Advanced Windows Exploitation (OSEE) Course Review: Part 2
Updates
When I left off in my last post, I had only just started working on the OSEE course material at home by myself. Now a whopping nine months later, I’m finally done with the training. It’s been a long road and a lot of work, but it was worth it!
Best Laid Plans
My original plan when I got back from Blackhat and Defcon was to work on one module per month leading up to the exam. They told us during the in-person training that the exam was being updated for the new course material and would not be available until January. This was fine with me, because I figured that even if I managed to work through one module per month, that would bring me right up to January. I busted my hump spending most of my free time from September through November working on this training. I completed all of the modules except for the final one.
Then, in early December, I received an email that unfortunately the exam was not going to be ready in January as originally planned. Instead it would be ready sometime in Q1 2023. This was a bummer, but I figured it at least would give me the ability to take a break for the holiday season. I did end up taking a break for around four or five weeks. I didn’t look at the material at all that entire time. In mid-January, I picked it back up again. It was tough to shake off the rust and get back in the groove. I felt like I had made a mistake by delaying for so long, but really it ended up being just fine. I think I finished up the last module by the end of March, but I still had the final extra mile exercise to do. Q1 2023 ended and the exam still wasn’t ready. But then on April 4, I received an email that it was available! I signed up right away, but the earliest I could schedule it around my work calendar was mid-June. That gave me around six weeks to work on the final extra mile exercise and refresh my memory on all of the earlier modules for the exam.
The Final Extra Mile Exercise
The final extra mile exercise was a doozy. When I originally read the description back in August I wasn’t sure I’d even be able to do it. Or at least how long it would take me. Months maybe? I think I ended up spending about a month on that final extra mile. It was almost like an entire extra course module, but in the form of an external PDF with research from other folks. It was difficult but I did complete it. I got stuck at the end trying to find a way to make the exploit function without eventually crashing the system. I managed to come up with a hacky solution after fighting with it for a while. It felt really good to work through that exercise. I learned a lot about how the kernel pool makes allocations and I learned some other fun tricks along the way. Some of the things I learned ended up coming in handy during the exam, though I could probably say that about almost every extra mile exercise.
Thoughts on the Course Materials
The 650-ish pages of course materials were a LOT to take in. I was able to do roughly one module per month, with the exception of the final extra mile exercise, which took about another month on its own. I felt like it was well worth the effort and I learned a TON. I will say that there were a couple of places where the materials were wrong about something. I would try to complete an exercise and it just wouldn’t work out. Luckily, Offsec created a Discord channel for the exercises, so if I ran into something like this and figured it out myself, I could post about it there for other students. In some cases I asked for help and I usually received it. So it wasn’t that bad, though it is frustrating to spend hours and hours trying to solve an exercise only to find out later that it can’t be done the way it was described. It would be nice if Offsec could issue some kind of digital updates to the course material in cases like this. Maybe just a few pages to fix the problems in between versions.
Last Minute Exam Prep
The last week or two before the exam, I spent time refreshing my memory on all of the course material. I had worked most of the modules from September through November of 2022. That was six to eight months ago! I felt like I had forgotten so much. There was so much technical information to remember and it felt like I only remembered bits and pieces. I went back through my notes for every module. My notes were anywhere from 6000 to 8000 lines long, so it felt like they wouldn’t necessarily be that useful to quickly find things during the exam when there would be time pressure. I was overly verbose in my notes.
I reviewed my notes for every module and wrote a new “summary” note for each module. At the top of the note I included a high level step by step guide on how the exploit worked and what mitigations it bypassed. This process was actually very helpful for me to make sure I understood how everything worked, and I found that I didn’t really reference this material during the exam. I had just absorbed a lot of it during the process of writing it all out.
I also made a “cheat sheet” reference page that included a table at the top with all of the various mitigations I learned about and known methods to bypass them. It included references to each module where they were discussed so I would know where to look for more detail. I had another “WinDbg” cheat sheet with a list of the less common WinDbg commands I might need either on the exam or in the future.
I referenced the OSEE exam report template multiple times. It had recently been updated for the new exam and the pre-completed section headings seemed to provide some clues about what to expect on the exam. I tried to spend a bit more time reviewing my notes for things that seemed the most relevant to what I expected to be on the exam, and less on the other stuff.
The Exam
I can’t divulge any specifics about the exam challenges, so I can only speak in generalities about my overall experience.
Technical Problems
My exam was scheduled to begin at 2:00PM. I showed up 15 minutes early, as requested, so I could go through the exam proctoring process. I’m on camera for the entire duration of the exam. The proctors ask you to show them around the office so they can make sure there are no other computers, phones, smart watches, people, etc., in the area. They also verify your identity. Then they began the exam and I received an email with instructions to download my VPN package to connect into the lab and begin.
Unfortunately, the VPN package link did not work. It just 404’d. I worked with the proctor in their chat system and they ended up escalating to some other level of support. This was quite annoying to deal with, but they were friendly and obviously were trying to fix it right away. It was just frustrating because I had been pretty anxious leading up to the exam, but also very excited to begin. And now I had this unknown amount of time to wait before I could truly begin. Also, my screen was being monitored by the proctor, and I wasn’t allowed to use my cell phone or another computer so I couldn’t exactly do anything interesting while I waited. They also had no way to notify me when it was ready if I stepped away. With time ticking away, I basically just had to sit there waiting for them to message me to ask me to try again. About 90 minutes later, the link worked and I was finally able to begin the exam at around 3:30PM. I asked if my time would be extended and they did extend my time to make up for the 90 minutes I lost with no fuss.
It Begins
The OSEE exam gave me just under 72 hours to complete two exploit challenges. After that, I’d be kicked out of the lab. Then I’d have 24 hours to prepare my exam report, which is how I’m graded. Each challenge was split into two parts. Each part was worth 25 points. A total of 75 points was required to pass the exam. I was hoping to get at least the 75 points, but I really wanted to ace the exam. I was really hoping to finish the exam with time to spare because I prefer to work on my exam report while I still have access to the exam environment. You never know where you may have missed some screenshots or maybe misunderstood a challenge goal and need to go fix or change something.
Once I had access to the exam control panel and all the information about the challenges, it seemed to me like one of the challenges was likely to be significantly more effort than the other, at least based on my own experience. I therefore decided to focus on the “easier” challenge first. I figured it was likely that I’d be able to complete that entire challenge faster, and then I would only have to finish half of the other challenge to pass.
Challenge 1
I hammered away at this first challenge with only a small break here or there. At first, I was feeling a bit discouraged. It took me longer than I had expected just to get some of my debugging tools up and running properly. Then I felt a bit like I was floundering and unsure where to look or what to do. Eventually I found a good foothold and was able to really dig in. Once the ball was rolling, things moved pretty smoothly. I ended up completing the entire challenge for a total of 50 points by about 4:45AM. It took me almost 14 hours and I stayed up way too late but I just couldn’t stop myself. I really wanted to knock out that challenge and I had good momentum most of the time. I went to sleep at about 5:00AM.
Challenge 2: Part 1
I woke up around 8:00AM with only about three hours of sleep. I was too amped up. I’m pretty sure I dreamt about assembly instructions. I ate some breakfast and quickly got moving on the next challenge. This one did prove to be more complicated for me and it did take longer, so I think I made the right decision to tackle this one second. This one required more reading and preparation up front. I again felt like I was floundering for a while, unsure where to begin. But again, I got a foothold within a couple of hours and was off. I found that although this challenge was more complicated than the first and had more steps overall, I rarely felt stuck or unsure where to go once I got moving.
I hammered away at the challenge until I completed the first part at around 1:00AM. That gained me another 25 points for a total of 75. It felt great! I had enough points to pass the exam and I still had about 34 hours left to finish the final piece. At this point the pressure was mostly off, but I still really wanted to get the 100 points. I was feeling pretty confident with all the time I had, though I really wanted to save some time to get a rough draft of my report together. Running on only three hours of sleep and it being 1:00AM, I decided this was a good opportunity to take a break and catch some z’s.
Challenge 2: Part 2
Knowing I had so much time left made me comfortable to sleep in a bit later. I woke up around 9:00AM with roughly eight hours of sleep. I ate some breakfast and got back to work on the second half of the challenge. I think I had one instance where I was stuck for a couple of hours trying to decide how exactly to move forward. I had an idea of what to do, but I wasn’t sure exactly how to do it. I had several paths I could take, and I was reasonably sure of one path but after investigating it, I wasn’t able to see a way forward. I then investigated all of the other paths without finding anything. Then, of course, I went back to the original path and it turned out I had missed something important there. I should have trusted my gut and dug a little deeper the first time around. I’d have saved myself several hours!
At around 9:45PM I managed to get the exploit fully functional against the target machine. This netted me all 100 points. I still had about 14 hours left in my exam, which was perfect because it meant I had plenty of time to build a rough draft of my report before I was kicked out. I spent the next two hours or so writing up the first part of challenge 2. Then I went to bed.
The Report
I slept for about eight hours again and then got to work on the report. I finished writing up challenge 2, and then went back to write up challenge 1. It was funny to see how I had already forgotten so much about that challenge since my head space had completely changed while working on the second challenge. Luckily my notes were pretty good and it didn’t take me long to remember what I had done. I did go back and take some extra screenshots, so it was nice to have that extra exam time, though I probably could have gotten away without them.
After finishing the draft, I took a break for a few hours. Then I went back and proofread it again. And again. Eventually I felt like I was just changing minor things and second-guessing myself, which wasn’t very helpful and was only stressing me out. I had originally intended to wait to submit my report until the next morning, but I ultimately decided to submit it that evening before bed. I just needed to be done with it, and I felt like I had quadruple-checked everything already.
That final report submission is always nerve-wracking with Offsec exams. They have very specific rules about having your report in the correct file format, with the correct file name, compressed in the correct archive format with, again, the correct file name. You have to have the right proof screenshots and have met the challenge requirements. There are just a lot of little things you can mess up which will result in an exam failure even though you aced the exam itself. I had to muster up the courage to finally submit the thing and just be done with it.
Results
Offsec says it can take up to ten business days to receive your exam results. For me, I had to wait agonizingly for eight days before finally hearing that… I passed! I was so glad. I didn’t have to refresh my email any more waiting for a results email! I could stop studying! I could finally move on to something else! Maybe find a project to put some of this stuff into practice…
Final Thoughts on the Exam
I thought the exam was great. It felt like the perfect amount of challenge for the time given. It also felt like it covered a lot of the most important things from the course materials. Frankly, I think they nailed it. I had a blast taking the exam, even with the stress and time pressure. My biggest problem now is that I’ve taken all of the Offsec courses I’m interested in and I’m not sure what to do next!