Home

Review of Offensive Security - Advanced Web Attacks and Exploitation (AWAE)

These are my personal opinions based on my background and training experience.



Course


Format:

This course is online.


Materials:

The course materials include videos, a PDF course guide, and access to a forum with other students.


Class size:

The class size is unknown.


Environment

The lab environment is not shared with other students.


Estimated cost:

At the time of this review, the course prices were listed as follows (Check the web site for actual prices!)

PACKAGES

AWAE + 30 days lab access + OSWE exam certification fee $1400
AWAE + 60 days lab access + OSWE exam certification fee $1600
AWAE + 90 days lab access + OSWE exam certification fee $1800


RETAKES

OSWE certification exam retake fee $200


LAB EXTENSIONS

AWAE lab access – 30-day extension $500
AWAE lab access – 60-day extension $700
AWAE lab access – 90-day extension $900


UPGRADES (ONE-TIME OFFER FOR ALUMNI)

Upgrade AWAE course materials to the latest version + 30 days lab time $99
Upgrade AWAE course materials to the latest version + 60 days lab time $299
Upgrade AWAE course materials to the latest version + 90 days lab time $499



About the Course:

First, this isn't an entry level course. It is a white box web application penetration testing course. As their website says, "The bulk of your time will be spent analyzing source code, decompiling Java, debugging DLLs, manipulating requests, and more, using tools like Burp Suite, dnSpy, JD-GUI, Visual Studio, and the trusty text editor."


My motivation:

I originally signed up for this course right after it went public. I spent a lot of time working with a very knowledgeable co-worker (one of the co-workers I truly admire) who had also signed up for the course as well, and together we worked through most of the course, doing the exercises and the extra mile exercises. I originally only signed up for 30 days, paid out of pocket, and spent every free moment learning and working as hard as I could on the course. I signed up for a 30 day extension on the lab, and continued to work toward completion of the course guide. (I was also changing jobs around the time, battling some health issues, and so there was a lot going on at work and at home.) I ended my lab time lacking two extra mile exercises. I had invested a large amount of time into one of them, and have yet to look at the other one. The one that I had worked on for months after the class kept bugging me. I finally stopped obsessing with it, and a year passed and something made me revisit that extra mile. There were more entries on the forums for that extra mile exercise, but they all said basically the same thing. Well, I finally got the hint/nudge/snippet I needed and it kind of fell together. I was able to complete the exercise and let off a big sigh of relief. A few months later, Offensive Security e-mailed saying they had updated the course and added 50% more content and that I could upgrade my materials and get 30 days of lab time for $99. The course was fresh on my mind, and I really didn't have much going on, so I signed up, picked a date (then had three other courses fall between then and my start date.) I had already taken the 48 hour exam, which was monitored, and failed it. I failed it badly. I failed it so badly, I would venture to say I never even started it. Of any exam I have ever failed, this fail was 100% legit. I had no clue, plus I was freaked out and was not prepared. I spent a lot of time reflecting on what happened, replaying the code over and over again in my mind (slowly forgetting what I had seen) and one day I realized I had actually had more of a clue than I thought, and I just spent my time not knowing what I was looking at and blaming the fact that I was *not* a "programmer" or a "coder" or a "web application" person. So my first attempt at this course left me feeling like I had a huge gap of learning missing. And I still feel that way, although I realize now that the gap may not be as wide as I thought, nor as deep as I thought, but there is a gap that must be filled through hard work. And I have another 30 days with which to work hard to fill that gap.


My Review:

When my updated lab time started, I jumped into the lab, and started looking around. I was lost for a few minutes, until I carefully read the control panel screen and went back to my original start e-mail and found the URL of the in-lab Wiki. Once I was fully set up for the lab, and had tested a few things, I loaded that Extra Mile mentioned above, in the motivation section, and tested it to be 100% sure it worked. It worked. It worked! And I was understanding it. Then I realized I had missed the final two Extra Miles (and one was missing in the updated course work.) Since I had a ton of info for one of those extra miles I decided to take a little time and work on it to get back in the groove, and while I didn't write the automation script for it, I did manually do the steps to exploit it and verify it worked 100%. So now I have a final extra mile to go, but I will revisit that extra mile once I finish the new stuff and will automate the other one (if I have enough time!)

One of the first things I noticed was that there were a lot of new boxes in the lab. My first time, there were five machines. This time, there are twelve machines. The first PDF was 267 pages and the second PDF is 412 pages. What was really good for me was that I connected back to the lab and got the exact IP address scheme as I had the first time. So all I had to do was update my /etc/hosts file and add the new machines. When I tested that Extra Mile I had done outside of the lab, all I had to do was run the python script. So all those 'test' scripts, the ones where I hardcoded IP addresses until the test was successful and then I made the final script to take arguments, will still work. That is a relief!



More to come on this...



As I started back in the AWAE lab, I had very similar feelings as I had the first time. And as I finished those lingering extra miles, suddenly the whole experience from the first time came crashing back into my memory.

I remember my co-worker and I, in the days leading up to the class start date, we both did the Javascript for Pentesters by PentesterAcademy (which helped a *LOT* earlier in the labs), and once my lab access started, I jumped head first in to the PDF, stepping through each exercise and doing everything and keeping a ton of notes in KeepNote. When I would reach an Extra Mile exercise, I would start working on it full force. There were times when I did the Extra Miles with no help, and some I needed a nudge. Others, I remember there were times when I would hit a brick wall and talk to my co-worker and he would either have the answer or we would work together to come up with the answer. Sometimes we had to seek help from others to fill a knowledge gap, but we pressed through the PDF and the feeling of accomplishment was the best feeling in the world.

But what I also remember was pulling up a chair outside my co-worker's cube, and looking over an Extra Mile exercise, and suddenly I couldn't breath, I couldn't think, and the pain in my kidney was so bad that I almost fainted, and I was leaning over so far that I almost fell out of the chair. I remember him talking to me, but some of that time I have no clue what he was saying and other parts of the time I could concentrate. I also remember talking to him and almost blacking out and having no clue if I finished what I was saying or not. Kidney stones are not fun! And I was supposed to get on a plane and fly five hours one day, spend a day in a car and walking around the next day, and then spend five hours flying home the day after...luckily my work allowed me to skip that trip or else I would have had a horrible experience.

The class was still in progress when the new knowledge paid for itself and instantly made everything worthwhile. And since then, the information I have learned has been needed over and over again. I have worked on projects and remembered code I wrote for the class, pulled it up, modified it and/or rewrote it from the ground up, and used the new script for work, for a CTF, or during another training course. This was not a learn new stuff, take a test, and forget everything I learned type course. This is a course where I still use the knowledge almost weekly.



I'll add more to this later as well...



Well, maybe not. Between the issues with my arm, having to do massive setup to follow along in the lab manual, and the update to RastaLabs that made it crazy hard and challenging, I have let my lab time expire. With a long weekend coming up, and three flags left in RastaLabs which I hope to finish by the end of the week, I will just read the rest of the AWAE manual, wacth the videos, and if there is something super duper amazing important, I will figure out a way to get more lab time, but I will probably just back burner the AWAE till I advance my skills a little further.



Misc:


The Exam:

All I am going to put here is that it was like a 48 hour exam, the exam was proctored, and the login screen and web panel were very similar to my OSCP exam. I ended up calling it quits before the end of the 48 hours. See above for my feelings on this exam.






My two cents:

Based off my inital experience and the updates, I think they did a great job with this course. If code review, and advance web attacks are of interest to you, this is a good course.






Copyright © 2024

Contact: redteamtrainingreviews @ redteamtrainingreviews.com