This repository contains all training and tutorials completed in preparation for the Offensive Security Exploitation Expert (OSEE) in conjunction with the Advanced Windows Exploitation (AWE / EXP-401) course.
I want to emphasize that this was a journey that happened over the course of years. When I set my sights on OSEE, my goal was never to have the certification but rather to become an Exploit Developer. That said, what follows is a culmination of material I found relevant to the OSEE specifically.
This is not mentioned to deter you, but rather to reinforce direction. Should you stray from this path (e.g. studying ARM32 or ARM64), you may find that it takes you longer to obtain this certification. I cannot emphasize enough: focus on x86 and x64 only (if possible) while embarking on this journey.
I do use affiliate links! So, if you purchase a book, please use them!
The following tables contain notes, courses, challenges, and tutorials taken in preparation for the AWE, meaning this knowledge was gained before starting AWE.
Although not exclusive to AWE, exploit developers often use the C programming language when writing kernel exploits. It's imperative that you know how to program in C and understand types; otherwise you will find reverse engineering extremely difficult.
Even if you are the best Golang/Rust developer in the world, I promise you that you will NEVER get the control that C gives you. You are working at a low level; if you're going to use a high-level language, it had better be C/C++.
All books shown below were read from cover to cover, and all exercises were completed.
Order | Type | Name | Links |
---|---|---|---|
0x00 | Book | C The Absolute Beginners Guide | Amazon Purchase Link |
0x01 | Book | The C Programming Language | Amazon Purchase Link |
0x02 | Book | Effective C | Amazon Purchase Link |
0x03 | Open Source Training | Learn C++ | LEARN C++ Online |
0x04 | Open Source Training | Windows Kernel Programming (Programming LoL) | My Notes |
0x05 | Training | Windows Malware Techniques | WINMAL Course (CodeMachine) |
You will not be reverse engineering as much as you think throughout the AWE; this is not to say there is no reverse engineering. However, if you only focus on exploitation you will be severely limiting yourself. Without a basic understanding of reverse engineering, the information will be significantly more difficult to digest. Always chase the knowledge these courses contain, and the certification will come.
Some quick notes on these recommendations:
- Modern Binary Exploitation (MBE): I took this course BEFORE RET2 Systems released WarGames. If you plan to pursue WarGames, go ahead and skip MBE.
- RET2 Systems: The Fundamentals of Browser Exploitation: Ultimately, I did find this course incredibly beneficial even outside of browsers. However, I would argue this course is more advanced than AWE in terms of subject matter, so it's at your discretion whether you should pursue it. Due to my AWE start date I only got about 70% through the course.
- Corelan Heap Exploitation MasterClass: If you fear the Windows heap, look no further. To be fully transparent, I had not completed all the challenges at the time I finished the course. However, shortly after completing it I did discover multiple 0days in Broadcom products.
- The Ghidra Book: I only read up to page 256 of this book, in conjunction with WarGames. This book WAS NOT read from cover to cover.
- Evasion Techniques and Breaching Defenses (PEN-300): Although I never attempted the OSEP exam, I cannot deny that the way Offsec covers navigating the Windows API is excellent. If you can learn how to write programs using the Windows API without this course, you can easily skip PEN-300. Keep in mind that when I say "programs" I mean process injection, memory management, etc.
With that, shown below is the table containing all subject matter that assisted me in gaining this knowledge.
The following table contains notes, courses, challenges, and tutorials taken in preparation for the OSEE, meaning this knowledge was gained after starting AWE.
Some of these will have "todo links", meaning that I have not uploaded the research yet... but rest assured I will!
Order | Type | Name | Links |
---|---|---|---|
0x00 | Open Source Training | Ezekiel's Wheel (Hell's Gate Analysis) | My Analysis |
0x01 | Open Source Training | Reverse engineering the _SECURITY_DESCRIPTOR | My Analysis (TODO), Kernel ACE Edit Shellcode (Sickle Module) |
0x02 | Open Source Training | Leverage knowledge from RET2 to exploit CVE-2018-0617 | My Analysis (TODO) |
0x03 | Open Source Training | Writing shellcode with Sickle | Tutorial (TODO), Sickle Project |
0x04 | AWE | Study and understand JOP Gadgets | N/A |
0x05 | AWE | Create functions to leverage exploit primitives | N/A |
0x06 | AWE | Create high-level diagrams for each exploit within course | N/A |
0x07 | AWE | Complete as many extra-miles as possible before exam | N/A |
0x08 | AWE | Create a stable exploit for each section | N/A |
0x09 | AWE | Create a cheatsheet for all WinDbg commands | N/A |
0x0A | AWE | Create a cheatsheet for Ghidra | N/A |
0x0B | AWE | Create a cheatsheet for Sickle | N/A |
0x0C | AWE | Create a cheatsheet for Metasploit | N/A |
The AWE course uses a multitude of tools including IDA and from my understanding IDA Pro IS ALLOWED on the exam. However, I chose to use Ghidra instead... my reasoning for this can be summarized in three letters: N - S - A.
Aside from my choice of decompiler/disassembler I used the following tooling for the course and exam:
- Ghidra: Throughout the entire course I used Ghidra v11.1.2; I went with this version from beginning to end. Upon completion of OSEE I upgraded to the latest version. To avoid any problems, my recommendation is to use whatever version you install until you pass OSEE.
- Sickle: Shameless plug: I did use my framework on the exam. Although you can do without it, I heavily recommend it. I plan on creating a tutorial on how I used it on the exam (without revealing any spoilers), but for now you can also check out my Black Hat Arsenal talk where I demo some use cases. The exact version used on the exam was v4.0.0-Beta.
- Samba: When performing debugging locally I used a local share for file transfers. This method WAS NOT used on the exam virtual machines since you will likely be reverting the remote machines... which would require re-authentication.
- xfreerdp: I did use this on the exam to "recreate" a share environment like the one used locally. The command used can be seen below (the angle-bracket values are placeholders for your own credentials and working directory).

  ```shell
  xfreerdp /u:<username> /p:<password> /v:1.2.3.4 /size:1980x920 /drive:share,/<path to working directory>
  ```
- apache2: I'm not sure why, but there were times my exploits did not fully function when using a Python web server, so I instead opted for apache2.
- Metasploit Framework: For the sake of simplicity, I decided to use meterpreter as my implant, however any C2 framework should work!
- Visual Studio: Anything I needed to compile, I compiled with Visual Studio, but ultimately you can use any compiler you are comfortable with.
- WinDbg: Notice how I did not say WinDbg Preview. I chose to use WinDbg Preview only when necessary (e.g. for time travel debugging), due to random bugs I would encounter; I found the WDK version to be a lot more stable.
- Python: For any userland exploitation I stuck with python3 unless the objective in a real-life scenario warranted the use of C. For example, any remote exploit is normally run on your machine, NOT the target machine. What runs on the target is the payload itself / the exploitation buffer.
- C/C++: This was the language I used for local kernel exploits and anything intended to run on the target machine. I also stuck to "Windows" syntax. For example, instead of using an unsigned long type I would use a DWORD type.
- rp++: This was the tool I used for ROP gadget hunting.
Below are some references used throughout my journey. Please keep in mind that I try to include resources in each blog post as well. I, like many others, stand on the shoulders of giants.
I also wanted to thank God, my Lord and Savior Jesus Christ; I feel incredibly blessed to be where I am today.
https://codemachine.com/index.html
https://codemachine.com/trainings/winmal.html
https://connormcgarr.github.io/pte-overwrites/
https://connormcgarr.github.io/swimming-in-the-kernel-pool-part-1/
https://fluidattacks.com/blog/hevd-smep-bypass/
https://github.com/LordNoteworthy/windows-internals/blob/master/IRP%20Major%20Functions%20List.md
https://github.com/NationalSecurityAgency/ghidra
https://github.com/sam-b/windows_kernel_address_leaks/tree/3810bec445c0afaa4e23338241ba0359aea398d1
https://h0mbre.github.io/HEVD_Stackoverflow_SMEP_Bypass_64bit/#
https://idafchev.github.io/research/2023/06/30/Vulnerable_Driver_Part2.html
https://kristal-g.github.io/2021/02/07/HEVD_StackOverflowGS_Windows_10_RS5_x64.html
https://kristal-g.github.io/2021/02/20/HEVD_Type_Confusion_Windows_10_RS5_x64.html
https://learn.microsoft.com/en-us/windows-hardware/drivers/kernel/paged_code
https://m0uk4.gitbook.io/notebooks/mouka/windowsinternal/find-kernel-module-address-todo
https://media.blackhat.com/bh-dc-11/Mandt/BlackHat_DC_2011_Mandt_kernelpool-wp.pdf
https://microsoft.public.windbg.narkive.com/MamhR9YH/win7-and-kpcr
https://vulndev.io/2022/07/14/windows-kernel-exploitation-hevd-x64-use-after-free/
https://wafzsucks.medium.com/how-a-simple-k-typeconfusion-took-me-3-months-long-to-create-a-exploit-f643c94d445f
https://web.archive.org/web/20230602115237/https://www.alex-ionescu.com/kernel-heap-spraying-like-its-2015-swimming-in-the-big-kids-pool/
https://wumb0.in/finding-the-base-of-the-windows-kernel.html
https://www.corelan-training.com/
https://www.corelan.be/
https://www.coresecurity.com/sites/default/files/2020-06/Windows%20SMEP%20bypass%20U%20equals%20S_0.pdf
https://www.kn0sky.com/?p=194
https://www.offsec.com/courses/exp-401/
https://www.python.org/
https://www.sstic.org/media/SSTIC2020/SSTIC-actes/pool_overflow_exploitation_since_windows_10_19h1/SSTIC2020-Article-pool_overflow_exploitation_since_windows_10_19h1-bayet_fariello.pdf
https://www.vergiliusproject.com/
https://www.welivesecurity.com/2017/03/27/configure-windbg-kernel-debugging/
https://youtu.be/Ca3dAXDdoz8?si=oN_DsgyLz-Z4fVYL
https://youtu.be/FKcX-6jReAc?si=C9ww_wBdCA0vlSe3