I know that you want to get to the meat of the course and start pwning machines, but you have to walk before you can run.
Tip: These videos are very easy to follow along when you up the playback speed. I found x1.75 to be a comfortable speed for these videos particularly (don’t do the same with the rest of the SLAE course). By doing this you can cut the total video time from 3 hours and 40 minutes down to 2 hours and 52 minutes.
Lesson 3 – Basic Assembly
In this section you need to watch the 8th and 9th video in the SLAE series which is only 30 minutes. More than just focusing on the assembly, I want you to pay particular attention to how he uses a syscall to print hello world. This is the essence of shellcoding which we will get to later.
After that, watch SLAE videos 10-12 which will take you 53 minutes. At this stage it’s a good idea to memorize the op codes for one or two commands that will make reading assembly so much easier down the line. The ones that I recommend to include in your own list.
CALL – FF Dx. This could be anything from D0 to D7 based on the register that it’s referencing. Again you’re just trying to recall what a command does when you see it, so you don’t have to memorize the number for each register.
JMP – EB. You’re going to be seeing this one alot!
INC – 4x. Again this goes from 40 to 47 depending on the register. When you fuzz a program you’re going to be using a lot of A’s, B’s and C’s which translate to 41, 42, 43 respectively. That means that sending A (or 41 in hex) to a program, will be interpreted as a INC ECX command. This is useful to know not just for quickly identifying where your offset lands, but also as a reminder that they can be interpreted as commands.
DEC – 4x. This carries on where INC stopped and goes from 48 to 4F depending on the register.
Careful of information overload here. Limit your list to seven or eight opcodes at most.
Lesson 4 – Stack based overflows
The lesson that you have been waiting for. Let’s pop some shells! Go through these two lessons in order first, because the Corelan tutorial does a good job of including a quick refresher of what you have already learned. Remember to DO the work and not just read them over.
Vulnserver is an amazing go to practice and for you to test a ton of your exploits. Once you successfully exploit them, keep those scripts on hand because it’s such a quick way to get some of your shellcode into memory and also to test out some commands.
You can find the download link for vulnhub here, along with a tutorial on how to exploit it in various ways. Try and do it yourself first and if you get stuck then you can have a look the walkthrough for guidance.
Lesson 5 – Useful information
This is a very short lesson to quickly drop you three resources that was very important to me during my OSCE. Firstly, don’t trust windows calculator for hex. We’ll only be doing these manual calculations later in the course but allow me to explain. Open up windows calculator and set it to ‘programmer’ mode. Click on ‘HEX’ in the left hand side and type in 9A and divide that by 3. The answer is 33 right? Wrong. What windows calculator doesn’t tell you is that the real answer is 33 with a remainder of 1.
You can verify the answer here: http://www.calculator.net/hex-calculator.html?number1=9A&c2op=%2F&number2=3&calctype=op&x=68&y=7
Next up, is the best wallpaper you will ever see. It’s been a great reference and I think you’ll find it very useful for CTP http://i.imgur.com/Mr9pvq9.jpg
Lastly, there’s an online disassembler which I used once or twice when I wasn’t at my Kali machine. https://www.onlinedisassembler.com/static/home/
Lesson 6 – Offsets and JMP’s
When your exploit isn’t working as expected then chances are that your offset is wrong. Make sure you keep this information at the forefront of your mind. http://www.securitysift.com/windows-exploit-development-part-3-changing-offsets-and-rebased-modules/
Now it’s time for JMPing around memory. You’ll find in the CTP course that sometimes you need to creatively JMP out of a tight spot to get to a bigger buffer space. At the bottom of the page on the corelan tutorial I’m about to share, you’ll find a reference chart listing a couple of different JMP’s. Pick a couple, load up one of your vulnserver exploits and experiment with them. It’s important that you understand the various conditions that need to be met for some of these JMP’s to occur. https://www.corelan.be/index.php/2009/07/23/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-2/
Also be sure to check out this article for more inspiration: http://www.securitysift.com/windows-exploit-development-part-4-locating-shellcode-jumps/
Lesson 7 – Fuzzing
For the OSCE, you have to use a fuzzer called Spike. While incredibly power and versatile, it’s not the prettiest and require a bit of work on your part. It’s not difficult to use, but it’s very easy to screw up if you don’t pay attention to your fuzzing template. When building a template, be sure to first interact with the program the normal way while running wireshark. As an example, FTP to a server and have a look at what the traffic looks like. Your job now is to create your spike template to replicate exactly what wireshark has captured. Once again, fire it up when running spike to double check that you’re in fact getting the same result. Since your already familiar with vulnserver, it would be a good idea to practice it there. Here are two tutorials that will help you do just that.
Lesson 8 – More Assembly
Now it’s time to watch some more SLAE videos, except this time you’ll notice that I’m leaving out a couple of them. Your welcome to watch them of course, but as I mentioned earlier I want to give you only the essential for you to focus on given your limited time.
The SLAE videos I recommend is 13, 15-21. The total video length is 1 hour and 27 minutes.
Lesson 9 – Structured Exception Handlers (SEH)
Before we start, rest assured that this is not a hard topic. It’s well documented and once you have the hang of it, then it’s a piece of cake. Start out by going through these tutorials first.
Next up, it’s your time to practice SHE on your trusty vulnserver.
Lesson 10 – Egghunters
A lot of people recommend the scape egghunter paper which you can find here. http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf Your welcome to go through it, but I have to say that after spending a whole day on this, I didn’t walk away with much value that I could apply in practice. Don’t get me wrong it’s a great paper, but it was published in 2004 and effectively you’ll only need to make use of one of the egghunters in that paper.
These two tutorials should give you everything that you need to get cracking (sorry I couldn’t help myself with the pun)
Security Sift also talks about a technique called an omelet. You can skip that part because it doesn’t relate to the CTP course. Now head back to vulnserver and give your egghunter a test!
Lesson 11 – ASLR
Alright, this very similar to SEH in terms of complexity (which to say that it’s not that hard once you get the hang of it). You have to keep your blinkers on and only read the section in this paper that covers ASLR and skip everything else.
In fact, don’t spend much time here because the CTP course does a great job of covering everything you need to know about ASLR.
Lesson 12 – Restricted Characters
By now you know all about bad characters and how to identify them. There is a whole chapter in the CTP course that deals with a particularly restrictive exploit which is quite infamous. Grab some popcorn and watch this amazing defcon talk by Mati regarding this very exploit.
At this stage you’ll be able to follow along without any problems, but don’t worry about trying to replicate it just yet. You’ll be spending a lot of time in CTP doing just that. Instead, I would recommend that you head back to vulnserver. Some of the potential exploits have some bad characters that you can play with, but I would recommend a different approach. Create an exploit – and limit yourself instead. Limit a couple of your favorite commands like EB, and find alternative ways to get the same result. JMP commands are a great way of challenging yourself because the results are obvious and requires a bit of creative thinking. http://resources.infosecinstitute.com/restricted-character-set-vulnserver/
Exploit development requires a significant amount of creative thinking. Blindly following steps isn’t going to get you far so make sure you have a few tricks up your sleeve.
Lesson 13 – Mona
The CTP course is delivered in olly, but your welcome to make use of immunity and mona (neither are restricted in the exam). Mona can make your life a lot easier so I would recommend that you spend a bit of time getting to know some of the most commonly used commands. In fact, identifying bad characters is one of the most useful features of Mona so it builds on the previous lesson quite nicely. There is an extensive reference list here: https://www.corelan.be/index.php/2011/07/14/mona-py-the-manual/
Lesson 14 – Shellcoding
Now this is where the fun REALLY starts. Disclaimer – shellcoding per se is not covered in the CTP course. That being said, I think it’s important enough to include here because it allows you to understand what your shellcode is doing, as well as to make some changes to it yourself. Keep in mind however that when you inspect a metasploit generated shell remember not to encode it otherwise it won’t make much sense. For the corelan tutorial, you should not only read it but actually do it yourself. I cannot stress the value of doing this enough https://www.corelan.be/index.php/2010/02/25/exploit-writing-tutorial-part-9-introduction-to-win32-shellcoding/
Now would be a good time to watch SLAE videos 22-26 and pay attention to how he makes use of linux syscalls. It’s only one and a half hour but these videos are particularly packed with amazing information.
Next up check out these guides in the order that they are listed.
Lesson 15 – Anti-Virus evasion
This is a particularly tricky topic to recommend resources on because it’s a very deep rabbit hole. Remember that CTP/OSCE is primarily focused exploit development, and AV evasion is just one part of that. The techniques covered in CTP are a bit outdated, but still form the foundation of many other techniques. Because you can easily get side tracked, I would recommend sticking to the SLAE videos 27-36 only. I know it’s tempting to do more research (and your welcome to) but if your time is limited then you can just focus on the videos which will prepare you adequately. There is 2 hours and 30 minutes worth of information to go through in the videos.
Lesson 16 – Develop your own exploit!
At this stage, you know more than enough go out and create and publish your very own 0day (of sorts). Back in 2016, I discovered a set of 0days in products that are all created by one company. Since then, they have released many more versions of the same software – all of them vulnerable but require different exploits. If you search exploit-db, you’ll find that a lot of other people have created exploits since them for all the various different versions, and have done so in various different ways. Now it’s your turn. Download the software, get fuzzing, develop an exploit and submit to exploit-db J Make sure that it hasn’t been done before for the version that your targeting, and if it has then at the very least you have to use a completely different technique to get it working. The company and software downloads can be found here: http://www.flexense.com/
Here is one example of one of my early exploits for one of their products: https://www.exploit-db.com/exploits/40455/
Fuzzing one of the flexsense products will be a great exercise for you because it challenges you to recreate HTTP traffic in a spike template. Remember to look at EVERYTHING you do under wireshark.
Lesson 17 – Web Applications
Last but not least I wanted to discuss the web application section of the course. CTP does a phenomenal job at covering everything you need to know in such a way that preparing you for it would be redundant. That being said, I want to offer you a few resources and words of advice. The two main topics that you really need to master and know everything about is LFI and XSS. Finding those vulnerabilities are one thing, but make sure you know about the various ways in which you can exploit it to gain remote access to a server. Yup that’s right.
Here are a couple of resources that I found useful in my research of the topic:
Lesson 18 – Now what?
At this stage you should be more than ready to take the CTP course. I would recommend working through the entire CTP course a minimum of three times, and make sure you do everything manually. As an example, you will be expected to do some manual shell encoding. Sure you can do this with a script, but you would really be cheating yourself out of an amazing (and painful) learning experience.
Along the way I would also recommend that you spend a bit of time reading the exploits in exploit-db. I have learned a lot of very useful scripting techniques in a very short space of time because of this. In fact, I would go so far as to say that you start a collection of skeleton exploits for various purposes.
I have also gone through a good couple of books in preparation for the OSCE exam and while some of them are really good (like the Shellcoders handbook), it didn’t really help me all that much. Offensive Security does a fantastic job with the course material and I would recommend that you expand your search for additional material only once you have gone through the manual and videos. The course has less to do with reading material, and more to do with practice. There is no substitution for practice and your time will be well spent doing just that.