Today, I’m thrilled to delve into one of the most sought-after certifications in the field of penetration testing: Offensive Security’s OSEP (Offensive Security Experienced Penetration Tester) certification. Having already achieved my OSCP (Offensive Security Certified Professional) certification, I decided to take the next step in my career and explore the depths of advanced techniques and evasive maneuvers through the OSEP course.
I will walk you through my journey, providing a comprehensive review of the Evasion Techniques and Breaching Defences video and PDF course that form the foundation of the OSEP certification. Furthermore, I will discuss the learning materials and platforms I utilized to fully prepare myself for the challenges that awaited me.
Background
Before starting the course, I had completed the Offshore Labs by HackTheBox which helped in giving me an understanding of Active Directory and various other tools. Although offshore lacks on the AV Evasion side, the OSEP course would be more than enough to compensate for that. I would also recommend doing the CRTP certification.
Course
The course materials and labs were filled with content that was completely new to me; except for a few sections, most things were new to me, and this proved to be daunting initially, as I tried to comprehend everything. At one point, the 90 days weren’t enough, and I barely completed the last lab.
places where you could find information and help regarding the course.
You can get the full syllabus for OSEP (PEN-300) in here.
What are the prerequisites for Evasion Techniques and Breaching Defenses? All learners are recommended to have either taken Penetration Testing with Kali Linux (PEN-200) and passed the OSCP certification or have equivalent knowledge and skills. These skills include:
- Working familiarity with Kali Linux and the Linux command line
- Solid ability in the enumeration of targets to identify vulnerabilities
- Basic scripting abilities in Bash, Python, and PowerShell
- Ability to identify and exploit vulnerabilities like SQL injection, file inclusion, and local privilege escalation
- Foundational understanding of Active Directory and knowledge of basic AD attacks
- Familiarity with C# programming is a plus for this course.
Resources & Tools
Most of the resources and tools listed here are based on my personal experience during the labs and exams. There are many other resources, but rather In addition to the quantity, I have tried to focus on quality resources that have helped me.
I have added the whole set of notes as a cheat sheet for the OSEP course into a Git book:
- OSEP Code Snippets
- OSEP Notes
- Mayfly - Game Of Active Directory v2
- MindMap - Pentesting Active Directory
- CheatSheets - Active Directory
- HackTricks - Linux Active Directory
- HackTricks - Active Directory Methodology
- Windows & Active Directory Exploitation Cheat Sheet
What You Should Know Prior
Although the course delves into modern techniques and bypasses, it misses out on some basics. Maybe they require the learner to have a prior understanding of these as well, but since these tools and techniques are used extensively in the course, it would be better to add them as part of future updates.
- CrackMapExec: This would greatly help in identifying reusable passwords and credentials, and a lot more functionalities are available.
- BloodHound: Learn how to collect BloodHound data with SharpHound, analyze it, and discover lateral movement vectors. PenTest Partners has a great walkthrough.
OSEP Exam
Before the exam, you need to ensure that you have checked all the requirements before beginning your exam. As usual, all the information can be found on the Offsec website here.
The exam will last for 48 hours, as mentioned on the Offsec website. However, according to the website, the actual duration is 47 hours and 45 minutes. So mine started at 7 AM (May 18th) and ended around 7 AM (May 20th). As stated in one of the FAQs in Offsec website.
There are two ways you can pass the exam: either you achieve the objective provided on the control panel (secret.txt) or you obtain at least 100 points.
1 Flag = 10 Points. So 10 Flags = 100 Points. Read the FAQs here.
The most crucial thing is to make sure that you have recorded all relevant evidence, commands, and payloads. I used the Offsec-provided report template for my final report, putting all the steps and supporting documentation into the format given.
#1 Exam Attempt
I had taken my first attempt in March, which was disappointing as the exam machine was having issues after a while. I was able to own the first machine, but after a while, I was having trouble. After being stuck for more than 10 hours at a stretch and after trying N number of methods. I gave up hope and asked the support team to check my exam machine, which had been retested a couple of times prior, but this time they took longer to test and informed me the exam machine was having some issues.
They finally called off the attempt and gave me a free attempt in the future.
#2 Exam Attempt
The second attempt was also not smooth, but the support team helped whenever I faced an issue. A couple of resets helped in places where things were supposed to work.
There are stablility issues overall as per my exam experience, I think offsec should try to correct this for the future as this is one of the advanced courses. The exam network being large, even the reset and support takes a significant time.
Overall, things were much better compared to first attempt, and I was able to complete the exam.
Wrapping it Up
In the end, I stopped the exam with 11 flags and called it a day, since I was tired beyond anything. I started rechecking everything in the report to ensure I did not miss any screenshots or miss submitting any flags.
On May 23, 2023, I received the mail stating that I had passed OSEP.
Now that OSEP is completed, I want to continue on the red team path and complete CRTO. Maldev Academy is also a possible path. I might enroll in OSWE after these.
Leave a Comment