At the end of 2021, I took the PEN-300 course by Offensive Security. After the course, at the beginning of 2022, I took my first OSEP exam attempt, which I failed. Then, at the beginning of May, I took my second attempt (or even third) and successfully passed the Offensive Security Experienced Pentester (OSEP) exam. This blog post is written to share my path and my point of view on the OSEP certification.
Context
At the point when I started the PEN-300 course, I was working as a Web Application and Cloud Penetration Tester in a big financial company. As I did not have any Red Teaming experience and my knowledge of Active Directory and Red Team techniques was very basic, I found the course really difficult to complete. It cost me a lot of effort to go through the book materials, as everything presented in the book was very new to me.
PEN-300 Course
I do not want to go through the curriculum, as everyone can find it online. Without prior red teaming experience (or Win32 API C# development experience), I struggled a lot going through the materials in the course. It was a really hard journey, but definitely worth going through. The same material can be studied by yourself online, so you mostly pay the Offsec team for putting all the things in one place.
The new things that I have learned in the course:
- Understanding the Win32 API.
- All sorts of shellcode runner and code injection techniques.
- Defence evasion - AV, AMSI, Application Whitelisting.
- Active Directory exploitation; abusing Kerberos delegations.
- MSSQL attacks.
- Understanding how Kerberos works.
To successfully pass the OSEP exam, you need to have acquired the following skills from the course:
- Being fluent in enumerating and bypassing defenses. Before going into your exam, make sure that you have all your payloads ready to bypass defenses; it is great to operate quickly so you do not waste time.
- Being able to quickly operate in your chosen C2 framework and/or PowerShell. It is great to have all the one-liners ready.
- Understanding how to enumerate an internal network and an Active Directory domain. Understanding how Linux systems integrate with Active Directory. Understanding the implications of various domain configurations, e.g. LAPS, local administrator passwords in the SAM, etc.
- Understanding why and when to use different code injection techniques, e.g. when process injection fits, when process hollowing fits, and why DLL injection is useful.
- Using Mimikatz and Rubeus, including running them in memory with PowerShell.
- Documenting your thinking process.
My advice is to think about those skills as the goal of completing the PEN-300 course. The final OSEP exam is the proof that you have successfully obtained those skills. In my opinion, the course does not have enough challenges to practice all of those skills. That is why I had to take the exam twice: on the first attempt I was lacking practice, even after completing all the challenges.
OSEP Exam
A few tips you may find useful:
- Have all your payloads and one-liners prepared in advance.
- Grab screenshots and document your progress as you go.
- Do not spend too much time in BloodHound. It is better to enumerate AD with PowerView. If you want to use BloodHound, set a 10-20 minute timer when reviewing the output. If you find that your user/computer does not have any extra domain privileges, move on to something else.
- Set a strong methodology when approaching the target domain.
After completing the OSEP exam, the following email arrived in my mailbox:
At the beginning, I mentioned that I had three exam attempts. This is because on the second attempt my exam was effectively cancelled before the time ran out, due to some technical issues in the scenario. The Offsec help team gave me an extra exam attempt and waived the cooling-off period. So, the last tip is that if you really have proof that something does not technically work in the exam environment, you should message the Offsec team. You may say that when you are stuck you always think that there is some technical issue going on, but in my case I was close to the end of the exam scenario and I was 100% sure, and had proof, that something was not working as expected.