Robel Campbell

Robel Campbell

Reverse Engineer, Exploit Developer OSEE,OSCE3,OSED,OSEP,OSWE, OSCE,OSCP,GREM

AWAE/OSWE Review

3 minute read

image

After a bit of a hiatus from studying for certifications, I became interested in the new certification bundle by Offensive Security. The new OSCE3 is obtained by passing OSWE, OSEP, and OSED. I am already an OSCE but it’s outdated now and I felt the need to get the new one since I like to stay relevant and I’m up for the challenge.

image

Fortunately, my employer paid for the bundle and I decided to start with AWAE (Advanced Web Attacks and Exploitation) which comes with an exam voucher for the OSWE (Offensive Security Web Expert).

At this time in my career I had a pretty solid foundation in web application hacking through bug bounties, however, I felt that I needed a more in-depth understanding and I wanted more experience in white box testing i.e source code review. AWAE takes the white box approach to hacking a web application and takes it from authentication bypass to remote code execution.

Prep

Before starting the course, I used Z-r0crypt’s blog which has a solid listing of resources to go over before and after the course.

The Course

I felt the course was well put together. It provided clear and concise instructions and explanations on the approach to white box testing. I have read other reviews that expressed a desire for more instruction on how to find vulnerabilities rather than just exploiting them but I felt the way the course approached each case study was sufficient enough in developing my own methods.

There is no need for me to dive into what the course teaches as anyone can tell by reading the syllabus.

In all, it took me about 3 weeks to get through the material with a full-time job, wife, 22-month-year-old and having another baby in the middle of it. This was just my experience and I am by no means claiming this can be achieved by anyone.

The Exam

My original plan for the exam was to casually take it to get a feel for it and not worry about failing. Since having a new baby, I knew it would be darn near impossible to take a 48-hour exam, however, my wife’s mother stayed with us for a week and I was able to “get away” for a couple days (I promise I am a good father). Moving on…

I was presented with a couple of target web applications and specific instructions on how to obtain the full amount of points for each. The first target wasn’t too bad but still took me about 12 hours to finish. (NOTE: Make sure you are taking all your notes as you go) The second target was a bit of a different story and took me much longer to find the initial vulnerability. Eventually, I wrapped up all the points with at least 12 hours to spare. It was around 2:00 A.M. when I finished gathering all my screenshots and refining my notes. I wrote the report the next day. In all it was about 40 pages.

Tips

  • Stacktrac3’s blog has some good nuggets for what to look for and how to go about doing it. You should think about what it is you are trying to accomplish and focus on the code that handles that functionality.

  • You do not have to venture out much for techniques, as everything you need to pass the exam is in the course material. Just make sure you know one scripting language well and its web request library. This leads me to my next point…

  • Make sure you take really good notes during the course and document/backup all of your proof-of-concept code. I used One Note for my note taking but recently started using Obsidian (using it for ETBD/OSEP right now) and I like it a lot better. I ran a script from my Windows host machine through WSL that copied all work files from my Kali instance, zipped it up and saved it on my One Drive using scp. This is just in case your Kali vm crashes and you lose all your work. Below is the script I made:

#!/bin/bash

while :
do
        scp -r kali@kali:~/awae "/<destination path>";
        tar -cvzf "/<destination path>/awae_zipped.gz" --remove-files "/<destination path>/awae";
        sleep 1h
done

Additional Resources

regex101

Python Requests Library

Security Knowledge Framework

SQL Injection Cheat Sheet

Blind SQL Injection

CVE-2016-2555

Conclusion

I know some reviews go into much more detail but I really just wanted to share a few tips and resources I used for this exam. I hope this was informative and helped someone with their studies.

If anyone needs more info, advice, or mentoring, please don’t hesitate to connect with me on LinkedIn and/or email me.

God bless

You May Also Enjoy

Windows PE Malware Analysis Part IV

8 minute read

Overview In Part III we learned how to use x32dbg and performed code analysis on our malicious specimen which uncovered several indicators of compromise. We ...

Windows PE Malware Analysis Part III

7 minute read

Overview In Part II we concluded our static analysis by becoming familiar with IDA Pro and using it to confirm one of our previous findings and to examine ob...

Windows PE Malware Analysis Part II

12 minute read

Overview In Part I we conducted static analysis using basic tools and techniques on a malicious Windows portable executable and came up with several findings...

Windows PE Malware Analysis Part I

10 minute read

Introduction In this article I will be examining a Windows executable malware specimen. Based on a couple reports from automated malware sandboxes, the spec...