As I have a penchant for offsec courses, I decided to take the Advanced Windows Exploitation (AWE) course this year. As the name suggests, AWE is an advanced course from Offensive Security that is conducted live at Black Hat USA. As for the difficulty level, this is the hardest course Offensive Security has to offer.
This is what Offensive Security says about AWE:
“This is the hardest and most intense Offensive Security course we offer and requires a lot of commitment from the students”
Prerequisites:
Anyone taking this course must be comfortable with the following:
- WinDbg
- Immunity Debugger
- IDA
- Assembly
- x86 architecture
- x64 architecture
- Python scripting
- JavaScript
- C/C++
- Will to try harder
Note: prerequisites are not limited to the ones listed above
What do you learn from the course?
- Custom shellcode creation
- Precision heap spray
- Bypassing latest mitigations on Windows 10
- Windows Kernel exploitation
- Constructing ROP chains
Note: the course has much more to offer than the ones listed above
How did it start?
I had read a few blogs on the AWE course and was aware of the knowledge it imparts. In 2017, after I passed OSCE, I decided to take up the AWE course and started planning for it.
Firstly, I went through the tweets by @offsectraining and @BlackHatEvents, which made me realise the following:
1) The Black Hat USA registration opens in the month of January
2) The seats for the AWE course sell out within a day
I knew that the training fee for the AWE course at Black Hat USA was $5000 and the whole trip would cost me at least around $10,000, so now it was apparent that I had to make $10,000 before January 2018.
Whenever I need to earn a few bucks I resort to bug bounties. I had planned to give 3 hours every Sunday to bug bounties (as I have a full-time job, it's not possible to do bug bounties on a daily basis). Eventually, after 3 months, I was able to earn the needed amount.
Registration:
After being observant throughout the month of January, @BlackHatEvents tweeted:
And I registered for the AWE course right away. This time the AWE course sold out within 3 hours.
Note: After the registration Black Hat gives you 2 weeks to finish with the payment, or else your seat will be deallocated.
Note: Once your payment is confirmed, Black Hat will provide you with an invitation letter that can be used for the US visa interview.
A few weeks after the registration, Offensive Security sent me an email with a pre-course challenge. This challenge checks whether the student has the basic knowledge to understand the course content.
It’s important to know that the course is much more advanced than the challenge, hence the completion of the challenge does not guarantee the course to be all smooth sailing.
A few days before the training, I received another email from Offensive Security with the list of topics and the links that need to be studied. I read most of the topics mentioned in the email.
Training:
The class had 30 students and 3 trainers (ryujin, sickness, blomster). All the trainers were very helpful and were always ready to resolve all our queries; they also ensured that everyone in the class understood the concepts that were taught.
Day 1:
The training started with an introduction to heap spray and Flash Player heap internals, followed by a case study of “CVE-2015-3104”. Here we used the heap spraying technique to spray a large number of ByteArray objects and created holes on the heap by nullifying the ByteArrays, so our vulnerable allocation ends up in one of the holes created. After that we were shown how to gain read/write access to the memory space; we then bypassed ASLR by leaking a pointer to the NPSWF DLL. Once we bypassed ASLR, we were shown how to gain code execution and bypass DEP by using ROP chains.
Day 2:
We started the second day by escaping the sandbox protection. This was done by exploiting a vulnerability in Symantec Endpoint Protection that was installed on the VM; after successful exploitation and shellcode manoeuvre we were able to get a Meterpreter shell. We also bypassed Windows Defender Exploit Guard (WDEG), which is a replacement for EMET in the Windows 10 Fall Creators Update (as EMET has reached its end-of-life support).
In the second half, we were taught about the behaviour of JavaScript code on 64-bit, followed by a case study of a type confusion bug, “CVE-2017-8601”, found by the Google Project Zero team in Microsoft Edge. The offsec team showed us how to gain the read/write primitive, and eventually we were able to bypass ASLR by leaking a pointer to Chakra.dll.
I did expect the AWE training to be intense, but now it was just getting more and more convoluted.
Day 3:
To make life even worse, we had to bypass two new protections called Control Flow Guard (CFG) and Arbitrary Code Guard (ACG). CFG was bypassed by overwriting a return address on the stack and taking control of the instruction pointer, while ACG was bypassed by duplicating the handle to the JIT compilation process from the exploited rendering process and then using the duplicated handle to communicate with the JIT compilation process. We achieved code execution by using a ROP chain, thereby bypassing DEP in the process. We also escaped the sandbox protection by exploiting a kernel vulnerability in the win32kfull.sys driver to get a shell with system privileges.
By this time I was traumatised.
After a short lunch break and two cups of coffee I was able to regain my composure.
In the second half, we started with 64-bit kernel driver exploitation, in which the communication with drivers was explained along with the privilege levels and the token stealing payload. We also got an overview of the vulnerability “CVE-2015-5736” reported by Core Security.
Day 4:
On the fourth day, the offsec team introduced us to memory paging and structures. We were also shown how to bypass Supervisor Mode Execution Prevention (SMEP); SMEP prevents the transfer of execution control from kernel space to user space. Our next challenge was to get a shell from a low integrity level, which means we can’t use APIs like EnumDeviceDrivers or NtQuerySystemInformation to get the base address of “ntoskrnl”. We did this by exploiting an arbitrary read vulnerability to leak a pointer which will eventually give us the base address. Once we obtained the base address of “ntoskrnl”, we were able to construct a ROP chain to bypass SMEP and execute the token stealing payload, thereby giving us a privileged shell.
Pre-Exam:
Just like other offsec courses, there is a certification associated with AWE called Offensive Security Exploitation Expert (OSEE), so after the training I scheduled the OSEE exam and started preparing for it:
- Firstly, I went through the course material and solved all the exercises and the extra mile challenge
- Practiced with HackSys Extreme Vulnerable Driver (HEVD)
- Went through the below exploits:
  - Avast! 4.7 – ‘aavmker4.sys’ Local Privilege Escalation
  - Microsoft Windows XP/2003 – ‘afd.sys’ Local Privilege Escalation (MS11-080)
  - Microsoft Windows 8.0/8.1 (x64) – ‘TrackPopupMenu’ Local Privilege Escalation (MS14-058)
Exam:
You will have 2 challenges that need to be completed within 72 hours. The exam is much more difficult and time consuming compared to OSCP & OSCE. All the skills needed to pass the exam are taught in the course.
I started my exam at 2.30 AM. I was able to complete one of the challenges within 15 hours and then took a 7 hour nap. I then started to solve the 2nd challenge and soon was stuck at a certain point; this is when I decided to hit the bed again. After a few hours of sleep I woke up and started where I had left off, and within a few hours I was able to complete the 2nd challenge.
Next day I finished with the documentation and submitted it. A day later I got an email from Offensive Security stating that I had cleared the exam.
I would like to thank Offensive Security for yet another fantastic course and all those who have guided and supported me throughout the whole journey.
Hi Arnold
Nice to read your journey in BlackHat
You have demonstrated how focus and sustained efforts can achieve success.
Thanks for sharing your experience.
Thanks Sir
Yet another milestone … Congratulations Arnold
Thanks Man
Arnold reading your blog gives me inspiration. Keep it up.
Thanks bro
Hey Arnold I know it’s a few months later but congrats on OSEE. Definitely inspiring people who love security to take the cert. I hope I can reach this level as I am still on OSCP. I am going to get there whatever it takes. Cheers!
Thanks and Good Luck mate!!!