“The OSEE is the most difficult exploit development certification you can earn.” (OffSec). To attempt the 72-hour exam you must have physically attended the demanding EXP-401: Advanced Windows Exploitation (AWE) course, which has limited seats available. At the time of writing it is estimated that there are only around 100 OSEEs in the world, even though the course has been taught since 2011.
In this blog post I discuss the AWE course and OSEE certification. It contains my endeavors as well as tips for researchers who are contemplating starting this journey.
First, I describe my preparations towards even enrolling into AWE. Then the registration, the study before taking AWE and the course itself. Finally, the preparations for the exam using the materials provided and the exam itself.
“We are going to continue from here as easy as possible” - Morten
During my “pentesting time” back in 2019 I realized that I wanted to know why and how the exploits I used actually work. I had heard about AWE/OSEE in the official OffSec Discord: how hard it is to get in, to follow, to study and to take the exam. It’s the toughest of information security certifications. I had to make it my goal. I slowly shifted my focus towards (malware) reverse engineering, vulnerability research and exploit development. I started with Linux x86 stack exploitation for the concepts, moved towards Windows XP/7 x86 stack exploitation, took Stephen Sims' (@Steph3nSims) and Jaime Geiger’s (@jgeigerm) SANS SEC760: Advanced Exploit Development for Penetration Testers class and took Peter van Eeckhoutte’s (@corelanc0d3r) Corelan “ADVANCED” course for Windows heap exploitation. This gave me enough confidence to try to enroll in the AWE classes.
AWE is known for being sold out at BlackHat USA within minutes. So, people resort to writing scripts that poll the training pages to see if they are up, and if so, notify them immediately. I was extremely lucky to obtain a seat for the AWE classes in 2022 as only a handful of seats were left. The others were taken by the 2020 and 2021 students that still had vouchers because of the COVID pandemic and some reserved seats for OSCE3 holders (Richard Osgood, blog).
In 2023 AWE is unfortunately not taught at BlackHat USA, and at the time of writing it is unclear what the training options for AWE will be. For me, part of the AWE/OSEE experience was trying to enroll. And just to add my two cents, I don’t think enrolling will get easier, as they want to keep it in-person, demand is very high and only a few OffSec staff are able to teach AWE.
Pre AWE study
There is not a ton of information out there apart from some course reviews and the information OffSec has made available.
OffSec states that:
Students should be experienced in developing windows exploits and understand how to operate a debugger. Familiarity with WinDBG, x86_64 assembly, IDA Pro and basic C/C++ programming is highly recommended. A willingness to work and put in real effort will greatly help students succeed in this security training course.
which can act as a starting point, but doesn’t give much guidance on what exactly to prepare for. For that you can refer to the course syllabus that they also made available. My advice would be to go through this syllabus and read materials on these topics. You’ll probably end up finding the blog of Connor McGarr, a fellow student who has blogged about his preparations for AWE/OSEE since 2019. Whilst preparing I highly recommend using IDA (Free) and WinDbg for static/dynamic analysis, as these are the tools used during class.
AWE @ BlackHat USA 2022
I took AWE at BlackHat USA 2022 back when OffSec was still called Offensive Security. A wonderful experience, as you get to meet your fellow students, whom you’ll likely need when studying the materials. It was interesting to see people I knew from talks and blog posts: John Hammond (@_JohnHammond), known from his YouTube channel; Eugene Lim (@spaceraccoonsec), known from his work on bug bounties, talks and blog; and Connor McGarr (@33y0re), known from his talks and his blog, which contains a lot of information on modern exploit development.
During class you’re given a 650 page binder which you must protect with your life as it is the only copy you have (no digital copies). A USB is passed around containing the VMs you’ll need for doing the exercises. And at the end of the course the slide deck as well as issued commands are distributed.
The course was taught by the sensei Alexandru Uifalvi (@_sickn3ss_) and Morten Schenk (@Blomster81), who wrote all the exploits discussed in the course. There was also support from Martin Mielke (@xct_de), who is just as highly skilled.
“Exploit Development is not an exact science. It is trial and error.” - Morten
It is true what they say about the course. It is difficult, you’ll have moments where you feel lost. Take the opportunity to ask the instructors or other skillful students. Each evening, go through the materials for the next day and try to identify questions you already have. Try to take some rest and enjoy Vegas!
At the end of each day tasks are given that can earn you OffSec swag, ultimately being able to earn the uniquely numbered “Try Harder” coin on the last night. I took the challenge and was one of the few awarded the coin. It took me all night, got no sleep which I definitely felt the last day. But it was so worth it!
“Back home from an AWEsome #DEFCON30 and #BHUSA2022. Thanks @Blomster81 and @_sickn3ss_ from @offsectraining for the mind boggling days and sleepless nights (worth it taking the coin home). This heavy binder will be the stepping stone towards #OSEE and the uncensored samurai! pic.twitter.com/x6rk21lO22” - Gerr.re (@gerr_re), August 16, 2022
After a small break I decided to go through the binder, going over each topic, understanding each page and doing every exercise and extra mile. I tried to write the proof-of-concepts from scratch instead of using the provided ones, which helped me identify my weaknesses early on. Also, by doing this I found out that some of my solutions were different from the materials, but made more sense to me.
This is also the time to ask for the “EXP-401 Student” role in the OffSec Discord to get access to the #exp-401-exercise channel that has all members that are studying the materials or have already certified themselves as OSEE.
I found that doing the extra miles taught me how to independently do research and apply the concepts I have been taught. You will get stuck at some point, but you will also get stuck during your exam. Try your best to figure it out yourself, but ask for guidance if needed (obviously not during the exam).
During class, the samurai from the slide deck got undressed more and more, up to the point where he was completely naked - but censored - during the last module. As the final extra mile you have to develop a 1-day from scratch and students that were able to complete it were awarded the uncensored samurai.
“For the last extra mile, the award is the uncensored samurai.” - Sickness
I claimed my copy of the uncensored samurai at the end of April 2023 only to find out I missed the deadline by about 7 months 😂. It turned out the deal was within 30 days of the class. Very unfortunate, but I don’t regret doing this extra mile as it taught me a lot!
Scheduling the exam
Before attempting the exam, I made sure to read the OSEE Exam Guide thoroughly. Failing to adhere to the rules in the guide may result in an unnecessary fail for the certification attempt.
During class, we were told that the OSEE exam was being updated and would not be released before January 2023. In December we were notified that due to some unforeseen circumstances this would be delayed to sometime in Q1 2023. At the beginning of April they announced that we were able to schedule the updated OSEE exam. I immediately reserved my spot as I had already reached the end of my study. Unfortunately, there was some confusion about when we could schedule the exam due to the lack of communication from OffSec’s side. This still applies to the plans for teaching AWE in 2023. I think they can do a better job communicating, as AWE/OSEE is an investment in time & money for students and it takes some planning to do.
The updated OSEE Exam Guide and accompanying Exam Report template hint that there are only two problems to solve, each having a partial solution (25pts) and a full solution (50pts). 75pts and a detailed report are needed to pass the exam. You’ll have 72 hours of exam lab time and another 24 hours to finish your documentation. I say “finish” because you’ll have to document during the lab time as well, because you cannot take screenshots in your last 24 hours of documenting.
From the template you could derive that one challenge is a browser vulnerability and sandbox escape, and the other challenge is a kernel elevation of privilege vulnerability. But that might not be the case during the exam.
For me, the exam was a real feat of endurance. But in the end I managed to obtain both proof.txt files from the targets, possibly passing the OSEE exam with 100pts (they don’t tell you how many points you earned, only pass/fail).
I feel that OSEE gave me the confidence to work on these real world topics myself. It is now up to me to continue this journey. Let’s see where it takes me…
Special thanks to the sensei Alexandru Uifalvi (@_sickn3ss_), Morten Schenk (@Blomster81) and Martin Mielke (@xct_de) for teaching me this craft and my fellow students Connor McGarr (@33y0re), Richard Osgood (@rickoooooo), Victor Khoury (Vixx) and all other #exp-401-exercise members for the discussions on the materials.
“If you think this was it: you can dive deeper in the hatred of humanity…” - Sickness