As usual, I will write my reflection in English first, and then in Chinese once I have time (in the near future, I promise).

I started the OSWE exam at 9am on 1/16/2021, submitted my exam report at 5pm on 1/17/2021, and got an email informing me that I had passed the exam at 5pm on 1/18/2021. They took only one day; compared to my OSCP/OSCE timeline, that is a really big improvement.

Background

Long story short, I purchased the AWAE course with a one-month lab on October 29th at the price of 1400 USD, and Offsec started the AWAE sale on November 23rd at the price of 999 USD… SAD

Anyway, I scheduled my course to start right after my last final exam of the semester so that I would have a full month for full-time preparation, which turned out to be just enough for me.

Preparation

I started my AWAE course on 6th December and went straight into watching the videos. After watching the videos for one module, I would follow along and try things out in the lab. For every module I spent 2 days on average; some modules took less or more time. For example, for .NET I spent around 4-5 days to understand deserialization and its exploitation techniques, and for the atmail/atutor modules I spent 1 day each since I already had some prior knowledge of PHP.

Attempting every extra mile is strongly encouraged, but if you find yourself completely clueless, you might want to check the forums (taking a look at the pitiful number of forum threads), or post questions in the RocketChat app (a community chat platform where you can connect, collaborate, and chat with other students and the Offsec staff; it is much more active and responsive than the Offsec forum).

If you still can't solve it, you should just let it go. You will realize that a let-it-go mindset might be critical in your later OSWE exam; otherwise, you might be too easily trapped in a rabbit hole.

Being familiar with one scripting language (preferably Python, in my opinion) is really important. At the very least, you should be familiar with one of its HTTP request handling libraries, such as requests for Python. Being able to craft POCs/exploits is important, especially in the OSWE exam, where you have limited time and need to write scripts to verify your guesses. If you attempt all the exercises in the AWAE course, including the extra miles, you should have just enough practice for it. You will be provided with all the scripts shown in the course material, but you can still write your own to deepen your understanding of the concepts and techniques.

There are a lot of resources online; just google OSWE preparation and you will find a bunch of them, but bookmarking all of them does not guarantee you a pass in the exam.

Examination

At first, I didn't plan to take the exam right after my lab ended, simply because I felt that I needed more practice. My lab ended on 6th Jan, and my internship started on 11th Jan. After two days of the internship, I realized that practicing more for OSWE was not realistic for me as I didn't have much time, and I would probably forget all I had learned in the AWAE course. So I quickly booked the nearest exam slot that I could take, which was 9am on 16th Jan.

I am not sure what I can share about the exam, so I will just recall what I experienced during the actual OSWE exam.

I started off with the machine that I thought I was more confident with, but could not get anything out of it in the first four hours, nothing at all. So I decided to have my lunch and take an hour's break. After the break, I continued to work on that machine, and still could not find a way to bypass it. I tried everything: I looked up the GitHub commit history of the third-party library which provides the defence mechanism, hoping to find any security-related issue; I even dug into the PHP source code (the one written in C), hoping to find any slight loophole which would allow me to bypass that very restriction, but found nothing. I was able to find all the other vulnerabilities leading to RCE after the authentication bypass stage, but I could not find the vulnerability for the auth bypass. (For A -> B -> C -> D, I had found B -> C -> D, but I was missing A -> B, which made my findings on B -> C -> D pointless.)

I finally gave up on that and decided to take a look at the other machine after 7 hours of being empty-handed. I was a bit panicked and regretted taking the exam so recklessly. However, the other machine was quite easy for me; I was able to spot all the vulnerabilities I needed, and I got a shell on my target machine in 2 hours. I finished writing the full-chain automated exploit script in another hour.

With 50 points in hand, I decided to have my dinner and rest for a while. My brain was drained. I sat back down in front of the camera at 9pm and worked on my first machine.

I decided to revert my debugging machine (I had added numerous var_dump statements for debugging purposes), read through the code in every file, and skip the part which I was trying to bypass initially, assuming it was a rabbit hole. I finally managed to find a possible loophole, and a few lines of POC proved my guess. After that, I decided to disconnect from the VPN and go to sleep first, since I had found all I needed and was sure that I could solve this machine in a few hours.

I woke up early (around 7am?) the next day and continued working on my first machine. I got a shell on the target machine in one hour and finished writing the full-chain automated exploit script in another hour. After I had solved both machines, I had my breakfast and rested on the sofa for a few hours. I sat back down in front of the camera after lunch and started to write my exam report. I completed my exam report at 5pm.

And after another 24 hours I got an email from Offsec telling me that I had got my OSWE, which marked the end of my OSWE journey.

Self Reflection

I had a little code auditing experience beforehand, and I am not sure how applicable the skills I learned in this course are to actual work, since I have never done source code review in my actual job. But I hope it is useful.

Offsec has decided to make the AWAE/OSWE sale price permanent (which they claim is to make web app security training affordable). However, they have removed the option of the course with a one-month lab, which I think was just enough for me (preparing in a full-time manner).

You can check the current price at https://www.offensive-security.com/awae-oswe/

And the sale price during December at https://web.archive.org/web/20201213072739/https://www.offensive-security.com/awae-oswe/

I don't have the money or time for any more Offsec certificates in the foreseeable future. (Unless anyone is willing to sponsor me to do it, either OSEP or OSED.)

There are no hints/tips for people intending to take AWAE/OSWE, as I myself didn't prepare well for it. All I can suggest is simply

Try harder

Update, January 24, 2021

I started the OSWE exam at 9am on January 16, 2021, submitted the exam report at 5pm the next day, and at 5pm the day after that I received an email telling me I had passed. Offsec took only one day; compared with my OSCP/OSCE, that is a huge improvement in efficiency.

Background

Long story short, on October 29th last year I bought the AWAE course with a one-month lab for 1400 USD, and then on November 23rd Offsec started an AWAE sale where the course with one month of lab cost only 999... For 999 you can't lose and you can't be cheated, as the sales pitch goes. And I had paid 400 USD more, with no refund...

I started the AWAE course right after the last final exam of my previous semester, so that I would have a full month to prepare; that one month of preparation turned out to be just enough for me.

Preparation

My AWAE course started on December 6th. I went straight into the videos; after finishing the videos for one module, I followed the steps from the videos and reproduced them in the lab. On average I spent about 2 days per module, with some modules taking a bit more or less. For example, for the .NET program I spent 4 to 5 days understanding deserialization and the related exploitation knowledge, while for the atmail/atutor modules I spent only 1 day each, since I had done a bit of PHP code auditing before.

I strongly recommend doing every extra mile. If you have no clue at all, you can look at the forum (the forum threads are pitifully few and hardly anyone replies, but if you read carefully there is still some useful information), or ask questions in RocketChat. (RocketChat is a community-based chat platform with other students and Offsec staff on it. Asking questions on RocketChat is more efficient than on the forum, and you are more likely to get a reply.)

If you still can't crack an extra mile, just give it up; don't keep grinding on it. Sometimes you will find that learning to let go is an important mindset, especially during the OSWE exam, so that you don't get stuck in a rabbit hole for too long without being able to climb out.

Personally I think being familiar with, or proficient in, one scripting language is very important for this course (Python forever). You also need to be fluent with the relevant HTTP request libraries (for example Python's requests library). Being able to quickly write a PoC to verify your ideas is important, especially under the time limits of the OSWE exam; if you are stuck writing the PoC the whole time, your morale will probably collapse too. If you do all the exercises in the AWAE course, including the extra miles, you will have practised about enough. In fact the scripts used in the course videos are all provided to you, but you can also choose not to use them and write your own as practice.

There are a lot of resources online; personally I think quality matters more than quantity. That said, you still have to bookmark them. Bookmarked means read, read means learned, learned means passed.

Examination

I originally didn't plan to take the exam right after the lab ended, because I felt I wasn't ready. My lab ended on January 6th, and I started my internship on the 11th. After two days of the internship, I felt I probably wouldn't have time to practise any more, and if I didn't take the exam soon I might forget everything I had learned. So I booked the nearest OSWE exam slot, 9am on January 16th.

I am not sure which parts of the exam can be shared, so I will just recall how the exam went for me.

I first picked the machine I felt more confident about, and then failed to find a single vulnerability in four hours... So I went to lunch, took an hour's break, and then kept grinding on that machine. There was one spot that felt very close, but I just could not find a way to bypass it. I tried all kinds of things: I went through the GitHub commit history of the third-party defence code hoping to find some bypass, and I even read the PHP source (the one written in C); all I needed was one tiny bypass, but I just couldn't find it. I had found the rest of the vulnerability chain on that machine, but I just couldn't find the pre-auth bypass. (If the whole chain is A -> B -> C -> D, I had effectively found B -> C -> D, but I just couldn't find A -> B, so the B -> C -> D I had found was useless.)

After seven hours I finally gave up grinding and turned to the other machine, which I had less confidence in. By then my mindset was a bit off, and I somewhat regretted being so reckless and coming to the exam clearly unprepared. But the other machine was unexpectedly easy: I found the vulnerabilities in two hours and got a shell on the target machine. I spent another hour writing the fully automated exploit script.

With 50 points, I went to have dinner and take a break. My brain was complete mush. Only at 9pm did I sit back down at the computer and continue grinding on the first machine.

I simply reset the first machine (I had added countless lines of var_dump to the code... don't ask me why I didn't debug dynamically... Offsec doesn't allow downloading the code locally; you are only allowed to connect to the debugging machine over RDP, and operating it felt like watching a slideshow, so in the end I gave up debugging in VS Code and only used vim to read the code). I read through the functional code files one by one, skipping the spot I had been grinding on earlier. Finally I found a suspicious exploitation point, wrote a PoC to verify my guess, and it looked workable. Then I went to sleep... since I had already found the vulnerability I needed, a few more hours would be enough to finish it; my health comes first, so sleep first.

The next day I got up at seven, got a shell on the target machine within an hour, and spent another hour writing the exploit script. After finishing both machines I went to breakfast, then collapsed on the sofa and rested until lunch. After lunch I sat back down at the computer and started writing the report. At 5pm I finished the report, ended the exam and submitted it.

24 hours later I received an email from Offsec saying I had passed, which also marks the end of my OSWE journey.

Self Reflection

I had done a bit of code auditing before, but I am not sure whether what I learned in this course can be applied in future work, since I haven't actually done code auditing in a real job. I hope it will be useful.

Offsec has decided to keep the AWAE/OSWE sale price permanently (according to them, so that everyone can afford web application security training). However, I noticed that the option with a 1-month lab is no longer available; are they looking down on my learning ability? (Personally I think a 1-month lab was just enough for me.)

You can see the current price here: https://www.offensive-security.com/awae-oswe/

You can see the December sale price here: https://web.archive.org/web/20201213072739/https://www.offensive-security.com/awae-oswe/

After this cert I have neither the money nor the time for any other Offsec certs, at least for the foreseeable year ahead (unless, of course, someone is willing to sponsor me; OSEP or OSED would both do. OSEE... I'll stop dreaming).

For those planning to study AWAE or take OSWE, I have no tricks or secrets here, since I didn't prepare well myself. All I can say is

Keep grinding