# OSWE

**Repository Path**: any3ite/OSWE

## Basic Information

- **Project Name**: OSWE
- **Description**: No description available
- **Primary Language**: Unknown
- **License**: Not specified
- **Default Branch**: main
- **Homepage**: None
- **GVP Project**: No

## Statistics

- **Stars**: 0
- **Forks**: 0
- **Created**: 2026-01-22
- **Last Updated**: 2026-01-22

## Categories & Tags

**Categories**: Uncategorized
**Tags**: None

## README

# OSWE / Advanced Web Attacks & Exploitation (AWAE)

All my notes / scripts / exploits for OSWE study

## Timeline

- 08/02/2024: Start of Exam
- 10/02/2024: End of Exam
- 11/02/2024: Report Submission
- 12/02/2024: Received Pass Email! 🥳

## Course Content

* [x] **Introduction**
* [x] **Tools & Methodologies**
  * [x] 2.1.5.2 Exercises - Burp Suite Introduction
  * [x] 2.2.1.2 Exercises - HTTP Request Interception
  * [x] 2.3.2.2 Exercise - Source Code Recovery (Java & .NET)
  * [x] 2.5.1.2 Exercises - Remote Debugging in VSCode
* [x] **ATutor Authentication Bypass and RCE**
  * [x] 3.2.1.1 Exercises - Initial Vulnerability Discovery
  * [x] 3.5.2.1 Exercises - MySQL Version Extraction
  * [x] 3.5.2.1 **Extra Mile** - Alternate Path Discovery
  * [x] 3.6.1.1 Exercise - Data Exfiltration
  * [x] 3.6.1.2 **Extra Mile** - Extract Admin Password Hash
  * [x] 3.7.1.1 Exercise - Authentication Bypass
  * [ ] 3.7.1.2 **Extra Mile** - Is there another Authentication Bypass?
  * [x] 3.8.1.2 Exercise - Bypassing File Upload Restrictions
  * [x] 3.9.4.1 Exercises - Gaining Remote Code Execution
  * [x] 3.9.4.2 **Extra Mile** - Writing an Exploit!
* [x] **ATutor LMS Type Juggling Vulnerability**
  * [x] 4.3.1.1 Exercise - String Conversions & Comparisons
  * [x] 4.5.2.2 Exercise - Recreate Type Juggling Attack
  * [x] 4.5.2.3 **Extra Mile** - Compromise account without updating the Email
* [ ] **ManageEngine Applications Manager AMUserResourcesSyncServlet SQL Injection RCE**
  * [x] 5.2.6.1 Exercises - Regex, Blind SQL & Character Limitations
  * [x] 5.4.1.1 Exercise - Python PoC
  * [x] 5.5.1.1 Exercise - Writing files via COPY TO
  * [x] 5.5.2.2 Exercises - VBS Attack
  * [ ] 5.5.2.3 **Extra Mile** - Additional Attack Vector (Deserialization)
  * [x] 5.6.3.1 Exercise - Recreate DLL attack -> UDF Function -> Calc!
  * [x] 5.7.1.1 Exercise - UDF Reverse Shell
  * [x] 5.8.2.1 Exercise - PG_LARGEOBJECT Reverse Shell
  * [x] 5.8.2.2 **Extra Mile** - SQL Injection / Large Object / Retrieve LOID
* [ ] **Bassmaster NodeJS Arbitrary JavaScript Injection Vulnerability**
  * [x] 6.5.1.1 - Exercise - Recreate NodeJS Command Injection Reverse Shell
  * [ ] 6.5.1.2 - **Extra Mile** - Hardened Version of Bassmaster Application
* [ ] **DotNetNuke Cookie Deserialization RCE**
  * [x] 7.1.2.1 - Exercise - Visual Studio Solutions
  * [x] 7.1.3.1 - Exercise - An overview of Deserialization
  * [x] 7.1.4.1 - Exercise - Deserialize to Notepad.exe (Watch your Type, Dude)
  * [x] 7.2.2.1 - Exercise - Assembly Attribute Modification
  * [x] 7.2.3.2 - Exercise - Setting Breakpoints!
  * [x] 7.3.3.1 - Exercises - Follow Execution Path within Debugging Environment
  * [x] 7.3.5.1 - Exercise - Check Payload is Working
  * [x] 7.4.1.2 - Exercise - Reverse Shell & Info Disclosure
  * [ ] 7.4.1.4 - **Extra Mile** - Completing the Java Deserialisation in ManageEngine
* [x] **ERPNext Authentication Bypass and Server Side Template Injection**
  * [x] 8.1.1.1 - Exercise - Configure SMTP Service
  * [x] 8.1.2.2 - Exercise - Configure Remote Debugging
  * [x] 8.1.3.1 - Exercise - Configure MariaDB Logging
  * [x] 8.2.3.2 - Exercise - Hunting for Whitelisted, guest-allowed functions
  * [x] 8.3.1.2 - Exercises - SQL Injection! - from a blackbox perspective?
  * [x] 8.4.2.1 - Exercises - Authentication Bypass and much more...
  * [x] 8.5.2.2 - Exercise - Discovering SSTI
  * [x] 8.5.2.3 - **Extra Mile** - Discover another location for SSTI
  * [x] 8.5.3.1 - Exercise - Rendering the 'class'
  * [x] 8.5.3.2 - **Extra Mile** - Bypassing Jinja filters
  * [x] 8.6.1.1 - Exercises - Discovering Popen and more
  * [x] 8.6.2.1 - Exercises - Obtaining code execution
  * [x] 8.6.2.2 - **Extra Mile** - Template Modification to Display Output
* [x] **openCRX Authentication Bypass and Remote Code Execution**
  * [x] 9.2.1.1 - Exercises - Playing with JShell & SecureRandom
  * [x] 9.2.4.1 - Exercises - OpenCRXToken Class & Token Generation
  * [x] 9.2.4.2 - **Extra Mile** - Token Generator (Added CLI Parameters)
  * [x] 9.2.5.2 - Exercises - Resetting Account Passwords
  * [x] 9.2.5.3 - **Extra Mile** - Password Reset Attack Chain
  * [x] 9.3.6.2 - Exercises - XXE with a hint of XXE
  * [x] 9.3.6.3 - **Extra Mile** - Parsing XXE Script
  * [x] 9.3.8.1 - Exercise - Reading XML files with 'Wrapper'
  * [x] 9.3.9.2 - Exercise - Connecting to HSQLDB Service
  * [x] 9.4.1.1 - Exercises - Writing Files to Disk with some more XXE
  * [x] 9.4.2.1 - Exercise - Discovering JSP files with XXE
  * [x] 9.4.3.1 - Exercises - Shells!!!!
* [ ] **openITCOCKPIT XSS and OS Command Injection - Blackbox**
  * [x] 10.5.1.1 Exercise - Discover DOM XSS
  * [x] 10.6.2.1 Exercises - Rewrite the DOM
  * [x] 10.6.2.2 **Extra Mile** - Crafting a fake login page
  * [x] 10.6.3.1 Exercises - Adding functions to our exploit
  * [x] 10.6.4.1 Exercise - XSS Exploitation (First run of the exploit!)
  * [ ] 10.6.4.2 **Extra Mile** - Capturing and Storing Cookies
  * [x] 10.6.5.1 Exercises - Perfecting our XSS exploit
  * [ ] 10.6.5.2 **Extra Mile** - Capturing Sensitive Values & JS Keylogger
  * [x] 10.6.6.1 Exercise - Dumping the Database Contents
  * [ ] 10.7.4.2 Exercise - Fuzzing WebSockets
  * [ ] 10.7.5.1 Exercises - Finding disallowed Characters & RCE
  * [ ] 10.7.6.1 Exercises - Bypass the filter and get a shell
  * [ ] 10.7.6.2 **Extra Mile** - Full XSS Exploit Chain & Custom Commands
* [ ] **Concord Authentication Bypass to RCE**
  * [x] 11.2.2.2 Exercises - Viewing CORS Configuration
  * [ ] 11.2.5.1 Exercises - RCE in Concord (Python & Ruby Exploits)
  * [ ] 11.2.5.2 **Extra Miles** - Exploiting a newer version of Concord
  * [ ] 11.3.1.1 Exercises - API Information and RCE via cURL
  * [ ] 11.3.1.2 **Extra Mile** - Backdooring Concord with a new User via API Key
* [ ] **Server-Side Request Forgery**
  * [x] 12.3.1.1 Exercise - Finding your first SSRF
  * [x] 12.3.2.1 Exercise - Discovering Endpoints
  * [x] 12.3.2.2 **Extra Mile** - Exploring with more HTTP methods
  * [x] 12.4.1.1 Exercise - Blind SSRF
  * [ ] 12.4.2.1 **Extra Mile** - Why can't the SSRF be exploited?
  * [x] 12.4.3.1 Exercises - SSRF'ing into Internal Infrastructure
  * [x] 12.4.4.1 Exercises - Port Scanning with SSRF
  * [x] 12.4.4.2 **Extra Mile** - SSRF / Port Scan Automation
  * [x] 12.4.5.2 Exercises - Gateway Scanning
  * [ ] 12.4.5.3 **Extra Mile** - Hostname Enumeration Automation
  * [x] 12.4.6.2 Exercises - Internal Enumeration Automation
  * [x] 12.5.1.1 Exercises - Full SSRF Scanning Script
  * [x] 12.6.1.1 Exercise - Exploiting Headless Browsers
  * [x] 12.6.2.1 Exercise - Exploiting Headless Chrome w/ JavaScript
  * [x] 12.6.2.2 **Extra Mile** - Avoiding Data Truncation
  * [x] 12.6.3.1 Exercises - Stealing API Keys
  * [ ] 12.6.3.2 **Extra Mile** - Writing your own web server
  * [ ] 12.7.1.1 Exercise - Full RCE in KongAPI
  * [ ] 12.7.1.2 **Extra Mile** - Upgrade to a full shell and identify sensitive data
* [ ] **Guacamole Lite Prototype Pollution**
  * [ ] 13.1.2.1 Exercises - Reconfiguring the lab & Reviewing JS
  * [ ] 13.1.3.1 Exercise - Configure Remote Debugging
  * [ ] 13.2.3.1 Exercise - Polluting a JS object
  * [ ] 13.2.4.1 Exercise - Debugging the application and observing a crash
  * [ ] 13.2.4.2 **Extra Miles** - Finding another value & directory traversal
  * [ ] 13.4.1.1 Exercises - Debugging of EJS
  * [ ] 13.4.2.1 Exercises - Obtaining a Shell via Prototype Pollution
  * [ ] 13.4.2.2 **Extra Mile** - Polluting the Escape Variable
  * [ ] 13.5.1.2 Exercises - Handlebars RCE & XSS
  * [ ] 13.5.1.3 **Extra Mile** - Pug templating engine with XSS
  * [ ] 13.5.2.1 Exercises - Debugging the exploit
  * [ ] 13.5.2.2 **Extra Mile** - Creating a full RCE exploit chain
* [ ] **Conclusion**

## Extra Lab Machines

* [x] Answers
* [ ] DocEdit
* [x] Sqeakr