OSED || EXP-301

EXP-301 Offensive Security Exploit Development

EXP-301 Offensive Security Exploit Development is one of the courses that prepares you for Offensive Security Exploitation (EXP-401 / OSEE).
On 13 August 2020, Offensive Security announced that it was retiring CTP (Cracking the Perimeter) and would release two new courses, including EXP-301 / OSED (Offensive Security Exploit Development). Offensive Security released EXP-301 / OSED with the main objective of bridging the gap between OSCE and OSEE.

This course focuses on buffer overflows (OSCP level), reverse engineering, WinDbg, custom shellcode (ASM), egghunters, SEH, format string specifiers, and DEP and ASLR bypass.

Review

OSED Review and Exam2 talk

What should you know/learn before enrolling in EXP-301? My thoughts

1. Basic knowledge of buffer overflows (vanilla EIP overwrite)
2. Able to read and write code in Python 3
3. Familiarity with debuggers (ImmunityDBG, OllyDBG)
4. Able to read and write 32-bit assembly code, for example: xor eax, ebx; mov esp, eax; add ebx, ecx; inc edx; cmp eax, ebx
5. Basic understanding of C code
6. Able to debug and read ASM code for hours
7. Maybe a little bit of fuzzing

What will you learn by the end of the course? My answer

1. DEP bypass without the help of mona
2. Reverse an application and look for vulnerabilities
3. Write a fancy proof of concept that achieves ASLR and DEP bypass
4. Write your own custom shellcode using the Win32 API
5. SEH
6. An egghunter that works on current Windows 10 (the old egghunter no longer works)
7. How to use WinDbg and IDA Pro to reverse the .exe
8. ASLR bypass (through a memory leak or through a format string specifier)
9. Patch your shellcode

My comments on EXP-301 / OSED

Comparing EXP-301 (OSED) with PEN-300 (OSEP) and WEB-300 (OSWE), I think OSED is quite beginner friendly. It definitely still requires certain prerequisites/skills before you can enroll in EXP-301, at least "Buffer Overflow" EIP overwrite (OSCP level). EXP-301 starts with a WinDbg tutorial because most candidates who enroll in EXP-301 come from an OSCP and OSCE background, and they have been using ImmunityDBG and OllyDBG in the OSCP and OSCE courses/exams. In this EXP-301 course, we must be familiar with WinDbg; once you are familiar with WinDbg, the real game starts from the basics (buffer overflow and SEH overwrite). This course is quite rushed and moves very fast to other topics such as reverse engineering with IDA Pro, custom shellcode, egghunters, DEP bypass, ASLR bypass and format string specifiers.
I found that EXP-301 focuses on several areas (reverse engineering, ROP chains and custom shellcode). In the course we are allowed to use IDA Pro, but in the exam IDA Pro is strictly forbidden and ONLY IDA Free is allowed. ROP chaining and custom shellcoding are very hard to master because most people find the concepts hard to understand, and some extra miles require out-of-the-box thinking to craft your ROP chain without help from mona. There are 2 chapters on format string specifiers which talk about "read and write primitives" (I personally think I need to focus more on the last 2 chapters on format string specifiers).

How I prepared for my exam (attempt 1)

1. Complete the extra miles (some not finished)
2. Practice my scripting skills (Python 3)
3. Save all PoCs that I did in the course
4. Do more practice on DEP bypass
5. Try using different gadgets to craft ROP chains
6. Get enough sleep

How I prepared for my exam (attempt 2)

1. Redo and complete all the extra miles
2. Practice my scripting skills (Python 3)
3. Save all PoCs that I did in the course
4. Do more practice on DEP bypass
5. Try using different gadgets to craft ROP chains
6. Get enough sleep
7. Keep a copy of the PoC from my first exam attempt

Failed and Passed!

First attempt (Wed, 09 Jun 2021, 16:00 (Asia/Kuala_Lumpur)): Failed

Second attempt (Thu, 08 Jul 2021, 23:00 (Asia/Kuala_Lumpur)): Passed
On 12 Jul 2021, I received my result from Offensive Security: I have successfully passed my OSED exam.


3 / 3 Completed


FAQ

Q: How many days did I purchase for my EXP-301 lab?
A: 60 days + 30 days. I think 60 days is enough.

Q: Is it worth it?
A: Definitely, YES! Definitely a preparation for OSEE.
    Starting from this moment, I will definitely try to utilize the skills and tricks learned in this course to hunt bugs by reversing applications.

Q: SUMMARY | How do I rate the OSED/EXP-301 course?
A: So far so good; I like this course very much. I would rate it 85/100. (I think the content could cover more attack vectors.)