Unfortunately I can't get into too much detail because I had to sign an NDA (to prevent cheating). But the process was similar to when I have found them in the wild: identify the app, install it locally, fuzz various parameters (it was a real application, albeit an old one), find the crash, figure out stack space, figure out bad characters, find the right JMP ESP or equivalent instructions in a loaded library, write shellcode, encode shellcode, slap it all together, hope your hex math doesn't suck, run the exploit. No DEP, ASLR bypass, SEH manipulation, use-after-free, or heap-related work - I learned that on my own. Their web app challenges were fun too. LFI to code execution, SQL injection, things like that. They have a bunch of network-related recon, standard red-teaming stuff. The OSCE involves ASLR bypass, AV bypass, and using egg hunters. The big thing about the OSCP, OSCE, OSEE certs is that you actually have to _do_ all of the stuff they teach you. Not a multiple-choice or written question in sight. For the test they drop you in a network with vulnerable machines and you have 24, 48, and 72 hours (depending on the cert) to get code execution on each through various techniques. It was challenging, interesting, and satisfying.

Edit - it's worth mentioning that I still find vanilla buffer overflows on projects. These days most thick-client applications that I see are old as hell and are still vulnerable to exploitation techniques from decades ago. So while the skills that the cert makes you prove are cursory and introductory, they are still useful. In any case it's a good starting place for those who want to learn stuff on their own but do better when they are given the push to prove it.