
Introduction

The Offensive Security Exploit Developer (OSED) course, also known as EXP-301, is a course offered by Offensive Security that teaches learners the basics of exploit development on x86 Windows. As of January 2nd, 2024 I was notified that I passed the exam portion of this certification; a great way to start the new year! In this post I’ll be detailing what this course is, who this course is for, and sharing some tips and tricks that will hopefully help you pass or, for those that haven’t started, make a more informed decision on whether you want to try this course or not.

Understanding the OSED Course

The OSED course teaches learners how to exploit user-space programs on x86 (32-bit) Windows. This is worth noting since almost all modern systems run x86_64 (64-bit). The distinction matters in some cases and is probably a place for improvement in the OSED course; however, since we’re strictly learning the basics of exploitation in this course it doesn’t make too much of a difference. These skills can pretty easily be ported over to 64-bit exploitation with a bit of work.

The OSED course is broken up into several chapters, each, for the most part, building upon the previous set of chapters. The full syllabus can be found here, but the top-level items that are covered are:

- WinDbg tutorial
- Stack buffer overflows
- Exploiting SEH overflows
- Intro to IDA Pro
- Overcoming exploit space restrictions with Egghunters
- x86_32 Shellcode from scratch
- Reverse-engineering bugs
- Stack overflows and DEP/ASLR bypass
- Format string specifier attacks
- Custom ROP chains and ROP payload decoders

Along with each of these topics there are associated challenges called “extra miles”. These challenges come at the end of each chapter and serve to provide a challenge related to the content you just learned, but without help along the way. Doing this really helps solidify concepts and I highly suggest doing as many as you can.

Additionally, the final chapter is a set of 3 challenges where you’re meant to use the skills and techniques shown throughout the course to exploit medium-large sized programs where you don’t necessarily know which protections or bypass techniques you’ll need. This is important as it’s really the only time where you’re doing challenges without knowing what to expect or look for as it relates to the vulnerability or exploit. That makes it all the more practical.

The course comes accompanied with a 600+ page PDF and associated videos that go over the same material (it’s certainly a large download). Additionally, within the offsec portal, you can go through the material in a somewhat nicer format within your browser. This is the same place where you turn the lab machines on and off. This was my preferred method for going over the course material.

Preparation Strategy

Note: this explains some of how I prepared. I came in with background knowledge in exploitation already, so I don’t expect or suggest everyone follow my exact path.

The way I preferred to prepare was by going through the reading material within the offsec portal. I found it made the material much more digestible since it was broken into individual pages; it provided a sense of incremental progress that I think the large PDF somewhat lacks. I would occasionally listen to the videos for a particular section if I wanted to just listen to content rather than read, but other than that I never really used the videos. That’s not to say the videos aren’t useful, but everyone learns differently, so make sure you find what is the most fruitful for you.

My study routine wasn’t very rigorous. I was still working full time, doing contract work, and making sure to make time to hang out with my girlfriend. What that ended up meaning was that my OSED time was mostly late at night for an hour or two. Obviously the weekends were easier and the nights varied, but that’s my best estimate as I didn’t really keep a log. What I can say is that I definitely knocked out a lot in the beginning, but slowed down as the course progressed.

I completed all of the extra miles in the sections that I did, but I never actually completed any of the format strings content during my studies, those being the final 2 chapters. Additionally, I didn’t attempt any of the final 3 challenges in the course. This wasn’t really for lack of trying, but rather just being tied up with other commitments and not having the free time after work to finish the last bit of the course. At that point the course had already taught me a lot though, so I felt confident enough to take the exam.

To reiterate, I am by no means suggesting that folks should skip the final challenges or not watch the videos. This process will look different for each individual, and more learning will never hurt. I can admit going into the exam I did wonder if that would come back to bite me, but luckily it didn’t.

Below I’ll outline some general strategies I took on the content I did complete.

Taking Notes

When going through the chapters the most important piece of advice is to be sure you fully understand each piece. It can feel easy to try and speed through the course and maybe at some places go “ah, I know how to do that, I’ll remember it.”, but building up that muscle memory is definitely useful. This is especially apparent with WinDbg, as there are lots of commands and ways to use it which can save you time. For some folks, just reading and understanding is enough, but I always preferred to take good notes and manually type out any example code or commands as this really helped to make concepts stick.

As it relates to notes, be sure you’re taking them. The amount and depth will vary per person and also per topic, but the worst thing you can do is not take notes at all. I took all my notes using vim. I’m a big fan of people using the tools and techniques that work for them and not always worrying about how to maximize efficiency. vim is comfortable for me to write and navigate, so I went with it. YMMV, but you should use whatever note taking method feels the most natural.

In addition to taking notes for the learning material, make sure that when you solve the extra miles (and you should try to solve most of them) you do writeups over the pitfalls and successes of each. Include how you finally got the msfvenom shellcode to run properly, why you couldn’t spot that bad character that broke your exploit for hours, or a reminder to yourself that functions can be found in the EAT even if they’re not used directly (obviously none of these happened to me).

Community

There are a great number of community resources for learning the OSED. I won’t pretend I used them to their full capability, but there’s a vibrant Discord community where folks are asking and answering questions daily. Definitely be sure to get plugged in there and meet folks. There you can find other community-built tools and resources that you can use to assist during or once you finish the OSED content.

Tooling

There are a number of tools you’ll encounter in the course. One major tool I chose to use throughout the course was pwntools. It’s a great library for doing binary exploitation, though admittedly not as robust for Windows. I mostly used it as a familiar interface for connecting, packing data, assembling shellcode, and finding ROP gadgets. Some folks have had miscellaneous issues with it in the past and the API is always changing, so yet again, YMMV.
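As an added example (not the author’s exam scripts and not pwntools’ own code), here is a dependency-free Python version of two things this post calls out: packing 32-bit little-endian values the way pwntools’ p32/u32 do, and the bad-character check from the note-taking section, done as a loop that re-sends a probe with each newly found bad byte excluded until the probe survives intact. The `send_and_dump` callback and `simulate_target` are assumptions constructed for the example; in the course the “dump” side is the buffer you inspect in WinDbg after sending the probe.

```python
import struct

# Dependency-free stand-ins for the pwntools helpers mentioned in the post:
# x86 (32-bit) addresses and stack values are 4 bytes, little-endian.
def p32(value: int) -> bytes:
    """Pack an integer as 4 little-endian bytes (what pwntools' p32 does on x86)."""
    return struct.pack("<I", value & 0xFFFFFFFF)

def u32(data: bytes) -> int:
    """Unpack 4 little-endian bytes into an integer (pwntools' u32)."""
    return struct.unpack("<I", bytes(data[:4]))[0]

def all_chars(exclude: bytes = b"\x00") -> bytes:
    """Probe sequence 0x00..0xff minus the bytes already known to be bad."""
    return bytes(b for b in range(256) if b not in exclude)

def first_mismatch(sent: bytes, observed: bytes):
    """Offset and byte of the first position where the observed bytes differ
    from (or fall short of) what was sent; None if the probe survived intact.
    Only the first mismatch is trustworthy: once one byte is dropped or
    rewritten everything after it shifts, so the check is repeated with that
    byte excluded rather than trusting later differences in the same dump."""
    for i, b in enumerate(sent):
        if i >= len(observed) or observed[i] != b:
            return i, b
    return None

def identify_bad_chars(send_and_dump, known_bad: bytes = b"\x00", max_rounds: int = 32) -> bytes:
    """Repeat probe -> dump -> first mismatch until a probe comes back clean.
    send_and_dump(probe) is a hypothetical callback (an assumption of this
    example): it delivers the probe and returns the bytes found afterwards
    at the buffer under inspection."""
    bad = bytes(known_bad)
    for _ in range(max_rounds):
        probe = all_chars(bad)
        hit = first_mismatch(probe, send_and_dump(probe))
        if hit is None:
            return bad
        bad += bytes([hit[1]])
    raise RuntimeError("probe never came back clean; check the dump offset/length")

# Constructed stand-in for "send it, then dump the buffer in WinDbg": a
# line-based reader that stops at 0x0a and a filter that rewrites 0x0d as a
# space. Two classic bad characters, found one per round by the loop above.
def simulate_target(data: bytes) -> bytes:
    data = data.split(b"\x0a", 1)[0]
    return data.replace(b"\x0d", b"\x20")

if __name__ == "__main__":
    print("bad chars:", identify_bad_chars(simulate_target).hex(" "))
    # A few 32-bit values packed back to back, the way pwntools' flat()/p32 would.
    chain = b"".join(p32(v) for v in (0x41414141, 0x42424242))
    print(chain, hex(u32(chain[4:])))
```

Two details worth noting: the loop adds exactly one byte per round because after the first mangled byte the rest of the dump is unreliable, and `max_rounds` guards against a dump taken from the wrong address, which would otherwise mark every byte as bad.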

Another great tool that is used throughout the course is mona, a Python script that can be loaded into WinDbg with .load mona. It has a number of useful functions that you can find on its GitHub page and that are also detailed within the course.

I came to understand later in the course that several folks had written scripts to help with menial WinDbg tasks; however, I’m stubborn, so for whatever reason I prefer most things to just be vanilla when I use them. I find this often helps me really understand topics intuitively and also keeps me from being too reliant on tooling. Perhaps if I had better understood the topics or written scripts myself I would have been more inclined, but you get burned by one too many scripts and it haunts you.

I would encourage those that are curious about tooling to check the Discord because there seems to be a lot of great content there.

Exam Day

My exam was scheduled for Dec. 17th, 2023 at 5pm. Yes, I got a night exam because it was the earliest one I could find, lol. As a reminder, the exam lasts ~48hrs, so I had access to the exam environment until Dec. 19th at 5PM. After that time period ended a new 24hr clock started and this was the time I had to submit the report.

The first 24

Starting the exam I felt great. I had loaded up on snacks and energy drinks and I was ready to go all night if I had to; little did I know I actually was going to. I connected to the exam and started on challenge one. Obviously I can’t share details about what it was, but suffice it to say I was confident in the first few minutes that I would be able to solve it. What I wasn’t prepared for was the twists and turns that the challenge led me down. I worked on the challenge all night. The next morning rolled around quickly and I had to leave for a while and head to work for several meetings that I couldn’t miss. Luckily it didn’t take too long and I was back home in 3ish hours. I was feeling especially sleep deprived and decided to sleep for a while, then woke up at around 3PM. So now it’s Dec. 18th, 3PM and I don’t have a solve yet. Remember how I said I’m stubborn? Well yeah, I hadn’t actually even glanced at the other challenges yet because I was so sure I could get this one. I started to wonder if I should consider switching to another challenge, but I let the sunk cost fallacy win. However, after about 2 more hours, and after some great sleep, at the 24 hour mark I was able to solve the first challenge fully and submit my proof.txt, nice! I felt a nice bit of relief, but was also annoyed at how long it took. Now it was time to figure out which of the other two challenges I wanted to try.

The last 24

I got 30 points from the first challenge, so now I needed to decide which challenge to do next. I had to solve at least one of them to pass the exam.

“You must obtain a minimum score of 60 points out of a possible 100 points to pass the exam”

So I took a look at both and decided that challenge 2 seemed the easiest. This challenge proved to be very tedious, but the instructions were very clear and so I was consistently progressing, which was a nice contrast to the previous challenge, where I was hard stuck and confused for the majority of the time, so each step forward was major. This challenge took me about 9 hours in total to solve. By midnight I was feeling great and had realized that with a good writeup I should pass since I now had 60 points. So with about 15 hours remaining, I went to sleep and got a good night’s rest. My plan was to wake up the next day and do the writeups for the challenges I had solved and then, with any leftover time, try and solve the final challenge just for fun. I woke up the next day at about noon (I was sleep deprived, give me a break). As I was doing my writeup for the 2nd challenge I noticed a very small, but very important, discrepancy. At this point it was about 3:30 PM, so I had 1.5hrs left to identify and fix the issue. The stress at this point was unbearable as I just kept thinking “Is THIS really the reason I’m going to fail and lose 48hrs of my time..?”. I’ll spare you the suspense: I was able to get it done in about 30min. Fortunately it didn’t change things too much, but it did change my heart rate. After getting that done I continued with the writeup until my exam time ended. I made sure to try and get as many screenshots as possible in that last hour as you can’t access the environment anymore after the exam time is up. This was another reason why doing the report early was useful; I would have undoubtedly forgotten many screenshots. However, having to deal with this time scramble didn’t allow me to attempt challenge 3, which was worth 40 points. I was able to do some precursory work on it the night before when I was deciding which challenge to do, though.

Documentation

Since I had already done a majority of the documentation throughout the exam period, I wasn’t too rushed to get the exam report and proof of concept files submitted. Though I must admit it is very stressful when you’re about to submit due to how strict and rigorous offsec is with their reporting and submission requirements. After all was said and done I was able to submit my report of around 57 pages along with my Python proof of concept scripts.

Results

Since I submitted my exam near the holidays it took some time to process, but on January 2nd, 2024 I got the following email while I was at work.

Passing Exam Email

Though I did expect this result, it’s still very easy to worry that you may have misunderstood something, hit some edge case, or just simply not documented enough. Like I said, offsec has very strict reporting requirements. Nevertheless, I’m very happy to now be OSED certified! Now I can say that I at least know a little about Windows :)

Post-Exam Reflection

I wanted to share a few useful tips I have for exam day. Some I used myself; some I wish I had.

Take breaks/sleep

This is something I did fairly well. When I got stuck I would walk around my apartment and think, sometimes doing a little stretch or workout since I had been sitting for so long. I specifically remember one instance where I had gotten up to take a break and almost instantly, as I walked out of the room away from the screen, the final idea to solve challenge 1 came to me. I thought about it a bit as I walked around and actually formulated the plan when I wasn’t at my computer, and when I came back the idea worked! I was admittedly very sleep deprived the first day as I hadn’t slept much at all, but after I woke up, even from just a 4 hour sleep, I was able to focus better and solved the challenge 2 hours later. These could be coincidences, but I doubt it.

Prepare Environment

This refers to both your IRL environment and your computer environment.

IRL Environment: Remember you have to be on video for 2 days straight. I repositioned my desk so as not to have my girlfriend sleeping/walking around in the background. This can be a nice measure to employ so you don’t burden others who live with you with being on alert for a couple of days if they don’t want to be on camera. Additionally, I cleaned my desk to help with a clearer mind and made sure to have ample food and drink for the duration.

Computer Environment: Make sure any and all scripts you need are ready to go. Remember you’re transferring them to a Windows machine with no internet connection, so you may need to install dependencies separately.

Time management

Something I did very poorly. I don’t know the optimal time management strategy here, but locking in for 24hrs on one challenge without even reading about or opening the others seems like it’s not the best strategy. However, context switching when your mental stack is already filled up with all the info from one challenge can be really tough. Point is, keep it in mind.

Key Takeaways and Insights

For one, make sure you have fun with the course. Most of us are busy and doing stuff in our spare time, so if you really can’t stand this type of work, I would suggest not doing it. There’s nothing wrong with being confused and frustrated, but if it’s just genuinely not rewarding or enjoyable, especially early on, you’re probably not going to have a great time.

That being said, I don’t know if I would do another offsec certification. I don’t really enjoy the long term commitment of the training. The number of times I would be doing something else and thinking “I should probably go finish that challenge” or “I should review XYZ” was really stressful. It also depends on your stage of life and whether you’re a student, looking for a job, or already employed. For me, this was just meant to be a fun thing I could do in the evenings to learn a bit about Windows exploitation; I decided to do it because most of the DEF CON trainings this year seemed a bit meh. Make sure you know your reason and temper expectations appropriately.

This course is a great introduction to Windows exploitation. Coming from a Linux exploitation background I thought it would be much easier (and it was), but Windows really is a different beast with all kinds of hidden internals. Having this collective resource to learn all the common pitfalls out of the gate is a major time saver and the materials can likely serve as a reference for future Windows shenanigans!

My last note: Hard work wins out over natural ability a majority of the time. If you’re someone like me who doesn’t feel naturally talented at this stuff or you feel you’re too far behind to catch up, just know that hard work will almost always make up the difference. If you’re already in the course and prepping for the exam, you got this. If you’re trying to decide if you should take this course, weigh the options of time and money and interest and see where that lands you. No matter what, always keep learning.

OSED Cert