SEC760 - Mini Review and thoughts
I took the SEC760 - Advanced Exploit Development for Penetration Testers SANS course and wanted to share my quick thoughts on it. First and foremost, if you take the course, I would highly recommend taking the OnDemand version over the in-person course. Some of the material, especially on Day 5, will definitely take more than a day to go over unless you already have some pretty solid knowledge of Windows kernel development. I had been reading the amazing "Rootkits: Subverting the Windows Kernel" by James Butler and Greg Hoglund (it's old and some concepts are a bit outdated and pre-PatchGuard/SMEP, but it's still a must-read if you're interested in kernel hooking/cheating/rootkits etc.) and I still found that following along was a bit hard and required me to re-watch some of the debugging videos.
Overall, my review is pretty similar to [VoidSec's](https://voidsec.com/sans-sec760-advanced-exploit-development-for-penetration-testers-review/), but I don't know if I'd be as harsh as to give it a 2.5/5, mostly because the Day 5 content is awesome and the other stuff is pretty interesting. My day-by-day review:
Day 1 – Exploit Mitigations and Reversing with IDA
This section should just be skipped. I feel like anyone taking this kind of course should know how to use IDA and read documentation.
Day 2 – Linux Application Exploitation
That section was kind of cool but should really just be its own course. I don't really give a crap about tcache heap exploitation on Linux when the rest of the course is more focused on Windows exploit development. Maybe they can keep this in SEC660; I haven't taken that course so I wouldn't really know.
Day 3 – Advanced Fuzzing
Really cool, but maybe it needs an extra day? Also, another GUI target would be nice; NitroPDF is pretty easy to just make headless. It'd be interesting to deal with harder-to-fuzz targets and see common workarounds.
Day 4 – Patch Diffing, One-Day Exploits and Windows Kernel Internals
Totally agree with VoidSec on this one. The patch diffing material is really old and uses the old Windows patch format; patches now come as .msu files where you apply a delta patch. I didn't have the right Windows build to follow along, so I ended up looking at the more recent MS14-006, grabbing two tcp.sys versions I found on Winbindex to get the point of the exercise.
Day 5 – Windows Kernel Debugging and Exploitation
This is just awesome and is the crux of the course in my opinion. I actually felt like I was hacking stuff, trying to write my own exploits. They kind of vaguely mention it during the videos, but I would stress it further: I recommend students try approaches that the instructor's final exploits don't use.
For example, parsing the ntoskrnl.exe PE file to get export offsets instead of doing a LoadLibraryA on ntoskrnl into a user-mode process.
Or the method I used to get the kernel base for exploit 2:
Read KPCR → read IDT base → read an IDT entry (ISR pointer) → scan backwards from that function until you find a PE header (MZ) and verify PE\0\0.
versus the SANS SEC760 approach: KPCR → CurrentThread → function pointer → symbol math or signature scan. My approach was a bit less stable but worked nevertheless and was a good exercise.
VoidSec suggests a couple of courses that offer similar content to this one. I wanted to add the WinKern challenges on root-me.org to the list; they are pretty good for making sure you have a good grasp of the Day 5 content.
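Both ideas above (reading export RVAs straight out of the PE instead of LoadLibraryA, and walking backwards from an ISR pointer to the MZ header) come down to parsing PE structures by hand. The following is an added example written for this review, not code from the course or from the post's author: a portable C sketch of `export_rva()` (walks the export directory of a PE32+ image, section table included, so it works on raw file bytes) and `find_image_base()` (page-by-page scan-back to MZ with a PE\0\0 check). So that it runs on Linux, it builds a constructed in-memory image (`sample_image()`); the RVAs 0x2040/0x2100 and the 0x2010 "ISR" address are made up, and only the two export names are real ntoskrnl exports. On the real thing you would pass the bytes of ntoskrnl.exe read from disk to `export_rva()` and add the base found by the scan to turn the RVA into a kernel address.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_DOS_SIGNATURE 0x5A4D      /* "MZ" */
#define IMAGE_NT_SIGNATURE  0x00004550  /* "PE\0\0" */
#define PE32PLUS_MAGIC      0x20B

/* Unaligned little-endian accessors: the image is just bytes to us. */
static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static void wr16(uint8_t *p, uint16_t v) { memcpy(p, &v, 2); }
static void wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }

/* Scan-back step of the IDT approach: from any address inside a mapped image,
   walk backwards one page at a time until a page starts with "MZ" whose
   e_lfanew points (within that page) at "PE\0\0". max_pages bounds the walk:
   in kernel mode a read from an unmapped page is a bugcheck, not a NULL. */
static const uint8_t *find_image_base(const uint8_t *addr, size_t max_pages) {
    uintptr_t p = (uintptr_t)addr & ~(uintptr_t)0xFFF;
    for (size_t i = 0; i < max_pages; i++, p -= 0x1000) {
        const uint8_t *cand = (const uint8_t *)p;
        if (rd16(cand) != IMAGE_DOS_SIGNATURE) continue;
        uint32_t nt = rd32(cand + 0x3C);
        if (nt + 4 <= 0x1000 && rd32(cand + nt) == IMAGE_NT_SIGNATURE) return cand;
    }
    return NULL;
}

/* RVA -> offset into the raw file via the section table (identity inside the
   headers). For an already-mapped image, as the kernel sees it, RVA == offset. */
static uint32_t rva_to_off(const uint8_t *img, uint32_t rva) {
    uint32_t nt = rd32(img + 0x3C);
    uint16_t nsec = rd16(img + nt + 6);                /* FileHeader.NumberOfSections */
    uint16_t optsz = rd16(img + nt + 20);              /* FileHeader.SizeOfOptionalHeader */
    if (rva < rd32(img + nt + 24 + 60)) return rva;    /* OptionalHeader.SizeOfHeaders */
    const uint8_t *sec = img + nt + 24 + optsz;
    for (uint16_t i = 0; i < nsec; i++, sec += 40) {
        uint32_t vsz = rd32(sec + 8), va = rd32(sec + 12), raw = rd32(sec + 20);
        if (rva >= va && rva < va + vsz) return rva - va + raw;
    }
    return 0;
}

/* Export lookup by name straight from the export directory, no LoadLibraryA.
   Returns the function RVA, or 0 if the name is absent. Forwarded exports
   (RVA inside the export directory) are not handled here. */
static uint32_t export_rva(const uint8_t *img, const char *name) {
    if (rd16(img) != IMAGE_DOS_SIGNATURE) return 0;
    uint32_t nt = rd32(img + 0x3C);
    if (rd32(img + nt) != IMAGE_NT_SIGNATURE) return 0;
    const uint8_t *opt = img + nt + 24;
    if (rd16(opt) != PE32PLUS_MAGIC) return 0;         /* 64-bit images only */
    uint32_t exp_rva = rd32(opt + 112);                /* DataDirectory[0]: export */
    if (exp_rva == 0) return 0;
    const uint8_t *exp = img + rva_to_off(img, exp_rva);
    uint32_t nnames = rd32(exp + 24);                  /* NumberOfNames */
    const uint8_t *funcs = img + rva_to_off(img, rd32(exp + 28));
    const uint8_t *names = img + rva_to_off(img, rd32(exp + 32));
    const uint8_t *ords  = img + rva_to_off(img, rd32(exp + 36));
    for (uint32_t i = 0; i < nnames; i++) {
        const char *s = (const char *)img + rva_to_off(img, rd32(names + 4 * i));
        if (strcmp(s, name) == 0)
            return rd32(funcs + 4 * rd16(ords + 2 * i));   /* ordinal indexes funcs */
    }
    return 0;
}

/* Constructed test image (not a real binary): a page-aligned PE32+ with one
   section at RVA 0x1000 holding an export directory. RVAs are made up; the
   two names are real ntoskrnl exports. Laid out with raw offset == RVA so the
   same buffer serves both the file parser and the scan-back. */
static uint8_t g_img[0x3000] __attribute__((aligned(4096)));

static const uint8_t *sample_image(void) {
    memset(g_img, 0, sizeof g_img);
    uint8_t *img = g_img;
    wr16(img, IMAGE_DOS_SIGNATURE);
    wr32(img + 0x3C, 0x80);                            /* e_lfanew */
    uint8_t *nt = img + 0x80;
    wr32(nt, IMAGE_NT_SIGNATURE);
    wr16(nt + 4, 0x8664);                              /* Machine = AMD64 */
    wr16(nt + 6, 1);                                   /* NumberOfSections */
    wr16(nt + 20, 240);                                /* SizeOfOptionalHeader (PE32+) */
    uint8_t *opt = nt + 24;
    wr16(opt, PE32PLUS_MAGIC);
    wr32(opt + 60, 0x400);                             /* SizeOfHeaders */
    wr32(opt + 112, 0x1000); wr32(opt + 116, 0x200);   /* export dir RVA, size */
    uint8_t *sec = opt + 240;
    memcpy(sec, ".edata\0\0", 8);
    wr32(sec + 8, 0x1000);  wr32(sec + 12, 0x1000);    /* VirtualSize, VirtualAddress */
    wr32(sec + 16, 0x1000); wr32(sec + 20, 0x1000);    /* SizeOfRawData, PointerToRawData */
    const char *names[] = { "ExAllocatePoolWithTag", "PsGetCurrentProcess" };
    const uint32_t rvas[] = { 0x2100, 0x2040 };        /* made-up function RVAs */
    uint8_t *exp = img + 0x1000;
    wr32(exp + 16, 1); wr32(exp + 20, 2); wr32(exp + 24, 2);   /* Base, #funcs, #names */
    wr32(exp + 28, 0x1100); wr32(exp + 32, 0x1110); wr32(exp + 36, 0x1120);
    uint32_t str = 0x1200;
    for (uint32_t i = 0; i < 2; i++) {
        wr32(img + 0x1100 + 4 * i, rvas[i]);           /* AddressOfFunctions[i] */
        wr32(img + 0x1110 + 4 * i, str);               /* AddressOfNames[i] */
        wr16(img + 0x1120 + 2 * i, (uint16_t)i);       /* AddressOfNameOrdinals[i] */
        strcpy((char *)img + str, names[i]);
        str += (uint32_t)strlen(names[i]) + 1;
    }
    return g_img;
}

int main(void) {
    const uint8_t *img = sample_image();
    const uint8_t *base = find_image_base(img + 0x2010, 8);   /* 0x2010 stands in for the ISR */
    printf("scan-back base: img+0x%lx\n", (unsigned long)(base - img));
    printf("PsGetCurrentProcess RVA: 0x%x\n", export_rva(img, "PsGetCurrentProcess"));
    return 0;
}
```

The `nt + 4 <= 0x1000` check in `find_image_base()` keeps every read inside the page that was already confirmed readable; reading e_lfanew blindly from a random page and dereferencing it is exactly the kind of stray access that makes the scan-back approach less stable than following a known pointer chain.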
Day 6 – CTF
I'm still busy doing it as I write this. It's fun so far, but the VMs are a bit annoying: no internet connectivity on the Ubuntu box, and I couldn't copy-paste buffers or download files to my host. Another hurdle was that I was missing the mshtml.dll file, which is needed for one of the challenges (the labs were erroring when I tried downloading it). I got super quick support from SANS to grab it. The hash, in case any reader needs the file: A08F8F5FB123B34B765BB00F1B9B24C48EA496B667FAC32F61D74CD667B29EF0
They also explained that you can apparently copy-paste text from host to VM using the little lightning icon at the top left of the VM labs. The Windows VM also has connectivity, so you can open a port on Windows with PowerShell, nc to it from Ubuntu and send base64-encoded files that way, then upload them wherever you need.
Not sure I'll have time to fully finish the CTF before the labs expire, but it's been fun so far! The difficulty rankings are a bit weird; some of the medium heap exploitation challenges definitely felt harder than some hard/extreme ones. Maybe because I'm just more used to reversing than to heap exploitation tricks?

Recommendations
Overall, if you're fortunate enough to take the course through your employer, do it. It's got some great take-aways and you'll have the opportunity to apply everything during the CTF. Root-me also has some great complementary challenges, including a really cool Winkern64 challenge series where you exploit some Windows drivers on a VM over SSH. For the overall SANS course, I would suggest the course authors do the following:
- Remove the Day 1 content.
- Move Day 2 into SEC660 or get rid of it.
- Update Day 4 to a newer exploit and maybe provide tcp.sys versions to diff in the Day 4 folder.
- Expand Day 3 and Day 5 into the time freed up by clearing Day 1 and Day 2.