After I woke up on October the 16th, I had a new unread email from Offensive Security in my inbox. It was a perfect start of the day knowing that I had passed the horrifying 48 hour OSCE exam. Cracking the Perimeter was a great course. It was a hard journey and I learned a lot, especially about assembly, shellcoding and buffer overflows. I’m not saying that the course is only about buffer overflows, but out of the nine modules, you are staring at assembly code in a debugger in six of them. The three other modules were about advanced web and man-in-the-middle network attacks. These modules were great and I really wanted more of them.

I wish this course was more like PWK/OSCP, but harder, like penetration testing on a higher level. Instead it feels like a course for exploitation research. Fuzzing a service for buffer overflows and using extensive amounts of time creating a sophisticated proof of concepts for getting RCE is not something one usually do in a penetration test.

If you blindly compare PWK and CTP (which is not actually fair), then the latter comes out short. This is primarily due to the minimal lab environment, where CTP doesn’t have a lab like PWK, filled with machines for you to exploit. The CTP lab consists only of 3-4 machines used for developing exploits for the modules. The course is also more expensive, costing $400 USD more than PWK, but it is still worth every penny in my opinion.

The course content is not that big and you should seek information and hands-on practice outside the official material itself. Corelan and FuzzySecurity are extremely good resources for this. Also consider enrolling for the Assembly and Shellcoding course at SecurityTube/PentesterAcademy.

Lastly, I want to say that the course might be old, and many techniques covered won’t work with modern operating systems and new anti malware solutions. However, you should always learn the fundamental principles before exploring advanced techniques.

Now back to the waiting room for AWE/OSCEE and AWAE/OSWE to come as online courses.


Daniel Solstad

Information security, life and stuff