WarLord Posted January 13, 2019

https://www.jollyfrogs.com/osee-awestralia-2018-preparations/

OSEE - AWEstralia 2018 preparations

Living in Australia, the total cost of attending the AWE training in Vegas, including flights and hotel, would exceed AUD 10,000. So instead I decided to ask the Offensive Security trainers if they wanted to come and deliver the AWE training in my home town of Brisbane, Australia. I was able to rally together a few large companies interested in participating in the training. We now have over 25 interested people - enough for Offensive Security to come to Brisbane and host the training right here in Australia! Since the training is called Advanced Windows Exploitation (AWE), we call the training AWEstralia 2018 - it will be a lot of fun!

This post is to help myself and other participants prepare for the AWE exam. Many thanks to Alpine for helping put together this guide. This guide was written based on existing AWE (OSEE) reviews and the official AWE syllabus topics. We're in the preparation stages now - lots of learning and finding good resources to prepare for the onslaught of AWE. Offensive Security has not yet confirmed a date for 2018 but we expect them to confirm very soon. The date will be around May 2018 and the course will be held in Brisbane, Australia. If you'd like to join us, please contact me on TheFrog at jollyfrogs -dot -com.
WinDBG usage

AWE students are expected to know how to use the WinDBG debugger.

WinDBG general information: https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/
WinDBG configuration: https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/getting-started-with-windows-debugging
WinDBG configuration in VMWare: http://silverstr.ufies.org/lotr0/windbg-vmware.html
WinDBG configuration in VirtualBox: https://hshrzd.wordpress.com/2017/05/28/starting-with-windows-kernel-exploitation-part-1-setting-up-the-lab/
WinDBG Lab: https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/debug-universal-drivers---step-by-step-lab--echo-kernel-mode-
WinDBG useful commands reference: https://briolidz.wordpress.com/2013/11/17/windbg-some-debugging-commands/

Module 0x01 Custom Shellcode Creation

http://www.securitytube-training.com/online-courses/securitytube-linux-assembly-expert/index.html
http://www.securitytube-training.com/online-courses/x8664-assembly-and-shellcoding-on-linux/index.html
SLAE32 and SLAE64 discount code
https://www.fuzzysecurity.com/tutorials/expDev/6.html
https://blahcat.github.io/2017/08/14/a-primer-to-windows-x64-shellcoding/
The Shellcoder's Handbook
http://sh3llc0d3r.com/windows-reverse-shell-shellcode-ii/
http://blog.harmonysecurity.com/2009/06/retrieving-kernel32s-base-address.html
http://nagareshwar.securityxploded.com/2013/09/21/using-peb-to-get-base-address-of-kernelbase-dll/
http://www.rohitab.com/discuss/topic/38717-quick-tutorial-finding-kernel32-base-and-walking-its-export-table/
http://www.hick.org/code/skape/papers/win32-shellcode.pdf
http://expdev-kiuhnm.rhcloud.com/2015/05/22/shellcode/
https://www.offensive-security.com/vulndev/fldbg-a-pykd-script-to-debug-flashplayer/
https://exploit.courses/files/bfh2017/day6/0x60_WindowsExploiting.pdf
https://secure2.sophos.com/de-de/medialibrary/PDFs/other/Comprehensive-Exploit-Prevention.ashx

Module 0x02 DEP/ASLR/EMET Bypass and Sandbox Escape via Flash HeapSpray

https://www.offensive-security.com/vulndev/disarming-and-bypassing-emet-5-1/
https://www.offensive-security.com/vulndev/disarming-emet-v5-0/
https://www.offensive-security.com/vulndev/disarming-enhanced-mitigation-experience-toolkit-emet/
https://www.blackhat.com/presentations/bh-europe-07/Sotirov/Whitepaper/bh-eu-07-sotirov-WP.pdf
https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/
https://www.fuzzysecurity.com/tutorials/expDev/8.html
https://www.fuzzysecurity.com/tutorials/expDev/11.html
https://www.corelan.be/index.php/2016/07/05/windows-10-x86wow64-userland-heap/
https://www.corelan.be/index.php/2013/01/18/heap-layout-visualization-with-mona-py-and-windbg/
https://www.corelan.be/index.php/2013/02/19/deps-precise-heap-spray-on-firefox-and-ie10/
http://gsec.hitb.org/sg2016/sessions/look-mom-i-dont-use-shellcode-a-browser-exploitation-case-study-for-internet-explorer-11/
https://github.com/shellphish/how2heap
https://0x00sec.org/t/heap-exploitation-abusing-use-after-free/3580
http://expdev-kiuhnm.rhcloud.com/2015/06/02/ie11-part-1/
http://expdev-kiuhnm.rhcloud.com/2015/06/02/ie11-part-2/
http://expdev-kiuhnm.rhcloud.com/2015/06/01/ie10-use-free-bug/
https://sites.google.com/site/zerodayresearch/smashing_the_heap_with_vector_Li.pdf
http://blog.morphisec.com/exploit-bypass-emet-cve-2015-2545
http://casual-scrutiny.blogspot.sg/2015/01/simple-emet-eaf-bypass.html

Module 0x03 32-bit Kernel Driver Exploitation

https://www.offensive-security.com/vulndev/ms11-080-voyage-into-ring-zero/
https://github.com/hacksysteam/HackSysExtremeVulnerableDriver
https://theevilbit.blogspot.sg/2017/09/pool-spraying-fun-part-1.html
https://theevilbit.blogspot.in/2017/09/windows-kernel-pool-spraying-fun-part-2.html
https://theevilbit.blogspot.in/2017/09/windows-kernel-pool-spraying-fun-part-3.html
https://www.fuzzysecurity.com/tutorials/expDev/14.html
https://www.fuzzysecurity.com/tutorials/expDev/15.html
https://www.fuzzysecurity.com/tutorials/expDev/19.html
https://www.whitehatters.academy/intro-to-windows-kernel-exploitation-2-windows-drivers/
https://foxglovesecurity.com/2017/08/25/abusing-token-privileges-for-windows-local-privilege-escalation/
https://glennmcgui.re/introduction-to-windows-kernel-exploitation-pt-1/
https://glennmcgui.re/introduction-to-windows-kernel-driver-exploitation-pt-2/
http://srcincite.io/blog/2017/09/06/sharks-in-the-pool-mixed-object-exploitation-in-the-windows-kernel-pool.html
https://github.com/hatRiot/token-priv
https://rootkits.xyz/blog/2017/06/kernel-setting-up/
https://rootkits.xyz/blog/2017/08/kernel-stack-overflow/
https://rootkits.xyz/blog/2017/09/kernel-write-what-where/

Module 0x04 64-bit Kernel Driver Exploitation

http://trackwatch.com/windows-kernel-pool-spraying/
https://blahcat.github.io/2017/08/31/arbitrary-write-primitive-in-windows-kernel-hevd/
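The Module 0x01 links on retrieving kernel32's base address and walking its export table describe the core trick behind position-independent Windows shellcode: no import table, so the code finds kernel32 through the PEB and then resolves functions by hashing export names. The following is an added example written for this post, not code from the original page or from any of the linked articles. It implements the export-table walk and a ROR13 name hash in portable C over a constructed, minimal PE32 image held flat in a byte array (so RVA equals buffer offset and it runs on any host); the export names, ordinals and RVAs in that image are made up for the demonstration. On Windows the `base` argument would be the real kernel32 base taken from the PEB loader list, which this example does not do.

```c
/* Added example: resolving an export by ROR13 hash, as Windows shellcode does.
 * The PE image is constructed here and is not a real DLL. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Little-endian field access into the flat image. */
static uint16_t rd16(const uint8_t *b, uint32_t o) { return (uint16_t)(b[o] | (b[o + 1] << 8)); }
static uint32_t rd32(const uint8_t *b, uint32_t o)
{
    return (uint32_t)b[o] | ((uint32_t)b[o + 1] << 8) | ((uint32_t)b[o + 2] << 16) | ((uint32_t)b[o + 3] << 24);
}
static void wr16(uint8_t *b, uint32_t o, uint16_t v) { b[o] = (uint8_t)v; b[o + 1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *b, uint32_t o, uint32_t v) { for (int i = 0; i < 4; i++) b[o + i] = (uint8_t)(v >> (8 * i)); }

/* ROR13 hash over the name including its terminating NUL (rotate, then add each
 * byte), in the style of skape's paper and Metasploit's block_api. Other
 * shellcode families use different rotate counts or seeds. */
static uint32_t ror13_hash(const char *s)
{
    uint32_t h = 0;
    const unsigned char *p = (const unsigned char *)s;
    do {
        h = (h >> 13) | (h << 19);
        h += *p;
    } while (*p++);
    return h;
}

/* Constructed PE32 image: DOS header, NT headers, an export directory with three
 * names whose ordinal table deliberately does not match name order. */
#define IMAGE_SIZE 0x400
static uint8_t g_image[IMAGE_SIZE];
static const char    *k_names[]     = { "GetProcAddress", "LoadLibraryA", "VirtualAlloc" };
static const uint16_t k_ordinals[]  = { 2, 0, 1 };                 /* index into AddressOfFunctions */
static const uint32_t k_functions[] = { 0x1000, 0x2000, 0x3000 };  /* hypothetical function RVAs */

static const uint8_t *build_image(void)
{
    uint32_t nt = 0x80, opt = nt + 4 + 20, exp = 0x200;
    uint32_t funcs = 0x240, names = 0x260, ords = 0x280, strs = 0x300;
    memset(g_image, 0, sizeof g_image);
    wr16(g_image, 0x00, 0x5A4D);       /* "MZ" */
    wr32(g_image, 0x3C, nt);           /* e_lfanew -> NT headers */
    wr32(g_image, nt, 0x00004550);     /* "PE\0\0" */
    wr16(g_image, opt, 0x10B);         /* optional header magic: PE32 */
    wr32(g_image, opt + 0x60, exp);    /* DataDirectory[0] = export directory RVA */
    wr32(g_image, opt + 0x64, 0x200);  /* DataDirectory[0] size */
    wr32(g_image, exp + 0x14, 3);      /* NumberOfFunctions */
    wr32(g_image, exp + 0x18, 3);      /* NumberOfNames */
    wr32(g_image, exp + 0x1C, funcs);  /* AddressOfFunctions */
    wr32(g_image, exp + 0x20, names);  /* AddressOfNames */
    wr32(g_image, exp + 0x24, ords);   /* AddressOfNameOrdinals */
    for (uint32_t i = 0; i < 3; i++) {
        wr32(g_image, funcs + 4 * i, k_functions[i]);
        wr32(g_image, names + 4 * i, strs);
        wr16(g_image, ords + 2 * i, k_ordinals[i]);
        strcpy((char *)g_image + strs, k_names[i]);
        strs += (uint32_t)strlen(k_names[i]) + 1;
    }
    return g_image;
}

/* The shellcode-style walk: MZ -> e_lfanew -> PE -> export directory -> hash
 * every name, map the match through the ordinal table to its function RVA.
 * `base` would be kernel32's load address on Windows (found via the PEB at
 * fs:[0x30] on x86 or gs:[0x60] on x64); here it is the constructed image.
 * Returns 0 when no export name hashes to `want`. */
static uint32_t resolve_export(const uint8_t *base, uint32_t want)
{
    if (rd16(base, 0) != 0x5A4D) return 0;
    uint32_t nt = rd32(base, 0x3C);
    if (rd32(base, nt) != 0x00004550) return 0;
    uint32_t opt = nt + 4 + 20;
    uint32_t dd  = (rd16(base, opt) == 0x20B) ? 0x70 : 0x60;  /* PE32+ vs PE32 data directory offset */
    uint32_t exp = rd32(base, opt + dd);
    if (exp == 0) return 0;
    uint32_t n = rd32(base, exp + 0x18), funcs = rd32(base, exp + 0x1C);
    uint32_t names = rd32(base, exp + 0x20), ords = rd32(base, exp + 0x24);
    for (uint32_t i = 0; i < n; i++) {
        const char *name = (const char *)base + rd32(base, names + 4 * i);
        if (ror13_hash(name) == want)
            return rd32(base, funcs + 4 * rd16(base, ords + 2 * i));
    }
    return 0;
}

int main(void)
{
    const uint8_t *img = build_image();
    const char *want[] = { "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "NotExported" };
    for (int i = 0; i < 4; i++)
        printf("%-15s hash=0x%08x rva=0x%x\n", want[i], ror13_hash(want[i]),
               resolve_export(img, ror13_hash(want[i])));
    return 0;
}
```

The ordinal indirection is the step most often got wrong when hand-writing this in assembly: `AddressOfNameOrdinals[i]` is an index into `AddressOfFunctions`, not into the name table, so the function RVA for a matched name is `AddressOfFunctions[ordinals[i]]`. The PE32/PE32+ check matters because the data directory sits at a different offset in the 64-bit optional header; shellcode that hard-codes 0x60 breaks on x64 kernel32.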