Advanced Windows Exploitation 2018 Review
It’s been a little more than 4 months since I returned from Offensive Security’s Advanced Windows Exploitation (AWE) course at Black Hat USA this past August. I’ve decided to take some time to recount my experience before 2018 runs out and provide information for those wanting to take the course. Registration for the course is very competitive and is usually one of the first to be sold out within hours of it being announced. The 2018 course registration was no different, and was sold out within a few hours. I am a current Offensive Security student and had successfully completed both the OSCP and OSCE certifications prior to attending the AWE class. I had a lot of questions before taking the course and really couldn’t get any of them answered before actually arriving in Vegas to attend. So, with that, let’s begin from the top.
Is there a pre-registration requirement before being able to take the course?
Yes and no. Anyone can register for the class via the Black Hat Training registration page. Offensive Security repeatedly warns prospective students of what to expect as a student taking the course and the level of difficulty of the material being covered. From that perspective, anyone can register for the course if you are lucky enough to get a spot. Once you are registered, Offensive Security will, sometime in the next several months (as was the case with me), send you a confirmation email and outline a registration challenge. The goal of the registration challenge is to prepare the student for what to expect during the course. The challenge is a typical Offensive Security challenge: not a lot of information, but everything that you need to solve the challenge is provided. The challenge introduces the student to WinDbg and does a good job of identifying gaps in using the debugger. Once the challenge is completed you are to email the solution back to Offensive Security. Ironically, during the course they (Offensive Security) asked if everyone had completed the challenge, and from the hands being raised it looked like not everyone had. So, this led me to believe that the registration challenge isn’t required, but you should complete it for your own good. Some of the course material referenced the techniques used in the registration challenge to successfully complete exploitation.
What kind of preparation work can I do before taking the course?
I had asked Offensive Security numerous times if there was anything I could do to prepare for the course. In response, they sent all students many readings on exploit development techniques that have been discovered over the years. The readings range from short to long, but overall contain a lot of good material that makes the student aware of some of the topics to be covered. It goes without saying that there is just too much material to be 100% ready for the course. Unless you are a full-time exploit developer or have a career in software development, assembly and/or Windows internals, I don’t think it’s practical to know everything prior to taking the course.
Do I need to be a Security Researcher to understand the course?
Perhaps the $10,000 question for most people is whether they can really take the course if they are not a full-time security researcher. In my opinion, the answer is YES. I am currently an Information Security Manager, which is a far cry from anything security research or exploit development related. As long as you have a decent understanding of programming, basic exploit development, and some assembly, you will do okay in the course. In my case, having taken the OSCE certification course was very helpful. That said, having a background in those other areas will absolutely help you. It was obvious during the course that some people were current security researchers and the material came easier for them. I myself struggled with a few topics, but nothing where I was completely clueless. The Offensive Security team does a good job of answering questions and helping the students with the material.
What do I need to bring?
All you will need to bring is yourself, the Black Hat pass, and a decent laptop that can run 3 VMs. The VMs provided to the students by Offensive Security were 2 Windows 10 (x86 and x64) and a Kali Linux. I always have an up-to-date version of Kali on my laptop so I only needed the 2 Windows 10 VMs. The Kali VM is only used during the course for producing shellcode for exploits.
When you arrive at the course and take your seat, the Offensive Security team will inform the students that class will start 30 minutes early on days 2-4, lunch will be reduced to 30 minutes on all days, and class will end 30 minutes later on all days. This is to ensure enough time is allotted to cover all the topics in the material. For BH-USA 2018, Offensive Security had 3 instructors (Ryujin, Blomster, and Sickness) teaching the course. All three of them were very helpful and encouraging throughout the 4-day course. I will give an overview of the 4 days, but will not go into a lot of detail. Be prepared to work hard; Offensive Security has some after-class challenges or homework that you can do if the daily class work isn’t enough for you. For me personally, I was too tired after class each day to go back to the hotel room and keep at it. I didn’t even go outside for 4 ½ days, as I was very mentally drained after each day of class.
Day 1 started off with Ryujin covering some theory on heap overflows, DEP/ASLR, ROP, and then how to bypass DEP/ASLR. Once the theory was done being covered, we went right into the first module that involved an Adobe Flash Player bug discovered by Google’s Project Zero team. The bug was an integer overflow that was not simple to exploit for code execution and required chaining together many steps to complete exploitation.
Half of the second day was spent concluding the Flash Player vulnerability exploitation. During the final steps of exploitation, the references to the registration challenge exercise were made while doing the sandbox escape. As explained by the Offensive Security crew, a sandbox escape presents quite a challenge. This first module was all done using the Windows 10 x86 VM. The second half of day 2 was led by Blomster, who introduced module 2, a Microsoft Edge type confusion vulnerability. This module also introduced the class to x64 assembly and expanded the scope considerably. This was my favorite module because it covered many of the Windows 10 advanced mitigations (CFG, ACG) and what was required to bypass them.
For much of day 3 we kept going at module 2 and Microsoft Edge. By mid-morning I was out of my comfort zone and into areas of exploitation not familiar to me. While it was hard to keep up, this is why I wanted to take the course. It never made much sense to me to take a course if you already know the content. During the mid-afternoon, after bypassing ACG and DEP with a nice ROP chain, Blomster finished module 2 with an Edge sandbox escape that chained together another vulnerability. To finish off the day, Sickness began giving us a very high-level crash course on x64 kernel exploitation.
Day 4 was a day that we could fully devote to module 3 (kernel exploitation on Windows 10 x64). For me personally, this was the first bit of kernel exploitation I had done, so it was very new. Conceptually, I thought the Edge exploitation was more difficult, but my biggest takeaway from this module was that kernel vulnerabilities are routinely used to escape a sandbox. This module focused on an endpoint security product that had a device driver vulnerability. Sickness was great at cramming so much information into the allotted amount of time while making sure the class didn’t get lost.
Overall, I was pleased with the course. It was insightful, interesting, and covered a lot of information I have never been exposed to. I would recommend the course to anyone who has an interest in security research and exploit development. After the course, Offensive Security gives you an exam voucher for the OSEE certification exam. I have yet to attempt the exam, but my hope is to perhaps give it a try in 2019. If and when I attempt and pass the exam I will do a full write-up on the experience.