Offensive Security CTP/OSCE Review

After I woke up on October the 16th, I had a new unread email from Offensive Security in my inbox. It was a perfect start of the day knowing that I had passed the horrifying 48 hour OSCE exam. Cracking the Perimeter is a great course. It was a hard journey and I learned a lot, especially about assembly, shellcoding and buffer overflows. I’m not saying that the course is only about buffer overflows, but out of the nine modules, you are staring at assembly code in a debugger in six of them. The three other modules were about web attacks and man-in-the-middle network attack. These modules were great and I really wanted more of them.

I wish this course was more like PWK/OSCP, but harder. Penetration testing on a higher level. Instead it feels like a course for exploitation research. Fuzzing services for buffer overflows and using extensive amounts of time creating sophisticated proof of concepts is not something one usually do in penetration test, where you rather want to use the time on covering more ground to surface more risks. People might not agree with this statement so I’ll stop it there and save the topic for another day.

If you blindly compare PWK and CTP, then CTP comes out short. This is due to the minimal lab environment. CTP doesn’t have a lab like PWK, filled with machines for you to exploit. The CTP lab consists only of 3-4 machines used for developing the exploits in modules. The course is also more expensive, costing $400 USD more than PWK.

The limited lab environment brings me to another issue with CTP/OSCE. You should seek information and hands-on practice also outside the CTP course material. Corelan and FuzzySecurity are extremely good resources for this. Also consider enrolling for the Assembly and Shellcoding course at SecurityTube/PentesterAcademy.

Lastly I want to say that the course might be old, and many techniques covered won’t work with modern operating systems and new anti malware solutions. However, you should always learn the fundamental principles before exploring advanced techniques.

Now back to the waiting room for AWE/OSCEE and AWAE/OSWE to come as online courses.

Written on October 25, 2018