Introduction

Recently I completed the Pen-300 or Evasion Techniques and Breaching Defenses course offered by Offensive Security found here. Today, I received the email that I successfully passed the test and received the OSEP (Offsensive Security Experienced Penetration Tester) certification. So, I figured I would provide my thoughts on the course since it is still relatively new. This course was introduced in late 2020 / early 2021 and covers a ton of real-world applicable, advanced techniques. From a high level it touches on social engineering with Office documents, AV evasion, AppLocker bypasses, MSSQL attacks, AD attacks, and much more.

Thoughts On The Course

One of my main gripes with the OSCP and OSCE when I took the courses were that the materials were fairly outdated and I was unlikely to use the techniques in a real Penetration Testing environment. This was not the case with the OSEP. All of the target machines were Windows 10 / Server 2019 and I have already seen real world impacts from taking this course. For example, I was able to compromise a high impact environment using some of the techniques in the course. This course covers a heavy amount of material, the PDF document is over 700 pages and the videos contain an insane amount of content. The course is broken down into 16 sections, each section containing a small environment that is configured to be vulnerable to the lessons taught in that section. The videos and PDF material will walk through how to perform the attacks mentioned. I highly recommend using the videos as a walkthrough and take notes, including the commands ran as this will help you immensely on the challenges and exam. In addition to the learning sections, there are 6 challenges to complete within the course. These challenges cover the materials learned throughout the course. Challenges will consist of a small environment that designed to test a set of skills. The challenge environments can range from AD to Linux to a combination of both. I highly recommend solving all of the challenges and taking detailed notes on how you completed them.

While the course does a great job of covering all of the material needed, some creativity will be required to solve the challenges. Another thing to mention about the course is how deep Offsec goes with their explanations of the techniques. Instead of showing just how to perform the attacks with pre-compiled tools, they teach you how to develop your own tooling to be used on engagements.

How I Prepared

This course covers a lot of material and preparing for everything is not needed. I would however, recommend diving deep into C# as this will help you out a ton during the course. As previously mentioned, there are a lot of instances in the course you will be developing custom tooling. Most of this tooling is done in C#. I would recommend going through this Defcon C# workshop as it gives a good base on what will be created during the OSEP course. Another thing I did to prepare for the course was searching up the syllabus and using that to research techniques, the syllabus can be found here. For example, the syllabus mentions HTML request smuggling. When I was preparing, I would simply search HTML request smuggling and read a quick blog post that covers how to perform that technique. The good thing about this industry is that there is a ton of freely available knowledge out there, all you have to do is look for it.

The Exam

The exam for the OSEP consists of a 48 hour time period to compromise a target environment, with a 24 hour reporting period. The exam is very similar to the challenges. It is evident that Offsec is not trying to test you’re ability to do CTF’s. There are criteria that you should be able to meet in order to pass this exam, there are no tricks or rabbit holes and the exam is very straight forward. In order to pass you must meet one of two criteria. First, you will be assigned a target machine. This machine will be located in a segmented section of the exam environment and will have a couple of paths to reach it. Second, you can pass the exam by gathering enough points. Offsec will tell you the required amount of points and the name of your target machine once your exam time starts. One thing I would recommend for the exam is to take detailed notes as you go. The report for this exam is by far the most intensive of any Offsec course I have taken. My report ended up being 99 pages long. I would also recommend copying every command you run, taking many screenshots, and saving all the source code you create. You will need all of those.

General Recommendations

1. Take many notes.
2. Keep a list of useful commands. Examples are, PowerShell download cradles. These will be used a ton
3. Use the forums when needed.
4. Make custom code server agnostic. Example: In most of the tools created, the target servers are hardcoded into the code. Make the application take the target from user input, this reduces a ton of compiling.
5. Automate when you can.

Conclusion

This course was great, I was very excited to take it and it did not disappoint. I would highly recommend anyone looking to gain some advanced Penetration Testing skills to take this course.