Hunting eggs and 0-days…

What follows is my brief review of the “Cracking the Perimeter” course and the associated OSCE challenge. You can find my reviews of the OSWP and OSCP challenges at the following locations:

“The will, the Wifu, and the paper” – OSWP
“A splash of Pain, a dash of Sufference, and bucket load of Humble.” – OSCP

Right.. with that out of the way, let’s get started.


Here’s the “too long; didn’t read” version….

Harden up.. challenge yourself… and quit sucking on that OSCP pacifier. Prepare to learn more in-depth penetration testing techniques from a challenging and relevant course, and buckle in for the brain frying exam at the end. Try Harder!

Ok.. with the short version out of the way, here’s my more detailed review.

Getting Started

Offensive Security’s Cracking the Perimeter (CTP) is another self-paced course, with a number options for the amount of lab time you would like to purchase. At the time of writing this review, there were two initial course options, a 30 day and a 60 day option, with lab access, course material and an exam attempt included. Should you require it, there are options to purchase further lab time and to also purchase an exam retake.

Am I ready?

Before signing up for the course, I recommend you ask yourself whether you are truly ready for the course. Whilst the course is hard work, it shouldn’t be a tooth pulling experience; it should be enjoyable. I would recommend that you have good foundation skills in the following areas:

– Python (or similar) and general shell scripting
– Basic assembly (x86) and shellcoding ability. E.g. solid understanding of basic or vanilla EIP buffer overflows
– The ability to research/learn beyond the course material
– Entry level web application hacking skills (think general XSS)
– A general understanding of networking

Signing up

Unlike the WiFu and PWK courses, you can not just simply sign up and pay your respective fees to get started. For this course, you need to show that you possess at-least a very basic capability to take the course. Enter stage left, the challenge.

DO NOT CHEAT. I can not stress this enough. Cheating doesn’t get you anywhere, especially in the OSCE course, so make sure you don’t google for the answers for this challenge. Solve it yourself. The challenge is a great foundation for the type of learning you will require to successfully complete the CTP course and the subsequent OSCE challenge. Personally, once I solved the challenge manually, I pushed myself to write a python script which would perform the entire process automagically for me… which was as rewarding, if not more rewarding, then simply solving the challenge manually.

Course Material

As with all Offensive Security courses, CTP is completely hands on. The lab guide is roughly 140+ pages, and the video material is well put together, with step by step instructions which are clear and direct. I noticed that there was slightly different material between the lab guide and the videos, so make sure you read and watch both carefully. All of the pages of the guide are watermarked with your student ID and name, and the videos are also watermarked with the same, as well as your personal contact details.

Make sure you backup your videos and course material as there is an associated fee should you need to re-obtain the material.

The Lab

First off… the OSCP and OSCE are very different beasts, and as such, the labs are world apart. If you are expecting another 50+ boxen to play with like in the OSCP, you won’t find them here. The OSCE lab is very specific to the course material; a sandpit for you to replicate the course exploits, and an arena for you to test your own nasty creations. The OSCE lab may have less toys compared to the OSCP lab, but it has better grown-up toys.

The machines in the lab have everything you will need to get through the learning objectives, which are:

– The Web Application angle
– The backdoor angle
– Advanced Exploitation Techniques
– The 0Day angle
– The Networking angle

I highly recommend that not only do you use the lab whilst following the course-ware bouncing ball, but you also use the lab to try different techniques in order to further develop your skills. If you have the capacity to do so, purchase some extra time and stretch your exploit imagination beyond the standard techniques.

Further learning

If you only know that which is presented in the course material, you will not pass the exam. Sounds harsh? Take it or leave it. While the OSCP was all about enumeration, the OSCE is all about pushing yourself. The course material is excellent, but there is an expectation that you will perform further research and learning outside of just the course material alone.

My method of learning during the course was as follows:

– Watch all the videos in a row. This was just to build the excitement and start to put my mind into the right space.
– Print out the lab guide and read/watch [videos] at the same time.
– Pause every now and then, and replicate what I was learning on the lab machines.
– Once I had completed all videos and lab guide material, I then went back to each module and tried to not only replicate the associated exploits, but also to change and add to the exploits.

I reached the end of the ‘hand-held’ aspect of the course with a good idea of areas which I needed to learn more about. Researching these weaker areas inadvertently lead to me wanting to know more… a bit like when Neo learnt kung-fu in the Matrix and wanted to learn more….

Two particular resources for further learning really stood out for me:

Corelan’s Exploit Writing Tutorials Parts 1-9
Fuzzysec’s Windows Exploit Development Tutorial Series

These two resources compliment the CTP materials perfectly and I highly recommend that you get to know the material very well.

And finally, try to exploit the vulnerabilities in various ways. Don’t just complete the exploit technique which is shown in the course-ware. Think outside the box and learn some crafty new techniques which you will use in real life. You will also need this capability in the exam.

The Exam

Just like my review of the OSCP, the most important bit of advice is to have fun! Yes it’s going to be challenging, and yes you’re going to be nervous, but if you don’t have fun you’ll never get the most out of the experience.

In order to achieve the OSCE certification, you will need to sit and pass a 48 hour exam. Yep… it seems that putting people through a 24 hour exam for the OSCP was not enough for the offsec guys, and they are now after their pound of flesh this time around. The time allocated for you to complete the exam is a single continuous 48 hour period, which once again will examine your penetration testing skills, as well as your time management ability.

There are a number of hosts which you need to exploit, with each host being allocated a set number of points for ownership. You must achieve a minimum number of points in order to pass the challenge. A quick note here… don’t be fooled into thinking the lower point boxes are easier than the higher point boxes. This is far from true; for me the points reflect the amount of time required to complete the challenge rather than the difficulty rating.

As with my advice about the OSCP, take it easy… relax, eat, breath, and rest. Prepare some wholesome meals prior to the exam, and make sure you have a steady flow of caffeine available. Take your time and ensure you have a break every now and then. I would advise that you work hard for a few hours, and then take a good break away from your computer. Go for a walk around the block or some other type of activity and give yourself a breather. More often than not this break will freshen your mind and give you clarity just when you need it.

There is no doubt that during the exam you will feel like Robin:

Do not give in! Take batman’s advice and Try Harder! You will get through the exam if you stay positive.

The End

As with other Offensive Security courses, the CTP course is well put together, the information is well taught, and the formula of self-paced learning coupled with real people willing to answer your questions and help is a great combination. Offensive Security have created very different courses to other vendors, and the recipe ‘just works’. I would strongly recommend the CTP course to anyone that wants to take their knowledge up a few notches and has a genuine interest in advanced exploitation techniques.

To my wife and kids…….. thank you so much!. Again you have all been my rock, and without your support I would have never gotten through this challenge. Thank you for being so patient and understanding. I love you.

Dear Mark,

We are happy to inform you that you have successfully completed the Cracking the Perimeter certification exam and have obtained your Offensive Security Certified Expert (OSCE) certification.


Here are some common questions, in no particular order, which I have been asked, and my own answers to the same. Feel free to ask me any other questions you may have and I will happily answer them and respond accordingly.

Isn’t the course material dated?

I have had this question thrown at me so many times. Whilst the software/services in use were a little dated, the process to exploit the vulnerabilities is very relevant today, and I believe will be very relevant in many years to come.

I am not a programmer. Do I need to know how to write code?

Yes. You will need to be comfortable with Python, shell scripting, and debugging ASM. There are plenty of great free resources on the interwebs to help you with this.

How do I know when I’m ready to take the exam?

If you know all the material in the lab guide, and you have taken a look at further learning such as Corelan’s or Fuzzysec’s tutorials, then you should be ready to sit the exam.

Can you help me pwn osce’z???

No. Don’t be a dick.

In one word, what was the exam like?


How long did it take you to finish the exam?

Every one is different.. some people may need all 48 hours, some may not. At the end it doesn’t matter.

Can you share your notes or reports?


Should I use the provided VM or use my own distro?

If you want it to ‘just work’, then I’d recommend using the VM provided by Offensive Security. There are a few oddities during the course which require you use the provided VM.

What’s next now that you have your OSCE, OSCP, and OSWP?

I would love to Try Harder and do the OSEE, however it’s not available online yet. I’m probably going to take a break and write a sequel to my vulnhub necromancer challenge, hunt for some 0-days, and chill out with some CTF challenges.

One Comment

  1. Wen Bin wrote:

    Hey there, good article, nice review! Good luck on your 0-days hunting! :)