OSWE Exam review “2020” + Notes & Gifts inside!

Thank you so much for the detailed review, it’s probably the best one for the OSWE so far.

But I still have some questions. As you mentioned before, you took some courses in web development but did not go very deep into each. After reading the whole review, though, it gives the impression that you have to be an expert in the mentioned languages, or at least be called a developer in a certain language who can read and write anything. Is this true?
And can you please recommend any courses (URLs) that helped you in learning those languages?

@ASD0 said:
Thank you so much for the detailed review, it’s probably the best one for the OSWE so far.

But I still have some questions. As you mentioned before, you took some courses in web development but did not go very deep into each. After reading the whole review, though, it gives the impression that you have to be an expert in the mentioned languages, or at least be called a developer in a certain language who can read and write anything. Is this true?
And can you please recommend any courses (URLs) that helped you in learning those languages?

What I meant is that you wouldn’t have to become an expert in each language, but you have to be able to read its code, understand its web functionality, and be able to write some code in it, in case you have to modify any of the code. So you should be able to develop things in it, but by no means do you have to become an expert developer in each.

Other than the courses I mentioned above, you can either search YouTube for introductory courses, or you can take a web development course in that language on Udemy.

For those interested, I have just done Smasher2, and I think the user part is an excellent example and practice for the OSWE exam.

@s0j0hn said:

@21y4d said:

@s0j0hn said:
Some boxes to practice with
NetSecFocus Trophy Room - Google Drive

These boxes are for OSCP, not OSWE.
You may mention them in my OSCP review.

There is a tab for OSWE at the top

Take a look at this on:
https://klezvirus.github.io/

@21y4d May I ask your thoughts about it?

@klezNG said:
@s0j0hn said:

@21y4d said:

@s0j0hn said:
Some boxes to practice with
NetSecFocus Trophy Room - Google Drive

These boxes are for OSCP, not OSWE.
You may mention them in my OSCP review.

There is a tab for OSWE at the top

Take a look at this on:
https://klezvirus.github.io/

@21y4d May I ask your thoughts about it?

Thanks for sharing this.
As you mentioned, not many boxes are good for white-box testing and for preparing for OSWE and OSCE. Even the practice material I mentioned above is only for practicing a certain type of vulnerability after you have fully owned the box and have access to its source code.

This is why I hope sourceCode will be a unique box and a good addition to HTB, whenever it gets released.

@21y4d Thanks for the excellent review.

Could you provide some resources (books, CTFs?) for practicing code review of a large code base? How should one approach the code review, and what should the methodology be?

@roguesecurity said:
@21y4d Thanks for the excellent review.

Could you provide some resources (books, CTFs?) for practicing code review of a large code base? How should one approach the code review, and what should the methodology be?

Honestly, this was one of the difficult parts of OSWE, and eventually I had to go through real web apps in each language, find my way around each language, and learn how to quickly identify each type of vulnerability, both on Linux and Windows.

There’s one reference that might be good, chapter 19 in the Web Application Hacker’s Handbook. But I think you must practice this for each language, and find your way around it.

I’m sure more experienced developers in each language would have much more efficient ways of going through the code, but I didn’t find anything useful, so I had to come up with my own way.

For those interested, above I mentioned that HTB has no practice for .NET deserialization.
The recently retired “Json” box has one; though it is very basic, it is good practice nonetheless.

Update 3:
Another good command injection practice is machine “Obscurity”.
Though it is a basic injection, it is a good exercise to start with.

All updates to OSWE study guide:
-Auth bypass, on box “Smasher2”
-.NET deserialization, on box “Json”
-Command injection, on box “Obscurity”

That was an excellent review, many thanks! As an actual AWAE student I am feeling that dotnet is a weakness of mine. I need to improve my dotnet code review skills and mainly understand how dotnet URL mappings work. If you have any reference to suggest, it would be very appreciated. I have not found good free content about it yet. I am also waiting for your box release so I can practice more. Congratulations!

@bansheepk said:
That was an excellent review, many thanks! As an actual AWAE student I am feeling that dotnet is a weakness of mine. I need to improve my dotnet code review skills and mainly understand how dotnet URL mappings work. If you have any reference to suggest, it would be very appreciated. I have not found good free content about it yet. I am also waiting for your box release so I can practice more. Congratulations!

Thank you…

If you meant general code review, there’s one reference that might be good, chapter 19 in the Web Application Hacker’s Handbook.

However, you would still have to practice going through huge code bases, “I’m talking hundreds of thousands of lines”, and find techniques to quickly identify what you are looking for.

As for .Net, I suggest watching these two videos about C# from Mosh:

Once you have a general understanding of the language and how its web apps are built, you should be able to understand the code flow and functionality, and can start practicing code review.
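The two code-review questions above (how to get through a code base of hundreds of thousands of lines, and where to start when .NET is your weak spot) are the kind of problem a small triage script helps with. The following is an added example written for this page, not a tool from the thread, from the course or from OffSec. It ranks source files by the co-occurrence of untrusted-input sources (request parameters, headers, form fields) and dangerous sinks (deserializers, command execution, raw queries), so you read the highest-scoring files first instead of starting at the top of the tree. The regex lists, the scoring weights and the four sample files are all constructed assumptions of the example; the pattern lists are a starting point to grow for each target, and false positives are expected.

```python
"""Hotspot triage for a large web code base (added example, not from the thread).

Rank files before reading: a file that both reads untrusted input (a "source") and
calls a dangerous API (a "sink") is read first. The regexes are an illustrative
starting set to grow per target, not a complete catalogue; expect false positives."""
from __future__ import annotations

import re
import sys
from collections import Counter
from dataclasses import dataclass
from pathlib import Path

# Keyed by file suffix; sinks centre on the OSWE bug classes (injection, deserialization, raw SQL).
PATTERNS = {
    ".php":  {"sources": [r"\$_(GET|POST|REQUEST|COOKIE)\b", r"php://input"],
              "sinks": [r"\b(eval|system|exec|shell_exec|passthru|unserialize)\s*\(", r"->query\s*\("]},
    ".java": {"sources": [r"\.getParameter(Values|Map)?\s*\(", r"\.getHeader\s*\("],
              "sinks": [r"\.readObject\s*\(", r"Runtime\.getRuntime\(\)\.exec\s*\(", r"\.createQuery\s*\("]},
    ".cs":   {"sources": [r"Request\.(QueryString|Form|Cookies|Headers)\b", r"\[From(Body|Query|Form)\]"],
              "sinks": [r"\bBinaryFormatter\b", r"\bJavaScriptSerializer\b",
                        r"TypeNameHandling\.(All|Auto|Objects)", r"Process\.Start\s*\("]},
    ".js":   {"sources": [r"\breq\.(query|body|params|cookies|headers)\b"],
              "sinks": [r"\b(eval|Function)\s*\(", r"\bexec(Sync)?\s*\(", r"\.query\s*\(\s*[`'\"]"]},
}


@dataclass
class Hotspot:
    path: str
    sources: int
    sinks: int
    hits: list[tuple[int, str, str]]  # (line number, "sources" | "sinks", matched text)

    @property
    def score(self) -> int:
        # Source and sink in one file dominates; sinks alone still outrank sources alone.
        return self.sources * self.sinks * 10 + self.sinks * 2 + self.sources


def scan_text(path: str, text: str) -> Hotspot | None:
    """Scan one file's text; None when the suffix has no rules."""
    rules = PATTERNS.get(Path(path).suffix.lower())
    if rules is None:
        return None
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        if line.strip().startswith(("//", "#", "*", "/*")):  # skip obvious comment lines
            continue
        for kind, regexes in rules.items():
            for rx in regexes:
                if m := re.search(rx, line):
                    hits.append((no, kind, m.group(0)))
    counts = Counter(kind for _, kind, _ in hits)
    return Hotspot(path, counts["sources"], counts["sinks"], hits)


def rank(files: dict[str, str]) -> list[Hotspot]:
    """Rank a {path: text} mapping by score, highest first; files without hits are dropped."""
    spots = [h for p, t in files.items() if (h := scan_text(p, t)) and h.hits]
    return sorted(spots, key=lambda h: (-h.score, h.path))


def scan_tree(root: str) -> list[Hotspot]:
    """Real use: point it at the unpacked source of the target application."""
    files = {str(p): p.read_text(errors="replace")
             for p in Path(root).rglob("*") if p.is_file() and p.suffix.lower() in PATTERNS}
    return rank(files)


# Constructed sample "code base" for a stand-alone run; none of it is from a real application.
SAMPLE = {
    "web/Controllers/ImportController.cs": """\
public class ImportController : Controller {
    [HttpPost]
    public ActionResult Upload() {
        var name = Request.Headers["X-Import-Name"];
        var raw = Request.Form["payload"];
        var obj = new BinaryFormatter().Deserialize(new MemoryStream(Convert.FromBase64String(raw)));
        return Json(new { name, obj });
    }
}
""",
    "legacy/search.php": """\
<?php
// legacy search endpoint
$q = $_GET['q'];
$rows = $db->query("SELECT * FROM items WHERE name LIKE '%$q%'");
""",
    "core/src/app/util/Config.java": """\
public class Config {
    static Object load(java.io.InputStream in) throws Exception {
        return new java.io.ObjectInputStream(in).readObject();
    }
}
""",
    "api/routes/health.js": """\
app.get('/health', (req, res) => {
  const verbose = req.query.verbose === '1';
  res.json({ ok: true, verbose });
});
""",
}

if __name__ == "__main__":
    # With a directory argument, scan that tree; otherwise rank the constructed sample.
    for h in scan_tree(sys.argv[1]) if len(sys.argv) > 1 else rank(SAMPLE):
        print(f"{h.score:4d}  {h.path}  sources={h.sources} sinks={h.sinks}")
        for no, kind, text in h.hits:
            print(f"        L{no} {kind[:-1]}: {text}")
```

On the sample, the .NET controller that reads a header and a form field and feeds them to BinaryFormatter ranks first, the PHP search page with a request parameter flowing into a raw query second, the Java utility that deserializes but never touches a request third, and the Node health route that only reads input last. That ordering is the point: the files worth reading line by line are the ones where attacker input and a dangerous call sit together, and the script only decides where you start, not whether the bug is real.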

@yb4Iym8f88 said:
Good news everyone! Now we cannot record videos during an exam to make our life easier. Time to invent a screenshot maker.
Is there any automated tool for screenshots? At least something that puts all screenshots taken in a predefined folder without asking and distracting… Or maybe by timer, i.e. takes a screenshot every 5 seconds.

That’s terrible!
Recording a video makes your life way easier for taking proper screenshots. Otherwise, you would have to finish early to be able to ensure you took enough screenshots.

One thing that definitely made my life easier was using CherryTree, and with OSWE it’s a must.

@21y4d Rezzing a deadish thread just to give you a second data point on the Sec+/CISSP question. I agree with @squirrelpizza.

The Security+ cert really just exists as a checkbox for the DoD 8570 requirements, and it’s a relatively low-level checkbox as well. Just from reading your posts and knowing that your skill set in this field is far above my own, the Sec+ would be a waste for you. If you were set on a CompTIA cert I would look at the CySA+ or CASP+.

I can’t speak to the contents of the CISSP, but I can say that it seems to be a vastly more preferred cert. The only people at my workplace who get the CASP+ are people who have a stacked rack of CompTIA certs and want to renew them all. Everyone else I know pretty much goes for the CISSP.

The only exception to that would be if you wanted to get in working for the DoD or a contractor. Since the CEH is an absolute joke, getting the CySA+ would get you covered for any “Cyber Security Service Provider” (CSSP) classed position outside of management. If you were heading that route, the CASP+ would probably be a better option than the CISSP, because renewing the CASP+, your IAT Level III cert, would also renew the CSSP role-specific cert, the CySA+.

Here’s the 8570 cert table: https://public.cyber.mil/cw/cwmp/dod-approved-8570-baseline-certifications/

For any regular corporate environment I would guess the CISSP would be the much better option.

@borari said:
@21y4d Rezzing a deadish thread just to give you a second data point on the Sec+/CISSP question. I agree with @squirrelpizza.

The Security+ cert really just exists as a checkbox for the DoD 8570 requirements, and it’s a relatively low-level checkbox as well. Just from reading your posts and knowing that your skill set in this field is far above my own, the Sec+ would be a waste for you. If you were set on a CompTIA cert I would look at the CySA+ or CASP+.

I can’t speak to the contents of the CISSP, but I can say that it seems to be a vastly more preferred cert. The only people at my workplace who get the CASP+ are people who have a stacked rack of CompTIA certs and want to renew them all. Everyone else I know pretty much goes for the CISSP.

The only exception to that would be if you wanted to get in working for the DoD or a contractor. Since the CEH is an absolute joke, getting the CySA+ would get you covered for any “Cyber Security Service Provider” (CSSP) classed position outside of management. If you were heading that route, the CASP+ would probably be a better option than the CISSP, because renewing the CASP+, your IAT Level III cert, would also renew the CSSP role-specific cert, the CySA+.

Here’s the 8570 cert table: https://public.cyber.mil/cw/cwmp/dod-approved-8570-baseline-certifications/

For any regular corporate environment I would guess the CISSP would be the much better option.

Thanks a lot for the input, much appreciated.
This about sums up what I came to conclude when comparing the two certs 🙂

@21y4d said:

Future Plans

I’ve been working on OSWE for quite some time, and have some ideas for my next step. Eventually, I’m thinking about going deep into OS/Binary exploitation, with: PACES, GXPN, OSCE, and OSEE. If anyone took OSCE and any of the others “GXPN, OSEE, PACES”, I would love to hear your feedback on how to prioritize them.

Hi,
What is PACES? My google-fu must be lacking because I can’t seem to find anything about it.

@Zwm8e said:
@21y4d said:

Hi,
What is PACES? My google-fu must be lacking because I can’t seem to find anything about it.

It is the newest red team lab from Pentester Academy. The certificate is not that useful, but the lab seems to be excellent for domain exploitation, and the courses are excellent as well.

Many thanks for the review! I’m considering taking AWAE myself, and any thoughts from people who have done it are useful in assessing whether it is worth the effort.

So far I have OSCE, OSCP, CISSP and ISO 27001 LI. It sounds like AWAE is structured pretty much the same as CTP (the course that leads to OSCE). You probably won’t be as impressed with the up-to-dateness of the materials in CTP, but I felt it gave me a great starting point to get into exploit development. Like AWAE, it won’t be hugely useful if you mostly do black-box engagements and don’t have much time allocated for exploit development, but it at least teaches you hands-on the basics of the exploit development part.

CISSP is great for getting a basic understanding and the big picture of pretty much every domain in information security, from regulation to physical access controls. There’s a saying that the knowledge of a CISSP is “a mile wide, but only an inch deep”, which has truth in it. It can give perspective on business risk management to a pentester and help communicate the risks better, but in practice it’s most beneficial for non-pentesting security auditors, ISMS consultants and security managers. I did the exam a few years ago and it has most likely changed from what it used to be, but I dare say it will be much less of an effort than the OffSec certs you have done. Of course, it requires a different type of capability to learn (less hands-on and more about understanding what you have read and what is exactly being asked).

Commenting so that I can easily come back to this post in the future if/when I decide to get my OSWE. Love your reviews, thank you!

@21y4d Fantastic guide. This is spot on. I finished my AWAE exam a few weeks ago and this is some great advice.

For @d1ss0 The AWAE (OSWE) is a very difficult exam. It is a departure from the “normal” exams. I have OSCP, OSCE, GXPN (and now OSWE). OSCP, OSCE and to some extent GXPN are very “exploit” focused. You’re writing code or running exploit code generally based on a well-known exploit or misconfiguration.

In this exam there are no exploit-db searches that will help you find the issues with the code. You really need to understand how the applications/websites they give you work. Follow the flow and then identify potential issues to exploit. In all cases (the course and exam) you’re given the code (or can determine where to get it). The trick is to distill what may be tens of thousands of lines of code and hundreds of linked libraries into a few high-probability targets of opportunity. Then examine those.

A few (hopefully helpful) hints:

  • Don’t get tunnel vision. There is a lot of code to look at; try not to get fixated on one part.
  • Keep in mind this is NOT OSCP or HTB. You’re not always looking to get admin and rule the world. Sometimes you can achieve the goal with what you have.

Gridith

@d1ss0 said:
Many thanks for the review! I’m considering taking AWAE myself, and any thoughts from people who have done it are useful in assessing whether it is worth the effort.

So far I have OSCE, OSCP, CISSP and ISO 27001 LI. It sounds like AWAE is structured pretty much the same as CTP (the course that leads to OSCE). You probably won’t be as impressed with the up-to-dateness of the materials in CTP, but I felt it gave me a great starting point to get into exploit development. Like AWAE, it won’t be hugely useful if you mostly do black-box engagements and don’t have much time allocated for exploit development, but it at least teaches you hands-on the basics of the exploit development part.

CISSP is great for getting a basic understanding and the big picture of pretty much every domain in information security, from regulation to physical access controls. There’s a saying that the knowledge of a CISSP is “a mile wide, but only an inch deep”, which has truth in it. It can give perspective on business risk management to a pentester and help communicate the risks better, but in practice it’s most beneficial for non-pentesting security auditors, ISMS consultants and security managers. I did the exam a few years ago and it has most likely changed from what it used to be, but I dare say it will be much less of an effort than the OffSec certs you have done. Of course, it requires a different type of capability to learn (less hands-on and more about understanding what you have read and what is exactly being asked).

Thanks for the info on CISSP. It seems like CISSP is the way to go, but since I’m more focused on red-teaming, I fear it might take a lot of my time on something that might not be directly useful for my work. I think it will definitely be useful for the future, though.

And as for CTP, that’s why I’m postponing it for now. I have been practicing advanced exploit development lately, including advanced heap and kernel exploitation, which are taught in OSEE.
From what I see in the CTP syllabus, it seems very outdated, and it might be better to wait for a new update to the course, similar to the OSCP one.
Now that both OSWE and OSCP are 2019+, I assume this should be the one to be updated next.