Manu Carus

OSEE Review 2023

A Story about Weaknesses and Failure

In advance

Who should read this article:

  • Anyone who is planning to take the "OffSec Exploitation Expert (OSEE)" exam

  • Anyone who is capable enough of suffering and wants to grow beyond their limits

If some of the following explanations seem wildly exaggerated to you, this is certainly due to the emotions that this exam can trigger. However, one thing is certainly not exaggerated, and that is the total effort required to pass this exam.

This article is available

Long story, told in short...

The course week itself is pure fun! It's big cinema to have Morten Schenk (blomster81) and Alexandru Uifalvi (sickness) as trainers. And to develop the craziest exploits together with a bunch of like-minded (did I say crazy?) people from all over the world...

The exam preparation is tough. The course materials provided explain all the concepts in detail. Essential debugger commands and memory dumps are well documented. Nevertheless, the course material is not a silver platter: there are gaps in it which you need to fill in. It is essential that you work out the exploits yourself afterwards, retrace every single debugging step and also go the extra miles. The whole thing took me about six months while I was working: long evenings and weekends full of privation. Combined with countless situations where I got stuck, had to try things out and experiment. The reward, however, was countless aha moments...

The exam then felt like a rear-end collision. Implementing two exploits at this extremely high level in just 72 hours is really tough. I had to do it twice, and only managed to do it successfully three months later. After all, some even need more attempts...

The feeling afterwards of finally having passed is indescribable! You can't put it into words. Elation, enthusiasm, near to slight madness...

Can I recommend the course? Absolutely! But only with a teeny-tiny warning:

You have to hate yourself a little to go through this school! Honestly, every single line of source code for an exploit needs to be understood, scrutinized, recreated and mastered. This applies to C/C++, assembly, x64 shellcode, WinDbg, and especially to the crash situations that occur again and again and again. None of the exploits covered in the course are vanilla! There are countless hurdles, errors, detours, but also tricks, ideas and recipes. In order to get a reverse shell at the end, or a privilege escalation with NT AUTHORITY\SYSTEM... in order to come out of this learning process in one piece, to be able to master and apply the topics, that is immensely fulfilling and satisfying... It feels like Olympic gold! And I don't mean that arrogantly, but purely emotionally.

I have never experienced a course out there with such a wealth of ideas. No comparable course that shows and teaches so many creative solutions at this level. Morten and Alex explain all the up-to-date security mitigations that Microsoft has built into the kernel, that Intel has built into the CPUs, and at the same time, they show ideas for bypasses. At the end, participants will be able to write a fully functional exploit based on a simple vulnerability description that also runs on a current Windows installation. Awesome shit! Sorry to say so...

The "EXP-401: Advanced Windows Exploitation" course is Offensive Security's flagship. On the website, OffSec writes: "This is the hardest course we offer and it requires a significant time investment. Learners need to commit to reading case studies and reviewing the provided reading material each evening.... The OSEE is the most difficult exploit development certification you can earn."

Nothing more to say... I can sign every single word.

Offsec, Morten, Alex: Kudos! This is an incredibly well-made course, and an intelligently designed exam. The challenges are really tough and difficult to complete under the given time pressure.

One wonders whether having to fail is part of the exam...

In any case, I have great respect for everyone who is OSEE certified!

About me

Manu Carus. Nothing more to say.

The journey

Three years ago, I set off on a journey with my hacker bro Emre Bastuz. Our goal was the triple: OSCP, OSCE, OSEE. The complete pentester program with a final coronation ceremony: Black Hat in Vegas as a small reward. We wanted to get the best out of ourselves and see how far we could get in the end. Whereby the OSEE turned out to be a serious beast...

We found that Paul Jerimy's Security Certification Roadmap is particularly motivating:

The aim was to get to the top on the far right! Sniffing the tip of the spear...

I have no idea how objective this illustration is. I myself am an "Official ISC2 CISSP Training Instructor" and believe that I have a good overview of the certificate market. I would rate the CISSP between the "upper end of Intermediate" and the "lower end of Expert" in terms of difficulty. And so would I for the OSCP, with the OSCE being Expert, and OSEE going beyond.

I'm not quite sure how many nerds out there are OSEE certified. OffSec is silent about it. And a LinkedIn search only shows a few hundred hits. But one thing's for sure, though: the air up there on the right is pretty thin for OSEE, and nothing comes thereafter. In my humble opinion.

So, on we go...

In 2020, Emre and I rocked the OSCP, then cracked the OSCE in the same year.

The OSEE, on the other hand, was a completely different beast...

It was clear to us beforehand: you don't do this thing on the side. You need a carefully planned time slot in which things don't get too crazy professionally. So we did: course planned and booked.

But in the end, everything turned out differently. Pandemic. No classroom-based trainings anymore. Postponed for at least a year. COVID-19 threw a spanner in the works. That meant we had to wait...

In September 2022 the time had finally come: Emre and I traveled to London. 5 days course week. Hotel room near the Tower, great!!!

The course week

We were both really looking forward to the training. But a week before, we got the news: 4 days of training, not 5 days. Training doesn't start until Tuesday.

Queen Elizabeth has decided to say goodbye to the world. So Monday, the day of her funeral, was declared a public holiday. And all over England, especially in London, appropriate ceremonies of honor were held.

For us, this means that Monday has been canceled as a course day and the course week has shrunk from 5 days to just 4 days, from Tuesday to Friday. More input in less time. So the training will be even tougher. Well then...

We enjoyed the public holiday in London, walked to Hyde Park and attended the ceremony.

It was very impressive, respectful and solemn. Seeing the country and its people bid farewell to their Queen was a very impressive and moving moment.

Tuesday then. We had a good English breakfast, reached the course location on foot, and then went off to the classroom, full of excitement.

The first slide sets the tone. Morten and Alex get us in the mood for the course week:

  1. Day will be tight

  2. Day will be fierce

  3. Day will be wacky

  4. Day will be insane!

Something like that...

On the morning of day 1, 64-bit shellcode is run through in quick mode. No time to waste. 64-bit reverse shell in two hours. You have to be able to do it, that's all the time we need for that. Too easy. Well, OK...

Then it's time for the first exploit: VMware Workstation Guest-to-Host Escape. Understanding Windows Heap Manager, implementing heap spraying, overwriting function pointers, building ROP chains and overcoming a variety of obstacles. DEP, ASLR and ROP chains are less of a problem here, but CFG, WDEG and EAF are fiends. Morten and Alex demand the famous icing on the cake with every exploit: The reverse shell should also work well even if the VMware tools have not been installed on the guest VM. So we have to understand and recreate VMware's low-level communication between guest and host. Read Linux source code, reverse-engineer Windows binaries. Ah yes... I'm sitting in the training room with 20 other participants, listening with interest, rebuilding the exploits, and I am somehow keeping pace...

By the way, I won't reveal any secrets about the course content here, because OffSec has published the Course Syllabus for everyone.

On the second day, we will work on Edge and Chakra. Constructing type confusions, implementing read and write primitives. Bypass CFG, CET and ACG. Above all: working out-of-context and diving into the depths of Windows-internal RPC communication. COM sends its regards... The whole thing is topped off with a sandbox escape, which is required to execute shellcode at the end and set up a reverse shell. Awesome exploits! In the early afternoon (as I said, we're talking about the second day of the course here), I start to have slight doubts as to whether I'm up to the course week as a whole, but I stay focused. Motivation is everything. At the end of the module, there is the icing on the cake again: The exploit is supposed to be version-independent, i.e. it needs to run on different Edge versions... Not bad... Let's rebuild the code then...

Morten and Alex have built some extra miles into the course for the evenings. Whoever completes these tasks by the next training day can win some OffSec swags. Emre and I decide that our sleep is sacred to us (we are getting on in age!), so in the evening we prefer to go to a pub, enjoy burgers, French fries, ale, enjoy the pub atmosphere after work, in moderation, of course... To be honest, after every single training day we are really exhausted in the evening...

The third day leaves ring 3 and makes its way into the kernel. The aim is to exploit a vulnerability in a kernel driver and gain control of ring 0. Interestingly, the vulnerable driver is part of a well-known security product... Isn't that supposed to protect us rather than open up new attack surfaces? We learn kernel debugging, driver communication, token stealing, and much more. We have to deal with SMEP, paging, meltdown and other mitigations. Although I've read quite a bit about these topics beforehand, I haven't had any practice in kernel at all. DEP, ASLR, ROP, no problem. But kernel exploits? Maybe I should have cracked the HackSys Extreme Vulnerable Driver (HEVD) before the course, then I wouldn't be so lost on day 3. I take it with humor and change my strategy. Instead of trying to keep up and then getting left behind, I switch to spectator mode and start to simply enjoy my time on site: listen, concentrate, take notes, understand, and take in as much as possible. Just having a good time at the end... Oh, and in this module, there is of course the famous icing on the cake at the end again: The kernel exploit also needs to be programmed version-independently...

The fourth day, Friday, is then tough as nails. A vulnerability in the native Windows API is to be exploited. Alex explains how the operating system manages Windows objects internally. And since Microsoft has not documented this part, for good reason, it feels like half the Windows kernel has to be reverse-engineered. Completely wacky! Insane! I suddenly realize that Alex had actually developed the exploit we're working on here himself. I realize that in this course we can experience live how to write such an exploit, what limits you come up against, and what the perverted hurdles are that you encounter. Incidentally, it was no different in the days before: the exploits presented previously were written by Morten, and here too we were able to follow the entire exploit development process live, from the cradle to the grave. Fierce... These guys aren't just trainers. They are the authors of the exploits. They know exactly what they're doing...

As I said, the fourth day is really bad. But it doesn't help: "Try harder" is the motto... No matter what problems have to be overcome: In the end, the only thing that counts is the result. Privilege Escalation and a stable kernel. And that can only be achieved through persistence! I won't go into the details here. I just remember shaking my head and staring forward with my mouth open, trying to even halfway understand what's going on here... and where I am...

In the end, the exploit runs successfully. I can reproduce it on my computer. And think: awesome...

Of course, Morten and Alex don't stop here. No, the exploit has to run under Low Integrity, which means: more problems, more headaches, more despair, more persistence. And then there come the extra miles...

What I really like is that both trainers give an outlook at the end of the course. What security mitigations are Microsoft and Intel currently building into their products? What does this mean for the exploits we have just developed? How can we get around the latest security mitigations that have recently been introduced to the market (and will probably not be widely effective for a few years)? And while we are asking ourselves these questions, they are already developing the first prototypes. We are experiencing a glimpse into the future. No theory. Just practice. How can I bypass these newest mitigations in software and hardware? Now, that's what I call a course!!! I've never seen anything like it out there... You get the impression that the knowledge you gain here will put you in a damn good position for the next five to ten years! If only the world wasn't spinning too fast...

Emre and I leave enthusiastically, not without rewarding ourselves with pub food and ale again for the successful week...

We are left with the impression that none of the exploits presented this week are trivial. You have to do some real capers. Anyone who gives up here is out of place. You need real tenacity, absolute determination and persistence. In other words: If something doesn't work straight away, that has to be motivation enough to keep going all the more. Giving up is not an option, there is always a solution. The only question is: How much effort are you willing to put in? We are only happy when being NT AUTHORITY\SYSTEM :-)

The exam preparation

It took me about 6 months to prepare for the exam, while working. Sometimes I could devote whole days to it, sometimes the whole weekend, but often it was just piecemeal. I am self-employed, and the customer has priority, always...

I then worked through the course materials page by page, line by line, checking and questioning every single statement. Reverse-engineering in IDA, x64 assembler in WinDbg, source codes in C/C++, JavaScript and Python. I found it difficult to progress quickly, because as it turned out, the course materials are very good, but they are not presented on a silver platter. Rather, the materials show conceptually how the respective exploit works, but you have to work out some gaps in the text yourself if you want to run the exploits live on your test machine.

Now there are certainly people who make faster progress here than I do. I am a person who has to work through every topic myself. Reading only helps to a limited extent, I need hands-on experience, and unfortunately, I tend to make just about every mistake you can think of. So if the course text says: "hasItem() is the 22nd method of the DataView object", then you can accept that. However, if you are like me, you will write a script that tries to confirm this statement. Those additional steps take time; working like this slows things down. But in the end, I know exactly why things are the way they are.

In my opinion, it is also absolutely mandatory to work through the extra miles listed in the course text. Some are very helpful for the exam preparation, others are so insane that you gratefully read over them... Some extra miles only took me a few hours, another one I chewed on for 5 days. It's a mystery to me how people can crack these extra miles within the 5-day course week in the evenings, virtually at night after the course day, and then pocket the OffSec swags. For me: not feasible...

Incidentally, the slides and the course materials complement each other very well. When working through the course materials afterwards, it has proved useful to consult the slides again, as well as my own notes that I made during the course week. The slides contain statements that were conveyed on the audio track in the course but cannot be found in the course materials. The latter are quite deep dive, while the slides repeatedly lead into helicopter mode: What is the goal? What hurdles do we have to overcome? How do we get there?

In the end, I worked through it a total of three times!

The first time to understand and reproduce the vulnerabilities, exploits and step-by-step procedures. A second time flying low to scrutinize every statement and write the code myself. A third time, flying high, to get an overview of the procedure, to get a big picture and to note down strategies for security bypasses. For example: How do I bypass CFG? ACG? SMEP? WDEG? EAF? What are the restrictions at low integrity level? And what solution do I have for this?

In the end, I ended up with 1,800 pages of notes and listings!

I think that expresses the effort for the preparation quite well... As I said, the course materials themselves that are handed out have about 650 printed pages...

The exam

The exam is brutal.

The task: Here you have two vulnerabilities (CVE-....-...). Here you have two vulnerable machines. Write fully functional exploits, bypassing all the security mitigations that a modern Windows operating system has to offer against you.

72 hours time, sleeping and eating included...

The problem here is multidimensional. Time, knowledge, psychology.

It is not easy in terms of time to reproduce just two of the exploits covered in the course in these 72 hours. No, OffSec has high expectations of its exam participants. Repeating something familiar that has been chewed over before is not enough for certification. The exam participant should be introduced to new situations, be confronted with new problems, and have to work through the unknown and work out their own solutions step by step under time pressure.

This means that the knowledge taught in the course is not sufficient for the exam. What is also needed is the ability to think your way into new problems, develop creative solutions and work them out, however complex they may be, under the given time pressure.

When I had read the two assignments for the first time, I thought: Wow... I'm damn well prepared, but... Wow... That is a challenge.

OK, the first task is tough. So is the second one, but somehow I felt more comfortable with the second one, even if it's generally harder to solve, I guess. So I went for number 2 first. A fully functional exploit then took me a whole two days and nights. I slept normally (well, more like 6 hours than 7), took regular breaks (lunch and dinner 45 minutes each, a short coffee break and a bit of fresh air in between), but actually I worked quite hard and felt like I was working non-stop. From 8 am to 2 am, and then again from 8 am to 2 am.

I then tackled the first task on the third day. After some initial comprehension difficulties, I got quite far. But it was really hard. With both tasks, you always have the feeling that you're constantly driving into the wall: Problem. Thinking. How can I solve the problem? Trying to implement a solution. Next problem. Next thinking. This goes on all the time. You constantly have the feeling that there are 30 hurdles or more ahead of you, and every hurdle has to be overcome somehow. I constantly had the feeling that, yes, what I'd learned on the course would help me, but only to tackle the exam in the first place. And then, with the first exam hour, the whole thing really starts! The exam builds on all of this. OffSec requires you to go above and beyond.

In the end, I ran out of time. I had almost solved the first task as far as the minimum score required, but only almost, and then the VPN connection was taken down...

The entire exam felt like an accident. Constantly driving into the wall, downshifting, driving around obstacles, only to drive into the next wall again. Self-doubt: Will I manage it in the remaining time? My God, I know what to do, but that's a hefty lift! Really now? Every little bit of progress spurs me on, motivates me to keep going, but only to tackle the next problem, which then takes another few hours. In the end, I believe that every task is designed in such a way that there is only one solution. The corset for the right solution is knitted in such a way that it feels like you are moving in a very narrow corridor, and in the end you have to use a whole dozen techniques to reach your goal. There are probably several possible solutions, but for me it somehow tasted different...

I then wrote the report and sent it off. I thought I was really close to the finish line, and I was only missing a tiny small bit. But I was wrong. OffSec is merciless: "Dear Manu, we are sorry to inform you that you failed to pass the exam..." No wonder, the OSEE certificate is the most difficult challenge that OffSec sets for its exam participants. So I can't hope for bonus points, pity or any other help from the universe. Only one thing counts: Can you do it? Or can you not? If not, are you prepared to put more into it?

It doesn't help.


Two months later, second attempt.

I use the time in between to prepare myself, go through all the exploits again, write my codes once more. This time I give myself a break for a week and don't work on the topic at all in the meantime.

I approach it accordingly. The email comes in, I connect to the VPN and go at it again.

More self-confident this time.

I'm rocking it somehow. Even if it takes me an awfully long time again: Tuesday 8 am to 2 am. Wednesday 8 am to 2 am. Thursday 8 am to 6 am. Yes, it's only two hours before the end of the exam that I feel like I've done it. The tasks are simply brutal. At 5:30 a.m., I watch from my desk as the newspaper boy drops the paper in our letterbox. I quickly check whether I've saved all the screenshots and listings I need for the report. I finish the exam, have a good morning coffee, try to take a look at the newspaper, but I'm totally empty and exhausted and can't concentrate on anything.

Off to bed, sleep until noon.

Next, it's time to write the report. I have 450 pages of notes and listings and have to document the material in a comprehensible way. I finish at around 11 pm. Check the file names, upload, and hope for the best.

After four working days, I receive an e-mail from OffSec in the early evening with the subject "Advanced Windows Exploitation - OSEE Certification Challenge Results - OS-xxxxx".

I don't even dare to open the mail. Last time it was really hard to read that I failed. I pull myself together. Open the e-mail. And read: "Dear Manu, we are happy to inform you..." I don't get any further...

Dance wildly through the house! The feeling that overcomes you is indescribable!

What a ride. What a hard pace. And I was in there? I can hardly believe it...

At the end

I wrote this article under the title "A Story about Weaknesses and Failure".

Of course, the AWE is all about vulnerabilities, about CVEs in VMware, Edge, kernel drivers and Native Windows. And of course an exploit does not work with the first proof-of-concept, thanks to CFG, ACG, WDEG, SMEP, EAF, and other mitigations.

But for me, personally, the course, the exam preparation and the exam were above all about learning and overcoming my own weaknesses. A halting progress, stepping from failure to failure...

Professionally, I am an "Official ISC2 CISSP Training Instructor" and bring many people to their CISSP exam. It doesn't always work at the first attempt. Some participants fail the exam. After months of preparation. And often the result is only a small bit away from success.

I would like to encourage all these students in particular. Firstly, even so-called "experts" cannot do everything in a second on demand. And secondly, when it comes to achieving a goal, doubting and giving up is not an option. Get up, shake it off, keep going. Effort is rewarded. Always!

As a consultant, I work in cyber threat hunting and Information Security Management Systems (ISMS), in line with CISSP and ISO/IEC 27001, so I'm not too involved in Windows exploiting on a daily basis. Accordingly, I had to plan for long set-up times for the OSEE. Yes, I learned software development under C/C++ from the ground up, JavaScript and Python don't even challenge me. But the pointer techniques and type conversions required for the exam have cost me time. As well as thinking into new challenges I hadn't faced before. For someone like me, who aspires to be able to write every exploit covered in the course material from scratch, the entire exam preparation was one big stumbling block: coding step-by-step, debugging, eliminating errors. Rethink, go different ways, code again, continue until the goal is reached.

A lot of effort...

The depth that has to be achieved here is incredible...

I mean, who debugs "ntoskrnl.exe" and analyzes what Microsoft has silently implemented inside? The whole thing without documentation? There's nothing to find in Microsoft Docs. Microsoft has no interest in publicly documenting the internals which are discussed in this course. Rather, they obfuscate and conceal as much as they can... For good reasons...

The whole course, including the exam, ends up being an absolutely amazing experience.

I have never learned so much in these months. Yes, the training is expensive, but worth every penny.

For me, it was a personal life goal to achieve the triple: OSCP, OSCE and OSEE. To get the maximum out of myself. To see how far I can go. To leave my comfort zone. To grow out of myself.

And that was an amazing experience!

Looking back now and realizing: Really now? You have written this blatant code by yourself?

I wouldn't have dared to say that a year ago. Reading a vulnerability that has been published by Google's Project Zero and building a fully functional exploit from it? That's a thing.

In any case, there don't seem to be too many people of this caliber on the light side of the moon... And that's something to be proud of!

In my opinion, there is one quality that is extremely important for mastering the exam. And that is: real tenacity! The unconditional will to somehow do it, come what may. If you let yourself be boxed in and throw in the towel, you've come to the wrong place.

However, if you are prepared to accept mistakes and frustration in order to grow, you are in for an incredible boost of energy and happiness.

I say: Thanks, OffSec, for the setup. You really don't make it easy!

Kudos to Morten and Alex, this exam is really smart, damn it....

Thank you Emre for taking this journey together! We are so similar in many areas, and you move through life with such incredible ease!

Thanks above all to Nina, my wife, who has supported me for a long time. And thanks also to my colleague Gabi, who always believed in me.

Vegas, here we come!
