HTB Certified Web Exploitation Expert (CWEE) in 2025

New year, new cert in a new domain with a new provider. The CWEE was a challenging but ultimately fruitful journey.


New year, new cert. After having completed the OSEP and OSED, I felt that I was ready for a new challenge, so I decided to take on the OSWE to brush up on my web exploitation skills which I felt were a little lacking.


And I promptly got distracted by the Hack The Box CWEE.

HTB Certified Web Exploitation Expert (HTB CWEE) is a highly hands-on certification that assesses candidates' skills in identifying advanced and hard-to-find web vulnerabilities using both black box and white box techniques.

My previous experience with HTB was learning content for CDSA. I was curious how HTB's 'advanced' level courses would compare with Offsec's 300 level courses.

TL;DR: HTB's structure and its conscious approach to reducing friction in learning allow for more consistent, short-term learning 'bursts', but the content has a shallower depth.

Content is more digestible

HTB structures its content in modules, broken down into topics. Each topic is its own self-contained mini-course, with an introduction, an explanation and hands-on exercises. At the end of the module, there is a skills assessment that tests everything that you learned.

Offsec follows a more traditional course layout, where a larger chunk of information is given to you at once because it relies on real-world examples. This sometimes makes it hard to break down or focus on specific aspects of the vulnerability, as considerable background about the application has to be covered first.

Both courses replicate the examples closely in their exercises, so it is hard to go wrong, but Offsec doesn't give as many skills assessments as HTB, where a little out-of-the-box thinking may be required.

For HTB, I estimate each chapter in a topic takes about 5 to 10 minutes to cover, with usually 5 minutes of practice at the end. This is great when you can only snatch 30 minutes of your day here and there, and it makes keeping consistent progress much easier.

Offsec requires a higher time commitment upfront; my experience is that you want to set aside a good two-hour block to read through and understand the content, and maybe another hour or two for practice. I appreciate the realism that this provides, as it also covers some tips for enumeration and discovery of these particular vulnerabilities, and it allows the course to go deeper, as evidenced by the real-world examples that OSWE uses, but it also makes it harder to keep consistent progress.

In-Browser VM makes learning on the go easy

HTB offers Pwnbox, an in-browser VM with all the tools that you need to practice the content. In my experience, both Pwnbox and the practice machines take about five seconds to start up. It also offers a small 52MB (tiny!) persistent storage to store your scripts. I had a few instances where the persistent storage failed to mount, but this occurred only very rarely and did not affect my learning experience.

It is very convenient when you don't want to start a whole VM just to install some tools to practice or test out a new concept. It also allowed me to take my learning to whichever machine I was using at the moment. I didn't think I would like this so much. Again, this removed another point of friction for me.

For Offsec, the start times for the VMs are longer, and in the case of OSED, where some lengthy manual setup is required, it can be up to 30 minutes before you can start learning. Some applications require you to SSH in to start them, which I felt was an additional step that could be automated away.

Content focuses on breadth over depth

The CWEE content focuses on expanding your knowledge of web exploitation to the niche and edge cases. Things like LDAP injection and XPath injection are not typical exploitation vectors you see in day-to-day engagements. It also covers edge cases like HTTPS exploitation, which is quite impactful if you can find it on an engagement, but is quite rare these days unless it is a legacy unpatched system, as these bugs would have been found and patched a long time ago.

There were some advanced topics on how to exploit Blind SQLi, and on other means of XSS exploitation, that deepened existing knowledge, but these were the exception.

It isn't necessarily a weakness, but it is different from Offsec's approach, where the 300-level courses revisit 200-level content at a deeper level. Comparing it to OSWE's content, while both rely heavily on whitebox methodology, OSWE went deeper in terms of explanations. Since the applications used in OSWE were real-world applications, the code base was also considerably more complex.

Examinations are more relaxed

HTB examinations are comparatively relaxed 10-day affairs compared to Offsec's breathless 72-hour exams. The exam is structured such that you can approach it the way you approach the course, an hour or two every day.

Like the 300-level courses from Offsec, it felt like a fair test of what I've learned.

The reporting requirements were much higher because the report needed to be structured like a professional pentest report rather than a description of how you managed to obtain the flags. I found myself spending much longer on the reporting than in OSED or OSEP.

You are also offered one free retake when you book the examination, and unlike Offsec's proctored exams, there is no stress of having to book an available date or time for your exam. The longer exam window also gives room for any hiccups that may occur, and you don't have to plan weeks in advance. This made the entire process stress-free for me.

My examination experience

I did not pass the first time around. Reading about previous experiences that others had on the exam (e.g. 'nightmare level exam') made me a little too over-cautious, and I did not commit fully to it until the later part of the exam. My prep and optimisation were also minimal compared to Offsec-style exams, as I thought I would have the time to refer to the course content during the exam itself. In hindsight, I think I would have passed on the first attempt had I committed from the very beginning and optimised my notes better.

My notes came in useful during the exam, and I would say that, in order of importance:

  • taking good notes of discovery and exploitation vectors
  • a good playbook on how to enumerate different possible vulnerabilities
  • having links back to the actual content, in case you missed anything.

There were times when I got stuck because I neglected to enumerate a possible vulnerability, or didn't try an alternative exploitation vector after I managed to successfully exploit a vulnerability, so it was also useful to me to keep track of what exploitation vectors I tried for a particular vulnerability.

It is hard to gauge how difficult the exam was, because everyone has different experience and background. But I think if you did not struggle learning the content and have gone through it in detail, it is highly unlikely that you will struggle too much during the exam. I felt the difficulty was pitched at the right level, and the exam was fair. Comparing it to Offsec exams, I would personally put it at around OSED in terms of difficulty, because there was no time pressure even though it was longer. I would even say the exam was quite fun due to the lower stakes.

Final Verdict

  • Good breadth of content, with a focus on a wider variety of web exploitation vulnerabilities.
  • Example-focused rather than real-world applications.
  • Exam attempts are low-stress.

I really enjoyed taking the CWEE course. There were some duds in terms of the content, but I learned many useful techniques and expanded my web exploitation repertoire.