Cracking the Perimeter (CTP) + Offensive Security Certified Expert (OSCE)

The views and opinions expressed on this site are those of the author. Any claim, statistic, quote or other representation about a product or service should be verified with the seller, manufacturer or provider.

It's been a while (just shy of two years) since I did "Penetration Testing with BackTrack (PWB) & Offensive Security Certified Professional (OSCP)". Over the last couple of weeks I've taken the next step with Offensive Security's training course – "Cracking the Perimeter (CTP)", which, when successfully passed, gives you "Offensive Security Certified Expert (OSCE)" certificate. Below are my thoughts & feelings regarding my overall experience of the course.

Offsec CTP box

Myths

However, before going any further, I would like to dispel up a few "myths", that I've heard, over the years. These "issues" are:

  • Only covers exploit development
  • It's old and "dated"
  • The course itself is (super) hard

Only covers exploit development

Wrong. There are nine modules in the course (syllabus). These can be put into the following four sections:

  • Bypassing Anti-Virus (AV)
  • Exploit Development
    • "Advance" techniques
    • 0Day angle
  • WAN Attacks
  • Web Attacks

Above shows there is more to the course than just exploit development. However, there is more focus on that section than anything else. It's more accurate to say "the main element of the course is exploit development".

People also easily confuse "Bypassing AV" with exploit development as you are using the same set of tools to manually do the encoding - same tools, different purpose.

It's old and "dated"

So what? I don't see an issue with this myself.


The methods and techniques that are covered in the course can still be applied today. Since the release of the course, there has been additional research into each section. As a result, there are different (some people could argue "better") ways to achieve the same outcome. However, being able to understand how these developments came about from the original methods, and give you an alternative technique to use, will give you a broader and deeper understanding.


Some of the standard tools that "everyone" uses are now different. This doesn't mean the techniques are any different. The techniques you need to learn will always be the same. This is especially true as Offensive Security (offsec) likes to show you the manual way of doing things, rather than solely relying on tools to-do the work for you. So even if the course was updated, I believe that the methods would still be the same, it would just be that the interface had changed.

The course itself is (super) hard

PWB is a entry level course, CTP is a intermitted course. There are harder ones to.


The exploit development in PWB is a "taster" with the course material walking you through basic buffer overflows and web attacks. Offsec also have courses called "ADVANCED Windows Exploitation (AWE)" and "ADVANCED Web Attacks and Exploitation (AWAE)"; both of these other courses are even more specialized that CTP.

With that in mind, CTP is somewhere in-between with difficultly. The course starts from the basic in PWB, and stops where AWE & AWAE would take over. For example it's expected that the student knows what EIP is, but they don't need to understand any HEAP exploit techniques.

In the same respect, you'll not be doing any basic "Remote File Inclusion (RFI)", but you are not required to-do a blind "SQL Injection (SQLi)" attacks.

Review

Now, with all that cleared up. Here is my personal experience of going through the course from start to finish. Where possible, I'll try and relate to the PWB course.

Before signing up to the course

I followed along the tutorials from Corelan and FuzzySecurity to improve my exploit development skills (found them both excellent resources for this). I stopped reading them when I got to the HEAP exploitation sections, as this isn't required for CTP. However, this doesn't mean:

  1. You shouldn't know it – it's still good to learn.
  2. If you want to use other methods that are not covered in the course, you are able to, there isn't anything stopping you.

I then moved onto the first few levels of Exploit-exercises's Fusion & Protostar. I didn't feel this was needed, but I felt it was beneficial for me as I wanted something to try out for myself without following a guide (and it's designed to have vulnerabilities to find).


I had already done various web application attacks in designed vulnerable code, so I felt confident in this area and as a result I didn't feel that I needed to-do any extra work in this field. If you want to try some yourself, I would recommend: DVWA, Mutillidae and WebGoat.


Looking into the WAN attacks section; it's done using Cisco routers. When I was doing my CCNA certification, I spent a good amount of time doing extra things that were not technically in the course curriculum. It was a good chance for me to do things like this, that I wouldn't of had access to in my lab, plus my instructor didn't mind. For these reasons, I also didn't worry too much about the WAN attack.


Reading books isn't my thing, but a couple of students have recommended some and they can be found in the list of resources at the end of the page.

Pre-course

Before you're able to sign up for the course, there is a "filter" (fc4.me). This is put in place to make sure that the student who is about to take the course is (hopefully) potentially capable of doing so. This barrier relates to what's required of you from the course.


There isn't any shame in not being able to complete this. It simply means you're not ready... yet!

If you look up the solution online, you're just cheating yourself and wasting both time and money. It's been put there for a reason. Offsec is trying to protect you from yourself (in their own frustrating but necessary way!).

Course

You are provided with the same format for your course material as with PWB, a PDF (~150 pages) and a series of videos (a little bit over 4 and a half hours).

You're also assigned your own machine. However, unlike PWB, you're assigned multiple devices (two machines and a router).


The course material didn't seem to match up as well as PWB (before, it felt like a transcript), for example there were certain sections which were only covered in either the PDF or the video - so be sure to look at both of them.

I would have liked to have seen some more "taxing" extra miles exercises (which I thought was the case in PWB). These extra exercises are optional tasks in the course material to "extend" your knowledge.


Certain things have purposely been "snipped" out of view in the course material. The intention is to make the student think for themselves, instead of just blindly copying the examples. This is another reason why the course is a step up in difficulty.


For me to process all the course material which was provided, took me about 7-10 days. I started off completing two modules a day (sailing through it all) - but this pace didn't last. However, the longest I spend on a single module was a couple of days.

With PWB, I felt the course was building up in difficulty until module 6 (about half way through the course), and then the rest was all down hill - so to speak. However, with CTP, it was all up hill until the second to last module (8 – the HP exploit).


The course begins with web attacks: Cross Site Scripting (XSS) and Local File Inclusion (LFI).

I felt the XSS was only a fraction of a step up in difficultly from PWB and I would have appreciated an automated client (from PWB) to have tested it out on, rather than myself. Additionally the vulnerability could have been more challenging, such as requiring some form of filtering (however this is covered in AWAE).

The directory traversal/LFI was somewhat interesting. It's a publicly known method; however it's not done via the most common way typically shown in examples.


From this point onwards, the rest of the course material was NOT remotely in the PWB course. Bypassing AV was the next category. This consisted of encoding detected files & backdooring existing programs.

Everything is done manually (without relying on other people's encoders/packers). The exact techniques covered have been detected by anti-virus companies as it has been abused for a few years – so don't expect these to work with today's modern AV (or any that's worth their own salt!). However, using the above technique, it only takes a few extra hours to play around and to develop personalized modifications, which, gradually will be detected less and less (the fewer people that know what you did – the longer the chance it will go undetected)...

You can also see this as an introduction into the tools that you'll be using later to do the next section.


The next section is exploit development, which makes up the main "chunk" of the course. To me, all of these modules but the last one (I'll get to that), merged into each other. You begin with a base of an exploit, a "Proof of Concept (PoC)" code and end up creating a "weaponized" exploit resulting in a shell.

After learning a couple of tricks, such as bypassing "Structured Exception Handler (SEH)" and "egg hunters", you re-use them, this time, Offsec guides you through the complete process of discovering the vulnerability to gaining a shell. This can be broken down into; causing a crash by fuzzing, understanding the crash so you can build a PoC, which leads to controlling the registers, from there you look for the user controlled buffer that is in memory, lastly its just a question of squeezing in the shellcode. Once everything is in place, you test the exploit. Trust me; it's not as bad as it sounds!

There are various "commands" missing or incomplete (you just see the output, rather than how it was made). Again, this is done on purpose. For example, when generating shellcode with Metasploit, I had to figure out the bad characters myself. I also found the size of the shellcode was different from the examples, so I needed to-do a little bit of maths and update the values. What the PWB course had over CTP is, it also touches on Linux exploit development, CTP didn't.


Module 8 (the HP exploit), as I hinted at before - I'm not going to forget this exercise! There are various machines that left a scar on me when doing PWB (gh0st, pain & sufferance), but they didn't make an impact as much as this one. This module was hell from start to finish. All the other modules, I was able to-do between half a day to a day. This one took a "while" longer. At the time it was highly frustrating, as my exploit just wouldn't work. I tried redoing it a couple of times, used the examples (I'm still not sure why they didn't work), and, ones from other students (who were doing or had done the course) but none of them would work for me. I had done all the normal tricks of restarting the system, reverting the machine to a clean state, and following the guide exactly to the letter – nothing!

What made it worst was, watching other students who were doing the course at the same time, getting a shell on their first attempt! Having checked the Offsec forum, it was clear that it wasn't just me who was having issues with this task. After reading up on the forum for a few hints, I made a Skype call to a friend (who had already passed the course) with whom I could bounce around ideas. After what felt like a few hundred failed attempts, I discovered my mistake (I'm so glad that person didn't record me doing my "victory cheer/scream"). Due to the non-disclosure agreement I am unable to reveal what I was doing wrong. Needless to say I'm never going to forget it. Looking back at it now, it was so obvious – but not at the time! It's a classic case of "it's easy once you know how".


The last section is a "Wide Area Network (WAN)" attack. The biggest WAN is the Internet, which makes the power of this attack, very scary.

It does require a few things to be "aligned" for it to work, however, I'm sure in "real world scenarios", with some information gathering and poor configurations it can quite easily happen.

There is only one module for this section, so it would have been beneficial to have a bit more padding to the course material. For example, another module or even some "boring" methods (namely, brute forcing) would have enabled me to gain some of the credentials that are required. Brute forcing sadly happens more often than it should, and as a result various companies have had their perimeters breached.


There isn't a "lab" as such, which there was with PWB. There you had multiple networks with pre-populated targets (50 ). This time, you have the course material software pre-installed & configured – ready to be exploited. To help make up for the practice targets, you will need to grab them yourself. This is quite easy and there isn't a shortage of things to-do (see resources at the bottom).

Exam

Unlike PWB, I waited a good while after finishing the course, before taking the exam (three weeks as opposed to two days!). I didn't find the course as taxing & tiring as PWB, however, the CTP exam is double in length (nonstop 48 hours) so I wanted to be well rested before attempting it.

During this time, I went back over the course material again and produced templates of the exploits. The ideas being that these would be "ready to use" for whatever the exam would have in store. With the remainder of the time, up until the exam, I kept on going with the pre-course material that I hadn't completed.


I really enjoyed this exam (something I didn't think I would ever say about doing one!). I liked it much more than the PWB's exam and in an odd way, more than the course itself. I felt satisfied after completing each exam task, somehow it just felt rewarding and that I really did accomplished what Offsec course set out to teach.


48 hours non-stop might seem like a long time for an exam (which it is) and it was hard to find the time to take the exam, however if it was another 24-hour exam I would have failed.


I'm unable to go into details of what's in the exam for obvious reasons. But like PWB's exam, there are multiple machines that have different point values and you require a certain amount to pass. It's also structured in such a way that it forces you to-do certain tasks. However, the style of the tasks are not the same as PWB.

You're only tested on what's in the course syllabus; there isn't anything out of scope, but there are a couple of Offsec curve balls (so watch out)! If you apply the methods and techniques that you learnt, you'll be able to overcome these surprises and pass the exam.

I personally found it easier to do something for a part of the exam that wasn't covered in the course material. This made my way of completing that task much more complicated than it needed to be, but in my eyes my way was more straightforward (I'm putting it down to the lack of sleep). I compared notes with other students via the forum (on a private area, which opens up after passing the exam) and discovered that there was an alternative solution to my complex one, which is covered & taught in the course material.


All the tasks required for the exam are pretty straight forward, you know what to do and can see what you need to do to achieve them, its just a question of being able to do so!

I personally found the higher point tasks (the ones which are seen as "harder" so you need to spend more time on them) much easier than the lower point ones (and these are meant to be simpler)!


I managed to get one of the harder tasks within a matter of hours – which boosted my confidence. However, I then went onto one of the easier ones for which I spent the next 20 odd hours banging my head. The fact it was seen as "easy" was stressing me out even more, which didn't help.

At some stage, I took five hours out to sleep. However before the sun was up, I was at it again. The second night, I didn't try to sleep at all, just powered through it and kept on doing so for the rest of the day. It paid off, because by dawn I had enough points to pass!


Throughout the exam, I gave (and some times forced) myself breaks away from the screen both every few hours and between each task. When I was at the keyboard, I found myself regularly snacking (fruit & nuts – healthy eating and whatnot), and listening to music (big thank you Di.FM!). I didn't get distracted with anything else other than the exam (e.g. no emails, IM and social networks etc). Upon getting stuck, feeling a bit down or informing people of my progress - I would flick to IRC & Skype. Having a couple of people passing on words of encouragement does wonders (big thanks guys). I did bounce a few ideas off people who had already gone through the exam as I found it useful to explain my thoughts out loud to something other than a screen. They didn't say anything other than laughing at me after witnessing my victory dance.


After the time was up and I got kicked off the exam VPN, I had somehow managed to collect enough points to pass – however, it wasn't over just yet, as I still had to complete the exam report. This is the same procedure as PWB and you still have the same amount of time (24 hours) in which to submit it to Offsec.

Using the template from PWB, I did a summary page with step-by-step screenshot instructions (thank you Evernote!) for each task. At the end, I put in some proof that I had actually completed the course material too, as Offsec always suggest putting as much information as possible in your reports for any of their courses.


After submitting the report, it was just a case of waiting three business days to hear the final outcome. On the second day I found a new email from Offsec congratulating me on passing!

Summary

Overall it's hard to compare CTP directly to the PWB course; this is mainly due to PWB being Offsec's "flag ship" course. This is their most well known course and as a result it's had the most time spent on it, so it's been updated more, which has lead to it receiving lots of little interesting improvements. As a result, the high quality of the PWB course has spoiled all the others (not just Offsec courses)!


Not directly comparing it to anything else, it is another quality course from Offsec. The course is well laid out and it's made up of good quality material. It would benefit from having a bit of extra attention along with some of the tricks that they have learnt from developing their other courses. However, I still have learnt a vast amount from taking the course.

Offsec has taken the time to create original material, put it all together in one place and dressed it up nicely with a bow on top. There is also support, both technical, from admins and, social from other students. The cherry on top is you also get a qualification that is recognized worldwide.


The CTP course is more difficult and has more specialized fields than PWB. As a result, it's for people who are really confident in their career path or who are really enthusiastic about self improvement. A lot of people who take PWB are involved in information security as a hobby or are new to the field and want to try their hand at it, whereas CTP is for people who are sure they want to take the next step – which is reflected in the course fees. PWB is more realistic for people who are funding themselves (which is what I did), whereas I was lucky enough for my employer to cover the cost of CTP.

If you're weak in all four areas mentioned above, or generally not confident, then you might be better getting the 60-day option of the course. Otherwise, I would recommend getting 30 days of lab time (and then extend it if required).


Offsec doesn't teach you how to pass an exam, or give you step-by-step for how to-do xyz, instead they show you how to THINK and do things yourself. This teaching style can frustrate some students from time to time. Please be clear about this before embarking on the course. Do not expect to have clear, handholding instructions given to you on a sliver platter.

Advice

To anyone thinking about doing the course

  • If you cheated at fc4.me - this definitely isn't the course for you.
  • If you have been dropping 0days left, right and center – this probably isn't the course for you.
  • If you don't understand the view of any debugger or have NEVER done a thing with assembly (ASM) – this course might not be for you (just yet!).
  • If you haven't done PWB before doing this course - it depends on your own experience and background knowledge (only you can answer that), however I would recommend starting with PWB.
  • If you're not able to learn by yourself – none of Offsec's courses are for you.

To students currently doing the course

  • Use the forums & the IRC channel – You'll find hints and other students who are in the same boat as you. It's a great resource and place to bounce ideas around.
  • Find different methods/tools to do the same thing – it helps to re-enforce & prepares you more for the exam.
  • Do the extra miles – and also some of your own extra homework (for examples, you can see what extra resources I used at the end)
  • If you're stuck – try harder! The frustration and pain is what makes it that much more rewarding at the end!

To students about to do the exam (or currently doing it!)

  • Look at ALL the tasks that are in the exam – even if you believe you're going to fail. Set some time aside and try them all out (you'll do better than you think).
  • Don't spend all your time on certain task(s) – it's easy to get hung up on doing just that one thing. See the comment from before about time management.
  • Take regular breaks – even if you feel like you don't need one. They'll help more than you think. Your brain could thank you by providing you the answer!
  • Get some sleep both before the exam and during it – its 48 hours, after being awake for a certain amount of time, your brain will start to degrade in performance (regardless how much caffeine you consume).
  • If you need some background noise, listen to whatever music you like (I highly recommend di.fm/liquiddnb).

Resources