Preparing for something you have no idea about can be both time-consuming and tedious. You are never sure whether what you are doing is good enough. This is exactly the case when you are preparing for the Offensive Security Certified Expert (OSCE) certification.
Unlike other study guides and tips available for OSCE, I am not assuming much technically, except that you want to take on OSCE, you have the time to study for it, and you have at least some experience in the information security industry. I can tell you what you need to study, but the rest is up to you: practice the topics multiple times to make sure you understand everything. The guide needs to be followed in the order it is written.
Before we start diving into the learning material, we need to set up the lab environment. Some of the resources outlined below do not specifically mention the environment they use, so it’s better to take care of this before we start. We will be installing a lot of similar tools, mostly because different resources follow different tools and techniques. I will let you figure out how to set these tools up. It’s a learning experience.
It does not matter whether you are running a Linux distribution or Windows as your host operating system, but I do recommend something you are very familiar with. Next you need either VirtualBox or VMware Player; both are available for free. Then grab an ISO of Windows XP SP3, Windows Vista/Windows 7, and Kali Linux, and set them up in your virtualization hypervisor. Once they are up and running, install the following two tools on both Windows XP and Windows Vista/Windows 7:
- Immunity Debugger with Mona.
- NetWide Assembler (nasm).
Once you are done setting up your environment, proceed further.
1. Basic Stack
Now that you are comfortable enough with x86 assembly language, you understand how the stack works, the different types of calls, endianness, and the basic instruction set, it’s time to move forward and learn about stack/buffer overflow basics. Understanding how the stack works is crucial to understanding how to exploit overflows in it.
Firstly, I recommend reading the following article by Corelan and following its entire methodology to see how everything fits together.
2. Beyond The Basic Stack
By now, you should be comfortable with basic buffer overflows and with looking into a debugger. If you are not comfortable inside a debugger, I suggest reading this paper. It covers working with Immunity Debugger in great detail.
Once you are done with that, it’s time to step up your game and learn more about buffer overflows. Now I recommend taking a look at the “Exploits 2: Exploitation in the Windows Environment” class by Corey Kallenberg. You can check it here. This class takes you from the very basics of exploit writing to strong concepts like SEH overflows, DEP, and so on, in the Windows environment. I highly recommend that you watch all the videos. There is a class prior to this one, called Exploits 1, which covers exploit writing in the Linux environment and is a very good starting point as well.
3. Egg Hunters
Once you are comfortable enough with the above resources, it’s time to go even further and learn about egg hunters. They are very handy when it comes to exploit writing, and you will know why once you go through the following resources.
- “Safely Searching Process Virtual Address Space” by Skape
- Egg Hunters – Fuzzy Security
- Egg Hunters – A Twist in Buffer Overflows
4. Fuzzing
It’s great that you can write exploits for vulnerabilities that others have already found, but how do you go about finding them on your own? This is the 0day angle, and this is where fuzzing comes in. There are various types of fuzzers available, each with different capabilities.
You can learn more about fuzzing here:
Once you have gone through the above resources, it’s time to practice fuzzing with SPIKE on VulnServer. There are many great articles written on it, and I suggest going through them one by one. You can download VulnServer from here.
- An Introduction to Fuzzing: Using fuzzers (SPIKE) to find vulnerabilities
- Vulnserver – Fuzzing with Spike
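To make the SPIKE idea concrete before you touch VulnServer, here is an added example (my own, not from this post or from the SPIKE/VulnServer authors) of the block-based approach SPIKE uses: a template of fixed bytes with one variable field that is swapped for a series of growing payloads, run against a target, with every input that crashes the target recorded for triage. The target is a constructed toy parser with a planted length-check bug; the command names, the slot size and the payload list are all assumptions made up for the demonstration, not anything from VulnServer.

```python
# Added example: a minimal SPIKE-style block fuzzer against a constructed
# in-process target. Nothing here talks to a network service.
MAX_ARG = 64  # constructed: size of the fixed-size argument slot


def toy_parse(line: bytes) -> str:
    """Constructed target: parse 'CMD arg\\r\\n' and handle a few commands."""
    line = line.rstrip(b"\r\n")
    if b" " not in line:
        return "ERR no command"
    cmd, arg = line.split(b" ", 1)
    if cmd == b"STATS":
        return "OK stats"
    if cmd == b"TRUN":  # hypothetical command name (constructed)
        # Planted bug: the length check tests the wrong variable, so an
        # oversized argument reaches the fixed-size slot. Python cannot
        # smash a stack, so the overrun is modelled as an exception, which
        # is exactly what the harness below treats as a crash.
        if len(cmd) > MAX_ARG:
            return "ERR too long"
        if len(arg) > MAX_ARG:
            raise MemoryError("slot overrun (simulated crash)")
        return "OK trun"
    return "ERR unknown"


def spike_strings(max_len: int = 4096) -> list:
    """Mimic SPIKE's s_string_variable(): a fixed set of growing payloads.

    Doubling lengths find the rough overflow threshold quickly; the extras
    exercise format strings, NUL bytes and a very long input.
    """
    out = []
    n = 1
    while n <= max_len:
        out.append(b"A" * n)
        n *= 2
    out += [b"%s" * 50, b"\x00" * 100, b"A" * 65535]
    return out


def fuzz(target, template: list) -> list:
    """Run every payload through the template and collect crashes.

    template is a list of blocks: bytes are sent as-is (s_string),
    None marks the variable field (s_string_variable).
    Returns [(payload, exception_name), ...] for inputs that crashed target.
    """
    crashes = []
    for fuzz_str in spike_strings():
        payload = b"".join(fuzz_str if block is None else block
                           for block in template)
        try:
            target(payload)
        except Exception as exc:  # any uncaught exception == crash
            crashes.append((payload, type(exc).__name__))
    return crashes


def run_campaign() -> dict:
    """Fuzz the argument of each constructed command; map command -> crashes."""
    results = {}
    for cmd in (b"STATS", b"TRUN", b"HELP"):
        results[cmd.decode()] = fuzz(toy_parse, [cmd, b" ", None, b"\r\n"])
    return results


def smallest_crash(crashes: list):
    """Shortest crashing payload: the first thing to reproduce by hand."""
    return min((p for p, _ in crashes), key=len, default=None)


if __name__ == "__main__":
    for cmd, crashes in run_campaign().items():
        small = smallest_crash(crashes)
        print(f"{cmd}: {len(crashes)} crashes, "
              f"smallest payload {len(small) if small else 0} bytes")
```

Only TRUN produces crashes, and the shortest crashing payload is 100 bytes of argument, which tells you roughly where the boundary sits before you start pinning it down in the debugger. When you move to a real target the only change is that `target` becomes a function that opens a socket, sends the payload, and reports whether the service stopped answering.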
5. Practice With VulnServer
After you have identified the vulnerable commands in VulnServer, it’s time to write the exploits for all of them, and I really do mean writing an exploit for each and every vulnerable command of VulnServer. Why? Because each vulnerable command requires a different technique, and it is certainly a good idea to go through all of them. I highly recommend that you take the challenge from fuzzing through to writing the exploit yourself, but here are the walkthroughs if you get stuck with them.
6. Bypassing Exploit Mitigation
If you have come this far, you should know by now that there are a couple of things you have had to disable, or an older version of an operating system you have had to use, to write exploits. This is because various exploit mitigation technologies have been put into operating systems to stop exploitation of programs, but there are ways to bypass them. Some of them are ASLR, DEP, SafeSEH, etc. You can learn more about them here:
- Bypassing ASLR/DEP
- Exploit writing tutorial part 6 : Bypassing Stack Cookies, SafeSeh, SEHOP, HW DEP and ASLR
- Exploit Dev 101: Bypassing ASLR on Windows
- Bypassing ASLR and DEP on Windows 7: The Audio Converter Case
Now, I want you to practice the same VulnServer exercise from above on Windows 7 and try to bypass the mitigation technologies using the resources given above.
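Before you can tell which mitigations stand in your way on Windows 7, you need to know which ones a given binary was actually built with, because ASLR and DEP are opt-in per image through the DllCharacteristics field of the PE optional header. The following is an added example of mine (not from this post or from any tool it mentions) that parses that field from a raw file image and lists which of the mitigation-related bits are set. It builds a minimal synthetic PE header inline so it runs offline; that header is constructed and not runnable as a program. SafeSEH is deliberately outside the example: its handler table lives in the load configuration directory, not in DllCharacteristics.

```python
# Added example: read mitigation-related DllCharacteristics bits from a PE
# image (constants and offsets per the PE/COFF specification).
import struct

# IMAGE_DLLCHARACTERISTICS_* bits that correspond to exploit mitigations.
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",  # 64-bit ASLR
    0x0040: "DYNAMIC_BASE",     # ASLR: image may be relocated
    0x0100: "NX_COMPAT",        # DEP-compatible
    0x0400: "NO_SEH",           # image contains no SEH handlers at all
    0x4000: "GUARD_CF",         # Control Flow Guard
}


def pe_mitigations(data: bytes) -> dict:
    """Return {flag_name: bool} for the bits in DLL_CHARACTERISTICS."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                     # 20-byte COFF file header
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                         # optional header follows COFF
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):         # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    if size_opt < 72:
        raise ValueError("optional header too small for DllCharacteristics")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+.
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    return {name: bool(dll_chars & bit)
            for bit, name in DLL_CHARACTERISTICS.items()}


def missing_mitigations(data: bytes) -> list:
    """Names of the two baseline mitigations (ASLR, DEP) the image lacks."""
    flags = pe_mitigations(data)
    return [n for n in ("DYNAMIC_BASE", "NX_COMPAT") if not flags[n]]


def build_header(dll_characteristics: int, plus: bool = False) -> bytes:
    """Construct a minimal PE header for demonstration only (not runnable)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)   # e_lfanew -> right after DOS header
    opt_size = 112 if plus else 96          # Windows-specific fields, no data dirs
    coff = struct.pack("<HHIIIHH",
                       0x8664 if plus else 0x14C,  # Machine
                       0, 0, 0, 0,                 # sections, timestamp, symbols
                       opt_size,                   # SizeOfOptionalHeader
                       0x0102)                     # EXECUTABLE_IMAGE | 32BIT
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if plus else 0x10B)  # Magic
    struct.pack_into("<H", opt, 68, 3)                        # Subsystem: CUI
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Constructed images: one built with ASLR+DEP, one legacy build without.
    for label, image in (("modern", build_header(0x0140)),
                         ("legacy", build_header(0x0000))):
        print(label, pe_mitigations(image), "missing:", missing_mitigations(image))
```

To check a real binary, read the file with `open(path, "rb").read()` and pass the bytes to `pe_mitigations`; a legacy target that reports both `DYNAMIC_BASE` and `NX_COMPAT` missing is exactly the kind of image the tutorials above start from, while a modern build will force you into the bypass material.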
7. Shellcoding
Writing your own shellcode, or even understanding someone else’s, is essential to learning exploit development. There are many times when you might need to craft your own shellcode for various reasons. You cannot always rely on Metasploit! The following resources are very helpful.
- Exploit Writing Tutorial Part 9 – Introduction To Win32 Shellcoding
- ShellCode By Hand
8. Recreating Exploits
Congratulations! You have come a long way. But it does not stop here. You need to work even harder now. What I recommend doing now is going to sites like Exploit-DB, grabbing various vulnerable applications from the local privilege escalation section, and writing exploits for them from scratch. This might seem like a very tedious exercise, but believe me when I say this: it helped me learn so much that wasn’t covered in any of the articles or the course. You get to learn new tips and tricks that can help you complete your exam faster.
9. Web Application Exploitation
Web application security is a very complex topic and one of the core modules in the CTP course. There are many great resources available to study this topic in depth. I would recommend setting up a LAMP stack locally on an Ubuntu server or another distribution and learning by deploying a vulnerable web application such as Mutillidae or DVWA on it.
Some of the important resources are:
- Web Application Pentesting – Webpwnized
- File Inclusion Vulnerabilities
- Guide Book on Cross Site Scripting
- Finding vulnerabilities in Web Applications
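The file inclusion resource above is worth pairing with a look at what the bug is in code. The following is an added example of mine (not from this post or from any of the listed resources) that puts the classic vulnerable pattern beside a hardened version: the vulnerable include joins a user-supplied page name straight onto a base directory, so `../` sequences and absolute paths escape it, while the hardened include accepts only a plain file name with the expected extension and then verifies that the fully resolved path still lies under the base directory. It is written in Python rather than PHP to stay consistent with the other examples on this page; the directory layout, file names and contents in the demo are constructed.

```python
# Added example: local file inclusion, vulnerable pattern next to a hardened one.
import os
import tempfile
from pathlib import Path


def include_vulnerable(base_dir: str, page: str) -> str:
    """Vulnerable: user input joined onto the base path with no validation.

    os.path.join() discards base_dir entirely if page is absolute, and '..'
    segments walk out of it, so any readable file on the host is reachable.
    """
    with open(os.path.join(base_dir, page)) as f:
        return f.read()


def include_hardened(base_dir: str, page: str) -> str:
    """Hardened: allowlist the shape of the name, then verify the resolved path."""
    base = Path(base_dir).resolve()
    # 1. Only a bare file name with the expected extension is acceptable.
    #    Path(page).name strips any directory part, so it equals page only
    #    when page contains no separators or traversal components.
    if not page or Path(page).name != page or not page.endswith(".tmpl"):
        raise PermissionError(f"rejected include name: {page!r}")
    # 2. Resolve symlinks and '..' and confirm the result is still under base.
    #    This also catches a symlink inside base that points outside it.
    target = (base / page).resolve()
    try:
        target.relative_to(base)
    except ValueError:
        raise PermissionError(f"include escapes base directory: {page!r}") from None
    return target.read_text()


def demo() -> tuple:
    """Build a constructed layout and exercise both includes against it.

    Returns (leaked, blocked, ok): the secret the vulnerable include leaks,
    whether the hardened include refused the same input, and the legitimate
    page the hardened include still serves.
    """
    root = Path(tempfile.mkdtemp())
    pages = root / "pages"
    pages.mkdir()
    (pages / "home.tmpl").write_text("welcome")
    (root / "secret.txt").write_text("db password (constructed)")
    # Symlink inside the allowed directory pointing outside it.
    (pages / "link.tmpl").symlink_to(root / "secret.txt")

    leaked = include_vulnerable(str(pages), "../secret.txt")
    refused = []
    for attempt in ("../secret.txt", str(root / "secret.txt"), "link.tmpl", ""):
        try:
            include_hardened(str(pages), attempt)
            refused.append(False)
        except PermissionError:
            refused.append(True)
    ok = include_hardened(str(pages), "home.tmpl")
    return leaked, all(refused), ok


if __name__ == "__main__":
    leaked, blocked, ok = demo()
    print("vulnerable include leaked:", leaked)
    print("hardened include blocked all escapes:", blocked)
    print("hardened include served:", ok)
```

The name check alone is not enough, which is why the resolved-path check stays in: it is the part that stops the symlink case, and it is the check that survives when the allowed name pattern is later loosened.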