OSCE PREP

August 21, 2020 · View on GitHub

This repository contains a list of freely available resources that can be used as a pre-requisite before enrolling in Offensive Security's Cracking the Perimeter (CTP) course and OSCE certification.

The following table shows notes, courses, challenges, and tutorials that can taken in preparation for the OSCE. It should be noted that the content within multiple sources do overlap each other so not all of these resources are needed.

Web Application Security

Order	Name	Type	Link
1	PayloadsAllTheThings Directory Traversal CheatSheet	CheatSheet	https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Directory%20Traversal
2	PayloadsAllTheThings XSS CheatSheet	CheatSheet	https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20Injection
3	XSS Payloads	Payloads	http://www.xss-payloads.com/
4	XSS to Domain Admin	Webinar	https://www.elearnsecurity.com/resources/webinar_video/xss-to-domain-admin/
5	LFI to RCE Exploit with Perl Script	Paper	https://www.exploit-db.com/papers/12992
6	Using XSS to bypass CSRF protection	Paper	https://www.exploit-db.com/docs/13534
7	Local File Inclusion (LFI)	Paper	https://www.exploit-db.com/docs/english/40992-web-app-penetration-testing---local-file-inclusion-(lfi).pdf

Anti Detection

Order	Name	Type	Link
1	Backdooring PE Files - Part 1	Blog	http://sector876.blogspot.co.uk/2013/03/backdooring-pe-files-part-1.html
2	Backdooring PE Files - Part 2	Blog	http://sector876.blogspot.co.uk/2013/03/backdooring-pe-files-part-2.html
3	Backdooring Windows EXEs for Fun and Profit	Blog	http://ly0n.me/2015/07/09/backdooring-windows-exes-for-fun-and-profit-part-1/
4	Art of Anti Detection – 1	Paper	https://www.exploit-db.com/docs/40900.pdf
5	Art of Anti Detection – 2	Paper	https://www.exploit-db.com/docs/41129.pdf
6	Art of Anti Detection – 2	Paper	https://www.exploit-db.com/docs/41129.pdf
7	Art of Anti Detection – 1 Blog	Blog	https://pentest.blog/art-of-anti-detection-1-introduction-to-av-detection-techniques/
8	Art of Anti Detection – 2 Blog	Blog	https://pentest.blog/art-of-anti-detection-2-pe-backdoor-manufacturing/
9	Art of Anti Detection – 3 Blog	Blog	https://pentest.blog/art-of-anti-detection-3-shellcode-alchemy/
10	Art of Anti Detection – 4 Blog	Blog	https://pentest.blog/art-of-anti-detection-4-self-defense/

Assembly Language

Order	Name	Type	Link
1	Skullsecurity Assembly Language Wiki	Blog	https://wiki.skullsecurity.org/index.php?title=Assembly
2	Sensepost A Crash Course in x86 Assembly for Reverse Engineers	Paper	https://sensepost.com/blogstatic/2014/01/SensePost_crash_course_in_x86_assembly-.pdf
3	SecurityTube Windows Assembly Language Megaprimer	Videos	http://www.securitytube.net/groups?operation=view&groupId=6

Fuzzing

Order	Name	Type	Link
1	Introduction to Network Protocol Fuzzing & Buffer Overflow Exploitation	Blog	https://blog.own.sh/introduction-to-network-protocol-fuzzing-buffer-overflow-exploitation/
2	HowTo: ExploitDev Fuzzing	Blog	https://hansesecure.de/2018/03/howto-exploitdev-fuzzing/
3	[VulnServer] Exploiting TRUN Command via Vanilla EIP Overwrite	Blog	https://captmeelo.com/exploitdev/osceprep/2018/06/27/vulnserver-trun.html
4	CTP/OSCE Prep – Boofuzzing Vulnserver for EIP Overwrite	Blog	https://h0mbre.github.io/Boofuzz_to_EIP_Overwrite/#
5	Boofuzz – A helpful guide (OSCE – CTP)	Blog	https://zeroaptitude.com/zerodetail/fuzzing-with-boofuzz/

Exploit Development

Order	Name	Type	Link
1	DEFCON 16: BackTrack Foo - From bug to 0day	Presentation	https://www.youtube.com/watch?v=gHISpAZiAm0
2	Corelan Exploit Writing Tutorial part 1: Stack Based Overflows	Blog	http://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/
3	Corelan Exploit Writing Tutorial part 2: Stack Based Overflows	Blog	http://www.corelan.be/index.php/2009/07/23/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-2/
4	Corelan Exploit Writing Tutorial part 3: SEH Based Exploits	Blog	http://www.corelan.be/index.php/2009/07/25/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-3-seh/
5	Corelan Exploit Writing Tutorial part 3b: SEH Based Exploits	Blog	http://www.corelan.be/index.php/2009/07/28/seh-based-exploit-writing-tutorial-continued-just-another-example-part-3b/
6	Corelan Exploit Writing Tutorial part 4: From Exploit to Metasploit	Blog	http://www.corelan.be/index.php/2009/08/12/exploit-writing-tutorials-part-4-from-exploit-to-metasploit-the-basics/
7	Corelan Exploit Writing Tutorial part 5: How debugger modules & plugins can speed up basic exploit development	Blog	http://www.corelan.be/index.php/2009/09/05/exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-basic-exploit-development/
8	Corelan Exploit Writing Tutorial part 6: Bypassing Stack Cookies, SafeSeh, SEHOP, HW DEP and ASLR	Blog	http://www.corelan.be/index.php/2009/09/21/exploit-writing-tutorial-part-6-bypassing-stack-cookies-safeseh-hw-dep-and-aslr/
9	Corelan Exploit Writing Tutorial part 7: Unicode from 0x00410041 to calc	Blog	http://www.corelan.be/index.php/2009/11/06/exploit-writing-tutorial-part-7-unicode-from-0x00410041-to-calc/
10	Corelan Exploit Writing Tutorial part 8: Win32 Egg Hunting	Blog	http://www.corelan.be/index.php/2010/01/09/exploit-writing-tutorial-part-8-win32-egg-hunting/
11	Corelan Exploit Writing Tutorial part 9: Introduction to Win32 shellcoding	Blog	http://www.corelan.be/index.php/2010/02/25/exploit-writing-tutorial-part-9-introduction-to-win32-shellcoding/
12	Mona py : The Exploit Writer's Swiss Army Knife	Presentation	https://www.youtube.com/watch?v=y2zrEAwmdws
13	Eliminating the bad characters in your Exploit	Presentation	https://www.youtube.com/watch?v=IOjl3tU1Ht8
14	Understanding Windows Shellcode	Paper	http://www.hick.org/code/skape/papers/win32-shellcode.pdf
15	Safely Searching Process Virtual Address Space	Paper	http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf

Practical

Order	Name	Type	Link
1	Vulnserver	Lab	https://github.com/stephenbradshaw/vulnserver
2	Fuzzysecurity Part 1: Introduction to Exploit Development	Tutorial	http://www.fuzzysecurity.com/tutorials/expDev/1.html
3	Fuzzysecurity Part 2: Saved Return Pointer Overflows	Tutorial	http://www.fuzzysecurity.com/tutorials/expDev/2.html
4	Fuzzysecurity Part 3: Part 3: Structured Exception Handler (SEH)	Tutorial	http://www.fuzzysecurity.com/tutorials/expDev/3.html
5	Fuzzysecurity Part 4: Egg Hunters	Tutorial	http://www.fuzzysecurity.com/tutorials/expDev/4.html
6	Fuzzysecurity Part 5: Unicode 0x00410041	Tutorial	http://www.fuzzysecurity.com/tutorials/expDev/5.html
7	Fuzzysecurity Part Part 6: Writing W32 shellcode	Tutorial	http://www.fuzzysecurity.com/tutorials/expDev/6.html
8	SecuritySift Windows Exploit Development – Part 1: The Basics	Tutorial	https://www.securitysift.com/windows-exploit-development-part-1-basics/
9	SecuritySift Windows Exploit Development – Part 2: StackOverflow	Tutorial	https://www.securitysift.com/windows-exploit-development-part-2-intro-stack-overflow/
10	SecuritySift Windows Exploit Development – Part 3: Changing Offsets and Rebased Modules	Tutorial	https://www.securitysift.com/windows-exploit-development-part-3-changing-offsets-and-rebased-modules/
11	SecuritySift Windows Exploit Development – Part 4: Locating Shellcode Jumps)	Tutorial	https://www.securitysift.com/windows-exploit-development-part-4-locating-shellcode-jumps/
12	SecuritySift Windows Exploit Development – Part 5: Locating Shellcode Egghunting	Tutorial	https://www.securitysift.com/windows-exploit-development-part-5-locating-shellcode-egghunting/
13	SecuritySift Windows Exploit Development – Part 6: SHE Exploits	Tutorial	https://www.securitysift.com/windows-exploit-development-part-6-seh-exploits/
14	SecuritySift Windows Exploit Development – Part 7: Unicode Buffer Overflows	Tutorial	https://www.securitysift.com/windows-exploit-development-part-7-unicode-buffer-overflows/

Network Security

Order	Name	Type	Link
1	Cisco SNMP configuration attack with a GRE tunnel	Blog	https://www.symantec.com/connect/articles/cisco-snmp-configuration-attack-gre-tunnel
2	Bypassing Cisco SNMP access lists using Spoofed SNMP Requests	Blog	http://new.remote-exploit.org/index.php/SNMP_Spoof
3	Bypassing Router’s Access Control List (ACL)	Blog	https://securityshards.wordpress.com/2016/02/05/bypassing-routers-access-control-list-acl/

Misc/Extra

Order	Name	Type	Link
1	Mona.py The Manual	Cheatsheet	https://www.corelan.be/index.php/2011/07/14/mona-py-the-manual/r
2	Windows Reverse Shell Shellcode I	log	http://sh3llc0d3r.com/windows-reverse-shell-shellcode-i/
3	hellcoding for Linux and Windows Tutorial	Blog	http://www.vividmachines.com/shellcode/shellcode.html#ws
4	peCloak.py – An Experiment in AV Evasion	Tool	https://www.securitysift.com/pecloak-py-an-experiment-in-av-evasion/
5	EggSandwich – An Egghunter with Integrity	Tool	https://www.securitysift.com/eggsandwich-egghunter-integrity/
6	Live Demo from Backtrack to the MAX 1/5	Tool	https://www.youtube.com/watch?v=kwq5VQj3Ils
7	Live Demo from Backtrack to the MAX 2/5	Tool	https://www.youtube.com/watch?v=ykfHy2lX88c
8	Live Demo from Backtrack to the MAX 3/5	Tool	https://www.youtube.com/watch?v=IWf7UM7qX0M
9	Live Demo from Backtrack to the MAX 4/5	Tool	https://www.youtube.com/watch?v=azepnwdVfyU
10	Live Demo from Backtrack to the MAX 5/5	Tool	https://www.youtube.com/watch?v=6gmAoW1mtYg
11	CTP/OSCE Scripts	Repository	https://github.com/h0mbre/CTP-OSCE
12	OSCE-exam-practice	Repository	https://github.com/epi052/OSCE-exam-practice
13	Vulnserver: Fuzzing and Exploits	Repository	https://github.com/ricardojoserf/vulnserver-exploits