Zeyad Azima

Zeyad Azima

Brain Storming Stuff (Exploit Development, Reverse Engineering & More)

OSED Journey & Guide

14 minute read

Introduction

Welcome to this blog post where I will discuss my journey through the OSED certification process. This post will cover detailed reviews of the course content and the examination, highlight potential challenges, and offer strategies to overcome them. I aim to share a comprehensive overview of my entire experience, from engaging with the course material to ultimately passing the exam and receiving the certification. The OSED program is specifically tailored towards Windows x86 exploit development.

Back In Time

Before I embarked on the OSED certification, my background included hands-on experience with assembly language and various overflow vulnerabilities from 2020 to 2021. My activities ranged from basic fuzzing on real targets to in-depth research, driven by my desire to delve deep into the subjects I study, including their history and evolution. This was particularly true for my interests in Vulnerability Research and Exploit Development. During this period, I applied targeted fuzzing techniques to several live systems, discovering vulnerabilities in real-world applications, including a sharing feature on Xiaomi phones:

image

However, my efforts yielded only a DOS attack due to my limited ability to reverse engineer or debug across different platforms and software. Nevertheless, I continued to deepen my expertise in low-level computing through 2021. By 2024, I had expanded my knowledge across various platforms, including Windows, Linux, and macOS. This story illustrates my preparedness for the course, aiming to encourage others to overcome apprehensions about new or complex topics like low-level systems. Take the time to experiment and immerse yourself fully in your learning journey.

Studying

I completed the course content in roughly 1.5 to 2 months, amidst other commitments such as work and university. This period was largely uneventful, although I encountered and resolved several issues with labs and supplemental materials, which will be discussed later.

The Course

The course kicked off with an introduction to WinDbg and the x86 architecture. Having prior experience with WinDbg, I quickly moved through this section, tackling the exercises with ease. The curriculum then shifted to stack-based buffer overflows, a staple topic for beginners in exploit development. The exercises were straightforward, and the extra miles provided valuable insights and alternative exploitation techniques that are especially beneficial for novices.

Subsequently, the course covered Structured Exception Handler (SEH) overflows, detailing the mechanics and exploitation methods, including the straightforward island hopping technique. This part of the course also offered robust challenges that required a variety of approaches to solve. The introduction to IDA Pro followed, giving a basic rundown on how to use the tool in conjunction with WinDbg for both static and dynamic analysis. The lessons designed to familiarize users with IDA Pro’s features were effective and comprehensive.

The Egg Hunting segment of the course was particularly notable. It required a solid understanding of assembly language to fully grasp the content, and the exercises included applications known to be vulnerable, which enhanced the practical learning experience. The module on creating custom shellcodes discussed the development of Position Independent Code (PIC) shellcodes, which are adaptable to various system versions. While informative, this section had some gaps that could have been better addressed to aid understanding.

Reverse Engineering for Bugs was another standout section, encouraging students to independently identify vulnerabilities. This module was challenging and rewarding, though it could be daunting for beginners without a foundational knowledge base. The DEP Bypass topic was engaging, explaining how to identify and use ROPgadgets to circumvent DEP, though it focused primarily on one method.

The course also addressed ASLR Bypass techniques, showcasing methods to overcome ASLR and DEP using different approaches like the WriteProcessMemory function and developing a ROP decoder for shellcodes with bad characters. The creativity required in the previous two modules’ extra miles likely enriched the learning experience significantly.

Finally, the Format String Vulnerabilities module was divided into two parts: one discussing the vulnerabilities themselves and how to exploit them, and the second on achieving code execution, including techniques like stack pivoting. The exercises and extra miles within these modules provided ample practice opportunities to refine skills independently.

Labs

The challenge labs were well-designed, requiring considerable time to complete. They ranged in difficulty; I found the first to be the most challenging and the second the easiest, with the third falling in between. Although time constraints prevented me from completing all the labs, my preliminary assessments and discussions with peers helped me understand their complexities and learning objectives.

Practicing

In terms of practice, I would study a topic, complete the exercises, and then tackle the extra miles if available. I also practiced on vulnerable versions of software related to the topics covered. For a list of such software, you can refer to my practical notes for the OSED from here, On my github and other resources I have compiled here, Also a huge list of softwares here , And N0P-TECH list from here. These resources are invaluable for anyone looking to deepen their understanding of exploit development through hands-on practice.

Exam

I took the exam 2 times, As i failed the first attemp, Due to time.

1st Attemp

Day 1

I took my first attemp on 01 FEB of 2024, The exam started early in the morning 11 AM, I hadn’t sleep before it for few days, but i took a quick nap before the exam, I got my 3 assignment and read the requirements for each one on my exam panel, In just few hours i was able to mostly finish the 2nd assignment, As it was easier one, After that i went to the first assignment for few hours, and write mostly the half of the exploit and needed some time to think for completing it, But already everything is bluring up in my eyes, As i am out of sleeping for days and just with a nap So, I went to sleep for 3 hours and then after that i waked up completing writing my exploit for the 1st assignment, I faced some issues, So i had to debug my exploit carfully, For the next few hours after debugging, i fixed it and then complete writing it.

Day 2

While complete writing my exploit it was already the 2nd day of the exam, My brain was out, But i was be able to complete, I faced other issues, So i decided to sleep (Which was a bad descion), Cause when i went to sleep i slept for almost 14 to 16 hours, And i still was facing some issues with my exploit and writing my own shellcode to exploit it, But i had no more too much time left and also i couldn’t take screenshots for my process or steps and didnt fully finish my exploit, So, I decided after few hours to back to sleep as my brain and body still tired and it was almost 2 hours remains for the exam to be finished, So i went sleep and decided to do a retake.

2nd Attemp

I found the close time to take the exam again on 25th of march, So i just booked it.

Day 1

For my second attemp i had slept well before the exam and it started early in the morning at 10 AM, The exam ofc not the same as the first attemp, I went for a while through the 1st assignment for few hours, But i saw it’s more challenging than the previous one in the 1st attemp, So after few hours of missing around with the 1st assigniment, I back to the second assignment and done it within almost 4 hours only after debbuiging and fixing issues, Which was a really simple issue with my hex decimal values, But i notice it later. After that I back to the 1st assignment, But still can’t find my way in, So i decided to with the 3rd assignment as it was the hardest one, But while going through it and reach my way in know how to exploit it, I found something in it, similler to the 1st assignment as the 3rd assignment requires more time than the 1st one, So i went back to the 1st assignment and found my way on exploiting it, After that it was almost night I decided to sleep and not. over working so i don’t do the same mistake as the first assignment.

Day 2

I waked up and by the middle of the 2nd day i completed writing my exploit & I already finished it and successfully working & I used it aganist the target and submited my flag, I still got more a lot of time, So idecided to nap and wake up to take screenshots and arrange it, For my report writing, After napping I finished my screenshots and everything required for the 2 assignments as you are required to solve 2 assignments to pass, So after arranging everything, I still had more time, So I just end the exam and start writing my report.

Day 3

I wrote my report using Joplin and a report template from my friend frank4o4 and I detailed everything i did step by step and finally finished it & Recived my results the next day on 29 of march:

image

Final Review

Now, The final review for the exam and answering some questions.

Do i need something before start ?

Yes, You do need the ability to read and write assembly well, Also, Windows APIs, PE File format and how to deal with it & How to create at least basic shellcodes as you will always face issue, When you are weponized with these things i mentioned you can come over the issues you gonna face. Finally, you would also need to have the ability in understanding and exploiting at least the stack-base buffer overflow vulnerabilities.

Are Excersies, Extra Miles and Labs enough for the exam ?

Yes, Excersies, Extra Miles and Labs are enough for the exam, As they are designed for the Try Harder Mindset, Cause you would need to go beyond the content to solve some of them on your own way, And use your way of thinking, So it gives you the ability to break your limits, And if you solved all you would be able to pass it easily.

What about beginners & newcomers ?

If you are new to exploit development on Windows x86, I suggest that you take your time and study the basics first and practice a lot before you go to the OSED, Cause this will give you the ability in trying and facing the issues & problems you would face.

Advices ?

  • Sleep always before your exams and rest xD.

  • Get your notes ready and everything you need.

  • Make sure you have a backup in case of any technical issues, Including the internet.

  • Solve the excersies & extra miles and labs, More than 1 time, Cause you will notice each time you solve it you would do it in a different way on each time.

  • Do more practice with other softwares outside of the course.

  • When you solve any extra mile and practice on softwares, Deal with it as it’s a task for a client, And kick off the siftware from the start, Like do fuzzing on it, Reverse it and identify why, where and what cause the vulnerability, do it from the scratch till you exploit it & try writing a report for it.

  • If you wanna go more further, Do write your own vulnerable software and exploit it.

  • Practice, Practice, Practice!

Your OSED Guide

Now, This is the studying guide with resources for people who are planning to study or take the exam. Also, You can study it next to my practical notes & guide lines from here.

Assembly

As mentioned before you do need assembly and do need to understand & miss around with it very well, You can go through pwn.collage assembly crash course, Then you have also assembly and shellcoding course from pentesteracademy, And finally you can also use the manual from intel. The most important is to practice it over and over and debug your code look around how the code is running and look after the memory and registers & how everyting is happening.

PE File Format

It’s important to understand the PE fiel format very well, As you would need it also in shellcoding, And also as the course is not covering it, You need to study and work with it before enrolling, I already cover it in a practical way in my notes, You have a video from Dr. Ali Hadi on it, Then you also have a series by 0xrick on his blog, Finally, On microsoft documentations.

Debugging & Reverse Engineering

Here for debugging and reverse engineering which is also an important skill for you to have, There are 2 course by OpenSecurityTraining and introduction course and another one intermidiate, Another course from pentesteracademy on windbg, And the documentation from microsoft. Also included in my notes.

Stack Based Buffer Overflows

Now coming to exploiting the vulnerabilities and work with it, There are these articles from Corelan and FuzzySecurity, FuzzySecurity and also Dr. Ali Hadi. Also this article from corelan on different techniques to jump back to your shellcode.

SEH Overflows

For SEH overflows, Also wee have Corelan & Here also, FuzzySecurity, Coalfire, M0chan and finally, Dr. Ali Hadi explained it in a very clear way. and this crash course on SEH to understand it

Egg Hunting

After having the basic type of overflows, You would face space issues that couldn’t be enough for your shellcode, You can fix it with egghunting as usually corelan and fuzzysecurity articles, Also shellcode.blog and also Dr. Ali Hadi. Matt Miller paper on egghunter in 2004.

Shellcoding

Now, When it comes to shellcoding i recommand reading The Art Of shellcoding by Amr Thabet, Also bblog posts by SecurityCafe, And finally, Corelan.

DEP Bypass

Now, After missing around with all of that, It’s time to explore the DEP mitigation and how to bypass it, We got Corelan and also amazing article by Connor McGarr and this blog post by NCCGroup, Finally, some papers by Krahmer, Shacham, Solé, John, Pratt, Tomasz Nowak and Vinay.

Format Strings & ASLR Bypass

Now, For Format Strings & bypassing ASLR Mitigation, We have this amazing blog post from Connor McGarr, Also corelan, Another one from Gal De Leon & Nadav Markus and finally, Tilo Mu ̈ller and for format strings, We have got scut / team teso, Saif El-Sherei and Yajin Zhou

Conclusion

In conclusion, The exam needs you to be creative and will need you to unlock your mind beyond the content and challenge yourself by going deeper into details & discover more by searching, And again will be repeating it, Do assembly as you do your own language. Everything you solve or practice on, Do it again and again & You will notice that you are solving it in different way each time.