Please read this entire document carefully before beginning your exam!
This guide explains the objectives of the Offensive Security macOS Researcher (OSMR) certification exam. Section 1 describes the requirements for the exam, Section 2 provides important information and suggestions, and Section 3 contains instructions for submitting your completed exam.
The OSMR certification exam is comprised of four tasks related to exploit development or security control bypasses that must be solved.
You have 47 hours and 45 minutes to complete the exam.
This means that if your exam begins at 09:00 GMT, your exam will end at 08:45 GMT two days later.
Once the exam is finished, you will have another 24 hours to send your documentation to the Offensive Security Challenges Department. Details on how to submit your files are provided below.
All OSMR exams are proctored.
Please make sure to read the proctoring tool student manual and the proctoring FAQ.
The exam consists of four tasks, which will test the topics covered in the syllabus, including reverse engineering to discover vulnerabilities, crafting exploits that bypass security mitigations, and creating custom shellcode.
Once you've developed a working exploit against a designated target machine, you will need to obtain a shell. From the shell, you must retrieve a proof.txt file.
Specific instructions for each task will be located in your Exam Control Panel, which will become available to you once your exam begins.
You are required to write a report describing your vulnerability discovery and exploitation process for each task you solve.
Your report must document all of the steps you perform. Your documentation should be thorough enough that your attacks can be replicated step-by-step by a technically-competent reader.
The documentation requirements are very strict; failure to provide sufficient documentation will result in reduced or zero points being awarded. Please note that once your exam and lab report is submitted, your submission is final. You will not be allowed to send additional screenshots or information, nor will we request such.
Tasks that require an exploit to be created will include an associated target machine running a copy of the vulnerable software.
You must use your developed exploit to compromise the target machine and retrieve the proof file.
The target machine contains several proof files as some exploits depend on each other. You must submit all proof files in your control panel by including a screenshot with your documentation. Failure to provide the appropriate proof files in a screenshot will result in zero points being awarded for the task.
The only accepted way to provide the contents of the proof files is in a remote interactive shell on the target machine with the cat command from their original location.
Obtaining the contents of the proof files in any other way will result in zero points for the target machine.
The exam control panel contains a section to submit your proof files. The contents of the proof.txt files obtained from your exam machines must be submitted in the control panel before your exam has ended.
Each proof.txt must be shown in a screenshot that includes the contents of the file, as well as the IP address of the target obtained using ifconfig. An example of this is shown below:
You cannot use any penetration testing framework software during the exam, regardless if it's open source or commercial, including frameworks such as Meterpreter, Apfell, or Mythic. In addition, reverse engineering must be performed with Hopper and lldb as taught in the course. Alternative disassemblers such as Ghidra, R2 or IDA are not allowed.
All code to solve the four tasks must be written in C, Objective-C, zsh (shell) or Python3.
These restrictions are both to facilitate a fair and balanced exam, and to enable proper grading.
In an effort to keep the exam experience equal for all students, we request that you do not reveal the software being exploited in the OSMR exam, or share any exploitation steps and code publicly.
Downloading any applications or source code from the exam environment to your local machine unless specifically allowed is strictly forbidden.
Your connection to the exam is to be done with Kali Linux using OpenVPN. We are unable to provide any VPN connectivity support if you choose to use another setup. Your exam connection pack and details will be sent by email no sooner than the exact start time of your exam.
1) Download the exam-connection.tar.bz2 file from the link provided in the exam email to your Kali machine.
2) Extract the file:
kali@kali:~$ tar xvfj exam-connection.tar.bz2 OS-XXXXX-OSMR.ovpn
3) Initiate a connection to the exam lab with OpenVPN:
kali@kali:~$ sudo openvpn OS-XXXXX-OSMR.ovpn
4) Enter the username and password provided in the exam email to authenticate to the VPN:
kali@kali:~$ sudo openvpn OS-XXXXX-OSMR.ovpn OpenVPN 2.3.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Dec 1 2014 Enter Auth Username: OS-XXXXX Enter Auth Password: XXXXXXXXXX Thu Mar 18 21:22:06 2016 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info. Thu Mar 18 21:22:06 2016 LZO compression initialized Thu Mar 18 21:22:06 2016 UDPv4 link local: [undef] Thu Mar 18 21:22:06 2016 UDPv4 link remote: x.x.x.x:1194 Thu Mar 18 WARNING: this configuration may cache passwords in memory Thu Mar 18 [127.0.0.1] Peer Connection Initiated with x.x.x.x:1194 Thu Mar 18 21:22:07 2016 TUN/TAP device tap0 opened Thu Mar 18 /sbin/ifconfig tap0 192.168.xx.xx netmask 255.255.254.0 mtu 1500 Thu Mar 18 21:22:07 2016 Initialization Sequence Completed
The exam control panel is available via a link provided in your exam email. Through the exam control panel you will be able to:
- Submit proof files
- Revert target machines
- View specific target objectives and point values
You have a limit of 50 reverts. This limit can be reset once during the exam. All of the machines will have been freshly reverted at the start of your exam, so you will not be required to revert the machines when you begin.
Please wait patiently for a machine to revert and only click the button once per attempt. Reverting a target machine will cause it to return to its original state, and any changes you have made to the machine will be lost.
- The order in which the exam tasks are documented inside your exam report is the same order in which they will be graded and valued.
- Points will only be awarded for full completion of a task.
- Each task has a specific set of objectives that must be met in order to receive full points.
- You must obtain a minimum score of 70 points out of a possible 80 points to pass the exam.
You will receive no points for a specific assignment if you:
- Use a restricted tool
- Fail to provide the proof.txt file contents in both the control panel and in a screenshot
Ideally, one of the following templates should be used for the penetration test report:
You may opt to use your own template as long as the information is presented in a structured, professional manner and follows all other requirements outlined above.
This subsection of the exam guide documents what you should do in case you are unable to complete your exam due to severe external factors. Please make sure to read and understand it carefully.
The exam lab is a dedicated environment with no students connected other than yourself. The total allotted time of 47 hours and 45 minutes does take life and its situations into consideration:
- You are expected to take rest breaks, eat, drink and sleep.
- You are also expected to have a contingency plan in the event that there is an issue outside your control. (e.g. make sure you have access to a backup Internet connection)
If you have a legitimate issue, please send an email with your OSID to "challenges AT offensive-security DOT com" immediately. Make sure to include all the necessary details and supporting information such as a letter from your power company, ISP or any other relevant documentation.
Please note we are only able to extend the lab time if the issues were present on our side, and only when the exam subnet is not immediately in use by another student following your exam. In the event of an issue on our side and the exam subnet is scheduled immediately following your exam, we will provide a free exam retake attempt. We work very hard to ensure our environments are highly available and issues are extremely rare.
If you encounter any connectivity problems with the VPN or target machines, inform us immediately. The preferred method of contact is by emailing "help AT offensive-security DOT com".
Please note that we will not be able to assist with or give hints on any exam objectives, and we will only be available to help resolve technical problems during the exam.
All questions related to the exam documentation and submission, or other non-technical exam related issues should be sent to "challenges AT offensive-security DOT com". The live chat administrators will NOT BE ABLE TO HELP you with exam-related queries, unless you are having technical issues with the VPN connection or exam environment.
- Your exam report is in PDF format
- You have used the following format for the PDF file name "OSMR-OS-XXXXX-Exam-Report.pdf", providing your OSID in place of "OS-XXXXX"
- You have provided any necessary code for assignments in separate files which must be in the following extensions:
- You have used the following format for the file names for each assignment with the appropriate file extension:
- Your PDF and code files have been archived in a .7z file (Please do NOT archive it with a password)
- You have used the following format for the .7z file name "OSMR-OS-XXXXX-Exam-Report.7z", in which "OS-XXXXX" is your OSID
- You have made sure that your archive is not more than 300MB and the extracted files are not more than 400MB
- You have uploaded your .7z file to https://upload.offsec.com
Note that the filename is case sensitive. Students must submit their exam file following the exact filename format structure above. If your file does not follow the exact filename format and structure, the application will not accept it.
The following subsections provide details on each of these requirements.
You exam report must be submitted in PDF format archived into a .7z file, along with the proof of concept files.
If you submit your report in any other file format, we will not request or remind you to send a PDF report archived into a .7z file and your exam report will not be scored.
Before submitting your exam report, please review the PDF document to ensure the format and content appear as it did in your original edition document and that there are no formatting errors.
After uploading your exam file to upload.offsec.com, the site will provide you with the MD5 hash of your uploaded file.
Please make sure to verify that you have uploaded your report correctly by checking and comparing the MD5 hashes of your uploaded exam file and your local file.
If the values do not match, that means your file did not upload successfully. Click on "Select a new file" and upload your archive again.
root@kali:~# md5sum OSMR-OS-XXXXX-Exam-Report.7z
Please do not archive your .7z and PDF(s) files with a password. Our system will not accept password-protected files.
You must submit your documentation in a .7z file.
root@kali:~# 7z a OSMR-OS-XXXXX-Exam-Report.7z OSMR-OS-XXXXX-Exam-Report.pdf assignment1.sh assignment2.c assignment3.m assignment4.c
7-Zip 9.20 Copyright (c) 1999-2010 Igor Pavlov 2010-11-18 p7zip Version 9.20 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,2 CPUs)
Updating archive OSMR-OS-XXXXX-Exam-Report.7z
Everything is Ok
Please submit your .7z file via https://upload.offsec.com within 24 hours of completion of the exam and follow the provided instructions in order to upload your archived exam report.
The size limit for extracted files is 400MB and the archive is 300MB. If the size constraints are not met, you would not be able to upload your archive. If you are unable to meet the size constraints, we suggest looking at ways to reduce your file size using techniques such as image compression.
After the file has been uploaded, you will be presented with a "Submit File" button displaying an MD5 hash of your exam report. Make sure to click the "Submit File" button after verifying your MD5 hash to submit your files successfully.
If you do not upload your exam-report via https://upload.offsec.com , it will not be graded.
Once the report is uploaded successfully, a confirmation email will be sent immediately acknowledging the receipt. If you have not received the email, please ensure that you uploaded your report and clicked the Submit File button on the final page of https://upload.offsec.com after verifying your MD5 hash. We also recommend you to check your email spam and junk folders in case the confirmation email has been flagged as spam.
In the unlikely event that we require additional clarification on your exam report, we will contact you via email. You must submit the requested information within 24 hours from the time we have requested it.
You will receive an email with your certification exam results (pass/fail) within ten (10) business days after submitting your documentation. Please note that we do not provide the exam score or solutions to the exam targets.