OffSec EXP-401 Advanced Windows Exploitation (AWE) – Course Review
In November of last year, I took the OffSec EXP-401 Advanced Windows Exploitation class (AWE) at Black Hat MEA. While most of the blog posts out of there focus on providing an OSEE exam review, this blog post aims to be a day-by-day review of the AWE course content.
Table of Contents
OffSec Exp-401 (AWE)
During the first day of AWE, the instructors shared with us the following slide:
That’s to explain the “difficulty” of the course for each day. Needless to say, your mileage may greatly vary depending on the prior knowledge of each section you already have.
For example, I found day 3 (Edge browser exploitation and sandbox escape content) the most difficult, as I had limited exposure to browser exploitation topics before, while the Windows kernel topic, which is generally ranked as the most demanding, was still intense but pretty doable for me given the fact I’m already comfortable with that topic. Here is my personal breakdown of the difficulty level of each day depending on the course content:
Each day was roughly split in half, half content before lunch and half later, with in-between exercise sections on each topic, gradually building the POC and exploit.
Day 1 – Custom Shellcode Creation and VMware Workstation Internals
While I didn’t like the chapter on “Creating Custom Shellcode” in the EXP-301 course, specifically due to the use of Python, CTypes, and the Keystone framework, I can definitely see the improvement they made for AWE. Keep in mind that this section in AWE is only a light 22-page refresher and not an entire dissertation on the topic; they greatly built on top of the knowledge and gently expanded the material that was already present in EXP-301 (58 pages), for instance:
- It skips x86 and directly explains x64 shellcoding.
- No more Python: Create shellcodes using Visual Studio and assembly instructions.
It was definitely better explained and expressed than EXP-301; the only downside is that it was not challenging for me. I could bear that, thinking about all the advanced topics I was going to see and reading the material ahead to start formulating questions for the following chapters.
The second half of the day was on VMware Workstation internals. Even if I had limited experience with hypervisors, it was easy to follow along. The material regarding the Front-End and Back-End allocators is scarce (6 pages). The UAF case is a pretty standard one, especially if you already have experience with this bug class and the Windows allocators. The UAF they chose was straightforward, with little “background noise” from the application. It was an easy case per se, but I can easily see myself standing on top of the knowledge I acquired in the Corelan Advanced class (which I strongly recommend).
IMHO, this section is an excellent introduction to what will follow; people who cannot go through it easily should reconsider their participation to the course. It is not going to be easier.
Day content score: 4/5
Day 2 – VMware Workstation Guest-to-Host Escape and Edge Internals
The second day was a continuation of the VMware exploit; the real meat was performing the Guest-to-Host Escape. The exploitation process was mostly linear, with enough twists here and there to keep me engaged.
A fascinating section was the Windows Defender Exploit Guard bypass, with defeating the EAF countermeasure being the most challenging, especially as there isn’t much documentation on it.
At the end of the day, there was also a quick introduction to the Chakra Core internals.
Day content score: 5/5
Day 3 – Edge Type Confusion, Mitigations Bypass and Sandbox Escape
The third day began from where we left off the day before, continuing the analysis of the type confusion vulnerability affecting Microsoft Edge. It was mostly smooth until the first mitigations were introduced; then, the difficulty quickly ramped up.
We were first greeted by CFG, then CET and ACG, but things really became ugly when dealing with the sandbox escape (2nd half of the day). The amount of work put into this section is enormous, a whopping 42 pages full of advanced information. Even if that doesn’t seem a lot, the amount of knowledge packed into the section is vast. You can really feel the experience and creativity of the trainers. Just the reverse engineering session needed to understand the sandbox escape is probably worth a month of work.
So, the second half of the day was really a mess to go through for me. I finished the day completely fried, and my brain was completely melted. Again, remember that I had little to minimal exposure to browser exploitation topics before (especially recent ones).
The extra mile exercise for the day was one of the three granting the precious challenge coin; knowing that I could not compete in this topic, I decided to call it a day and go to sleep early to recharge and be ready for the following day.
Day content score: 5/5
Day 4 –Windows Kernel Internals and Driver Callback Overwrite
The fourth day was entirely focused on Windows driver exploitation, with the first part of the content being an induction to Windows kernel internals, kernel debugging and kernel mitigations.
Then, we were introduced to a vulnerability (callback overwrite) present in a 3rd party driver, how to gain a kernel read/write primitive, how to restore the execution flow and the Meltdown and KVA Shadow.
To me, it was the most interactive session of the course, with the most exercises and steps to be done during the class.
The extra mile exercise was the second one granting the challenge coin. Given that most of my knowledge and experience in Windows exploitation is either in userland enterprise applications or Windows Kernel, I knew I had to fire all my shots at this target. I knew I had the night plus part of the next day trying to solve it, while the last exercise only had the last day of the course to work on. As I didn’t like the option of working on the extra mile exercise during the lesson, in order not to miss important bits and take notes, I decided to focus on that one instead of waiting for the third one.
I returned from the training and immediately started working on the exercise, tackling the first of three tasks. Then, I had a break for dinner and, fully restored, I worked on the second task. I set a timer in order to have enough sleep time for the last training day, and when it triggered, I went to sleep even if I was almost at the end of the 2nd task.
Day content score: 5/5
Day 5 – Unsanitized User-mode Callback and Native Windows Driver Exploitation
On the last day of the course, we covered native Windows Driver Exploitation (Win32k), specifically the graphical interface. All the setup required to achieve reliable primitives and have the exploit work was insane. We faced Virtualization Based Security (VBS), HVCI, CET, and kCFG during our exploitation journey. This was the 2nd most challenging day of the course.
Day content score: 5/5
To achieve the challenge coin, I spent the entirety of the morning completing the 2nd task that I left off the night before, completing the 3rd task and glueing all the steps together. I missed some bits of the training, but in the end, it was definitely worth it:
Morten Schenk and Alexandru Uifalvi are seasoned exploit developers with exceptional reverse engineering skills and a combined experience of ~25 years in the field. You could appreciate their knowledge, experience and intuition across the EXP-401 course material. Things explained in days easily took weeks, if not months, to research and reverse engineering to achieve. On top of that, they are also good content creators.
Their course is battle-tested, leaving little to no room for improvisation. I understand it’s hard to convey complex topics with substantial prerequisites in little time, I understand that it would have been their 100th time doing the same training course, that fatigue can arise after days of training (that’s true also for the attendees) and that the class wasn’t super reactive/showing significant progress. Live teaching is tough and keeping people involved and engaged even more. Still, on the delivery side, it sometimes felt like they were just reading through the material. Like when you are an attendee of a conference, and the speaker reads through the slide deck. Voice tone, highlighting important notes and not rushing some sections could have helped better convey the training content.
Don’t get me wrong, they are really great teachers, always open to answering your questions without giving out the exact answer but pointing you towards the right path. IMHO, they are great, but they are not the best. I would have preferred something similar to Corelan’s teaching* with different multimedia support, something a bit more engaging (exercise-wise) than giving out incremental files every few minutes.
There is always room for improvement.
*Full disclosure here: I think Corelan is the best instructor I have ever had. His usage of multiple multimedia to convey his teaching, voice tonality, and expressiveness makes it highly incisive. What he said during the courses is still stuck in my mind years after the training, and I only need a quick look at the slides he provided to refresh the entirety of the training course material.
Overall, the whole EXP-401 (AWE) experience is a 4,6/5. There is a reason why the EXP-401 is the flagship course of OffSec. It is super challenging, covers advanced topics, and is full of exploitation. I loved it! I wouldn’t have expected anything less from it. I would recommend it to anyone looking for advanced Windows exploitation content.
With that said, here are a couple of remarks I have regarding AWE:
- The allotted exercise time was not much; sometimes, it was barely enough to open the IDE, copy and paste the incremental file and test the result. I would have preferred fewer class-led exercises, starting from a specific step and working towards an outcome. That would also have favoured student collaboration, fervour of questions and discussion across the class regarding the different methodologies each one has taken.
e.g. if an exploit is divided into 14 steps, instead of going through all of the fourteen exercises live, I would have preferred the instructor explaining the content and then the class focusing only on the most critical steps (fewer exercises, just the most critical steps and more time for doing it)
- Price: that’s the elephant in the room. It is the best Windows Exploitation course out of here, with little to no competitors. It’s state of the art, but it is damn expensive (~15k€ at BHMEA and ~13k€ in London). I would love OffSec to pursue their own training courses without being coupled with major cybersecurity events like Black Hat because I’m pretty sure that’s inflating the price a lot.
- Given the steep price and the amount of material, always go for the 5-day-long course if possible. You’ll thank me later.
Wish me good luck with the exam; I’ll keep you posted.
Is AWE still relevant in 2024?
Yes, absolutely. I would say that it’s the state-of-the-art course in the Windows Exploitation field. It would give you excellent knowledge and insights into how experienced exploit developers work, the inventive and genius solutions they can think of, and an astonishing amount of homework to keep you learning and discovering. Still, you can take alternative and cheaper routes and courses, more in the “Alternative Windows Exploitation Resources” section.
How does it compare to SANS 760?
It doesn’t. To compare two things, they should be somewhat similar. Exp-401 is no match to SANS 760 (at least in its current state). You can read my thorough review of SANS 760 here: https://voidsec.com/sans-sec760-advanced-exploit-development-for-penetration-testers-review/
Will I be prepared to take it after EXP-301/OSED? When will I be ready to take the course?
Generally speaking, no, I do not think so. EXP-301 laid the foundations for EXP-401; it is a prerequisite, but it’s in no way sufficient. At the end of EXP-301, you will have a good understanding of x86 stack-based buffer overflows, shellcoding and a bit of reverse engineering, and that’s all.
You would need way more experience and practical exercises to tackle the EXP-401 course and follow along without feeling overwhelmed and lost.
To do so, you will need an advanced understanding and experience in reverse engineering, Windows internals (both userland and kernel mode) knowledge, Windows Heap allocators internals, and a lot of practical exploitation of modern bug classes such as Use After Free (UAF) and Type Confusions.
How much time/exercise will be needed after the course and before taking the exam?
It depends on your previous experience, but you can consider a lot of time. The amount of content to digest is enormous, and unless you already possess some knowledge in one or more of the topics covered in the course, you should consider almost one year of constant study in your spare time. That’s what I’m planning anyway, just to be sure I’ll be ready to face the challenge without burning out on the journey. Asking other certified members about it, the timeframe seems to align.
How do employers perceive the OSEE certificate?
OSEE is the industry’s most challenging exploit development certificate, and it is pretty helpful in applying to Vulnerability Research/Exploit Development (maybe also to red-teaming) roles. In most other cases, it is probably too of a niche to be considered by employers. Let’s put it that way: I would not be surprised not to find it as a requirement in most of the job postings out of here; it is definitely overkill for penetration testing roles.
Additional Windows Exploitation Resources
You managed to reach the end of my review, and if you’re interested in the content mentioned above, let me recommend some other courses (both free and paid) that cover these topics:
Software Implementation Vulnerabilities
Classes covering linear stack and heap-based buffer overflows, out-of-bound writes, integer overflows/underflows, uninitialised data access, race conditions, use after free, type confusion and more by OpenSecurityTraining2:
Windows Kernel Internals
- Architecture 2821 by OpenSecurityTraining2 (free, recorded)
- Windows Internals for Security Engineers by Yarden Shafir (4250€, live)
- WININT/KERINT by CodeMachine (~5000$ each, live)
Windows Heap Exploitation
- Windows Heap Exploitation (Advanced) by Peter Van Eeckhoutte (~4000€, live). You can read my review of the course here.
Windows Kernel Exploitation
- Windows Kernel Exploitation Advanced by Ashfaq Ansari (~4000€, live)
- Exploitation 4011 by OpenSecurityTraining2 (free, recorded) or the Windows Exploit Engineering Foundation by Cedric Halbronn (same author) (4250€, live)