How I passed the OSWE exam

OSWE is a security certification for advanced pen-testers and information system auditors. Honestly, it was the hardest exam of my life. I forgot about my health and my sleeping schedule (in 48 h I got only 12 h of light sleep), and I never knew I could swear that much. I’d describe my state back then as “f*cked off”. But let’s start from the beginning.

What’s OSWE

OSWE (Offensive Security Web Expert)

  • The certification was developed by the well-known company Offensive Security (they also develop and maintain Kali Linux)
  • OSWE goes hand in hand with AWAE (Advanced Web Attacks and Exploitation). You can’t take the OSWE certification on its own. Besides, what’s the point of enrolling for the exam without the practice that AWAE provides?
  • Who’s the target audience:

-people experienced in pen-testing

-techs and developers who can read code and debug.

  • The certification is pricey. The cheapest course package costs $1400
  • Previously, the course was held in person during the Black Hat conference. Now it’s an online product.
  • The flow is simple: you analyze the source code of a web system and exploit its vulnerabilities. The goal is to break into a live system.
  • The good news is that the certificate has no expiration date. Those who developed this certification assure you that if you pass the exam once, you’re still the boss in this field even 10 years later.

What’s AWAE

About the AWAE (Advanced Web Attacks And Exploitation) course

  • No basics here, forget “Hello, world”. The course covers real vulnerabilities, registered as CVEs in real open-source projects
  • you can find those vulnerabilities and even exploits on exploit-db.com or cvedetails.com
  • you’ll be given plenty of materials and videos that explain the vulnerabilities and how to exploit them
  • for the duration of the course, you receive personal VPN access to a test environment. You don’t need to deploy anything; everything is already set up. Go ahead, break whatever you want
  • all hand-outs are personally marked to prevent unapproved sharing or uploading to torrents. If it happens, the owner will be identified quickly and punished with certificate suspension.
  • the course goal is to exploit the system’s weak spots to the full: Remote Code Execution (RCE), admin access and a remote SSH shell on the web system
  • one of the conditions is to exploit vulnerabilities using PoC exploits (you can write them in any language, but Python is recommended)
  • The course teaches excellent new penetration-testing practices
  • The course covers:

-Topics: XSS, CSRF, Session Hijacking, Session Riding, Blind SQL Injection, Path Traversal, Type Juggling, Insecure Deserialization, Arbitrary File Upload, etc.

-Tools: Burp Suite, Kali Linux, Metasploit, etc.

-Languages: PHP, Node.js, Java, .NET, Python

About the exam

  • The online exam lasts 48 h. It’s up to you how much time to spend on sleeping and eating.
  • You take the exam at your own computer remotely, but you’re watched the whole time by a supervisor from the OSWE side.
  • First thing: ID validation. You show your passport.
  • Using the camera, you show your workplace and even what’s under your desk.
  • Then you share your screens and switch on the camera. Take it as it is: for 48 hours you and your computer are under constant supervision.
  • Need to go to the bathroom? Notify your supervisor. Came back? Tell him again.
  • As I mentioned above, the AWAE course covers vulnerabilities recorded as CVEs. The exam, though, includes custom, unfamiliar vulnerabilities, so don’t waste your time googling.
  • In a separate protected VPN network, you’ll have two targets: two web systems, begging to be hacked.
  • Your task is to bypass their authentication and get shell access to the servers.

-authentication bypass brings you 30 points

-getting remote access: 20 points

-to pass the exam you need at least 80 points

  • To prove the attack was real, you have to find a secret file (located outside the web application directory) and show its content.
  • Before the exam, I hoped the tasks would at least come with some instructions. Wrong. You get a live server IP and a test environment to analyze the system’s code and debug it.
  • You’re quite limited in tools. Vulnerability scanners and brute-forcing are not an option.

Difficulties

  • No one can help you. The only helpful thing I got from my supervisor was his catchphrase: “try harder”.
  • Prepare yourself for 48 hours of stress. Your brain will get no rest; even in sleep, it will be searching for possible attacks.
  • I managed to gain 100 points, but I barely met the deadline.
  • At some point, I needed to rewrite an exploit from C# to Python. The attack via VPN didn’t go well, and I thought of Kali Linux, which allowed me to exploit the target in a blink.
  • On Reddit, I came across a guy who wrote that it had taken him half of the first day to hack both systems, and the rest of the time he just chilled. That’s bullshit, or I’m not so talented )). The workload is huge, and hardly any average person can handle it that fast without hassle.
  • Another guy on Reddit wrote that in 48 h he couldn’t find anything and ended up with 0 points. He worried that retaking the exam would be a waste of money and might lead to the same outcome, since he had analyzed EVERYTHING.
  • I assure you there will be moments of total disbelief in yourself and moments of euphoria when you feel you can do anything. And then again, and again. The main rule is to keep going and not give up.

What I recommend

  • OSWE is a proper exam for any pentester. The outcome depends a lot on your security and development experience.
  • Store and structure all your useful practices, commands and tricks in some tool; for me it’s been CherryTree for a long time.
  • Dig into every vulnerability to the full.
  • Combine vulnerabilities into one attack to achieve the severest effect.
  • In any stressful situation your attitude, as well as the ability to stay cool, decides a lot.
  • TRY HARDER

Good luck

Denis Koloshko

Penetration Tester, CISSP, OSWE