Offensive Security Experienced Penetration Tester (OSEP) Review
Introduction
The Offensive Security Experienced Penetration Tester is an ethical hacking certification offered by Offensive Security that teaches penetration testing techniques with an emphasis on evading security mechanisms, phishing, and attacking Active Directory environments, in order to perform advanced penetration tests against mature organizations with an established security function.
It comes with the Evasion Techniques and Breaching Defenses video and PDF course, and it’s one of the major advanced certifications in the penetration testing world. In this article I take the time to talk about my personal experience with this course, the learning material and platforms I used to prepare, and so on.
Background
Before completing OSCP I was not quite sure where I wanted to go next, since Active Directory, internal penetration tests, and AntiVirus evasion were some areas where I still felt like I needed more work. Before going for OSEP I decided to obtain the CRTP certification, which focuses on AD exploitation, and I highly recommend it.
After I felt like I had the AD exploitation fundamentals down, it was time to tackle OSEP!
Exam Preparation
To prepare for the exam I used various resources, both part of the course and external. As much as the course material is more than enough to pass, I wouldn’t exclusively rely on it as it definitely lacks some important tools and techniques that you will need in real-life engagements.
The PEN-300 Course
The learning material provided with the course covers a wide range of topics, such as Active Directory exploitation, phishing, bypassing antivirus software and other security controls, privilege escalation, lateral movement and more.
I purchased three months of lab access to ensure I had enough time to complete the course material, exercises and labs. I started by going through the videos and the PDF slides, completing and documenting the exercises as I went through the various sections.
The amount of content in the PDF, videos and exercises is huge, and it took me about one and a half months to complete it all; after that, I got started with the PEN-300 labs. Unlike OSCP, completing the exercises will not grant you extra points, though I still recommend completing and documenting all of them, as they are a good way to put the techniques learned into practice and solidify your knowledge. The code you write for them will also come in handy during the exam.
The PEN-300 Labs
The labs consisted of six challenges, each one an internal network containing an Active Directory environment to fully compromise. The labs got progressively bigger and often included multiple domains to pivot through.
It took me about six weeks to complete all of the boxes in the labs, and I suggest trying to complete as many as you can: the more you do, the better your chances of passing the exam. Make sure you carefully document the steps you performed during each challenge, as these could come in handy later on, and it will train you to always take notes and screenshots of your steps.
With your lab access, you also get access to the official forum where you can discuss the challenges with other students, and provide/receive hints. Each challenge has its own forum section so this makes it really easy to navigate through it and find what you need. Try not to rely on hints and help from others too much as this can be a bad habit that might cause you to fail the exam.
External Preparation Resources
Along with the material provided once you enroll for the course, I suggest using a number of external resources to better prepare for the exam.
I have listed below the resources I personally used for my preparation after completing the lab challenges.
Active Directory
I used a number of external resources to prepare on the Active Directory and Windows exploitation front, despite the course material being quite comprehensive:
- Certified Red Team Professional (CRTP) certification
- TryHackMe Boxes & Networks
  - Holo
  - Wreath
  - Throwback
  - USTOUN
  - VulnNet: Active
  - VulnNet: Roasted
  - “Breaking Windows” series
  - WindCorp (Ra, Ra 2, Set, Osiris)
  - Zero Logon
  - Enterprise
  - RazorBlack
  - Red Teaming path
- Hack The Box Boxes & ProLabs
  - Offshore
  - RastaLabs
  - Sauna
  - Forest
  - Monteverde
  - Cascade
  - Resolute
  - Mantis
  - Fulcrum
  - Sizzle
  - Multimaster
  - Reel
  - Reel2
- Dog Whisperer’s Handbook
It can be helpful to have a checklist of things to check when attempting to escalate privileges within the domain. The following resources are a good starting point:
- Active Directory Attacks
- Active Directory Methodology
- Active Directory Exploitation Cheat Sheet
- Active Directory Penetration Testing Checklist
It is also important that you are familiar with performing AD attacks while on Linux, using tool suites such as Impacket.
AntiVirus Evasion
The course material covers various ways to bypass common security mechanisms such as:
- Windows Defender and other AVs
- Antimalware Scan Interface (AMSI)
- AppLocker
- PowerShell Constrained Language Mode
The techniques are explained in a very detailed and clear manner and approached in various different ways, often using custom code.
For your exam, the techniques shown in the course material should be enough, however, I recommend doing extra research and building your own tools to practice the various bypasses.
To bypass Defender, I recommend building a C# shell that bypasses Defender in all scenarios and using the same payload every time you need to obtain a shell. A good option is the process hollowing + XOR encryption shell that can be found in this repository.
When PowerShell execution is possible, I would recommend going for AMSI bypass and a PowerShell shellcode runner such as the one present in the course material. When bypassing AMSI, always remember to execute a script that will bypass it and then call another script containing your malicious code, otherwise, the file will be flagged before AMSI is bypassed.
There are other AppLocker bypasses that can be found online in case you want to explore this further:
The same goes for AMSI:
And CLM:
- PSByPassCLM
- PowerShell Constrained Language Mode Bypass
- CLM Bypass | A Pentesters Ramblings
- Constrained Language Mode Bypass When __PSLockDownPolicy Is Used
When Word macros are required, I recommend starting with a simple payload first, such as a PING command, and using a PowerShell reverse shell such as Nishang or this native PS reverse shell.
Alternatively, if you want to embed a shell within the Macro, you can use BadAssMacros to obfuscate MSFVenom shellcode.
There are a few things to keep in mind to ensure your document works properly:
- Don’t use unusual ports as these may not be allowed; stick to common ports such as 443 and 53.
- Remember to add the macro to the document itself, and not to the Word templates.
- Create the Word document on the development machine provided for the exam, as your own Windows host may be using a different architecture of Word.
- Try to get a working payload first before you turn on Defender.
You can also use the obfuscation technique for Word macros shown in the course material.
More specific techniques about AV evasion can also be found here.
Once you have a foothold on a box and you have successfully evaded AV, I would recommend disabling it to avoid further complications. Lastly, it is crucial that before you start your exam you have all of your payloads and code ready to go, as you don’t want to waste any of your exam time trying to bypass AV.
Local Privilege Escalation
When it comes to local privilege escalation, you can apply the same attacks and techniques taught in OSCP and other pentesting courses. I personally recommend you build a checklist or use one of the following:
- Checklist – Local Windows Privilege Escalation
- Checklist – Linux Privilege Escalation
- Windows Privilege Escalation Checklist
- Linux Privilege Escalation Checklist
- Linux – Privilege Escalation
- Windows – Privilege Escalation
The course material also covers privilege escalation techniques, but I wouldn’t rely on just those for the exam.
The Exam
The OSEP certification exam simulates a live network in a private VPN, which contains multiple machines that must be compromised. In total, you will have 47 hours and 45 minutes to complete the exam.
You will first need to obtain a foothold and then perform additional internal attacks to pivot through the networks. There are multiple attack paths through the network that will result in the same level of compromise, though initially you will have two separate paths to go down.
Some of the machines will require local privilege escalation while others won’t.
The Exam Control Panel will contain specific instructions for your target network and the exam objectives.
Your objective is to exploit the corporate network and collect various flag files. To pass the exam you must either obtain access to an objective described in your exam email or achieve a minimum score of 100.
Make sure to read the OSEP Exam Guide and to carefully follow the reporting requirements, exam restrictions and proctoring rules, as failure to do so may result in a failing mark.
#1 Exam Attempt
My first exam attempt was a total failure. I started at around 12PM, it took me several hours to get an initial foothold and I felt totally burnt out after doing so. I decided to go for a walk and after a few hours, I ended up getting a couple more flags, though by that point almost the entirety of the first day was gone.
The following day I managed to get my fifth flag but I then got stuck for the rest of the afternoon. Despite having the entire night left I decided to end my exam early as I was already very tired and I didn’t think the remaining five flags were within reach even if I pulled an all-nighter.
#2 Exam Attempt
I booked my second exam attempt for about five weeks after my first one; it was set for the 6th of December and it was my last chance to pass it before the Christmas holidays. This time things went a lot better and I also felt much less stressed about it. I had my first flag within an hour and never really had any major blockers, as I kept getting flags every hour or so.
My exam started at around 11AM and by 11PM I had achieved eleven flags, while taking various breaks throughout the day. I was unsure whether to continue with the remaining challenges or not but in the end I decided to focus on reporting, to ensure I would pass the exam.
Exam Report
I was taking notes as the exam went on and I would take screenshots for each command/script I’d run or page I’d visit, which really helped during the reporting phase.
I decided to complete my exam report the next day after a good night’s sleep. I started by double-checking my notes to make sure I had all the required documentation, after which I ended the exam and started working on reporting the flags.
Writing the exam report took about 6 hours and it ended up being about 85 pages; I then spent another hour double-checking it, making sure that all flags were present and all of the steps were correct.
As usual with Offensive Security exams, make sure to take plenty of breaks, eat, drink and rest sufficiently. Unlike the OSCP exam, where you could do it all in one go, this one is more of a marathon, and exam takers are highly rewarded for efficiently managing the time at their disposal.
After about 48 hours I received the following email stating I had passed the exam. There are no words to express how happy this made me, it was like a Christmas gift from Offsec.
Conclusion
While it had its down moments, OSEP overall has been a blast. I learned a ton of new techniques and new ways to use ones I was already familiar with, all while working around security mechanisms that are common in mature environments. I would recommend this course to anyone in the industry who already has some experience and is looking to sharpen their toolcrafting and acquire some new knowledge and skills.
Other OSEP Reviews
There are already plenty of OSEP reviews out there so I recommend you also check those ones out: