Once again I am victorious! Being completely transparent, passing that exam was hard – there were periods that totally made me doubt myself. During these times all the blogs you’ve read about people failing multiple time begins to resonate with you. Thoughts such as “who the hell do I think I am to not experience the same” start to creep up. Many people assume since I have a number of certificates that maybe the process is somewhat trivial or that I’m some super smart genius. That is 100% false. It’s a grind, a fight and a constant mental battle. The only difference for me is I have been through so many battles that I can more easily block out the noise, not let it totally consume me and rely on previous successes for confidence. This still takes effort though.
Before we start, there is no way I can provide better information on how to pass the exam than what’s already publicly available. That’s all included in the bookmark section. If you don’t care about the journey feel free to skip to the exam & methodology sections. I never try to give the best because best is subjective, relative and in most aspects I’m still a student. I attempt to provide what I felt was missing from most blogs I read when attempting to study. The context – the thoughts, feelings, emotions and situational metadata most authors never include. So let’s begin with that.
I never pursue certificates for job promotion, advancement or anything besides enhancing my personal knowledge. Therefore it’s never any pressure on me. Besides the kind that’s self injected. It’s all for the love of learning security and its related disciplines. So If you’re the type who brute forces exams and doesn’t really care about the knowledge gain you’re probably not going to like it here. You’ll get (some) technical details sure, but it won’t be an exam dump thanks-goodbye post. That’s not the point. There’s nothing wrong with trying to put yourself in a better position but you should be driven solely by passion. That behavior waters our field down – you’ll meet folks with certificates abc-xyz who can’t think or speak beyond basics. To each’s own.
Why Go After OSWE
What makes a man go after any certificate it seemed like beautiful pain. I hope no one has forgotten that I obtained CISSP at the beginning of the year, Certified Cloud Practitioner, Certified Solutions Architect, and Security Specialty AWS certificates towards beginning of the summer. I didn’t plan on any of this I just identify areas where I’m weak and find the best certificates to try to bridge the gap. I couldn’t take it anymore in June, after aimlessly doing nothing for a whole week. I justified purchasing a new course as a birthday gift to myself how pitiful I know.
I don’t perform any exploit development, penetration testing or malware reversing for work (90% of this blog). I learn them for fun and to understand the more difficult domains of security. Work is mainly Application Security – so this was one of the rare times I found a certificate that actually aligned directly with what I do day-to-day. That’s not to say that those topics don’t contribute to me having a more intimate comprehensive understanding of security because they do.
I knew the course was mainly source-code review. I thought this was AWESOME since there’s not many white-box based courses vs. 1-million black-box counterparts. I figured because of this a large majority of folks would wash this course and certificate down the drain. Folks want to use their tools and get root If you’re a security professional and you run from source-code I can’t take you serious. If you can only leverage tools written by others and not develop your own you’re going to severely limit yourself. That’s one thing, maybe more important for web application security professionals – the vulnerabilities occur in the source-code they just manifest themselves in the applications, the exploits that take advantage of the vulnerabilities need to be developed in some source language. The point is we all need to be comfortable and at-home at the source level. We’re more valuable to our teams, developers and the organizations we defend.
You need to register for the course well before you anticipate starting. The slots fill up pretty fast. The same goes for registering for the exam. I registered on June 29th and the first available lab date was July 11th which I accepted and anxiously awaited. I decided to do 90-days of lab time since I already did the other certificates I planned to slow roll this one and if possible, pass the exam by end of year.
If you are not familiar with Offensive Security courses at the exact time your lab is set to begin you’ll receive an email with your VPN credentials, course PDF, and a link to download the videos that go alongside the PDF. Some people are religious about the order in which they prepare whether it’s video first, PDF first. Personally for me I watch the videos for the entire module once and then replicate using the PDF as reference, if needed. Since the videos tend to be more verbose.
Along with the materials, once connected to VPN you get your Control Panel to revert machines. Unique to this course, you’re provided with a WIKI. It contains the list of machines in your lab, their IP addresses and credentials. In addition to that you’re provided with skeleton code for most of the exploits throughout the different modules. Thanks offsec! I would recommend you write it all out by hand and never touch these.
I start the lab and 5 days later guess what? The course gets updated! I get an additional 30 days of lab time for free. Talk about positive vibes!
Prior To Upgrade
The PDF was 267 pages, the videos and included 6 modules.
After The Upgrade
The bulked-up PDF was now 412 pages, included the original 6 modules, 3 additional lab machines with more modern vulnerabilities and exploitation techniques, and 3 machines with no solution purely provided for exam preparation. Of the new 3 lab machines 2 were white-box and 1 was black-box. That’s slightly incredible to receive seemingly 50% more content essentially On the house. I welcomed it with open arms.
Throughout the lab you’ll become one with all sorts of SQLi’s – union-based, time-based, boolean-based, mysql flavor, postgres flavor. Authentication bypasses using session hijacking & session riding will become natural, XXE’s, SSTI’s, deserialization, file upload bypasses and others. You’ll find a variety of languages including Java, PHP, Node.js, Python, C# and Web Frameworks to analyze and get comfortable with. For the compiled languages you’ll learn techniques to recover the original source-code. They’ll drill the importance of database query logging and how to set it up with the many databases throughout the course.
The difference in this course is the perspective and mindset to which you approach finding the vulnerabilities. They’re all impossible to discover purely from a black-box perspective, you won’t be throwing a vulnerability scanner at any of these boxes to find anything, sqlmap will not work (not allowed in exam anyway)! Run nikto, gobuster (or any other kali tool) if you want but it’s useless. You need a healthy combination of brainwork, understanding sources to sinks, routes and controllers. Become comfortable understanding code flow and lots of it. Following the lab guide and videos there are still modules that take multiple days to grasp and over a week to replicate. It’s a marathon not a sprint.
Losing Steam and Yolo’ing It
I was super motivated initially (month 1) putting in like 3-4 hours weekdays and 8+ on weekends. Life happens and you naturally start to lose steam. That’s why I typically troll Reddit for Discord groups with others studying for same or similar certificates. Because you’re not always going to be motivated and having others locked-in keeps you accountable and in the game. There will always be folks to bounce ideas off of, rant and cry to. Probably the most special part is just having friend across the globe that love the same thing as you. Once you have enough friends it’ll be impossible to slack because you’ll have friends in all time zones during breakfast, lunch, dinner and while you sleep to exchange knowledge with. Greetz to all my boys in the Discord server mentioned below.
Towards the beginning of October (month 3) I found myself skipping the lab completely for 3-4 days at a time. It was easier to to say whatever. My original exam date was October 30th and I felt like this exam was consuming me way too much and I was in the lab for way too long. I developed my methodology discussed below, rescheduled the exam for a week earlier 10/24 at 10:00 EST.
I had completed the entire lab twice (excluding the 1 black-box machine from the updated materials) I honestly watched the videos 3 times and still didn’t really grasp how I would have been able to achieve such madness start to finish and wrote it off as not needed. The 2nd time through the lab I took detailed notes – what were the high level steps to achieve authentication bypasses, what did I exploit to get RCEs, what was the syntax of the commands I used, what did I screw up on or miss that I should be on the lookout for if I come across similar situation. Lots of times I make snarky comments reminding myself how much of an idiot I am. It helps make things stick.
2 Weeks Before Exam
During the last 2 weeks I decided to give the 3 boxes without solutions a shot. It was a fight (struggle) but I managed to get RCE on both maybe in like a week and a half. I can remember going an entire weekend stuck and making no progress on one. Those were hard but it’s a shift in your mindset. You gain this fake confidence in the lab since you can simply look at the PDF & videos and you say to yourself , “I knew that or I would have been able to figure that out”. With no solutions your are on your own and at the mercy of your own brain. Again, like the black-box from the lab the black-box with no solutions was a brain fu*k. I got the authentication bypass but didn’t want to waste my remaining time on a exam for source-code review worrying about wicked black-box exploits. Not sure why they included these – I guess it’s to supplement those who don’t have experience analyzing from black-box perspective since in white-box you tend to leverage both. You see an input field or parameter that looks suspicious, find the method in the source-code responsible for processing that input then follow it to see if it’s sanitized or used in an unsafe way. If those black-box boxes (say that a few times fast) don’t make you sweat – you’re much more 1337 than I am!
Enter The Exam
I have been working on my zin a bunch lately. I spend absolutely zero energy on events I can’t control (weather, politics, someone’s thoughts of me, etc). I spend majority of my energy on things I have full control of (thoughts, discipline, being thankful, positive outlook). Finally there’s things that I don’t control fully but have some control of (certification exams). For these I shift my goal not to passing but giving my absolute max, trying my best and if I come up short I still achieve my goal. This reduces negative emotions like anxiety and regret.
So it is the Friday evening before the exam and I’m pumped. I’m excited to have a chance to perform. I really only judge myself when I’m facing challenging situations. It’s when your back is against the wall that determines your resiliency not when things are rosy. I’m a little nervous for the unknown, the shock factor. My only hope was that when I gained access to the exam that it didn’t feel like I had been studying for a different certification.
Day1 – 04:30 a.m – I get out the bed since my mind has been racing for a half hour already. I watched the lab videos of exercises I thought were relevant. Ensured my notes were organized once more and wrote myself some positive notes in size 50 font bolded. The time was dragging but I used it wisely. My fear at this point is that I’m going to get sleepy during the day since I woke up so early, but so be it.
Day1 – 09:45 a.m – I sign into the proctoring software, verify my credentials, display my workspace, and share my screens. I can’t provide specific details here but after connecting to the exam VPN I was provided 2 web application and their source-code. The Control Panel provided details and instructions on how to access each, the point breakdown and what constituted successful compromise. The proctor has no audio, you’re able to communicate with them via chat and your webcam is on at all times. I had been through the exam guide and proctoring manual maybe 15 times before this moment. You definitely don’t want to have IT issues the day of your exam.
Day1 – 10:00 a.m – I’m off to the races. I went to the homepage of the first application to see what type of application it was then directly to the source-code. My brain is firing on all cylinders but there’s a LOT of code. Connect the dots. I got the authentication bypass at 18:53. At this point I’m thinking, “Damn I might fail this based off running out of time”.
Box-1 Authentication Bypass Complete (8hours 53 Minutes)
Did I mention I had PRK eye surgery a week before the exam? It’s like the precursor to LASIK but more stable and permanent. This is significant since folks typically want to know how often you took breaks. I was taking medicated eye drops every 4 hours, rewetting drops every hour, and every half hour I’d have to look away for at least a minute to focus on objects far away so I didn’t hurt the recovery of my eyes. I took one break of 30 minutes to eat in that time to get the first authentication bypass.
Day1 – 10:00p.m – Things are hazy and waking up so early is beating me up right now. I know exactly what I have to do and I’m trying but it just won’t work. I’m making stupid scripting mistakes and wasting time on silly things being tired. I take a small break and promise myself I will go to sleep if I can get the RCE.
Day2 – 12:00a.m – I get the RCE and fulfill my promise. I feel okay now since I think I started with the tougher application and it took me around 14 hours start to finish. Off to sleep.
Box-1 RCE Complete (14 hour 15 minutes)
Day2 – 04:00a.m – What is up with me and 4 am but anyway that 4 hours felt marvelous and I felt like a tiger waking up! Very motivated. I put on the tea kettle to make myself some ginger tea, notify the proctor I’m back sit back down and lock back in.
Box-2 Authentication Bypass Complete (29 hours 53 minutes)
Day2 – 2:23p.m – I noticed the authentication bypass for this one in less than a half hour. Noticing it and pwning it are totally distinct things. I got the authentication bypass at 14:23. Yes. Imagine knowing what to do and it taking 9-10 hours. The good thing about the second box was I discovered the RCE while doing reconnaissance for the authentication bypass.
Box-2 RCE Complete (33 hours)
Day2 – 05:00p.m – RCE done! Although I have all the points now I also have a very important upcoming week at work and although I could wait until tomorrow (Monday) after work to write the report my exam time expires at 10am Monday. I take a break, eat dinner and start to write the report.
Writing The Report
Day2 – 7:00p.m – I had been taking screenshots throughout but I noticed how much I didn’t grab when I started to go through the sections of Offensive Security’s exam template. TRUST ME .. TRUST ME you do not want to get lazy on the report after you’ve done the exam because they will fail you without hesitation! There are plenty of horror stories. Myself being a former penetration tester and have gone through a couple Offensive Security certificates before I understand the level of granularity they expect you to provide.
Along with the proofs and screenshots you should include your methodology to achieve compromise along with your attack code. I provided everything, what I was thinking, vulnerable methods, pitfalls, and all the other (relevant) things firing off in your brain during a 48 exam.
Day3 – 12:00a.m – I proofread the report with glossy eyes 4 times, completed the process of uploading the exam reports. After I got the confirmation email I went to bed.
I had to wait an entire 5 days from Sunday night -> Friday to receive my results that I had achieved the OSWE certification
Everything I’m about to mention is taught and reiterated throughout the course. What’s the point? During the exam you’ll need to absorb and internalize tons of new information. A methodology is a general approach that you can refer to when you hit a snag.
If you don’t know how to debug you are dead. You cannot pass without understanding how to debug properly. In interpreted languages adding print statements. In compiled languages actually stepping over/in methods examining objects, properties and values. Leverage all the techniques taught throughout the course.
- Examine unauthenticated areas of the source-code first
- Leverage Visual Studio Code Remote SSH Extension
- Understand the launch_json files in Visual Studio Code
- Examine the routes to see all the endpoints. Understand the authorization applied to each
- Review the controllers to understand how user input is handled by the application
- If possible, always enable database query logging
- DnsSpy to decompile .NET, JDGui for Java
- After checking unauthenticated areas, focus on areas of the application that are likely to receive less attention
- Investigate how sanitization of user input is performed. Is it done using a trusted, opensource library, or is a custom solution in place
- When auditing realize which code you can reach regardless of conditionals, loop
Potential Authentication Bypass Techniques
- Can we create a user account
- Can we leak hashed passwords, reset tokens an other information to aid in authentication bypass
- Broken Authentication
- Does authentication depend on private information that we can leak from DB using above
- Regular – Time Based – Boolean Based (examples and templates for each)
- PHP Type Juggling
- Reading Arbitrary Files w/ XXE
- XSS -> CSRF (Session Hijacking or Session Riding)
Potential Remote Command/Code Execution
- Code Injection (Eval – Node.js)
- Deserialization Bugs (Java .Net)
- Unrestricted File Upload
- User Defined Functions
- 3rd Party Frameworks & Libraries
- Client Side Attacks
- Reversing Authentication
- Brute Forcing Tokens
- JSP Web Shells
All the blogs that I used to study. Shoutout to all the authors! Thank you.
- GitHub – timip/OSWE: OSWE Preparation
- GitHub – wetw0rk/AWAE-PREP
- OSWE Exam review “2020” + Notes & Gifts inside! — Hack The Box :: Forums
- Nodejs RCE and a simple reverse shell
- How to exploit the DotNetNuke Cookie Deserialization – Pentest-Tools.com Blog
- Exploit CVE-2017-16088 – ༼ つ ◕_◕ ༽つ
- ManageEngine Applications Manager Deserialization Unauthenticated RCE · Application Security Blog
- GitHub – softwaresecured/secure-code-review-checklist: A starter secure code review checklist
- Mr. Me Blog
- PHP Dangerous function · rinku191/OSWE-prepration Wiki · GitHub
- SQL Injection and Postgres – An adventure to eventual RCE
- My AWAE / OSWE Experience | Dan Helton’s Blog
- Offensive Security Web Expert (OSWE) – Advanced Web Attacks and Exploitation – vesiluoma.com
- Deserialization – HackTricks
- POSTGRESQL CODE EXECUTION: UDF REVISITED | by AFINE | Aug, 2020 | Medium
Discord Server – https://discord.gg/EDsJkzz8tG
- Offensive Security provides you with everything you need to pass the exam but you will also learn new things during the exam
- I didn’t feel the pain folks were experiencing about latency. I did not touch their Kali instance
- Be ready to be rattled. Things aren’t in the regular places, named differently, paths are different. During the exam do not underestimate how much this can freak you out. Basic Terminal/Powershell System Administration knowledge is your friend – grep, find, writing regular expressions and locating processes
- Writing the POCs takes the most time since you need to script the entire exploit in one shot. Even with a developer background this took the most time. If Python is your language of choice be sure to know requests inside & out and in particular the session object!
- Setup local or remote debugging for each lab machine and script the entire exploitation in one shot. This means in one terminal
nc -nvlp <port>and in another
python main.py 192.168.1.1and you receive a shell
- Go through all the modules and where Offensive Security says, “after some time we zeroed in on this class” actually go through the entire result set and try to analyze it as if you didn’t know which class contained the vulnerability. In the course it’s easy to say, “Oh they only had 40 results I would been able to filter through those until it’s time to do that”
As long as I’m more knowledgeable than I was prior to starting the course I had a good time and positive experience. No course is perfect so I don’t knit-pick. Some things exceeded my expectation some didn’t. I would recommend the course since you can’t find any competing courses with the same focus. Thank you Offensive Security.
- Windows Kernel Programming by the awesome Pavel Yosifovich. I purchased this and really liked it but got caught up. I’m going to finish it this time!
- SANs 642 London December 2020 Shoutout to my boss! He kept a SANs voucher for me on ice which I graciously used the day after submitting my OSWE report #whatbreak
- I am waiting until the new Offensive Security Exploit Development course comes out early 2021. I’m more interested in that than the PEN-300 they just dropped.