OSWE Exam review “2020” + Notes & Gifts inside!

@d1ss0 said:
Many thanks for the review! I’m considering to take AWAE myself and any thoughts from people who have done it are useful in assessing whether it is worth the effort.

So far I have OSCE, OSCP, CISSP and ISO27001 LI. It sounds like AWAE is structured pretty much the same as CTP (the course that leads to OSCE). You probably won’t be as impressed about the up-to-dateness of the materials on CTP, but I felt it gave me a great starting point to get into exploit development. Like AWAE it won’t be hugely useful if you mostly do black-box engagements and don’t have much time allocated for exploit development, but it at least teaches you hands-on the basics of the exploit development part.

CISSP is great for getting basic understanding and big picture of pretty much every domain in information security from regulation to physical access controls. There’s a saying that the knowledge of a CISSP is “mile wide, but only inch deep”, which has truth in it. It can give perspective on business risk management to a pentester and help communicate the risks better, but in practice it’s most beneficial for non-pentesting security auditors, ISMS consultants and security managers. I did the exam few years ago and it has most likely changed from what it used to be, but I dare to say it will be much less of an effort than the offsec certs you have done. Of course requires different type of capability to learn (less hands-on and more about understanding what you have read and what is exactly being asked).

Thanks for the info on CISSP. It seems like CISSP is the way to go, but since I’m more focused on red-teaming, I fear it might take a lot of my time on something that might not be directly useful for my work. I think it will definitely be useful for the future, though.

And as for CTP, that’s why I’m postponing it for now. I have been practicing advanced exploit development lately, including advanced heap and kernel exploitation, which are taught in OSEE.
From What I see in the CTP syllabus, it seems very outdated, and it might be better to way for a new update for the course, similar to the OSCP one.
Now both OSWE and OSCP are 2019+, I assume this should be the one to be updated next.

@Gridith said:
@21y4d Fantastic guide. This is spot on. I finished my AWAE exam a few weeks ago and this is some great advice.

For @d1ss0 The AWAE (OSWE) is a very difficult exam. It is a departure from the “normal” exams. I have OSCP, OSCE, GXPEN (and now OSWE). OSCP,OSCE and to some extent GXPEN are very “exploit” focused. You’re writing code or running exploit code generally based on a well known exploit or misconfiguration.

This exam there are no exploit-db searches that will help you find the issues with the code. You really need to understand how the applications/websites they give you work. Follow the flow and then identify potential issues to exploit. In all cases (the course and exam) you’re given the code (or can determine where to get it). The trick is to distill what may be 10’s of thousands of lines of code and hundreds of linked libraries into a high probability targets of opportunity. Then examine those.

A few (hopefully helpful) hints:

  • Dont get tunnel vision. There is a lot of code to look at try to not get fixated on one part.
  • Keep in mind this is NOT OSCP or HTB. You’re not always looking to get admin and rule the world. Sometimes you can achieve the goal with with you have.

Gridith

Excellent comment!

This is a great writeup. Just started my OSWE labs a couple of days ago and not really sure how to approach it from a learning perspective but your post has helped tremendously. Thanks for this 21y4d!

Is the “sourceCode” box approved yet? Can we get an ETA on that?

Thanks for the lot of useful information. Waiting for your sourceCode box, this will be really useful.

@gLpona @Mouna

sourceCode was submitted 7 months ago, and almost all current live boxes were submitted after it, not to mention the unreleased ones.

I know many of you are looking for sourceCode to practice for OSWE, but it’s completely out of my hand, and it’s up to HTB to decide when to review it.

I am very confident that once it gets reviewed, it’ll be accepted, but Insane boxes tend to be delayed due to their complexity.

You can shout out to @egotisticalSW if you want to urge HTB to release it soon.

Type your comment> @21y4d said:

@bansheepk said:
That was an excelent review, many thanks! As an actual AWAE student I am feeling that dotnet is a weak of mine. I need to improve my dotnet code review skills and mainly understand how dotnet url mappings work. If you have any reference to suggest me it would be very appreciated. I have not found a good free content about it yet. I am also waiting to ur box release so I can practice more. Congratslilations!

Thank you…

If you meant general code review, there’s one reference that might be good, chapter 19 in the Web Application Hacker’s Handbook.

However, you would still have to practice going through huge code “I’m talking hundreds of thousands of lines”, and find techniques to quickly identify what you are looking for.

As for .Net, I suggest watching these two videos about C# from Mosh:
https://youtu.be/gfkTfcpWqAY
https://youtu.be/E7Voso411Vs

Once you have a general understanding of the language and how its web apps are build, you should be able to understand the code flow and functionality, and can start practicing code review.

Did you feel the 1 hr demos were enough or is the full udemy course a “must know”?

It’s a wonderful description. Thanks ?

@imag1ne it depends on your knowledge of programming languages and C in general. The udemy course would be for those who want to start developing in C#, while you only want to be able to read and fully understand the code, how it works, and identify potential issues.

I spent a long time waiting for a code review box, and your box was rejected, bad news

Hi @21y4d
Since the box is rejected, would you publish it on vulnhub or somewhere?
Or is there any other chance to try and re-submit it on HTB?

It would be nice to publish the box in a git repository or in vulnhub, if u do so, pleaso let me know @21y4d , I really need to practice my code review skills, I have finished my oswe exam a few minutes ago and failed by the third time, and I didnt just failed, I actually had 0pts, I looked “everything” but everything looked like very well defended, I couldnt find any vulnerability in none of the machines, if u provide me this chance to practice I would really appreciate.

it’s now september, @21y4d looking forward to the source code box! Possible to upload it anywhere else besides htb?

Type your comment> @NoPurposeInLfe said:

it’s now september, @21y4d looking forward to the source code box! Possible to upload it anywhere else besides htb?

+1

Type your comment> @NoPurposeInLfe said:

it’s now september, @21y4d looking forward to the source code box! Possible to upload it anywhere else besides htb?

+1

Great Stuff!! Thanks a ton!

I started this course AWAE today.
It looks like it will bring my programming skill to the next level as well as gaining more knowledge about web application vuln/exploitation.

@21y4d please let us know if you decided to upload the box on other websites (e.x vulnhub).

Type your comment> @GPLO said:

Thanks for this excellent information! Nowhere near that level of knowledge yet but it was interesting to read nonetheless. One small note: you might want put a small spoiler warning before the “Exam Preparation Plan” since you’re disclosing the attack vectors for some of the machines.

I posted this about 1.5 years ago. Just wanted to say that I have since earned my OSCP and OSWE :smile:

why i clicked in im now dizzy as f D:

@GPLO congrats!
so far no idea what techniques you ppl are talking about but yay i get a box list thanks for that!
(i think my brain is too smooth spoilers just slide right off, but for the same reason i can just check out forum thread on insane box and be amazed what’s out there)

this is a test