Previously on “Patrick does OffSec Courses”

Summary

Another year, another OffSec certificate. Concluding the year 2023, I completed my 3yr plan of becoming an Offensive Security Certified Expert³ (OSCE³) by passing the exam for the course EXP-301: Windows User Mode Exploit Development.

The following sections will give a brief insight into the course, the exam and everything around it.

Preparation Phase

As I already said at the end of the blog post about OSWE, this time I went for the Learn One subscription. This gave me 1yr of access to the course material and 2 exam attempts. I started the course in October 2023.

After enrolling I started looking at the course material. As this topic was far outside my comfort zone, I took it really slow. After the first couple of pages and exercises my frustration level already peaked for the first time. Thinking to myself “How can I learn all this nonsense? This is going to be impossible!”, I had a really hard time with the topics.

From the previous courses I learned that the OffSec Discord server was a really good place to look for help. So I did try to get in touch with people, ask stupid questions and get good, qualified answers. To my surprise the community sucked this time (at least at first). To be fair, as I am living in Germany and the time difference to US-based learners is horrible, it was hard for me to get in touch with people. Also, I am really impatient. I had questions and I needed answers immediately 😄.

But finally I met some really good learners and nerds and got the help I needed. The initial spark though was kindled by 3t3rn4l v01d. I will be forever thankful for the help I received.

So after getting a little bit of help here and there, the topics taught in this course started growing on me. I actually started having fun going through the lab chapters, which is nothing I am used to when doing OffSec stuff. Well, that was until I started the chapter about IDA Pro and Reverse Engineering.

I had never used IDA Pro before and was never one of the best when it comes to Reverse Engineering. To be honest, I had given RE a wide berth until now. So going through that chapter of the course was really intense for me again. And this is where my frustration level peaked for the second time. I find the course material not precise enough at this point. They show you where the vulnerabilities are in an executable, how to do static analysis combined with dynamic analysis, and how to interconnect those two methods. But what they do not show you enough is how you would discover the vulnerabilities to begin with.

They are mostly like: “If you look at address something you will see …, then further down the flow A gets compared to B and this leads to C”. But the chapter is not detailed enough in my opinion. Well, nonetheless I fought through this chapter and developed a comprehensive method to tackle static analysis in order to find vulnerabilities.

So, to conclude the course material, I did all the extra miles in the course material and finished all 3 challenge labs, which are supposed to be comparable to the exam tasks. Now I should have been prepared for the exam.

Walking the extra extra mile

As I was afraid of this course to begin with, still felt 100% insecure about passing the exam, and considering my timeline, I decided to do additional exercises provided by the community. At this point it was mid-November, so plenty of time left.

There are plenty of good resources. Some of them are summarized in nop’s repository https://github.com/nop-tech/OSED. The ones I did were:

They all were really fun and I want to thank people for being awesome and creating such challenges.

Walking the extra extra extra mile

So now I had done a few extra apps and learned a few new things, but then again I was still insecure about the exam. So it was time for me to write my own vulnerable app and implement what I had learned. Invictus is like the other vulnerable apps and is meant for you to prepare for the exam. It is compiled with ASLR and DEP.

This did take me some time to create. Exploiting things is one part, but writing exploitable applications is a whole different game. But finally the application did work as intended and was exploitable as planned.

Playing the waiting game, again…

My time management with OSED was not that good again. Well, it was not as bad as with OSEP, but I had to wait a long time between learning and taking the exam.

I chose to take a cool-down period, where I would not touch anything OSED related for several weeks before going to the exam on the 19th of December, 2023.

And this is dangerous, as you might forget faster than you learned.

The Exam

This time I was really afraid of the exam. Nonetheless, I slept quite well the night before starting the exam. Then I almost forgot to log in in time to do the pre-exam enrollment tasks. But I managed to get through the identity check in time and was ready to start the exam.

So here we are again at 8 am on the first day, looking at the exam objectives, doing things. You know. Unfortunately, again, I cannot talk about exam specifics, but I can tell you that you need to finish 2 out of 3 assignments. I almost immediately decided on 2 specific assignments and postponed one as a backup in case I got stuck.

And well, yes, I did get stuck a lot. So during the exam I looked at the postponed assignment, only to decide I would never touch it again after looking at it for 10 minutes.

After the first day, in the evening, I was already done with one task and had one “flag”, and the second task was almost completely done. But unfortunately I hit a wall and “a thing” that was supposed to be working did not work. There was no logical explanation as to why it didn’t work, but it just didn’t. So I left the first day of the exam with a desperate feeling of not being able to pass the exam this time. Would OSED be the one I would need a second exam attempt on? Was it foreshadowing to buy the Learn One subscription with its 2 exam attempts? I would not find out until the second day of the exam.

Starting the second day of the exam with a pot of tea and bringing the kids to kindergarten, my mood was good. I had a good night with some quality sleep of around 8-ish hours. So what could possibly go wrong?

Well, at least the problem I had the day before was still there. It did not magically vanish over night. What a bummer. But with a fresh mind there came new ideas. One of them led to an accidental discovery of “a fact” that I needed to solve the assignment. Now it all became clear, and finally I was able to connect all the pieces and solve the second assignment. What a great feeling. I left for lunch knowing I would be able to pass the exam on the first try.

I had done it once again. Did I have fun doing the exam, you might ask? Well, not as much as with OSWE, but way more than with OSEP.

The Aftermath

Returning from lunch, I made sure I had all the screenshots and bits and pieces I needed for the report. I then wrote the complete report in a very raw format and added all the screenshots.

It was around 4 pm on the second exam day that I hit the “End Exam” button and left for the rest of the day. I was not as tired as I had anticipated, but I did not touch the exam report until the next morning.

After returning to the exam report the next morning I polished it a bit and handed it in via OffSec’s upload form.

This time it did not even take 24h for the exam report and results to be checked by OffSec. These guys sure do work quickly right before Christmas. And so I left for Christmas being OSED and OSCE³ certified.

Image: OSCE³ certificate and challenge coin

Comparison between the courses of OSCE³

So topic-wise the courses cannot be compared. But what I can compare are personal, subjective perceptions such as fun level and difficulty (on a scale from 0 to 10, where 0 is the least and 10 the most).

Cert   Fun Level   Difficulty
OSEP   2           6
OSWE   8           4
OSED   6           5

This is only my perception and might differ greatly for you.

Conclusion

So the OSCE³ journey comes to an end. What started in 2021 as a 3yr plan to become OSCE³ finally comes to an end. I am more than pleased with how it went. I was able to pass all three exams on the first try. I had quite a lot of fun and good times doing them, and at the same time they were challenging enough for me to get frustrated a lot. But this is really needed to gain as much knowledge from them as possible. So it was worth all the struggle.

I am glad it is over, though. That is the least I can say.

What’s up next?

Do I really hate myself enough to go for OSEE, the hardest course there is at OffSec? I don’t know yet. Maybe? We will see…

As always, I hope you enjoyed reading these insights into becoming OffSec certified.

Cheers, Patrick