
Pentester Diaries Ep.10: Journey into Reverse Engineering and Exploit Development

Andreea Druga joins us to share her passion for reverse engineering and exploit development! Here are highlights from our last podcast episode of the season!

On this episode of Pentester Diaries, we had an opportunity to chat with another brilliant Cobalt Core member, Andreea Druga. Our topic revolved around reverse engineering and exploit development! This area of security is for the dedicated and curious, considering it is a deep dive into observing low-level code and discovering critical flaws. Then what else? Craft an exploit, of course!

That’s still vague, so let’s JMP into this conversation with Andreea to uncover more details about how she started this adventure!

Core Experience

First, let's talk a little about our guest. Andreea Druga is a Core member who has been testing with Cobalt since 2018. Anyone can start digging into reverse engineering, but it is eye-opening to see how much experience Andreea had accumulated before exploring this subject.

Andreea began by elaborating on her experience, stating, “I started off with a Master’s Degree in IT and Security. Then, afterwards, got an internship in a security operations center department - and there I worked on the blue team side of things. I’ve worked with various tools such as intrusion detection and protection systems, anti-virus/virus endpoint detection tools, and SIEM.

“After two-and-a-half years there, I switched over to the pentest side of things and got the chance to get into the attacker’s mindset.”

A security-first mindset is great to have for a pentester. Understanding how the walls built to defend are stacked gives them the advantage of maneuvering around those walls, or even breaking them down.

Starting Point

We also talked about starting points. What brings curious minds to such a unique area of security? From the professionals I’ve talked to, reverse engineering and exploit development are labors of love. Naturally, I wanted to know what brought Andreea to this path in the first place.

Andreea explained, “The first time I got acquainted with the Assembly Language, actually, was at University. I had a course called ‘Anti-virus and Virus and Virus Technologies.’ There, the teacher explained to us all about Assembly, registers (operations that can be made on them), debuggers, assemblers, and all of that!

“Afterwards, my interests started to slowly build up, because when working in the security operations center (SOC) we often encountered various types of malware. So, I was really curious and wanted to dive in deeper to get to the bottom of it.”

Reversing and Exploit Dev Tools

We moved on to tools of the trade, mainly the consoles reverse engineers use to observe changes in application states.

Andreea gave us her use case with these tools, stating, “I’ve been using Immunity Debugger and OllyDbg. Also, Ghidra and a little bit of IDA - let’s talk about reverse engineering and exploit development, and how I’ve been combining them into my pentesting activities. The first time I did an exploit was during the OSCP, I did an exploit for a buffer overflow vulnerability.”

Andreea elaborated more about her learnings during an OSCP course, stating, “...For the buffer overflow, how you send in the malformed input, how you’re loading your vulnerable program into the Immunity Debugger and watch it crash to see what happens in the registers - seeing that the EIP register is being overwritten with your input. Then you’re trying to find this JMP ESP address you’re going to place your shellcode in there.”

So, now you're getting an idea of how involved this process is, right? If none of this really makes sense now, Andreea recommends something a little later that should help.

Task Automation

The crux of any undertaking like reverse engineering is having to balance your focus. Scripting unnecessary tasks helps eliminate repetitive actions, and allows users the spare time to focus on more critical parts of a job. So, I wondered if she might use this in these fields.

Andreea explained, “I’m always working with Kali for exploit development. Like, I am using Python to write the scripts. I’ve been using OllyDbg and Immunity Debugger, that basically allow us to view and change the running state of a program. Whereas, the disassemblers are transforming the machine code into a human-readable presentation.

“For scripting, I’ve been mainly using Python for the OSCP and OSCE. During assessments I am also using Python as well. But it really depends on the assessment and how many hours we have.”

Learning Reverse Engineering and Exploit Dev

My favorite part of these conversations involves learning materials. Professionals always have a variety of endorsements that are more helpful than a superficial Google search (or preferred web browser of choice). It involves knowledge that is tested and proven useful. So, I asked Andreea what she recommended.

"I’ve been using the Corellium cyber security research, FuzzySecurity also has some great tutorials, MalwareUnicorn has this reverse engineering 101 course, and for our exploitation I highly recommend Azeria Labs - they are so good."

She continued, "As for the certification, basically OSCP will teach you how to exploit the buffer overflow that we talked about earlier. Then I’d use the OSCE to learn more about exploit development. I know they retired the Cracking the Perimeter course last year, but they’ve introduced this advanced exploit development and anti-virus evasion - so, I really recommend this one."

She also expanded on areas to gamify your experience, stating, “I would also recommend playing various CTF (Capture the Flag) challenges like the ones from Crackmes, or like CTFtime, or Real World CTF.”

Andreea also suggested trying out resources like Hack The Box and VulnHub for some great labs as well.

This conversation is hard to track in this blog alone. The process of reverse engineering and exploit development is definitely something to behold. I'd recommend checking out some of these resources, or listening in to the podcast for more detailed explanations!

Again, I want to thank Andreea Druga for wrapping up our last episode of the season!

About Jesse Rivera
A writer with a curiosity for all things pentesting. Jesse Rivera enjoys working alongside our Core professionals and broadcasting their skills over the net.