Timeline
Course Start Date: 01 August 2021
Lab Duration: 90 Days
Exam Pass Date: 28 February 2022
Digital Certificate: https://www.credly.com/badges/62b856aa-7a6d-4bb1-aa35-4799a543d160
Introduction
EXP-301, or OSED, is the last of the three 300-level courses from Offensive Security that I hadn't obtained to complete the OSCE3. At first, I was a bit hesitant to take the course, as reversing and exploiting memory corruption vulnerabilities is not something that I commonly do in my daily work. However, I felt challenged at the same time to complete the trilogy. I guess learning something new is better than not learning at all, and at that time I did not have any other interesting course or challenge to keep my mind occupied with technical problems. I started by checking the EXP-301 syllabus, which can be found here, and trying to learn about the topic from free resources such as the infamous Corelan exploit writing tutorial and other awesome blogs such as h0mbre, connormcgarr, and epi. Surprisingly, I found the topics quite interesting even though it is not something that I commonly do. I signed up for the 90-day lab, which started on 01 August 2021.
Course and Lab
The PDF course contains 13 chapters, and the videos that complement it total around 15 and a half hours. The following topics are covered in the course.
1. Windows User Mode Exploit Development: General Course Information
This chapter consists of generic information about the course, how to access the course and lab, how to access the forum and live support, as well as the information about the exam.
2. WinDbg and x86 Architecture
Because the course involves a lot of debugging at the assembly level and focuses on the x86 Windows architecture, it starts with a brief introduction to the x86 architecture, program memory (what the stack is, the types of calling conventions, function return mechanics), CPU registers, and the debugger used throughout the course, WinDbg (you might hate the tool at the beginning, but later you will fall in love with how powerful it is).
3. Exploiting Stack Overflows
Remember the classic stack overflows that you learned during the old-day OSCP? This chapter specifically runs through how to exploit stack overflows without any memory protections using WinDbg. The case study is the Sync Breeze application, which is vulnerable to a stack overflow: https://www.exploit-db.com/exploits/42928.
4. Exploiting SEH Overflows
Chapter four explains Structured Exception Handling in detail and how to exploit it for memory corruption. This chapter also uses the Sync Breeze application, which is vulnerable to an SEH overflow: https://www.exploit-db.com/exploits/43936.
5. Introduction to IDA Pro
This chapter briefs the students on the reversing tool IDA and its features, with a short demonstration of how to perform dynamic analysis using IDA Pro and WinDbg.
6. Overcoming Space Restrictions: Egghunters
What would you do when you have found a memory corruption vulnerability but only have a small space to put your shellcode? Egghunters are one of the techniques developed to overcome this situation. This chapter teaches how to create egghunter shellcode that also works on Windows 10, using Savant Web Server as the case study.
7. Creating Custom Shellcode
One of my favorite chapters. It teaches the student how to create their own shellcode for certain situations where the shellcode generated by tools such as Msfvenom is not suitable.
8. Reverse Engineering for Bugs
The hardest chapter in the course! This chapter runs through how to perform reverse engineering to discover vulnerabilities in an application, using Tivoli Storage Manager as the case study. It's a huge application with a lot of branches and functionality to reverse. This chapter teaches the students how to effectively reverse a large application to discover vulnerabilities.
9. Stack Overflows and DEP Bypass
It is an open secret that the classic stack overflow mostly won't work on modern operating systems, as vendors have implemented memory protections to prevent the execution of malicious shellcode. One of these protections is Data Execution Prevention (DEP), which marks memory regions as non-executable and so prevents the shellcode from being executed. This chapter teaches the students the foundation of bypassing such memory protection without relying on automation tools such as mona.
10. Stack Overflows and ASLR Bypass
Another memory protection is ASLR, which randomizes memory addresses to make it harder for exploit writers to build their exploits. This chapter teaches several ways to bypass this memory protection as well.
11. Format String Specifier Attack Part I
This chapter and the next one focus on a different type of vulnerability, the format string specifier bug. In this chapter, the vulnerability is leveraged to bypass ASLR by developing a read primitive to leak or read semi-arbitrary memory.
12. Format String Specifier Attack Part II
This chapter focuses on the write primitive to gain code execution.
13. Trying Harder: The Labs
This is a wrap-up chapter that introduces the challenge labs that are available through the student control panel. There are three (3) challenge labs that are used to practice all concepts and theories taught in the PDF course and videos.
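Chapters 9 and 10 above concern DEP and ASLR. On Windows a binary opts in to both through bits in the DllCharacteristics field of its PE optional header, so a defender can audit which modules lack them. The Python sketch below is an added example, not part of the course or the original post; the function names and the sample header are constructed for illustration.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits in the PE optional header
FLAGS = {
    "ASLR (DYNAMIC_BASE)": 0x0040,
    "High-entropy ASLR (HIGH_ENTROPY_VA)": 0x0020,
    "DEP (NX_COMPAT)": 0x0100,
    "CFG (GUARD_CF)": 0x4000,
}
DLLCHAR_OFFSET = 70  # DllCharacteristics offset, same for PE32 and PE32+


def pe_mitigations(data: bytes) -> dict:
    """Return {mitigation name: enabled} for a PE image given as bytes."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    opt = e_lfanew + 4 + 20  # skip "PE\0\0" and the 20-byte COFF header
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(data) < opt + DLLCHAR_OFFSET + 2:
        raise ValueError("missing PE signature or truncated header")
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B) or opt_size < DLLCHAR_OFFSET + 2:
        raise ValueError("unsupported or too-short optional header")
    (chars,) = struct.unpack_from("<H", data, opt + DLLCHAR_OFFSET)
    return {name: bool(chars & bit) for name, bit in FLAGS.items()}


def missing(data: bytes) -> list:
    """Names of the mitigations the image has not opted in to."""
    return [name for name, on in pe_mitigations(data).items() if not on]


def build_sample(dll_characteristics: int) -> bytes:
    """Constructed minimal PE32 header, just enough for the parser above."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 96, 0x0102)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<H", opt, DLLCHAR_OFFSET, dll_characteristics)
    return dos + b"PE\0\0" + coff + bytes(opt)
```

To audit a real module, pass the file's bytes, for example the result of reading the DLL or EXE in binary mode, to missing().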
I took around 2 months to run through the PDF course and videos and do the exercises and extra miles. I didn't complete all the exercises and extra miles. In the 3rd month, I started doing the challenge labs and managed to finish all three challenges before my lab time expired at the end of October 2021. I spent roughly 300 hours during the 3 months of lab, averaging 3 hours/day, to really understand the concepts being taught and to question everything that I didn't understand from the course.
As with other Offensive Security courses, the course materials are well designed and structured. They start with the very basics and then move up to more challenging practical material. They explain the WHY and not only the HOW, which is what the students need the most in my opinion.
Exam
Originally, I planned to take my exam as soon as possible after my lab ended, but I got caught up with my work as the end of the year is the peak season. I ended up neglecting the course from November onwards until February 2022 without doing anything on it. In February 2022, when the workload was not that heavy anymore, I checked the exam control panel and found that my last exam date was 27 February 2022, which was around 1-2 weeks away from the date I checked it. At first, I planned to extend the labs so I could have my exam voucher extended, since I kind of felt I didn't have enough time to prepare for the exam. However, I also felt maybe I could just YOLO the exam and see what the exam format was like, so I could prepare better for the 2nd attempt. I scheduled my exam for 27 February without many expectations, but fortunately, it turned out to be a blessing, as I managed to pass the exam on the first attempt! I found it quite surprising since I hadn't touched the course for almost 4 months and only had 1 week to refresh the course while traveling. I feel like the hours that I spent during the 3 months of lab were fruitful. I submitted my report on March 2nd and got the pass confirmation on March 4th.
Conclusion
I enjoyed the course a lot even though I rarely have the opportunity to apply it in my daily work. I think this course is most suitable for security researchers but could be good additional knowledge for security consultants as well.