AWAE Journey (Starting Jan, 2020)

si20

I started WAPT by eLearnSecurity and got 50% through before my workplace decided that I should do AWAE (90 days) then return to WAPT. There's a long backstory to it, but it's not too important. Essentially, I start AWAE Sunday 26th January.

Skill level prior to starting: OSCP, OSWP. Worked as a Security Analyst for approx 3 years, web app pentester for the last year. I have very limited scripting abilities. I'm a relatively quick learner, so i'll give it all i've got and give very regular updates. 

I'll be 100% honest - i'm truly not expecting to pass this, let alone understand it all. I had intended to do WAPT in early 2020 and AWAE in late 2020, but for numerous reasons, I have to do AWAE first (can't go into it, work-related).

chrisone

If you have the backing from your employer it makes sense to switch over. It doesn't matter how hard the exam may be, it is about the effort you put into the journey. The journey will gain you so much experience.

Good luck and enjoy the course! 

SteveLavoie

Well.. at least WAPT and AWAE are both web application certs... Sure AWAE look more intensive but if work mandate this, and if they do this I am betting there is some contract requirement under that, so you will have their backing to do that certs. (money and time specially)

si20

So, 63 days left of AWAE and i've logged in approximately twice so far. I've just had no time whatsoever. I'm working off a 14" laptop. I know, I know. Sounds like excuses. But I've had an issue in my personal life that will be on-going for a while. It's safe to say this course has been a total failure from the get-go. If it was given to me at the end of this year (2020) I think i'd be all over it. As it stands, the timer is counting down and it's too late really. I know I can't pass it in the remaining time.

I am a bit gutted because I know work wont pay for another 90 days, so i'm screwed really. I guess for anyone reading this: make sure you have 90 days TOTALLY FREE and access to a good computer with approx 2-3 monitors (thank me later). Attempting this course with a 14" laptop and extremely little time is just not worth it.

yoba222

At this point, maybe try not to aim for a pass but instead just try and grind out like 30 days worth of quality studying. That way if you get another chance in a few months or a year, you're not starting again from zero.

chrisone

Don't give up! even if its just 30 days of decent studying just don't let is pass. Try to get in 30 minutes a day or every other day, try to go over certain topics during your bathroom breaks, sit on the toilet and try to read the course book. Wake up at 6am on saturday/sunday and log into the lab a bit. 

Ever heard of the 5 minute habit stacking method? It has helped many people get started in doing something they don't have any desire to do. Basically dedicate 5 minutes a day, the time of your choosing, do the task or don't do it (the point is to just show up for those 5 minutes), eventually add a minute when you feel you want to start 6 minutes to your daily task, stay consistent, build your new habit and increase the time you spend on that habit.

You have 60 days left, give the 5 minute habit stacking method 15 days to increase your desire and schedule. When you have the habit and desire built up, you will have 45 days of lab time left. Even then you can choose to go hard core gun blazing those last few days or just continue your stacking. Either way it was not an opportunity lost and you should try to take the test, you never know, you may just pass.

Good luck and I hope you give those 10-15 days of habit stacking a chance.    

SteveLavoie

Well... first, buy 1 or 2 monitors(depending on your situation)... you should receive them in 48h or less   First easy problem solved

Then, bolt yourself to your laptop and new monitor and "Try harder"   It seem harsh, but it is looking like false excuse. Your company gave you the chance to do it, they are expecting you to do it.   Also as @chrisone said, start his 5 minutes habits... (in your case, I would suggest 15-30 minutes first) but just start keep it flowing. 

si20

Hi all - apologies for all the confusion. A TL;DR is that I made the executive decision to finish the WAPT course by putting crazy hours in (12 hours on a sat/sun for 2 weeks straight) which amounted to 48 hours of study, plus the study I'd already done and did the exam. Now I'm awaiting results.

That's because.....my AWAE course is due to resume Saturday. Yep, with less than 1 week between them, now I've done WAPT I'm jumping back onto AWAE. Expect my first proper update Sunday as I see out the next ~50 days on AWAE.

si20

Ok so my course actually resumes on the 20th. I made a mistake thinking it was this weekend.

How have I been preparing? I've been going wild on capture the flag challenges (web based) and I've spent the last week working on HTML5/CSS3 as I need to slowly start building up the knowledge to not only write code but spot bugs in it.

Additionally I've been doing some HackTheBox challenges (2 "easy" machines down in total. Will publish a write-up when they're retired). I don't think they were easy but that's another topic for another day!

I've done as much pre-prep as I think is possible. So as of Wednesday, I will be back on the AWAE journey. My goal is to do as much as humanly possible to try and get a pass. If I'm honest, I'm not expecting a pass. I might not even take the exam unless I'm feeling 100% confident. A 48 hour exam knowing you're going to fail just isn't worth it for me. So, I'll stay positive and try to push myself to the limit.

chrisone

Hey @si20 have you looked into Pentester Academy's JavaScript for Pentesters course? It apparently helps for AWAE similar to SLAE for OSCE. 

si20

I haven't heard of that course before but I'll definitely take a look, thanks for the tip! The problem I've got is that I can just about read (some) code but that's it. I've never really used JavaScript which is why I can't see me passing this course. If it was up to me, I'd have done 12 months of dev work before taking on this course but I'll make do with the knowledge I've got and see what happens!

si20

Ok so I'm back on the AWAE. Been working on it today and I'm on page 44/268. It turns out I've got 62 days left. I don't doubt for a second I'll be able to complete all of the material by then (aside from challenges perhaps?). I'm not actually sure if the challenges help towards you passing the exam if you document them?

My impressions of the course still remain as they were last time. It still feels unpolished. The goals aren't all very clear. At the moment I'm just following instructions, it isn't teaching me a mindset. But I'm 44 pages in. Maybe that will come in time. I'll do another hour tonight and that's probably the best I can do on a weekday. Bring on the weekends!

chrisone

I guess at this moment, just continue to be fully committed. Any "study" time you have alotted is 100% for AWAE. 62 days will come and go, but still plenty of time to get to a point of understanding the material. Perhaps things will become clearer 4 weeks from now. 

si20

Checking in for my Sunday update. I have been doing 3 things - 1) CTF'ing. 2) AWAE'ing and 3) @chrisone's suggestion of JavaScript for Pentesters.

The CTF'ing is just to keep me sharp and make me look further/deeper at problems - it's not really related directly to the AWAE in any way.

AWAE - I'm on pg 65ish - I've actually found the PDF isn't as good quality as the videos. I've been following along with the videos and it all makes sense so far. There's nothing I don't understand (at the moment, I'm sure that'll change).

I've just finished the "Session Riding" section and I'm about to move on to turning an XSS into an RCE. 58 days left. It's too early to call, but I think whatever happens, pass or fail, it's going to be one hell of a tough battle.

chrisone

Thats awesome! I am just finishing the WAPTv3 Session Security module last challenge "web shell, server rdp info, etc"

I hope to finish 3-4 modules this upcoming week, then trying to finish the rest of the modules by the week of June 8th and possibly take the test on June 15th. I am really trying to take advantage of this work from home covid situation

si20

Nice!! The WAPT does turn into a bit of a hard slog during the final few chapters. I'm looking forward to hearing your thoughts on the exam!

As far as AWAE goes. Things just got extremely difficult. It now goes into code review, more specifically PHP. I am now out of my depth and I realize that I need to spend a solid 2 years on webdev alone. As you say, this course will teach me many things, including my own weak areas. I am somewhat ok with the idea that I've passed WAPT but I'm struggling on AWAE because it lets me know my current skillset and what needs improving.

JoJoCal19

si20 said:

Nice!! The WAPT does turn into a bit of a hard slog during the final few chapters. I'm looking forward to hearing your thoughts on the exam!

As far as AWAE goes. Things just got extremely difficult. It now goes into code review, more specifically PHP. I am now out of my depth and I realize that I need to spend a solid 2 years on webdev alone. As you say, this course will teach me many things, including my own weak areas. I am somewhat ok with the idea that I've passed WAPT but I'm struggling on AWAE because it lets me know my current skillset and what needs improving.

I would say a 2 year slog thru webdev isn't necessary. What all languages does the course use? I'm guessing HTML/JS/PHP as a base, but are there any other backend or other frameworks in it? Honestly I'd hit up CodeAcademy and go through their courses. Should take a month or so to get the basics down solid for each language.

chrisone

From the reviews I have seen on AWAE, many people do recommend spending time reviewing some basics of web dev courses. I don't think you need 2 years of this stuff. Even if you dedicate the rest of this year on AWAE it should be more than enough time. You already have done a very respectable mid tier level web pentesting course in WAPT, now you are jumping into a very extreme expert level course in AWAE. I think sometimes we pressure ourselves due to lab limitations and personal goal deadlines. I feel if web app pentesting is 100% your focus and expertise, then I would stay calm, do your best to do as much as possible with the last 55 days of lab you have left. I say this because you will be spending years doing web app pentesting , no need to sweat a cert right now

Have you seen this study guide?
https://github.com/wetw0rk/AWAE-PREP

I was using this guide because I actually had started AWAE prep and study for a couple months back in aug-sept of 2019. I finished the pentester academy javascript course (really only understood like 70% of it) then I started some other php and javascript basics courses. But as I got deeper into the "prep" work I realized this was too advanced for me right now. I have WAPT, I should start from there. Fast forward to today, and I am enjoying the WAPT course, but don't see myself getting serious or advanced into web app pentesting at the moment. So I dropped my ambition for AWAE several months ago. I really like cloud technologies from a career perspective and started to like exploit dev for a hobby. Amazingly I realize exploit dev is just a hobby, can't have that added pressure on me anymore lol. 

edit: Here is another interesting guide https://github.com/M507/AWAE-Preparation

Elitis

I've got serious respect for you guys doing courses and certs for web pentesting and exploit dev Chrisone and si20. A little too boring for myself, ironically, seeing as my journey into IT, cybersecurity and all things tech started with web development (as a hobby) years ago. I'll probably get into x64 buffer overflows at some point just for completion sake, but I don't think I'll ever i'll ever really get too deep into web pentesting, bug bounties, or exploit development. Anyway, I think you'll both do fine with your certs. I think si20, you may be putting a bit too much pressure on yourself. Pass or fail, you'll learn a lot. And there's nothing stopping you from retaking it until you pass.

chrisone

Speaking for myself I feel like as I progressed and learned more, I found new passions into certain areas of security. I just had to calm my excitement and identify the return on investment. Not just from a monetary stand point but also from a time invested standpoint.

@Elitis I see you have your eJPT & eCPPT, are you focused on pentesting at the moment? Any current course goals that you are interested in, in regards to that area?
 

Elitis

I can relate to that. Absolutely hated all things CLI when I was just getting started in IT doing the trifecta and web development. A few years later, I learned networking and loved it. So, I could see myself learning to enjoy exploit dev and web pentesting once I'm actually decent at it.

And yes, at the moment, I'm focusing on pentesting in order to hopefully get into offensive security later this year. I'm about halfway through the PWK 2020 course material and thinking about taking the exam within the next month or so. Its a bit weird going through the material after eCPPT. The majority of it is review, which is boring, although good to go over again.

I don't enjoy it as much as the eCPPT either, but a couple areas do go a bit more in depth on doing things manually which I enjoy. I want to do eCPTX afterwards, especially since it should be getting updated sometime this year, but I hear the material is quite advanced. So, I'm not sure if I'll be ready for it. If not that cert, I'll look at the Pentester Academy ADAD course.

I put CCNP on the back burner once I realized how much of a time commitment learning to hack would be, so after I learn a bit of red teaming, I may return to finish that. Other than those 3, I'm really more or less done with certs for a while. Although those three alone would probably take me halfway through the next year.

chrisone

Good luck on the offensive sec journey!

The ADAD course and exam was a beast and I highly recommend, especially for the price compared to elearn, offsec, sans.

I am waiting for the PTXv2 as well, I hope it does come out sometime this year. 

What is the reasoning behind CCNP? Are you going for a network engineer position? I was a network engineer for 10+ years and a sec engineer for 6+ years. To be honest you don't need a CCNP or CCNA for a security engineer or cyber analyst role. But I am only assuming here that you are intending to be int the sec field.  

Elitis

Thanks! Would you say ADAD would be a good choice for someone still pretty new to pentesting (OSCP level of knowledge or so)? Or should I wait a short while and learn a little more before attempting to tackle it? I realize there is a course attached to it as well.

For CCNP, there really is no logical reasoning. Just a personal goal. I had started studying for it shortly after passing my CCNA, since at the time I had planned to continue with networking in the private sector, and had planned to study for both it and learn pentesting at the same time, but like I said, I realized pentesting would take a huge amount of time and focus so I dropped it.

I guess I could always learn the skills without necessarily taking the exams, but I feel I learn better with certs as an end-goal and way of proving to myself I do know the topics. Maybe I just have too many interests and too little time to do it all lol

chrisone

PA AD course is completely different from what OSCP or eCPPT is and you will not require OSCP eCPPT level knowledge. AD course has zero pentesting of services. Its a red team skill set and will teach you how to own a domain once you already inside the network. For the price of the course, these skills are priceless and compliment any pentester or blue teamer. 

I get excited for many courses and technologies and want to do them all as well. However I learned to see these courses and certs based on ROI. It really helps check my wallet and my time

Elitis

Interesting. So, it's entirely an internal assessment course? I'd wager that means the course assumes you can already handle the external aspect and get it into the network in the first place then? It's sounding more and more like what I'm looking for. I really should get it now while their discount still applies.

Red teaming definitely sounds like hacking on hard mode, and abusing services and misconfigurations is already difficult enough, but I like how it sounds as a next step. "you can get into a network, now can you do it silently, and remain there undetected" 

chrisone

Correct, you start inside a low level user on the domain. The course will teach you to escalate to local admin, steal credentials, then lateral move unitl you pwn domain. If I have time and energy, I will look into CRTE. However I definitely want to do PACES sometime next year

Elitis

Just looking at PACES sounds incredible. A bit frightening to think there are dangerous people out there that could potentially own entire forests given the chance. But I guess that's why offsec is such a valuable thing. 

SteveLavoie

PACES ??? is it me or too much acronym today

chrisone

Wait till the purple team certs start coming out

CPTAEDE
Certified Purple Team Adversary Emulation & Detection Engineer or (Expert, because gotta have expert in the title lol)

si20

I'm afraid I'm going to fold on this one guys. I just simply don't get the content. I think it's a multitude of reasons. I think the course is poorly put together and I don't think they make it obvious enough that this is really a source-code reviewing course/exploit-dev. I'm not either of those. It's not just an advanced course, it's a highly-advanced, specialist course - if that's a thing. I've beat myself up about it, but truth be told, I'm just not at that level yet.

The only plus point is that I now know exactly where my skillset is and what I need to do to work on it. In order to keep me from crying in a corner, I'm going to attempt the Pentest+ (within the next 10 weeks). So, I'll post a new topic there and get going on it (self-funded).

chrisone

I understand, its a case where because you are pressed for time and running out of lab time, you can't really focus on the basics. I have heard this story in the past that people are not really liking the course and its mostly just code review. 

Most reviews or prep guides mentioned a couple months of JS, PHP, practice. Personally I struggled with the pentester academy JS course, only because I had zero experience with JavaScript and trying to jump into pentesting JS was way over my head. I understood only like 40% of the course and then I started to study the Eloquent JS book to get a better foundation. I just felt I was too behind to jump straight into AWAE. I had too many other certs\course interests to push all that aside for web app pentesting. Plus web pentesting isn't my favorite lol I like it, but its not my focus.