How I Failed Twice… and Finally Passed the Offensive Security OSED 72-hour Exam (EXP-301)

July 8, 2022

If you’re not interested in the long introduction and just want to go straight to my write up of the attempts, start with “The First Try” chapter.

What are Offensive Security and OSED?

Offensive Security is one of the leading training providers for penetration testing and exploitation. Their hands-on training and harder-than-average exams made them one of the most reputable names in our industry.

The OSED certification stands for Offensive Security Exploit Developer, and people must pass the Windows Usermode Exploitation exam to earn this prestigious title. If you want to see the detailed syllabus for the training, you can view it here. As you can see, OSED is about exploiting memory corruption vulnerabilities in a Windows environment where mitigations are enabled to make the exploit development harder.

Memory Corruption

If you don’t know what memory corruption is, imagine that a software developer writes some code where:

  • the program expects a data input no longer than ten characters,
  • yet it does not check for this,
  • and the end-user of the software can input 2,000 characters.

Due to black magic and how computers work, this can either crash the software or, if the end-user has “the skillz”, the program execution flow can be redirected and controlled by the end-user in totally unexpected ways. For example, a user might gain remote access to the computer, download or upload files, turn off the software firewall, and open the CD tray… if it’s 2004 and those still exist.

As more developers created software with memory corruption vulnerabilities, more hackers gained knowledge on exploiting these vulnerabilities. Network worms like Morris, Blaster, or Conficker caused significant global damage.

There was a need to fix this mayhem, and this is where Hungarian researchers “pipacs” and Ingo Molnar rescued the Internet by developing mitigations that could be implemented into the Operating System and made exploit development harder. Most memory corruption mitigations were implemented in Linux first and later reimplemented in Windows.

The difference between exploiting vulnerable software and software with mitigations is like the difference between taking candy from a baby and stealing some Fabergé eggs. And this is exactly what you need to do to pass the OSED exam – to steal the Fabergé eggs, Catherine Zeta-Jones style.

My Background in Reversing

As for preparation and background, I started my “friendship” with Assembly in ~2008 with “Reversing with Lena151.” It taught me the use of the excellent OllyDbg. I even remember reading reverse engineering blog posts with SoftICE, even though I never used it.

Ollydbg – source: https://isc.sans.edu/forums/diary/Some+tricks+from+Confickers+bag/5830/

SotIce – source https://resources.infosecinstitute.com/topic/introduction-to-softice/

With that knowledge, I could solve the easy reverse engineering challenges on bright-shadows.net. Unfortunately, GDPR killed this awesome project 🙁

Anyway, since then, I never had a job where I needed hardcore reversing or writing exploits as my daily tasks. But I was always interested in exploiting. I did OSCP in 2011 and SLAE (SecurityTube Linux Assembly Expert) in 2015. You can find my exam solutions here. I highly recommend SLAE for people not experienced with Assembly. Now it is called “x86 Assembly Language and Shellcoding on Linux”.

I passed the OSCE in 2016, where I failed on my first exam attempt, but in that case, I was pretty close to passing it the first time. I also did the Rastalabs challenge in 2019, which I highly recommend, even though its focus is not on exploiting memory corruption. If you are interested in that write-up, click here.

And finally, in 2021, I signed up for the 60 days lab for OSED, starting in September. I was happy that Offsec created this course because OSEE seems impossible.

Getting Ready for the OSED

I spent around 16 dedicated days reading through the materials and doing the extra mile challenges (many weekends during COVID). I did ~90% of the “extra mile” challenges and could progress 50% on one of the three big challenges referenced at the end of the training material. I had 30 days between the lab access expiration and the first exam. I started the training with high hopes; after reading the syllabus, I knew I could ace this, as I knew everything about these topics, I had developed exploits against these mitigations in the past, no surprise here.

Boy, was I wrong.

To get a feeling of the exam, check the official OSED exam guide, there are good hints there.

The First Try

I failed the first exam in January, and I failed hard. Zero scores, could not solve a single challenge.

I practically worked on a single challenge (the first one, as a clue for those who had already attempted the exam) and could not finish it. My strategy was to start with a challenge I thought was medium difficulty for me. If I could complete that, I would only have to solve the other easy one to pass… In practice, I spent 24 hours on this medium challenge and reached ~90% of it, but I could not finish it due to some missing pieces. What I couldn’t understand was that I felt I was constantly making progress and felt stuck for 1-2 hours only… Maybe I had overcomplicated things, but I have to say that the constraints were not friendly, either.

Before the subsequent exam attempt in February, I solved all three big challenges referenced at the end of the training material, and the only thing remaining was the super-duper-extra-hard homework challenge, which I never solved. I might come back to it in the future. I also realized many small mistakes I made during my first attempt.

Unfortunately, the exam’s virtual machine does not have all the tools and dependencies to work in an “expeditious” fashion.

So, if I could recommend one thing, it is that you prepare your install scripts to work as fast and efficiently as possible.

The Second Attempt

With all this knowledge, I tried my second exam attempt in February. I was, once again, pretty optimistic.

My strategy was the same: solve the first challenge first. In the first 6 hours, I made the same progress as I had in 48 hours during the first attempt. I felt powerful. I could do this. But things started to collapse. It felt like I had learned how to build a house, but once it was almost finished, gravity suddenly shifted in the opposite direction, and I had to rebuild everything. I gave up after having 6 hours of sleep on the first day and working for another 16 hours straight on this single challenge on my second day.

Third Time’s the Charm

It was time to schedule my third exam for April, but other things happened in life, so I had it postponed to June. And the third time was the charm, as I solved the first challenge in 24 hours. OMG, the feeling when I first tried my exploit and it worked (with shellz and everything!). I finished the second challenge in ~ 6 hours. I still have no idea how to solve the the last one, I tried it during the exam, but it was… hard. So instead of pushing the last one too much, I spent my remaining time on proper screenshotting and documenting the first one.

All I can say is: Mad respect for those who pass this exam on the first try or those who ace all challenges.

And thanks to the Offsec team and whoever created this, I learned a lot.

Conclusion

Let me finish this blog post with a quote from the Offsec Discord server, from a member of the Offsec:
“I believe that EXP-301 is the hardest course and exam offered by us except OSEE, so failing the exam isn’t surprising even for Offsec staff.”