By Jake Mayhew

Overview

Earlier this month, I passed the OffSec Exploit Developer (OSED) certification exam. As with other 300-level courses from OffSec, this was a practical 48-hour exam following the EXP-301 “Windows User Mode Exploit Development” course. Bottom line: This course was a blast, and it is a fantastic, serious introduction into exploit development that provides a solid foundation in x86 Windows exploit development, exploit mitigation control bypasses (ASLR/DEP), shellcoding, and reverse engineering.

I would highly recommend this course for anyone wants to take an in-depth training in exploit development or is interested in learning reverse engineering. As for prerequisites, I would highly recommend taking the PEN-200 OSCP course first, but I would say it is not required as a prerequisite. I could see those interested in malware reverse engineering benefitting from this course without needing the OSCP as a prerequisite (more on prereq’s below!).

EXP-301 starts right where the old OSCP started with regard to Windows x86 binary exploitation. It focuses exclusively on this and related topics such as shellcoding and reverse engineering to identify vulnerabilities. It covers vanilla stack overflows, SEH overflows, egghunters, custom shellcoding, ASLR, DEP (ROP), and format strings. It only covers x86, but the content is in-depth and certainly prepares you for deeper topics.

This course is not for the faint of heart, but very rewarding. I followed along with all the exercises and recreated them, and did 1–2 extra miles and challenge labs. I wish I had done more just because they were fun. After completing the course, I found the exam to be AN ABSOLUTE BLAST! I will cover that more below. If you are a pentester or red teamer looking to up your game in Windows internals (this was why I was interested!), a security researcher, a malware reverse engineer (or an aspiring one) looking to get more experience with exploitation, or a blue teamer with offensive experience looking to gain deeper insight into how attackers develop binary exploits, then this course is for you!

Prerequisites & A Note on my Background

Having a foundation in offensive security concepts will help you tremendously in this course. This could be accomplished through job experience or of course the OSCP (or e.g., CPTS). A lot of topics such as shells, payloads, Python scripting basics, etc. are assumed knowledge at this level.

That being said, they teach you pretty much everything related to binary exploitation from ground 0. If you don’t have your OSCP but feel very comfortable with Windows internals, taken courses in C/Assembly, or even Linux binary exploitation, you’ll probably do fine. OffSec offers the EXP-100 fundamentals content, and I did a lot of it, sans the x64 assembly and more in-depth WinDbg chapters. These are helpful but not required — they will cover everything you need in the content. I did them because I wanted more experience with WinDbg and because I am insecure about how much assembly I know.

I also think it’s important to share my experience in binary exploitation first for context. I would say when I started EXP-301 I had experience with at least half of the course content in some way, shape, or form. When I did the OSCP in 2017, I had to research, do, and redo the vanilla buffer overflow to pass the exam. I had a wonderful roommate who was a computer engineer who helped me understand the stack, memory management, etc. which made a huge difference.

After OSCP, I did “ye olde” OSCE which had a heavy emphasis on Windows x86 binary exploitation. It covered ASLR (albeit a different bypass method than in EXP-301), SEH overflows, egghunters, and a little bit of custom shellcoding. This was not easy for me at the time, and I had to really work hard as I failed the exam a few times! So I would say I had experience in much of the content, but definitely not a natural talent for it.

Course Content

I really liked the depth & breadth of content coverage:

1. Windows User Mode Exploit Development: General Course Information: Exactly what it says in the description!
2. WinDbg and x86 Architecture: I really appreciated how OffSec starts with a foundational chapter discussing x86 and WinDbg. You spend a lot of time in WinDbg, so make sure you don’t skip this if you’re unfamiliar.
3. Exploiting Stack Overflows: The vanilla stack overflow is great. It provides a gentle introduction into the course and gets you ready for running with the horses. Nothing revolutionary here, but I’m glad they cover it for those who are doing binary exploitation for the first time.
4. Exploiting SEH Overflows: The SEH overflow sections were very thorough. It is not necessary to fully comprehend all the “deep cuts” here, but the content is super helpful in getting more familiar with Windows internals.
5. Introduction to IDA Pro: This is a misnomer. It is IDA FREE! You never use IDA Pro in this course, and it is not even allowed on the exam. Nevertheless, I appreciated an entire chapter dedicated to this tool.
6. Overcoming Space Restrictions: Egghunters: Ah, the classic egghunter. If you’ve never leveraged an egghunter, prepare for a fun ride! Here the Keystone Engine for Python3 is introduced, which allows you to write assembly code, compile with Python3, and print out for your exploit.
7. Creating Custom Shellcode: Don’t skip this module. Make sure to internalize the method of loading libraries and looking up APIs, then make sure you know how to recreate the reverse shell. Perhaps consider creating your own simple shellcode to chain together a few APIs.
8. Reverse Engineering for Bugs: This chapter was very useful as they do a lot in IDA in the course. Follow along carefully in your own environment and you should get what you need from this section.
9. Stack Overflows and DEP Bypass: The DEP section was a good introduction to ROP, but I thought the exercises for this were more challenging than what was seen in the course. Wish they had made this a little less easy to get you ready for the labs, extra miles, etc.
10. Stack Overflows and ASLR Bypass: The ASLR module is excellent. They go over the different methods of bypassing ASLR and get you ready to think of techniques to chain together for code exec.
11. Format String Specifier Attack Part I: The format string sections were interesting and helped me get more used to reverse engineering. Part I covered a memory leak to achieve ASLR bypass.
12. Format String Specifier Attack Part II: With an ASLR bypass through a format string memory leak, Part II covered a stack overwrite using format strings to achieve DEP bypass and RCE. The format string sections were helpful in learning more about reverse engineering; however, I found them interesting but not the most useful sections.

For what it is, I would give the course content an 9/10. I have a few minor criticisms, but overall if you’re looking for a good course to cover Windows exploitation, I would start right here. While there were a few things I wish would have been addressed, the depth of coverage was what I would expect from a 300-level course from OffSec. To me, it did not disappoint. Having taken the original OSCE which focused heavily on x86 exploitation, this revamp and deep-dive was exactly what I had hoped.

The main weakness of the course, in my opinion, is the typical dig against other OffSec courses: a hyper focus on specific scenarios. The topics covered took a deep dive into a specific vulnerability with a unique exploitation scenario. This was helpful, but I wish there were additional examples that may be less in-depth to cover a broader example of scenarios. It can get difficult when you are encountering challenges in the labs and they don’t fit the exact scenario in the content (e.g., the ROP chains in the DEP bypasses were pretty nice in the content but I found them harder to piece together in the labs).

Another note: I did not like the way they taught ROP as much as Corelan’s method. The way they teach it in the course works just fine, but I didn’t find it as helpful as Corelan’s. It stretched me, though, which is good. I recommend checking out that as well. Do both! It will only help.

Labs

OffSec is all about the practical training! The labs were a ton of fun, and were a really great opportunity to refine each topic in the course. PEN-300 has two types of labs: course module labs and challenge labs.

The course module labs were essentially a carbon copy of the environment in the course content. Each chapter had an associated lab where you could follow along with the modules and then do the associated exercises. In my experience, it is imperative that you follow along with all the content in the EXP-301 course.

I did less of the challenge labs, to be honest. I think I did the second one, part of the first, and barely touched the third. That being said, I focused more on the Chapter 10 extra mile withCustomSvr01.exe. I highly recommend doing this challenge.

I always recommend doing as many of the labs as possible. But if you are short on time, I would do exercise 2 and the Chapter 10 Extra Mile with CustomSvr01.exe.

Of course, I recommend documenting some key notes in a note-taking tool such as Obsidian. Write some Python3 scripts to help you such as printing out all characters for bad character analysis, etc.

The Exam

I can’t say much, but as always with OffSec, I LOVED the exam. This may have been one of the more enjoyable OffSec exam experiences for me! I found that the difficulty was challenging but fair for the course. The tasks were fairly straightforward: not too difficult, but not at all easy. There was a ton of adrenaline in my system. I felt less instances of “I’m totally and completely stuck” this time and more of a “Oh dang, I wish I had more time to figure this out!” Unfortunately, I took a ton of breaks this time, and didn’t quite complete the last task (I got it half done). I wish I had procrastinated less to complete it.

Reporting as you go — this is the way! I diverted from my usual “write notes directly in the draft report” and it meant I spent a lot of time copying over content from my notes. I recommend stopping and checking your documentation when you have enough points to pass, but still have access to the exam environment. You don’t want to be stuck with enough points to pass but not enough documentation!

If you get stuck during the exam, I recommend taking a break, eating a snack/grabbing coffee, going for a walk (I did an exercise class that helped me reset my mind and body), and going back to the topics covered in the course. It should all be there!

Conclusion

Overall, an excellent 300-level course from OffSec. While so many are giving them flack these days, I found this course to be enjoyable, tough (but fair), and in-depth. Good luck! On to the OSWE for me…

Learn More About OSED