OSWE: A Detailed Review
Introduction
Hello!
In this article, I'm going to share my journey towards OSWE certification, in the hope that it can help you in some way. As I'm going to be long-winded, if you prefer a quick answer, I recommend using the table of contents to go directly to the topic of interest.
The OffSec Web Expert (OSWE) certification is obtained after completing the Advanced Web Attacks and Exploitation (WEB-300) course and passing the final exam.
The exam lasts a maximum of 47 hours and 45 minutes for the practical test, followed by a further 24 hours for writing the report. You must achieve a minimum score for your deliverable to be analyzed by an OffSec reviewer.
The course and certification focus on web application exploitation, with an emphasis on code analysis (white-box) and exploit automation.
I recommend it for those who want to deepen their knowledge of web pentesting and already have at least an intermediate level. If you're new to the area, there are better ways to start than taking a course with “Advanced” in its name.
I have about 3 years' experience in the field, as well as some certifications, such as OSCP. However, I consider that my contact with reading vulnerable code was limited before starting this challenge.
The cost of the course and exam varies depending on the package you choose. The Course + Cert Exam Bundle is specific to the certification and offers 90 days' access to the labs, plus an exam attempt, costing 1,649 dollars.
The other packages are subscriptions, which offer access to more content than WEB-300 and last for 365 days. However, they are more expensive. The Learn One package includes two attempts and costs 2,599 dollars a year, while Unlimited offers unlimited attempts for 5,799 dollars a year (I don't know who would spend that much). You can also buy just the voucher for the exam at a lower price if you don't pass and you've run out of attempts.
Previous Studies
I believe that this applies to any OffSec certification, but it is essential to prepare before starting the course, especially if you are limited to 90 days of access.
This will make the learning process much easier and ensure that you don't get lost learning concepts that the course already assumes you know. The course won't take you step by step, teaching you the fundamentals of basic content, precisely because it's not a certification aimed at beginners.
For this phase, I looked up some other reviews and studied what people recommended. I've documented these learnings in this repository on GitHub, but basically what I've done is:
1. Study all the PortSwigger topics (not all of them are necessary, but I took the opportunity to see them all);
2. Complete some of the machines on TJ Null's list (the more complex ones require more than what's required in the exam, so I let it slide);
3. Solve some OSWE-like challenges, such as VulnHub's Secure Code.
Below is a list of these materials:
Remember that if the challenges offer this option, use a white box approach when carrying out the attacks, reading the source code. This will help you get used to the format of the course and the exam.
Another fundamental thing you need to have is a basic understanding of how to read code and program. You don't need to be the best programmer in the world, but it is essential to understand simple concepts such as declaring variables, loops and functions.
In addition to the ability to read code, you need to learn how to write it. In this case, it's essential to write code to automate the exploitation of machines, where, in many cases, there will be a chain of vulnerabilities that leads to the end result. This can be done in any programming language, but I believe Python is the most suitable.
Take advantage of the study machines listed above and start practicing automating them; it helped me a lot. On my GitHub, I have the automation for most of them, in case you want to use it.
Create templates to reuse code; this will greatly speed up your automations. For example, if you've exploited SQL Injection, develop a template based on that automation. When you work on another scenario, you probably won't use exactly the same code, but a lot can be reused, especially the basic parts, such as making requests.
Below is a general template to use in your automations. In this example, we use urllib3 to ignore errors with web server certificates. We collect arguments when calling the exploit using sys, which is essential as the exploit needs to be dynamic.
It is also recommended to create functions for each vulnerability that is part of the exploit chain, as this makes everything more organized. If you look at the code below and don't understand anything, I recommend you go back to studying Python.
import urllib3
import sys

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}

# Getting arguments
def main():
    # sys.argv[0] is the script name, so four arguments means five entries
    if len(sys.argv) != 5:
        print("(+) usage %s <target> <username> <attackerIP> <attackerPort>" % sys.argv[0])
        print("(+) eg: %s http://vulnerable.com b1d0ws 192.168.45.181 4444" % sys.argv[0])
        sys.exit(1)
    target = sys.argv[1]
    username = sys.argv[2]
    reverseIP = sys.argv[3]
    reversePORT = sys.argv[4]

# Create functions for each vulnerability/step
def function():
    pass  # placeholder body ('continue' is only valid inside a loop)

if __name__ == '__main__':
    main()
Below is a simple skeleton for making requests:
import urllib3
import sys
import requests
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
session = requests.Session()
url = 'http://example.com'
# GET Request
params = {'cmd':'ls'}
session.get(url, verify=False, proxies=proxies, params=params)
# POST Request
data = {'parameter':'example'}
session.post(url, verify=False, proxies=proxies, data=data)
# You can also set proxy like this
session.proxies.update({'http':'http://127.0.0.1:8080'})
Course
The 90 days of access are enough to complete the entire course. I started my access on July 18th and finished on September 23rd, with one month left.
Content
The course is made up of modules, where you learn the content through texts, videos, exercises and extra miles. There are also practical laboratories, where you put what you've learned into practice by exploring machines that simulate the test.
You can check out the syllabus at this link.
It's funny how the content starts off extremely easy, covering basic topics such as “How to use BurpSuite” and then quickly moves on to complex topics such as “Exploring Deserialization in .NET applications”.
For me, the first modules were a little daunting because of the complexity of the topics, which made me question whether I had really done the right preparation beforehand. As the study progressed, the modules became easier, with the last two being extremely simple compared to the others.
The modules are organized into chapters, some of which include exercises and extra miles. The exercises are essential for consolidating the content learned, while the extra miles are optional. I don't particularly recommend doing the extra miles, as they cover more complex topics that can take up valuable time. But if you feel you have enough time, go for it!
Remote access via RDP can be slow, which can be a bit annoying and require patience. In the exam, this access tends to be more fluid.
Labs
The practical labs are made up of 3 machines and are reasonably difficult, offering some avenues for exploration. As with any simulation, you may have trouble solving them, but that's part of learning.
OffSec does not provide solutions to the labs. I believe there could be walkthroughs in this regard, because often, in order to proceed in a scenario where you don't know what else to do, you have to seek help from the community, and you don't always get answers.
Speaking of the community, there's a Discord server that includes various channels to integrate students, as well as specific chats for OSWE. You can access it from the OffSec platform.
This is where you can ask for help and interact with other students and tutors. If you get stuck in a lab, I recommend searching for words related to your problem in the search engine, as this may give you some answers.
At the end of the day, my way of studying was: I went through all the modules, solving the exercises and automating the exploits. I preferred to learn from the texts, and only used the videos in a few cases. Sometimes the videos go into a little more detail about content that isn't explained so well in the text.
I then solved the labs using the first path I found and also automated them. Finally, I reviewed all the content from the beginning and re-did the labs, this time looking for all the possible ways to exploit them. As I didn't know how many ways there were, I looked up this information on Discord with the other students.
One interesting thing is to create a group with people who are studying in the same period as you. I didn't have this idea at first, but one of the students called me privately, asking if I wanted to join a study group, and it was really useful. When everyone is there pursuing the same goal and helping each other, everything is easier!
Exam
The first thing to do about the exam is to read the official OSWE guide. It contains most of the information you need to know: what you need to hand in, what you can and can't do, among other guidelines.
A good tip is to book your exam as soon as possible, especially if you need a weekend slot. These times are very popular, and if you leave it too late, there's a good chance you won't find the time you need.
OffSec's exams are monitored in real time, so it's important to be familiar with this process. You can find more information at this link, but here's what you need to know.
15 minutes before the scheduled time, you must access OffSec's monitoring system to check in. Check-in consists of presenting a valid identification document. The portals tell you that the document must be in English and have an expiry date. For OSWE and OSCP, I presented my ID in Portuguese and without an expiry date, and that wasn't a problem. They just asked me if there really was no expiry date on my document.
The only difficulty I encountered was getting my webcam to focus properly. As it didn't focus enough, I had to show a digital document. That's why I recommend having such a document prepared on your computer in case this happens.
After that, you need to show the entire room where you will be taking the test to make sure there are no other electronic devices. Make sure they are all removed from the room (don't take this literally, televisions, for example, are acceptable). In my case, while showing the proctor around, I realized that I had left my Alexa on the table, so I removed it immediately. It's unlikely that anyone would use an Alexa to cheat, but it's better to avoid any headaches.
Also make sure you have a camera that can scan the room. This may seem obvious, but sometimes the camera is attached to a fixed support and isn't flexible enough to show the whole room.
Some features are not allowed in the exam. It is forbidden to use programs that automate exploits, such as SQLMap. Artificial intelligence tools, such as ChatGPT, are also forbidden, so avoid getting used to using them during your studies.
The exam is made up of two machines, and 85 out of 100 points must be obtained. Each machine has two flags: one, obtained through Authentication Bypass, which is worth 35 points, and another, through RCE, which is worth 15 points. You therefore need to capture three flags, and you need to obtain at least one RCE flag on one of the machines.
It is necessary to automate the exploitation of vulnerabilities, and the exploit must print the flags or return a reverse shell. The report must include the exploit in text, as well as evidence and descriptions of the vulnerabilities found. This is detailed in the dashboard you access during the exam.
My Experience
My exam was scheduled for October, but when I realized that I would finish the course earlier, I rescheduled it for September 25, a date very close to the end of my studies. I don't particularly like to leave a long gap between my studies and the exam, so I tried to schedule everything as close together as possible.
The week of my exam, specifically on Sunday night, my keyboard stopped working. As I use a desktop computer, I had to buy a new one the next morning. Although this wasn't a big problem, I was already quite anxious about the exam, and the nerves started to kick in. After a while, I was just relieved that it hadn't happened on the day of the exam.
During the previous two days, I'd only revised the content I'd learned and hadn't dedicated myself intensely to studying. My exam would start at 9 a.m., a good time because it's like I'm starting work. Then came my second piece of bad luck: the weather gods decided that during the 30 days of the month, it would only rain on my two exam days, and it would rain a lot!
At midday, three hours into the test, I still hadn't found anything, and then the power went out. At that point, I despaired, already counting my defeat and wondering how unlucky I was that this was happening. Fortunately, the power came back quickly, but I was apprehensive that they might cancel my attempt.
When you lose the connection to the proctors, your VPN is cut off, but it's easy to return to the exam: you just have to share the screens again and carry on. However, I didn't know it was that simple and I really thought they would cut off my access because of what happened.
After some time without success on the first machine, I decided to move on to the other. I spent about two hours on it and got the first flag. Great, 35 points were already guaranteed! At this point, about 7 hours had passed and I decided to take a break to eat something and rest a bit.
For some reason, I was still extremely nervous and anxious, thinking that just one flag in 7 hours wasn't enough, considering that I still needed to automate the exploits and find at least two other flags. Now, I see that this was well within time. It's funny how our emotions distort our perception of things.
My break lasted about 20 minutes and I went back to the computer to continue. To take breaks, you just have to tell the proctor that you're leaving and then tell them that you're back, and you don't have to wait for a response. In the OSCP exam I always waited for the proctor to “release” me to pause, but it's not necessary. In OSWE the breaks are much more frequent, so don't wait for the proctor to respond before taking a break.
I went back to the computer and tried to find the RCE of the second machine, but to no avail. I didn't think about it for long, because I thought: I don't necessarily need that RCE, but I need the Auth Bypass from machine one to move on, so I decided to go back to it.
Around 7pm, I thought of a possible exploit vector, but there was one detail missing that I couldn't find. Now here's a tip I haven't seen in any other review: be careful with the resolution you use to access the debugger machine. I won't go into details, but this caused me to waste a lot of time on something that should be instantaneous.
Having solved this problem, I continued with the exploration and got the flag for the first machine, now totaling 70 points after almost 12 hours of testing. Remember that you will only have access to the flags on the real machines, not the debugger machines. In other words, as soon as you find the exploit, test it on the official machine too.
I listed the routes that required admin authentication, did another quick search on RCE, and started to figure out what the route might be. At this point, I decided to take a longer break and took a shower to clear my head. Between the first break and this longer one, I also took several short 5-minute breaks to go to the bathroom, stretch my legs, and make a cup of coffee.
I got back to the computer around 9:45 and was feeling a bit more motivated. However, as time went on and I couldn't find the RCE, I started to get extremely apprehensive, even though I still had over 30 hours of exam time. I was definitely stuck, and my mind started to sabotage me, thinking that I still needed to automate everything.
I found the RCE around 1 AM, and as soon as I realized that I had achieved code execution, I burst with joy. The feeling of relief in those moments is indescribable. I validated my exploit on the target machine and obtained the third flag.
After 16 hours of the exam, I already had the necessary points to pass, but I was still apprehensive, knowing there was still a path ahead. Shortly after, I decided to go to sleep.
You can turn off the webcam to avoid the embarrassment of sleeping while being monitored if you are taking the exam in your room. Just inform your proctor. I notified the proctor via chat that I was going to sleep and would turn off my camera, but no one responded. Wanting to avoid complications as much as possible, I chose to sleep on the couch in the living room to get away from my room a bit, and I left the webcam on.
Falling asleep wasn't the easiest task, despite my exhaustion, but I managed to sleep for about 6 hours. Around 8 in the morning, I woke up feeling much calmer, had a leisurely cup of coffee to recharge, and returned to the exam. Now, my mission was to automate the exploit for the first machine to return a reverse shell and the exploit for the second machine to print the flag, since I still didn't have RCE on it.
This was the most enjoyable part, as I really had no complications, and it was what I was most proficient at during my studies. I developed the exploits and tested them multiple times on the target machines, resetting them whenever necessary. My exploit for the first machine took some time to run, so I took advantage of that to do other things in parallel while it was executing.
In the meantime, I also collected all the evidence I would use in the report and began adding the exploitation process to the OffSec template. You can use the template provided if you’d like, but I recommend using theirs, which can be found here.
By noon, after 27 hours of the exam, I had finished everything and had enough points to pass. I took a half-hour break for lunch and returned to the exam. Now, I still needed the RCE from the second machine. I spent about 3 hours trying but made no progress. I took a break, and during that time, my power went out again, which somewhat demotivated me.
I returned to the computer and had to redo everything: connect to the VPN, collect the requests in BurpSuite since the Community version doesn’t save them, and connect to the debugger machine. I decided that, despite having about 15 hours left (obviously, I wouldn't use all of that due to fatigue), I would stop here because my mind was no longer thinking clearly.
I validated the evidence again, polished the report during this time, and tested the exploits dozens of times since my biggest fear was that the automation would fail. I played the role of a reviewer, saved my report as a PDF, and copied the exploits to my machine as if I were reviewing them. At that moment, I realized that in Word format, the exploit's indentation is preserved, but in PDF, it is not.
To avoid issues, in addition to using plain text, I decided to add my code in base64 to the report, thus maintaining the correct indentation. Finally, around 5 PM on the second day, I submitted my attempt. Before that, I stared at the submit button for a few minutes, wondering if I had forgotten something. One of the reasons I decided to end the exam was to relieve myself of the commitment to the proctors and to feel more comfortable in my room.
After taking a short break, I made another coffee and returned to work on the report. I had until 9 AM on Saturday to submit it, but I was so anxious that I was working on it Thursday night. After reviewing it a few times, I realized I was missing evidence for one of the vulnerabilities. While this wouldn't significantly compromise my report, I was worried because it was evidence that should have been there to clarify everything.
I thought I could retrieve that evidence in BurpSuite, but in addition to losing the requests due to the power outage, my Kali Linux also crashed a few times while I was trying to explore the second machine. I’m not sure why that happened, but it was yet another reason to make me tense during the exam.
Finally, around 8 PM, I submitted my document, still filled with anxiety that something could go wrong. I remember that the result of my OSCP took about three days to arrive, so I imagined I would only receive my evaluation the following week, given that I submitted the report on a Thursday night.
A friend of mine mentioned that he received his result in just one day, which raised my hopes of getting an answer on Friday and having one of the best (or worst) weekends of the year. The next day, I checked my email every three hours until, around 8 PM, I received the notification: I was APPROVED! The feeling was similar to passing an exam that would change my life. I celebrated intensely and hugged my parents, who supported me throughout the stress of the last two days of testing.
Conclusion
I've heard every possible account about the OSWE: some people loved the course, others criticized absolutely everything, some were approved, and even highly skilled individuals failed due to unfortunate circumstances. In short, anything can happen.
In my opinion, the course taught me valuable techniques that will be useful throughout my career and contributed to my technical knowledge. However, there are downsides: some modules are confusing, the lack of walkthroughs on the exercises and labs from OffSec, which follows the motto "Try Harder," doesn't convince me, and access to certain labs is slow.
This was, by far, the certification that stressed me out the most, but it was also the most rewarding to achieve. It truly represents both sides of the coin. Now, I plan to take a break from certifications and focus my studies on other activities. There are many other ways to learn and enhance my professional journey.
Overall, I learned a lot about how to automate web exploits, and this has already proven to be beneficial. One example is that I developed an exploit for a public vulnerability that previously only had a manual exploitation method. In this way, I was able to contribute to the community with the knowledge I gained.
Finally, I recommend the OSWE to those who have the time and financial resources to invest in a course from OffSec, which is known for its high prices. It’s clear that certifications like this have a significant impact on one's resume.
I also want to emphasize that this is not the only option available in the market. There are several other certifications and courses that cover similar content. Recently, various platforms, such as HackTheBox, have been investing in their own educational materials and certifications.
Thank you for reading this far! I hope this article can be useful in some way. If you have any questions, feel free to reach out to me on LinkedIn.
See ya =)
Written by b1d0ws