Offensive Security Web Expert

My experience with the AWAE course and the OSWE exam

6 min read - 1079 words

Introduction

I passed the Offensive Security Web Expert exam in July 2020. Now, I would like to share my thoughts.

The Offensive Security Web Expert (OSWE) is the companion certification for the Advanced Web Attacks and Exploitation (AWAE) course. Previously, this was only available as on-site training during Black Hat in Las Vegas. Since 2019 this training is also available online.

An Overview of AWAE

For the AWAE I had 30 days of lab time. However, during the lab time was not able to take time to actually work on the lab. So, the lab time expired without me working much with the available machines.

However, I read the documentation and skimmed through the code base. Also, I did not complete the Bonus Exercises. The days before my exam I was a bit anxious.

Preparation

Have a basic understanding of programming languages, such as, PHP, Java, .NET, JavaScript. You should be able to navigate code comfortably and understand dependencies. The idea is to get a good overview and understand the underlying execution flow.

Furthermore, you should familiarize yourself with the OWASP Top Ten Web Application Security Risks. Each risk might have a different manifestation in different programming languages. With this knowledge it will be a piece of cake to identify a vulnerable code.

Consequently, familiarize yourself with auditing large code bases. Identify potential vulnerable functions can be as simple as a grep command.

Finally, you should be able to code a working exploit. Stick to your preferred scripting language. If you have the time, prepare a working template. With a good template up your sleeve you can concentrate on more important stuff during the exam.

Prior exam considerations

The first available slot for my exam was more than two months in the future. The start time was 3 am local time. Luckily, a few days prior to my exam a slot with a more reasonable start time just the following day was available. For the exam the student has got 48 hours to complete the tasks. Everything you can prepare prior to the exam frees up more time to work on the actual exam.

You will not be allowed to utilize automated tools. Consequently, sqlmap is not allowed to exploit an SQL injection. However, you might want to prepare your own tools for the exam. In the end, it’s all about efficiency.

During the exam do not forget to take breaks. Simply having a glass of water and stretching a bit worked quite well to loosen up. I tried to take a brief break every hour during the day. This way I was able to productively work for the next hour.

Also, if you are stuck with a certain point try to step back. Maybe work on another exam machine. Take a walk or a brief nap.

OSWE exam time

Basically, I started with mapping all the application paths. Creating a test account on the development machine might be necessary. With access to the database this is straight forward.

The initial application mapping quickly revealed an authenticated vulnerability on the exam machines. Exploiting those would provide access to the underlying server. However, they required a certain privilege level in the application. Consequently, the initial attack vector was also quite obvious.

Identifying the initial attack vector was not so straight forward. Based on the underlying programming language I was chasing a red herring for one machine. After realizing the dead-end situation, I switched to work on the other machine.

The underlying authentication bypass was easily identified. It also required a bit of coding, which was great to clear my mind. So, after finishing the exploit I was able to continue work on the other machine.

Taking a step back and reiterating the initial vulnerability discovery phase should prove to be the right idea. Initially, I had ignored a vulnerable function, because it did not seem to be reachable code. This assumption was quite wrong actually. Based on these new insights a working proof of concept was coded easily. Both exploits worked and I had about 12 hours of lab time left. I was relaxed and able to take a good sleep before finalizing the exploit code.

The next morning after resetting the machines the exploit for one system did not work anymore. After a brief period of panic and headless chicken mode my brain started working normally again. By that time, I was totally awake again. After some debugging, I figured out the underlying issue. Basically, a precondition had to be met that was not fulfilled on the newly reset machine. With the updated proof of concept code, the precondition could be fulfilled automatically.

After 48 hours I had discovered all the flags and cleaned up the proof of concept exploits. I pulled together the evidence to write the documentation and sent the documentation package shortly afterwards. As the instructions are quite detailed, I checked twice to correctly follow the defined steps.

After a few days I received a confirmation in my inbox:

We are happy to inform you that you have successfully completed the Advanced Web Attacks and Exploitation certification exam and have obtained your Offensive Security Web Expert (OSWE) certification.

Try Harder!

Personal Remarks

How difficult was the course?

Not very. Identifying the vulnerabilities was quite straight forward. However, I spent a few hours chasing a red herring.

What would you do differently?

I would definitely work on the lab. Also, I had to code some things during the exam. These could have easily been prepared prior to the exam.

Anything else?

I had a very slow RDP connection to the development machine. The lag sometimes reached up to 2 seconds. So, it was partially impossible to work with the system. As opposed to SSH access, which did not show any significant delay.

Would I take the course again?

Absolutely! The focus here is definitely on white-box testing. Being able to exploit a web application based on deep understanding of the source code in a strictly limited time frame.

What advice would you give?

Try harder!

References

PHP

SQL Injection

Deserialization

Exploitable Functions

Further References/Reviews