Are you preparing for OSWE or OSCP certification?

2020-03-17 23:07 Peter Sooky

The goal of this article is to help all people preparing for the OSWE and OSCP certifications.

OSWE with AWAE course

Some months ago, I registered for the AWAE course and got myself OSWE certified. When I signed up for the course, an online version had only recently been released, so I couldn’t find much information about what I had gotten myself into. My initial expectation was that the course is an introduction to whitebox analysis and code review to locate zero-day vulnerabilities in software, which turned out to be true. However, I found the course to be a bit lackluster. I felt that so much more could have been included in the materials.

The training materials are similarly structured to other Offensive Security courses. There are video and text-based learning materials with a dedicated lab environment, student forums, and an IRC channel.

Let’s start with the study materials. The course begins with the basics of how to use some tools like Burp Suite and some decompilers. After that, the course describes several case studies that involve chaining multiple web application attack vectors to gain shell access to specific machines. The course teaches you some quirks of programming languages and databases that could be utilized as useful techniques during exploitation of that particular technology stack. Basic methodologies for code analysis are showcased through these examples. Finally, there is some minor Python automation of exploitation in the spirit of BORE (break once, run everywhere). That’s about it.

The AWAE forums at the time were pretty much empty, although I never really found a reason to ask questions during the course. I did not visit the IRC channel, so I have no information about the activity there.

Moving on to other aspects of the course, the lab is designed to help you follow along with the exploitation of each machine in the study materials. Here you can investigate the underlying issues behind the vulnerabilities. I did not need much time in the lab. In about two weeks, I completed all the exercises, including the extra miles. I did find the extra miles pretty straightforward, and I felt these were included only to reinforce the concepts presented. As I went through these machines, I realized that I was missing the most crucial part, which is vulnerability discovery. The course does show some methodologies on how to find the vulnerabilities. However, at the time, the motivation behind the actions themselves was not clear to me. The materials did not convey why the author decided to act in a certain way. On multiple occasions, I felt that the course materials were all over the place and only made sense once the whole attack chain was linked together. My lack of understanding of all modules on the first read-through can account for these hardships.

The focus of the course is relatively narrow in the sense that it introduces the student to a very limited blackbox fuzzing and manual code review process. I think this is where the course falls a bit short. The use of static or dynamic analyzers is missing from the course, efficient testing and code auditing practices are also left out, and other formal verification methods are not even mentioned. The course utilizes a limited toolkit for bug finding and forces the student to do code review and manually find vulnerabilities that would not be identifiable through blackbox testing.

Overall, I evaluate it as a positive experience, as I did learn a lot of new things either directly or indirectly through the course. The language choices throughout the course were in my favor, as I was familiar enough with these languages to read and understand the code or, if needed, develop a quick program or exploit. Similarly, I am familiar with Python, so the exploit automation was never an issue for me. I advise learning the languages used in the course to the level that you can comfortably read and understand the code and know how to debug software written in them. A developer background will definitely help you out in the course.

I was expecting the exam machines would have software with small codebases and some exploitable quirks and features of technology stacks I hadn’t even heard of before, so I focused on practicing exploitation in my free time before the exam. Bad idea… To my surprise, the exam was the exact opposite. The vulnerabilities were not obfuscated at all, and once you found them, you knew exactly how to exploit them. However, the codebases were so massive that it would not be possible to achieve even decent code coverage under the 48-hour time limit. Fortunately, Offsec took this into account, and they introduced the issues in logically sound places, so we – poor folk – had the chance of identifying these zero-days during the exam. In the end, I successfully got all the objectives on the exam and gained remote shell access to all machines. The final exam report was 44 pages long.

I feel there’s room for improvement, though. As soon as the course started to be engaging, it was already over. I would welcome additional chapters on code analysis using tools that could be useful for large-codebase applications, as well as a short introduction to greybox and whitebox fuzzing. Further, extra mile exercises or other lab machines that help with practicing vulnerability discovery would also benefit future students of the course. I consider this an introductory course to whitebox testing. Neither the depth nor the breadth of the course lived up to my initial expectations. I feel a much more versatile range of techniques and methods could be covered in the course.

In conclusion, even with its current shortcomings, I can safely recommend the AWAE/OSWE course. If you are willing to sink in the time, then anything the course explains in depth, it explains exceptionally well. It introduces techniques and chains of exploits that open up new ways to look at vulnerabilities and leave something ticking in the back of your head, asking how this could be used later on in unexpected ways. As for the problems I have with the course, I hope future updates will address them. Until then, there are other courses available out there that nicely complement the AWAE course, although in a somewhat steeper price range. Consider this course the start of a journey rather than the final goal.

OSCP with PWK course

Some time ago, I took the PWK course and passed the OSCP certification exam. Based on reading several reviews about the certification before taking the course, I created this image in my head that the course is aimed at InfoSec professionals with a couple of years of experience under their belt. In retrospect, I consider OSCP more of an introductory course into penetration testing, but a challenging and demanding one nonetheless. Therefore, my review will assess the course from this perspective.

If you expect the latest and greatest exploitation techniques and bypasses, or some fancy attack vector chaining never seen before, this course is not for you. On the other hand, if you want to acquire a solid foundation in penetration testing on which you can build later, don’t hesitate to take the PWK course.

Once you sign up for the PWK, you get access to video and text-based learning materials that complement each other. The training material starts with the very basics of Linux usage and slowly ramps up the difficulty by introducing more tools and concepts necessary for security assessments. The course content is built in a way that walks the student through each phase of a penetration testing scenario. Even if you have no clue about any of this, the materials are decent enough and provide the hand-holding you need to accustom yourself to the tools and the methodology.

Along with the learning materials, you get access to the OSCP forum, which I did not find useful at all; thus, I suggest avoiding it altogether. The Offsec IRC might be different, but I have never visited the channel, so I can’t form an opinion of it.

Finally, the most valuable of the training materials is the lab itself. The lab environment consists of several networks, each with its own handful of machines. Working through the lab, you will get your chance to become acquainted with the following concepts:

  • Linux and Windows environments, along with techniques useful for transferring files and spotting clues for privilege escalation.
  • Basic programming skills to debug and rewrite exploits, or automate some redundant tasks.
  • Basics of web application attacks like SQLi, XSS, LFI, RFI, and RCE variants.
  • Effectively working with several tools useful for penetration testing, such as Nmap, Netcat, Wireshark, and others.
  • Windows and Linux privilege escalation using publicly available exploits or vulnerable misconfigurations.
  • Metasploit Framework for creating payloads in different formats or for firing exploits directly.
  • Escaping restricted shells and bypassing simple web filters.
  • Basics of pivoting and lateral movement.

It is good to know beforehand that Offensive Security certifications are strictly practical with little to no mentoring. Therefore, a large chunk of the learning experience for the course involves banging your head against the desk, trying to figure out why some of your exploitation attempts do not work when they should. While it seems a bit counterproductive to enlist in a course where there is no teacher to help you learn and figure out your problems, only to hear the “Try Harder!” mantra, many students view this as a positive aspect of the course. This artificially introduced rigor is probably the most realistic part of the course, in that it emulates a real-world penetration testing job.

That’s enough about the provided materials; let’s talk about my personal experience with the course. A lot of the information I was already familiar with through various university courses or work experience. That being said, the course did help me improve at work and was a fun experience overall. I had no issue with the self-study or the trial-and-error approach. In the beginning, like many other students, I had a hard time with privilege escalation, especially in Windows environments; back then, these were the machines I had the least experience with. The sheer amount of privilege escalation I had to do in the lab provided me with enough understanding and hands-on practice that, after the course, I could move on to other, more challenging methods. I feel this is where the course shines among other certs, as the practical aspect of the course ensures that you understand the core concepts. Another section of the course is focused on exploit development. I found this section a bit out of place and quite basic. However, I probably had the most fun during this part. For people interested in binary exploitation courses from Offensive Security, I suggest they look into the CTP/OSCE and AWE/OSEE route. Before finishing my lab time, I managed to get administrative shell access to all the hosts in the lab, which took me around one month without rushing through the machines. For future students, I advise focusing mostly on the lab. You will learn and get the most value out of the course here.

At the time I took the course, the labs were comprised of quite outdated machines. This aspect is a frequent critique of the course. I did not find it a significant issue. Given the dynamic nature of InfoSec, I don’t think any course can be 100% up-to-date, which is my experience with much, much more expensive courses as well. In my opinion, the biggest issue with the course and the lab itself is that it doesn’t mimic real-world corporate environments. Therefore, students may have problems utilizing what they learned from this course during internal network penetration testing. As an example, the materials did not touch on PowerShell or Active Directory at all, and AD presence in the lab network is somewhat limited. Man-in-the-Middle attacks were not covered at all, despite being one of the most utilized attack vectors in those scenarios. Apparently, Offensive Security saw this as an issue as well. At the start of 2020, they updated the PWK course to address some of these shortcomings. I did not have the chance to look at the new course materials, so I can’t review their contents.

In general, the OSCP exam is well known for its difficulty, and it is not the exam systems but rather the 24-hour time limit that makes it challenging. Between the continuous enumeration and exploitation of machines and the constant debugging of issues, fatigue quickly builds up, which causes one’s concentration and efficiency to suffer. These eventually lead to more problems later on. To break this circle, the best advice I can give is to have a thorough plan to ensure you’ll always know what to do next and how much time you are willing to sink into a single problem, and to document everything you need to do to compromise a host. The exam machines themselves were up-to-date systems, so you couldn’t take the easy kernel exploit path like in the case of some of the lab machines. Difficulty-wise, I found the exam machines more difficult than the ones in the lab, but not by much. In the end, I managed to complete all the objectives and gain administrative shell access on all target machines. My final exam report was 38 pages long, and the lab report I submitted had 122 pages.

A few closing words for people who are thinking about trying to get OSCP certified. While Offsec advertises its course as not beginner-friendly, I have to disagree. I think this certification is most valuable for people who want to break into InfoSec, like CS students or IT personnel at the beginning of their NetSec career, rather than seasoned pentesters. Definitely don’t allow yourselves to become disheartened by the fame OSCP has; dive into the deep end. At the end of the day, the course is a test of discipline and determination above all else.