Signing up

In August 2023, I saw Sincon announce that it would be bringing the AWE to Singapore as part of its training lineup for Sincon 2024. The trainers would be Morten Schenk and Alexandru Uifalvi, who authored the updated course. While I always knew this was the apex of Offsec’s offerings, I’d never planned to do it, as vulnerability research wasn’t part of my long-term plans. Factoring in the exorbitant cost and travel fees associated with attending the live training typically at Blackhat USA, it seemed a low-value proposition.

At this point, I’d completed OffSec’s 300-level certifications a year earlier, and was struggling to find the same level of technical challenges delivered in a structured format. Feeling stuck with little sense of forward momentum, I made a snap decision and within hours, was signed up.

Preparation

The syllabus at the time had 5 main topics:

1. x64 custom shellcode creation
2. VMWare Workstation Guest-to-Host Escape
3. Microsoft Edge Type Confusion
4. Driver Callback Overwrite
5. Unsanitized User-mode Callback

I was fairly confident with shellcode creation and C at that point - at least compared to 2022 when I posted the vulnerable C program Satra Academy, which I now consider to be a true crime against programming. Still, I wanted to get more experience tying that in with Windows Internals. I’d known of trainsec for a while, where Pavel Yosifovich, (a true master of his craft and great teacher), offers Windows Internals related courses. I used the black friday deal to get the below courses and worked on them in this order. I highly recommend them all, especially Kernel Programming.

1. Windows System Programming 1
2. Windows System Programming 2
3. Windows System Programming 3
4. Mastering WinDbg
5. Windows Kernel Programming 1
6. Windows Kernel Programming 2

I also tried to wrap my head around the bug classes mentioned in the syllabus:

• https://www.youtube.com/offbyonesecurity has some deep dive videos on some of these bug classes.
• https://connormcgarr.github.io/state-of-exploit-development-part-1/ - Connor Mcgarr puts out some excellent content, but parts 1 and 2 of this post provide a great overview on exploit development.

Live Training

I was eager for the training to start, especially after attending Sincon2024 2 days prior where I got to meet and talk to some really smart folks.

The standout on Day 1 for me were the interesting introduction slides which gave us a feel of what to expect. Most topics were fairly OK, but we’d been warned this would be the easiest day.

Day 2 - Had an emergency in the morning and had to step away until after lunch, missing Edge Type Confusion which was the toughest topic to grasp. I found some others faced their own bad luck like illness, which is regrettable after all the effort to get there. (really, take care of your health in the weeks leading up to the training). I couldn’t revise in the evenings from this day forth, having to handle issues from that morning.

Day 3 - I’m starting to get lost, and only taking notes on key points now.

Day 4 - Ok, some kernel stuff i’m prepared for. By the end of day I was fairly lost again and fatigue was building.

Day 5 - Please make this end

This is an honest reflection of my state of mind during the live training but no reflection of the training itself. Both the instructors & material were excellent. When I got home on the last day, I was exhausted and questioning my choices, but I also knew that once I had the chance to sit down, dissect the material, and get some hands-on keyboard time, I would be fine.

My 2 cents for the live training:

• Don’t sweat it if you can’t follow every bit of whats going on. Everyone learns in different ways and live trainings may not be that for everyone (me included)
• Take notes on the thought process of the author e.g. why did the author choose to try x instead of y?
• The instructors drop lots of gems in bits and pieces that may not be in the material. Try to catch them and write them down
• Put together a skeleton for a playbook and get some rough notes in
• Get at least 8 hours of sleep, stay hydrated, be mindful of what you’re eating and drinking. 5 days of full focus is a long time
• Challenge coins are cool, but if you’re already struggling with the material, maybe don’t sacrifice sleep to get them

I have to add that Sincon/Offsec did their best to create a conducive learning atmosphere. Food, drinks, and caffeine were all sorted and of good quality.

Exam prep

Training ended in May 2024 and I dove into the material in July. I would read a chapter, write the code myself with detailed notes, and only referred to the book if I got stuck for some time. The Discord server was a great help at times. I did the easier extra miles but kept the tougher ones for the next iteration of this. I was done in Sep 2024, but started a new role in Oct and took a break.

In Jan 2025, I booked the exam for March and spent the next month rewriting the exploits from scratch, taking fresh notes to solidify my understanding. This time I did every extra mile. Still not confident after this, I decided to do a third round. This time, I could write the full exploits from scratch without referring to the material, and felt ready. By this point I’d built a good playbook which included reusable code, debugging commands, and useful offsets. The final week, I reworked the final extra mile in different ways - highly recommend that.

Overall, I feel if you can write the exploits from scratch independently, you should be ready for the exam.

Exam

This would be my 5th Offsec exam, so I had a routine by this point, although I’d never experienced a 72 hour one. I’d read the exam guide multiple times before this so I knew what to expect. I took breaks every 2 hours or so, and made sure to make good choices with food and rest throughout this time.

I agree with most other reviewers of the exam - it was challenging but fair, and truly understanding the course material should be sufficient to pass. A lot of effort clearly went into putting it together, and it definitely tested your creativity. I did not think external study material was required.

I submitted the report at 6pm on Day 4 and began the long wait. After months of prep and 4 days almost completely spent in a bubble, the job was done. I was feeling a little more than the usual post OffSec exam brain fog and fatigue, but an equal sense of achievement for following through with the plan.

I got the email saying I’d passed about 2 weeks after submission.

Will I actually put this knowledge to use? While vulnerability research is not in the cards, I can think of more than a few areas that will benefit my line of work. Is the benefit worth the cost? That’s a call everyone’s got to make for themselves.