PWK/OSCP and CTP/OSCE – A review and comparison

2019-04-22 21:59 Ian Budd

Introduction

Greetings, although I am widely known as sabretooth in the hackchallenge community, I adopted the nick Dyntra for Offensive Security and many know me by this name. Feel free to say hi on either irc.wechall.net (#revolutionelite #wechall) or chat.freenode.net (#offsec)

OSCP

It has been a few years since I passed Offensive Security’s OSCP certification.

As well as the excellent training manual and videos, there is a huge, sprawling lab network comprising various subnets, firewalls and over 50 unique systems to be scanned, infiltrated and explored; however, time is tight, as lab access is purchased in blocks of 30, 60 or 90 days.

The difficulty of the systems varies greatly, with some requiring nothing more than a simple unmodified exploit found via exploit-db, and others requiring some out-of-the-box thinking, working through misconfigurations and other security faux pas which may not be immediately apparent.

Having said this, I was able to root every lab system within my initial lab access without needing to extend. A few hosts are very well known amongst Offsec students, the ‘big three’ being Pain, Sufferance and Humble. Admittedly, Humble lived up to its name and provided me with quite a challenge. The other two, unfortunately, not so much. (I had much more of an issue with certain other systems in the lab which do not have the reputation.)

With the lab out of the way, the highlight and conclusion of the course is the exam: 24 hours to hack a certain number of systems. Interestingly, I was able to knock out all of the systems in around 12 hours (100 of 100 points, 70 being the pass mark); however, to save time on reporting I only documented those I needed to pass. In hindsight this could have proved a stupid move had there been an issue with the documentation I had to provide. Thankfully this was not the case, and 3 days later I received the result of my pass. A great ride and a very interesting course.

OSCE

I passed OSCE around a week ago (9th April 2019) and should state that the CTP course is very different from PWK. Whereas in PWK/OSCP we were given a huge lab network with dozens of systems to crack, here we are given access to just a handful of systems (they can literally be counted on the fingers of one hand). This is mainly because the course is based around exploit development (which was briefly touched upon in PWK in its most vanilla form) and extends the skills learned in PWK in the following areas:

  • Web application hacking
  • PE backdooring
  • Antivirus bypass
  • Fuzzing
  • ASLR bypass
  • SEH overwrites
  • Egghunters
  • Writing encoders
  • Shellcoding (at a basic level)
  • GRE tunnelling

Being primarily a webapp pentester, I largely ignored the web application sections of the course, giving them just a single run-through. Everything else I invested a lot of time studying even before the course started (thanks to https://tulpa-security.com/2017/07/18/288/) and found that, as expected, repetition and practice are the keys to understanding.

The course was over in just a few days (it really is that short), so I decided to go through it again using a different OS, and then again, automating everything I came across. This is where the challenge set in. Something that took 3 hours to do manually now took 2 days to code, but once it was done it spat out the required results (and methodology; remember what the teachers always say: it’s not a valid result unless you can show your working) within seconds.

Having gotten everything out of the course which I could and still having a chunk of labtime remaining, I started downloading applications from exploit-db and writing exploits from scratch including fuzzing for the initial vulnerabilities.

Finally the exam was scheduled, and it seemed that Offsec had done a great job of screwing up the course examples just enough that they were recognisable, but following the steps exactly as done previously would never work. This required some out-of-the-box thinking in most areas, and after about 30 hours (of 48) I had achieved 90 of 90 points (75 being the pass mark). It was then that I messed up my report, probably due to tiredness, and sent it off. Thankfully Offsec overlooked my mistake (or deducted a few points; I had 15 to spare) and sent me an email around 4 days later saying that I had passed.

Many people say the OSCE is outdated, and I would partially agree. Virus scanners no longer work solely with signatures. Fuzzing is a much deeper topic than presented… BUT these skills are a necessity to progress further. Just as PWK provided the knowledge for a vanilla buffer overflow, CTP built upon this and provided us with egghunters, island hopping and SEH overwrites. I personally like to think of PWK/OSCP and CTP/OSCE as part of a chain which concludes with AWE/OSEE (Advanced Windows Exploitation), which unfortunately is a live-only course at this time and cannot be completed online.

I would recommend PWK/OSCP without a doubt to anyone looking to enter the security field. CTP/OSCE gets a smaller, more reserved recommendation for those wanting to learn about exploit development, but don’t expect anything groundbreaking or cutting edge in either of these courses. They are merely stepping stones on the path to greater understanding.