[amckenna]

Don't know if you have taken it in the last year or so since they updated it, but it's pretty tough. You may be able to use a public exploit to elevate your shell once on a box, but getting code execution was the difficult part. One of the challenges involved fuzzing, writing custom buffer overflow exploits, and dealing with weird stack pivots. That only got me about 20% of the way to passing the test. All in 24hrs. My girlfriend was taking the GPEN at the same time. While I was banging my head against a debugger she was making flash cards. I think that highlighted the difference between the certs.

[tptacek]

Describe the overflow exploit you wrote. What was the vulnerability, and what did the exploit look like?

[amckenna]

Unfortunately I can't get into too much detail because I had to sign an NDA (to prevent cheating). But the process was similar to when I have found them in the wild: identify the app, install it locally, fuzz various parameters (it was a real application, albeit an old one), find the crash, figure out stack space, figure out bad characters, find the right JMP ESP or equivalent instructions in a loaded library, write shell-code, encode shell-code, slap it all together, hope your hex math doesn't suck, run the exploit. No DEP, ASLR bypass, SEH manipulation, use after free, or heap related work - I learned that on my own.

Their web app challenges were fun too. LFI to code execution, SQL injection, things like that. They have a bunch of network related recon, standard red-teaming stuff.

The OSCE involves ASLR bypass, AV bypass, and using egg hunters.

The big thing about the OSCP, OSCE, OSEE certs is that you actually have to _do_ all of the stuff they teach you. Not a multiple choice or written question in sight. For the test they drop you in a network with vulnerable machines and you have 24, 48, and 72 hours (depending on the cert) to get code execution on each through various techniques. It was challenging, interesting, and satisfying.

Edit - it's worth mentioning that I still find vanilla buffer overflows on projects. These days most thick-client applications that I see are old as hell and are still vulnerable to exploitation techniques from decades ago. So while the skills that the cert makes you prove are cursory and introductory, they are still useful. In any case it's a good starting place for those that want to learn stuff on their own but do better when they are given the push to prove it.

[q3k]

This sounds like a 100-150 points (== entry-level) CTF challenge.

[tptacek]

In what way did the exploit they had you write differ from the kind we wrote in 1997?

[alltakendamned]

It doesn't. The OSCE targets are Vista and 2K3 Server.

That being said, the nice thing about OSCP imo is that it gives you some structure and a well set up environment to play in. I think OSCP is a great entry-level certificate and serves as a good filter to interview junior candidates.

Does this help at a more elite level, nope, but that's also not the purpose of it.

[lawnchair_larry]

mona.py does that entire exploit in 1 command. It won't work against any supported version of Windows.