OSED Review - Offensive Security Exploit Developer

Captions
Hey everybody, what's up? My name is John Hammond. I wanted to see if I could get through the intro to this video without cheesing, you know, without grinning from ear to ear, because I'm happy. I'm pretty pleased. So for those of you that aren't tracking, if you aren't maybe cyber-stalking me on social media, over the past weekend I was taking my OSED exam. OSED is the Offensive Security Exploit Developer, and that's a certification exam that would follow the Windows User Mode Exploit Developer course that Offensive Security puts out.

So a little bit of background, a little bit of backdrop, before I dive into this video, although this video is going to be a review of that course, Windows User Mode Exploit Developer, and OSED, however you want to call it, Offensive Security's Exploit Developer exam: the certification, the training, the preparation, etc., just my perspective. So first let me tell the story. If you aren't familiar with the OSED course, if you aren't familiar with WUMED, Windows User Mode Exploit Developer, it is a course in binary exploitation and reverse engineering. So this follows off the tails of OSCP, or the Offensive Security Certified Professional, where in that course, at that foundational, fundamental level, you as the student would work through a buffer overflow exercise, just a classic vanilla stack-based buffer overflow. But OSED takes that one step further, and not just one step further but a lot of steps further. Now that you're following on from a buffer overflow, you'll be looking at SEH exploits, or the Structured Exception Handler. You're going to be working with egghunters. You're going to be working with shellcode, custom shellcode, shellcode that you might write yourself. And then DEP, the Data Execution Prevention security mitigation: you'll be trying to bypass that so you can still execute your shellcode off the stack. You'll be bypassing ASLR, or Address Space Layout Randomization, another security mitigation. It's super cool. It's a lot of in-the-weeds technical stuff, because you're literally looking through assembly opcodes, or writing assembly opcodes, or developing a ROP chain, return-oriented programming. Tons and tons of stuff.

This course, EXP-301 or the Windows User Mode Exploit Developer course, came from a blog post that Offensive Security published back in August of 2020. They originally wrote that their old course, OSCE, that came from Cracking the Perimeter, or CTP, was going to be retired, and I think the community was pretty happy to hear this, because that course was old and dated. It was still using BackTrack Linux and was working through Immunity Debugger for teaching some older techniques, so it was ready for a welcome revamp. So when Offensive Security had announced that they were retiring that course, they also said they were going to be releasing two new courses, one of which was the Offensive Security Experienced Penetration Tester, or OSEP, and I have a video on that previously on my channel, and this course that I'm talking about right now, the Windows User Mode Exploit Developer, or OSED.

Now I was pretty excited about this news, because with that, Offensive Security had said the OSCE name, for Certified Expert, was now going to sort of be transformed and have a special designation as the OSCE3: if a student were to hold three certifications between the Offensive Security Experienced Penetration Tester (OSEP), Exploit Developer (OSED), and OSWE, their Advanced Web Attacks and Exploitation certification and training, then they would automatically be designated as OSCE3, and that you are really an Offensive Security Certified Expert and can certainly crack the perimeter between your knowledge of web application security, Active Directory and Windows domain stuff, as well as Windows exploits and reverse engineering, etc. So I was pretty excited about this. You guys know me for one
thing: I love Offensive Security. I love their training. I love that it's a challenge. I love that it's just something to prove yourself and to learn from, and I was super stinking excited. If you check out the other video where I talk about OSEP, or the Experienced Penetration Tester, I'm talking about how I just dive right in to the new course as soon as it is released, and this course, OSED, the Exploit Developer, is absolutely no different.

Okay, now that I have the five minutes of background explanation out of the way, I want to break down what I want to do in this video. So first I want to offer a timeline as to how I was pursuing this course, then the exam, right. I'll talk about how I prepared, how I trained, how I studied, kind of my workflow. I'll talk about the exam as much as I can, being super vague, and I'll talk about the report, the reporting process that's necessary after the exam, and I'll try and answer questions that I had asked for before recording this, to try and make sure I get some of the points that I know you as the audience might want to listen in on and get the perspective. I will try to include timestamps in the description so you can click into whatever parts of the video you would like to check out. But without further ado, I guess I'll get started on the timeline, how this process looked for my OSED review.

So as I mentioned, I was super duper excited when this course dropped. I think I originally got the email back on like January 27th of this year, and I was stoked. So you know me, I have a cannonball mentality for taking certs and training, so I signed up right away, the very same day, as soon as it was available. I wanted to make sure that I could book my spot and get started with the labs, get started with the course and the material, as quickly as I could. So the very same day I signed up, January 27th, and it lets me know: hey, Saturday, March 6th is when I was going to get my hands on the material and I could get started. When March 6th finally rolled around, I got started right away scheduling my exam. Again, I just wanted to speed-run. I had this mentality like, hey, let's crank this out as quickly as we can, let's hold ourselves to it, let's set deadlines so I don't put this off or procrastinate; I just wanted to keep moving. So I scheduled my exam for Saturday, June 12th. So this past weekend I was working through the exam, and it started at three in the morning, so a little bit of a long haul. I was working with my sleep schedule to see what I could do to crank through this thing, and I finally went ahead and submitted my exam report, and I got the classic automated response like, hey, we received your exam documentation, please wait 10 business days or so. Just today, this morning at the time of recording, on Wednesday, I get the notification, I get the email: hey John, we're happy to inform you you've successfully completed this course and you've earned your Offensive Security Exploit Developer certification. I did it! I was super happy. I got the fancy badge; you know how they send you like Acclaim, or I guess it's Credly now or whatever, they'll give you a nice little decal or picture you can scream about and share on social media, and I obviously did that.

Hey, let me say that I was super worried and nervous and scared for this test. If anyone actually tuned in to the Offensive Security webinar that I did just the day before I got started, I'm telling the individuals, I'm telling the audience: look, I don't know how this is going to go. At that point I hadn't finished the challenges, like the preparatory lab exercises before you start to take the exam; I only ended up finishing one of them. And I said straight out, and I will always say: look, I'm not all that good at reverse engineering. Binary exploitation is by no means my strong suit. You've seen it in videos; I say it all the time.

(Clip from the webinar)

"So now you're, I think you're going through EXP-301, is that right?"

"Yes. Oh man, I have had a lot of thoughts in my mind about how this is going to shake out. My exam for OSED and the exploit development course starts tomorrow."

"Oh, what are you doing here then?"

"Yeah, don't tell anyone, right? I am really nervous. I'm really anxious, more so than I ever have been before, because I know, and I'll be the first to admit, I'm not sharp on reverse engineering or binary exploitation. So normally I pour and invest a lot of time in studying. I've sort of showcased my workflow before in other YouTube videos, but I'll work through all the course videos, rename them so that they're in a chronological order and I can index them if I ever need them again, and I'll take the course book and practically rewrite it; I'll write my own copy just by going through the videos. That gives me the opportunity to properly get all the source code, to understand what, when, where and how, and it's extremely time-consuming, because then I'll be thinking: great, I have plowed through the course, but now I need to invest the time in preparation and tooling. I've got some challenges in the lab environment that I need to get through, and it would be great if I could get myself a little sharper on that, maybe get some tools and utilities spun up with automation to make my life easier. That is another time sink. I don't think I've been able to do that the way that I normally would for OSED, so I'm a little scared."

"Well, best of luck tomorrow. Looking forward to hearing how it goes for you."

"Thanks so much."

I guess I pulled it out. I guess I was mentioning how I needed to invest more time into it, so maybe that night, hey, on Friday, I just crammed even more than I could. I actually tweeted about it; there was a tweet that I sent out that was like, hey, it's three o'clock in the morning the day before, and I had a lot of work due that week for my day job, and I said, hey, it's time to hack. And then my boss, for my job, my boss
sent me a text, like, I don't know if that's work-life balance. So Kyle, if you happen to see this: I know, dude, thanks.

Just after I got the congratulations email for OSED, I got another email that was just incredible and lovely and fantastic and so sweet, from the CEO at Offensive Security. Thank you. I know a few of you Offensive Security folks, some of you OffSec fellows, tend to tune in and watch some of these videos, so if you're listening in: hey, thanks guys, thank you so, so much. I guess, yeah, between getting OSWE some time ago, and OSEP that I have the video on previously, and now this OSED, I guess that makes the trio, and I'm minted as OSCE3, the Offensive Security Certified Expert, the three subscript. So thanks so much. I screamed about it, you know, I shared about it, I put this out on the socials, and that seemed to be pretty well received on Twitter and LinkedIn, so thank you again and again and again. Thanks guys, I just super appreciate the love.

Okay, okay, now that we are over 10 minutes in on a review video and I haven't done any reviewing, let's talk about this thing. So the course: the curriculum, the lab, the guidebook, the PDF, the videos. It is everything that you need to pass the exam, in my opinion. I don't think that it spent as much time as it could have specifically in reverse engineering, because reverse engineering is extremely slow, and it's tedious, and it is time-consuming, so that on its own is going to suck up and take a lot of time. There's kind of one section dedicated to it that it goes through throughout the course, but that's the most that you'll see, at least for the actual, engrossing definition of what you're going to be doing for reverse engineering. When it gets to the later modules that do things with your reverse engineering skills, because it has to talk about the exploitation process, it will sort of speed-run to the point that you would have figured out had you done reverse engineering, but it takes so, so much time, because reverse engineering is a time-consuming process, because it's a time sink on its own. It's not something that it is able to go through due to the nature of the course, but I think it could have some more love, because I for one still felt like in a frenzy when I'm opening up IDA, when I'm trying to dig through opcodes and assembly instructions and figure out what ends up going with what. And you'll parallel it with your debugger, and you'll be using WinDbg in this course. We might be used to Immunity Debugger, and I'll actually include that as a snippet here: if you're a little bit more familiar with Immunity Debugger, once you end up using WinDbg, the very first time you see it, it's extremely bare-bones. It's not all that intuitive and it's not user-friendly right out of the gate. I was doing my homework and dug around a little bit and found, oh, you can customize workspaces, as it discusses in the beginning of the course, but you can set it up to look and feel a little bit more like Immunity Debugger, so you can see the memory, you can see the stack, you can see the call queue, you can see the registers, of course, automatically, and have it displayed alongside the instructions in the command panel. I'll showcase something that I used in this case to do that, and I guess that will lead me into more of my workflow and procedure and process.

So you've heard me say it before: I take a lot of notes. I literally go through everything and just take copious amounts of notes, trying to prepare and trying to stage as much as I can. I'll try to include mental checkpoints as to what to do in what situation, if you either forget, or if you just don't remember, or you need another nudge or reminder. It's like: follow this process, or do these things, run these commands, figure this out. That is what I would recommend some folks do. Additionally, I would recommend staging and preparing your own environment, because, as I mentioned, if you want to configure Immunity Debugger, excuse me, if you wanted to configure WinDbg to what you like, or if you know, oh, I want to have mona, I want to have mona working in WinDbg, get that staged and get that ready and get that prepared, so you can rapidly pull it in to the environment whenever you're in front of it. You won't have internet in that exam environment, so you've got to make sure all that stuff is ready on your machine and you can readily pull it down. I tend to use updog for that, just to be able to transfer files back and forth with HTTP, and you'll see some of the syntax here that I have already ready and prepped, so that, like, cool, let's get mona, let's get this pykd rendition, let's make sure we have Keystone and all these other things that you might end up needing when it's exam time, when it's show time, when it's go time. And I'm sure you can see in my notes here: try to prepare yourself for whatever circumstance or whatever situation you might find yourself in. What I mean by that is, okay, if you know something can be accomplished in a number of different ways, try to have already thought out the procedure for each of those different ways. Concrete example: ROP, or return-oriented programming. You can use that technique to bypass DEP, or Data Execution Prevention. You know, okay, say you could do that with Win32 API functions X, Y and Z; try and have it prepped for each of those situations if you know you're going to end up in that situation. Or custom shellcoding, right: you know you might have to deal with some bad bytes. Try and figure out, okay, what procedures can you do, whether it's working with two's complement, or negating something to avoid null bytes on the stack, or trying to use a multi-step addition or multi-step subtraction. Each of those things will be super duper handy when it comes to show time. And on that note, actually, one thing that I would recommend, and I
think I'll be able to showcase code here if it's kosher: I would try to script out or automate some simple things, like pushing a string and its representation on the stack, in the little-endian byte order that's necessary, being cognizant of null bytes and what register I should work with to do that, whether it's a 32-bit register, or a 16-bit one, or the lower half with 8-bit registers. Or finding specific and useful tiny ROP gadgets that you might get from ROPgadget, the program utility, or pwntools if you use it, or rp++, or whatever utility you use to find ROP gadgets; try and extract a simple pop-register, or a simple increment or decrement gadget, or a negate instruction, whatever you could track down. I will link some code below, in Pastebin links or gists, I guess, on GitHub, to showcase that, and some utilities that I would work with and modify to be able to make my life easier in those situations. I would again recommend you do that.

Actually, in that vein, if you're not in the official Offensive Security Discord server, you absolutely should be. There are incredibly smart people having incredibly smart conversations about what more you can be doing. Some folks have graciously shared some fantastic tools and tooling; I think epi (forgive me if I'm butchering your name, epi) has been a fantastic fellow showcasing some great stuff, so definitely go take a look at some of that that you could potentially use, if you're interested in this, so when it comes to exam time you're totally ready, you're totally set, you've got everything in the mix.

In my opinion, I think that there were some curveballs, or something that kind of threw me for a loop. I don't know if you will have the same reaction, I don't know if you'll have the same set of challenges, of problems, of tasks, I don't know if other people have had that same thought when they were approaching the exam. There were a couple of things that I was expecting that were not immediately what I would have expected. I think going through this process, taking these in-depth notes, preparing yourself for whatever situation you might find yourself in, and you're still hit with something that you didn't expect: at that point you're strong enough to be able to do that critical thinking, to have the innovation to think of, like, oh, actually maybe I could take a different approach and it could work, and then try it. Actually try it. Try everything that you think of. You've got a lot of time; 48 hours might seem like a time crunch, and if you're doing some reverse engineering, that's something you can pour yourself into, but you still have a lot of time. Push through it, crank through it, try everything, and you might start to see, oh, that thread that you're pulling on, that could really work, that idea has some ground and some legs to it. If you find yourself being thrown a curveball, think critically, and you'll still be able to piece things together. Yeah, obscure, vague.

I will showcase a snippet of my exam report here, or just how I really built it and put it together. This is the first time I wrote my exam report in Obsidian, which is the same program and utility that I took all these notes in, that lets me work in Markdown, beautifully display things, etc., and I'm using the noraj template to convert Markdown into LaTeX that can be transformed into a PDF, which I could very easily submit. I've showcased that before in my taking-notes-for-OSCP video, and I think I display that template and everything you could use to set it up. And my report for OSED was 87 pages long. Now, that's not to say yours should be that long; yours could be shorter, yours could be longer, I don't know. The reason that I think this is so lengthy is because of a significant amount of screenshots, or code blocks and code samples. I try to showcase everything that I can. In fact, I write my report as I'm taking the exam, and I just do that in a cursory way, like, okay, I'll slap down a sentence for what I'm doing, or what I'm thinking, or what I'm going to approach next, and it saves so much time in actually writing the report after the exam, because in Obsidian I can take a screenshot and just paste it in, and that's done, and I can slap down a sentence as to what I'm thinking, what I'm doing, and then it's done, and then I can go back later and refine it if I need to. But the report is already there, because I've written out my thoughts like a walkthrough as I'm working through the tasks and the assignments. So that is my advice to you: write your report while you're working through this. Not so much that it completely distracts you and it eats up all your time, but literally just jot down a sentence every time you do something or you're trying something new, and just like, oh, this worked, oh, it didn't work, and okay, maybe I'll go refine, remove pieces that didn't work, or I spent a significant amount of time on XYZ, it was a lost cause, whatever. But that's my suggestion on reporting.

Hey, for the whole rest of this video I'm going to go through your questions that you submitted, either through Twitter or on Discord. I'm going to do that in a casual, just back-and-forth way, so forgive me; I'm just going to end up letting my hair down and chilling for the rest of this video. It's not going to feel like the formal or professional setting previously; it's just going to be me talking. So if that's not what you're interested in, click away. Thanks for watching, I hope this was a good video, blah blah blah. Now I guess I'm going to get to the raw, core, genuine stuff, but tune in if you're still interested. Thanks.

I want to take the rest of this video to answer some of your questions. I tried to tweet out and post in my Discord, like, hey, if you guys have any questions that you'd like me to answer, I will do that in the video. I am going to screen-share for this so I can get my thoughts right, and it's taking me a long time to edit back and forth, and
I don't want to pour more time into this. So I had tweeted out, hey, what questions would you like answered in a review video, and one was: hey, I'm currently enrolled, I got a couple of questions actually. What automation, if any, did you end up using in WinDbg or IDA? Were the challenges enough to prepare you for the exam? Do you have additional tips and tricks for finding ROP gadgets with mona?

So yes, I mentioned the automation that I ended up using, with some Python scripts that I had pre-prepared. I used that to work in tandem with the exploits that I would end up writing. I didn't do a whole lot of scripting for WinDbg. I wanted to do things with pykd, I wanted to automate fuzzing or automate the reverse engineering process, because reverse engineering was just so daunting to me in my mind, and I never ended up getting anywhere with that. I don't know if that's something that you would be interested in, but you're more than welcome to go for it; I think it would be a great idea. But if you end up going through reverse engineering, you've just got to drone through IDA, and we're working with IDA Free, so you can't use their Python plugins or extensions to do things with IDA. You've just got to stare at it and follow through and take notes as to what brought you to what block, try and check out the arguments that go through it as you step through it in WinDbg. That's really the best you can do, I'm sorry.

Were the challenges enough to prepare you for the exam? Granted, full disclosure, I only completed one of the challenges. One of the challenges was fantastic and exceptional and great for preparing me for the exam, and that's the one that I ended up doing. The others, I banged my head against the wall repeatedly and still came up empty-handed. Not to deter you: try the challenges, do the challenges. If you can't, I'll admit something stumped me, but it's not going to be the end-all be-all when it comes to showtime for the exam.

If you have any additional tips or tricks for finding ROP gadgets with mona: if you end up using mona to find ROP gadgets, more power to you. Truthfully, I stuck with rp++, and again I would use a Python script to get a starting point for ROP gadgets that I knew would be handy because they're simple, and you'll see that in the code that I share. But I don't consider that the end-all be-all; that is a starting point, that's a baseline, that's a foundation. You still need to drag yourself through the entire output of the ROP gadgets that you find and try to see: what could I use to carry the stack pointer value, what can I use to keep track of ESP while I'm doing all this voodoo magic, what could I do to juggle registers and work with values that I know I need to push on the stack, that I can control, to take care of my placeholder, or my W frame, to call a Win32 API function. You have to drag yourself through the ROP output and work with it. One thing that I would do is I would actually just have it all in Sublime Text, and I would remove the things that I knew would be useless for me, like gadgets that included a jump instruction, or a leave, which would actually get annoying; the leave instruction would get annoying. Same thing with gadgets that would use a call instruction; I'd try to remove those so they're out of my mind. And then I would try to hunt for the things that would use specifically the registers that I needed to work with, so I would use regular expressions, find and replace, just in my text editor, to find the gadgets that had that and matched that criteria, and I'd move those into a different pane or a different window in the text editor, so I could analyze and look through each of those options and try to see what would be the best, what would have the least side effects, or what would have any other extra damage that I could still take care of after the fact. Yeah, that's that. Here we go, we'll see what the other questions are.

During your coursework, was there any instruction or application on advanced networking concepts or skills, and is it worthwhile to get comfortable with the Linux Arch distribution? No, truthfully. In Offensive Security Exploit Developer they're just not going to get into some networking concepts, and you won't need to use Arch Linux. You could use Kali; I used Ubuntu. Any Linux you want to use, you use.

How is the challenge in comparison to the other courses? Is the knowledge gained from the process equal to or not equal to the other courses? What's next? How's life? Congrats on the third. Thanks so much, Elias, I super appreciate it. How is it challenging in comparison with the other courses? So you've heard me probably say before, and I still actually... this gives me a run for my money now. I used to say OSWE, the web exploitation course, was the hardest one for me, because it was like finding a needle in a haystack. It's a white-box analysis test where the source code is all given to you for the applications that you're trying to exploit and take advantage of, but there's just so much code; it was like finding a needle in a haystack. That took up a lot of time, because it was reverse engineering on its own, naturally, and it just changed the game. It changed my mindset, because normally, for all the other Offensive Security courses, it's a black-box test; you're just beating stuff up. The white-box test for OSWE, you've got everything laid out in front of you, it's just a matter of finding it. For OSED, if I were to say OSWE was finding a needle in a haystack, OSED and the exploit developer was trying to thread the needle, because it was like, oh, I know that there is a solution here, I know that there's something that I can do, it's just a matter of me carving and trying to pry and dig it out, and it was grueling. So other advice: take breaks. Step away from your computer. At least if you've been going for like four hours or five hours straight, stand up, dude, walk in a circle if you have
to just do something to mentally reset, because, in my opinion, you start to have your eyes glaze over. It's like, I'm trying to figure out the solution here, and it's one puzzle piece after the next. That was difficult for me. So in the moment I'd have to say that OSED was harder than what I would think OSWE was. I don't know if my opinion on that will change, but I use this analogy sometimes where I say it's like putting my head through fan blades, because it's like, oh my, this is rough, this is hard. I got that feeling in the lowest low of my exam. I'm sure you guys all have that same feeling, like when you're taking a course, when you're taking a test, there will be a point where you're like, I've given everything. Just keep going, just keep turning the crank. Yeah, sorry, I hope you guys don't mind this casual, after-the-fact, just screen-share sort of thing.

Is the PenTest+ worth it even though someone already has eJPT, or just jump right to OSCP? That's your decision. That is totally, a thousand percent, your call. If you have a certification in mind that you know that you want, go for that certification, because you know that that is your crown jewel, that's your priority, that's your number one. Go for that certification. Don't feel like you need to keep putting these intermediary steps in between each one if you know that you want some milestone out in the distance, that course or that certification or that training, OSCP as you mentioned. It will prepare you; like, the course itself prepares you for the course's certification and capstone exam. So don't hold yourself back or try to put more stumbling blocks in your place. If you know that this is something that you want, go after that, go after that one, go after what you want.

How approachable is this for someone with moderate reverse engineering experience? How approachable is it for someone with moderate binary exploitation experience? Yes is my answer to that. I've said that, hey, I don't consider myself an expert or a guru, I don't think I'm good at reverse engineering or binary exploitation, but I'm familiar with it, right. Like, I took OSCE, I've done a couple of capture-the-flag challenges where I'm doing reverse engineering or binary exploitation. I think it's doable even if you aren't at a moderate experience level, even if you're totally new; the course does bring you through it. It does showcase, from the baby steps that you had in the buffer overflow of OSCP all the way to your format string, bypass ASLR, bypass DEP, custom shellcode, whatever you want; it gets you there. So if you're moderately experienced, then you've already got solid footing, so it is approachable, and I wouldn't be scared of it. Again, with all the mentality like, yes, go after the things that you want, speed-run and crank and cruise through it, because you want to keep yourself studying and growing and learning, and that's why I have that cannonball mentality for certs and training. Maybe that's a double-edged sword, maybe that's to a fault when I get scared, when I get nervous, but if you don't throw yourself at it, then you're never going to know what it is. The reason that I'm so totally, unabashedly comfortable with signing up for the exam right away is because if I fail, I don't care. Like, so what? Now I can take it again, and I've learned what I need to improve and what I need to practice and what I need to get sharper on. So I'm totally comfortable with the failure, because then it just points me in the right direction and course-corrects me to do better the next time. So I know some folks might not be in the situation where they can do that, just, oh, retake it, just do it again, but I really think you should. Don't be scared, and if you're worried about whether it's approachable or not, it doesn't matter. You'll pick it up, and if you are a little bit experienced with it already, then you're in a good spot.

And now let's take a look at some of the Discord questions.

Prior to paying for the course, what are areas that we should study or focus on to prepare better for the labs or the Offensive Security material? So one thing that I think is actually super important, and is going to be necessary more and more, and it's included in the prerequisites or the suggested things for the course, is some familiarity with the assembly language, or instructions like push and pop, and how the stack works, or the order that you might end up calling things, like calling conventions, right: how you would display or lay things out in memory if you end up invoking a function, etc. Basically just the gist of what registers are, what registers you could use, how you can manipulate them and how you can work with them, what the bytes are, NOP sleds, obviously, etc. If you are not familiar with that, I think it's SecurityTube, or I guess Pentester Academy now, they had one that's like Introduction to x86 Assembly and stuff like that, that will help offer a primer for that sort of thing. But when you get into shellcoding, when you get into custom shellcoding, or when you're doing just stuff with ROP, it's totally necessary to have a better handle on what all those gadgets and instructions, what all those opcodes, really do. So being familiar with assembly is certainly something that I would recommend getting familiar with.

How in-depth are the topics regarding writing custom shellcode, and what do they entail? So the custom shellcoding section is super cool, in my opinion. You do end up staging a reverse shell setup, between like the ws2_32.dll, so you can call in functions like WSASocket, like connect, and set up, and then end up invoking a command prompt and sending that back to yourself. And then it's figuring out how to make that position-independent shellcode, so it doesn't matter where it ends up being loaded in or worked with, and it's null-byte free, or it's avoiding bad characters, and you use some super cool procedures to be able to hunt down and find functions that you need in these libraries that you might end up working with. I think that gets in-depth, like in-depth enough that you've got the prowess to call whatever function or do whatever you want in Windows shellcoding; it's just a matter of putting the puzzle pieces together. That's what that entails, and that's how in-depth it gets. If you want to take a look more, I would really recommend checking out the syllabus, or just getting started with the course. I had never seen that depth and coverage for teaching shellcoding, or custom shellcoding, before, and that was super cool, because before I took this course, before I got started with this, the whole idea of writing your own shellcode sounded so advanced. You know, it sounded like the dark arts, it sounded like black magic; it's like, whoa, you've got to be uber leet to write shellcode. But I think, hey, that gave me enough of a solid footing that I could tinker with this, I could play with this, I could do this more, and I want to now. So maybe that is a fine takeaway. But yeah, take a look at the course syllabus and maybe start to play with it; you're on your own.

Were there any exploits you had to create that were for well-known vulnerabilities, or were they mostly not very well known things that you had to figure out yourself? They will be things that you need to figure out yourself. You're not going to be pulling an off-the-shelf exploit script for what you end up working with; it's stuff that you've got to build. It's not something you can just rip off from Exploit-DB or find online.

What are some recommendations for practicing? Anything on Hack The Box or TryHackMe that would be beneficial, like there is for OSCP? Yeah, yeah, yeah, actually, definitely. In my OSCE video, back in the old Cracking the Perimeter days, I
mentioned vuln server like i think it's stephen bradshaw and if you go to his github he he hosts a phone server which is a vulnerable windows application and it has a bunch of functions that you would be able to find a vulnerability and exploit them and take advantage of the program that way i've showcased like the trun function even on on this channel there's a youtube video for that with just a classic stack baseball for overflow and there are other things for structured exception handlers and there are other things for different kinds of bad bytes usage etc and there are tons of great resources out there online uh conor mcgarr forgive me if i'm butchering your name conor um he has a fantastic blog that showcases a ton of great stuff in this regard uh and i actually ended up using it for for some things so read through his stuff uh there are plenty of others and i might be able to list them more if we were to talk offline but what i'm thinking of is phone server phone server works great for giving you the frame of a windows server to exploit through a socket if you were to just run that program and then enable dep like enable the data execution prevention then you've added another another difficulty or another hurdle for you to jump over because now your stacked base buffer overflow is going to have to you know jump through some hoops and hurdles trying to find a code cave or maybe using an egg hunter or going through the procedure for rop and writing shell code to match whatever bad bytes it might be in front of you can set your own restrictions but just simply trying and adding those security mitigations like depp and aslr even if it's a simple thing like phone server that can stretch and that can help you prepare honestly i feel like i just have to say go do phone server but turn on those security protections and then practice play with them what would you consider to be the most difficult course out of the osce iii bundle and why uh so i i touched on this 
earlier when i was talking about oswe and osce those are totally different reasons right and i feel like i am stronger at web exploitation and analysis than i am at like low level binary exploitation so maybe it's just a personal thing maybe it's totally subjective um i think now that i had i was grappling more with os ed for the exploit developer um because it was just a mental bend like a whirlwind um oswe was a different challenge because of that needle in the haystack that i was referring to earlier um it might totally be subjective on you what you feel like you're strong at what you feel like you're good at or what you're interested in uh but oh said was a tough point for me the exploit developer was tough for me and i feel like i had to prepare and pour myself into it and i didn't feel like i was able to do that enough but so then i try to cram and try to do it that's what you got to do invest the time because reverse engineering takes a long time figuring out the process of the exploits takes a long time uh when i still feel like i i could do more and i want to do more i i feel like i have some cognitive dissonance and maybe that's very visible in how i'm saying this right now and that i didn't feel like i put in enough time but my advice is to put in more time i realize that sounds so stupid but it's necessary and i feel like i did enough but i could do more and if i were to give the advice to people to get them prepared and get them ready it's do more prepare more invest more time yeah crappy answer for that one sorry tobu what level do you feel people should be at before they begin the course is this something that a dedicated student fresh out of college could complete so my answer to that is again yes if you go through the course and it will get you set up but if you put in more time and dedicate and practice and do your homework you can do it if you're a student fresh out of college that shouldn't be a detractor that should never be a stumbling block 
in your mind if you're a student fresh out of college dude you've got the world in front of you you do whatever you want man what was the most challenging part of the course or the exam and what did you enjoy most about the course oh sorry i skipped toby's question let me let me bounce back to it what was the most challenging part of the course of the exam the curveballs the curveball that i that i suggested um let me let me i guess preface that and put that in in one way when i had the exam tasks in the assignment in front of me i you know you immediately have like your first impression of like oh that looks doable or oh that looks hard or oh i don't know if i could solve that um the first one that i wanted to tackle i thought this is going to be the easy one this is going to be the one okay cool it's comfortable and i thought oh maybe this other one or maybe the other couples they're they're going to be harder they're going to be much more difficult for me to work through i was wrong so that first one that i thought um this will be this will be smooth maybe i could do this you know this is this is possible that threw a curve ball at me and the one that i thought would be easier would turn out to be harder and the one that i thought would be harder was easier than that one that i thought would be easy you know that you know that was just kind of a swift kick in the pants i guess that that was the challenging thing i was like oh man i felt really confident now i'm like i'm trying to rework this thing in my mind what did you enjoy most about the course exactly that i i the kurt those troubleshooting and debugging moments are the things that felt the most fun because it's like there's a wall in front of me there's a problem and i need to solve it what clever and creative things can i do to get around that and that's the whole mindset right for exploit developing and and getting bypassing these security mitigations like dep and aslr but it's like oh can i do that what 
clever things can i do with rop in the registers what clever things can i do with the shell code to avoid these bad bytes what do i need to do for my aslr like leak to be able to find memory addresses that i could still like automatically work through those were all very cool and very fun maybe the most enjoyable thing is knowing that you were struggling and then persevering and achieving past that i think yeah yeah what was the main thing that kept you running through this course was it motivation or drive or something else whoa that's a super good question um the main thing that kept me running the main thing that kept me running was the was the deadline like the fact that i scheduled my exam uh and i was like i need to do this um and because i knew this this is a different angle so forgive me the motivation that i wanted to pursue it the motivation that i wanted going to go all over the place for this answer i'm super sorry uh yes there was motivation because i wanted to learn more i wanted to practice and i wanted to play with it and it was so cool like you feel like a stinking ninja when you're doing binary exploitation reverse engineering that was enjoyable and fun and i wanted to keep doing more like i wanted to get through the course so i could play so i could make those neat tools so i could practice and carve out my arsenal of things that i could do uh and then the deadline like the smack in the face dude i need to get good at this before it's it's showtime and then here's the interesting perspective that might not be applicable to everyone um in a weird way it's the content creator influencer portion where it's like shoot i [Music] i've told my friends the community some folks like yeah i'm taking osed i've got my test coming up it's my test this weekend i said it on the offset webinar it's like oh people are going to ask me how it went and what if i failed and i was like i'm gonna fail i'm gonna fail this test and it was in my mind like i was replaying 
what would happen when i had to make a video that said like yeah i didn't pass because like i could not make a video just sweep it under the rug you know or do a blog or article or something or i could uh you know or i could just kind of come come up front in the spotlight and say like yeah i missed the mark on this one and i was thinking maybe that's a good thing maybe that's maybe that maybe it'll be people will think john you're not a robot um so that that was an an element to it was like i didn't want to come out to everyone else and be like ah a tail between my legs yeah i failed so bummer and i and i said like oh earlier when i had the mentality like it doesn't matter i'll take it again i'll hit it harder next time there's that but there's also like the bummer like dang uh i'm sad that i didn't get it so i i struggle with that cognitive dissonance i guess um how good is the content from a learning perspective compared to osep it is good it is very good i have always said and i said it in the offensive security webinar that i really really like hands-on learning and practical application-based showcase and demonstration-based learning what i love love love love about offensive security stuff is that the videos are videos like it's a raw screen capture it's like a screencast it's what i do on my channel because you as the viewer get to see everything you get to see what happens where and how and what you type in and what you click on there's nothing that is left up out of your mind because you saw it happen so i really like that in how offensive security presents their courses and their in their training material so how good is the content from the learning perspective i think it's great compared to osep they're both cream of the crop i think looking this is actually a hilarious thing if you look at the book like the pdf version from the original version of oscp or the original version of osce if you go way way back the cracking the perimeter book in pdf was it 
like a hundred pages maybe i might be getting that wrong or like 80 pages i have no idea but it was a significant amount smaller than what we see for the course pdf and the book for osep and osed like there are like 600 pages 800 pages or whatever but an extreme amount more than what it was back in those older smaller renditions of these courses i think that the new things that offensive security has been bringing out have just been stellar in my opinion you know just my thoughts what would be the pathway for oscp certified to prepare for osep do it why did you go with this course and what was your strategy for doing the certification congrats thanks man um why did you go with this course i i just want to learn stuff man i just i i i like people think i might be crazy like i might i might genuinely be crazy and i've been talking for hours on this thing um i like training that's hands-on and practical so certifications as stupid as i look like i'm such a dumbo when i have so many stinking worthless letters strapped to my name oh i took x certification why certification's easier it's not it's not for like the street cred or the something to slap on the resume it's just because it's genuinely it's generally presenting a new challenge to me and it's like showcasing technology and software and hardware and techniques and tradecraft uh adversarial work or defensive work that i haven't seen before it's just exposing me to new things so even if like oh said exactly oh said specifically i don't do binary exploitation for my day job i don't do strict hardcore reverse engineering in ida for what i do for a living i just want to know more so i can better understand the rest of everything that happens i i don't know i just feel like it helps me makes me be a better more well-rounded cyber security dude i was gonna say cyber security professional but we all know that's not true so what was your strategy for doing the certification speed run i talk a lot about that mentality that 
philosophy and then i've go guns blazing it's a cannonball approach to just take one certification after the next it's just because it keeps me growing it keeps me learning it keeps me with it and in it maybe that's crazy to some people and i'm sure it is and i've i've found the flaws and the weaknesses myself but i know that there's a lot that i want to do so my strategy for doing the certification crank through the course material watch every single video take notes on as much as i can then tooling and preparation everything that i've already showcased in this video so i think that's it yeah yeah those are all the questions from from discord uh i'd be happy to take any other questions again if anyone wants to reach out don't be a stranger hit me up discord twitter linkedin here in the youtube comments whatever uh you can track me down right cyber stalk me uh and i got red hair so i should be pretty easy to find right i'm just kidding all right well hey this turned into a heck of a lot longer video than i expected it to be uh that's totally my fault for just rambling on about the questions um i i hope that this was valuable for you um if it if i'm making a review video for this certification for this course for this whole curriculum for offensive security exploit developer look this gets my thumbs up i was really pleased and just so happy that i was able to push through it and persevere personally to solve this to to pass the exam but i do feel like i learned a lot and between shell coding and rop and reverse engineering and aslr and format strings there's a lot in this course that i wanted to get more familiar with and i feel like i really did while going through this so uh kudos to you offensive security because i know you're listening in i know you're still here thank you for putting out such a stellar course and uh i don't know letting me try my hand at it given the old college try for anyone listening in that's thinking about going after the certification do 
it don't hold yourself back from it it's totally doable it's totally achievable if a stupid kiddo like me could do it i know you can too so thanks so much for all your support everyone that was really sweet to kind of see all the love uh after i got the good word but seriously excellent course you should try it study for it prep take notes do all the right things and uh i hope that some of my advice here or suggestions might be worthwhile to you but your mileage may vary you know chat with other folks i'm not going to be the single source of truth by any means i hope that this stands as one thing uh one snippet of uh testimonial or thoughts or i don't know i ideas for osce and the exp 301 course so thanks so much for watching everybody thanks so much for listening thanks for bearing with me sticking all the way to the end if you did happen to watch this whole thing you're the best uh if you don't mind doing those youtube algorithm things you know it super helps out the channel i'd love if you could like the video maybe leave a comment maybe subscribe and maybe you hopefully we can get more uh really cool stuff out and stuff that can send the same value as this if it did sensor thanks so much for watching everybody i love you i'll see you soon [Music] [Music] with you
Info
Channel: John Hammond
Views: 29,978
Id: NAe6f1_XG6Q
Length: 58min 56sec (3536 seconds)
Published: Sun Jun 20 2021