Advanced Windows Exploitation (OSEE) Course Review
Summary of tips for the training course
- Study before you arrive
- Use the syllabus as a guide to fill knowledge gaps.
- Study the material they send before the course begins.
- When you are given time in class to do an exercise, find the exercise in the guidebook and follow along there.
- Study the guide book in the evening to fill in any knowledge gaps.
- Ask questions during class if you need to. That’s the whole point of being there in person.
- Don’t bother taking notes during the training because almost everything is in the guide book anyway. Only write down things you want to remember that you think won’t be in the guide book, such as interesting anecdotes from the instructors.
- Befriend your fellow students.
- Get enough sleep.
- Relax. Even if you are completely lost during the training, you get to take everything home and spend as much time as you need going through the material at your own pace.
Background
I love Offensive Security’s training courses. Since 2017 I’ve taken six courses and obtained seven of their certificates (OSCE3 is a bonus cert you get after obtaining three other certs). In 2021, I took OffSec’s new Offensive Security Exploit Developer (OSED) course, which was an evolution of the old Offensive Security Certified Expert (OSCE) cert I obtained in 2019. The OSED course taught me the basics of reverse engineering Windows 32-bit user-mode programs with IDA. I also learned how to use WinDbg to debug the same applications. I had always wanted to learn more about memory corruption bugs, finding zero days, and writing exploits, and that course really made me feel like I finally had the skills to get started. Later in 2021, I used those new skills to do some research into ham radio software and wrote my own RCE exploit for a new zero day vulnerability I found. It was a rush!
I’ve known for a few years that I ultimately wanted to take OffSec’s AWE course some day, but I wasn’t sure when I’d ever get around to it. The AWE course is the only course they offer that can’t be taken online. You must take the course in person. They generally only offer the course at the Blackhat security conference. Alternatively, your company can hire OffSec to come give the training to their employees. The Blackhat training only has around 40 seats per year, so it can be competitive to obtain one. You need to be paying close attention and sign up as soon as they open registration if you want to be sure you’ll get a spot. This often happens early in the year, when company training budgets haven’t been finalized yet…
Also, the AWE is expensive. This year it cost $7500 just for the training alone. It included admittance to Blackhat, but as I discovered later that price didn’t even include access to the briefings. It just covered the business center, which is basically just a bunch of vendors trying to sell you things. This of course doesn’t include travel costs, food, lodging, etc. With all that in mind, and knowing that the course would be very technically advanced, I sort of figured I wouldn’t be taking it for a few years.
Then, in March this year, I received an email from OffSec saying that they had saved a few slots at their Blackhat training for OSCE3 holders and they wanted to know if I was interested in purchasing one. I couldn’t pass up the opportunity. Luckily, my employer was on board with this and they agreed to foot the bill! By the end of the week I was registered for the course with the sudden realization that I was likely going to be in way over my head.
Preparation
I started by finding other blog posts where people discussed their own experiences taking this training. It gave me a good idea of what I was in for.
Then, a couple of months before the training I decided to do some studying to prepare. Based on other blog posts I had read, I knew the training would be extremely technical and I figured the more I could learn before the training started, the more likely I’d be able to keep up while at Blackhat. I really didn’t want to end up totally lost while I was there.
OffSec doesn’t divulge many specifics about what exactly is in the training, but they do publish the course syllabus on their website. I started by reviewing the syllabus and listing anything that was new or otherwise unfamiliar to me. Most of the topics in the syllabus were new. That was when I started feeling nervous that I had made a mistake signing up for this.
I essentially just did Internet searches for each topic, reading up on them and taking notes in my preparation notebook. I wasn’t trying to fully understand each concept and how exactly each thing worked, but I figured if I at least knew what something was, it would mean I could spend less time trying to remember high level concepts and acronyms and more time paying attention to the nitty gritty technical details. For example, the following acronyms were all included in the syllabus and were all new to me:
- CFG (Control Flow Guard)
- LFH (Low Fragmentation Heap)
- WDEG (Windows Defender Exploit Guard)
- EAF (Export Address Filtering)
- JIT (Just-In-Time compilation)
- ACG (Arbitrary Code Guard)
- SMEP (Supervisor Mode Execution Prevention)
That’s a lot of acronyms to not even recognize. There were also other concepts I was unfamiliar with such as Virtualization-Based Security, use-after-free vulnerabilities, kernel exploitation, and more. I knew the course was going to cram a lot into a short time and there wouldn’t be a lot of time for me to learn these things while there. So I focused on learning them beforehand so they would be more obvious to me during the actual training. I actually wish they had sent us the course material ahead of time so I could have read through it all and gotten a basic grasp of everything before attending the training. That way I’d have been better able to follow along and ask intelligent questions to make the best use of the training time. Unfortunately, that’s not how it works.
At one point I wanted to learn about Microsoft Edge Type Confusion bugs and I ran across a blog series by Connor McGarr. I spent almost two weeks reading his three-part series on that one bug but by the end I felt I had a good grasp of it. It seemed like time well spent because based on hints in the syllabus I had a suspicion that the bug discussed in his blog series was one of the four main bugs we would be discussing during the training. In my research I kept finding more and more blog posts on Connor’s blog that closely aligned with what I was trying to learn. It turned out he had been preparing to take the AWE course for a couple of years, and that explained why so many of his blog posts aligned with my own study goals. He actually was at the same Blackhat training as me. Thanks again to Connor for publishing all of his research. His blog was very valuable for me in preparing for the training.
About three weeks before the training, OffSec sent everyone an email with a list of hardware requirements and about 19 links to recommended reading material. I would have appreciated it if they had been sent a bit earlier, because three weeks wasn’t much time to go through all the material, but at least it was something. I read through every link they sent, taking notes where I felt appropriate. There was one link that was just too long, technical, and dry for me to really study very well, but the rest were good and gave me a high level understanding of what to expect in the course. They helped fill in some blanks I had from my own research and prior study. I also found that they helped me keep my head above water during the training with some of the bugs because I had read a bit about them before and had a high level understanding of them.
The email also included a pre-course challenge designed to test and see if you are ready to take the AWE course. I managed to complete the challenge in about 20 minutes, which had me feeling quite proud of myself. Having taken the OSED course, the challenge was really more of a review of one of the concepts from that course. The only new thing about it to me was that it involved 64-bit architecture. I had read up on 64-bit calling conventions so it was actually pretty simple to get my brain into x64 mode and complete the challenge quickly.
Hardware
OffSec tells you that you need a beefy laptop to use for the training. They send you all the requirements beforehand. I won’t list them here because they are likely to change over time. I managed to get a spare laptop from my employer to use for the training course. I also was sure to bring a mouse because using a touchpad would have been torture.
I was paranoid that I would have trouble working on just a single small laptop screen so I purchased a portable 17" 1080p monitor to bring to the training. I set it up and used it every day, but honestly I found that it wasn’t all that helpful. Just switching between Windows workspaces would have likely been enough but I was paranoid and I felt better knowing I had the extra screen real estate just in case.
Training
The training was pretty much as intense as everyone says it is. The first day we got started at 10:00AM. They handed everyone the course guide book. Normally OffSec gives you a PDF of all the course material. That’s what I was expecting this time around too. Well, for the AWE they apparently only give you a physical copy. They handed me an enormous binder with about 650 pages of content. It was the only copy I’d receive so it was now my responsibility to guard that binder with my life all around Las Vegas and ultimately back home. They did pass around USB drives with the virtual machines and some other course content we’d need.
Then we dove head first into the first main bug. We spent the day talking about that bug and working through the process of understanding the bug and building an exploit for it. We worked right on up to about 7:30PM. We got a short break for lunch and a coffee break or two. Most of the day consisted of one of the instructors (Morten) alternating between a presentation about the bug and live demonstrations of things like reversing with IDA or debugging with WinDbg. Every so often we’d get a short break to work on some exercise.
I must admit on this first day I felt lost every time we got to the exercise breaks. I had just watched the instructor go through a bunch of steps and felt like I understood what he was doing in the moment, but when it came time for me to do it, I couldn’t remember all of the steps, commands, etc. I found I would sort of just stare at my laptop with WinDbg open trying to figure out what I should be doing. By the second day, I realized that everything they were showing us on screen was in the guide book they had given us. They were basically running through the 650 page guide in four days, skipping over details when they weren’t absolutely necessary. Whenever we got to the point of having an exercise to do, I would search for that specific exercise in the guide and follow along there. That made it much easier because I could see the commands at my own pace and replicate the results. This was likely the intention all along but I don’t think the instructors made that very clear. Or it’s possible that they mentioned it and I missed it while trying to absorb some other concept.
About halfway through the first day it dawned on me that my instructor didn’t just understand the bug and exploit he was discussing. He actually wrote it himself. I hadn’t realized that before starting the course. It turned out that all the exploits discussed in the course were written by the two instructors, Morten and Sickness. It was obvious that they really understood what was going on, and that’s because they spent weeks or months building these exploits and then also had to write all the course material. Now and then they would drop small anecdotes about why they made some decision to write the exploit this way or that way. It was interesting insight that you don’t get from just reading the material.
On day two we worked from around 8:00AM to 7:00PM. Day three was about the same. Day four we ended early at around 4:00PM and the instructors stuck around for an hour or so to answer any questions we had about the material, exam, their own personal experiences, or really anything we wanted. Each day my brain melted more than the last, but I was actually a bit surprised to find that I kept up with the material quite well. My studying had really paid off. There were a couple of places where I missed some link between two concepts and wasn’t quite sure how we got from point A to point B, but I found that during our exercise time I could usually search through the guidebook to find that section of material and reread it a few times to try and understand it. Worst case scenario, the instructors were always wandering around the room during exercise time to help those in need. It was easy enough to get the attention of one of them and ask for clarification on something. That’s the biggest benefit of having the in-person training, so I figured I might as well use it when needed.
Aside from the instructors there were also about 39 other students in the class. I ended up getting friendly with the three or so folks who were sitting around me throughout the four day course. It was actually funny how on the first day everyone was pretty reserved and mostly kept to themselves. As events unfolded and we all got more comfortable, we slowly revealed to each other that we were all out of our depth and our minds were all melting together. That seemed to make everyone feel more comfortable, and it helped to know that I wasn’t the only one who felt like I wasn’t following everything. It was nice to get friendly with other folks from all over the world who all had a similar niche interest. We were even able to help each other out from time to time when one of us understood something another did not.
Evenings
How you spend your evenings is entirely up to you. You could spend all night studying or go party in Vegas. The first night, I ended up spending a few hours after dinner reviewing the course material from that day to fill some knowledge gaps. It ended up being very helpful because there were some areas I didn’t fully understand. When I showed up the next morning to finish up the module on the first bug, I had a much better understanding of all the components and how they fit together. I still had one question but I was able to ask it before class started and from there I felt very comfortable and confident.
Usually at the end of each day the instructors will offer some extra mile challenge to the class. If you complete the extra mile before the next class you can earn some OffSec swag. Usually just a sticker or something small. The second day I actually did work on and complete one of the challenges and I earned myself a “Try Harder” sticker.
The third evening they issued the most difficult challenge for a chance to earn some more interesting swag. I attempted to solve it in my hotel room but by around 1:00AM I realized I was unlikely to get it finished before class even if I stayed up all night long. The main reason was actually that I just wasn’t very experienced writing the kind of C++ code I needed to write. So even if I understood what I needed to do from an exploitation perspective, I had to spend a lot of time just figuring out how to accomplish that goal in C++. By the next morning a few people had solved the challenge, but most either didn’t complete it or didn’t even attempt it. I ended up working on this almost every night for the next several nights, trying to get it done before I left Las Vegas the following Saturday. I ended up finishing it once I got home. I got stuck on something that turned out to be bad information in the course guide. The guide said to perform X step to complete Y, but it turned out that wasn’t actually possible. Someone in the OffSec Discord chat helped me out there. Once I realized I had to accomplish the goal another way I actually finished the challenge pretty quickly.
Speaking of sleep, make sure you get some. I found that I tended to stay up until around 1:00AM or 2:00AM studying or working on a challenge only to have to wake up at about 7:00AM to make sure I had time for breakfast before the training. It worked for me though. It wasn’t as much sleep as I would have liked to get but knowing myself I would have laid in bed for hours thinking about the training anyway so it was worth spending the extra time to make sure I understood the material before continuing the next day.
Course Material
I haven’t had much time to really work through the course material they gave us but so far it seems very thorough and in line with all the other OffSec courses I’ve taken. I’ll likely have more to say about it once I’m finished working through it all. The only disappointing thing I’ve run into so far was the one bit of bad information mentioned earlier. It was frustrating to have spent hours trying to figure out why I couldn’t accomplish the goal, only to discover the goal was impossible.
Exam
I don’t have much to say about the exam yet since I haven’t taken it. It turns out they are updating the exam contents and it won’t be ready until at least January 2023. I can’t take it until then even if I wanted to. It actually works out for me because I was planning to work through the course material over the next few months with the goal of being ready by the new year. So the timing should work out well. We were told that only maybe 1/3 of people who take the training attempt the exam. Also, we should take the exam within a year of the new content being released because they can’t guarantee future versions of the exam will not include new concepts as things change over time. I’m hoping to take it this January, but we’ll see how things go. I’ll post another update after taking the exam with final thoughts.