OSEP review
I recently passed the Evasion Techniques and Breaching Defenses (PEN-300) exam, earning myself the Offensive Security Experienced Penetration Tester (OSEP) certification. In this blog post, I review OSEP and give some tips.
PEN-300 is a course, part of the OSCE³ certification. Completing the PEN-300 course and passing the 48-hours exam earns the OSEP certification.
The course advertises itself as an advanced pentesting course and explicitly states that it is not a red team course. Nevertheless, the topics covered do include initial foothold up to breaching Active Directory forests.
OSEP preparation
As preparation for OSEP, I taught myself C# basics using The C# Player’s Guide. I was able to help improve the book as the book itself was still in active development. The author of the book helped me out with some C# topics which I was struggling with.
When looking back at OSEP, I can say that C# preparation is not needed. Offsec provides a lot of code samples that can easily be used and tweaked without comprehensive C# knowledge. Having C# knowledge is always a plus though!
I didn’t prepare anything else for OSEP. Having used BloodHound and some other tools before does help with progressing through the course and improving workflow. However not mandatory and you will learn how to use them in the labs.
Course content
I started the course on 17 January 2021 and completed the course materials and labs within the minimum required lab time (2 months). However, I recommend taking at least 3 months to complete the course and labs. Cramming everything in 2 months is very difficult and I believe this can only be done if you have a lot of time on your hands!
The course itself has a gradual build-up, if you don’t know what the course includes then make sure to take a look at the syllabus.
At the start, it might be hard to see the logic behind the build-up. The course starts with old and outdated techniques. Afterward, explaining why these techniques are not recommended. Even though this might seem useless, it does help gradually build-up to the level of complexity needed nowadays for a successful breach or AV bypass.
After teaching the tradecraft involving initial foothold and AV evasion, the course transitions to post-exploitation topics like application whitelisting bypasses.
The last few chapters include abusing MSSQL, Active Directory, and Kerberos. Even though these are only three chapters, they are crucial for lateral movement. These techniques are heavily used throughout the labs and exam.
Labs
The course includes six labs. These labs contain multiple systems and tend to focus on certain topics needed to complete the lab. It took me five days to complete the six labs. However, I would say a normal pace is to probably take a maximum of two weeks to complete the labs. I was running out of lab time and had to complete the lab as fast as possible.
Lab 5 and 6 seem to be the most complete labs which test multiple techniques and are somewhat similar to the exam.
The labs themselves are isolated environments only available to the student. The labs are very stable and I have not had any issues. The only times I had issues was when invalid payloads broke certain services. If you think something should work but it doesn’t, try redeploying the labs. Maybe you broke something, who knows ;)
Exam
Even though the exam is a secret and not much is allowed to say, I recommend reading the OSEP Exam Guide. It contains some important rules about what is allowed and what isn’t.
The exam felt fair, nearly all topics covered in the course will be tested. I also feel like it was all within scope. Some people complete the exam within one day. I got stuck on some things, so I needed a few more hours on the second day. All added up I needed around 20 hours to complete the exam and receive the OSEP certification.
Conclusion
The course is really valuable, for pentesters who want to improve their infrastructure pentesting knowledge. I feel like the course might also have added value for red teamers, comparing the topics covered in Certified Red Team Expert from PentesterAcademy I feel like the PEN-300 course can compete quite well.
I recommend the PEN-300 course, as I have learned a lot from it. I enjoyed the course even though it is an uphill struggle, especially with the added stress from the impending lab deadline.