As per normal, I will write my reflection in English first, and then in Chinese once I have time. (in the near future, I promise)
I started the OSWE exam at 9am, 1/16/2021, submitted my exam report at 5pm, 1/17/2021, and got an email informing me that I had passed the exam at 5pm, 1/18/2021. They took only one day; compared to my OSCP/OSCE timeline, that is a really big improvement.
Long story short, I purchased the AWAE course with one month of lab on October 29th at the price of 1400 USD, and Offsec started the AWAE sale on November 23rd at the price of 999 USD… SAD
Anyway, I scheduled my course to start right after my last final exam of the semester so that I would have a full month for full-time preparation, which turned out to be just enough for me.
I started my AWAE course on 6th December, and then went straight to watching the videos. After watching the videos for one module, I would follow along with the videos and try things out in the lab. For every module, I spent 2 days on average; some modules took less/more time. For example, for .NET, I spent around 4-5 days to understand deserialization and its exploitation techniques, and for the atmail/atutor modules, I spent 1 day on each since I already had some prior knowledge of PHP.
Attempting every extra mile is strongly encouraged, but if you find yourself completely clueless, you might want to check the forums to take a look at the pitiful number of forum threads, or post questions in the Rocket.Chat app (it is a community chat platform where you can connect, collaborate, and chat with other students and the Offsec staff, which is much more active and responsive than the Offsec forum).
If you still can't solve it, you should just let it go. You will realize the let-it-go mindset might be critical in your later OSWE exam; otherwise, you might be too easily trapped in a rabbit hole.
Being familiar with one scripting language (preferably Python in my opinion) is really important. At the very least, you should be familiar with one of the HTTP request handling libraries, e.g. Requests for Python. Being able to craft PoCs/exploits is important, especially in the OSWE exam, when you have limited time, so you need to write some scripts to verify your guesses. But if you attempt all the exercises in the AWAE course, including the extra miles, you should have just enough practice for it. You will be provided with all the scripts shown in the course material, but you can still write your own to deepen your understanding of the concepts and techniques.
There are a lot of resources online; just google OSWE preparation and you will find a bunch of them, but bookmarking all of them does not guarantee you a pass in the exam.
At first, I didn't plan to take the exam right after my lab ended, simply because I felt that I needed more practice. My lab ended on 6th Jan, and my internship started on 11th Jan. After two days of the internship, I realized that practicing more for OSWE was not realistic for me as I didn't have much time, and I would probably forget all I had learned in the AWAE course. So I quickly booked the nearest exam slot that was possible for me to take, which was 9am, 16th Jan.
I am not sure what I can share about the exam, so I will just recall what I experienced on the actual OSWE.
I started off with the machine that I thought I was more confident with, but could not get anything out of it in the first four hours, nothing. So I decided to have my lunch and take an hour's break. After the break, I continued to work on that machine, and still could not find a way to bypass it. I tried everything: I looked up the GitHub commit history of the third-party library which provides the defence mechanism, hoping to find any security-related issue; I even dug into the PHP source code (the one written in C), hoping to find any slight loophole which would allow me to bypass that very restriction, but nothing. I was able to find all the other vulnerabilities leading to RCE after the stage of authentication bypass, but I could not find the vulnerability for the auth bypass. (For A -> B -> C -> D, I had found B -> C -> D, but I was missing A -> B, which made my finding of B -> C -> D pointless.)
I finally gave up on that, and decided to take a look at the other machine after 7 hours of being empty-handed. I was a bit panicked and regretted taking the exam so recklessly. However, the other machine was quite easy for me; I was able to spot all the vulnerabilities I needed, and I got a shell on my target machine in 2 hours. I finished writing the full-chain automated exploit script in another hour.
With 50 points in hand, I decided to have my dinner and rest for a while. My brain was drained. I sat back in front of the camera at 9pm and worked on my first machine.
I decided to revert my debugging machine (I had added numerous var_dump statements for debugging purposes), read through the code in every file, and skip the part I was initially trying to bypass, assuming it was a rabbit hole. I finally managed to find a possible loophole, and a few lines of PoC proved my guess. After that, I decided to disconnect from the VPN and go to sleep first, since I had found all I needed and I was sure that I could solve this machine in a few hours.
I woke up early (around 7am?) the next day and continued working on my first machine. I got a shell on the target machine in one hour and finished writing the full-chain automated exploit script in another hour. After I had solved both machines, I decided to have my breakfast and take a rest on the sofa for a few hours. I sat back in front of the camera after lunch and started to write my exam report. I completed my exam report at 5pm.
And I got an email from Offsec telling me that I had got my OSWE after another 24 hours, which signified the end of my OSWE journey.
I had a little code auditing experience beforehand, and I am not sure how applicable the skills I learned in this course are to actual work, since I have never done source code review jobs in my actual work. But I hope it is useful.
Offsec has decided to make the AWAE/OSWE sale price permanent (which they claimed is to make web app security training affordable). However, they have stripped the option of the course with a one-month lab, which I think is just enough for me (doing preparation in a full-time manner).
You can check the current price at https://www.offensive-security.com/awae-oswe/
And the sale price during December at https://web.archive.org/web/20201213072739/https://www.offensive-security.com/awae-oswe/
I don't have money/time for any more Offsec certificates in the foreseeable future. (Unless anyone is willing to sponsor me to do it, either OSEP or OSED.)
There are no hints/tips for people intending to take AWAE/OSWE, as I myself didn’t prepare well for it. All I can suggest is simply
Personally, I think being familiar with/proficient in one scripting language is very important for this course. (Python is the GOAT.) Then, you need to be proficient with the libraries for handling HTTP requests (for example, Python's requests library). Being able to quickly write a PoC to verify your own ideas is important, especially in a time-limited situation like OSWE; if you keep getting stuck on writing the PoC, your morale will most likely collapse. If you have done all the exercises in the AWAE course, including the extra miles, you have practiced pretty much enough. Actually, the scripts used in the course videos are all provided to you, but of course you can choose not to use them and write your own as practice.
A -> B -> C -> D, I had essentially found B -> C -> D, but I just couldn't find A -> B, so the B -> C -> D I had found was of no use at all)