OSWE Exam review “2020” + Notes & Gifts inside!

At least there is no XXE now (I guess I’ve seen it in previous AWAE public pdfs)

Some boxes to practice with

@s0j0hn said:
Some boxes to practice with
NetSecFocus Trophy Room - Google Drive

These boxes are for OSCP, not OSWE.
You may mention them in my OSCP review.

Type your comment> @21y4d said:

@s0j0hn said:
Some boxes to practice with
NetSecFocus Trophy Room - Google Drive

These boxes are for OSCP, not OSWE.
You may mention them in my OSCP review.

There is a tab for OSWE at the top

@s0j0hn said:
Type your comment> @21y4d said:

(Quote)
There is a tab for OSWE at the top

Oh, I see… Yeah, some of them are the same boxes mentioned above.

I must mention that they contain parts that might be useful for OSWE, but unfortunately I couldn’t find any with whitebox testing vectors.

Hopefully sourceCode will be dedicated for this area, once it goes live.

Thanks for sharing

Thanks for this detailed review. I am rather interested in this exam, since it would be a good fit for my day job as a developer. Do you think/know if OSCP is required for this exam?

@dnperfors said:
Thanks for this detailed review. I am rather interested in this exam, since it would be a good fit for my day job as a developer. Do you think/know if OSCP is required for this exam?

You can definitely go directly to OSWE, since there are no prerequisite to this course. I think it would also be good for you, since OSWE is also aimed towards developers.

However, I must note that OSWE is an advanced course, so you must have good knowledge in web exploitation. If you do take and pass OSCP, and then complete the areas I mentioned in the study plan above, then you are good to go.

Thanks, I already planned to look at several boxes, including the ones mentioned in the link. After studying those, I can always decide whether or not I am confident enough to start…

If anyone took OSCE with any of “GXPN, OSEE, PACES”, I would love to hear your feedback on how to prioritize them, and which ones aren’t necessary.

Thank you so much for the detailed review, it’s probably the best one for the OSWE so far.

But I still have some questions, as you mentioned before that you took some courses in web development, and you did not go very deep in each, but after reading the whole review, it gives the implication that you have to be an expert in the mentioned languages, or at least called a developer in that certain language, that you can read and write anything. Is this true?
And can you please recommend any courses (URL’s) that helped you in learning those languages?

@ASD0 said:
Thank you so much for the detailed review, it’s probably the best one for the OSWE so far.

But I still have some questions, as you mentioned before that you took some courses in web development, and you did not go very deep in each, but after reading the whole review, it gives the implication that you have to be an expert in the mentioned languages, or at least called a developer in that certain language, that you can read and write anything. Is this true?
And can you please recommend any courses (URL’s) that helped you in learning those languages?

What I meant is that you wouldn’t have to become and expert in each language, but you have to be able to read it’s code, understand it’s web functionality, and be able to write some code in it, in case you have to modify any of the code. So you should be able to develop things in it, but by no means do you have to become an expert developer in each.

Other than the courses i mentioned above, you can either search YouTube for introductory courses, or you can take an web development course in that language from udemy.

For those interested, I have just done Smasher2, and I think the user part is an excellent example and practice for the OSWE exam.

Type your comment> @s0j0hn said:

Type your comment> @21y4d said:

@s0j0hn said:
Some boxes to practice with
NetSecFocus Trophy Room - Google Drive

These boxes are for OSCP, not OSWE.
You may mention them in my OSCP review.

There is a tab for OSWE at the top

Take a look at this on:

@21y4d May I ask your thoughts about it?

@klezNG said:
Type your comment> @s0j0hn said:

Type your comment> @21y4d said:

@s0j0hn said:
Some boxes to practice with
NetSecFocus Trophy Room - Google Drive

These boxes are for OSCP, not OSWE.
You may mention them in my OSCP review.

There is a tab for OSWE at the top

Take a look at this on:
https://klezvirus.github.io/

@21y4d May I ask your thoughts about it?

Thanks for sharing this.
As you mentioned, not many boxes are good for white-box testing and preparing for OSWE and OSCE. Even the practice material I mentioned above is only for practicing for a certain type of vulnerability after you fully owned the box and have access to their source code.

This is why I hope sourceCode will be a unique box and a good addition to HTB, whenever it gets released.

@21y4d Thanks for the excellent review.

Could you provide some resources (books, CTFs?) for practicing code review of large code base? How one should approach the code review and what should be the methodology.

@roguesecurity said:
@21y4d Thanks for the excellent review.

Could you provide some resources (books, CTFs?) for practicing code review of large code base? How one should approach the code review and what should be the methodology.

Honestly, this was one of the difficult parts of OSWE, and eventually I had to go through real web apps in each language, and find my way around each language, and how to quickly identify each type of vulnberabilities, both in linux and windows.

There’s one reference that might be good, chapter 19 in the Web Application Hacker’s Handbook. But I think you must practice this for each language, and find your way around it.

I’m sure more experienced developers in each language would have much more efficient ways of going through the code, but I didn’t find anything useful, so I had to come up with my own way.

For those interested, above I mentioned that HTB has not practice for .net deserialization.
The recently retired “json” box has one, though very basic, but is a good practice nonetheless.

Update 3:
Another good command injection practice is machine “Obscurity”.
Though it is a basic injection, it is a good exercise to start with.

All updates to OSWE study guide:
-Auth bypass, on box “Smasher2”
-.net deserialization, on box “Json”
-command injection, on box “Obscurity”

That was an excelent review, many thanks! As an actual AWAE student I am feeling that dotnet is a weak of mine. I need to improve my dotnet code review skills and mainly understand how dotnet url mappings work. If you have any reference to suggest me it would be very appreciated. I have not found a good free content about it yet. I am also waiting to ur box release so I can practice more. Congratslilations!

@bansheepk said:
That was an excelent review, many thanks! As an actual AWAE student I am feeling that dotnet is a weak of mine. I need to improve my dotnet code review skills and mainly understand how dotnet url mappings work. If you have any reference to suggest me it would be very appreciated. I have not found a good free content about it yet. I am also waiting to ur box release so I can practice more. Congratslilations!

Thank you…

If you meant general code review, there’s one reference that might be good, chapter 19 in the Web Application Hacker’s Handbook.

However, you would still have to practice going through huge code “I’m talking hundreds of thousands of lines”, and find techniques to quickly identify what you are looking for.

As for .Net, I suggest watching these two videos about C# from Mosh:

Once you have a general understanding of the language and how its web apps are build, you should be able to understand the code flow and functionality, and can start practicing code review.