In this blog post, we speak with Óscar Uribe, one of our Security Analysts, who will complete two years with Fluid Attacks. We congratulate him on his achievement: obtaining the Offensive Security Exploit Developer (OSED) certification.
The OSED is a certificate granted by Offensive Security. Having the OSED ensures that the person has "the skills and expertise necessary to bypass basic Windows security mitigations using custom exploits." In this light, OSED is an intermediate exploit development cert. To obtain it, the person must pass an exam that starts "with basic buffer overflow attacks and builds into learning the skills needed to crack the critical security mitigations protecting enterprises."
Now, with this context in mind, let us talk with Óscar to learn more about the certification, the exam and how he studied for it.
On the Offensive Security page, they recommend taking the EXP-301 course. Did you take it to prepare yourself for the exam?
Yes, it is necessary to take the course in order to obtain the certification.
Did you think the EXP-301 course was enough as a preparation course?
The course met my expectations. All the issues are explained in great detail. The course begins by explaining basic topics and as it progresses, it goes deeper and deeper into new techniques.
When you do the course, you have access to a laboratory where you can put into practice and reinforce the knowledge that you have obtained.
What does the Windows User Mode Exploit Development course consist of? Why did you decide to take it?
The course is aimed at exploiting vulnerabilities in Windows operating systems. It focuses mainly on memory corruption vulnerabilities such as Buffer Overflows and on techniques for bypassing security mitigations.
I decided to do the course because I am very passionate about things at a low level within operating systems. I want to understand how a program works and how it can be abused by an attacker to compromise a system.
The exam takes 47 hours and 45 minutes, plus 24 hours to submit the documentation. How did you prepare for such a long exam?
Usually, Offensive Security certifications are very long. That means you always must be prepared for a long day. So it is important to take breaks from time to time to have a clear mind and not feel so exhausted.
During the preparation, I had long study days trying to simulate how the exam would be. This helped me to be prepared.
How did you manage the time they gave you?
I divided the 48 hours into equal parts. This is the time I set out to use at most for each exercise. And I established that I would move on to the next exercise in the event that I ran out of time.
Once the exam began, I dedicated myself to understanding what they asked me to do in each exercise and what requirements I should take into account for the documentation.
During the exam, every two hours, I took a small break to clear my mind. It is important to take these short breaks so you don’t feel so exhausted with each exercise. You also have to take hours to sleep because the day is very long and the time you have scheduled is enough to perform the exercises and get rest.
The exam asks you to be familiar with debuggers (ImmunityDBG, OllyDBG), basic 32-bit exploitation concepts and to be comfortable with Python 3. Do you think they are sufficient requirements, or would you add some other skills to be prepared for the exam?
The course begins by explaining the 32-bit architecture. Then Offensive Security explains how WinDbg, the debugger used in the course, works. If you’re familiar with these concepts, it will allow you to better understand and move faster during this part.
On top of that, it would be valuable to understand how a Buffer Overflow works. And finally, it would be nice to have a basic knowledge of Reverse Engineering.
Tell us a bit about your experience at the time of the exam. How did you feel before and during the exam?
Before the exam, I was a little nervous because I don’t have much experience doing Reverse Engineering, which is an essential part of the exam. But it is also important to clarify that the course material is sufficient to pass the certification.
The exam is a roller coaster of emotions. There are moments when you feel bad because you have not advanced for a while, but then you find something that you had missed and that allows you to move forward. When that happens, you get a boost of encouragement and confidence to continue with the exam.
How were your preparation days?
The course lasted two months, during which I had access to the laboratory. During this period, I studied every day from 2 to 4 hours after work. When this time ended, I started studying by replicating my own exploits in ExploitDB. After that, I continued with a routine like the previous one: two to four hours of work.
Did the pandemic change anything about how you took this exam compared to others you’ve taken?
No. Every certification that I have taken has been during the pandemic, so there is no change. On the contrary, I think the pandemic gave me more time to study.
What was the hardest part of the exam? And how did you respond to that?
For me, the most challenging thing about the exam was finding the vulnerabilities using Reverse Engineering. Since I knew it would be difficult, I practiced a lot on how to reverse applications with already known vulnerabilities.
Will you have to take any certificate renewal exams?
No, none of the Offensive Security certifications expire. It is enough to get them once.
Any tips for preparing for this particular exam?
I would recommend that, before starting the course, you study Reverse Engineering, Buffer Overflows and techniques to exploit them, because the better these topics are understood, the better your performance will be during the exam and the course.
What’s next after this certification?
Thank you so much, Óscar, for taking the time to share your experience with the OSED certification.
Fluid Attacks is very proud of Óscar's achievement!
We do not stop in our mission to offer the best red team to our clients. That's why we are constantly facing new challenges and strengthening our ethical hacking
If you want to know more about the certifications that the members of our red team have obtained, you can follow this link.
Contact us if you want our red team to search for complex vulnerabilities in your software. Or enjoy our offer now of a 21-day free trial of security testing with our automated tools. You can upgrade at any time to include red team operations.