This post is a summary of my journey to obtaining the Offensive Security Experienced Penetration Tester (OSEP) certification.
Before diving into the article, here are the most common questions regarding the OSEP exam:
Is OSEP difficult?
- It could be, but it depends on your experience. For me personally, it was less difficult than OSED, probably somewhere between OSWE and OSCP. Of course, it’s probably different for you. If you have experience testing Active Directory environments, you shouldn’t find OSEP that hard. If not, you’ll encounter plenty of interesting challenges along your journey. Having the OSCP or a similar certification is recommended as basic pentesting is not covered in this course. Familiarity with C# is nice to have as you’ll be writing quite a lot of it during the course.
How many attempts are there for OSEP?
- There isn’t a limit to the number of times you can take the exam, as long as you pay the retake fee or have one of their subscriptions. As always, everything you need to pass is in the course.
Is OSEP an entry level certification?
- The course for OSEP is called PEN-300 in Offensive Security’s platform. Courses that contain the 3xx notation are meant for advanced users. Furthermore, this course doesn’t teach beginner level pentesting and focuses more on advanced tasks such as lateral movement, AV bypasses, process injection, etc.
Can I get a job after obtaining the OSEP?
- As OSEP is a great follow up to the OSCP exam, it should be an advantage to have it on your CV.
Does OSEP expire?
- No, OSEP is a lifetime certification.
How long is the OSEP/PEN-300 course?
- Like all current Offensive Security certifications, you can get a minimum of 90 days of lab time or you can go with one of the subscriptions. The PDF has about 700 pages, so it takes a while to go through. The videos help clarify that information, but you can watch them at 1.5 or 2.0x and the labs allow you to practice some of those skills.
What should I learn before the OSEP exam?
- From the official website:
- Solid ability in enumerating targets to identify vulnerabilities
- The ability to identify and exploit vulnerabilities like SQL injection, file inclusion, and local privilege escalation
- A foundational understanding of Active Directory and knowledge of basic AD attacks
What is the syllabus of the PEN-300 course?
How long will it take to prepare for the OSEP exam?
- It depends on how much time you have to invest and on your experience with Active Directory, memory injection techniques, client-side attacks, C# and more. I did all the exercises, but no extra miles. Labs took less than 10 days to complete. Doing some Windows/AD machines on Hack The Box, or even some of the Pro Labs, helps.
What is the format of the OSEP exam?
- It’s a 48 hour exam, followed by another 24 hours to write a report. The report must contain all the steps required to reproduce the attacks you performed. The time is enough. It took me around 16 hours to complete the passing requirement and I wrote the report during the second day of the exam.
What positions would benefit from the OSED?
- Application security engineers, penetration testers, red-team operators, security researchers, bug hunters.
Is OSEP proctored?
- Yes, it’s an online, proctored exam.
The Road to OSEP and OSCE3
After obtaining the Offensive Security Experienced Penetration Tester (OSEP) certification I had not one, but two reasons to be happy. The joy was multiplied by hitting a huge milestone in my cybersecurity career: obtaining the Offensive Security Certified Expert 3 certification! Not long ago Offensive Security decided to retire the original Offensive Security Certified Expert certification and split it into three courses and their corresponding certifications:
- Offensive Security Web Expert (OSWE)
- Offensive Security Exploit Developer (OSED)
- Offensive Security Experienced Penetration Tester (OSEP)
Conquering the above 3 certifications automatically awards you the Offensive Security Certified Expert 3 certification (OSCE3), which replaced the older one. And now, with the help of OSEP, I can proudly say that I am an OSCE3!
The PEN-300 Course
The PEN-300 course covers plenty of aspects, from client-side attacks with Office macros, JScript and C# to kiosk breakout, SQL Server attacks, AV bypasses, Windows API & memory injection techniques and Active Directory attacks. Throughout the chapters you progressively develop your skills and payloads, defeating one mechanism after another, from PowerShell CLM to AMSI, AppLocker and PPL. You will constantly improve your tradecraft to get your payloads past various security mechanisms. Often you’ll find the PEN-300 course teaches you several methods of bypassing one security measure. You’ll learn how to do enumeration with common tools like PowerView and Rubeus. You’ll also learn how to build your own tools for process injection, shellcode runners and even your own implementation of PsExec. You’ll learn to abuse MS SQL servers, various AD trust relationships and the most common Kerberos attacks, such as Unconstrained, Constrained and Resource Based Constrained Delegation. I particularly enjoyed the latter as it did clarify why these kinds of attacks exist and why they are so common in enterprise environments.
The course is built like the other Offensive Security courses: you get a PDF and videos. The PDF includes exercises that help cement the information taught in the course, while helping you identify certain particularities of the tools or implementations you’re using. The book also includes Extra Miles, which, although not necessary for the exam, do make you a better red-teamer. I felt like the information from the videos was basically identical to that of the book. Watching them will help, especially if you’re a more visual learner or have a hard time focusing on the text in the book. I did watch them at 2x speed, so it didn’t take too long.
How to approach the PEN-300 course?
It’s probably a matter of preference, but here is my recommendation: read the PDF, watch the videos, do the book exercises and finally the labs. You can also do the exercises as you read the book, but I feel that it slows down progress, even if it might take the same time as doing them at the end. I prefer to do an initial quick pass over the material and eventually go through it several times by looking at the videos and completing the exercises. A few tools to get familiar with that are not present or insisted on in the course:
- BloodHound - invaluable, as it makes the AD aspects a lot easier
- PowerSploit - just know what it is able to do
- Enumeration scripts like WinPEAS and adPEAS
There are 6 labs to complete. You should do them in order, as they increase in difficulty from 1 to 6, with the last one being the closest to how the exam will look and feel. I finished the labs in under 10 days, so don’t worry as they’re not that difficult.
Preparing for the OSEP Exam
Make sure you have a C2 framework you’re familiar with. I used Metasploit and it did the job fine, even if its Meterpreter shell is detected easily by today’s tools. You’ll learn in the course how to go around these minor issues. You can use a different C2 framework, as long as it’s a free, non-commercial solution. However, you need to make sure it does everything you need, including handling routing for pivoting and port forwarding, as you will probably need that (like Metasploit’s autoroute).
Hint: you’ll mostly “learn” what you need in the labs and during the last chapter of the course called “Combining the pieces”.
I’d recommend taking notes during the course and the labs. When you finish, you will have a list of commands and tools that you know for sure work, from various PowerShell download cradles to Rubeus, PowerView, Powermad and PowerUpSQL syntaxes (but not only). I’ve used CherryTree to take notes. Before the exam, I created a template called “Methodology” to make sure I don’t miss things. CherryTree has a “list”/“checklist” functionality, so I basically created a summary and checklist of all of the course: what to look for when you encounter SQL, different privilege escalation vectors, AD enumeration and exploit commands, download cradles, etc. All of them included commands, including IPs. So I just had to do a replace-all operation on the IP string during the exam and all the commands were valid, without needing to waste time tinkering with them.
The OSEP Exam
To pass the OSEP exam you need to obtain 100 points or obtain access to an objective described in your exam assignment. Note that technically you can get more points than 100. While this was a 48 hour exam like other Offensive Security certifications, I managed to get 90 points during the first day, while taking plenty of breaks during the process. Including food breaks, I spent around 14 hours on those 90 points during the first day.
Next day it took me one more hour to achieve access to the exam objective and at the same time, obtain 100 points. I wrote the report the same day as I still had access to the exam machines. This way I could take additional screenshots or collect evidence in case I didn’t catch it in my notes. The final report had around 50 pages, but I submitted it the 3rd day so I could review it with fresh eyes. Two days later I received the “you pass” confirmation email!
I found the PEN-300 course offers good value with the content it offers. My favorite chapters were the ones where you crafted your own tools and the AD exploitation ones. My least favorite was the kiosk chapter, but hey, you never know when it will come in handy! Getting the OSCE3 certification is a huge achievement and milestone for me and I’m extremely happy with it! Now that it’s over, I might look into EXP-312, which is the Mac specific course that OffSec offers or perhaps a cloud certification? Thanks for reading!
About the Author:
Application Security Engineer and Red-Teamer. Over 15 years of experience in Application Security, Software Engineering and Offensive Security. OSCE3 & OSCP Certified. CTF nerd.