Corelan Bootcamp Review

Time to revive this blog, and I think that a review of the Corelan Bootcamp training is the perfect occasion! I had in mind to try the OSCE certification and I felt I needed to go beyond just the basic buffer overflows that you might come across with OSCP, for example.

I had the chance to attend this training at Hack in Paris in June 2018 and I will try to give as much insight as I can without telling too much (because of the NDA). The overall training deals exclusively with the Windows stack and associated vulnerabilities, so nothing about heap exploitation (check the Advanced training for that).

First of all, when you register, you get a couple of emails with prior exercises (to do at home) and important information about what to expect during the training. When we say “important” information, it is mostly when the course will start (usually one hour before all other courses) but also having the VMs properly working before coming to the course.

An NDA will have to be signed before starting the class (you can’t do the class if you don’t sign it), and microphones (or any kind of recording device) are totally forbidden.

Course-wise: Corelan trainings are extremely demanding and if you want to {enjoy,suffer,digest} it as much as you can, make sure you can fully disconnect from work and get your brain solely focused on the training. In terms of logistics, try to take a hotel close by so that you can walk to the training. That might sound silly but there were people living 1 hour away from the training room, and when you leave at ~9pm in the evening and have to come back at 8am the next day, this gets even more intense.

Peter (@corelanc0d3r) is one of the best trainers I’ve ever met so far, mostly because of his pedagogy. Peter will never give you the solutions BUT will always answer your questions (even sometimes at 11pm on a Friday night, thanks!) by pointing you in the right direction.

The course content is quite self-explanatory and you will go through all this during 3 days (trust me, you will):

* The x86 environment
    * System Architecture
    * Windows Memory Management
    * Registers
    * Introduction to Assembly
    * The stack
    * Running 32bit applications on a 64bit OS (wow64)
* The exploit development lab environment
    * Setting up the exploit developer lab
    * Using debuggers and debugger plugins to gather primitives
* Stack Buffer Overflows
    * Stack Buffers
    * Functions
    * Saved return pointer overwrites
    * Stack cookies
    * Structured Exception Handlers
    * etc
* Egg hunters
    * Using egghunters
    * Egg hunters in a WoW64 environment
* Reliability++ & Reusability++
    * Finding and avoiding bad characters
    * Creative ways to deal with character set limitations
* Metasploit framework Exploit Modules
    * Writing exploits for the Metasploit Framework
    * Porting exploits to the Metasploit Framework
* ASLR
    * Bypassing ASLR
* DEP
    * Bypassing NX/DEP
    * Return Oriented Programming / Code Reuse (ROP)

In a few words, you will basically go from zero to writing ROP chains on the third day, but expect a couple of headaches. Some exploit development experience (even on Linux) is a big plus, so feel free to practice. If you prefer to focus on Windows (such as the Bootcamp training), check out the vulnserver.exe project and try different commands and not just the TRUN one ;-)

The training is combined with a LOT of practical exercises where Peter will test your skills and make sure that you understood it all. Be ready to use absolutely ZERO NOP instructions during the whole course and if you do, get your arguments ready because Peter already has his own :)

If you’re wondering whether the training is outdated, the answer is simple: NO. You still need to understand the basics in order to fully get what mitigation is for, and how to tackle it. Moreover, who said buffer overflows were dead :) ? https://blog.zimperium.com/whatsapp-buffer-overflow-vulnerability-under-the-scope/

After the training, Peter will add you to a Slack channel he created with all the other students (prior to this, there {was/still is} a forum) where you will be able to discuss with other students, and that’s pretty important!

To conclude this review, I think that the Bootcamp training is worth every penny and literally one of the best trainings I’ve ever had. Peter is a very good trainer willing to give you most of the knowledge he has learnt (either during the training and/or after). I attended Corelan Advanced in June 2019 at Hack in Paris and guess what? 4 out of the ~20 students were at the previous Bootcamp session… :)