OSEP Review 2023
Offensive Security Experienced Penetration Tester Review
Introduction
In this article, I will discuss my experience with OffSec’s Offensive Security Experienced Penetration Tester certification.
I will discuss my background and briefly touch on some subjects related to C#, the main language used for developing exploits to bypass protections.
I will also discuss the PEN-300 course itself, highlighting the aspects that I liked and those that I didn’t find appealing. Additionally, I will share my preparation strategy for the certification.
After all the previous subjects are out of the way, I’ll talk about my exam experience.
My background
Before becoming a Penetration Tester, I worked as a Software Engineer for about five years.
My main technology stack was .NET and C#, ranging from .NET Framework to .NET Core. I worked in web application development, more focused on the backend of things, like developing end-to-end web applications, developing microservices, and much more.
Needless to say, I was NOT a fan of frontend 😂
This background helped A LOT in OSEP since the main language to develop the exploits was C#. Having this in mind, I have some remarks regarding the C# portion to help you guys when going for OSEP.
As for Pen Testing, I’ve been working in the field for about one year, and I hold some certifications, like eJPT, OSWP, OSCP, CRTP, and obviously, OSEP.
Of these certifications, the one that helped me out A LOT was CRTP. It made the Active Directory part of the course easy.
I’ll detail it more in further sections of the review.
Going into OSEP
Going into OSEP, I bought the Learn One subscription which had a great discount for folks that had Off Sec certifications. Since I had OSCP (yes, OSWP didn’t count for the discount), I had a great discount which made it really worth it. The difference between Learn One and the 90 Days was like 200 euros or something, so it was a no-brainer.
Since I had a lot of time with Learn One, it took me approximately 60 days to complete everything, counting the materials, the labs, and challenges.
I did it in a slow pace speed, taking my time to explore and do extra stuff.
After organizing everything, including my notes, tools, and backups, I proceeded to register for the exam whichI will discuss further in this review.
To Sharp or not to Sharp
I’ve got to tell you guys something, lucky you that you are using C# to interact with Win32 APIs instead of C or C++. If you think that your life is miserable with C#, let me tell you something, it would be a totally different hell with the ones that I mentioned previously.
So let’s start with the IDE that you’ll most likely be using — Visual Studio, which, in my opinion, is the best option. (And yes, for those Rider fanboys out there, feel free to argue all you want about how that’s not true).
You should familiarize yourself with the IDE since it will be the foundation of everything you develop.
Here are some helpful links to get you started:
- Visual Studio Tutorial
- Visual Studio Shortcuts
- Visual Studio Adding References
- Visual Studio Adding Nugets
After having a good knowledge about the IDE, the C# level, in my honest opinion for OSEP, is very basic. The only part that may pose a challenge is when using C# in PowerShell. It may require the use of reflection, which can be quite complex.
Either way, I will provide some helpful links to assist you with C#. Additionally, if you want to explore reflection a little bit, there will also be links for it.
PEN-300 Course Overview
You can view the PEN-300 official syllabus here.
The first chapter of the course is just a basic introduction. The second chapter is basic theory about operating systems, Win32 APIs, and focusing more on internals of the OS. This sets some basic fundamentals that you’ll need to understand before moving to the next chapters.
The next two chapters heavily focus on client-side attacks with word. The beginning of the third chapter is a bit slow, and a little boring since it will be more foundational but it gets to a very interesting point where you’ll be using different PowerShell Download Cradles, and playing around with reflection and .NET Objects.
The forth chapter focus more on abusing Windows Script Host.
One of my favourite chapter is the fifth one, which is the Process Injection attacks. Here you will learn different techniques to inject your shell code into processes. Besides the Off Sec materials, you also have a lot of information on the internet.
This will come in handy with the previous taught section on client-side attacks where you will have the opportunity to mix the two to achieve remote code execution on the victim machine.
Now, the next two chapters are also my favourite and what I consider to be very important, these two chapters main focus are on bypassing AV detection, with obfuscation, encoding, using non emulated APIs by AV’s, and so on. Another important subject is AMSI Bypass. Now once again, using the previously learned materials, you will need to mix these together in order to make your tools better to bypass any detection tool that might be in place in the machine.
Application whitelisting follows-up as the next chapter, and I honestly was expecting more. Sure, there were fun attacks like bypassing AppLocker with custom PowerShell runspaces and such, but it feels that lacks more techniques.
Bypassing Network Filters and Kiosk Breakups are the two chapters that are just fillers or at least, gave me the feeling that they were just fillers. I don’t feel like these added anything extra, especially the Network Filters, to the attacks that previously were taught. Kiosk Breakups teach you a new vector of attack related to a different subject, which makes it interesting.
Linux Post Exploitation, which is the next chapter, was very weak for something like PEN-300. I was hoping that some more complex Privilege Escalation techniques would be taught.
Linux Lateral Movement was, in another hand, very interesting and touched Kerberos on Linux and DevOps tools that can be leveraged to laterally move.
The chapter about Windows Credentials was very well put together, and it serves very well the purpose of teaching attacks on the subject. In this chapters there will even be a MiniDump Application to do in C# to try and avoid AV protections in place.
Windows Lateral Movement, which has amazing techniques to move laterally is one hell of a chapter. The protocols are very well explained and the attacks performed are somewhat complex and interesting.
Now, also one of my favourite chapters of PEN-300, is Microsoft SQL Attacks, which has A LOT of stuff to do. From exploring misconfigurations, to create your own tools to exploit these misconfigurations, there is plenty of material here to have fun.
Active Directory Exploitation is a straightforward chapter, there are cool attacks taught but I feel like they could have explored it way better. If you have CRTP or CRTO this chapter will almost be invisible to you.
To end this course, you’ll have a module where you see everything being put together. You have a scenario as an example and you see every step needed to exploit it from the materials that you previously learned.
PEN-300 Labs and Challenges
Labs
To be very honest, I did not complete all of the labs because I did not see the need for it. There are labs that are quite necessary to do because you are still learning and getting a feel for things, but as the course progressed, I realised that I would waste time on some of them, so I skipped them.
Challenges
Okay, now the challenges are excellent and will prepare you very well for the exam.
There are six challenges, each of which becomes increasingly difficult.
To tackle them and prepare for the exam, I did them as many times as I could. I ALWAYS took notes while working through the Challenges, and I ALWAYS found new ways to perform the same attack.
For example, on a certain challenge you got a Client-Side attack working with a certain technique, try a different attack to achieve the same goal. Or for example, you can escalate privileges with a certain tool, just try to find different tools that can achieve the same result.
My point is, by having more than one tool or technique to achieve a certain goal, you’ll have a backup plan if in the exam or in a different environment your first tool fails, this is my golden rule and has paid extremely well. Keep this in mind for everything that you do, even if it isn’t related to Off Sec.
Exam
It is a 48-hour practical exam in which you must have 10 flags in order to pass. You’ll then have 24 hours to prepare a report outlining your results. The exam is also proctored, which means you must have a webcam on so that you may be monitored. Your screens will also need to be shared.
The exam will have a panel that will provide you with all of the information you need to complete the exam. It will include a brief description of the target, the objective, and so on.
If you need to reset a machine during the exam, you must also do it in the panel.
This panel will also be where you send flags; be EXTREMELY cautious when submitting flags and ensure that the flag is submitted.
To be honest, I really enjoyed the exam. It is a very large network where you must move around and put everything you have learnt into practise, as opposed to OSCP, where you just have boxes to compromise.
My Exam Experience
So a few days before my exam, I got infected with COVID, yes, what a lucky guy I am. I was coughing my lungs out and it was terrible, but I didn’t want to reschedule so I just went like that (dumb idea, very dumb idea).
Have I mentioned that the exam was proctored? Oh yes, I did. So, how does Off Sec deal with that? With a really bad browser software.
This software will capture your screens and your webcam. Guess what, it really sucks since it makes everything a little slow, like mouse motion and such, and the copy/paste sometimes stops working, for no reason.
My webcam also had problems with the software, if I moved it really fast, it would freeze the video, and I would need to reset EVERYTHING.
So, my exam started at 8:00 AM, and it took me 15 minutes to get the initial shell. I was like “I got this…”, well, after that, I was stuck for 10 hours, in the same initial shell. In between those 10 hours, I took breaks to eat, and to rest, since COVID was really taking a big toll on me.
After dinner, I managed to move on, and tried to get as much done as possible for the next day, since I just lost 10 hours stuck in the same place. At 11PM I went to sleep, I really needed to rest. I slept for about 4 hours, and woke up really early to catch up.
Honestly, I was looking miserable in the webcam, pretty sure that the person on the other end was about to call an ambulance or something like that, but COVID + little sleep, was really tough.
At the second day I made a few to no breaks. The only breaks that I made was for the restroom or to eat something, but by 9 PM I had my 10th flag, and shortly after, I had my 11th flag.
Stayed up until 3AM or close to it to take all the screenshots and making sure that everything was in order.
Once again, slept only 3 to 4 hours. I reviewed my exam prints and checked if everything was in order since I still had some time left.
All that was left was to make the report, so from like 9AM to 9PM, I was making the report and trying not to die in the process.
After 2 weeks I received the email saying that I passed, and it felt so damn good.
PEN-300 Advice
- First and foremost, I strongly advise you to complete the challenges. They thoroughly prepare you for the exam. Try to complete the challenges as many times as possible using as many different ways and tools as you can.
- C# knowledge is required for this exam because many of the tools will be written in C#. As I previously stated, the C# level is fairly basic, and you should take advantage of this opportunity to learn programming.
- The Off Sec community is fantastic, and they have a Discord server as well as a Student Forum.
The Discord community is strong, and Off Sec staff can help you if you run across any issues throughout the challenges or labs. The Student Forum is a little less active, but it still contains some interesting contributions. - In terms of Active Directory, I strongly advise you to do CRTP before OSEP. CRTP covers AD extensively, and with CRTP, AD will be a breeze for you. I am unable to speak for CRTO, but from what I’ve seen and heard, it provides excellent value as well!
- The exam will not only assess your technical abilities, but also your time management skills. My advice is to have a game plan for your time management, whether it’s a schedule or whatever method works best for you.
You don’t have to be strict, and it won’t be your holy grail, but it’s crucial that you have time to eat and rest, or otherwise you won’t be at your best in the exam.
Oh, and one more thing: if you are really stuck, say for 10 hours or so, take all the necessary breaks to breathe and clear your thoughts; it will help you a lot. - Take good notes and have all of your exam materials ready. When it comes to tools, be sure that the ones you’ll be using for enumeration or anything else are up to date.
There is nothing more frustrating than failing to discover an attack vector because your tool is out of date.
Been there, done that. Learn from my mistake.
Conclusion
Even if the materials of the PEN-300 were a little dated, I truly enjoyed them. I believe the Active Directory section needs to be improved, as the materials are out of date with regard to recent attack vectors.
As for the remainder, there are some chapters that are pretty boring, and some that are really good, but I guess you’ll find that in any certification you take.
In any case, it was my favourite Off Sec certification so far, and I would definitely suggest it!
Now it’s time for OSWE and OSED to obtain OSCE3. 😁