This post is a summary of my journey to obtaining the Offensive Security Exploit Developer (OSED) certification.
Before diving into the article, here are the most common questions regarding the OSED exam:
Is OSED difficult?
- Yes, it is. This was the hardest Offensive Security exam I took, compared to OSWE, OSCP and OSEP. Of course, it might not be the same for you. If you’re already an exploit developer with experience on Windows or a malware analyst with an extensive reverse engineering background, you might not be as challenged by this exam. If not, you’ll encounter plenty of fun challenges in your journey.
How many attempts are there for OSED?
- You have unlimited attempts, as long as you pay the retake fee. As always, everything you need to pass is in the course. Proper time-management during the exam is critical and lack of it is also what led to my first failure.
Is OSED an entry level certification?
- The course for OSED is named EXP-301 in OffSec's notation. Courses numbered 30x are supposed to be advanced. That said, the concepts taught in EXP-301 create a good foundation for a beginner malware analyst or exploit developer.
Can I get a job after OSED?
- OSED is a newer certification from Offensive Security, so it might not be well known by hiring managers.
Does OSED expire?
- No, the OSED is a lifetime certification.
How long is the OSED/EXP-301 course?
- Like all current OffSec certifications, you can get a minimum of 90 days of lab time or you can go with one of the subscriptions. 90 days were enough for me to solve the labs and extra miles.
What should I learn before OSED?
- From the official website: know how to use a debugger (ImmunityDBG or OllyDBG), familiarity with basic exploitation concepts on 32-bit, familiarity with writing Python 3 code, ability to read and understand C code at a basic level (optional but recommended), ability to read and understand 32-bit assembly code at a basic level (optional but recommended).
What is the syllabus of EXP-301 course?
- Here it is: https://www.offensive-security.com/documentation/EXP301-syllabus.pdf
How long will it take to prepare for the OSED?
- Depends on your experience with assembly, reverse engineering, Windows memory protection mechanisms, ROP and shellcode writing. Three months of lab time should be enough, but you might get there quicker if you’re familiar with some of those concepts.
What is the format of the OSED exam?
- It’s a 48-hour exam plus another 24 hours to write a report. For OSED, you don’t have to write a “professional” report like a pentester would (as you have to do for OSCP).
What positions would benefit from the OSED?
- Application security engineers, penetration testers, red-team operators, exploit developers, security researchers, malware analysts, and software developers working on security products.
Is OSED proctored?
- Yes, it’s an online, proctored exam.
The Offensive Security Exploit Developer certification, earned through the Windows User Mode Exploit Development course, is one of the three certifications that get you the prestigious OSCE3 title, together with OSWE & OSEP. OSCE3 (Offensive Security Certified Expert 3) is a certification which replaced the now defunct OSCE certification that students would get when completing the Cracking The Perimeter (CTP) course. The CTP materials have been broken down into three separate courses:
- Advanced Web Attacks and Exploitation (OSWE)
- Evasion Techniques and Breaching Defenses (OSEP)
- Windows User Mode Exploit Development (OSED)
Road to becoming an OSED
Having taken two swings at the OSED exam, I can affirm it was the most difficult and at the same time most interesting certification I’ve obtained from Offensive Security. If you’re asking yourself whether EXP-301/OSED is worth it, I say it definitely is! That is, unless you’re an experienced exploit developer, in which case you probably already know all the techniques being taught in the course.
However, if you’re like me, you’ll discover an awesome foundational exploit development course. I’ve gained new skills and taken old ones to an entirely different level in several areas like reverse engineering, assembly, writing shellcode, stack manipulation and ROP chains. Working in Product Security often involves wearing several hats and working cross-team, so having exploit development skills does help you cover more disciplines. Of course, if you only work with Java web applications for example, this probably won’t help you much other than getting you closer to OSCE3. It’s up to you to decide if it’s worth your time and resources.
What is the Windows User Mode Exploit Development [EXP-301] course about?
EXP-301 is targeted at professionals who have some experience in finding known vulnerabilities and using public exploits to attack them. The course presents exploit development for binary applications on the Windows operating system. It also provides an introduction to reverse engineering binary applications to help locate those vulnerabilities.
Here’s a quick summary of the syllabus:
- Reverse engineering
- Introduction to WinDbg & IDA Free
- Exploiting stack & SEH overflows
- Writing custom shellcode
- Bypassing memory protections (DEP & ASLR) & ROP chains
- Format string specifier attacks
I’ve found the “Format string specifier” part a bit concise. But rest assured, you do learn how to read and write memory which is enough to write an exploit if you do encounter similar vulnerabilities.
Things to know about EXP-301
The course is made for 32-bit machines, which makes it a bit easier to understand the basics. Furthermore, it doesn’t take a huge effort to move from writing 32-bit exploits to 64-bit. It’s a lot easier than going from nothing to 32-bit, so it should be easy enough.
Another thing to be aware of is that you’re going to use IDA Free during the course and the exam. Basically you can’t make use of the “easy to understand C code” offered by IDA Pro's decompiler. You have to manage with assembly only.
A cool thing about the course is that you’ll be learning vulnerability discovery and exploit development on modern software used in the wild. So it’s not custom code with made-up vulnerabilities; it’s actually real software that you have to reverse engineer, understand and exploit. Don’t worry, the course walks you through all of that in its 600+ pages of content.
I didn’t need to go over extra materials, other than what’s already in the course. As a matter of fact, I didn’t even do all the extra miles. In my defense, a few of them were marked as “advanced/highly difficult” in the course. I did have some prior knowledge gathered from OSCP, but most of my experience with exploits comes from HackTheBox and CTFs.
The hardest parts for me were identifying bugs using reverse engineering and finding the proper ROP gadgets.
The Offensive Security Exploit Developer Exam
As I said, I passed the OSED the second time I took it.
The first attempt
The exam consists of 3 challenges. You have to complete 2 of them to pass. I started the first challenge and everything seemed to be like in the course. As time went by, everything seemed similar, but with a twist. I ended up working about 20 hours, including short breaks, on the first challenge. At least after all that effort, I did complete it. I had a fully working reverse shell! Already very tired, I went to sleep. The next day, I started working on another challenge which I thought I would handle better. That was a mistake. I wasn’t able to finish it in time, and you only get points for completed challenges. Having exhausted the allocated exam time and having looked at only 2 of the 3 challenges, I went to sleep disappointed. On the third day, I wrote the report and a few days later, I got the expected response: I had failed.
Second time’s a charm
The second time, I already knew what to expect from the exam. I managed my time better and everything fell into place a lot sooner. About 8 hours in, I finished the first challenge! Oh, the rush! Another 6 hours and I had enough points to pass (as long as I didn’t mess up the report, of course). At that point, I went to sleep, content with the progress I had made. The next day, I spent about 16 hours on the remaining challenge, with good progress, but without achieving a complete working exploit. Gah, it is what it is! I decided to spend the rest of the time making sure I had everything I needed for the report and called it a day. The next day, I wrote the report and in a couple of days I got the “you passed” email. Hurray!
OSED exam takeaways
- Take breaks, eat & sleep. I didn’t take enough breaks during my first attempt because I panicked due to the lack of progress, which gave me “tunnel vision” and made me miss some things. Don’t be like me.
- Comment your stuff: in IDA (use color-coding!) and in your exploits.
- Practice ROP. In the course, try to find multiple ways of making a ROP chain.
- Join the OffSec Discord. That’s where I found out that you might need to know how to resolve IAT entries without IDA. And I learned lots of assembly tricks.
The OSED was the hardest exam I have taken from OffSec yet, harder than OSCP and OSWE. But that made passing an even more rewarding challenge! And the skills I gained make me a better AppSec Engineer! Next on my to-do list is to get on the path to OSEP and OSCE3! Happy hacking!