For the past few months, I have been preparing for the Advanced Windows Exploitation (AWE) training at one of Asia’s most popular hacker conferences, Black Hat Asia 2019. AWE is one of the trainings organized by Offensive Security LLC, the maker of the Kali Linux distribution (formerly BackTrack) and the Exploit-DB website (www.exploit-db.com).
After waiting approximately 5 years, AWE was finally held in the Asian region (AWE is usually held only in Europe and the Americas). When the Black Hat Asia team revealed the list of trainings in early January 2019 and AWE from Offensive Security was on it, I registered immediately, without hesitation.
The training was held on March 26-29, 2019 at Marina Bay Sands, Singapore. What follows is my review of the training.
On the first day, we trainees, who filled the training room, were presented with material on how to bypass NX and ASLR during exploit development. Morten Schenk explained how to exploit vulnerabilities in Adobe Flash: how to obtain read/write primitives, bypass ASLR with the ‘memory leaking’ method, and then bypass NX/DEP using the ROP technique. On this first day, to be honest, I could only absorb about 40% of the material because of how densely the information was packed.
The second day of the training continued the discussion left unfinished on the first day, namely bypassing the Adobe Flash sandbox and WDEG (Windows Defender Exploit Guard) in Windows 10 Fall Creators Update (the replacement for EMET, which had reached end of life). On this second day, we also moved straight on to a new case study: a vulnerability in Microsoft Edge. In this case study, we dealt with a type confusion vulnerability discovered by the Google Project Zero team and worked through exploiting it. The exploitation process began by analyzing the proof of concept, finding a way to obtain read/write primitives, and bypassing ASLR by ‘leaking a function pointer’ inside Microsoft Edge.
On the third day, the discussion became even more brutal as we dealt with several protections in Windows 10. Morten explained well how to bypass CFG (Control Flow Guard) and ACG (Arbitrary Code Guard). Once all of these protections were bypassed, ROP-based techniques could be used to gain code execution.
On the fourth day, we were presented with how memory paging works on Intel processors, SMEP (Supervisor Mode Access Prevention), how token privileges work, and how all of these relate to kernel exploitation.
Alexandru ‘sickness’ Uifalvi explained the material very well using a case study of a vulnerable Windows driver, exploiting it from a least-privilege user account. The ultimate goal of the exploitation was to gain access as NT AUTHORITY\SYSTEM.
I prepared for the exam by going back over all the material in the module and doing all the exercises given during the training. Some exploits that discuss driver exploitation:
- Windows Kernel Exploitation 101: Exploiting CVE-2014-4113
- Microsoft Windows (x86) – ‘afd.sys’ Local Privilege Escalation (MS11-046)
- HackSys Extreme Vulnerable Windows Driver
Some materials and references on Adobe Flash and bypassing Windows protections:
- Common WinDbg Commands (Thematically Grouped)
- Discover Flash Player Zero-day Attacks In The Wild From Big Data
- Fldbg, a Pykd Script to Debug FlashPlayer
- Bypassing Mitigations by Attacking JIT Server in Microsoft Edge
- Back to Basics or Bypassing Control Flow Guard with Structured Exception Handler
As well as several references given by the instructors during the course (I can’t share them here because doing so could violate the legal agreement with Offensive Security LLC).
About the Exam
The time allotted for the AWE exam is 71 hours 45 minutes; I am sure the Offsec team calculated the time provided carefully.
The exam consists of only 2 target machines and 2 debugging machines. Unlike the OSCP and OSCE exams (which I finished fairly quickly, in a couple of hours), it only ‘clicked’ for me after 18 hours, really a waste of time. I finished the toughest challenge on the third day, with 12 hours remaining. The second challenge was completed 1 hour before the exam ended. I used the remaining hour to review all my work.
The exam results were sent by e-mail 3 days later, and I passed. I was awarded the OSEE certification, yeay!
At the end of the training, Alexandru and Morten shared that usually only around 30% of participants take the exam to achieve OSEE certification. I set out to complete the entire AWE series, which culminates in the OSEE certification, the highest certification from Offensive Security.
AWE is the most brutal technical training I have ever participated in; to be honest, I am very fortunate to have been able to take part in it. Thanks to Alexandru ‘sickness’ Uifalvi and Morten Schenk for the training.