Home

Awesome

AWAE PREP Layout

This repository will serve as the "master" repo containing all trainings and tutorials done in preparation for OSWE in conjunction with the AWAE course. This repo will likely contain custom code by me and various courses. Below you can see in what order I completed these challenges / courses.

Prep Breakdown

The following table shows notes, courses, challenges, and tutorials taken in preparation for the AWAE.

OrderNameTypeLink
1JavaScript For PentestersCoursehttps://www.pentesteracademy.com/course?id=11
2Edabit (Javascript, Java, PHP)Challengeshttps://edabit.com/
3Simple Object Oriented Language ExamplesNotesN/A (I just wrote simple templates)
4From SQL Injection to ShellTutorialhttps://pentesterlab.com/exercises/from_sqli_to_shell/
5XSS and MySQLChallengehttps://www.vulnhub.com/entry/pentester-lab-xss-and-mysql-file,66/
6Understanding PHP Object InjectionTutorialhttps://securitycafe.ro/2015/01/05/understanding-php-object-injection/
7/dev/random: PipeChallengehttps://www.vulnhub.com/entry/devrandom-pipe,124/
8Understanding Java DeserializationTutorialhttps://nytrosecurity.com/2018/05/30/understanding-java-deserialization/
9Practicing Java Deserialization ExploitsChallenge/Tutorialhttps://diablohorn.com/2017/09/09/understanding-practicing-java-deserialization-exploits/
10SQL Injection Attacks and DefenseBookhttps://www.amazon.com/Injection-Attacks-Defense-Justin-Clarke/dp/1597499633

Post Prep Breakdown

Having completed the course, below is everything done in regards to prep before the exam. If you have not taken the AWAE and are considering taking it definitely do everything shown above, and read the source! I have provided README's in each directory and source code so you can see what I did. I cannot share extra miles .... so those will not be within the repository. Best of luck!

This may not seem like much, but it's what I did for prep. My best advice is DO NOT OVERTHINK things and don't rush through it. It took me 2 attempts when it should have taken one, I was jumping around not documenting enough what I was trying (It's easy to create your own rabbit holes...). Slow down you have 48 hours!

Community Contributions & Enhancements

If you find a new tutorial, challenge, or improve one of the exploits/payloads feel free to submit a pull request! Since Offsec has recently updated the course I may take it at a later date and upload some new challenges myself.

The main things I ask when contributing any challenges or tutorials is:

  1. All challenges/tutorials MUST be hands on - no exceptions. If its something where you just look at code snippets try to make it interactive. Re-code the samples and simulate them etc.
  2. You yourself must have the challenge completed. This means working through it and having code samples ready to submit.
  3. ALL submissions must follow the same structure as the main repository. Meaning:

For your own safety I recommend adding a header like this to all your code:

#/usr/bin/env python
#
# Exploit Title       : Practicing Java Deserialization Exploits
# Author              : wetw0rk
# Vulnerable Software : https://github.com/NickstaDB/DeserLab
#
# Usage : DeserLab is an intentionally vulnerable server that
#         is vulnerable to java deserialization. This exploit
#         leverages the vulnerability within the application.
#

Just to be sure you get as much credit as you deserve.