Advanced Windows Exploitation (OSEE) Training and Exam Review

Every individual who has a passion for understanding and exploiting the memory corruption vulnerabilities has dreams of attending the most advanced and up-to-date course on exploit development by offensive security.

Modern exploits for Windows-based platforms require modern bypass methods to circumvent Microsoft’s defences. In Advanced Windows Exploitation, OffSec challenges students to develop creative solutions that work in today’s increasingly difficult exploitation environment. The case studies in AWE include large, well-known applications that are widely deployed in enterprise networks.

The course dives deep into topics ranging from precision heap spraying to bypassing DEP, ASLR, Supervisor Mode Execution Prevention, Control Flow Guard, Arbitrary Code Guard to 64-bit kernel exploitation. This is the toughest course offered by offensive security and it requires a significant time investment.

Offensive Security Exploitation Expert (OSEE) is the certification earned when one passes the exam after following the advanced windows exploitation course. The exam consists of a dedicated lab environment which has a limited number of target systems. The software within contains specific, unknown vulnerabilities. Students have 71 hours and 45 minutes to develop and document exploits and then submit a report with step-by-step documentation of how the challenges were completed within the next 24 hours.

Course Registration
AWE requires a significant amount of student-instructor interaction, for that reason AWE is limited to a live, hands-on environment. The AWE course is delivered at BlackHat USA in Las Vegas every year. It costs 5000 US Dollars and it spans over 4 days. The real problem is that this course has a track record of getting sold out in 30 minutes on average for many years. In order to get a seat for the course you have to have a game plan, otherwise, registration will be full before you know it.

Luckily for me, Offensive Security offered the AWE class for the first time at BlackHat Asia 2019 and I was notified on time. So without wasting any time, I registered for it before it was sold out. The training was held on March 26-29, 2019 at Marina Bay Sands Singapore.

Course Prerequisites
One should be experienced in developing windows exploits. Familiarity with WinDbg, IDA and x86_64 architecture is highly required.

Pre-Course Challenge
A few weeks after the registration, offensive security sent an email containing a pre-course challenge. The challenge is meant to inform the students of the minimum technical background required to survive the course.

If you have absolutely no idea how to solve it, Offensive Security suggests either reconsidering taking the course or contacting them to explain the issues you’re facing and they’ll provide recommendations on study materials that you will want to complete before attending the training. A few weeks before the training, Offensive Security sent another email with the list of links to the topics that needed to be studied.

Course Content
The course consisted of 3 modules and each of them was equally tough

  1. Heap Overflow Exploit on Flash running in Firefox x86
  2. Type Confusion Exploit on Edge and Chakra JavaScript Engine
  3. Windows 10 x64 Kernel Exploit

About the Class
The class had 25 students and two instructors (Morten Schenk and Alexandru Uifalvi) who were really helpful and the best at what they were teaching.

Day 1
The first day started with a quick recap of exploit mitigation controls, DEP and ASLR and the techniques to bypass them. Until the first coffee break, everything seemed smooth but after that, I started to lose track as the instructors build up the pace. From here onward, we examined the flash player heap internals, what heap spray is and how to perform precise heap spraying.

We used CVE-2015-3104 vulnerability to corrupt the ByteArray’s data structures and gain arbitrary read/write primitives to search for interesting objects in the memory and leak the base address of modules to bypass ASLR and write the ROP chain onto a memory location to bypass DEP.

Day 2
I arrived late to class and to my surprise the instructors had already started teaching about escaping the sandbox protection. Firefox was running the Flash player in low integrity sandbox mode. In order to break the sandbox, we exploited a vulnerability in the kernel driver of Symantec Endpoint Protection to perform an Elevation of Privilege. Followed by that we bypassed the Windows Defender Exploit Guard.

Later that day, we started module 2 which was about dealing with a Type Confusion vulnerability “CVE-2017-8601” in Microsoft Edge that was discovered by the Google Project Zero team. We began the exploitation process by looking for a way on how to get read/write primitives and bypass ASLR by leaking the function pointer.

Day 3
On the third day, we were introduced to the additional exploit mitigation controls implemented by Edge, Control Flow Guard and Arbitrary Code Guard. After successfully bypassing all of these protections, ROP based technique was used to gain code execution. We escaped sandbox protection by exploiting a kernel vulnerability in the win32kfull.sys driver to get a shell with system privileges.

Later that day, we started module 3 which was about 64-bit kernel driver exploitation. The instructors explained the process of communication between userland applications and kernel-mode drivers, CPU privilege levels and token stealing payload.

Day 4
On the fourth day, instructors introduced us to memory paging and kernel exploit mitigation controls, SMEP and KASLR. We looked through a case study of “CVE-2015-5736”, which exploited a vulnerable windows driver under a least-privileged user to get the system privileges.

Pre-Exam Preparation
I began my preparation by going through the complete study guide and also did the extra mile challenges. Moreover, my focus also relied on relevant available public resources to prepare for the exam. I kept my pace slow just to thoroughly understand everything and not to make a rush.

The exam was 71 hours and 45 minutes. I was presented with two challenges. One of the challenges could be solved in two ways that is hard or easy and each one of them had different points allocated. Since it is the hardest course offered by offensive security, so one should expect it to be the hardest exam as per its hype.

However, for me, things became easier as I had already gone through everything with a lot of practice, case studies and problems. So it did not take me long to understand that the exam challenges were actually a combination of all I had practised so far. After ending up solving the exam challenges, in total I took one and a half-day and submitted my exam report as well.

After submitting the report, within two days received this email from offensive security
The other thing that makes one stand out is the ability to pass the exam and not just attend the training, something that the offsec instructors told us that only 3 out of every 10 students who attend the AWE training appear for the exam and there are currently less than 100 OSEE certified across the globe.

My Thoughts
If I had to wrap up my experience with my thoughts, I would first of all like to thank the instructors Alexandru Uifalvi and Morten Schenk who proved to be amazing and supportive throughout the course. This just reminded me of Morten’s advice to me during a break session,

“If you study this domain for the next 5 years and even 10 hours every day, you won’t be able to cover everything.”
At first, I didn’t realize the actual value of what he said. However, while preparing for the exam, I became well aware of what he actually meant as there were so many things that had to be covered in such a short time span. And in order to master any domain a lot has to be done.

For those who are willing to take this course in future, Here is my advice. Consider it as a journey in which the offsec team will carry you starting from the corner of the sea and then leaving you in the middle of nowhere, expecting you to find the way and reach your destination. This journey will always be a living memory for all of us.

TN Media News