For the past few months, I have been preparing for the Advanced Windows Exploitation (AWE) training at one of Asia’s most popular hacker conferences, Black Hat Asia 2019. AWE is one of the training organized by Offensive Security LLC, a Kali Linux distro maker (formerly Backtrack) and the Exploit-DB website (www.exploit-db.com).

After waiting for approximately 5 years, AWE was finally held in the Asian region (AWE is usually held in the European and American regions only). I, without hesitation, was immediately registering when in early January 2019, Black Hat Asia team revealed a list of training to be held and AWE from Offensive Security was on the list.

The training was held on March 26-29, 2019 at Marina Bay Sands Singapore. The following stories are my review of the training.

The first day, we as trainees, who filled the training room, were presented with material on how to bypass NX and ASLR in the exploit development process. Morten Schenk explained how to exploit vulnerabilities in Adobe Flash. This process includes how to get read/write primitives, ASLR bypass with the ‘memory leaking’ method, then bypass NX/DEP using ROP technique. On this first day, to be honest, I can only take 40% of the material because of the compact information provided.

The second day of the training continued the rest of the discussion that had not been completed on the first day, namely by bypassing Adobe Flash sandbox and WDEG (Windows Defender Exploit Guard) in Windows 10 Fall Creators Update (as a replacement for EMET that had expired). On this second day, we also immediately changed the case study of a vulnerability in Microsoft Edge. In this case study, we were dealing with a Type Confusion vulnerability that was discovered by the Google Project Zero team and made it exploited. The exploitation process began by analyzing the proof of concept, looking for a way on how to get primitive read/write, bypassing ASLR by ‘leaking the function pointer.’ inside Microsoft Edge.

On the third day, the discussion was even more brutal when we’re dealing with several protections in Windows 10. Morten explained well how to bypass the CFG (Control Flow Guard) and ACG (Arbitrary Code Guard). After successfully bypassing all of these protections, then ROP-based techniques can be used to gain code execution.

The fourth day, we were presented with how memory paging at Intel works, SMEP (Supervisor Mode Access Prevention), how the token privilege works and their relationship with the kernel exploitation.
Alexandru ‘sickness’ Uivalvi explained a very good material using a case study of a vulnerable Windows driver and exploited them under a least privilege user. The ultimate goal of the exploitation is to gain access to NT AUTHORITY\SYSTEM.

Pre-Exam Preparation

I filled out the exam preparation by repeating all the discussion material in the module and doing all the training exercises given. Some exploits that discuss driver exploit:

Some materials and references that discuss Adobe Flash and bypass Windows protections:

As well as several references given by the instructor during the course (I can’t share it here due to possibility of violating legal and agreement against Offensive Security LLC)

About the Exam

The time for the AWE exam is 71 hours 45 minutes; I am sure the Offsec team has well calculated the time provided.
Exam questions consist of only 2 target machines and 2 debugging machines. Unlike the OSCP and OSCE exams (which I got it pretty fast in couple of hours), I just got ‘click’ after 18 hours, really a waste of time. The toughest challenge was finished on the third day when the remaining time is 12 hours left. The second challenge is completed 1 hour before the exam time is over. I use the remaining one hour to review all the work.

The results of the exam were notified via e-mail 3 days later and I passed. I was entitled to OSEE certification, yeay!

Conclusion

At the end of the training, Alexandru and Morten shared that only around 30% of participants usually took the exam to achieve OSEE certification. I tried to complete the entire AWE training series, which was intended to get OSEE certification, the highest certification from Offensive Security.

AWE training is the most brutal technical training I have ever participated in, to be honest, I am very fortunate to be able to take part in this training. Thanks to Alexandru ‘sickness’ Uivalvi and Morten Schenk for the training.

AWE training at Black Hat Asia 2019

About the Author modpr0be

Posisi saya saat ini sebagai direktur dan pemilik PT Spentera, sebuah perusahaan yang fokus dalam bidang penetration test, incident response, intrusion analysis and forensic investigation. Saya sering memberikan konsultasi tentang strategi keamanan kepada investor, mitra, dan pelanggan. Saya juga memberikan materi dalam bentuk pelatihan dan kontribusi komunitas dalam bentuk seminar, workshop, dan diskusi dengan berbagai topik seperti teknik peretasan, teknik eksploitasi, dan analisis intrusi. Saya juga berkontribusi untuk repositori eksploit Metasploit Framework sebagai pengembang kode eksploit. Saat ini saya memegang sertifikasi dari Offensive Security Certified Professional (OSCP), Offensive Security Certified Expert (OSCE), ISO/IEC ISMS 27001: 2013 Lead Auditor/Auditor, GIAC Certified Intrusion Analyst (GCIA), dan Offensive Security Exploitation Expert (OSEE). Jika ingin menghubungi saya dapat melalui email di tom at spentera dot id.

Tinggalkan Balasan

Please log in using one of these methods to post your comment:

Logo WordPress.com

You are commenting using your WordPress.com account. Logout /  Ubah )

Foto Google

You are commenting using your Google account. Logout /  Ubah )

Gambar Twitter

You are commenting using your Twitter account. Logout /  Ubah )

Foto Facebook

You are commenting using your Facebook account. Logout /  Ubah )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d blogger menyukai ini: