8-bit video game blocks with pixel art of the Learn One and Learn Enterprise logos

Level up your training with limited-time offers - Discounts for Individuals and Enterprise

Blog

Community Spotlight

Mar 7, 2022

A Student Mentor’s EXP-312 and OSMR Learning Experience

EXP-312 is a logical exploit development course for macOS. An OffSec Student Mentor shared details about his EXP-312 experience and the OSMR exam.

0 min read

Intro

Over the past few months, including a little before release, I’ve been studying the EXP-312 materials and preparing for the soon to be released OSMR Exam. For those who aren’t aware, the initial process of learning and familiarizing with a particular course as a Student Mentor is much the same as the average student: We review the material ourselves, we do the exercises, and we prepare to take the exam the same way that everyone else does, proctor and all.

What is EXP-312?

EXP-312 is a course covering macOS logical exploitation. What I mean by this is that the course isn’t focused on memory corruption exploits such as buffer overflows and similar topics. Instead, the course is focused on macOS operating system concepts and security controls, and how to bypass and exploit them.

What Should I Know Prior to the Course?

A lot of the knowledge required to do the course is in the course itself. That said, there are a few things that you should probably know prior to attempting the course:

  • Familiarity with using or administering macOS or Unix-based operating systems (Linux, BSD, etc.).
  • Comfort reading and writing C code.
  • Exploitation and debugging concepts.
  • Knowledge of scripting languages like Python and Bash.

This is the bare minimum knowledge, otherwise you’ll probably have a much harder time with the materials than necessary.
Some concepts that would be helpful as well, but aren’t really required prior to the course are:

  • Knowledge of Objective-C concepts and libraries.
  • Ability to read and write assembly.

The most important thing to bring, though, is a willingness to learn and put in the time to understand the ideas and topics presented.

I want to preface the rest of this discussion by stating that this course covers some heavy topics. Be ready to read developer documentation, it will be your friend.

Explore EXP-312

My Prep Before the Course

The topic of macOS, in regards to security, is not as popular as other operating systems like Windows and Linux. I normally chalked this up to a general disdain for the operating system from the wider tech community. I’ve seen this manifest as a dislike for its much more closed-source nature compared to Linux and the difficulty of mass-managing a fleet of devices compared to Windows. I’ve even heard a fellow security professional refer to it as a “Fisher-Price” operating system due to it’s design philosophy.

I had worked with Apple devices previously due to their popularity in BYOD environments and among some user groups, but didn’t have that deep of a knowledge of the OS itself. I had built some scripts for automated management of them, but really only saw them as more Linux computers with some quirks. I didn’t dislike the OS, but I wasn’t a huge fan.

All of this is to say that I knew pretty much nothing about macOS beyond the basic BSD features in the OS.

Prior to jumping into this course, I had just finished PEN-300 and passed my OSEP certification, and my initial plan was to work through EXP-301 next. We had a new course in the works, though, and Topics were being completed and needed to be reviewed.

It sounded just as interesting as EXP-301 at the time, so I decided to volunteer to take the dive on this uncharted territory that was a new course on a subject that I knew very little about. I’d never really been able to seek out training on macOS before. I really only saw it as another Unix OS with a pretty coat of paint over it.

I was very wrong.

Going Through the Course

My approach to studying a new course is to follow along from the beginning. I know some people like to read everything first and then go back through while following along, but I find following along from the beginning helps with making the material sink in, at least for me. This course covers some very tough subjects and involves a lot of low level coding, so if you are able to read along without typing out the code you’re reading, more power to you!

The course takes a from-the-ground up approach in explaining everything. It starts with some basics about the operating system, how the file system is structured, some OS specific file security features, the way executables are structured. There’s also a quick primer on Objective-C, Apple’s superset language on top of basic C. The course then builds on these topics to explain further OS specific features and attacks, such as dylib injection, XPC attacks, symlink and hardlink attacks, TCC bypasses, and even gets into some kernel related subjects!

Each Topic covers real-world case studies and breaks down real CVE’s that relate to the subject matter at hand. This is one of my favorite things about the course, because all of the CVE’s are pretty recent and provide a real-world analog to what the course is getting across.

Something that I would like to see in the future would be the addition of challenge machines that can be used to practice the Topics learned from the course. That said, I don’t think that challenge machines are required, as there’s more than enough meat in the course to keep you occupied and challenged without them. The structure of the materials facilitates a similar feeling to completing challenges, by having you take some basic ideas from following along and then working on expanding upon the ideas yourself.

To reiterate: this course has some tough concepts. I spent roughly 125 hours in total on the materials when I was initially going through all of the Topics to understand everything presented, and I think it was well worth it to take this amount of time. After this, I spent about another 40 hours reviewing points I thought might be important to flesh out in my notes. In total, this comes out to roughly 165 hours total on the materials before I sat for the exam.

Preparing for the OSMR Exam

As mentioned before, there are no standalone challenges (yet) to work through and own. Normally, you can guess that the exam will be similar to the challenges, just harder, but we can’t do that here.
To add on to that, this exam is entirely new. How does someone prepare for an exam no one has taken before? Normally there’s at least a bit of an idea of what you might expect from other students’ blogs on their own preparation, but that would obviously be absent in this case.

That said, my approach to studying and preparing was mainly focused on gaining enough of an understanding of the concepts to be able to reproduce the various CVE’s without needing to follow along with the course. To add on to this, there is usually an additional exercise or two associated with these CVE breakdowns that goes beyond the Proof of Concept displayed in the course.

DO. THESE. EXERCISES!

In retrospect, these were probably the biggest help in my preparation. While it’s nice to follow along and get an idea of the process of reversing these vulnerabilities, actually putting it into practice solidifies the topics more effectively. There obviously won’t be walkthroughs when you’re doing the test, so getting to the point that you don’t need to rely on them to identify vulnerabilities is important.

Try to also identify weak points in your comprehension of the materials and focus on building up your understanding. Something I was having difficulties with at the start was some of the content that involved a lot of Objective-C. I did a little bit of additional work on getting a basic working knowledge of the language, and while I am by no means an expert or even proficient with it, taking the time to make sure I grasped the general structure of the code went a long way to helping me understand what I was reading.

Expanding on this, I’d recommend typing the code and commands as you are following along. While the Offsec Training Library provides a convenient way to copy commands to your clipboard, typing out the commands yourself helps them sink in so that you don’t have to go back and reference them as much.

Outside of that, I’d reiterate that students should try taking as much time with the materials as possible. This is a marathon, not a sprint, and if you don’t take the proper time to really understand the concepts presented, you might miss something crucial. Take notes! I use Notion, but Obsidian, OneNote, Joplin, CherryTree etc. are all great note taking apps that help provide logical structure to your notes. There’s not really an answer to the best way to take notes, as long as the structure is logical to you and you can easily navigate to relevant items.

The Exam

As Student Mentors, our exam experience is also the same as every other student’s: same proctoring requirements, same time constraints, same reporting requirements. Here are some notes about this exam:

  • The exam is 47 hours and 45 minutes long, with an additional 24 hours to submit the exam report.
  • The exam has a maximum of 80 points and requires 70 points to pass.
  • There are 4 tasks in the exam, 2 of which are mandatory, so you’ll need to complete 3 total tasks. The mandatory tasks will be evident based on the assigned point values in the control panel.
  • No C2 frameworks like Metasploit or Mythic are permitted, even if they’re FOSS.
  • You have to use Hopper and LLDB for any tasks that would require their capabilities, no other debuggers or disassemblers/decompilers are allowed (you’ll be provided with a machine with Hopper, so you won’t have to buy it).

Going into the exam, I did not expect to pass on my first go at it. Mainly because I had no idea what to expect, and also because I was incredibly nervous in general about the exam. But, with the release of the exam around the corner and a need to have people that can support it, I got my coffee and dived in.

I can’t talk too much about what was specifically in the exam itself, but it was a bit different of a setup from pretty much any of the other exams, at least in the way the targets are structured. I decided to try to go for the high value tasks first in hopes of getting them done early so that I’d feel better about the lower value tasks.

And… It took me 20 hours of exam time to see my first flag.

Granted, I had gotten a full night’s sleep during that time, had some food (and unhealthy amounts of coffee), and was taking regular breaks every couple hours at least. A mistake I see a lot of people make is not taking enough breaks and trying to stay up for the full duration of the exam. THIS IS A HUGE MISTAKE. For any of the exams, really. Especially for the 48 hour ones. PLEASE sleep and take breaks. You’re given that amount of time so that you can do so.

“A mistake I see a lot of people make is not taking enough breaks and trying to stay up for the full duration of the exam. THIS IS A HUGE MISTAKE. For any of the exams, really. Especially for the 48 hour ones. PLEASE sleep and take breaks. You’re given that amount of time so that you can do so.”

Most of my best ideas and solutions have been found right after waking up or while I’m away from the screen, this exam was no different. I found the solution to the issues I was having with the first assignment within an hour of sitting back down at my screen after sleeping. I find that staring at a problem for hours and trying to force out a solution is much less effective than just walking away for a bit to get a breather, then come back with a fresh perspective on the issue.

I also did not expect what I did to work at all; there’s now a video of me almost jumping out of my chair in shock that my exploit worked.

Jump out of chair

Dramatization: Not actual footage

After that, I found the remainder of the points required to pass by around the 34-hour mark. At that point, I went and got some sleep and then tried to go for the last assignment but was unable to finish it in the allotted time, unfortunately. I had met the point requirements though, and I was able to complete and send off my report.

A while later, I got confirmation that I passed!

A Retrospective on My Experience

I greatly enjoyed this course. I love the feeling of learning about subjects that are essentially completely foreign to me, and this was no different. Everything was structured in a manner that facilitated an understanding of each Topic without too much background knowledge needed. As someone that knew very little about macOS prior to this course, I can say that you don’t need to be particularly familiar with it either. As long as you’re familiar with Unix/Linux/BSD and are comfortable with the C language, you’ll be fine.

Looking back, like I mentioned already, the most helpful prep for me was definitely the course exercises that were not strictly following along with the materials. Taking some extra time to familiarize myself with Objective-C was also a huge help.

My only real wish is for the addition of challenge machines in the future. They aren’t entirely necessary given the structure of the materials, but it would be loads of fun to be able to own more machines with this new skillset.

Closing Thoughts

I’m really happy I decided to go with this course over EXP-301 first. While I fully intend to do that one next, I feel like I gained a lot of helpful, practical knowledge from this course. With the expanding popularity of desktop operating systems that aren’t Windows, I feel like the skills taken away from this course will only become more relevant.

I want to give massive kudos to Csaba Fitzl for writing such an informative course, and for giving a greatly enjoyable challenge with the exam. (Here’s to hoping for an EXP-412).

whoami


About the Author

I’m Waffle, and I am a massive computer security nerd. I’ve been interested in security from a fairly young age and have been non-stop learning about it and engaging with related topics for almost a decade now. I’ve been a professional in the industry for about 5 years now, which includes work administering Windows and Linux systems, administering networking devices, and security and compliance. I have previously obtained OSCP and OSEP certifications. One of my favorite things to do is share my knowledge and help others learn about security and how to get started, to the point that I decided to make it my job!