My OSEP journey

Evasion Techniques and Breaching Defenses (PEN-300) is an advanced penetration testing course. It builds on the knowledge and techniques taught in Penetration Testing with Kali Linux, teaching students to perform advanced penetration tests against mature organizations with an established security function. Students who complete the course and pass the exam earn the Offensive Security Experienced Penetration Tester (OSEP) certification, demonstrating enough skills to penetrate hardened systems.

In my case, OSEP has been a course I was excited to take since its release date because of the useful skills it teaches. I was mostly attracted by the antivirus evasion chapter. But I was a little bit slow since I had been preparing for the OSWE exam since 2021. In addition to the nice content in the syllabus, I was and still am motivated to get the OSCE3. OSEP is now one of three certifications making up the new OSCE3 certification, along with the OSWE for web exploitation and the OSED for exploit development.

My OSEP journey started in March 2021 when I was asked to develop a tool to gather information on malicious actors who were using phishing to steal from people or abuse their trust. I needed to make the tool undetectable to antivirus, and then I remembered that the OSEP course teaches that. It was the time for me to do research about AMSI and how it is possible to defeat antivirus by disabling it. I also searched for macro exploits. It was an opportunity for me to start getting ready before buying the course; that is always my methodology when it comes to Offensive Security courses.

OSEP teaches many other topics. For example, you will learn the basics of operating systems and programming, theory and practice of process migration and process hollowing, bypassing application whitelisting, bypassing system and network filters, MSSQL enumeration and Active Directory exploitation. Special focus is given to this last topic (Active Directory), which can be considered a core part of the PEN-300 course.

I bought the course on April 24th 2022 and the 3 months of lab access were supposed to start on May 1st. I took the first month to browse deeply through the course materials (PDF and videos). I was stuck for a long time on the Active Directory section (mainly the delegation part) but finally managed to understand it after reading, rereading and rerere…reading.
After completing the course and its labs, I started the 6 challenges. The first two were quite easy but the 3rd one started being more challenging. This is where I could put into practice the theory that was not explicitly covered in the course lab modules. It was really challenging but I learned a lot from them. Today I have more confidence in myself when it comes to checking for insecure object permissions in Active Directory. I’m more familiar with BloodHound and PowerView (a PowerShell script for AD enumeration). These two tools are almost unavoidable in AD penetration testing.

In the last month of my lab access (July 2022), I took a short vacation from the office in order to focus more on the labs. I spent it in another town in the country, where I knew nobody, and trust me, it was so beneficial. Sometimes it’s useful to disconnect from the daily tasks and focus on only one topic. An important thing to mention is that after every challenge I completed, I noted every new command in a kind of personal cheat sheet, so that I can reuse it in the future without any difficulty.

At the end of the lab access (end of the month), I had successfully rooted all the challenge lab machines and saw nothing preventing me from sitting the exam. Monday August 1st was a public holiday, so I decided to schedule my exam for Sunday July 31st.

The exam was a little bit more than what I was expecting. It took me a long time to get the initial foothold, which was the entry point to the whole system. The exam actually consists of one large network with multiple machines that must be compromised. As the exam network simulates a corporate network, it is mandatory to first obtain a foothold and then perform additional internal attacks.

I had some issues I had never encountered before. For example, I discovered an insecure object right and was about to abuse it. The exploit was not working just because I had not commented out a single line in a specific file. These kinds of problems hold you back from the real work, and since the machines are linked, you’re stuck until you find a way to resolve it and move forward.

Finally, on the second day of the exam, I managed to fulfill the requirements to pass the exam. I sent my report the following day and received an email on August 3rd announcing that I had successfully passed the exam. This made me the 1st person in my country to pass the OSEP exam, and I am grateful for that.

From my experience, the exam itself is not that hard if the following to-do items are done properly:

  • Understand every chapter of the course (take the needed time, it’s not a competition).
  • Make sure to practice all the labs inside the course.
  • Make sure to solve all the 6 challenges.
  • Check every possibility of vulnerability, sometimes what you’re looking for is not located where you expect it to be.

Below are some resources that may help you hone your skills in Active Directory enumeration and exploitation:

  • PowerView cheat sheet
  • BloodHound custom queries and cheat sheet

Good luck to anyone wishing to sit the OSEP exam; you can do it with Desire, Dedication and Discipline.

About the author

AdminStar@

Offensive Security Experienced Penetration Tester (OSEP)
Offensive Security Web Expert (OSWE)
Offensive Security Certified Professional (OSCP)
Certified Soc Analyst (CSA)
Certified Ethical Hacker (CEH)
Web Developer
