OSWE Exam review “2020” + Notes & Gifts inside!

Update 3:
Another good command injection practice is machine “Obscurity”.
Though it is a basic injection, it is a good exercise to start with.

All updates to OSWE study guide:
-Auth bypass, on box “Smasher2”
-.net deserialization, on box “Json”
-command injection, on box “Obscurity”

That was an excellent review, many thanks! As an actual AWAE student I am feeling that dotnet is a weakness of mine. I need to improve my dotnet code review skills and mainly understand how dotnet url mappings work. If you have any reference to suggest me it would be very appreciated. I have not found good free content about it yet. I am also waiting for your box release so I can practice more. Congratulations!

@bansheepk said:
That was an excellent review, many thanks! As an actual AWAE student I am feeling that dotnet is a weakness of mine. I need to improve my dotnet code review skills and mainly understand how dotnet url mappings work. If you have any reference to suggest me it would be very appreciated. I have not found good free content about it yet. I am also waiting for your box release so I can practice more. Congratulations!

Thank you…

If you meant general code review, there’s one reference that might be good, chapter 19 in the Web Application Hacker’s Handbook.

However, you would still have to practice going through huge code “I’m talking hundreds of thousands of lines”, and find techniques to quickly identify what you are looking for.

As for .Net, I suggest watching these two videos about C# from Mosh:
https://youtu.be/gfkTfcpWqAY
https://youtu.be/E7Voso411Vs

Once you have a general understanding of the language and how its web apps are built, you should be able to understand the code flow and functionality, and can start practicing code review.

@yb4Iym8f88 said:
Good news everyone! Now we cannot record videos during an exam to make our life easier. Time to invent a screenshot maker.
Is there any automated tool for screenshots? At least something that puts all screenshots taken in a predefined folder without asking and distracting… Or maybe by timer, i.e. takes a screenshot every 5 seconds.

That’s terrible!
Recording a video makes your life way easier to take proper screenshots. Otherwise, you would have to finish early to be able to ensure you took enough screenshots.

One thing that definitely made my life easier was using CherryTree, and with OSWE it’s a must.

@21y4d Rezzing a deadish thread just to give you a second data point on the Sec+/CISSP question. I agree with @squirrelpizza.

The Security+ cert really just exists as a checkbox for the DoD 8570 requirements, and it’s a relatively low level checkbox as well. Just from reading your posts and knowing that your skill set in this field is far above my own, the Sec+ would be a waste for you. If you were set on a CompTIA cert I would look at the CySA+ or CASP+.

I can’t speak to the contents of the CISSP, but I can say that it seems to be a vastly more preferred cert. The only people at my workplace who get the CASP+ are people who have a stacked rack of CompTIA certs and want to renew them all. Everyone else I know pretty much goes for the CISSP.

The only exception to that would be if you wanted to get in working for the DoD or a contractor. Since the CEH is an absolute joke, getting the CySA+ would get you covered for any “Cyber Security Service Provider” (CSSP) classed position outside of management. If you were heading that route, the CASP+ would probably be a better option than the CISSP, because renewing the CASP+, your IAT Level III cert, would also renew the CSSP role specific cert, the CySA+.

Here’s the 8570 cert table: https://public.cyber.mil/cw/cwmp/dod-approved-8570-baseline-certifications/

For any regular corporate environment I would guess the CISSP would be the much better option.

@borari said:
@21y4d Rezzing a deadish thread just to give you a second data point on the Sec+/CISSP question. I agree with @squirrelpizza.

The Security+ cert really just exists as a checkbox for the DoD 8570 requirements, and it’s a relatively low level checkbox as well. Just from reading your posts and knowing that your skill set in this field is far above my own, the Sec+ would be a waste for you. If you were set on a CompTIA cert I would look at the CySA+ or CASP+.

I can’t speak to the contents of the CISSP, but I can say that it seems to be a vastly more preferred cert. The only people at my workplace who get the CASP+ are people who have a stacked rack of CompTIA certs and want to renew them all. Everyone else I know pretty much goes for the CISSP.

The only exception to that would be if you wanted to get in working for the DoD or a contractor. Since the CEH is an absolute joke, getting the CySA+ would get you covered for any “Cyber Security Service Provider” (CSSP) classed position outside of management. If you were heading that route, the CASP+ would probably be a better option than the CISSP, because renewing the CASP+, your IAT Level III cert, would also renew the CSSP role specific cert, the CySA+.

Here’s the 8570 cert table: https://public.cyber.mil/cw/cwmp/dod-approved-8570-baseline-certifications/

For any regular corporate environment I would guess the CISSP would be the much better option.

Thanks a lot for the input, much appreciated.
This about sums up what I came to conclude when comparing the two certs.

@21y4d said:

Future Plans

I’ve been working on OSWE for quite some time, and have some ideas for my next step. Eventually, I’m thinking about going deep into OS/Binary exploitation, with: PACES, GXPN, OSCE, and OSEE. If anyone took OSCE and any of the others “GXPN, OSEE, PACES”, I would love to hear your feedback on how to prioritize them.

Hi,
what is PACES? My google-fu must be lacking because I can’t seem to find anything about it.

@Zwm8e said:
@21y4d said:

(Quote)
Hi,
what is PACES? My google-fu must be lacking because I can’t seem to find anything about it.

It is the newest red team lab from Pentester Academy. The certificate is not that useful, but the lab seems to be excellent for domain exploitation, and the courses are excellent as well.

Many thanks for the review! I’m considering to take AWAE myself and any thoughts from people who have done it are useful in assessing whether it is worth the effort.

So far I have OSCE, OSCP, CISSP and ISO27001 LI. It sounds like AWAE is structured pretty much the same as CTP (the course that leads to OSCE). You probably won’t be as impressed about the up-to-dateness of the materials on CTP, but I felt it gave me a great starting point to get into exploit development. Like AWAE it won’t be hugely useful if you mostly do black-box engagements and don’t have much time allocated for exploit development, but it at least teaches you hands-on the basics of the exploit development part.

CISSP is great for getting a basic understanding and big picture of pretty much every domain in information security from regulation to physical access controls. There’s a saying that the knowledge of a CISSP is “mile wide, but only inch deep”, which has truth in it. It can give perspective on business risk management to a pentester and help communicate the risks better, but in practice it’s most beneficial for non-pentesting security auditors, ISMS consultants and security managers. I did the exam a few years ago and it has most likely changed from what it used to be, but I dare to say it will be much less of an effort than the OffSec certs you have done. Of course it requires a different type of capability to learn (less hands-on and more about understanding what you have read and what is exactly being asked).

Commenting so that I can easily come back to this post in the future if/when I decide to get my OSWE. Love your reviews, thank you!

@21y4d Fantastic guide. This is spot on. I finished my AWAE exam a few weeks ago and this is some great advice.

For @d1ss0 The AWAE (OSWE) is a very difficult exam. It is a departure from the “normal” exams. I have OSCP, OSCE, GXPN (and now OSWE). OSCP, OSCE and to some extent GXPN are very “exploit” focused. You’re writing code or running exploit code generally based on a well known exploit or misconfiguration.

In this exam there are no Exploit-DB searches that will help you find the issues with the code. You really need to understand how the applications/websites they give you work. Follow the flow and then identify potential issues to exploit. In all cases (the course and exam) you’re given the code (or can determine where to get it). The trick is to distill what may be tens of thousands of lines of code and hundreds of linked libraries into high-probability targets of opportunity. Then examine those.

A few (hopefully helpful) hints:

  • Don’t get tunnel vision. There is a lot of code to look at; try not to get fixated on one part.
  • Keep in mind this is NOT OSCP or HTB. You’re not always looking to get admin and rule the world. Sometimes you can achieve the goal with what you have.

Gridith

@d1ss0 said:
Many thanks for the review! I’m considering to take AWAE myself and any thoughts from people who have done it are useful in assessing whether it is worth the effort.

So far I have OSCE, OSCP, CISSP and ISO27001 LI. It sounds like AWAE is structured pretty much the same as CTP (the course that leads to OSCE). You probably won’t be as impressed about the up-to-dateness of the materials on CTP, but I felt it gave me a great starting point to get into exploit development. Like AWAE it won’t be hugely useful if you mostly do black-box engagements and don’t have much time allocated for exploit development, but it at least teaches you hands-on the basics of the exploit development part.

CISSP is great for getting a basic understanding and big picture of pretty much every domain in information security from regulation to physical access controls. There’s a saying that the knowledge of a CISSP is “mile wide, but only inch deep”, which has truth in it. It can give perspective on business risk management to a pentester and help communicate the risks better, but in practice it’s most beneficial for non-pentesting security auditors, ISMS consultants and security managers. I did the exam a few years ago and it has most likely changed from what it used to be, but I dare to say it will be much less of an effort than the OffSec certs you have done. Of course it requires a different type of capability to learn (less hands-on and more about understanding what you have read and what is exactly being asked).

Thanks for the info on CISSP. It seems like CISSP is the way to go, but since I’m more focused on red-teaming, I fear it might take a lot of my time on something that might not be directly useful for my work. I think it will definitely be useful for the future, though.

And as for CTP, that’s why I’m postponing it for now. I have been practicing advanced exploit development lately, including advanced heap and kernel exploitation, which are taught in OSEE.
From what I see in the CTP syllabus, it seems very outdated, and it might be better to wait for a new update for the course, similar to the OSCP one.
Now that both OSWE and OSCP are 2019+, I assume this should be the one to be updated next.

@Gridith said:
@21y4d Fantastic guide. This is spot on. I finished my AWAE exam a few weeks ago and this is some great advice.

For @d1ss0 The AWAE (OSWE) is a very difficult exam. It is a departure from the “normal” exams. I have OSCP, OSCE, GXPN (and now OSWE). OSCP, OSCE and to some extent GXPN are very “exploit” focused. You’re writing code or running exploit code generally based on a well known exploit or misconfiguration.

In this exam there are no Exploit-DB searches that will help you find the issues with the code. You really need to understand how the applications/websites they give you work. Follow the flow and then identify potential issues to exploit. In all cases (the course and exam) you’re given the code (or can determine where to get it). The trick is to distill what may be tens of thousands of lines of code and hundreds of linked libraries into high-probability targets of opportunity. Then examine those.

A few (hopefully helpful) hints:

  • Don’t get tunnel vision. There is a lot of code to look at; try not to get fixated on one part.
  • Keep in mind this is NOT OSCP or HTB. You’re not always looking to get admin and rule the world. Sometimes you can achieve the goal with what you have.

Gridith

Excellent comment!

This is a great writeup. Just started my OSWE labs a couple of days ago and not really sure how to approach it from a learning perspective but your post has helped tremendously. Thanks for this 21y4d!

Is the “sourceCode” box approved yet? Can we get an ETA on that?

Thanks for all the useful information. Waiting for your sourceCode box, this will be really useful.

@gLpona @Mouna

sourceCode was submitted 7 months ago, and almost all current live boxes were submitted after it, not to mention the unreleased ones.

I know many of you are looking for sourceCode to practice for OSWE, but it’s completely out of my hands, and it’s up to HTB to decide when to review it.

I am very confident that once it gets reviewed, it’ll be accepted, but Insane boxes tend to be delayed due to their complexity.

You can shout out to @egotisticalSW if you want to urge HTB to release it soon.

@21y4d said:

@bansheepk said:
That was an excellent review, many thanks! As an actual AWAE student I am feeling that dotnet is a weakness of mine. I need to improve my dotnet code review skills and mainly understand how dotnet url mappings work. If you have any reference to suggest me it would be very appreciated. I have not found good free content about it yet. I am also waiting for your box release so I can practice more. Congratulations!

Thank you…

If you meant general code review, there’s one reference that might be good, chapter 19 in the Web Application Hacker’s Handbook.

However, you would still have to practice going through huge code “I’m talking hundreds of thousands of lines”, and find techniques to quickly identify what you are looking for.

As for .Net, I suggest watching these two videos about C# from Mosh:
https://youtu.be/gfkTfcpWqAY
https://youtu.be/E7Voso411Vs

Once you have a general understanding of the language and how its web apps are built, you should be able to understand the code flow and functionality, and can start practicing code review.

Did you feel the 1 hr demos were enough or is the full udemy course a “must know”?

It’s a wonderful description. Thanks!

@imag1ne It depends on your knowledge of programming languages and C in general. The Udemy course would be for those who want to start developing in C#, while you only want to be able to read and fully understand the code, how it works, and identify potential issues.