Corelan vs ‘The must have certification’ (a.k.a Offensive Security – OSCP):
Corelan Expert Windows Stack Exploitation – by Peter Van Eeckhoutt


Intro


To begin, let me start by providing some context for the title of this article.

On January 31st, just three months after I achieved my OSCP certification, my Offensive Security subscription—costing roughly US$5999/annum—was unexpectedly suspended without any prior warnings or alerts.

I am grateful for the tremendous support during the arduous three-month 'investigation' that culminated in a 'lifetime ban' from Offensive Security, although I retain my certification (thanks, I suppose?). Devastating as it was, I must continue what I’ve set out to achieve: becoming the best, in my own right.

It's ultimately their decision, and I respect that. Will I continue to appeal? Honestly, no; after all, it was my oversight.

Despite it all, upon deep reflection, the truth is that the assumed status of OffSec is not as unassailable as it seems. The rapid evolution of technology and the cybersecurity world has left much of their material outdated and largely irrelevant—today, their greatest strength appears to be their marketing prowess, not their educational content, ever since the OG founders of the company left.

https://www.glassdoor.sg/Reviews/Offensive-Security-Reviews-E2376305.htm

My experience with Offensive Security.

For more details on my experiences with Offensive Security, feel free to explore my medium post here: TLDR: I got lifetime banned from Offensive Security. What's next? Is my goal and dream over? Maybe.

The judgement is yours to make.

So yes, with the stat-padding mindset out of the picture, what’s next? Time will tell. And Iwnl. #Westbrook


My Review of Corelan


With that, this brings me to what I really want to talk to you about today: the chain of unfortunate events that led to a spur of adrenaline and ‘impulsive decisions’, and to the best 5 days of my Cyber Sec journey!

Well {spoiler}, I made a spontaneous decision to fly for ….

  • BRUC0N (Belgium) 2024 Spring x Corelan Expert-Level Windows Stack Exploitation (1 week before the event)

BRUCON 2024 Spring x Corelan Expert Windows Stack Exploitation

  • For those of you that have not heard of BRUC0N, here’s their official site: https://www.brucon.org/2024/. Anyhow, it’s basically an annual 3-day live conference for OG security enthusiasts! #Hackingforbeers


Why choose Corelan over the corporate giants

Like many of us that first started out in Cyber, I was so accustomed to the convenience of “on-demand learning”: dipping into the basics of our passion and learning at our own pace.

So naturally the first big question is:

  1. “What significant knowledge could possibly be gained from just 3 days of live instruction? Can I really learn something incredible?”

Followed by,

  2. “Will my investment of time & money spent travelling to Belgium be worth it?”

Short Answer to these questions: Hell yeah! (SC316)

The Cybersecurity Training Scene

In fact, there’s an abundance of leaked resources out in the wild, consolidated by a certain Iranian team, if PDFs and videos are all you think you need. Mirroring some profit-focused providers, who prioritise earning over the comprehensive well-being of learners.

(Disclaimer: I am not encouraging piracy; what you choose to do is your choice. It’s just a known fact.)

Truth is, this misguided perspective also highlights a pervasive issue within the Cyber industry, where certifications are often perceived by human resources as actual skills, diminishing the authentic competencies, passion and potential of truly skilled individuals, all while encouraging some to blindly pursue these certifications primarily for the prospect of higher salaries.

Unfortunately, the above applies to many of the newcomers misled into believing some absurdly overpriced certifications are the only path forward, me included.

For instance, here's one of the pretty popular “Security Roadmaps” out there, by Paul Jerimy: https://pauljerimy.com/security-certification-roadmap/

(I really like the idea of it, but now I see how it could be detrimental to our mindset too. Anyhow, it’s subjective, and the level of difficulty & substance of the trainings can only be rated by you yourself.)

In retrospect, the real OGs in our field started by exploring through trial and error, thinking outside the box, and hacking systems driven by sheer passion.

In fact, this is why our industry even exists, IMO. I sincerely hope this misconception will be balanced out over time, but for now, I’m not too hopeful. Strong recognise the strong.


Value for money.

Alright, enough of the rants and let’s get back to today’s subject: Corelan Expert Stack Exploitation and why I highly recommend Peter’s class over some of his competitors.

For one, it’s reasonably priced considering the 20 years of condensed exploitation knowledge Peter has self-developed. And it’s very apparent that Peter’s focus is knowledge transfer for the passionate and hungry new generation, and not merely profiting off learners. Otherwise, he would not have chosen the closed-source, in-person and even time-consuming route to guide and inspire his students.

My Summary Overview:

(This app is called 'Forest', for those who are curious about the productivity app I used to keep track of progress.)

In total, we spent approximately 32 hours of training together, excluding homework time, where we brought the labs home to finish.

Minus maybe around 7 hours of self-study time, we averaged around 11 hours a day together. Insane, huh.


The Boot Camp


(D - 1) April 16th, 2024, Tuesday.

Finally, after some 16+ hour marathon of travel and flight time, I’m here, BRUSSEL!

First impression? FRESH AIR~~~! The weather’s perfect! After a quick smoke, it’s time to head out to my AirBnB apartment by train. Pro-tip: always print out all your travel documents; it’ll come in handy, especially when your mobile data is moving at a snail’s pace.

The Tourist

In true character, showcasing my legendary knack for minor mishaps, I managed to disembark at Mechelen Main Station instead of Mechelen – Nekkerspoel (one stop earlier than the intended destination). The difference being 40 mins of pulling 20 kg of luggage vs a 10 min breezy walk to my apartment. Well, it was a good workout for the day at least.

I spent most of my first day exploring and marvelling at the stunning European architecture and quaint town of Mechelen. First visiting Saint Rumbold’s Cathedral, to get a good prayer in before the training begins (what a breathtaking interior). Then indulging at Beastie Burger for dinner, which introduced me to the ‘Terminator’, a burger marked with a 3x spiciness level. Hmm… maybe because I’m Asian, but nonetheless, VERY shiok.

Saint Rumbold's Cathedral - Belgium. Mechelen
'The Terminator'

With my stomach filled, it’s time to retreat to my apartment and prepare for Corelan’s bootcamp the next day. I revisited some of Sekt0r7’s Malware Development Essentials materials and turned in by 9pm, heeding Peter’s advice. I’m glad I followed it.

(D Day) April 17th, 2024, Wednesday.

Still feeling a little jetlagged, my alarm went off at 6am. Excited for Day 1, I got on my trusty ‘Thompson Bicycle’, so kindly procured by my AirBnB host… and here we go, heading towards the Novotel @ Mechelen, where the “Hell Week Boot Camp” begins. We begin at approximately 8:30am, where the 5 other “Zai Kias” (the Singaporean slang for insanely skilled individuals), scattered from all around the globe, gather, and lo and behold, Peter Sensei.

Setting the ground rules:

Of course, we begin the class by signing an NDA; after all, there’s a reason why all the techniques we’re about to learn are only available through in-person training with Peter, and not ‘on-demand’. What I really like about this is the openness and thorough understanding between the Corelan team and ourselves on our ethical responsibilities for the knowledge we’re about to acquire, which are not just hidden behind little scribbles of T&Cs you’ll usually just ‘agree’ to online. I know… I know, you should read it.

We then kicked off with personal introductions, each sharing our professional backgrounds and, more importantly, the unique motivation behind what brought us all here. To add a dynamic twist for a conducive learning environment, we unanimously agreed to incorporate a unique challenge: to do X push-ups for any phone that dared to disrupt the class, for tardy returns from our breaks and for unscheduled class departures. A tribute to solidarity: ‘one for all, all for one.’

X86 Windows Sys Architecture, Userland, Kernel, Registers and ASM

We started off with an introduction unravelling the x86 system architecture, from the Microsoft Windows OS userland (ring 3) right down to kernel internals (ring 0) and how it interacts with the hardware, with a heavy focus on CPUs, laying the groundwork of knowledge required to exploit Microsoft’s x86 Windows systems.

Then came the transition from CPU registers, ASM (Assembly Language) to Opcode in Metasm.

At this point, I thought I’ll manage the class with ease. Well, my confidence was short-lived.

Things escalated from 0 to 100 real quick.

We were thrust into ASM labs that demanded out-of-the-box thinking: crafting compact, null-byte-free opcodes in Metasm, all while adhering to the ‘x’ requirements set out by the lab exercise (for a good reason).

The deep dive into x86 Windows stack exploitation only went deeper from this point on, and it’s clear we’re never really going to come back to the surface anytime soon.

Somewhere between the 6th and 7th hour of the training, I really started to question my life choices and whether I am technically proficient enough to call myself a Cybersecurity Professional.


Good exploit writing practices

On a lighter note, the mantra “if people tell/teach you to use NOPs (without a clear reason), run away as fast as you can, as far as you can” really cracks me up, because it quietly reaffirmed that my choice of Corelan, and of moving away from mainstream options, was right.

For the bulk and rest of the class, we delved into the tools Immunity Debugger and mona.py, a remarkable creation written by Peter himself. If you’d like to know more about the tool, you can find it here: https://github.com/corelan/mona.

Stack Buffer Overflow & SEH Overwrite

Using these tools, we began our official introduction to Stack Buffer Overflows, exploring how we can “smash and manipulate the stack” through a combination of techniques like SEH overwrites, function pointers, and SafeSEH (SRP) overwrites.

Lab time:

The first objective was to trigger a stack buffer overflow, analyse the SRP behaviour, the ESP register and RETN, and come up with a creative strategy to achieve the ‘win’: code execution.

We finished off the day with a homework assignment centred on CVE 20XX-XXXX; the objective was to use an SBO to gain EIP control and, obviously, shellcode execution. The exploit, of course, required applying the knowledge we had acquired through the day. This included the appropriate use of NOP sleds with surgical precision, all to ensure our exploit executes reliably.

Well, with all that said. We officially ended day 1 of the bootcamp at….

(D+2) April 18th, Thursday

BAD Chars

Kicking off from where we left off with SEH & the lab assignment, we then dove into the realm of ‘Bad Chars’, most notably how bad characters can lead to shellcode corruption. Once again, with a little help from mona.py to identify these problematic chars, we then moved on to cleaning up and employing effective shellcode via the Metasploit framework.
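To make the bad-character workflow concrete, here is an added example (not Corelan or mona code) that automates the round-by-round comparison a tester does with mona's pattern and compare: send every byte value, find the first byte that was dropped, replaced or cut off, exclude it and resend until the copy in memory matches. `simulated_target` is a constructed stand-in for reading the buffer back from the debugger.

```python
"""Iterative bad-character hunt, as done by hand with mona's pattern/compare.

Added example, not Corelan or mona code. Send every byte value, compare what
lands in memory with what was sent, record the first byte that was dropped,
replaced or where the copy was cut short, remove it and repeat until the two
agree. `simulated_target` is a constructed stand-in for the debugger read."""


def full_pattern(exclude=()):
    """All 256 byte values in order, minus the ones already known to be bad."""
    return bytes(b for b in range(256) if b not in exclude)


def simulated_target(data):
    """Constructed input handling: strcpy-style truncation at the first NUL,
    line feeds dropped, carriage returns turned into spaces."""
    data = data.split(b"\x00", 1)[0]
    return data.replace(b"\x0a", b"").replace(b"\x0d", b" ")


def first_mismatch(sent, observed):
    """Offset of the first byte that differs, or -1 if the copy is intact.
    A short `observed` counts as a mismatch at its end (truncation)."""
    for i, b in enumerate(sent):
        if i >= len(observed) or observed[i] != b:
            return i
    return -1


def hunt_bad_chars(target, max_rounds=16):
    """Return the sorted list of bad byte values for `target`.

    Only the first mismatch per round is trusted: a dropped byte shifts every
    later byte, so everything after it looks corrupted until it is excluded."""
    bad = set()
    for _ in range(max_rounds):
        sent = full_pattern(bad)
        idx = first_mismatch(sent, target(sent))
        if idx == -1:
            return sorted(bad)
        bad.add(sent[idx])
    raise RuntimeError("pattern still corrupted after %d rounds" % max_rounds)


if __name__ == "__main__":
    print([hex(b) for b in hunt_bad_chars(simulated_target)])
```

Against a real target, `target` would be replaced by a function that sends the pattern and reads the landed bytes back from the debugger; the one-bad-char-per-round rule is what keeps a single dropped byte from being misread as dozens of bad ones.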

Egg Hunters!

Then we tackled my personal favourite: Egg Hunters! Originally the brainchild of Matt Miller (@epakskape). Hm…. To sum it up for those who are new to the concept of Egg Hunters, it’s kind of like the Houdini of exploit writing: the Egg Hunter magically loops the stack memory space to locate the shellcode. Though the original Egg Hunter has become obsolete… the good news is Peter developed a new rendition of the technique that works around the security mitigations. Zai kia.

If you’d like to read up more on the technical documentation of Egg Hunters, you can find an article published by the Corelan team here: https://www.corelan.be/index.php/2019/04/23/windows-10-egghunter/
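The search itself is not magic, and the following added simulation (my own code, not Corelan's egg hunter) shows the mechanics: walk the address space, skip unmapped pages rather than faulting on them, and stop at the first doubled 8-byte egg. The memory layout, the `w00t` tag and the `FakeMemory` class are all constructed for the demo.

```python
"""Simulated egg hunt over a sparse 32-bit address space.

Added example, not Corelan's egg hunter. It models the search the review
describes: walk memory page by page, skip pages that are not mapped, and stop
at the first 8-byte doubled egg, returning the address of the shellcode that
follows it. The memory layout below is constructed for the demo."""
PAGE = 0x1000


class FakeMemory:
    """Page-aligned mapped regions: {base_address: bytes}. Everything else faults."""

    def __init__(self, regions):
        self.regions = regions

    def readable(self, addr):
        return any(base <= addr < base + len(buf) for base, buf in self.regions.items())

    def read(self, addr, n):
        for base, buf in self.regions.items():
            if base <= addr < base + len(buf):
                return buf[addr - base:addr - base + n]
        raise MemoryError(hex(addr))


def egg_hunt(mem, egg=b"w00t", start=0, end=0x00400000):
    """Return the address right after the doubled egg, or None if absent.

    A real hunter cannot simply dereference memory: touching an unmapped page
    would crash the process, so it first asks the kernel whether the page is
    valid and, if not, skips the whole page (mappings are page-granular)."""
    addr = start
    while addr < end:
        if not mem.readable(addr):
            addr = (addr | (PAGE - 1)) + 1  # jump to the next page boundary
            continue
        # The tag is doubled so the hunter's own copy of the 4-byte tag never matches.
        if mem.read(addr, 8) == egg * 2:
            return addr + 8
        addr += 1
    return None


def build_sample_memory():
    # Stack-like region holds a single copy of the tag: must not match.
    stack = b"B" * 32 + b"w00t" + b"C" * 32
    # Heap-like region holds the doubled egg followed by a marker for the payload.
    heap = b"A" * 100 + b"w00tw00t" + b"\xcc" * 4
    return FakeMemory({0x0012F000: stack, 0x00350000: heap})


if __name__ == "__main__":
    hit = egg_hunt(build_sample_memory())
    print(hex(hit) if hit is not None else "egg not found")
```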

Lab time:

The aim was to get a real-world feel for the exploit development process, not to get tangled up in MS security mechanisms; therefore we selected a straightforward application for our lab exercise, an ‘educational platform application’.

With custom scripts prepped by the Corelan team, we witnessed first-hand the rebirth of Egg Hunters… then, just a few moments later… ‘aha, shell’. Bloody magical.

Truth is I’m still piecing together how all this works. But the homework I’m taking back with me to Singapore, will at least keep my mind entertained for the rest of the year.

Before I knew it, we had reached the end of the class… I didn’t even bother looking at the clock at this point. My brain cells were packed full of exploit development techniques. Honestly, I felt overwhelmed at this point, but I guess that’s the nature of the beast, right? LOL.

Finally, we wrapped up the day with homework. The goal was to apply the knowledge we learnt on MSF and Egg Hunters to tackle an older web hosting app that could still be active out there. Anyhow, a practical opportunity to test what we’ve learnt in a real-world scenario.

By the time training ended, it was so late it alarmed my AirBnB host, who was concerned for my safety lol.

(D+3, the last) April 18th, 2024, Tuesday.

The Final Day: Mastering Advanced Exploit Techniques

Into the last day of our intensive training, with anticipation of the challenge of mastering some of the most advanced exploit techniques in cybersecurity.

Our focus was on overcoming key security mechanisms in Windows x86 systems, viz. bypassing ASLR and DEP through a meticulously crafted ROP chain.

ROP Chaining Mastery

The day's sessions were dedicated to ROP chaining, a critical skill for any serious exploit developer. This technique involves constructing a chain of snippets of existing code already present in a system’s memory—called "gadgets"—to execute arbitrary operations. It’s like assembling a puzzle, where each piece is a snippet of code that, when aligned correctly, forms a picture that the system didn't intend to display.

Peter introduced us to two unique ROP techniques that leveraged vulnerabilities within the x86 architecture. These methodologies are not just theoretical; they are battle-tested approaches refined through decades of real-world application and research by Corelan team.

Live Application: Network Analyzer CVE Exploitation Lab

The highlight of the day was the hands-on lab, where we applied our accumulated knowledge to a famous CVE affecting a Network Analyzer. The exercise involved causing memory corruption and then, with surgical precision, pivoting to gain control of the shell using the ROP techniques imparted. This challenge required us to synthesise all of our learning from the Corelan Stack Exploitation course to execute a successful exploit.

For those curious about the intricacies of the techniques we explored, Peter has extensively documented his research and findings on the Corelan website over the past two decades. Check it out if your brain can handle it.


Reflection


Here's a summary of my key takeaways and reflections from the past months, including what I've learned from Corelan's training:

Corelan Expert Windows Stack Exploitation:

  • X86 Stack Architecture - Explored the structure and vulnerabilities of the x86 stack architecture, crucial for understanding how to manipulate and exploit Windows systems effectively.

  • Stack Overflow vs. Stack Buffer Overflow - Differences and implications of these common vulnerabilities explored within application security.

  • ASM & Registers (Assembly Language) - Explored fundamental concepts of assembly language and registers, essential for understanding low-level software operations and exploit writing.

  • Egg Hunter (Omelette Hunter) - Detailed examination of techniques for locating shellcode in memory, particularly in restricted environments.

  • Writing Exploits for Metasploit Framework (MSF) - Practical sessions on developing and integrating exploits into the MSF, enhancing both learning and application of exploit development.

  • SEH (Structured Exception Handling) Overwrite - Practiced tactics for exploiting SEH overwrites, a critical technique in bypassing standard security measures in Windows environments.

  • ASLR (Address Space Layout Randomization) Bypass - Demonstrated techniques to circumvent ASLR, pivotal for successful exploitation under fortified security conditions.

  • DEP (Data Execution Prevention) Bypass - Explored strategies to overcome DEP restrictions, essential for executing arbitrary code on protected systems.

  • ROP Chains (Return-Oriented Programming Chains) - Delved into creating ROP chains to execute arbitrary code sequences without the need for new code, essential for modern exploitation techniques.

  • Practical Application and Labs - Applied learning in labs with real-world applications like Network Analyzer CVE exploitation, emphasizing the practical implementation of theoretical knowledge.

yay! More homework to go xD


And the Mandatory Hackers Group Photo



Beyond Conventional Training: My Take on Advancing Cybersecurity Expertise


Let’s pivot back to the topic of self-development (for the big brains), specifically for those who thrive on intellectual challenges. While I cannot comment on other cybersecurity training that I have not participated in, I am compelled to highlight the unparalleled quality of Corelan's training in comparison to some of the other “on-demand” training options out there.

Peter's proprietary TTPs in Windows Stack/Heap Exploitation stand out significantly.

Why?

As of the date of this article, Corelan’s upcoming Heap Exploitation class features the only technique I'm aware of that has successfully bypassed the modern security mechanisms of Windows 11 x64.

This breakthrough underscores not only the advanced level of Peter’s proprietary hacking knowledge imparted in our trainings, but also demonstrates its effectiveness in real-world adversarial attacks targeting organizational Microsoft Windows defences — the operating system (OS) predominantly used by 72% of organizations, as reported by Statista.

In comparison,

While my access is now restricted/limited, it’s clear that most of the “on-demand” materials/models are outdated & obsolete, and predominantly… profit-driven (often repackaging publicly available knowledge). For one, I can say most of the OSCP/OSEP evasion techniques I’ve picked up are not practical nor working in real-world environments anymore. They’re more of a good-to-know basis/fundamentals.

Many of us value practical, real-world experiences and solving technical problems, not just accolades.

For instance, J, a Red Teamer at one of the largest Dutch firms, shared some enlightening stories:

  • 'Our team works with a 14-year-old whiz kid who approached us. At first, we thought it was a joke, but his brilliant mind convinced us he was indispensable.'
  • 'Another friend, a top 100 hacker in Google's CTF, was only offered €30,000 a year due to lacking the 'right' qualifications. Despite his proven skills, he was undervalued, a clear misstep by the hiring team driven by outdated criteria.'

With all that said, I look forward to hearing more about what you think on this topic and whether there’s any other interesting area we can discuss as a community. So please feel free to drop me an e-mail @[email protected]

Fun fact: we will also be launching a podcast channel on topics relating to Cyber soon!

Other recommendations:

  • Corelan Expert Stack & Heap Exploitation
  • Sekt0r7
  • MalwareDev
  • ZeroPoint Security (CRTO I & CRTO II) by RastaMouse
  • Tryhackme (Beginner friendly)
  • HackTheBox

Well, my flight home’s touching down now. Till next time!


"Source: Statista. (2024). Global market share of Microsoft Windows."

Stevenson Tan

Student at asd

10 months

The part on egghunters is wrong; it does not just look through the stack space but actually the entire VAS of the process. And it is also not magical lmao; it uses an algorithm to iterate through the memory and compare whatever that particular section of memory is pointing to to the egg you are finding.

Sebastian Teh - Retire_in_Johor Podcast

Creative Director at 1MCGroup Pte Ltd | Networking Coaching | Events Management | Podcast

10 months

Wow.

Daniel Tan Zhen Fong

Singapore’s #1 Peak Performance Coach | Transforming Busy Professionals into Leaner, Sharper, High Achievers

10 months

Amazing!
