OSED Review - an intellectual pursuit
“At least the Buffer Overflow is easy and free points. Would be neat to get more into this field at some points.” - me during my OSCP, 2019
In April 2024, I have attempted and passed my OSED exam, rounding up the OSCE3 trifecta. Here I’ll share my background, strategies for the exam, and go into what worked and what didn’t.
Background
Before OSED, my only experience with exploit development was doing the Buffer Overflow part of OSCP, which I remember finding rather obtuse but manageable at the time. I do not work with low level languages or windbg on a general basis. I had never coded in assembly before OSED or done any sort of reverse engineering. In short, I was almost completely new to the field.
I didn’t particularly have an interest in OSED, but I had the opportunity to do it via my employer and I figured I would give it a go to wrap up my OffSec arc.
The course
The course is high quality, but falls in the same pitfalls that the OSEP course fell into of going oddly in depth in some sections and eschewing other sections that are still very important. I have no way to confirm but I’m inclined to believe that both OSED and OSEP share the same creator, so if you’ve done one of them, the other will seem familiar.
Syllabus: https://www.offsec.com/documentation/EXP301-syllabus.pdf
The course itself is split into 12 chapters. The first 3 chapters are just getting familiar with the toolset and buffer overflows, and the last 2 chapters are an expansion on some attacks and vectors. That leaves us with 9 chapters of actual relevant content. These chapters go through SEH overflows, egghunters, shellcoding, using IDA to discover functions and bugs, DEP bypasses and ASLR bypasses. All of them are important to understand, although I really wish the PDF would focus a bit less on egghunters and more on shellcoding and using IDA. The DEP chapter is also a bit weird in its focus, but a lot of the question it raises (including the extra mile) are answered by the ASLR chapter. It’s a weird way of structuring it that caused me a lot of frustration but it worked out in the end.
Study plan
I did a mad rush through the OSED course and completed it in about 2.5 months. While I enjoyed it as a puzzle, I knew that it wouldn’t sustain my interest long term so I tried to be efficient. It was also hard to focus on it while LLMs were evolving so fast and I wanted to return to experimenting with them.
The process was quite grueling as I hadn’t done any prep for the course as I have done with OSEP and OSWE, and I distinctly remember struggling even with the basic buffer overflows as I was trying to get used to the new toolset. Nevertheless, I focused on following along with the videos/PDF - and I relied a lot more on the videos here as the PDF does omit a lot of details. I did all the exercises, which you will naturally do by following along, and about half of the extra miles. If I got stuck on an extra mile for more than 3-4 days, I’d move on and maybe come back to it once I learned more tips and tricks. The support from the Offsec server has been pretty abysmal, but I was incredibly fortunate to have a friend help give me hints for a lot of the extra miles.
I’d study for about 4-5 hours every night after work. I work from home so I’d be able to get right into studying after finishing work. This was very tiring and exhausting, which made me crash at some point and do nothing for a whole week, but once again, speed was a priority for me. Shellcoding was the first real difficulty wall and I ended up spending about 3 weeks just making sure I was good at assembly and writing shellcode. Unfortunately, the IDA chapter mostly flew over my head and I could not even get close to solving the extra mile. The DEP and ASLR modules took a while to understand, and I spent another 3 weeks on DEP and 2 more on ASLR but once they clicked - helped tremendously by my ability to use assembly gained in the shellcoding module, they went pretty swimmingly. The other modules weren’t too difficult and I’d spend a few days up to a week on them at most.
There are 3 challenge labs at the end of the course which are very good for preparing you for the exam. I skipped the first one after spending about a day on it as I couldn’t really make heads or tails of the challenge, but did the 2nd and 3rd one and I would strongly recommend you do the same.
Once you are done with the labs, I’d recommend going to exploitdb and looking for already existing exploits for win32 applications. Track down the vulnerable version of the application and try to recreate the exploit. One of the repos at the end of this post is full of examples of this.
Chatgpt
Just when I started OSED, I bought a chatgpt pro subscription - primarily so my data would not be fed into their models, but also for the more intelligent GPT4. I have made use of this extensively as a way to make me understand the material. I will raise the same complains I had about OSEP here, and that is the author has a strangely academic approach for a course that is still just a foundational one. Chatgpt has been great at summarizing some explanations. It cannot figure out assembly though, due to the predictive engine that LLMs are built upon. Little Endian architecture just contradicts that, so you will still have to write your own assembly code. But for explaining concepts and making up where the PDF wasn’t enough, it was tremendously useful.
The exam
After about 10 weeks of studying and one week of slacking off, I scheduled my exam. I was eager to get to it as fast as I could as I could feel my exhaustion catching up with me. I started at 10 AM local time, and for the first time in my history with offsec, the exam started without any issues!
I won’t go into any details not covered by other blogposts, so I will just say that there are 3 challenges and you will need to complete at least 2 in order to pass. It will be fairly easy to tell their difficulty level from just reading the requirements, so I started with the easiest one. I managed to complete it in about 6 hours, which gave me a huge confidence boost and I was sure I would pass.
Then I started on the 2nd challenge and it all fell apart. I made some decent progress at the start, but then progress halted for the better part of the day and only after about another 8 hours I managed to go past a roadblock. I was now 14 hours into the exam and I had solved a challenge and, by my estimations, completed about 30% of the other one and I had some ideas on how to get it to 50% so I went to bed for about 7 hours.
I woke up and decided to revisit and test my solution and found it out it was deeply flawed. Turns out I had made maybe 10% progress into the solution. I spent the next 6-8 hours tinkering with it and managed to come with a few different approaches, out of which one finally worked. Then I was able to implement my previous solution from last night and it got me about 50% through the challenge. I got lunch and then despaired as I got truly stuck on the remaining half. It took another 10 hours to get about 80% through the solution, but I got really stuck on one aspect and I realized that the PDF only briefly explained it in about 2 short paragraphs, so I went back and re-read them really, really carefully. After some experimenting it finally clicked and I was able to complete the exercise with about 6 hours left in my exam time. I decided to go to sleep and maybe look at the 3rd exercise in the morning. I slept for about 4 hours, woke up and decided to not even bother with it and just make sure I have a solid report with enough screenshots instead.
I submitted my report and about 3 days later I got the pass email and a well deserved sigh of relief.
Complaints
Besides the academic tone and odd pacing of the course, I also have to bring up the fact that the challenge labs are built with internet connectivity in mind and now they no longer have that connectivity. This causes the debugger to hang for about 5 minutes every time you set a breakpoint, which is beyond infuriating. There are also a bunch of other issues and errata with the PDF, and you are best off using the search function in the OffSec discord server to find solutions to them, as asking will likely not get you an answer. On the other hand, this has been the best stability I’ve had since dealing with Offsec and I don’t remember more than a couple of hours of downtime. Even the VPN was mostly stable!
Final thoughts
I have very much treated OSED as an intellectual curiosity and video game, as I knew this kind of vulnerability research was not high on my radar - nor are there a lot of jobs in the field. This helped lessen the pressure on me and allowed me to deal with the exhaustion and frustration caused by the course in a more manageable manner. I ended up really enjoying the segments where I had to code in assembly, and the DEP chapter was also a lot of fun because it basically worked like a puzzle. Everything else just reinforced my idea that I wouldn’t really enjoy doing this as a day job, although Offsec courses are a far cry from what a real job entails. I am glad I did it though, even if it was purely for the joy of learning and working with assembly. I do believe that it will come in handy for writing payloads in the future.
Learning resources
https://github.com/epi052/osed-scripts Extremely useful collection of scripts used across the OSED labs and exam. I cannot stress enough how useful this repo is. Use it, get familiar with it, it is a lifesaver.
Exapunks - https://store.steampowered.com/app/716490/EXAPUNKS I have played this a while back, but the psuedo assembly language used in the game came in extremely helpful during the course. It’s also a lot of fun!
https://connormcgarr.github.io/ROP2/ - this is a writeup from Connor, a SWE at Crowdstrike that goes into borderline painful detail to explain DEP and ASLR bypasses. Very thorough and what I wished the PDF used.
https://github.com/mrtouch93/OSED-Notes/tree/main This repo has a lot of examples for all the relevant modules that are really useful for getting a more thorough understanding of the concepts.
https://github.com/bmdyy/signatus
https://github.com/stephenbradshaw/vulnserver
These are great practice for ROP and ASLR once you finish the labs.