Hi fellow hackers and security researchers, hope you guys are all happy and doing well. It's been a while since I have written a blog. This blog is going to be about my honest review of a highly demanded and respected certification from Offensive Security. I feel immense pleasure to announce that I have recently passed the OSWE exam on my first attempt😌.
What is OSWE?
Offensive Security Web Expert (OSWE) is an exam conducted by Offensive Security. You get 47 hrs 45 min (exam time) + 1 day (to write a complete report) to finish the exam challenge. It is proctored the entire time. In the exam, you get 2 vulnerable web applications along with their entire code. The main exam objective is to find security vulnerabilities in the applications by reviewing their code and then prepare an exploit script that automates the entire attack, including both authentication bypass and remote code execution. Read here for more.
The intended audience for OSWE
Security researchers, application developers, software developers, penetration testers, and anyone who wants to improve their secure code review skills, as this exam challenge is completely white box penetration testing.
How I went through the exam?
2nd Jan 2023: My exam was on the 2nd and 3rd of January. So I woke up at 8:00 AM on 2nd January, followed my usual morning routine, logged in, went through the ID verification process, and then at 9:30 AM my exam started.
I picked up the first machine and started going through the application and then the code. Unfortunately, I continued on a certain path, unaware that it was a rabbit hole and it wasn’t going to take me anywhere. 6–7 hrs went by, and I had no lead. Things started to become tense. Then, I switched machines and came to the second one at around 6:00 PM, with no clue about the first machine. Now again 6 hrs went by, it was 12:00 AM on 3rd Jan, and I had a little clue as to how to get the authentication bypass. I continued till around 1:30 AM, and then woke up at 6:00 AM (5 hrs of sleep).
Funny (yet serious) part: On 2nd January (1st day of the exam), I received my salary and I became so stressed that I even started to think that “okay, I have received money for my second attempt”. 🤕 And this thought stayed in my mind till the end; you will know why, keep reading…..
3rd Jan 2023 (Day 2): I woke up with only a little relief, that I had the first part of one machine. So I started scripting it. I found this part easy. Then I spent 4–5 hrs on the code execution part. I tried many things and went through the code multiple times but ended up exhausted and demotivated, without any luck ☹️. It was around 1:30 PM. I had a little break for lunch. After I came back from lunch, I decided to move to the second machine, of which I had no idea what was happening. Then after around 45 min to 1 hr, with one of the payloads, I got the authentication bypass of the machine. I breathed a sigh of relief. Then I started to write a script for the same and ended up creating the script for that part at around 4:00 PM. Once I had the authentication bypass of the second machine, the next part was fairly easy to locate, but it was interesting to note how your payload gets executed. I was able to do it manually, so I started writing the script for that part too. It was around 6:30 PM (~34 hrs into the exam). I set the script running and, since it was taking a long time to execute, I went on a break for coffee with the confidence that I would pass for sure. 😃
When I came back from coffee, I found out that the script ran fine, but it didn’t give the intended output and failed to get the job done. Since it was taking an average of 35–45 minutes to run, I had to wait that long every time I ran it. I made some changes to it, ran it again, and went for dinner. It was around 10:30 PM. I came back and found out that it had failed due to a silly syntax error. Again, I ran it and sat there for ~45 minutes staring at the screen like a ghost.
Now when the script failed again, all my happiness and confidence that I had earlier washed away.
At this point, I was running out of patience and started to think that I am going to fail, for sure. This was a moment of realization for me because initially, I was all happy and jolly but now thoughts of failure began to appear every couple of seconds.
It was ~12:30 AM on 4th January (only 8 hrs left for the exam to end); this was the scariest stretch of time that I have lived through. The problem was, I was able to do it manually but my script was not working the way it should and, on top of this, I was not able to think of anything that I could do to make it work. Still, I sat there and read my script end to end, reverted the target machine, and made all the checks, but I was not able to locate any mistakes. It was ~3:00 AM, and at this point I literally hit rock bottom 😰. I was tired and exhausted both physically and mentally; I literally felt like a big failure. I was so close yet so far 🤕. To be honest, I cried in front of the proctor herself. BUT, surrendering and accepting defeat was never an option. After some more banging of my head against the wall, at ~6:00 AM, I got a clever idea, so I went and made that change in my script and ran it. I waited and stared at the screen for ~45 minutes straight, and BOOM, it executed properly and gifted me with a reverse shell. Man, I can never forget that moment. The reason why I feel proud of myself for this is that I was awake for 24 hrs straight and you can’t really expect a solution when you are up for this long. I am proud of myself for that 🤘. With one hour left for the exam to end, I spent that time taking all the necessary screenshots and running the script one last time, but time ran out before it could finish.
Then I slept for a couple of hours, had breakfast, prepared the report the next day, and submitted it.
This was a brief account of my experience. One hell of a ride it was. Now I would like to mention a few things to always keep in mind if you are planning to appear for the exam (the following are based on my experience; they may or may not work for you):
- Have patience: OSWE is a marathon, not a sprint (unlike OSCP). You need to keep your composure and stay calm throughout. 48 hrs is sufficient time to pass the exam if you have studied well in the lab time.
Even if you think you are losing it, chances are you can craft out a solution only if you step back and think it over again from a different perspective.
- Diet: Eat less than usual. Just make this sacrifice for 2 days. Trust me, you don’t wanna feel drowsy just because you ate too much. Consume a low carbohydrate diet. Stay hydrated. If possible, do some pushups during your break. (this may sound silly, but it works 😉)
- Breaks: Take frequent breaks. Get some sunlight during your break. And when you are on a break, don’t keep on thinking about the obstacle you are facing in the exam. Just give your brain some relaxation. I think during the entire 48 hrs, sleeping for 5–6 hrs is not gonna do any harm.
Have little walks every now and then.
- You don’t know your limits. When you think you are gonna fail, chances are you can come up with a solution even in that situation only if you push yourself a bit further. I seriously never thought that I can stay awake for such a long time and think of a decisive solution.
- Don’t rush: I can’t stress this point enough. Take things slowly. Read through the code slowly and try to relate it to the endpoints you discovered in your black box assessment. Even a little mistake can cost you hours, so be careful and efficient.
- Get mentally and physically ready for some discomfort. You are gonna have to endure physical as well as mental pain. Expect it.
- How to go about AWAE lab? Go through the entire pdf+Video+hands at least two times. I might face some criticism here, but you don’t need to do all the extra mile exercises. Those are in fact good but if you have a job and you want to finish the lab as well then keep those for the end. While doing the labs, absorb as much as possible as the content is awesome and Offensive Security has really put good effort into explaining the concepts. Prepare good notes. If possible, have them in colored text.
Resources I used for preparation
- Pentester lab white badge -> to get acquainted with code review
- Portswigger -> to understand various vulnerabilities and payloads
- Write automated scripts for various exploitations like blind SQLi, file upload, XXE, XSS, CSRF, etc. (DVWA, WebGoat, bWAPP)
- Learn how to parse and extract HTTP responses using Python or whatever language you will be using for script writing
- Do the above, before starting the lab. In the lab, try writing the exploit wherever possible
- Absorb the contents of the lab as much as you can. Try to get the most out of it. Strictly, do the unsolved lab machines as well.
Where Offensive Security can improve?
Offsec should include more practice machines in the lab. That will help students better to understand and practice code review. They can also improve their student support system in terms of the time in which a student’s doubts are heard and attended to.
One of many reasons I chose to do OSWE is because it's tough and doing tough things gives you confidence. This journey will teach you a lot of things and contribute heavily to your overall growth. For me personally, it made me stay out of my comfort zone most of the time. As I am a full-time employee at a firm, it's not that easy to study for OSWE in parallel but honestly speaking, it's just an excuse. Have good people around you. I am so so grateful for the kind of people I am surrounded with. I have got my parents, my brother, my mentor, and my close friends. Can’t thank you guys enough for all the support I got from you 💜. Love you guys. The Infosec community is also there. I met some really awesome people here. It's not just a 3-month journey, it's rather a long one where you will learn a lot of things. Believe in yourself and just go for it. 🤓
OSWE is another one in the arsenal. Many more to go. See you guys next time. All the very best for future endeavors. Stay safe. Keep smiling.
Happy hacking! 😃
Signing off…