OSCE³ and OSEE Study Guide

OSWE

Content

• Web security tools and methodologies
• Source code analysis
• Persistent cross-site scripting
• Session hijacking
• .NET deserialization
• Remote code execution
• Blind SQL injections
• Data exfiltration
• Bypassing file upload restrictions and file extension filters
• PHP type juggling with loose comparisons
• PostgreSQL Extension and User Defined Functions
• Bypassing REGEX restrictions
• Magic hashes
• Bypassing character restrictions
• UDF reverse shells
• PostgreSQL large objects
• DOM-based cross site scripting (black box)
• Server side template injection
• Weak random token generation
• XML External Entity Injection
• RCE via database Functions
• OS Command Injection via WebSockets (BlackBox)

Study Materials

1. timip-GitHub- Reference guide
2. noraj-GitHub - Reference guide
3. wetw0rk-Github - Reference guide
4. kajalNair-Github - Reference guide
5. s0j0hn-Github - Reference guide
6. deletehead-Github - Reference guide
7. z-r0crypt - Reference guide
8. rayhan0x01 - Reference guide
9. Nathan-Rague - Reference guide
10. Joas Content - Reference guide
11. Lawlez-Github - Reference guide
12. 0xb120 - Reference Guide
13. Jaelkoh

Vulnerabilities

1. XXE Injection
2. CSRF
3. Cross-Site Scripting Exploitation
4. Cross-Site Scripting (XSS)
5. Unrestricted File Upload
6. Open Redirect
7. Remote File Inclusion (RFI)
8. HTML Injection
9. Path Traversal
10. Broken Authentication & Session Management
11. OS Command Injection
12. Multiple Ways to Banner Grabbing
13. Local File Inclusion (LFI)
14. Netcat for Pentester
15. WPScan:WordPress Pentesting Framework
16. WordPress Pentest Lab Setup in Multiple Ways
17. Multiple Ways to Crack WordPress login
18. Web Application Pentest Lab Setup on AWS
19. Web Application Lab Setup on Windows
20. Web Application Pentest Lab setup Using Docker
21. Web Shells Penetration Testing
22. SMTP Log Poisoning
23. HTTP Authentication
24. Understanding the HTTP Protocol
25. Broken Authentication & Session Management
26. Apache Log Poisoning through LFI
27. Beginner’s Guide to SQL Injection (Part 1)
28. Boolean Based
29. How to Bypass SQL Injection Filter
30. Form Based SQL Injection
31. Dumping Database using Outfile
32. IDOR

Reviews

1. OSWE Review - Portuguese Content
2. 0xklaue
3. greenwolf security
4. Cristian R
5. 21y4d - Exam Reviews
6. Marcin Szydlowski
7. Nathan Rague
8. Elias Dimopoulos
9. OSWE Review - Tips & Tricks - OSWE Review - Tips & Tricks
10. Alex-labs
11. niebardzo Github - Exam Review
12. Marcus Aurelius
13. yakuhito
14. donavan.sg
15. Alexei Kojenov
16. (OSWE)-Journey & Review - Offensive Security Web Expert (OSWE) - Journey & Review
17. Patryk Bogusz
18. svdwi GitHub - OSWE Labs POC
19. Werebug.com - OSWE and OSEP
20. jvesiluoma
21. ApexPredator
22. Thomas Peterson
23. NOH4TS
24. Alex
25. RCESecurity
26. Dhakal
27. Karol Mazurek
28. 4PFSec
29. Cobalt.io
30. hakansonay
31. Jake Mayhew
32. Organic Security
33. Bitten Tech

Extra Content

1. OSWE labs - OSWE labs and exam's review/guide
2. HTB Machine
3. Deserialization
4. B1twis3
5. jangelesg GitHub
6. rootshooter
7. svdwi

OSEP

Content

• Operating System and Programming Theory
• Client Side Code Execution With Office
• Client Side Code Execution With Jscript
• Process Injection and Migration
• Introduction to Antivirus Evasion
• Advanced Antivirus Evasion
• Application Whitelisting
• Bypassing Network Filters
• Linux Post-Exploitation
• Kiosk Breakouts
• Windows Credentials
• Windows Lateral Movement
• Linux Lateral Movement
• Microsoft SQL Attacks
• Active Directory Exploitation
• Combining the Pieces
• Trying Harder: The Labs

Study Materials

• OSEP Code Snippets
• Experienced Pentester OSEP
• OSEP Pre
• PEN 300 OSEP Prep
• OSEP Thoughts
• OSEP Code Snippets README
• Osep
• Google Drive File
• Awesome Red Team Operations
• OSEP Study Guide 2022 - João Paulo de Andrade Filho
• OSEP PREP Useful Resources Payloads
• OSEP in3x0rab13

Reviews

• nullg0re
• SpaceRaccoon Dev
• HackSouth YouTube
• Schellman
• Cinzinga
• YouTube iUPyiJbN4l4
• BorderGate
• Reddit OSEP Review
• Reddit OSCP Review
• Purpl3F0xSecur1ty
• MakoSecBlog
• YouTube iUPyiJbN4l4
• YouTube 15sv5eZ0oCM
• YouTube 0n3Li63PwnQ
• YouTube BWNzB1wIEQ
• SpaceRaccoon Dev
• Cas van Cooten
• BorderGate
• MakoSecBlog
• David Lebr1 GitBook
• Offensive Security
• João Paulo de Andrade Filho LinkedIn
• YouTube R1apMwbVuDs
• YouTube iUPyiJbN4l4
• Cristian Cornea Medium
• Security Boulevard
• YouTube R1apMwbVuDs
• Fluid Attacks
• Heartburn.dev
• YouTube FVZkVZKIyOA
• RootJaxk
• Dhruvagoyal
• IT Security Labs
• Benjamen Lim
• Marmeus
• Winslow
• Jakob Bo Moller
• swzhouu

Labs

• SpaceRaccoon Dev - OSEP Review and Exam
• Exploit-DB - Evasion Techniques Breaching Defenses
• OSCP Exam Report Template Markdown
• Offensive Security - OSEP Exam FAQ
• CyberEagle - OSEP Review
• PentestLab - Defense Evasion
• PentestLab - Antivirus Evasion
• PentestLaboratories - Process Herpaderping Windows Defender Evasion
• YouTube - PentesterAcademyTV
• YouTube - PacktVideo
• YouTube - PentesterAcademyTV
• GitHub - In3x0rabl3/OSEP
• GitHub - timip/OSEP

OSED

Content

• WinDbg tutorial
• Stack buffer overflows
• Exploiting SEH overflows
• Intro to IDA Pro
• Overcoming space restrictions: Egghunters
• Shellcode from scratch
• Reverse-engineering bugs
• Stack overflows and DEP/ASLR bypass
• Format string specifier attacks
• Custom ROP chains and ROP payload decoders

Study Materials

• snoopysecurity - OSCE Prep
• epi052 - OSED Scripts
• Exploit-DB - Windows User Mode Exploit Development
• r0r0x-xx - OSED Pre
• sradley - OSED
• Nero22k - Exploit Development
• YouTube - 7PMw9GIb8Zs
• YouTube - FH1KptfPLKo
• YouTube - sOMmzUuwtmc
• ExploitLab Blog
• Azeria Labs - Heap Exploit Development Part 1
• ZeroKnights - Getting Started Exploit Lab
• Google Drive File 1
• Google Drive File 2
• Google Drive File 3
• Corelan - Exploit Writing Tutorial Part 1: Stack Based Overflows
• wtsxDev - Exploit Development
• corelan - Corelan Training
• subat0mik - Journey to OSCE
• nanotechz9l - Corelan Exploit Tutorial Part 1: Stack Based Overflows
• snoopysecurity - OSCE Prep
• bigb0sss - OSCE
• epi052 - OSCE Exam Practice
• mdisec - OSCE Preparation
• mohitkhemchandani - OSCE BIBLE
• FULLSHADE - OSCE
• areyou1or0 - OSCE Exploit Development
• securityELI - CTP OSCE
• Google Drive File 4
• Coalfire Blog - The Basics of Exploit Development
• Connor McGarr - Browser Exploit
• KaliTut - Exploit Development Resources
• 0xZ0F - Z0FCourse Exploit Development
• dest-3 - OSED Resources
• Infosec Institute - Python for Exploit Development
• Anitian - A Study in Exploit Development Part 1: Setup and Proof of Concept
• Sam's Class - WWC 2014
• Stack Overflow - Exploit Development in Python 3
• CTF Writeups - Converting Metasploit Modules to Python
• PacktPub - Networking and Servers
• Cybrary - Exploit Development Part 5
• SpaceRaccoon - ROP and Roll EXP-301 Offensive Security Exploit Development (OSED) Review
• Offensive Security - OSED Exam Guide
• epi052 - OSED Scripts
• YouTube - 0n3Li63PwnQ
• epi052 - Windows Usermode Exploit Development Review
• PythonRepo - epi052 OSED Scripts
• dhn - OSEE
• PythonRepo - epi052 OSED Scripts
• nop-tech - OSED
• Ired Team - ROP Chaining Return Oriented Programming
• InfoSec Writeups - ROP Chains on ARM
• YouTube - 8zRoMAkGYQE
• Infosec Institute - Return Oriented Programming ROP Attacks
• dest-3 - OSED Resources
• mrtouch93 - OSED Notes
• wry4n - OSED Scripts
• r0r0x-xx - OSED Pre

Reviews

• YouTube - aWHL9hIKTCA
• YouTube - 62mWZ1xd8eM
• ihack4falafel - Offensive Security AWEOSEE Review
• LinkedIn - Advanced Windows Exploitation (OSEE) Review - Etizaz Mohsin
• Animal0day - Reviews for OSCP, OSCE, OSEE, and Corelan
• AddaxSoft - Offensive Security Advanced Windows Exploitation (AWE/OSEE) Review
• jhalon - OSCE Review
• YouTube - NAe6f1_XG6Q
• SpaceRaccoon - ROP and Roll EXP-301 Offensive Security Exploit Development (OSED) Review
• kuhi.to - OFFSEC EXP301 OSED Review
• epi052 - Windows Usermode Exploit Development Review
• SpaceRaccoon - ROP and Roll EXP-301 Offensive Security Exploit Development (OSED) Review
• YouTube - NAe6f1_XG6Q
• LinkedIn - Offensive Security Certified Expert 3 (OSCE3) - Cristian Cornea
• NOP Blog - OSED
• Deep Hacking - OSED Review

Labs

• CyberSecurityUP - Buffer Overflow Labs
• ihack4falafel - OSCE
• nathunandwani - CTP OSCE
• sufyandaredevil - OSED - Exploiting SEH Overflows
• firmianay - Life-long Learner - SEED Labs - Buffer Overflow Vulnerability Lab
• wadejason - Buffer Overflow Vulnerability Lab
• Jeffery-Liu - Buffer Overflow Vulnerability Lab
• mutianxu - SEED LAB - Buffer Overflow Attack
• INE - Windows Exploit Development
• Connor McGarr - Browser Exploit
• Coalfire Blog - The Basics of Exploit Development
• Pentest Magazine - Exploit Development Windows
• Steflan Security - Complete Guide to Stack Buffer Overflow (OSCP)
• Offensive Security - EVOCAM Remote Buffer Overflow on OSX
• Exploit-DB - Exploit 42928
• Exploit-DB - Exploit 10434
• OCW CS PUB RO - Lab 08
• epi052 - OSED Scripts

OSEE

Content

• Bypass and evasion of user mode security mitigations such as DEP, ASLR, CFG, ACG and CET
• Advanced heap manipulations to obtain code execution along with guest-to-host and sandbox escapes
• Disarming WDEG mitigations and creating version independence for weaponization
• 64-Bit Windows Kernel Driver reverse engineering and vulnerability discovery
• Bypass of kernel mode security mitigations such as kASLR, NX, SMEP, SMAP, kCFG and HVCI

Study Materials

• https://www.linkedin.com/pulse/advanced-windows-exploitation-osee-review-etizaz-mohsin-/
• https://www.crowdstrike.com/blog/state-of-exploit-development-part-2/
• https://www.youtube.com/watch?v=pH6qocUEor0&ab_channel=BlackHat
• https://github.com/nccgroup/exploit_mitigations/blob/master/windows_mitigations.md
• https://hack.technoherder.com/sandbox-escapes/
• https://www.youtube.com/watch?v=LUH6ZxYNJFg&ab_channel=ZeroDayInitiative
• https://www.youtube.com/watch?v=NDuWcGn5hTQ&ab_channel=ZeroDayInitiative
• https://www.youtube.com/watch?v=p0OaGMlBb2k&ab_channel=BlackHat
• https://github.com/MorteNoir1/virtualbox_e1000_0day
• https://blog.palantir.com/assessing-the-effectiveness-of-a-new-security-data-source-windows-defender-exploit-guard-860b69db2ad2
• https://github.com/palantir/exploitguard
• https://github.com/microsoft/Windows-classic-samples
• https://github.com/SofianeHamlaoui/Pentest-Notes/blob/master/offensive-security/code-injection-process-injection/how-to-hook-windows-api-using-c%2B%2B.md
• https://github.com/ndeepak-zzzz/Windows-API-with-Python
• https://int0x33.medium.com/day-59-windows-api-for-pentesting-part-1-178c6ba280cb

Reviews

• https://ihack4falafel.github.io/Offensive-Security-AWEOSEE-Review/
• https://www.richardosgood.com/posts/advanced-windows-exploitation-review/
• https://www.youtube.com/watch?v=srJ1ICC4ON8&ab_channel=DavidAlvesWeb
• https://medium.com/@0xInyiak/my-offensive-security-journey-part-1-5ffbd66fe0c2

Labs

• https://github.com/BLACKHAT-SSG/EXP-401-OSEE
• https://github.com/timip/OSEE
• https://github.com/dhn/OSEE
• https://github.com/orangice/AWE-OSEE-Prep
• https://github.com/matthiaskonrath/AWE-OSEE-Prep
• https://github.com/ihack4falafel/OSEE
• https://github.com/gscamelo/OSEE
• https://github.com/w4fz5uck5/3XPL01t5

Social Network

Joas Antonio - Linkedin

CyberSceurityUP- GitHub

C0d3Cr4zy - Twitter

Filipi Pires - Linkedin

Filipi Pires - GitHub

Filipi Pires - Twitter