Breaching the OSEP

A few weeks ago I received the email that I successfully completed the requirements to obtain my OSEP, Offensive Security Experienced Penetration Tester. The journey to this point wasn't an easy one and I wanted to share my experiences with the course, exam and overall mental bandwidth it took to finally crack this beast of an exam. If you're looking for spoilers about the exam, you won't find them here.

Not Wasting Any Time

I passed my OSCP on December 23, took the holidays off as a much-deserved break and then purchased the 90 day course for OSEP. I couldn't wait to dive right into this course, after all I've heard great things about it. The course starts by teaching some Programming Theory, and if you don't know, the course heavily relies on C#. If you've never tinkered with C, C++ or C#, I recommend not skipping this one and taking the time to read in depth what Offensive Security has put in the PDF. It's probably important...

Once you get through this you jump right into some C# programming and it feels awesome. You get your hands dirty right away with VBA, Macro creation, social engineering pretexting and so on. The course is heavily focused on C# for the first 10 chapters and rightfully so, it will become the backbone to your custom exploits, evasion techniques and the secret sauce to breaching those fully patched defenses.

Once you've mastered the art of evading Defender, other antivirus solutions and the big bad Antimalware Scan Interface (AMSI), you will go hands on with some lateral movement techniques, which the course does a great job covering, with so many different ways to shift laterally in an environment. From using RDP to SSH Hijacking, you add quite a few tools to your toolkit.

The course covers techniques to abuse Ansible, Artifactory, MSSQL and various types of attacks against Active Directory such as Constrained and Unconstrained Delegation, pwning AD Forests with extra printers and more.

Timeframe + Labs

As mentioned earlier I signed up for the 90 days, but between work and life responsibilities I had to purchase a 30 day extension. I actually finished the course prior to the course ending but I wanted to spend some time on the labs which were the highlight of the course. They were difficult and in my opinion a fair assessment of what you'll see on exam day. I finished all six labs the day before my 1st attempt.

1st Attempt

It's not a good Offsec story if there wasn't a failure on the first try, right? These 300 level courses from Offensive Security test more than your ability to master the material, they test your mental aptitude to handle stress and think creatively. Without too much detail, I got 8 flags in my exam environment and hit a wall. After trying everything in my toolkit about 10 times over, the clock had run out. I waited for the day to receive the official failure notice and rescheduled for the earliest time available.

2nd Attempt

Armed with a large cup of coffee, I started the 2nd attempt with a vengeance. This exam got me once and I wasn't going to let that happen again. By the end of the first day I had 6 flags locked in and with 24 hours left to go I was motivated and feeling good about my ability to get this done. 12 hours later I had 10 flags and knew that was enough to pass. I did my little dance in my room and got right back to work collecting screenshots, making sure I had all my documentation in order. When I was doing this I noticed something I overlooked in one of my scans and decided to take a break and pop one more flag. I finished OSEP with 11 flags in the bank and countless shells in my C2 framework.

I submitted my report the next day and received the notification I passed 24 hours later. Insane turnaround time.

What Can You Do to Prepare?

If OSEP is something you know you want to crack but can't purchase the course right now, I recommend getting comfortable with some type of C programming language. Make simple programs that use documented Windows APIs like popping a message box with your username in it.
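The kind of warm-up program suggested above, written here as an added example (not the author's code): it declares two documented Win32 functions through P/Invoke, `GetUserNameW` from advapi32.dll to read the current user name into a caller-supplied buffer, and `MessageBoxW` from user32.dll to display it. The buffer-size handling and the `Marshal.GetLastWin32Error()` checks are the parts worth practicing, because the same marshalling patterns (out buffers, `ref` lengths, flag constants, error codes) recur in any C# code that talks to the Windows API. The constant values match the Windows SDK headers; the class and method names are my own.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Text;

class HelloWin32
{
    // BOOL GetUserNameW(LPWSTR lpBuffer, LPDWORD pcbBuffer);
    // On entry pcbBuffer is the buffer size in characters; on return it is the
    // number of characters written including the terminating NUL.
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern bool GetUserName(StringBuilder lpBuffer, ref uint pcbBuffer);

    // int MessageBoxW(HWND hWnd, LPCWSTR lpText, LPCWSTR lpCaption, UINT uType);
    // Returns 0 on failure, otherwise the button the user pressed (IDOK == 1).
    [DllImport("user32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern int MessageBox(IntPtr hWnd, string lpText, string lpCaption, uint uType);

    const uint MB_OK = 0x00000000;
    const uint MB_ICONINFORMATION = 0x00000040;
    const int ERROR_INSUFFICIENT_BUFFER = 122;
    const int UNLEN = 256; // maximum user name length, from Lmcons.h

    // Reads the user name via the Win32 API rather than Environment.UserName,
    // so the caller-supplied-buffer pattern is exercised.
    static string CurrentUserName()
    {
        uint size = UNLEN + 1;
        var buffer = new StringBuilder((int)size);
        if (!GetUserName(buffer, ref size))
        {
            int err = Marshal.GetLastWin32Error();
            if (err == ERROR_INSUFFICIENT_BUFFER)
            {
                // The API told us how much room it needs; retry once with that size.
                buffer = new StringBuilder((int)size);
                if (!GetUserName(buffer, ref size))
                    throw new System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error());
            }
            else
            {
                throw new System.ComponentModel.Win32Exception(err);
            }
        }
        return buffer.ToString();
    }

    static void Main()
    {
        string user = CurrentUserName();
        string text = $"Hello, {user}!";

        int result = MessageBox(IntPtr.Zero, text, "P/Invoke practice", MB_OK | MB_ICONINFORMATION);
        if (result == 0)
        {
            // MessageBox returns 0 when it fails (for example, no interactive desktop).
            Console.Error.WriteLine($"MessageBox failed: Win32 error {Marshal.GetLastWin32Error()}");
        }
    }
}
```

Build it with `csc HelloWin32.cs` from a Developer Command Prompt, or drop it into a console project and run `dotnet run`. Once this works, a natural next step is to swap in other documented APIs (for example, `GetComputerNameW` or `OpenProcess`) and watch how the marshalling declarations change, which is exactly the comfort the course material assumes.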

After that I would try any HTB machine that focuses on Kerberos and Kerberos based attacks. You really should know Golden Tickets, Silver Tickets, AS-REP Roasting and Kerberoasting attacks like the back of your hand. The course is labeled as an extension of the PWK/OSCP course and it feels exactly like that. The OSEP/PEN-300 course is packed with advanced attacks, evasion maneuvers to avoid detection from antivirus and more. On the OSCP you are cracking vulnerable machines but on the OSEP you are breaching fully patched ones.

Also, making an AD lab at home and testing new techniques in this environment is huge. You can easily create this with minimal hardware at home and I think TCM's Practical Ethical Hacking course covers a whole AD module. If you're on the fence about taking the course, I promise you won't be disappointed in the quality of the content.