My Review of the Advanced Windows Exploitation Course by Offensive Security

For the past few months, I have been preparing for the Advanced Windows Exploitation (AWE) training at one of Asia’s most popular hacker conferences, Black Hat Asia 2019. AWE is one of the training courses organized by Offensive Security LLC, the maker of the Kali Linux distribution (formerly BackTrack) and of the Exploit-DB website (www.exploit-db.com).

After a wait of approximately five years, AWE was finally held in Asia (traditionally, AWE is only held in Europe and America). Without hesitation, I registered immediately when, in early January 2019, the Black Hat Asia team revealed the list of training sessions, which included AWE from Offensive Security.

The training occurred from March 26 to 29, 2019, at Marina Bay Sands, Singapore. The following is my review of the training experience.

On the first day, the training room was filled with eager trainees, and we were presented with material on how to bypass NX and ASLR in the exploit development process. Morten Schenk explained how to exploit vulnerabilities in Adobe Flash, including obtaining read/write primitives, bypassing ASLR with the ‘memory leaking’ method, and bypassing NX/DEP using ROP techniques. To be honest, I could only absorb about 40% of the material due to the dense information provided.

The second day continued the discussion from the first day, focusing on bypassing the Adobe Flash sandbox and WDEG (Windows Defender Exploit Guard) in Windows 10 Fall Creators Update (the replacement for the discontinued EMET). We then switched to a case study of a vulnerability in Microsoft Edge, specifically a Type Confusion vulnerability discovered by the Google Project Zero team. The exploitation process began with analyzing the proof of concept, finding a way to obtain read/write primitives, and bypassing ASLR by ‘leaking a function pointer’ inside Microsoft Edge.

The third day’s discussion became even more intense as we tackled several protections in Windows 10. Morten explained how to bypass CFG (Control Flow Guard) and ACG (Arbitrary Code Guard). After successfully bypassing these protections, we used ROP-based techniques to gain code execution.

On the fourth day, we learned how memory paging works in Intel processors, what Supervisor Mode Execution Prevention (SMEP) is, how token privileges work, and how these relate to kernel exploitation. Alexandru ‘sickness’ Uivalvi presented a detailed case study of a vulnerable Windows driver and demonstrated how to exploit it as a low-privileged user. The ultimate goal of the exploitation was to gain NT AUTHORITY\SYSTEM access.

Pre-Exam Preparation

I prepared for the exam by reviewing all the discussion materials in the module and completing all the training exercises. Some of the exploits discussed included:

In addition, I studied various materials and references related to Adobe Flash and bypassing Windows protections, such as:

Furthermore, the instructor provided several other references during the course, which I cannot share here due to the possibility of violating the legal agreement with Offensive Security LLC.

About the Exam

The AWE exam lasted for 71 hours and 45 minutes. I’m confident that the Offsec team calculated the time allocation meticulously.

The exam comprised only 2 target machines and 2 debugging machines. Compared with my OSCP and OSCE exams, which I completed quickly (within a few hours), I struggled for 18 hours before everything ‘clicked,’ which made me feel I had wasted a significant amount of time during this AWE exam. The most challenging task was completed by the end of the third day, leaving me with 12 hours remaining. I completed the second challenge just 1 hour before the exam concluded and used the remaining hour to review all my work.

Three days later, I received an email notifying me that I had passed the exam. I was thrilled to earn the OSEE certification!

Conclusion

At the conclusion of the training, Alexandru and Morten shared that typically, only around 30% of participants attempt the exam to achieve OSEE certification. My goal was to complete the entire AWE training series, aiming for the prestigious OSEE certification, the highest certification from Offensive Security.

The AWE training was, without a doubt, the most challenging technical training I have ever undertaken. I consider myself fortunate to have had the opportunity to participate in such rigorous training. I sincerely thank Alexandru ‘sickness’ Uivalvi and Morten Schenk for their exceptional training.

AWE training at Black Hat Asia 2019

modpr0be

I am currently the director and owner of PT Spentera, a company that focuses on penetration testing, incident response, intrusion analysis and forensic investigation.

I also contribute to the Metasploit Framework exploit repository as an exploit developer. I currently hold the Offensive Security Certified Professional (OSCP), Offensive Security Certified Expert (OSCE), ISO/IEC ISMS 27001:2013 Lead Auditor/Auditor, GIAC Certified Intrusion Analyst (GCIA) and Offensive Security Exploitation Expert (OSEE) certifications.

If you would like to contact me, you can reach me by business email at tom at spentera dot id or personally at me at modpr0 dot be.
