awae / web-300 unused prep notes

Shortly after earning my OSCP I wanted to someday continue that push through the Cracking the Perimeter/OSCE certification as well. I never got around to it, and then OffSec retired that course while releasing AWAE(now WEB-300)/OSWE (and EXP-301/OSED), which I immediately also wanted to do. Part of my prep for a major certification is to Google up all sorts of reviews and posts about the certification and what other study materials and tips and insights other students found useful. This includes blogs, reddit posts, forum posts, and anything else that I could find or dig through. As such, I did plenty of this as preparation for the AWAE (WEB-300). I still plan to pursue this someday, but for now I wanted to share what I had compiled into my personal notes.

Some of these things I may have gained knowledge of through other less formal means over the past few years or just outright completed without really planning it, but AWAE is still pretty new and all of these resources are likely still relevant.

That said, never let too much preparation get in the way of getting access to the course and the labs for practice. You don’t just get sent off straight into an exam, and can always put that part off for later if some gaps in knowledge continue to linger.

Lastly, it should go without saying to click links below at your own discretion. All are external to this site.

My Goals

  • level up my hands-on web app pentesting
  • code review skills looking at vulnerabilities
  • writing exploits for web app vulnerabilities
  • actionable python (requests, etc)
  • learn much more about .NET, C#, nodejs, php, and some more on java…enough to feel comfortable reading source code and tracing requests and parameters
  • more familiarity with Visual Studio Code, debuggers

I do like to write out goals, as they do a few things for me. First, the goals help make sure I’m aligning my certification path and the preparation towards it with what I hope to get out of it. Second, it helps give me an idea what the certification path is all about, so that I can slot other possible preparation topics into it. In other words, managing expectations and summarizing the output.

This is my initial seeding of research and prep

Preparation Checklist

This is my reviewing of the above items and setting up some semblance of a plan. Considering what this cert is, I definitely don’t see myself signing up for this until the latter half of 2021. Worst case scenario, I am not entirely prepared, but sign up for the course anyway and either put off or fail the exam. Either way, I still come out of that with some learning, and extra time (and less stress based on deadlines), and a good idea of my next steps.

General things I need to do:

  • learn what MVC and OOP really mean
  • Python, writing small scripts to deliver exploits, handle requests <–should be comfortable with this
  • C#/.NET
  • nodejs/Javascript
  • php
  • java
  • learn debugging and decompiling tools, dnspy, de-gui
  • regex
  • more SQL injection
  • do various vulnerable web apps
  • Visual Studio Code
  • SublimeText
  • brush up on various in-scope web app vulnerabilities types
  • comfortable debugging the above on Windows and Linux, or at least aware of techniques

Actual things to do


  • dnSpy – .NET decompiler
  • Python requests and exploit building
  • de-gui for java?
  • use Visual Studio Code regularly (many benefits; hotkeys and debugging, going to modules/references)
    • leverage Visual Studio Code SSH extensions
    • understand the launch_json files in Visual Code
  • learn some SublimeText (for python)
  • Burp (set scope, intercept requests, manipulate requests…)

Languages / major themes / skills

General techniques to know about

Pre-course things to revisit before purchasing the course

  • read the footnotes and links, do the extra miles!!!
  • define a methodology: blackbox the app first, then white box source code (grep/ngrep?)
  • set up kali and note strategy
  • read offsec faqs and guidelines for course and exam

Lastly, make a list of things from the above to review halfway through the course, and another list to review before scheduling the exam.

Balancing Private Notes and Public Notes in 2022

Back in the early 2000s I often used my blog to hold notes, links, and things I’d consumed or done or would check deeper into or read or do. Over the years, this activity sort of moved away from being in a blog, and more to my own private notes, or into Pocket (never to be seen again!). I feel like some of this is the result of the growing avalanche of information at our fingertips from 2000 until now.

I’ve gotten to the point where I kinda want some of that stuff cycled out of my private notes, but not always entirely lost. Something I could possibly still search and re-reference, without maintaining my own mini-encyclopedia of topical notes and links and to-do lists. Honestly, sort of the same itch that a diary or journal serves for thoughts and experiences…or other blogs and feeds. And the same sort of thing that will just go away when I do as the domain/hosting expires. (See, that’s the good part of hosted blogs, like blogspot and blogger, right? They’ll stay around?)

So, maybe I should start to empty out a bunch of my private notes into my blog here! I mean, on the other hand, why not? And while not private, it’s not like a bunch of folks will read most anything I put in here. 🙂 I feel like the days of personal blog-popularity are long gone anyway.

I used to also have a personal wiki I hosted, but never really did too much with, that I could resurrect for some things. Or just move that sort of usage over to Github Wiki.

I don’t think I’ll ever use a blog as a “to-do” list, as that is way too suited to a notes app. But, I can at least have a way to trim things off without feeling like I’m forever losing a resource or reference. Thereby maybe regaining control of my “to-do” list! Let some things go, ya know?

Anyway, I’ll see how this goes.

btlo lab recommendations based on soc tiers

Regularly over the years I’ve had opportunities to give advice and direction on new or growing cybersecurity folks. I like to point out books, certifications, courses, resources, and most importantly other practical activities to grow knowledge and confidence as we all forge career paths. I’ve recently discovered and been playing on the Blue Team Labs (BTLO) platform which has, as the name suggests, blue team-themed exercises, challenges, and labs. There are nearly 200 labs and standalone challenges on the site, some of which are very difficult while others are relatively simple to solve.

Rather than discuss the platform itself at length, Dimitry Bennett wrote an article about his experience on the BTLO platform that basically says all that needs said on the topic.

But, there is still one thing I thought was daunting about the platform: Where to start when one is pretty new to cybersecurity? And this is the challenge any time I talk to someone else about where they’ve come from and where they want to go. All of us bring to the table different levels of experience, knowledge, and comfort with various technical and even non-technical topics. Some of us are very inexperienced with Linux, or have never written a program or script before, or maybe have done very little Windows system administration, but know Linux like no one’s business. What I wanted was a quick cheat sheet on what to suggest to students who wanted to quickly get their hands into the BTLO labs without immediately hitting walls.

This page is meant to help me prescribe labs and challenges to security analysts I encounter that are looking to build particular skills or experience what common SOC tier expectations exist.

I do want to make clear that the SOC tier expectations and levels of knowledge is just my take on the subject. I’m not going to be correct on all of these, nor will I be correct for how every organization/environment defines the job duties and expectations of each tier. I’ve just given this a best effort in the context of the whole of the labs, since I’ve gone through every single one, and my own experiences over years in the IT and security industry.

I also want to make clear that BTLO does allow students a chance to see what they’re getting into. Every lab has a difficulty level set to it, the date it was released, the general tools expected to be present, and even the number of solves that have been recorded since the lab was released. All of these can also help guide students to maybe avoid things they may find frustrating.

Here is a quick key to some of the columns in my table.

  • Diff(iculty): Difficulty 1-10, 10 being hardest. My personal subjective value of how difficult this exercise is. Usually this is influenced by how much effort and knowledge may be needed to complete.
  • SOC: My gut feel on what SOC analyst tier level I would expect to complete these exercises. Some tasks are pretty normal for tier 1 SOC analysts, whereas some of the more involved analysis may be reserved for higher tiers. I add a “+” if this task kinda overlaps into a higher tier. As an example, analyzing an image of live system memory or a PE executable file is typically reserved for more experienced analysts.
  • Skills: My summary of the tools needed. If you don’t know Wireshark and want to learn more, then look at the easier Wireshark exercises. Of particular note, I make sure to list an OS if knowledge of or comfort using that OS is a huge help in solving the exercise. Adding “administration” to the OS is my way of saying that experience being an administrator of this server would be very helpful.
  • Notes: My very quick reminder about what the main point of this is.

INVESTIGATIONS (by difficulty & SOC level)

Deep Blue11Windows, Event Logs, PowerShellFocused, easy, good lesson (use the tool provided!)
Indicators21Windows, OSINT, PowerShell, exiftool, notepadBasic analysis of a strange file that is likely malicious
PhishyV121Linux, web, emailMostly entry level, and good foundational skills
Bits21Windows, Bits, Event LogsGood lesson, specific Windows tool (bits)
Exposed21+GitFocused on git, a bit offense-like
SOC Alpha 121+ELK, Windows administration/attackELK, logs of common attacker actions on Windows
Miner21+Wireshark, Network Miner, networking, pcapsSome not-beginner concepts using pcaps
Replaced21+Text editor, OSINT, Visual Basic, codeVery straight-forward Visual Basic code analysis
Fingerprint21Wireshark, ja3, Linux (to use ja3)Pcap that requires filter use, external ja3 tool
Eradication21+Yara, Linux, joesandboxRunning yara rules on linux
Mon21Windows, sysmon, IRSysmon and malware IR on Windows
Print21+Wireshark, Windows, sysmon, printersFocus on Windows and printer tricks
RDP21Windows RDPFocus on RDP tricks
Defaced31+ELK, web logs, web attacksELK, but another way to look at web attack
Doctor31+Linux, web logs, web attacksWeb compromise on Linux system
SOC Alpha 231+ELK, Windows administration/attackELK, Windows logs of a network attack/malware actions
Exxtensity31+Windows, browser extensions/settingsGood focus on browser extensions
Joppers31+Javascript, WindowsNo frills Javascript parsing
Browser Bruises31+Linux, dumpzilla (python), browser historyUsing dumpzilla to analyze local firefox artifacts
Defender31Windows DefenderAll about Windows defender logs
Awwdit31+Windows Admin, Audit Policies, Basic PEFocused on audit policies in Windows,  basic PE dynamic analysis
Lintro31+Linux compromiseBasic Linux compromise and PE analysis
Xhell31+Maldoc, olevba, LinuxOld Excel maldoc analysis on Linux, oddball
Venom31+Linux logsAnalyzing linux logs for intrusion
Heaven32Windows, PE static/dynamic analysisGood into to basic and dynamic PE analysis
Stealer32DnSpy, basic dynamic analysisPretty much all dnSpy and basic dynamic analysis
Trash31+Windows terminalWindows and recycle bin tricks
Shortcut31+Windows shortcutsWindows and shortcut tricks
Link31+Windows adminFun with Windows and lnk files
Maldroid31+APK, Java, LinuxIntroductory analysis of an Android APK on Linux
Ducker31+Linux, DockerIntroduction to Docker on Linux
Pie31+Linux, web attacksAnalyzing Linux logs in Linux for web compromise
Backstage41+Linux, Linux logs, wiresharkLinux IR looking at logs and pcap
Crypto41+Linux, Windows admin, wireshark, volatilityGood intro to volatility and IR with various artifacts
SharpAttack42Pdf maldoc, javascript, LinuxPurely a pdf maldoc analysis
Kill42Volatility, Sysinternals, PE basic dynamicGood intro to memory analysis and exe dynamic analysis
First Day42IDA, OSINT, Procmon, pestudioStarting point for PE-based statis analysis, no debugging, OSINT
Logger42Windows, basic dynamic analysis, SysinternalsA few more steps into dynamic analysis
Honey41+Windows admin, RedlineA good first romp into Redline, gotta know Windows, though
Total Recall (R)41+Windows admin, RedlineUsing Redline to investigation a Windows compromise
Ben42Windows admin, filesys image, dynamic analysisSome Windows dynamic analysis tricks for malware
Sam42Linux, Windows memory w/ volatility, wiresharkGood romp into volatility and a Windows compromise
Obfuscated52Linux, PythonRequires some Python work, Lite Linux IR
Peak 252Linux, wireshark, sysmon (linux)Analyze logs in Linux of a Linux compromise
Bot52Linux, OSINT, CTF-likeLinux and some CTF-like challenges
Pandemic52Windows admin, PE dynamic analysisStraight-forward Windows PE dynamic analysis
Dot52Windows admin, wireshark, ProcDOTTricky ProcDOT tool to track an advanced process compromise
anDRE51+APK, Java, LinuxDeeper analysis into an Android APK (static still)
PE51+Linux, ELK, Windows adminMore ELK, a bit tricky with osquery logs
Pretium51+WiresharkTricky wireshark tricks
Invoice (R)51+Linux, ELK, Wireshark, Windows adminKinda easy Windows IR investigation with plenty of artifacts
Sticky Situation52Windows admin, AutopsyAnalyzing artifacts to answer questions about USB usage
Countdown (R)52Windows, Autopsy, IRWindows IR investigation with some tricks
SOC Alpha 351+ELK, Windows administration/attackELK, Windows logs of malware activities, just deeper
Hashish52Windows IR, OffenseIR on a local Windows compromise, requires some red knowledge
Too Late52Windows admin/attack, WiresharkTricky look at Windows malware compromise and artifacts
Test52Linux, Linux filesys imageIntermediate Linux IR and filesystem image handling
Rigged52Windows admin, Wireshark, IRIntermediate IR into a Windows compromise
Peak (R)62Linux, ELK, Linux compromise, linux logsLinux knowledge and using ELK, Linux logs
The Last Jedi62+Wireshark, CFF (PE basic static), RedlineWindows malware infection, lite PE analysis, Redline heavy
Baby62Linux, Linux filesys imageLittle harder than Test, but Linux IR and image handling
Exceltium62+Linux, pdf maldoc, shellcode analysisMore advanced pdf maldoc analysis on Linux, involves shellcode
Gotham62Windows basic PE static analysis, IDA, OSINTBasic static analysis of a malicious executable
LOL (R)62Windows, IDA, Python uncompyle, OSINTMore RE static analysis
Recovery62LinuxLinux IR investigation with linux logs and knowledge
Rekcod62Linux, DockerTricky investigation into Docker again
PhishyV262+Linux, HTML, Phishing, PHP, tiny bit CTFPhish kit analysis, web site analysis, coding
Multi Stages63Linux, wireshark, Windows admin, grepping memoryUsing Linux to investigate Windows pcap, memory of attack
Poor Joe62Windows admin, Volatility, logsWindows compromise investigation, kinda tricky, logs and live memory
Triage62Windows admin, Volatility, logsWindows compromise investigation, kinda tricky, logs and live memory
Hooked62Linux logsAnalyzing Linux logs/host that has been compromised
Eric62+Linux, volatility on Linux memoryA twist on memory analysis with a Linux image
Signal62Windows admin, redline timeline, pcap, basic PEA mix of involved pcap and file timeline analysis, basic PE
Irritate72+Windows admin, dynamic analysisLogs of fighting with dynamic analysis and CTF-like hunt
Pretium v272Wireshark, Packet Whisper, lite CTFAnswering questions based on a pcap
Covert72+Wireshark, PowerShell codingDive into a C2 pcap, powershell coding required
Wargames72+Linux, volatilityMemory analysis of a Windows compromise
Ghosted72+Linux, Wireshark (pcap), suricataInvestigating a web recon and attack mostly with suricata
Evil Maid82+Linux, filesys image, SIFT, Windows attackWindows file system investigation on Linux (SIFT)
The Key82+Windows, file system imageWindows file system forensics (and some offense)
Bad Logic (R)82+Linux, Windows admin, wiresharkLarge artifacts in a Windows attack investigation
Stuck83Windows attack, memory analysisWindows compromise with lots of tricky pieces
Divorce Court93Windows attack, filesys image, IDAAnalyzing Windows compromise, light debugging
Supreme Court93Windows attack, filesys image, IDA, C#/PoSHAnalyzing Windows compromise, debugging
Counter93IDA, debugging/reversingPure debugging/reversing, intermediate dynamic analysis
Multi Stages 2103Linux, volatility, Windows admin, MFT/TimelineHeavy memory analysis and file timelines; very difficult questions

CHALLENGES (by difficulty & SOC level)

D3FEND11Google (D3FEND Framework)Looking up things in the D3FEND material online
ATT&CK11Google (MITRE ATT&CK Framework)Looking up things in the ATT&CK material online
The Report11PDF readerLooking up things in MITRE report (pdf)
Phishing Analysis 221Text editor, ThunderbirdAnalyzing a phishing email
Phishing Analysis21Text editor, ThunderbirdBasic phishing email analysis
Meta21Exiftool, OSINTAnalyzing some basic info from image files
Brute Force31Linux, text editor, grepAnalyzing logs of an RDP brute force attack
The Planet’s Prestige31+Email client, text editorAnalyzing malicious email plus office type attachments
Suspicious USB Stick31+Linux, peepdf, strings, VirusTotal, hex editorBasic analysis of a malicious PDF
Powershell Analysis – Keylogger32Powershell, Text editorAnalysis of a malicious PowerShell script
Log Analysis – Privilege Escalation32Linux, bashIdentifying malicious commands in a bash log
Network Analysis – Malware Compromise42WiresharkAnswering some basic questions based on a pcap
Log Analysis – Sysmon41+Sysmon, Windows, PowershellUsing sysmon logs to answer incident questions
Malware Analysis – Ransomware Script42Text editor, LinuxAnalyzing bash script for ransomware
Log Analysis – compromised WordPress42Linux, Apache logsAnalyzing a web attack from Apache logs on Linux
ILOVEYOU42+Windows, text editor, sysinternal, regshotDynamic non-PE malware analysis
Follina42Windows, OSINT, text editorAnalysis of multi-stage maldoc 0-day
Melissa52+Oledump, text editorNon-PE malware analysis
Shiba Insider52Wireshark, Steghide, Exiftool, LinuxUnwrapping layers of hidden data and common artifacts
Network Analysis – Web Shell52Wireshark, Linux and attacker knowledgeAnalyzing a Linux attack using a pcap
Malicious Powershell Analysis52PowershellParsing a Powershell script and basic obfuscation
Spectrum62Fcrackzip, Photorec, Audacity, efitool, steghideUnwrapping layers of hidden data in less common artifacts
Employee of the Year62Photorec, scalpel, CyberChef, Linux, stringsRecovering and unwrapping various file types
Network Analysis – Ransomware62Wireshark, OSINTAnalyzing and even recovering files using a pcap artifact
Memory Analysis – Ransomware72+Volatility, Windows, OSINTMostly entry level volatility analysis of memory image
Paranoid72LinuxAnalysis of linux logs to answer incident questions
Secure Shell72Linux, text editor, OSINTAnalysis of an SSH log
The Package7CTFOSINT, CTF, Math/PythonDon’t recommend. Clever CTF-Like math riddle.
Reverse Engineering – Another Injection73IDA (Disassembler), Sysinternals, API MonitorPE analysis and debugging, not entry level, but close to it for malware analysis anyway
Barcode World8CTFLinux, PythonDecode flag from 9000+ image files; don’t recommend
Browser Forensics – Cryptominer82+Linux, FTK Imager, Javascript, WindowsAnalyzing image file for browser artifacts
Reverse Engineering – A Classic Injection83IDA, Sysinternals, WindowsStatic and dynamic analysis of a PE file
Injection Series – Part 383IDA, Sysinternals, WindowsStatic and dynamic analysis of a PE file
Squid Game8CTFSteghide, image editorCTF-like image stego; don’t recommend
Injection Series Part 483IDA, GhidraPE analysis using debugger
Secrets8RedPython, JWT, Linux probablyRed team web app attack against weak jwt
Veriarty8CTFHashcat, Veracrypt, Linux, Thunderbird, gpgRecovery and decoding of files; don’t recommend
D-Crypt9CTFBrowserlingsDecoding a string several times with minimal guidance
P2SEC – Minigame9RedWeb App attacking, OSINT, exiftool, PE analysisUnguided multi-stage mostly red team basics; long
Classical City10CTFSanityDecoding ciphers – don’t recommend