OffSec macOS Researcher (OSMR) Review

In this blog post, I summarise my experience taking the Offensive Security macOS Researcher (OSMR) course, including the main course content, study approach, and key takeaways.


Overview

EXP-312 is OffSec's latest exploit development course, which teaches you how to find and exploit logic flaws in the macOS operating system. Since the original release of the course in 2021, the popularity of online training materials dedicated to macOS/iOS security has been growing rapidly, so this comes at a perfect time for anyone looking to skill up in this area.

Overall, it took me ~6 months of preparation, which got me through the material twice whilst completing most of the extra mile exercises. The course is only available through the annual Learn One or Learn Unlimited subscriptions, both of which give you ample time to get through each chapter at your own pace.

Disclaimer: If you're currently doing the course and are just looking for some advice, feel free to jump straight to the General tips section.

What do I need to know?

The following are the main pre-reqs I would recommend for getting a head start:

  • Knowledge of core exploitation concepts such as those covered in the OSCP course
  • Experience with high and low-level programming languages e.g., Python, C and Objective-C
  • Familiarity with writing 64-bit assembly code

These are partially covered in the course content and at a good pace, so I wouldn't see inexperience in any of these as a deal breaker. I personally had only written 32-bit assembly code prior to starting, but the jump from 32 to 64-bit was easy enough to pick up. If you are looking for a place to get started with writing assembly, I would recommend the Pentester Academy Linux shellcoding courses. To get familiar with Objective-C, it's worth checking out Apple's own Programming With Objective C.

What will I learn?

For those new to macOS exploitation, the course starts with a decent foundational overview of the operating system and progresses into ways of bypassing its security controls. EXP-312 covers modern macOS exploitation from Catalina upwards.

The introductory modules start out with an overview of how macOS works, explaining the high-level architecture, the APFS file system, and common items like plist files and application bundles. It then moves on to cover areas like Mach-O files and macOS shellcoding, as well as a decent primer on Objective-C to bring you up to speed with the language. As with any programming language, building competence requires you to invest the time into writing code, so it's best to follow each module with your terminal open.

After the foundations are covered in the first four modules, the course details different types of macOS exploitation such as XPC attacks, macOS sandbox escapes, and bypassing Apple's TCC privacy controls. Around the time I started the course, two new chapters had also been added which cover exploiting Electron applications and the mount system call. A complete overview of the current syllabus can be found on the OffSec website.

In the final module of the course, a penetration testing approach is taken, in which the previously covered exploit chains and attack vectors are applied to targeting a live macOS system. This module was a favourite of mine, as it brings to life the concepts which were covered in previous chapters and demonstrates how you can apply the learnings to a live engagement. It is also a great opportunity to practice different techniques ahead of the exam, as EXP-312 does not currently have challenge machines.

OSMR exam

The OSMR exam can be broken down as follows:

  • 48-hour technical challenge
  • 24-hour report time
  • 4 x assignments worth 80 points total (2 x 30 points, 2 x 10 points)
  • 70 points passing score

In my opinion, everything taught in the course modules and exercises is enough to pass. I would also recommend doing as many extra miles as possible to get in more exploit development practice and solidify the concepts learned. OffSec are known to throw the odd curve ball in their exams, so it's key to sharpen your approach before you start.

Overall, I felt the four exam assignments were very doable in the time given. During my attempt, I took screenshots as I went along and documented each exploitation step, which helped massively in pulling everything together for the report. For general note-taking, I used Obsidian and made individual notes for each exam assignment, as in the report you must document each assignment with distinct screenshots of your steps and the proof files. When it came to reporting, I used the standard Microsoft Word template available in the exam guide; however, there are a few decent alternatives on GitHub which are also worth a try.

As a more general piece of advice, it helps to take plenty of breaks during the exam just to rest and think about your exploits away from the screen. In my case, it's usually during the down time that I find the solutions.

A couple of days after finishing the exam, I got the much-anticipated confirmation email through!

[Image: OSMR exam confirmation email]

How are the labs?

The lab environment for EXP-312 consists of several macOS virtual machines running Big Sur and Catalina, which many of the exploits are based on; however, most of the concepts learned can also be applied to later versions of macOS. From what I've heard, there are plans to release fresh content in future to specifically target more recent releases, such as Monterey and Ventura.

When working through the labs, I ended up using my own macOS device with Screen Sharing, which works like RDP for macOS. Alternatively, as a Kali or Windows user, you can use a VNC client such as TightVNC to connect to the machines. As a lot of the exploitation steps can be performed from a terminal, much of the course can be completed solely using SSH. That said, there are several modules and reverse engineering tools like Hopper which need a GUI.

The main purpose of the labs is to help the student practice finding vulnerabilities and building exploits. An array of open-source and licensed tools, including Hopper Disassembler, Suspicious Package and MachOView, are installed on each VM, along with plenty of vulnerable software to test them out on. I took my time getting comfortable with using each tool, but as a significant part of EXP-312 focuses on reverse engineering, most of my lab time was spent in Hopper. Overall, I found Hopper nice to use, as the interface is generally easy to navigate, and the 'pseudo code' feature made a huge difference when reversing functions.

In general, the lab exercises tend to focus on writing exploits from the ground up with minimal dependencies. As such, exploitation frameworks and C2 platforms such as Metasploit and Mythic aren't covered and cannot be used during the exam. As a red teamer who uses Cobalt Strike for my day job, it was a welcome challenge to operate without the automation and general convenience that a C2 has to offer. Outside of the course, I am now keen to try out what I have learned with Mythic as this is said to be the current go-to C2 platform for anything macOS related.

Personal highlights

The XPC attacks chapter was probably my favourite in the entire course. This chapter covers XPC, Apple's primary IPC mechanism, and walks through four recent vulnerability case studies. The end-to-end exploit development process is demonstrated here in depth, starting with decompiling the XPC service binary in Hopper, reverse engineering its interface methods to discover vulnerabilities, and finally crafting a fully-fledged exploit in Objective-C. I found this approach to be useful and highly applicable to real-world security research, based on the sheer number of macOS applications which rely on XPC. If you wish to learn more about XPC after studying this chapter, I would highly recommend the Nullcon talk by EXP-312 creator Csaba Fitzl and Wojciech Reguła.

To tie the course together, the macOS Penetration Testing module follows a step-by-step guide on how to fully compromise a macOS host, starting from initial access, to performing local privilege escalation and finally loading an unsigned kernel extension to disable SIP. For added realism, the attack chain considers the victim's view following each exploit, and prioritises more opsec-safe actions to help you operate under the radar. While the course sticks to a bare-bones approach of doing this with netcat, the techniques can easily be applied to a red teaming scenario where the attack chain is shifted to a C2 platform.

General tips

In no particular order, the following is a list of general hints and tips I picked up whilst studying the EXP-312 course:

  • Take complete notes on each chapter using Obsidian or your preferred note-taking tool. I ended up going over the course materials twice: once to familiarise myself with the concepts, and a second time to cover any gaps I missed the first time round.
  • Follow each module along with your terminal open. Whilst the copy-paste code in the OffSec training portal is helpful, I found the code easier to understand when I typed, compiled and debugged it myself.
  • Set up a private GitHub repository to store all the exercise and extra mile code you write during the course.
  • Write snippets of template code which you can refer to during the exam if needed. Keep these handy when writing new exploits, especially for XPC.
  • Practice writing assembly and shellcoding by hand. I wrote some Python helper scripts to automate this for bind shell, reverse shell and execve shellcode payloads. These are available on my GitHub.
  • If you use Obsidian, install the Obsidian Tabs plugin. This helps you organise and quickly switch between your notes just like keeping tabs in a web browser.
  • Complete all the exercises, and as many extra miles as you can before the exam.
  • Read around the course material with papers and blog posts from other macOS researchers, starting with theevilbit's blog.
  • If you use Sublime Text, check out the SublimeHighlight plugin, as it allows you to export your code to RTF with syntax highlighting. This works well for including your proof-of-concept exploit code in your report.
  • Post on the EXP-312 Discord channel if you need help, or just want to share ideas. I learned a lot just from talking with other students who were working on the same exercises.

What's next?

The EXP-312 course has been a great starting point for growing my skillset in macOS exploitation. I would highly recommend this course to exploit developers looking to start their own independent macOS security research, or red teamers who wish to develop their expertise beyond Windows and Linux. For now, I'm excited to put what I've learned into practice and start doing macOS security research of my own, as there are still many bugs and vulnerabilities out there to find.
