My Hack The Box CWEE Review & Experience

Career | February 2026 | 5 min read

On January 28 I started the exam. I picked this date for a reason: it was a Wednesday, and the company I work for, SecureIT, generously allowed me three days of paid absence for taking this exam, for which they also paid. So first of all, big thanks to them.

So my plan was to connect these three days with the upcoming weekend, so I could have full focus available for five consecutive days. My girlfriend Angela was also very supportive, preparing and bringing me meals so I could keep all my focus on the exam. Big thanks to Angela as well.

Five days later, on Sunday, the 1st of February, I acquired the last flag. I used four more days, as I was lazy, to write the report. And after some time:

CWEE - Certified Web Exploitation Expert badge

Now let's dive into the training for the exam.

As I am not allowed to leak any details of the exam itself, I'll try to bring the experience of CWEE as close as possible to all of you reading this without doing anything against the rules.

The Training

There are 15 modules for the Senior Web Penetration Tester path on the HTB Academy. My advice for anyone who is a beginner is to first go through the Web Penetration Tester modules for the CWES exam, as these 15 are definitely advanced, and the labs, especially the skills assessments, will be testing your nerves as well.

Even before CWES and CWEE, a long time ago, I went through most of the labs on the PortSwigger Web Academy. I wouldn't compare PortSwigger and Hack The Box directly, as they kind of have different roles in the career path of a web penetration tester. PortSwigger has multiple labs for each topic, gradually increasing the difficulty, defensive measures and bypasses. And that's it. Hack The Box creates a whole story behind everything they teach. Of course, the modules for CWEE and PortSwigger aren't the same, but I generally liked Hack The Box's way of teaching way more than PortSwigger's. But again, PortSwigger is totally free and available to anyone, and they have amazing researchers who are leading in web application security.

Also, I have done a lot of code review labs on PentesterLab which have been pretty cool.

And at the end, I have many years of experience in conducting web penetration testing projects.

The Exam

Let's dive into the exam.

The exam lasts 10 days, during which you need to grab X amount of flags by hacking Y amount of machines.

I spent 12 hours daily on average on the exam for five days, and I was kind of surprised that I was not that tired after that many hours of full focus. I haven't used anything such as caffeine or nicotine for focus; I just tried to get 7+ hours of sleep and to keep distractions such as my phone (social media etc.) away from me.

Let's stay focused

Mindset and Tips

But even with this mindset I have been stuck on certain stuff that I shouldn't have been stuck on at all. I was too tunnel-visioned a few times. Yes, the exam has a lot of chaining that you need to do, but for a few flags, I was blocking myself by thinking something like "There's no way the vulnerability will be here, so I won't inspect it much". And I was wrong. The vulnerability indeed was there.

Some flags are a lot easier than others, in my opinion. But my main advice would be to take breaks. Yes, you need to get into full focus with the flow and all of that, but again, take breaks. I didn't take many, but I wish I had. Take a walk, go for a run, go to the gym, lie down for 20-30 minutes without doing literally anything, whatever suits you.

Also be aware of distractions and rabbit holes in the exam. You'll definitely need to be aware of all possible vulnerabilities, but to also triage them in a way that you first focus on the ones that most probably lead to a flag.

At one point I was so confused with what's going on, I was doing every possible thing I could imagine or think of for one flag, but I just couldn't get it. Looking back, I should have just stepped over that and tried to think of other possible ways to get what I need.

I was so confused that I even started drawing in my notebook, yes, literally drawing with a pen how I think something is and how it should be exploited.

Traditional debugging with drawing on paper
Don't even try to uncensor this, it's handwritten, and my handwriting is basically so ugly that it's encrypted, sometimes even for me. And also the stuff that I wrote and drew... didn't actually help me, at all. So it's useless, completely.

What Actually Helped

Now, what actually did help me during the exam is definitely debugging. A lot of times, when I tried exploiting something that definitely needed some debugging and logging, I just spent a lot of hours for nothing, and I could have saved them if I had debugged right away.

Regarding vulnerabilities, everything is covered in the modules, and I really have to praise them for creating such an interesting and realistic exam. You get a wonderful experience seeing how some vulnerabilities could exist in the real world.

Final Thoughts

I am not sure if there's anything else I'd add to this blog post. I couldn't compare it to OSWE as many do because I still haven't done OSWE, but I plan on doing it and making a comparison.

Overall my experience with studying for CWEE and doing the exam is 100% positive and I would recommend it to everyone specializing in web penetration testing or seeking an Application Security Engineer role. I also feel more confident in these kinds of engagements and overall web penetration testing, which is just a privilege in my opinion.

Stay tuned for more exam reviews and random hacking posts.

Follow me on LinkedIn to stay updated.

Happy hacking!