Offensive Security macOS Researcher (OSMR) — EXP-312 Course & Exam Review

Anthony Viriya
5 min read · Apr 16, 2022

Intro

I’ve been doing some coding since Jan 2021 and haven’t really paid attention to any news in the InfoSec training & certification world, so I was really surprised when my friend told me in early Dec 2021 that Offensive Security had released a new course and certification for macOS. After getting that news, I submitted a request to my current employer to enroll in this training and got it approved in mid Jan 2022.

What is EXP-312?

According to Offensive Security’s own website:

macOS Control Bypasses (EXP-312) is Offensive-Security’s first macOS security course. It’s an offensive logical exploit development course for macOS, focusing on local privilege escalation and bypassing the operating system’s defenses.

EXP-312 is an advanced course that teaches the skills necessary to bypass security controls implemented by macOS, and exploit logic vulnerabilities to perform privilege escalation on macOS systems.

In this course, the main focus was to teach the student how to bypass logical protections employed by the application/system, like abusing vulnerable XPC services, bypassing Apple’s own Transparency, Consent, and Control (TCC) protection, etc. You can read more about it here. Since the main focus was logic bypasses, the course didn’t touch anything related to memory corruption bugs.

Pre-requisite of EXP-312

I can honestly say the only pre-requisites you need are being comfortable reading C code and the willingness to learn. Coming from an iOS app pen-testing background, I was already used to doing several of the things they teach in the course, so I don’t really know what it’s like for someone with zero experience on the Apple platform to enroll in this course. But, in my opinion, Offensive Security deserves a thumbs up for writing the course’s contents. They didn’t assume the student’s understanding of every topic; they thoroughly teach why something is the way it is. But if you are still not comfortable enrolling in this course without any preparation, here are some things that might help you get comfortable:

  • Fundamental C Programming
  • Fundamental ASM x86
  • Fundamental Objective-C Programming

Everything else (including the ASM & Objective-C topics) will be covered in the course itself, so don’t sweat it much 😉.

Course Experience

The course is fun to follow, with exercises and extra mile challenges here and there. They teach every topic in great detail while maintaining an easy-to-follow explanation. To follow this course, you don’t need a Mac machine: Offensive Security provides you with your own virtual machine that you can access via SSH / VNC. For the reverse engineering part, they use Hopper Disassembler. While you can use whatever tools you want when working on your own / following the course, you will not be able to use any other tools during the exam. Some people might hate that, but in my opinion Hopper is a reverse engineering tool designed for Apple products. Hopper also has a killer decompiler feature at the affordable cost of a $99 perpetual licence with 1 year of support.

Exam Experience

The exam has 4 challenges, consisting of:

  • 2 challenges, each worth 30 points.
  • 2 challenges, each worth 10 points.

You will need 70 points to pass the exam. The exam was proctored by the Offensive Security team, and we were given 47 hours and 45 minutes (almost 2 days) to solve the challenges and an additional 24 hours to write and submit the exam report.

I booked April 13, 2022, 7:00 AM BST as my exam date and time, and here’s the timeline:

6:00 AM: I woke up and took a shower.

6:30 AM: Preparing tea for my daily dose of caffeine.

6:50 AM: Logged in to the proctoring system, where I performed an identity check and environment check as part of the exam’s pre-requisites.

7:05 AM: Got my VPN credentials, but the link is broken 😢.

8:00 AM: Finally connected to the VPN.

8:10 AM: Finished reading & understanding all challenges and picked my first 30-point target.

8:30 AM: Found the vulnerability, prepped the exploit plan, and started to code the exploit.

8:45 AM: Exploit failed 😢. Starting to debug why it failed.

11:59 AM: Getting frustrated and decided to take a nap for an hour.

02:35 PM: Woke up from “an hour” nap 😆.

02:38 PM: Revisited the bug and realised my stupid mistake. Worked on a fix for the exploit code.

02:51 PM: Got my first 30 points, continued to the next 30-point challenge.

02:54 PM: Got my second 30 points, continued to the next 10-point challenge.

04:00 PM: Took a 1-hour break for breakfast.

05:23 PM: Gave up on the current 10-point challenge and switched to another 10-point challenge.

05:26 PM: Got my 10 points, and the 70-point passing grade was achieved.

08:00 PM: Report was submitted to Offensive Security.

After patiently waiting for 3 days, I got this email from Offensive Security saying that I had passed the exam 🍻 :

Retrospective

I’m glad that I took this course. It widened my knowledge of macOS security and made me a better pen-tester. My only reservation about this course is the price; it might be too expensive for some people. But if you have the means and you love doing security research in the Apple ecosystem / love learning security in general, I’d say it’s super worth it to take the course.

For the exam, it’s super important not to let stress get the best of you. If you are stressed, just take a break. Offensive Security gave us almost 48 hours to do the exam so that we have time to take a break and rest.

And the best way to prepare for the exam is to practice everything the course taught, and do those exercises and extra mile challenges.

Kudos to Offensive Security and Csaba (EXP-312 Lead Content Developer) for the great and fun course; can’t wait for EXP-412 🍻

What do the other students say?