For the past few months I’ve been engrossing myself with the Evasion Techniques and Breaching Defenses (PEN-300) course. The course content has allowed me to dig deeper into topics I’ve always wanted to learn but never had enough time to do so. Recently I passed the exam, becoming a certified Offensive Security Experienced Penetration Tester (OSEP). In this post I will talk about my experience with preparing for and passing the OSEP exam and collect the resources I found useful for this certification.

What is OSEP

As the course page states, the OSEP is designed for experienced penetration testers and primarily aids in developing evasion and breach techniques. Although the course clearly states that it is not a Red Teaming training I still feel that it lays very important groundwork for those looking to become (better) red teamers.

Course Content

During the course, you get access to a huge 700 page lab guide as well as videos and exercice labs for each section where you get to develop payloads and test their effectiveness in real environments. At the end of the lab you test your tradecraft in 6 challenge labs. Each one is designed to measure your progress and give you a taste of what might come during the exam, so I highly recommend you to leave enough time for these and make detailed notes.

If you’d like to start pre-preparations I can recommend both of these repositories as they have collected a ton of resources on each section of the content:

Evasion techniques and the passing of time

A very important question on my mind going into this course was how effective the AV evasion chapters would be. Even though the course is still fairly new (released in the later half of 2020), from a red teaming perspective 2 years might as well be another decade. And indeed some of the specific tricks shown are no longer as effective as they were back then. In certain cases payloads showing successful evasion is picked up already and I have no doubt that this is because people re-used the example tricks without modifications and ’leaked’ it into the public.

However, the techniques are still solid and the knowledge can absolutely be used to bypass AVs such as Defender to this day, you might just have to customize them a bit more to get it working.

Of course, don’t expect to make short work of something like Carbon Black or Sentinel One, but it is a great entrypoint to understand and pick up current techniques as well.

The evasion section covers, among others:

Different VBA macros and direct Win32 API calls,

C# shellcode runners,

DLL Injection techniques,

and Process Hollowing techniques.

While right now different kinds of Gates and SysWhispers is all the rage, that is not to say that classic techniques such as the ones above are going away anytime soon.

Before you Start

Offensive Security recommends the following prerequisites:

  • Solid ability in enumerating targets to identify vulnerabilities
  • The ability to identify and exploit vulnerabilities like SQL injection, file inclusion, and local privilege escalation
  • A foundational understanding of Active Directory and knowledge of basic AD attacks

With the new OSCP format, taking that can give a solid headstart on all of this, and I agree with their list. To increase your chances of success I believe you should already have a strong area, be it in AD enumeration and exploitation or AV evasion.

I felt like these two were the largest knowledge areas in the course and because I had fairly limited experience with evasion I easily spent a solid month on that alone.

If you are into Hack the Box, going through the Pro Labs such as Offshore, Rastalabs or the newer ones is also an about equivalent level of challenge (for certain parts).

Taking the course

Once you decide to take the course I recommend at least 90-days to go through it. Since Offsec is officially retiring all their shorter courses this is now the default.

I tackled the material by first reading and watching a section and then replicating the exercises and doing the extra mile challenges. Evading active antivirus software is going to be a big part of the challenges and the exam so it is really critical that during your lab time you build a solid and trustworthy arsenal of payloads. You don’t want to spend time evading defenses during the exam.

In a way, this actually simplifies at least one part of the exam. If your payloads are working consistently in the lab, you will be able to operate during the exam as well.

The extra mile challenges and the way the content goes from introductory to advanced is amazing and was the best part of the course. In multiple instance I would go through manual exploitation to understand techniques before Offsec would say: “Oh btw there is also this tool that does it out of the box.”

This explicitly teaches not to be over-reliant on one single tool. Consistently, custom-built tools that did that same thing as public payloads were harder to catch for AVs.

Once you have everything ready to operate, the fun begins. The challenge and exam environments simulate a real network, interconnected, just going about its daily business. The environment has Linux boxes sprinkled throughout as well which makes operating inside more of a challenge.

The Active Directory part and lateral movement sections were well put-together but I already felt pretty comfortable around it so it was more of a refresher for me. Although I did pick up a couple of techniques that I did not use before that will definitely make life easier in the future.

Passing the exam

During the exam you get thrown into a ‘real network’ environment where you have multiple attack paths and ways into the network. In order to pass, your objective is to get into a specific server on a separated network and retrieve company secret in the form of a secret.txt file. Alternatively for every hash you gather and submit you get 10 points and if you get 100 points you pass. Machines could have a low-priv user.txt and admin/root privileges proof.txt, or just one or none.

I really enjoyed this part of the exam as it made my decision-making a bit more dynamic as well. Do I want to push for the final objective immediately or try to gather as many hashes as possible. As always, I cannot give out details on the exam itself but it was definitely the hardest one I took yet. To be fair I could have practiced more, but I still felt going into it that I might just go through it all in a day. Well it took a bit longer than that in the end…

I started the exam at 7AM on an extremely sunny morning, making me reconsider my life choices as I brew a fresh batch of coffee. I discovered two ways into the network pretty quickly but then panic mode set in as neither of the initial payloads triggered a shell. Pulling myself out of this few minutes of terror and refocusing I slowed down my actions, going back to simple detection and validation methods from full-fledged shellcodes. This proved successful and within an hour I was inside a domain.

Identifying the next step proved difficult however, and it was only a couple hours later that I realized it was because the exam environment did not deploy correctly.

I had to send multiple e-mails to helpdesk as I struggled with weird errors such as DNS not resolving or certain hosts being inaccessible. I never had this happen before and really hope it was just a one-off thing for Offsec but I ended up losing a good 5-6 hours to these issues. It does make me a bit sour that even though you have a live proctored exam, you cannot reach live agents to help you with technical issues.

I am not expecting anyone to help with the exam of course but it should be possible to do a simple verification of “hey I cannot access this machine but it looks like I should. Can you confirm if this is expected?”. On the flip side, ultimately helpdesk did answer and confirmed they were having VPN issues offering to cancel the exam and waive the cooldown period. But by this point I was in too deep…

I finished the first day around midnight, having made some progress and gathering around 50-60 points.

The next morning I started early again around 7AM and continued with lateral movement. By this point I was going down separate attack paths simultaneously as I felt it gave me a better chance to avoid potential network issues. Timing wise I do not recommend this approach as it is much slower than just focusing on one area.

In my case though it proved useful as I once again hit a roadblock where both paths had the same exact lateral movement path forward but only one of them seemed to work for me. Typically I would err on the side of blaming myself but once you run into one or two environment problems you start to become more paranoid.

By around 3PM of the second day I had collected a 100 points and could pass but I wanted to go for the ‘real’ win and grab the secret.txt too. I was already fairly close so I pushed forward with it. I finally managed to achieve that too around 11PM of the second day, capping off two days of a hacking marathon.

Despite the intermittent issues where I sometimes had to re-deploy parts of the exam (which by the way was super useful that you could choose to deploy just one part at a time and not have to retrace your steps completely), I really enjoyed the overall experience.

Having a main objective to guide you made the whole exam more realistic as I pilfered data looking for a way in. I did not feel too stressed as 48-hours is plenty if you have the right game plan and can keep calm, although this time I was cutting it a bit close. Making the machines interconnected made it a lot more fun and I particularly liked the fact that I had to expand on my lateral movement and port forwarding techniques.

Closing thoughts

I really enjoyed the exam overall and the content was top-notch as can be expected from Offensive Security. I highly recommend it if you are looking to improve your AD tradecraft, want to get started with developing C#-based tools or learn more about evading antivirus and using raw shellcodes in combination with custom droppers.

Although I have not (yet?) taken it, I have heard great things about the Red Team Ops training from Zero Point Security:

It could probably work as a great addition to this exam, as it uses Cobalt Strike and is focused on Red Teaming specifically.