AWAE course: My AWAE to OSWE journey and prep advice

In this thread I will give some advice and highlight some details on my AWAE prep which might be useful to other students. After getting my OSCP last year I had already planned on taking this course and was looking forward to getting my hands on it.

AWAE Prerequisites

The first question one might ask prior to starting the AWAE course is what the prerequisites are to get started. As offsec advises, this is an advanced-level course, and while it is not an actual requirement, it is strongly recommended to go through the PWK course first. Personally I find this to apply mostly to the mindset and enumeration skills you gain through PWK and not that much to the actual knowledge required. You will, however, definitely find it useful to have knowledge of various programming languages, including Java and C#. Advanced JavaScript skills would also be a great advantage with this course. In case you do not know how to write a simple hello world application in several different programming languages without having to look it up online, you may find this course tough. While most students seem to take 1 month of lab time, I took 2. In case you want to do everything in the course without being in a rush (and if you want to have a life), my advice is to go for 2 months and learn the things presented in the course in depth. Note that I still took 2 months and felt a bit overwhelmed, although I dedicated a full working day to the course for 2 months, studying and exercising almost every day.

Be warned

this course is not as dynamic as PWK – you will not be throwing shells all day around

This is an advanced-level course, and it requires a lot of dedicated time unless you are already familiar with the vectors. In case you expect to be popping shells all around like in PWK, getting filled with adrenaline and satisfaction from the work you have done and having a big smile on your face from getting the next flag hash, you may end up caught by surprise, as this is an aspect in which the AWAE course differs from PWK. You may find some of the stuff and all the code review process you have to go through a bit boring in the beginning. The learning curve is far more passive than the one presented in PWK and presents examples from real-life white-box penetration testing. Just be prepared to have a patient, prepared mindset. Although the AWAE course lacks the dynamics involved with PWK, I found it to be a really rewarding one showing some advanced techniques from real-life examples, which is one of the things I really liked.

TLDR: AWAE Preparation and the OSWE Exam

The exam is a 48-hour journey during which you will have to read some code and follow its logic. The labs consist of not more than 20 machines in total and the environment feels a bit different from the PWK labs. You are presented with everything required to practice the exercises presented in the course materials and three additional boxes to solve on your own.

General AWAE preparation methodology:

  • Watch a module from the course videos, trying to replicate the attacks on the video.
  • Read the module section from the course book
  • Do all the exercises, including those labeled as extra miles
  • Hack into all of the additional lab machines
  • Do everything from the resources listed below
  • Learn as much as you can about the attack vectors presented in the course. You will not have the time required to do any additional research on the exam. If you want to pass, do your homework.
  • Watch the videos and read the book again (yes, that’s actually the most useful thing one may go for).
  • Try to replicate the attacks within the course materials on your own
  • Read any AWAE threads from other blog posts, which may give you an idea of what the exam looks like and how they prepared for it
  • Join the offsec community platform. In case you have a question regarding an exercise, you may find it quite helpful to hang around. While you may not get an immediate response as the AWAE part is somewhat tardy when compared to the OSCP channels, I found it useful to interact with other students and get help from offsec admins when needed.

Some students may wonder whether they have to complete all the extra miles to pass the exam. You probably do not have to, but I strongly recommend that you do so. I assure you that the effort you put into the AWAE course extra miles is worth it, not just for the exam, but for the overall knowledge and problem solving mindset you would get from them.

General OSWE exam guidelines:

  • Look at the targets from a blackbox perspective. Take your time to get familiar with the objectives.
  • Once you find something interesting, follow the code flow
  • Organize your time properly. While you are supposed to take breaks, eat and sleep, do not expect to have your regular day routine during the 48-hour exam. You will have to sleep less and think more, which will get you exhausted, especially on the second day.
  • 48 hours are plenty of time. However, you will probably need all of it, so do not waste it. While some guys seem to have completed all the objectives in 1 day (totally achievable, but at the same time highly unlikely to happen in most cases), I needed all the time to complete all the objectives.
  • Take short breaks once some tension has built up. At the beginning you may find nothing for hours. Do not get discouraged about this, just keep looking. Remember the famous quote that OSCP is a sprint and OSWE is a marathon.
  • Do not postpone your report. While you may think it is over, it is totally not. Reporting is one of the most vital parts in penetration testing. This is how you actually present your findings to the reader. Whatever work and effort you have put in to solve the tasks on your exam, it is not to be appreciated unless documented well. Due to the exhaustion I experienced during the 48-hour exam I neglected some parts of it and the effort I could put in is actually greater. I usually reread everything several times before I send it, however after reading my report the day after I sent it I noticed that it still had some typos or semantic inconsistencies. A professional report always leaves a good impression and is more pleasant to the reader, so try to present your findings in the most professional manner.
  • Have a clear understanding and a methodology on what you will do once you are presented with an objective. As everyone thinks and perceives differently, this is one of the things you are not actually taught during the course. You will have to build your own personal methodology on how to enumerate a web application.

Remember to schedule your exam date ahead! I usually pick a date just as I start a course, being mindful of a possible change.

Useful resources:

https://hansesecure.de/2019/08/from-awae-to-oswe-the-preperation-guide/?lang=en
https://github.com/wetw0rk/AWAE-PREP
https://github.com/deletehead/awae_oswe_prep
https://github.com/timip/oswe
https://owasp.org/www-pdf-archive/OWASP_Top_10-2017_%28en%29.pdf.pdf
https://www.offensive-security.com/offsec/attacking-the-web-offsec-way/

The course materials and the resources from the above threads should be enough to have a solid foundation on the exam vectors. I also practiced some of the stuff on Portswigger Academy.

After sending my report on the 20th of December it took about 3 business days to get my OSWE Certification Exam Results email, which I was eagerly expecting:

Unnecessary to describe exactly how this feels, but it’s something unforgettable!:)

Would I go for the same exam again? Agh.. no way, at least within a year or so;)

Good luck! 🙂

@d7x