OSED certification obtained. How is it and is it worth it?

On January 28, 2023, at 6:45 AM in the morning I sat down for my OSED exam… what a journey it was.

The course

The OSED course is good, but by far not the best Offensive Security course. It focuses on the exploit development part of the old OSCE course, and it shares some of its weaknesses. In a world where 64-bit is now the norm, and where most software is actually compiled with SafeSEH or other stack protections, some parts of the course will feel a bit outdated.

However, it’s fair to say that the concepts are still valid and that the course does a great job in guiding the student through the whole exploitation process in several different scenarios. There is also some undeniable satisfaction that comes when seeing your own ROP chain actually working out and delivering a reverse shell.

From the material point of view, it shares a lot with the old OSCE course, with the only big additions being the DEP bypass section and the format string vulnerabilities. There’s a lot of focus on reverse engineering, and the course here does what it can, i.e. giving the student a good overview of what tools are available, the goals and a general strategy. However, reverse engineering is such a complicated process that it’s not something that can be learnt from a course. If you ask me “I give you a vulnerable binary and a PoC exploit, can you make a ROP chain?”, I answer “Yes”. If you ask “Can you reverse engineer this binary?”, I answer “Yeah… let me see… I can try!”.

Some interesting topics from the old OSCE certification are instead missing: the manual shellcode encoding and the backdooring of PEs. I found those two topics from the old OSCE quite interesting, and fun, and it seems that now they are gone from the Offensive Security catalog.

The exam

The exam is at the same time incredibly easy and incredibly stressful. It’s made of 3 exercises, revolving around exploit development, custom shellcode development and reverse engineering. The exam has a total of 100 points and the exercises are worth 30/30/40 points each. This means that if you complete the two exercises worth 30 points, you already have enough to pass and can attempt the third exercise just for fun.

And in my experience, the two exercises worth 30 points are incredibly easy, almost educational. To use again the example I used before, they both fall into the category of exercises that you know you can do while you read them. Like, you learnt this stuff, there cannot be any surprises, rabbit holes, moments of not knowing if you have to go deeper or change approach… they are pieces of cake. It took me about 5 hours each to complete them, so before the end of the first day I knew I had enough points to pass the exam.

And then, I started the reverse engineering challenge. It was a wild ride, with opcodes I had never seen before, a customized protocol, a customized checksum calculation, and so on. I managed to reverse engineer the protocol, to find an ASLR bypass and a DoS vulnerability caused by an access violation… but I couldn’t find a memory corruption that would give me control of EIP.

I spent the first evening and the whole second day working on this exercise, but every path that I tried seemed to have some blocker that was outside of my control. And the more tired I was getting, the more I realized that my chances of figuring out what I was missing (in which one of the many paths I had already tried?) were decreasing with time.

Anyway, I went to work the next morning and started writing my report around 5:30 PM… and finished at 2:20 AM. I swore to myself that if I didn’t pass, I would not try this one again. Attempting to complete it at all costs, even if it wasn’t needed, was physically and mentally exhausting.

How to prepare for it?

Go on exploit-db and search for binary exploits that have the software attached. Enable DEP using system settings and develop ROP chains as if there is no tomorrow. Feel brave? Reverse engineer the application yourself. Have a look at the available shellcode in msfvenom, get ideas about possible shellcode and try to make your own that achieves the same result. Some ideas? Write a first stage shellcode that connects back to your machine, receives more shellcode and executes it. Make shellcode to execute system commands. And make sure that your shellcode is always null free and position independent. And, of course, do all the extra miles and challenges in the course. Many of them are not there just to waste your time; they are there to help you with research and preparation for the exam. This, it seems to me, is a constant of all Offensive Security courses. Do not ignore them!

Is it worth it?

Overall I would say OSED is worth it. It’s good knowledge, it’s fun and the technicalities of it are quite interesting if you like this stuff. It’s challenging and will push you to be creative. But if you are looking for something that can be immediately impactful on your day-to-day work, then probably this should not be your first choice.

If you don’t have the other certifications, I would recommend doing OSWE and OSEP first. The first gives you a very good, up-to-date knowledge of web application vulnerabilities and also, to some extent, web development. The second is very good for red teaming, but also gives you an attitude towards building your own tools to evade detection (and, absurdly, this can be handy when your employer has too many restrictions about what tools you can use, while also requiring you to do things for which you need those tools).

What next?

A break. I deserve it.