Overview

I had been wanting to take the Cracking The Perimeter (CTP) course for some time, but my schedule was pretty hectic. I finally forced myself to start it at the beginning of the new year and I’m really glad I did. As promised, here is my review.

Prerequisites

Offsec states the following:

Many pre-requisites are required, such as good familiarity with Ollydbg, and a general mastery of offensive network security techniques.

Definitely sound advice. Here are my additional recommendations:

1) Have a working knowledge of one or more scripting languages.

You should be able to write your own exploits, scripts, and tools from scratch. Knowledge of either Perl or Python is suitable. I tend to gravitate more towards Python, but I’m comfortable with both, which definitely helped.

2) Understand Assembly and using a debugger.

In my OSCP review I said this was probably one of the least important recommendations for that course. In this case, it’s one of the most important. You will be expected to write custom shellcode and you will live in a debugger for the duration of the course.

As such, you will be staring at, deciphering, and writing Assembly instructions, and intimate knowledge of Ollydbg or Immunity Debugger is going to help you immensely. There are plenty of free online resources to learn Assembly. If you prefer video format, you might consider the videos over on.

3) Get some experience with a fuzzer such as Spike or Sulley.

You will be expected to be able to discover vulnerabilities before exploiting them. Both Spike and Sulley are free. Spike is included on Kali, though I’m partial to Sulley because it’s written in Python. The course gives examples of using Spike, so intimate knowledge is not required, but it certainly will help.

4) Understand stack-based buffer overflows and be able to develop exploits that target them.

You won’t be expected to know some of the slightly more advanced topics, like developing Venetian shellcode to target Unicode-based exploits, but you should be very comfortable with exploiting basic / SEH overflows. If you don’t have regular experience developing exploits, I would strongly suggest reviewing some online tutorials or books on the subject. Has some nice, in-depth tutorials, I have created, and there are plenty of other free online resources as well.

5) Have a good understanding of web technologies and vulnerabilities such as Cross Site Scripting.

A working knowledge of PHP and MySQL, and of more advanced methods of exploiting XSS (beyond alert(1)), will help you with some of the web-based modules.

Am I ready?

Via my OSCP review I get asked questions all of the time like “I have background X with education Y and skillset Z, am I ready to take the course?” They can be difficult for me to answer because everyone has different learning styles and different rates at which they pick up new concepts. Obviously this is a course designed to teach you, so the expectation is not that you know everything walking into it. That said, it’s definitely not a beginner’s course. If you’re just getting interested in exploit development but haven’t had any hands-on experience, you’re probably not ready. If you’ve just completed the OSCP and you enjoyed the section on buffer overflows, but haven’t spent any additional time studying and practicing them, you’re probably not ready.

If you’re still unsure, my overall recommendation is this: assuming you have working knowledge of the above topics, get on, find some buffer overflow exploits, download the vulnerable applications, break out your fuzzer, debugger, and favorite scripting language, and start replicating the exploits from scratch. Once you feel comfortable with finding and exploiting basic buffer overflow vulnerabilities, you should have the knowledge necessary to tackle the course.

In the sections that follow, I will take a quick look at the course registration process and then walk through the course syllabus, which you can find here:

Course Registration

Unlike the OSCP, before you can take the course you need to complete a small challenge to unlock the registration code and secret key. You won’t get any help from me here.
If you can’t pass this challenge on your own, you’re not ready for the course, so do yourself a favor and study a bit more. Once you’ve completed the challenge and unlocked the registration code, you can choose from 30 days or 60 days of lab time. I chose 60, because I knew I wouldn’t be able to devote as much time on nights and weekends as I had with the OSCP, and because my goal was to get as much out of the course as possible. You’ll get out of the course what you’re willing to put in, and for me that meant taking the extra time. I received my email on 3 January and so it began.

The Course

I’m going to briefly walk through each of the modules listed on the syllabus, but before I do I want to give you my overall strategy. The CTP course is set up in the same manner as the PWB/K. You’re given a PDF course guide with written tutorials and exercises along with accompanying videos. As such, my approach was very similar: watch the video(s), read the course module, and complete the exercise(s).

However, as I said, my goal was to get as much as possible from the course and this meant “Trying Harder”. If you’re a prior OSCP student, you probably cringed when you read those words, but I think the “Try Harder” motto means more than just putting in more effort when you fail. To me, it means putting in more effort even when you succeed. In other words, don’t just go through the motions and replicate what’s in the course material. Explore the topics in depth using additional resources and come up with new or novel ways to apply them. Develop custom scripts, experiment with additional applications.

Yes, you may be able to get by just replicating the modules and exercises if your only goal is to get the certification. Just remember, the value you get out of a course like this is not from the cert, it’s from the knowledge you gain as a result.

Alright, that’s my two cents. Now, here’s a walkthrough of each module and examples of how I Tried Harder. I won’t be giving too much away and I won’t be posting any of my scripts this time, because the whole point of the course is to develop your own.

The Web Application Angle

The first module walks through some real-world attack scenarios to steal cookies, modify account settings, and obtain a shell via Cross Site Scripting. I won’t divulge the specific application or vulnerability, but while fairly straightforward, these are great illustrations of why XSS can pose such a high risk.

The second module walks through a real-world directory traversal exploit that ultimately results in shell access to the target machine.

The Networking Angle – Attacking the Infrastructure

This section of the course examines bypassing Cisco Access Lists using spoofed SNMP requests and using that access to modify router configurations, which ultimately allows you to reroute and sniff previously unreachable traffic.
This was an interesting section, though I didn’t deviate much beyond the course material.

The Exam

Ah yes, the portion of the review that I’m sure people are the most interested in: what was the exam like? Well, I can tell you I found it to be very relevant to the course material and quite challenging. In total you’re given 47 hours and 45 minutes to complete the exam. I opted to take it a week before my course time ended because I felt I was as prepared as I could be.

As with the OSCP, I organized my materials (scripts, notes, etc.) that I created during the course prior to attempting the exam. I didn’t do any additional studying or preparation because I was comfortable with the exploit concepts presented in the course and I felt the extra work I put in was prep enough.

Also in line with the PWB/K exam, you are provided with a number of targets, each with varying point values. You don’t need to achieve all target objectives to gain enough points to pass the exam, but the points are divided in such a way that you need to get most. I won’t provide many details of the exam itself, but I will say it does a great job of testing the concepts presented in the course. If you’ve mastered them, you should be ready.

Day 1

I started the exam at 9:00 am and conquered two of the targets relatively quickly (within a few hours), but since they had the lowest point values, I had nowhere near enough points to pass. I then spent a lot of time on one of the two remaining targets looking in the wrong place for something I knew existed. I wasted hours on this one issue, which definitely set me back (both mentally and in terms of time). In fact, although I did spend some time switching back and forth between the two remaining targets, this pretty much burned up the rest of my first day. I was taking the exam at my office and ultimately decided at 3 am that I would go home, catch a few hours’ sleep, and pick up again in the morning.

Day 2

After about 4 hours of rest and a quick breakfast, I headed back to the office and resumed the exam at around 10 am. Having ended day 1 with no idea how to proceed with one of the remaining objectives, I decided to switch to the other target and spent the majority of day 2 attempting to overcome the limitations presented by that exploit. It was equally as frustrating as the other target because I knew exactly what the issue was and what I wanted to do, but every attempt I made fell short.

After most of the day had passed, I decided to switch back to the other target. I’m not sure if it was the break I took from it or not, but almost immediately I found what I had spent so much of the prior day looking for, and within another hour or so I had completed the objective and collected full points for that target. It was a great mood booster, but I still didn’t have enough to pass the exam.

The goal of the last remaining target was to get a remote shell. By now it was about 4 in the morning, I had only taken a few short breaks since the exam started, and I was starting to get a bit worried that I wouldn’t conquer this one. After about another two hours, I had finally achieved command execution but couldn’t get the shell working. I knew I was very close and after another couple of hours had an idea of what I wanted to do, but I couldn’t write the code fast enough and ultimately ran out of time. Given that I had collected full points on the other three targets and gotten nearly to the end of the last, I was hopeful that I had gained enough points to pass.

I rested for the remainder of the day and finalized/submitted my report later that evening. The next morning I had a revelation and ended up writing out the working copy of the shell exploit for the final target on a notepad. Of course it was too late to submit, but it validated the fact that I was so close and made me more confident that I had collected enough points. Thankfully, later that day I received confirmation that I had successfully passed the exam.

Conclusion

The course, although written several years ago, presents material and concepts that are still relevant and fundamental to current exploit techniques. It’s up to you to determine how far you want to go to master them.

The exam does a great job of testing your application of the course material, and although there were several times I simply wanted to give up due to sheer frustration, I’m glad I didn’t. Had I not been derailed for so long looking in the wrong place on the one target, I know I could have completed all of the objectives well within the allotted time and not left my passing of the exam up to a point tally.
As in real-world penetration testing engagements, sometimes you get your target quickly and sometimes you’re stumped for hours (often on the silliest of issues). Regardless, I had achieved what I set out to do, which was to learn and challenge myself as much as possible, and I earned the certification along with it. In the end I think the course was definitely worthwhile and I would recommend it to anyone interested in honing and testing their exploit skills. If you decide to tackle it, just remember to Try Harder!

Until next time,
Mike.

Wow, what an excellent review, especially the resemblances that I felt as well on the exam. I presume the first one was the user01 related (not to give too much away) and the one at the end was the one we all need help with. Do you mind if I ask you some questions regarding the latter? I’m doing a retake and I believe I have done enough to pass (been practicing on my own VM with the monster) and I really can’t get beyond anything outside of getting it to pop calc.exe. If you wouldn’t mind, I would really like to ask you some questions regarding this. Send me an email if you wish.

And excellent review, as always.