I tend to hibernate in Winter and work on some kind of crazy project and I knew this Winter would be no different. I figured if I'm going to go into my hyper-focus cave, I may as well have something to show for it at the end.
When I first started my career in OffSec, I was most interested in reverse engineering to find vulnerabilities in binaries and writing exploits for them. Don't get me wrong, I wasn't going around finding 0-days all over the place - far from it! Actually, I didn't really know what I was doing at this stage - I was still learning, but I was keen. I'd download vulnerable binaries from ExploitDB and practice writing exploits for them. Solving challenges on overthewire was also a massive part of my learning journey.
Fast-forward a few years and with all the other aspects of Offsec/Penetration Testing to learn, reverse engineering and exploit development kind of took a back seat. It always bugged me that I did all this self-learning in a really interesting topic and never really had anything to show for it. I figured the Offensive Security EXP-301 course and exam would be the perfect way to remedy this and a good use of my Winter hibernation time.
Despite over 15 years in OffSec, I had never sat an Offensive Security course and exam before. I had taken the CREST route with CRT and CCT-INF, so this would be my first. I was excited but also a little apprehensive to try the (new to me) exam format!
The Course
The course mostly focuses on reverse engineering and exploitation of 32-bit binaries. I initially wondered if this might be a little out-dated but decided to go ahead anyway. If anything, the course would help me build a solid foundation of knowledge of exploit development and security bypass techniques that would be transferable to 64-bit architecture in future.
Syllabus
- Windows User Mode Exploit Development: General Course Information
- WinDBG and x86 Architecture
- Exploiting Stack Overflows
- Exploiting SEH Overflows
- Introduction to IDA Pro (IDA Free)
- Overcoming Space Restrictions: Egghunters
- Creating Custom Shellcode
- x64 Custom Shellcode
- Reverse Engineering for Bugs
- Stack Overflows and DEP Bypass
- Stack Overflows and ASLR Bypass
- Format String Specifier Attack Part I
- Format String Specifier Attack Part II
- VMWare Workstation Guest-To-Host Escape
- Windows Defender Exploit Guard
- Trying Harder: The Labs
Having spoken to a few people on Discord, it was clear that a subset of people only focused on the syllabus modules that contained the knowledge required to pass the exam. However, this was not the approach I wanted to take. I didn't just want the certificate. I wanted the knowledge and experience. The certificate is just a means of proving that I have the knowledge and experience. To this end, I studied each and every module once with the video aid and then again, following the text and performing the same steps in my lab environment.
The course mandates the use of WinDBG, which I had not used before. I had previously used Immunity Debugger, so I was familiar with all of the concepts, just not where all the features lived in WinDBG. Throughout the course, I learned how powerful WinDBG actually is. It's great, and now that I'm familiar with most of the features, I wouldn't hesitate to use it again!
The course wasn't just theory. There were plenty of practical, real-world examples to follow along with and replicate in the lab environment. I found this really helpful. Being able to follow along and inspect register values in real-time was a great way to learn and helped me understand what was happening internally at each step of execution. And if there were any concepts that were a little more challenging to grasp, the Discord community was always happy to help.
At some points, I did find the format of the videos to be a little out-dated and monotonous. I can't tell you how many times I watched the lady "reset her environment", which is at least 30 seconds each time. I feel they would benefit from updating with some modern animations and visual aids to help explain some of the more technical concepts.
Along the way, you'll find yourself performing the same tasks over and over again. There are some awesome tools on GitHub to help automate some of these, but this is your opportunity to build your own tooling to help speed up your own workflow and make your life easier.
Most modules have an "Extra Mile" exercise and sometimes more than one. I completed all of these. I figured the extra experience would only help in the exam later on. Some of the extra miles force you to dig deeper into concepts that are touched upon in the course material. You have to head to Google, do some reading and some of your own problem solving. I found this exercise very useful and it only added to my overall knowledge and better prepared me for the exam.
Whilst it was challenging, I managed to get through the whole course material and exam in about 4 months. This was most weekends and evenings after work. I'm glad I did this over Winter as there's no way I would have been able to get away with dedicating as much time as required over the spring/summer months.
Overall, I think the course was great. The syllabus was well thought out and each module built on the knowledge of the previous module. As I mentioned previously, the course did focus mostly on x86 architecture, but the knowledge absolutely builds a solid foundation and introduces concepts that are very applicable in the x64 world too. The labs were really helpful in following along and practicing the new techniques and concepts learned in a module. And the challenge labs at the end provide a really solid proving ground to practice and hone the skills you've learned throughout the course.
The Exam
There's only so much I can say about the exam, obviously. So I'll stick to my experience of the exam, rather than any specifics of what concepts or techniques were tested.
The exam guide has some very useful information, so this is the best source of truth when it comes to the exam.
Firstly, a piece of advice - I'd recommend booking the exam for some point in the future as soon as you start the course material. This will give you something to aim for and should help keep your learning on track. You get the opportunity to move your exam date twice, free-of-charge IIRC. So if your scheduled exam date is approaching quickly and you don't feel ready, you can always move it.
The exam comprises a 48-hour proctored practical portion and a 24-hour reporting portion.
With this being my first ever experience of an OffSec exam, I was not fully appreciative of the torture I was about to endure in this 72-hour period of my life!
I felt I was pretty prepared for the exam, and largely I was. I had studied hard, completed all of the "Extra Mile" exercises and all of the challenge labs. What I wasn't prepared for was the curve-balls! The exam really forces you to think outside the box and to "Try Harder"!
The first few hours of my exam, I was flying. Everything was going as I had hoped it would with no roadblocks. Then all of a sudden, I hit a brick wall and my rate of progress ground to a halt! For the next 8 hours, I got absolutely nowhere and made ZERO progress. Mentally, this was very difficult to handle. I was very conscious of how much time I had "wasted". Well, at the time I thought this was wasted time, but I have since realised that it wasn't - I was mapping out dead-ends and narrowing down the available paths I could take before finding the correct path I needed to take.
I decided that I needed a break. If I was going to be productive tomorrow, I needed sleep. It was about midnight at this point, so I went to bed for 5 hours. When I woke up, I sat straight down at my keyboard again and got to it. I must have spent the next 6-7 hours getting nowhere before I finally had a breakthrough and found the path I needed to take. Again, this was a huge mental battle. I felt like I had just been wasting time and now I really had to knuckle down and get this first assignment completed!
After about another 8 hours I finally completed the first assignment. At this point I had used 32 hours and had 16 hours left, and it was 9pm at night. I had two options: get some sleep or just power through. I was mentally and physically exhausted. It's amazing how tiring sitting at a desk can be!! At this point I really had to dig deep. I decided to stay awake through the night and tackle assignment 2.
Thankfully, assignment 2 went smoothly with only a few minor speed bumps. I powered through the night and managed to complete assignment 2 with about an hour to spare. I made sure I had all of my screenshots and evidence and ended the exam. At this point I was absolutely drained of all energy, both physically and mentally. I had been sat at my computer for about 30-31 hours straight and I needed a break. I knew I wasn't finished yet - I still had to get the report written. But there was no way I would have been able to write anything in my current state. I needed sleep.
I slept for a few hours and got to the reporting. With code snippets and screenshots, I think my report ended up being about 75 pages.
I'm really thankful that I spent time before the exam working out how I was going to write and format the report. If you're using any tools to help you write or format the report during the reporting phase of the exam, I highly recommend that you do a few dry-runs to make sure you know how to handle any little errors that may crop up, in case you experience them during the exam.
Overall, the exam experience was a positive, if very stressful, experience. You're definitely challenged to "Try Harder" and the feeling of accomplishment when you finally solve the challenges under exam pressure is something special.
I got the email after a couple of days of waiting that I had passed on my first attempt. To say I was relieved would be an understatement. I couldn't imagine having to sit the exam again any time soon, so I was very happy about this!