CTP/OSCE Prep – Wrapping Up Our Prep

CTP/OSCE Prep Conclusion

At this point we have touched on all of the topics I wanted to cover before my exam. We covered:

• alphanumeric shellcoding,
• egghunters,
• SEH overwrites,
• partial overwrites,
• stuffing shellcode into memory separate from crash payload, and
• fuzzing.

For completeness, I’m going to include all of the references I found useful and also some resources for some topics we didn’t cover such as:

• backdooring PEs,
• bypassing AV, and
• socket reuse.

Hopefully this series is helpful to a CTP/OSCE student some day! It’s now exam-prep crunch time so I will be relatively quiet. Looking forward to posting a review for the course after I’m finished and continuing down the exploit dev path for the forseeable future. Thanks for reading along!

Concepts

SEH Overwrite Resources

• My First SEH Overwrite
• Corelan SEH Materials
• Infosec Institute SEH tutorial
• sh3llc0d3r’s GMON SEH Overwrite Walkthrough
• Doylersec’s LTER SEH Overwrite Walkthrough
• Capt Meelo’s GMON SEH Overwrite Walkthrough
• Muts’ 2004 Exploit
• Dimitrios Kalemis POP POP RET Explainer

Egghunter Resources

• My SLAE Egghunter Assignment
• Skape’s Egghunter Explainer
• Fuzzy Security Egghunter Tutorial
• Corelan Win32 Egghunting Guide
• Vulnserver: GMON Egghunter with Char Restrictions

Fuzzing Resources

• ZeroAptitude Intro to Boofuzz
• Boofuzz
• Boo-Gen
• Vulnserver: Boofuzz to TRUN EIP Overwrite
• Using Boo-Gen to Fuzz Xitami Webserver

Alphanumeric Encoding Resources

• Vulnserver: A Noob’s Approach to Alphanumeric Shellcode (LTER)
• Vulnserver: Alphanumeric Shellcode Exploit for LTER v2.0
• OffSec Alphanumeric Shellcode
• Doyler LTER SEH Overwrite Part 1
• Doyler LTER SEH Overwrite Part 2
• VelloSec Carving Shellcode
• Slink by @ihack4falafel
• Z3ncoder

Hex Encoded Characters

• Vulnserver: HTER EIP Overwrite with Hex Encoded Payload

Net Jumping

• OJ Reeves Net Jumping Tutorial
• JMP Opcode Explainer by Unixwiz

Partial Overwrites/Application Memory

• Xitami Webserver 2.5

Backdooring PEs/Bypassing AV

• Backdooring PE File by Adding New Section Header by Capt Meelo
• Backdooring PE File w/ User Interaction & Custom Encoder Using Existing Code Cave by Capt Meelo

Socket Reuse

• Vulnserver KSTET Exploit by Rastating
• Vulnserver KSTET Exploit by Deceptive Security

ExploitDB Recreations

• Easy File Sharing Web Server 7.2
• Xitami Webserver 2.5

Tools/Scripts/Misc

Exploit Skeletons

• Exploit Skeleton Repo by HanseSecure

Tools

• Offset Helper Script
• Boo-Gen (Boofuzz Script Generator)
• Slink Add/Sub Encoder for Alphanumeric Shellcode
• Z3ncoder Sub Encoder for Alphanumeric Shellcode

Vulnserver

• Vulnserver

Prep Guides

• Tulpa’s OSCE Prep Guide
• Abatchy’s OSCE Study Guide

Thanks!!!

Huge thanks to everyone who published/publishes all of this amazing free content on entry-level exploit dev topics. I would be lost without all of your hard work. I truly appreciate it!