WarLord

Free Offsec AWE Self Study


https://www.jollyfrogs.com/osee-awestralia-2018-preparations/
OSEE - AWEstralia 2018 preparations


For me, living in Australia, the total cost of attending the AWE training in Vegas, including flights and hotel, would exceed AUD 10,000. So instead I decided to ask the Offensive Security trainers if they wanted to come and deliver the AWE training in my home town of Brisbane, Australia. I was able to rally together a few large companies interested in participating in the training. We now have over 25 interested people - enough for Offensive Security to come to Brisbane and host the training right here in Australia!
Since the training is called Advanced Windows Exploitation (AWE), we call the training AWEstralia 2018 - it will be a lot of fun!
This post is to help myself and other participants prepare for the AWE exam. Many thanks to Alpine for helping put together this guide. This guide was written based on existing AWE (OSEE) reviews and the official AWE syllabus topics.
We're in the preparation stages now - lots of learning and finding good resources to prepare for the onslaught of AWE. Offensive Security has not yet confirmed a date for 2018 but we expect them to confirm very soon. The date will be around May 2018 and the course will be held in Brisbane Australia. If you'd like to join us, please contact me on TheFrog at jollyfrogs -dot -com.

WinDBG usage

AWE students are expected to know how to use the WinDBG debugger.
WinDBG general information: https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/
WinDBG configuration: https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/getting-started-with-windows-debugging
WinDBG configuration in VMWare: http://silverstr.ufies.org/lotr0/windbg-vmware.html
WinDBG configuration in VirtualBox: https://hshrzd.wordpress.com/2017/05/28/starting-with-windows-kernel-exploitation-part-1-setting-up-the-lab/
WinDBG Lab: https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/debug-universal-drivers---step-by-step-lab--echo-kernel-mode-
WinDBG Useful commands reference: https://briolidz.wordpress.com/2013/11/17/windbg-some-debugging-commands/
Module 0x01 Custom Shellcode Creation

http://www.securitytube-training.com/online-courses/securitytube-linux-assembly-expert/index.html
http://www.securitytube-training.com/online-courses/x8664-assembly-and-shellcoding-on-linux/index.html
SLAE32 and SLAE64 discount code
https://www.fuzzysecurity.com/tutorials/expDev/6.html
https://blahcat.github.io/2017/08/14/a-primer-to-windows-x64-shellcoding/
The Shellcoder's Handbook
http://sh3llc0d3r.com/windows-reverse-shell-shellcode-ii/
http://blog.harmonysecurity.com/2009/06/retrieving-kernel32s-base-address.html
http://nagareshwar.securityxploded.com/2013/09/21/using-peb-to-get-base-address-of-kernelbase-dll/
http://www.rohitab.com/discuss/topic/38717-quick-tutorial-finding-kernel32-base-and-walking-its-export-table/
http://www.hick.org/code/skape/papers/win32-shellcode.pdf
http://expdev-kiuhnm.rhcloud.com/2015/05/22/shellcode/
https://www.offensive-security.com/vulndev/fldbg-a-pykd-script-to-debug-flashplayer/
https://exploit.courses/files/bfh2017/day6/0x60_WindowsExploiting.pdf
https://secure2.sophos.com/de-de/medialibrary/PDFs/other/Comprehensive-Exploit-Prevention.ashx
Module 0x02 DEP/ASLR/EMET Bypass and Sandbox Escape via Flash HeapSpray

https://www.offensive-security.com/vulndev/disarming-and-bypassing-emet-5-1/
https://www.offensive-security.com/vulndev/disarming-emet-v5-0/
https://www.offensive-security.com/vulndev/disarming-enhanced-mitigation-experience-toolkit-emet/
https://www.blackhat.com/presentations/bh-europe-07/Sotirov/Whitepaper/bh-eu-07-sotirov-WP.pdf
https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/
https://www.fuzzysecurity.com/tutorials/expDev/8.html
https://www.fuzzysecurity.com/tutorials/expDev/11.html
https://www.corelan.be/index.php/2016/07/05/windows-10-x86wow64-userland-heap/
https://www.corelan.be/index.php/2013/01/18/heap-layout-visualization-with-mona-py-and-windbg/
https://www.corelan.be/index.php/2013/02/19/deps-precise-heap-spray-on-firefox-and-ie10/
http://gsec.hitb.org/sg2016/sessions/look-mom-i-dont-use-shellcode-a-browser-exploitation-case-study-for-internet-explorer-11/
https://github.com/shellphish/how2heap
https://0x00sec.org/t/heap-exploitation-abusing-use-after-free/3580
http://expdev-kiuhnm.rhcloud.com/2015/06/02/ie11-part-1/
http://expdev-kiuhnm.rhcloud.com/2015/06/02/ie11-part-2/
http://expdev-kiuhnm.rhcloud.com/2015/06/01/ie10-use-free-bug/
https://sites.google.com/site/zerodayresearch/smashing_the_heap_with_vector_Li.pdf
http://blog.morphisec.com/exploit-bypass-emet-cve-2015-2545
http://casual-scrutiny.blogspot.sg/2015/01/simple-emet-eaf-bypass.html
Module 0x03 32-bit Kernel Driver Exploitation

https://www.offensive-security.com/vulndev/ms11-080-voyage-into-ring-zero/
https://github.com/hacksysteam/HackSysExtremeVulnerableDriver
https://theevilbit.blogspot.sg/2017/09/pool-spraying-fun-part-1.html
https://theevilbit.blogspot.in/2017/09/windows-kernel-pool-spraying-fun-part-2.html
https://theevilbit.blogspot.in/2017/09/windows-kernel-pool-spraying-fun-part-3.html
https://www.fuzzysecurity.com/tutorials/expDev/14.html
https://www.fuzzysecurity.com/tutorials/expDev/15.html
https://www.fuzzysecurity.com/tutorials/expDev/19.html
https://www.whitehatters.academy/intro-to-windows-kernel-exploitation-2-windows-drivers/
https://foxglovesecurity.com/2017/08/25/abusing-token-privileges-for-windows-local-privilege-escalation/
https://glennmcgui.re/introduction-to-windows-kernel-exploitation-pt-1/
https://glennmcgui.re/introduction-to-windows-kernel-driver-exploitation-pt-2/
http://srcincite.io/blog/2017/09/06/sharks-in-the-pool-mixed-object-exploitation-in-the-windows-kernel-pool.html
https://github.com/hatRiot/token-priv
https://rootkits.xyz/blog/2017/06/kernel-setting-up/
https://rootkits.xyz/blog/2017/08/kernel-stack-overflow/
https://rootkits.xyz/blog/2017/09/kernel-write-what-where/
Module 0x04 64-bit Kernel Driver Exploitation

http://trackwatch.com/windows-kernel-pool-spraying/
https://blahcat.github.io/2017/08/31/arbitrary-write-primitive-in-windows-kernel-hevd/

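The Module 0x01 links above (skape's win32-shellcode paper, the kernel32 base-address posts and the "walking its export table" thread) all build on one routine: given a module base, walk its PE export directory and pick the function whose name hashes to a known constant, so the shellcode carries 4-byte hashes instead of strings. The following is an added example, not code from the post or from any of the linked articles. It implements that walk in portable C against a constructed in-memory PE32 stub (the `build_fake_image` layout, the export names and the RVAs are all made up for the example; a real DLL would be located through the PEB's module list, which is Windows-only and deliberately left out). It assumes a little-endian host, as x86 is.

```c
/* ROR13 hash-based export resolution, the lookup used by position-independent
 * Windows shellcode. Portable: the PE image is a constructed stub, not a real DLL. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMG_SIZE 0x400

/* memcpy-based reads/writes keep the walk independent of host alignment rules. */
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }
static void wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }
static void wr16(uint8_t *p, uint16_t v) { memcpy(p, &v, 2); }

/* skape's hash: rotate right by 13, add the next byte. Shellcode runs this same
 * loop over every export name; "LoadLibraryA" hashes to 0xEC0E4E8E. */
uint32_t ror13_hash(const char *s) {
    uint32_t h = 0;
    for (; *s; s++) h = ((h >> 13) | (h << 19)) + (uint8_t)*s;
    return h;
}

/* Walk IMAGE_EXPORT_DIRECTORY of a PE32 image at 'base'; return the RVA of the
 * export whose name hashes to 'hash', or 0 if none. Offsets follow the PE spec:
 * e_lfanew at 0x3c; optional header at NT+24; DataDirectory[0] (export) at
 * optional header +96 for PE32 (it is +112 for PE32+, so the magic is checked). */
uint32_t resolve_by_hash(const uint8_t *base, uint32_t hash) {
    if (rd16(base) != 0x5A4D) return 0;                 /* "MZ" */
    const uint8_t *nt = base + rd32(base + 0x3c);
    if (rd32(nt) != 0x00004550) return 0;               /* "PE\0\0" */
    if (rd16(nt + 24) != 0x10B) return 0;               /* PE32 only */
    uint32_t exp_rva = rd32(nt + 120);
    if (!exp_rva) return 0;
    const uint8_t *ed = base + exp_rva;                 /* IMAGE_EXPORT_DIRECTORY */
    uint32_t n_names  = rd32(ed + 24);                  /* NumberOfNames */
    uint32_t funcs    = rd32(ed + 28);                  /* AddressOfFunctions */
    uint32_t names    = rd32(ed + 32);                  /* AddressOfNames */
    uint32_t ordinals = rd32(ed + 36);                  /* AddressOfNameOrdinals */
    for (uint32_t i = 0; i < n_names; i++) {
        const char *name = (const char *)(base + rd32(base + names + 4 * i));
        if (ror13_hash(name) == hash) {
            /* The ordinal table maps name index -> AddressOfFunctions index;
             * names are sorted, functions are not, so this indirection matters. */
            uint16_t ord = rd16(base + ordinals + 2 * i);
            return rd32(base + funcs + 4 * ord);
        }
    }
    return 0;
}

/* Constructed PE32 stub with three named exports (example data, not a real DLL).
 * The name table is sorted, as real export tables are; the ordinal table permutes it. */
void build_fake_image(uint8_t *img) {
    static const char *names[] = { "CreateProcessA", "LoadLibraryA", "WinExec" };
    static const uint16_t ords[] = { 2, 1, 0 };            /* name i -> function ords[i] */
    static const uint32_t func_rvas[] = { 0x1000, 0x1100, 0x1200 }; /* WinExec, LoadLibraryA, CreateProcessA */
    memset(img, 0, IMG_SIZE);
    wr16(img, 0x5A4D); wr32(img + 0x3c, 0x40);          /* DOS header, NT headers at 0x40 */
    wr32(img + 0x40, 0x00004550);                        /* "PE\0\0" */
    wr16(img + 0x40 + 24, 0x10B);                        /* PE32 magic */
    wr32(img + 0x40 + 120, 0x200); wr32(img + 0x40 + 124, 0x100); /* export dir RVA/size */
    uint8_t *ed = img + 0x200;
    wr32(ed + 20, 3); wr32(ed + 24, 3);                  /* NumberOfFunctions, NumberOfNames */
    wr32(ed + 28, 0x240); wr32(ed + 32, 0x260); wr32(ed + 36, 0x280);
    for (int i = 0; i < 3; i++) {
        wr32(img + 0x240 + 4 * i, func_rvas[i]);
        wr32(img + 0x260 + 4 * i, 0x300 + 0x10 * i);
        wr16(img + 0x280 + 2 * i, ords[i]);
        strcpy((char *)img + 0x300 + 0x10 * i, names[i]);
    }
}

/* Builds the stub once and hands back its base, like a mapped module. */
const uint8_t *fake_image(void) {
    static uint8_t img[IMG_SIZE];
    static int built = 0;
    if (!built) { build_fake_image(img); built = 1; }
    return img;
}

int main(void) {
    const uint8_t *base = fake_image();
    printf("ror13(LoadLibraryA) = 0x%08x -> RVA 0x%x\n",
           ror13_hash("LoadLibraryA"), resolve_by_hash(base, 0xEC0E4E8Eu));
    printf("WinExec -> RVA 0x%x, GetProcAddress (absent) -> 0x%x\n",
           resolve_by_hash(base, ror13_hash("WinExec")),
           resolve_by_hash(base, ror13_hash("GetProcAddress")));
    return 0;
}
```

The same loop, written in assembly with the module base taken from the PEB, is what the linked kernel32/export-table posts walk through; the hash comparison rather than a strcmp is what keeps the payload free of NUL bytes and string literals.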