Tuesday, September 1, 2020

Advanced Web Attacks & Exploitation (AWAE) To OSWE Certification

Right, so I had been doing bug bounties for the past year. Managed to make some decent cash from my side hustle and thought that I should bring it to the 'next' level by improving my white box/code review skills. Unfortunately for me, I suck big time at coding. Then came the difficult question: do I pamper myself with a new 16" MacBook Pro, or do the right thing and spend my hard-earned bounties on upskilling myself? Thankfully, I came to my senses and decided on the latter. I signed up for the Offsec AWAE course with 3 months of lab time.

The course material started off with XSS, which wasn't that difficult to understand, but then came the extra miles exercises that required some XHR JavaScript coding. This part was a challenge for me as I had not written much code for some time. Anyway, I managed to finish all the exercises and extra miles. Completed all materials in about 1 month. Then came the announcement from Offsec that new material had been added to the course and existing students would get an upgrade plus 1 month of lab time for free. I downloaded it and found 3 extra topics. I didn't really focus much on them since I planned to complete the exam ASAP before they refreshed the questions!

I sat for the exam shortly after completing the old course materials but failed miserably. The difficulty is not exploiting the bugs, but finding them! This is where I feel Offsec fell short: the course focuses on exploitation and automation but not on bug hunting techniques. In my opinion, there should be more emphasis on how to find the bugs. Once you find them, usually, it's not difficult to exploit. But that's provided you had NOT been down countless rabbit holes that just zap your energy. That's what happened to me during my first attempt: by the time I found the bug, I was too lethargic to proceed further, let alone write the necessary exploit code. I tried in vain to complete the 1st host within the first 24 hours but failed to even find one flag, but I didn't give up. The next day, I attempted the 2nd host but still fell short of finding all the flags. :( This was very demoralizing, but I wasn't prepared to quit so soon. Remember, to pass this exam you need to do 3 things - find the bug, exploit it and write decent code to automate the exploitation. Fall short in any of these and you will not make it through the exam.

There was a cooling-off period of 4 weeks, so that gave me ample time to adjust and think about my next strategy. Since I had already completed all the extra miles in the course materials, there was no point in redoing them, so I searched for some real-life targets on different bug bounty platforms for practice. By using the techniques directly taught in the AWAE course materials, I scored my first CVE-2020-15160 with a USD 250 bounty! How's that for real-life application!

While I can't talk much about the exam, all I can say is never give up. On my second attempt, the 1st box was still difficult and I nearly felt like quitting, but I was very confident that I had identified the bug and that I just needed to get the exploit automated; this was where my coding skill was really tested. Thankfully, within 12 hours I had scored the first & second flags, and within 22 hours I had enough points to pass the exam. I took my time to write the final report while the exam was still in progress. Finally, after about 24 hours I had completed documenting all my findings along with the necessary proof.txt and local.txt flags.

My advice for peeps planning to sit for this exam - complete all extra miles and take note of the PoC scripts that you had written in the course materials. The exam is not exactly straightforward; it tests your understanding of exploiting common web vulnerabilities. I highly recommend anyone interested in learning white box testing to undertake this course and work towards certification. I, for one, will never wish to sit for such a gruesome 48-hour exam again! Compared to the other Offsec exams, OSWE is more difficult than OSCE and OSCP, primarily because you need to master all 3 skills (bug identification, exploitation & exploit development) to clear this exam. In OSCE, the coding skill required was nothing compared to this one. In OSCP, there was hardly any coding required, with the exception of the BoF exploit, which is considered child's play. I think people with good coding skills should find it easier than those that don't, just my opinion.

Finally, get used to the idea of someone constantly watching you during the exam via webcam and desktop sharing, LOL! I tried to look decent at all times, but Malaysia is a hot and humid country. All the best!