/Journey_to_OSCE

A curated collection of resources that may be beneficial for anyone pursuing the OSCE.

The Journey to OSCE

This repository contains a list of free or inexpensive resources that can be used as preparation for Offensive Security's Cracking the Perimeter (CTP) course and OSCE certification.

The following table shows notes, courses, challenges, and tutorials that can be used in preparation for the OSCE. It should be noted that the content within multiple sources do overlap each other so not all of these resources are needed.

The code located herein is associated with the various tutorials listed.

Sam Sanoop started this list and I noticed that there is more to be done!

Debugging

Name Type Link
[Pentester Academy] (SecurityTube) GNU Debugger Megaprimer Video Series https://www.pentesteracademy.com/course?id=4
[InfoSec Institude] Exploit Dev Debugging Fundamentals Blog https://resources.infosecinstitute.com/debugging-fundamentals-for-exploit-development/
WinDBG Commands Cheatsheet https://briolidz.wordpress.com/2013/11/17/windbg-some-debugging-commands/
[Corelan] Exploit Writing Tutorial part 5: How debugger modules & plugins can speed up basic exploit development Blog http://www.corelan.be/index.php/2009/09/05/exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-basic-exploit-development/
[Corelan] Mona.py The Manual Cheatsheet https://www.corelan.be/index.php/2011/07/14/mona-py-the-manual/r
Mona py : The Exploit Writer's Swiss Army Knife Presentation https://www.youtube.com/watch?v=y2zrEAwmdws

Web Application Security

Name Type Link
PayloadsAllTheThings Directory Traversal CheatSheet CheatSheet https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Directory%20Traversal
PayloadsAllTheThings XSS CheatSheet CheatSheet https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20Injection
XSS Payloads Payloads http://www.xss-payloads.com/
[eLearnSecurity] XSS to Domain Admin Webinar https://www.elearnsecurity.com/resources/webinar_video/xss-to-domain-admin/
Advanced XSS Knolwedge Paper https://www.exploit-db.com/papers/13646
LFI to RCE Exploit with Perl Script Paper https://www.exploit-db.com/papers/12992
Using XSS to bypass CSRF protection Paper https://www.exploit-db.com/docs/13534
Local File Inclusion (LFI) Paper https://www.exploit-db.com/docs/english/40992-web-app-penetration-testing---local-file-inclusion-(lfi).pdf
Local File Inclusion Blog https://medium.com/bugbountywriteup/cvv-1-local-file-inclusion-ebc48e0e479a
Web Application Hacker's Handbook Book https://www.amazon.com/Web-Application-Hackers-Handbook-Exploiting/dp/1118026470/ref=sr_1_1?crid=TR4RN22XANB0&dchild=1&keywords=web+app+hackers+handbook&qid=1595526654&sprefix=web+app+hackers%2Caps%2C294&sr=8-1

AV Bypass / Evasion

Name Type Link
Art of Anti Detection #1 - Intro to AV & Detection Techniques Paper http://web.archive.org/web/20161213055552/https://www.exploit-db.com/docs/40900.pdf
Art of Anti Detection #1 - Intro to AV & Detection Techniques Blog https://pentest.blog/art-of-anti-detection-1-introduction-to-av-detection-techniques/
Bypassing AV Scanners Paper https://dl.packetstormsecurity.net/papers/bypass/bypassing-av.pdf
[SecuritySift] peCloak.py - An Experiment in AV Evasion Blog https://www.securitysift.com/pecloak-py-an-experiment-in-av-evasion/

Backdooring PEs

Name Type Link
Portable Executable File Format Blog https://blog.kowalczyk.info/articles/pefileformat.html
Understanding PE Structure, The Layman's Way Blog https://tech-zealots.com/malware-analysis/pe-portable-executable-structure-malware-analysis-part-2/
Backdooring PE Files - Part 1 Blog http://sector876.blogspot.co.uk/2013/03/backdooring-pe-files-part-1.html
Backdooring PE Files - Part 2 Blog http://sector876.blogspot.co.uk/2013/03/backdooring-pe-files-part-2.html
Beginner's Guide to Codecaves Blog https://www.codeproject.com/Articles/20240/The-Beginners-Guide-to-Codecaves
Backdooring Windows EXEs for Fun and Profit Blog http://ly0n.me/2015/07/09/backdooring-windows-exes-for-fun-and-profit-part-1/
Art of Anti Detection #2 - PE Backdoor Manufacturing Paper http://web.archive.org/web/20170401142227/https://www.exploit-db.com/docs/41129.pdf
Art of Anti Detection #2 - PE Backdoor Manufacturing Blog https://pentest.blog/art-of-anti-detection-2-pe-backdoor-manufacturing/

Assembly Language & Shellcode

Name Type Link
[Pentester Academy] x86 Assembly Language and Shellcoding on Linux (SLAE) Course https://www.pentesteracademy.com/course?id=3
X86 Assembly Guide Paper https://www.cs.virginia.edu/~evans/cs216/guides/x86.html
NASM Tutorial Tutorial https://cs.lmu.edu/~ray/notes/nasmtutorial/
Art of Anti Detection #3 Shellcode Alchemy Blog https://pentest.blog/art-of-anti-detection-3-shellcode-alchemy/
[Skullsecurity] Assembly Language Wiki Blog https://wiki.skullsecurity.org/index.php?title=Assembly
[Sensepost] A Crash Course in x86 Assembly for Reverse Engineers Paper https://sensepost.com/blogstatic/2014/01/SensePost_crash_course_in_x86_assembly-.pdf
[Skape] Understanding Windows Shellcode Paper http://www.hick.org/code/skape/papers/win32-shellcode.pdf
[Corelan] Intro to Win32 Shellcoding Tutorial https://www.corelan.be/index.php/2010/02/25/exploit-writing-tutorial-part-9-introduction-to-win32-shellcoding/
[FuzzySec] Writing Win32 Shellcode Tutorial http://fuzzysecurity.com/tutorials/expDev/6.html
Basics of Windows Shellcode Writing Tutorial https://idafchev.github.io/exploit/2017/09/26/writing_windows_shellcode.html
Create Custom Shellcode Using the System() Function Tutorial http://www.gosecure.it/blog/art/452/sec/create-a-custom-shellcode-using-system-function/
Windows Reverse Shell Shellcode Tutorial http://sh3llc0d3r.com/windows-reverse-shell-shellcode-i/
Shellcode: x86 Optimizations Tutorial https://modexp.wordpress.com/2017/06/07/x86-trix-one/
Shellcoding for Linux and Windows Tutorial http://www.vividmachines.com/shellcode/shellcode.html
x86 Instruction Set Reference Reference https://c9x.me/x86/
x86 Opcode and Instruction Reference Reference http://ref.x86asm.net/coder32.html
The Shellcoder's Handbook Book https://www.amazon.com/Shellcoders-Handbook-Discovering-Exploiting-Security/dp/047008023X/ref=sr_1_2?crid=39CY4217DENQG&dchild=1&keywords=shellcoders+handbook&qid=1595526424&sprefix=shellcod%2Caps%2C284&sr=8-2
[Sam Bowne] Exploit Development (College Course using The Shellcoder's Handbook) Course https://samsclass.info/127/127_S17.shtml

Fuzzing

Name Type Link
[InfoSec Institute] Intro to Fuzzing Tutorial https://resources.infosecinstitute.com/intro-to-fuzzing/
[InfoSec Institute] Fuzzer Automation with Spike Tutorial http://resources.infosecinstitute.com/fuzzer-automation-with-spike/
Introduction to Network Protocol Fuzzing & Buffer Overflow Exploitation Blog https://blog.own.sh/introduction-to-network-protocol-fuzzing-buffer-overflow-exploitation/
Very Unofficial Dummies Guide to Scapy Tutorial https://theitgeekchronicles.files.wordpress.com/2012/05/scapyguide1.pdf
HowTo: ExploitDev Fuzzing Blog https://hansesecure.de/2018/03/howto-exploitdev-fuzzing/
[Vulnserver] Exploiting TRUN Command via Vanilla EIP Overwrite Blog https://captmeelo.com/exploitdev/osceprep/2018/06/27/vulnserver-trun.html
[Vulnserver] Boofuzzing Vulnserver for EIP Overwrite Blog https://h0mbre.github.io/Boofuzz_to_EIP_Overwrite/#
Boofuzz – A helpful guide (OSCE – CTP) Blog https://zeroaptitude.com/zerodetail/fuzzing-with-boofuzz/

Stack Based Overflow:

Name Type Link
[FuzzySec] Windows Exploit Dev #1: Intro Tutorial https://www.fuzzysecurity.com/tutorials/expDev/1.html
[FuzzySec] Windows Exploit Dev #2: Saved Return Pointer Overflows Tutorial https://www.fuzzysecurity.com/tutorials/expDev/2.html
[SecuritySift] Windows Exploit Dev #1: Basics Tutorial http://www.securitysift.com/windows-exploit-development-part-1-basics/
[Corelan] Exploit Writing #1: Stack Based Overflows Tutorial https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/
[SecuritySift] Windows Exploit Dev #2: Stack Based Overflows Tutorial http://www.securitysift.com/windows-exploit-development-part-2-intro-stack-overflow/
[SecuritySift] Windows Exploit Dev #3: Changing Offsets and Rebased Modules Tutorial http://www.securitysift.com/windows-exploit-development-part-3-changing-offsets-and-rebased-modules/
[Corelan] Exploit Writing #2: Shellcode Jumps Tutorial https://www.corelan.be/index.php/2009/07/23/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-2/
[SecuritySift] Windows Exploit Dev #4: Locating Shellcode Jumps Tutorial http://www.securitysift.com/windows-exploit-development-part-4-locating-shellcode-jumps/
[InfoSec Institute] Stack Based Buffer Overflow #1: Intro Tutorial http://resources.infosecinstitute.com/stack-based-buffer-overflow-tutorial-part-1-introduction/
[InfoSec Institute] tack Based Buffer Overflow #2: Exploit Tutorial http://resources.infosecinstitute.com/stack-based-buffer-overflow-tutorial-part-2-exploiting-the-stack-overflow/
[InfoSec Institute]Stack Based Buffer Overflow #3: Adding Shellcode Tutorial http://resources.infosecinstitute.com/stack-based-buffer-overflow-tutorial-part-2-exploiting-the-stack-overflow/

Structured Exception Handling (SEH) Overwrite:

Name Type Link
[Corelan] Exploit Writing #3: SEH Tutorial https://www.corelan.be/index.php/2009/07/25/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-3-seh/
[Corelan] Exploit Writing #3B: SEH Tutorial https://www.corelan.be/index.php/2009/07/28/seh-based-exploit-writing-tutorial-continued-just-another-example-part-3b/
[FuzzySec] Windows Exploit Dev #3: SEH Tutorial http://fuzzysecurity.com/tutorials/expDev/3.html
[SecuritySift] Windows Exploit Dev #6: SEH Exploits Tutorial http://www.securitysift.com/windows-exploit-development-part-6-seh-exploits/
[InfoSec Institute] SEH Based Overflow Exploit Tutorial https://resources.infosecinstitute.com/seh-exploit/#gref
The Need for a POP POP RET Instruction Sequence Blog https://dkalemis.wordpress.com/2010/10/27/the-need-for-a-pop-pop-ret-instruction-sequence/
[Vulnserver] CTP/OSCE Prep - 'GMON' SEH Based Overflow Blog https://h0mbre.github.io/SEH_Based_Exploit/#
[Vulnserver] GMON Command SEH Based Overflow Exploit Blog http://sh3llc0d3r.com/vulnserver-gmon-command-seh-based-overflow-exploit/
[Vulnserver] LTER - Extreme SEH Overwrite Blog https://www.doyler.net/security-not-included/vulnserver-lter-seh
[Vulnserver] Exploiting GMON Command via SEH and Egghunter Blog https://captmeelo.com/exploitdev/osceprep/2018/06/30/vulnserver-gmon.html

Egghunting

Name Type Link
[Skape] Safely Searching Process Virtual Address Space Paper https://web.archive.org/web/20061010194043/http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf
[SecuritySift] Windows Exploit Dev #5: Locating Shellcode with Egghunting Tutorial http://www.securitysift.com/windows-exploit-development-part-5-locating-shellcode-egghunting/
[Corelan] Exploit Writing #8: Win32 Egghunting Tutorial https://www.corelan.be/index.php/2010/01/09/exploit-writing-tutorial-part-8-win32-egg-hunting/
[FuzzySec] Windows Exploit Dev #4: Egg Hunters Tutorial http://fuzzysecurity.com/tutorials/expDev/4.html
[Vulnserver] GMON Egghunter with Character Restrictions Tutorial https://h0mbre.github.io/Badchars_Egghunter_SEH_Exploit/
[HackSys Team] Egghunter Paper http://web.archive.org/web/20150717003732/https://www.exploit-db.com/docs/18482.pdf
[SecuritySift] EggSandwich - An Egghunter with Integrity Blog https://www.securitysift.com/eggsandwich-egghunter-integrity/

Address Space Layout Randomization (ASLR) Bypass

Name Type Link
[Corelan] Exploit Writing #6: Bypassing Stack Cookies, SafeSEH, SEHOP, HW DEP, and ASLR Tutorial https://www.corelan.be/index.php/2009/09/21/exploit-writing-tutorial-part-6-bypassing-stack-cookies-safeseh-hw-dep-and-aslr/
Bypassing ASLR Paper http://web.archive.org/web/20171015120748/https://www.exploit-db.com/docs/18744.pdf

Network Attacks

Name Type Link
TCP Session Hijacking Paper https://www.exploit-db.com/papers/13587
[Muts] Cisco SNMP Configuration Attack with GRE Tunnel Paper https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=50318646-6402-48f0-82db-25d00ac3d76c&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments
Hacking Networks with SNMP Blog https://web.archive.org/web/20180808174050/https://0x41.no/hacking-networks-with-snmp/
Bypassing Router's Access Control List Blog https://securityshards.wordpress.com/2016/02/05/bypassing-routers-access-control-list-acl/

Case Studies

Name Type Link
[Muts] From Bug to 0-Day Presentation https://www.youtube.com/watch?v=axTthxE-z6A
[Muts] Bypassing Cisco SNMP Access Lists Using Spoofed SNMP Requests Blog https://web.archive.org/web/20051024151559/http://new.remote-exploit.org/index.php/SNMP_Spoof

Encoding, Restrictions, Bad Characters, and Other Exploit Development Resources

Name Type Link
[Corelan] Exploit Writing #4: From Exploit to Metasploit Tutorial http://www.corelan.be/index.php/2009/08/12/exploit-writing-tutorials-part-4-from-exploit-to-metasploit-the-basics/
[Corelan] Exploit Writing #7: Unicode from 0x00410041 to calc Tutorial http://www.corelan.be/index.php/2009/11/06/exploit-writing-tutorial-part-7-unicode-from-0x00410041-to-calc/
[FuzzySec] Windows Exploit Dev #5: Unicode 0x00410041 Tutorial https://www.fuzzysecurity.com/tutorials/expDev/5.html
[SecuritySift] Windows Exploit Dev #7: Unicode Buffer Overflows Tutorial https://www.securitysift.com/windows-exploit-development-part-7-unicode-buffer-overflows/
Eliminating the bad characters in your Exploit Presentation https://www.youtube.com/watch?v=IOjl3tU1Ht8

Practical

Name Type Link
Vulnserver Lab https://github.com/stephenbradshaw/vulnserver
Introducing Vulnserver Tutorial http://grey-corner.blogspot.com/2010/12/introducing-vulnserver.html
[Exploit-Exercises] Protostar Lab https://www.vulnhub.com/entry/exploit-exercises-protostar-v2,32/
[Exploit-Exercises] Protostar Lab (Challenges) https://web.archive.org/web/20180322220122/https://exploit-exercises.com/protostar/
[Exploit-Exercises] Fusion Lab https://www.vulnhub.com/entry/exploit-exercises-fusion-v2,15/
[Exploit-Exercises] Fusion Lab (Challenges) https://web.archive.org/web/20180820234507/https://exploit-exercises.com/fusion/
[OverTheWire] Narnia Lab https://overthewire.org/wargames/narnia/

Windows Internals (Not required, but definitely helpful)

Name Type Link
Windows Internals Part 1 (7th Ed.) Book https://www.amazon.com/dp/0735684189/ref=sr_1_1?crid=2Y8M5D8WSTRAO&dchild=1&keywords=windows+internals&qid=1595526058&sprefix=windows+intern%2Caps%2C267&sr=8-1
Windows Internals Part 1 (6th Ed.) Book https://www.amazon.com/Windows-Internals-Part-Developer-Reference/dp/0735648735/ref=sr_1_6?crid=2Y8M5D8WSTRAO&dchild=1&keywords=windows+internals&qid=1595526058&sprefix=windows+intern%2Caps%2C267&sr=8-6
Windows Internals Part 2 (6th Ed.) Book https://www.amazon.com/Windows-Internals-Part-Developer-Reference/dp/0735665877/ref=sr_1_5?crid=2Y8M5D8WSTRAO&dchild=1&keywords=windows+internals&qid=1595526058&sprefix=windows+intern%2Caps%2C267&sr=8-5
[Pluralsight] Windows Internals Course Part 1 Video Series https://app.pluralsight.com/library/courses/windows-internals/table-of-contents
[Pluralsight] Windows Internals Course Part 2 Video Series https://app.pluralsight.com/library/courses/windows-internals2/table-of-contents
[Pluralsight] Windows Internals Course Part 3 Video Series https://app.pluralsight.com/library/courses/windows-internals-3/table-of-contents

Misc/Extra

Name Type Link
[Muts] Live Demo from Backtrack to the MAX 1/5 Presentation https://www.youtube.com/watch?v=kwq5VQj3Ils
[Muts] Live Demo from Backtrack to the MAX 2/5 Presentation https://www.youtube.com/watch?v=ykfHy2lX88c
[Muts]Live Demo from Backtrack to the MAX 3/5 Presentation https://www.youtube.com/watch?v=IWf7UM7qX0M
[Muts] Live Demo from Backtrack to the MAX 4/5 Presentation https://www.youtube.com/watch?v=azepnwdVfyU
[Muts] Live Demo from Backtrack to the MAX 5/5 Presentation https://www.youtube.com/watch?v=6gmAoW1mtYg
[OffSec] Quickzip Stack BOF 0-Day: A Box of Chocolates Blog https://www.offensive-security.com/vulndev/quickzip-stack-bof-0day-a-box-of-chocolates/