OSED in 2024
Let's go ropping - the EXP-301 course by Offsec and earning the OSED certificate!
Another one down!
OSED is a penetration testing certification with an emphasis on exploit development. It is in the 300 level series of Offensive Security certifications and one of the three certs required to earn the OSCE3 qualification.
Since my background is in reverse engineering firmware and IoT, this certification is closest to my heart. Because I was dealing with assembly frequently, I really liked the precision that it required. You have to know exactly how many bytes to jump in order to make the exploit work, the exact size of your padding to trigger an overflow, or the values required to navigate through various header checks... I thought that was really fun!
Coursework
Like OSEP, the coursework was demanding but I felt it was quite well structured. I won't rehash the topics covered in OSED since the syllabus is available from Offsec, but in my opinion, the best way to think about OSED is to consider it as being made up of three main themes that build on each other. The actual order in which the topics are introduced varies a little in order to introduce necessary tools and theory, but the broad themes remain.
Theme 1: Gaining Control
OSED picks up where OSCP left off: stack overflows. It also introduces another type of overflow: SEH overflow. However, not all crashes can be found through fuzzing, and a more structured approach may be required.
The course then touches on the methodology and tools of vulnerability research by introducing tools such as IDA Pro and WinDbg as well as how the earlier crashes can be found. I found this to be especially helpful in understanding how control flows through the program and what kinds of vulnerabilities to look out for.
The coursework focuses on systematically finding vulnerabilities and does not cover fuzzing. With these tools in hand, it then moves into more sophisticated format string attacks as another means to cause a crash or leak information.
Theme 2: Bypassing protections
In this theme, protections are put in place to prevent exploitation of the earlier controls: Data Execution Prevention (DEP) as well as Address Space Layout Randomisation (ASLR) are introduced and discussed.
Offsec's pedagogy does dive quite deep into the theory sometimes, and it can be a bit hard to follow without practice, but I found that this is more effective for my understanding and learning later on instead of example-based approaches with brief explanations.
Going really in-depth to explain why each step is required builds the foundational understanding that helped me dive deeper into the complexities of exploit development. I liked that the material was covered in-depth, and I frequently referenced these sections when working on the practical exercises and the labs. I found that once I had practised overcoming the protections more, I was better able to follow the flow of the explanations.
Finally, in order to overcome the protections, building a Return Oriented Programming (ROP) chain is introduced. A few techniques are taught to show how gadgets can be used to achieve different functions in the ROP chain. The ROP chain is the underlying beat in this section: be it built around WriteProcessMemory or VirtualProtect, or prefaced with an info leak to bypass ASLR, it's all ROP chains in the end.
Theme 3: Custom Shellcode
So after overcoming all the protections, we can finally execute code, but how do we write the code that executes our instructions?
Of course, msfvenom is there, but how does msfvenom generate the code and how does it work? This section dives into that, introducing the theory of x86 and assembly. It starts off simple: short JMPs for SEH exploitation, then moves into more complicated techniques such as egg hunting to find where shellcode is located in memory. Finally, we move into writing our very own shellcode, without any complexity at first, but gradually, additional wrinkles are added into the shellcode: can you write it without null bytes? How about position-independent shellcode? Finally, this theme is capped off by writing our own custom decoder to replace bad characters in the shellcode.
These are legitimately very useful topics, and the section gives a small introduction and a good foundation for building custom shellcode to be used in exploits.
Unlike OSEP, I did not find any of the topics to be outdated or misplaced. However, I would have liked a little more practice presented on the reverse engineering or shellcoding sections.
Labs
The labs were self-contained on a Windows VM with the necessary installers provided, so there was no environment to share with other students. This was a pleasant experience, but my small gripe is that the connections timed out after a while and the machine reset. This is an issue for some of the practices because installing the software can legitimately take 30 minutes or more, and it was very disruptive to install the software each time when following through the content. I hope that Offsec can either provide an uninterrupted VM experience, or provide checkpoints so that students are given an image with the software preinstalled and configured.
The labs also featured three additional challenges after the content is finished, for students to refine their tradecraft and practise techniques. I liked it, but more signposts on how to properly take advantage of the challenge machines would have been much appreciated, instead of just being given an application with multiple vulnerabilities.
Exam experience
The OSED exam is a 48-hour exam, with another 24 hours given for you to write your report.
My exam started late because I ran into some issues during my pre-exam check, one silly one being that my network was somehow configured to not connect to the Internet due to the interfaces I had set up, so that was a fun fifteen minutes trying to figure out what was wrong with the VPN to the exam. As per my other Offsec exams, I drank plenty of water so that I would take frequent breaks, but I still found it hard to rest because I was so wired from thinking about the exam.
I thought the exam was very fair as it referred closely to what was taught in the material, and the tasks were clearly laid out. Of all the Offsec exams, I think the OSED was one of the most structured ones I've taken thus far. While I needed some creativity to figure out how to implement parts of the challenge, at no point did I feel inadequately prepared by the core course material.
I understand the need for additional research because the course will never be able to cover everything that you encounter in real life, but if I am taking an exam based on the course material, I shouldn't need to refer to or know about some obscure bit of information not covered in the coursework or only mentioned briefly in passing. The OSED exam, thankfully, proved that it is possible to write a fair exam without including obscure components.
I was able to reach the requirements to pass on the morning of the second day, and spent the rest of the day tackling the last challenge before I called it and started to take screenshots for the report.
Writing the report did not take a long time, and I was able to submit it early on the third day.
And two days later, I got the email saying that I passed!
Concluding thoughts
I think the OSED is a fantastic introduction into starting vulnerability research and exploit development. However, I think these skills are supplementary to the skills that OSEP teaches you and which I consider to be the baseline for modern red teaming and exploitation.
Between the two, I'd say OSEP is still more valuable as the first certification in the 300 level Offsec courses. Nevertheless, OSED will teach you to be more flexible in crafting exploits and discovering vulnerabilities, which will push your initial OSEP tradecraft further, and given the wide variety of skill sets that penetration testers need today, I think it is a great certification to learn and earn.