Back to Posts

Share this post

OffSec EXP-401 Advanced Windows Exploitation (AWE) – Course Review

Posted by: voidsec Post Date: January 18, 2024
Reading Time: 13 minutes

In November of last year, I took the OffSec EXP-401 Advanced Windows Exploitation class (AWE) at Black Hat MEA. While most of the blog posts out of there focus on providing an OSEE exam review, this blog post aims to be a day-by-day review of the AWE course content.

OffSec Exp-401 (AWE)

During the first day of AWE, the instructors shared with us the following slide:

That’s to explain the “difficulty” of the course for each day. Needless to say, your mileage may greatly vary depending on the prior knowledge of each section you already have.

For example, I found day 3 (Edge browser exploitation and sandbox escape content) the most difficult, as I had limited exposure to browser exploitation topics before, while the Windows kernel topic, which is generally ranked as the most demanding, was still intense but pretty doable for me given the fact I’m already comfortable with that topic. Here is my personal breakdown of the difficulty level of each day depending on the course content:

Each day was roughly split in half, half content before lunch and half later, with in-between exercise sections on each topic, gradually building the POC and exploit.

Day 1 – Custom Shellcode Creation and VMware Workstation Internals

While I didn’t like the chapter on “Creating Custom Shellcode” in the EXP-301 course, specifically due to the use of Python, CTypes, and the Keystone framework, I can definitely see the improvement they made for AWE. Keep in mind that this section in AWE is only a light 22-page refresher and not an entire dissertation on the topic; they greatly built on top of the knowledge and gently expanded the material that was already present in EXP-301 (58 pages), for instance:

  • It skips x86 and directly explains x64 shellcoding.
  • No more Python: Create shellcodes using Visual Studio and assembly instructions.

It was definitely better explained and expressed than EXP-301; the only downside is that it was not challenging for me. I could bear that, thinking about all the advanced topics I was going to see and reading the material ahead to start formulating questions for the following chapters.

The second half of the day was on VMware Workstation internals. Even if I had limited experience with hypervisors, it was easy to follow along. The material regarding the Front-End and Back-End allocators is scarce (6 pages). The UAF case is a pretty standard one, especially if you already have experience with this bug class and the Windows allocators. The UAF they chose was straightforward, with little “background noise” from the application. It was an easy case per se, but I can easily see myself standing on top of the knowledge I acquired in the Corelan Advanced class (which I strongly recommend).

IMHO, this section is an excellent introduction to what will follow; people who cannot go through it easily should reconsider their participation to the course. It is not going to be easier.

Day content score: 4/5

Day 2 – VMware Workstation Guest-to-Host Escape and Edge Internals

The second day was a continuation of the VMware exploit; the real meat was performing the Guest-to-Host Escape. The exploitation process was mostly linear, with enough twists here and there to keep me engaged.

A fascinating section was the Windows Defender Exploit Guard bypass, with defeating the EAF countermeasure being the most challenging, especially as there isn’t much documentation on it.

At the end of the day, there was also a quick introduction to the Chakra Core internals.

Day content score: 5/5

Day 3 – Edge Type Confusion, Mitigations Bypass and Sandbox Escape

The third day began from where we left off the day before, continuing the analysis of the type confusion vulnerability affecting Microsoft Edge. It was mostly smooth until the first mitigations were introduced; then, the difficulty quickly ramped up.

We were first greeted by CFG, then CET and ACG, but things really became ugly when dealing with the sandbox escape (2nd half of the day). The amount of work put into this section is enormous, a whopping 42 pages full of advanced information. Even if that doesn’t seem a lot, the amount of knowledge packed into the section is vast. You can really feel the experience and creativity of the trainers. Just the reverse engineering session needed to understand the sandbox escape is probably worth a month of work.

So, the second half of the day was really a mess to go through for me. I finished the day completely fried, and my brain was completely melted. Again, remember that I had little to minimal exposure to browser exploitation topics before (especially recent ones).

The extra mile exercise for the day was one of the three granting the precious challenge coin; knowing that I could not compete in this topic, I decided to call it a day and go to sleep early to recharge and be ready for the following day.

Day content score: 5/5

Day 4 –Windows Kernel Internals and Driver Callback Overwrite

The fourth day was entirely focused on Windows driver exploitation, with the first part of the content being an induction to Windows kernel internals, kernel debugging and kernel mitigations.

Then, we were introduced to a vulnerability (callback overwrite) present in a 3rd party driver, how to gain a kernel read/write primitive, how to restore the execution flow and the Meltdown and KVA Shadow.

To me, it was the most interactive session of the course, with the most exercises and steps to be done during the class.

The extra mile exercise was the second one granting the challenge coin. Given that most of my knowledge and experience in Windows exploitation is either in userland enterprise applications or Windows Kernel, I knew I had to fire all my shots at this target. I knew I had the night plus part of the next day trying to solve it, while the last exercise only had the last day of the course to work on. As I didn’t like the option of working on the extra mile exercise during the lesson, in order not to miss important bits and take notes, I decided to focus on that one instead of waiting for the third one.

I returned from the training and immediately started working on the exercise, tackling the first of three tasks. Then, I had a break for dinner and, fully restored, I worked on the second task. I set a timer in order to have enough sleep time for the last training day, and when it triggered, I went to sleep even if I was almost at the end of the 2nd task.

Day content score: 5/5

Day 5 – Unsanitized User-mode Callback and Native Windows Driver Exploitation

On the last day of the course, we covered native Windows Driver Exploitation (Win32k), specifically the graphical interface. All the setup required to achieve reliable primitives and have the exploit work was insane. We faced Virtualization Based Security (VBS), HVCI, CET, and kCFG during our exploitation journey. This was the 2nd most challenging day of the course.

Day content score: 5/5

To achieve the challenge coin, I spent the entirety of the morning completing the 2nd task that I left off the night before, completing the 3rd task and glueing all the steps together. I missed some bits of the training, but in the end, it was definitely worth it:

Instructors

Morten Schenk and Alexandru Uifalvi are seasoned exploit developers with exceptional reverse engineering skills and a combined experience of ~25 years in the field. You could appreciate their knowledge, experience and intuition across the EXP-401 course material. Things explained in days easily took weeks, if not months, to research and reverse engineering to achieve. On top of that, they are also good content creators.

Their course is battle-tested, leaving little to no room for improvisation. I understand it’s hard to convey complex topics with substantial prerequisites in little time, I understand that it would have been their 100th time doing the same training course, that fatigue can arise after days of training (that’s true also for the attendees) and that the class wasn’t super reactive/showing significant progress. Live teaching is tough and keeping people involved and engaged even more. Still, on the delivery side, it sometimes felt like they were just reading through the material. Like when you are an attendee of a conference, and the speaker reads through the slide deck. Voice tone, highlighting important notes and not rushing some sections could have helped better convey the training content.

Don’t get me wrong, they are really great teachers, always open to answering your questions without giving out the exact answer but pointing you towards the right path. IMHO, they are great, but they are not the best. I would have preferred something similar to Corelan’s teaching* with different multimedia support, something a bit more engaging (exercise-wise) than giving out incremental files every few minutes.

There is always room for improvement.

Score: 4/5

*Full disclosure here: I think Corelan is the best instructor I have ever had. His usage of multiple multimedia to convey his teaching, voice tonality, and expressiveness makes it highly incisive. What he said during the courses is still stuck in my mind years after the training, and I only need a quick look at the slides he provided to refresh the entirety of the training course material.

Overall

Overall, the whole EXP-401 (AWE) experience is a 4,6/5. There is a reason why the EXP-401 is the flagship course of OffSec. It is super challenging, covers advanced topics, and is full of exploitation. I loved it! I wouldn’t have expected anything less from it. I would recommend it to anyone looking for advanced Windows exploitation content.

With that said, here are a couple of remarks I have regarding AWE:

  • The allotted exercise time was not much; sometimes, it was barely enough to open the IDE, copy and paste the incremental file and test the result. I would have preferred fewer class-led exercises, starting from a specific step and working towards an outcome. That would also have favoured student collaboration, fervour of questions and discussion across the class regarding the different methodologies each one has taken.

e.g. if an exploit is divided into 14 steps, instead of going through all of the fourteen exercises live, I would have preferred the instructor explaining the content and then the class focusing only on the most critical steps (fewer exercises, just the most critical steps and more time for doing it)

  • Price: that’s the elephant in the room. It is the best Windows Exploitation course out of here, with little to no competitors. It’s state of the art, but it is damn expensive (~15k€ at BHMEA and ~13k€ in London). I would love OffSec to pursue their own training courses without being coupled with major cybersecurity events like Black Hat because I’m pretty sure that’s inflating the price a lot.
  • Given the steep price and the amount of material, always go for the 5-day-long course if possible. You’ll thank me later.

Wish me good luck with the exam; I’ll keep you posted.

FAQ

Is AWE still relevant in 2024?

Yes, absolutely. I would say that it’s the state-of-the-art course in the Windows Exploitation field. It would give you excellent knowledge and insights into how experienced exploit developers work, the inventive and genius solutions they can think of, and an astonishing amount of homework to keep you learning and discovering. Still, you can take alternative and cheaper routes and courses, more in the “Alternative Windows Exploitation Resources” section.

How does it compare to SANS 760?

It doesn’t. To compare two things, they should be somewhat similar. Exp-401 is no match to SANS 760 (at least in its current state). You can read my thorough review of SANS 760 here: https://voidsec.com/sans-sec760-advanced-exploit-development-for-penetration-testers-review/

Will I be prepared to take it after EXP-301/OSED? When will I be ready to take the course?

Generally speaking, no, I do not think so. EXP-301 laid the foundations for EXP-401; it is a prerequisite, but it’s in no way sufficient. At the end of EXP-301, you will have a good understanding of x86 stack-based buffer overflows, shellcoding and a bit of reverse engineering, and that’s all.

You would need way more experience and practical exercises to tackle the EXP-401 course and follow along without feeling overwhelmed and lost.

To do so, you will need an advanced understanding and experience in reverse engineering, Windows internals (both userland and kernel mode) knowledge, Windows Heap allocators internals, and a lot of practical exploitation of modern bug classes such as Use After Free (UAF) and Type Confusions.

How much time/exercise will be needed after the course and before taking the exam?

It depends on your previous experience, but you can consider a lot of time. The amount of content to digest is enormous, and unless you already possess some knowledge in one or more of the topics covered in the course, you should consider almost one year of constant study in your spare time. That’s what I’m planning anyway, just to be sure I’ll be ready to face the challenge without burning out on the journey. Asking other certified members about it, the timeframe seems to align.

How do employers perceive the OSEE certificate?

OSEE is the industry’s most challenging exploit development certificate, and it is pretty helpful in applying to Vulnerability Research/Exploit Development (maybe also to red-teaming) roles. In most other cases, it is probably too of a niche to be considered by employers. Let’s put it that way: I would not be surprised not to find it as a requirement in most of the job postings out of here; it is definitely overkill for penetration testing roles.

Additional Windows Exploitation Resources

You managed to reach the end of my review, and if you’re interested in the content mentioned above, let me recommend some other courses (both free and paid) that cover these topics:

Software Implementation Vulnerabilities

Classes covering linear stack and heap-based buffer overflows, out-of-bound writes, integer overflows/underflows, uninitialised data access, race conditions, use after free, type confusion and more by OpenSecurityTraining2:

Windows Kernel Internals

Windows Heap Exploitation

Windows Kernel Exploitation

Hypervisor Exploitation

Hypervisor Vulnerability Research or Advances Hypervisor Exploitation by Alisa Esage (~2500€, recorded)

Back to Posts

Related Posts

June 15, 2023

Reverse Engineering Terminator aka Zemana AntiMalware/AntiLogger Driver

Read More
January 18, 2023

SANS SEC760: Advanced Exploit Development for Penetration Testers – Review

Read More
December 22, 2022

Naughty List Challenge Write-Up – X-MAS CTF

Read More
December 1, 2022

Windows Exploitation Challenge – Blue Frost Security 2022 (Ekoparty)

Read More
July 21, 2022

Browser Exploitation: Firefox Integer Overflow – CVE-2011-2371

Read More
January 20, 2022

Windows Drivers Reverse Engineering Methodology

Read More
December 16, 2021

Merry Hackmas: multiple vulnerabilities in MSI’s products

Read More
October 27, 2021

Driver Buddy Reloaded

Read More
September 29, 2021

Crucial’s MOD Utility LPE – CVE-2021-41285

Read More
August 25, 2021

Homemade Fuzzing Platform Recipe

Read More
July 28, 2021

Root Cause Analysis of a Printer’s Drivers Vulnerability CVE-2021-3438

Read More
May 19, 2021

Reverse Engineering & Exploiting Dell CVE-2021-21551

Read More
May 5, 2021

CVE‑2021‑1079 – NVIDIA GeForce Experience Command Execution

Read More
April 28, 2021

Malware Analysis: Ragnarok Ransomware

Read More
April 14, 2021

Exploiting System Mechanic Driver

Read More
March 17, 2021

Fuzzing: FastStone Image Viewer & CVE-2021-26236

Read More
February 24, 2021

Software Testing Methodologies & Approaches to Fuzzing

Read More
November 18, 2020

Tivoli Madness

Read More
October 7, 2020

.NET Grey Box Approach: Source Code Review & Dynamic Analysis

Read More
August 11, 2020

CVE-2020-1337 – PrintDemon is dead, long live PrintDemon!

Read More
May 13, 2020

A tale of a kiosk escape: ‘Sricam CMS’ Stack Buffer Overflow

Read More
April 8, 2020

Tabletopia: from XSS to RCE

Read More
April 2, 2020

SLAE – Assignment #7: Custom Shellcode Crypter

Read More
April 2, 2020

SLAE – Assignment #6: Polymorphic Shellcode

Read More
March 26, 2020

SLAE – Assignment #5: Metasploit Shellcode Analysis

Read More
March 17, 2020

SLAE – Assignment #4: Custom shellcode encoder

Read More
March 13, 2020

Perform a Nessus scan via port forwarding rules only

Read More
February 20, 2020

SLAE – Assignment #3: Egghunter

Read More
January 22, 2020

SLAE – Assignment #2: Reverse TCP Shell

Read More
January 9, 2020

SLAE – Assignment #1: Bind TCP Shell

Read More
December 23, 2019

SCADA, A PLC’s Story

Read More
October 2, 2019

SolarPuttyDecrypt

Read More
July 17, 2019

Windows Kernel Debugging & Exploitation Part1 – Setting up the lab

Read More
June 19, 2019

State of Industrial Control Systems (ICS) in Italy

Read More
April 24, 2019

Rubyzip insecure ZIP handling & Metasploit RCE (CVE-2019-5624)

Read More
November 16, 2018

A Drone Tale

Read More
August 30, 2018

Telegram Secret Chat Bug

Read More
electron July 20, 2018

Instrumenting Electron Apps for Security Testing

Read More
May 18, 2018

GraphQL – Security Overview and Testing Tips

Read More
March 27, 2018

VPN Leak

Read More
December 30, 2017

Uncommon Phishing and Social Engineering Techniques

Read More
September 18, 2017

Analysis of the Joomla RCE (CVE-2015-8562)

Read More
June 30, 2017

Descending into Cybercrime

Read More
May 30, 2017

VoidSec CTF: Secure the Flag – Writeup

Read More
March 27, 2017

Cerber Dropper Ransomware Analysis

Read More
January 13, 2017

Hacking the DJI Phantom 3

Read More
November 3, 2016

HackInBo 2016 – Winter Edition

Read More
July 3, 2016

Cybersecurity in Italy

Read More
May 19, 2016

The Curse of the Antivirus Solution

Read More
May 4, 2016

ImageTragick PoC

Read More
April 21, 2016

Phorum – Full Disclosure

Read More
April 19, 2016

LinkedIn – CSV Excel formula injection

Read More
April 13, 2016

Avactis – Full Disclosure

Read More
March 1, 2016

Backdoored OS

Read More
March 1, 2016

Backdoored OS

Read More
January 28, 2016

Keybase

Read More
January 28, 2016

KeyBase

Read More
December 22, 2015

Aethra Botnet

Read More
December 22, 2015

Aethra Botnet

Read More
November 20, 2015

Tecniche Evasive #2

Read More
November 16, 2015

WineHat 2015

Read More
October 26, 2015

Reportage: HackInBo 2015 – Winter Edition

Read More
October 15, 2015

DiamondFox

Read More
October 6, 2015

Pirate’s Night Show

Read More
October 1, 2015

Deep Web & Hacking Communities

Read More
September 24, 2015

Tecniche Evasive

Read More
July 2, 2015

Secure The Flag

Read More
June 18, 2015

Minds.com – Full Disclosure

Read More
June 17, 2015

HTML5 Injection

Read More
May 28, 2015

Reportage: HackInBo 2015 – Lab Edition

Read More
April 21, 2015

Host Header Injection

Read More
April 12, 2015

Android (Un)Security Guidelines

Read More
March 11, 2015

Panoramica degli Attacchi 2014

Read More
March 7, 2015

Report: Ghost Blogging Platform

Read More
February 1, 2015

GHOST, Analisi Tecnica

Read More
January 11, 2015

Botnet

Read More
December 8, 2014

Report: Yahoo Messenger

Read More
December 3, 2014

Poodle

Read More
October 30, 2014

NewPosThings Hacked & Exposed

Read More
HackInBo October 14, 2014

Reportage: HackInBo 2014 – Winter Edition

Read More
September 27, 2014

Shellshock/BashBug

Read More
September 22, 2014

Trend Watch: Drop Hack

Read More
August 12, 2014

WhatsHack

Read More
June 25, 2014

Attacchi DDoS: Hit and Run

Read More
May 29, 2014

TrueCrypt, mistero d’autore

Read More
May 16, 2014

Reportage: HackInBo 2014

Read More
April 12, 2014

Reportage: Deftcon 2014

Read More
April 11, 2014

Heartbleed Bug

Read More
April 8, 2014

Windows XP

Read More
March 20, 2014

Phishing Coinbase bitcoin

Read More
March 14, 2014

Ransomware Virus Killer

Read More
February 14, 2014

Droidcon Italy 2014

Read More
February 1, 2014

Bulletproof Hosting

Read More
January 8, 2014

Black Hat SEO

Read More
November 24, 2013

Report: McDonald’s Wi-fi Login System

Read More
October 27, 2013

Linux Day: Penetration Test con Kali Linux

Read More
October 18, 2013

Trend Watch: DDoS

Read More
October 11, 2013

Skype Social Engineering

Read More
HackInBo October 2, 2013

Reportage: HackInBo 2013

Read More
September 9, 2013

Analisi di un Dropper

Read More
August 3, 2013

Symantec Cyber Readiness Challenge

Read More