Here come the journey part, some people like a journey/story including myself since it show how and why the author start it, the challenges, the issues and situation that could be faced by the others too. For the author itself, it could be a source of motivation and great flashback in the future.
TLDR; this post does not contains any technical aspects and it’s more on sharing the story/journey.
When Offensive-Security first released the training online, I check the syllabus and read some of the review. I found out that the course is more tend to source code review perspective instead of BlackBox web penetration test and it does not interest me at all. The reason is simple, like others newbie clueless security professionals that just enter the field, the dream is to become “RED TEAMER”. Learning source code review is clearly not on my top priority.
At the end of 2019, something changed my mind. With more people taking the courses, the more accurate review of the course are available. I was wrong, reading the review opening my mind on how much I don’t know about the web pen-test and how a lot of cool stuff on web pen-test can only be found through deep code review (WhiteBox). I also realized how the source code review can be very interesting things to performed. Its like a chess game between the developer and the tester.
I register for the course when there’s discount provided by Offensive-Security for 30 days lab including exam (USD 999). I found the course materials is easy to digest and followed. However, the extra miles is on another level. At first my approach was I tried to finish all the extra miles on the current chapter first before I move on into the next chapters. I found out its not suitable in my situations since I only able to spend like 1-2 hours in the morning and 1-2 hours in the night during workdays. I don’t really like to pause and resume the extra miles halfway. So I decided to follow through all the course materials during the workdays and on the weekend when I have better time frame, I spend it to solve the extra miles. I found this approach is more efficient and suitable for me.
At the end of January 2020, I finished the course including all the extra miles. The exam was fully booked until March 2020. I book my exam on 15 March 2020. During the time frame of my lab end and the exam date, there’s nothing much I do. I did one or two source code review projects on my daily works. Outside that, I found its challenging to find any playground to practice. For OSCP, we have a lot of choices such as HackTheBox and VulnHub, but for OSWE, I can’t find any places that provide the vulnerable machines with debug environment setup to practice the whitebox penetration test. In the end, I only spend the time on reading back the course materials and some articles found on others OSWE review. I hope there will be a place to learn the whitebox pen-test whether its on the existing platform such as HackTheBox or on the new platforms.
Unsuccessful Attempt
The OSWE exam is a proctored exam. I never take any proctored exam before. One day before the exam date, I take a further look on the proctored exam requirements. On the operating system requirements, to be honest the information is too vague and outdated. I hope it will be updated and be clearer. It will be great if Offensive-Security able to provide a testing session for student to test whether their setup could meet with the proctored exam requirements. To prevent the spam/overload, each student (based on their OSID) should be limited for 5-10 minutes, just to ensure their setup work. As of now, Offensive-Security have added the requirements for student that using Linux as the host OS to try the test session first before the actual exam. Good move, glad to see that.
At that time, I was using Arch Linux for my daily works and its clearly not on the list of recommended operating system for the proctored exam. While there’s possibility Arch Linux could be work for the proctored exam, I decide to not take the risk. My friend recommend to just use Windows 10 and even offer to use his desktop for the proctored exam, since based on his experience on OSCP exam, he has to install new operating system during the exam since its not meet the proctored requirements.
With that being said, I don’t want to just say goodbye to my Arch Linux and move to Windows. I love my current Arch Linux setup. Dual boot can be an option, however I encrypted the hard-drive, so to be able to dual boot I have to remove the encryption, resize the partitions, and then face the GRUB boot loader configurations which can be a lot of pains. I remember I disassembled my personal desktop computer and bring it to Singapore. So I decide to use it since it has been setup with Windows 10.
Here come another challenges, my room does not have a LAN port (So much for an executive condominium in Singapore). Since its a desktop computer, there’s no built-in Wi-Fi adapter. While assembling the desktop, I found this little Wi-Fi adapter which I actually never used since its only for backup.
I don’t know what’s going on inside my mind at that time but I decide to just use that Wi-Fi adapter instead of buying a new one. That adapter is the cheap three bucks Wi-Fi adapter that does not even have the brand. I tested the connection speed using the speedtest and its seems good, but I just not yet realized that small decision will become a disaster later.
The proctorer start with the identity verification and proctor set up tasks. All seems good but 10 minutes after the actual exam started.
Proctorer: Sorry to bother you, can you refresh your proctored page since we lost your feed on our end.
Me: Sure.
10 minutes later…..
Proctorer: Sorry to bother you again, we lost your feed. Can you close the browser, clear the cookies and open again the proctored site.
Me: Hmm okay, sure.
5 minutes later…
Proctorer: Please refresh your proctoring page again and ensure you have a stable connectivity. Can you run a speedtest?
Me: I am sorry for that, sure I will run the speedtest.
Speedtest showed the download and upload speed above 50 Mbps, so its not an issue with the speed. This thing keep going on during the whole exam session.
I am like !@#$%^&*(
I found it really difficult to stay focus on reviewing million line of codes with the periodical connectivity drop and the need to refresh the proctored page every x minutes. At first I thought this was because I am using the Wi-Fi connection instead of the LAN cable that unstable for video streaming. However, some students did the exam using the Wi-Fi connections and does not encountered the same issues as me. In the end, I found out the issue was on the cheap Wi-Fi adapter that I used on my desktop computer. So lesson learned, don’t be like me, don’t use three bucks Wi-Fi adapter for 999 bucks course exam. Long story short, I failed the exam.
To be fair, I can’t solely blame the connection issue for my failure. I think the main reason I failed is my lack of hands-on practices. In term of studying, I think I have spend more than enough time (roughly around 150 hours including the lab time) before the exam. However, its mostly only on reading stuff, such as the course materials on the bus during the travel go and back from office, but not the hands-on practice. During the exam, I even need to look up on the course materials to perform the debugging. This showed the lack of hands-on practice on me, because this kind of things should become a fluency before taking the exam.
Procrastinating and Losing Motivation
After failing the exam, at the same time, the C-virus become a big things on Singapore. The government start the soft “lock-down” and everybody have to start working from home. Working from home could be a paradise for most people, but not for me that live alone on the small room space and just failed the rigorous 48-hour exam.
I am a type of person who like to take a walk to think clearly about a lot of things. During the lock-down I simply can’t do that. I have to keep myself inside my 3×3 room with no-one to interacts the whole time. I start to lose my weight and also my mind. Furthermore, with the bed only one meter away from my working space, its make me lazy and spend most of time working from bed.
Try Harder
On the middle of August, my friend bring up again the OSWE topic which make the flame up again to finish what I have started. I revisited my old course materials and then purchased the new course materials that has been updated since July. The updated course materials seems better and clearer than the old one.
What even better is they provide three machines for student to practice without giving the solutions. This is what I am really looking for. On my OSCP journey, I prepared the exam by trying to attack five machines on OSCP lab within 24 hours. This is like a mock-up exam. I did the same thing for the OSWE. I picked up two machines (Answers and DocEdit) and try to simulate the exam. I managed to solve the Answers machine pretty fast (8 hours) and think of the exam machine should be twice harder than this. For the DocEdit, I found the authentication bypass attack vector but didn’t fully solve it since I got distracted to the new role on my job that I starting to enjoy.
My lab ended on 6th October, and I have scheduled my exam on 2nd October. I didn’t manage to finish all the extra miles and machines from the new updated materials.
Successful Attempt
My exam starts at 22:00 Singapore time. Around 20:30, the heavy rain started to fall. What make it even challenging, the electricity is also down due to bad weather. I am actually small laughing and thinking like “Oh they don’t want to make it easy for you huh, no external dual monitors and no stable good internet connection, great!”. I keep the positive mental attitude and start the exam with whatever resources I have (Emergency light, mobile phone hotspot, and hope my laptop battery has enough power until the electricity up). Luckily the electricity up one hour after the exam started.
Long story short, luckily I managed to get all the objectives within the first 24 hour. I spend the rest 24 hour to finalize the script and reporting. Since I have a lot of time for reporting, I tried to make it as details as possible like how Offensive-Security did on their course materials. This make my exam report end up to 62 pages. I feel on this exam the vulnerability is easier to discover, even though the exploitation could be tricky. I submit my exam documentation on 5th October and received the results on 9th October.
That’s all the journey. Thanks for reading through. As of now, I am still waiting for the new course from the Offensive-Security. I am expecting the great quality as the AWAE.
Did the AWAE course useful for your daily works? Absolutely. Using the knowledge that I gained from the AWAE course, I recall I discovered two CRITICAL vulnerabilities that end up on RCE for two different WhiteBox pen-test projects that I worked on. One of the projects even have been annually pen-test by different security vendors. So yes, its worth every penny. I just hope someday in the future, the OSWE lab will become more like the OSCP lab where student will have a lot of machines to practices on. It will be very very fun and interesting. I think with the recent update, looks like the direction is going there, hopefully.
In the end, I hope this can be an enjoyable reading and there’s at least something that you could find useful.