OSEP Review 2024 - OffSec Experienced Penetration Tester
OSEP review
Course overview
Offsec’s Offensive Security Experienced Penetration Tester (OSEP) certification is an advanced penetration testing course that builds on the knowledge and techniques taught in OSCP focusing specifcially on evasion techniques and bypassing defences within AD environments.
I won’t go into detail about what the course teaches as you can google that but in a nutshell the course covers:
- Developing custom C# process injectors and hollowers
- AV evasion & bypassing Applocker
- AD & MSSQL exploitation
- Windows and Linux lateral movement
- Phishing & client-side attacks (whilst evading AV)
I enjoyed reading other student’s OSEP reviews, and as they are much sparser than OSCP reviews, decided to share my thoughts on passing the OSEP in 2024 :)
Background
Having passed and really enjoyed the OSCP, CRTP and CRTO certifications, I decided the next logical step was to step up and do the OSEP. I originally put it off as I deemed it a bit daunting considering my lacking experience with C#, but I eventually decided it would be a good challenge. I managed to convince work to pay for 90-day access to the course, which proved plenty of time for my background. I probably only had time to spend half of that (45 days) on the course, whilst also balancing final year uni deadlines and work commitments.
Having a fair amount of experience exploiting AD from multiple certs, a year hardening AD environments in industry and a handful of internal engagements at work under my belt, I primarily took the cert to level up my evasion game, which for sure it did! I see quite a lot of people comparing the CRTO and OSEP and ultimately think they complement each other very well, e.g. the CRTO teaches the importance of ppid spoofing and good processes to inject shellcode into, which is beneficial for OSEP and vice-versa the CRTO teaches using Cobalt Strike as a commercial C2 whereas the OSEP teaches using open-source C2s in a more manual approach.
Course learnings
I started the course on 10/09/2023 and tackled the heavy 705-page PDF, with the course walking through the development of multiple custom C# loaders using P/Invoke with Win32 APIs and various phishing techniques such as getting VBA macros in word documents and JScript round defender. Each custom exploit is built upon and gradually improved through the course which is ultimately a really awesome learning experience for an insight into exploit development. The process is also made easier through their online portal which breaks the PDF down into more digestible chapters with exercises that basically get you to repeat what is shown then improve the payloads to better avoid detection as a further exercise.
Overall I thought the content of the course was great with it teaching me an absolute ton in a short space of time. I wasn’t expecting to learn much on the AD side as was already pretty experienced in exploiting AD environments, but I actually learned some cool MSSQL techniques and tricks for domain joined linux machines I wasn’t aware of. Obviously the main focus was learning the AV, Applocker and phishing techniques which were all new to me. I especially enjoyed the insight of bypassing Applocker by manually executing C# in unmanaged runspaces which is similar to what powerpick from Cobalt Strike does on the backend.
The course recommends using https://antiscan.me/ to assess how your payloads fare against defender, however this is no longer available. Instead, I opted to use RastaMouse’s ThreatCheck to test my loaders on my personal W10 VM with of course plenty of trial and error for my obfuscated phishing macros (with cloud sample submission off as to not burn all my payloads).
I learned that AES encrypting shellcode goes a long way to avoid static detection and with a few heuristic evasions sprinkled in can make a pretty nice loader. In fact the C# code from the course with a bit of tweaking and inspiration from GitHub can bypass up-to-date AV no problem. I would also recommend using neoconfuserEX to obfuscate any public C# tools like Rubeus which is possibly the easiest way to statically evade defender.
Looking back I completely over engineered my shellcode loaders with AES encryption using D/invoke to avoid writing to IAT and heavily obfuscated my phishing payloads to achieve FUD against fully updated AV which, although not required for the labs/exam, is good practice for real engagements. Obviously EDR is a different ballgame, but the course is not intended to teach bypassing that (not yet at least).
Labs
After going through the PDF making detailed notes and testing my FUD payloads, I tackled the labs. There are 6 private challenge labs of increasing difficulty that will teach you what you really need to learn from the course material, with the last supposed to be representative of the exam environment.
The labs are great fun and I highly recommend doing them in as many different ways as possible to best prepare for the exam - e.g. using tools remotely from Linux & tools on Windows with/without credentials to simulate all possible scenarios that could appear in the exam. Also after doing the labs, I found great benefit in searching through the discord channel history to see how other students tackled the labs, which taught me a bunch of other ways to do them I hadn’t even considered.
The course uses meterpreter as the open-source C2 which I personally opted for within the labs & exam. I also went back through the labs with sliver which is definitely favourable for real engagements as even with evasion techniques meterpreter is heavily signatured.
A slightly frustrating thing about the labs is that each time you connect to the lab VPN your IP address changes meaning all the shellcode in your payloads needs to be manually regenerated. However, this is a blessing in disguise as it forces you to automate the payload building process and build an offensive tooling pipeline.
Exam
The OSEP exam simulates a live network in a private VPN, which contains multiple machines in a corporate network giving 48h to obtain 10 flags or gain access to secret.txt + 24h for reporting. There weren’t very many exam slots over christmas and the new year and with the exam being pretty lengthy there wasn’t a great deal of opportunity where I had free time to take it.
I grinded through my uni deadlines before Christmas and picked the first available exam slot in the new year to start at 08:00 on 04/01/2024. With my course access having expired on 09/12/2023 I had about a month to do further practice for the exam so I completed Zephyr and half of Cybernetics from HTB, having already done Offshore last year. This was a great idea getting some more pivoting practice with ligolo-ng and refining my C2 workflow which really sped up the exam and was definitely useful for Offsec’s creative thinking needed in the exam.
I took a recommendation from the discord to use Firefox for the proctoring software to avoid the extremely buggy Janus plugin they make you install if you want to use Chrome which disconnected for me every 10-15 mins when taking the OSCP. This paid off having no disconnect issues this time round and allowed me to forget the proctors were even there!
Overall the exam was challenging as expected, but fair, pretty fun and definitely built on the stuff taught on OSCP. My best tip would be that trying too hard is sometimes the problem, keeping it simple and enumerating more should do the trick! I got the first flag 1.5 hrs in, then progressed gradually through the environment, getting stuck twice for what seemed like an age with nowhere to go. But I kept at it and surprisingly ended up with secret.txt 8.5 hours in. I grabbed a few more flags for the fun of it then focused on making the report whilst still having access to the environment to ensure I had all the required screenshots.
At 1 AM I was falling asleep at my computer so went to bed, taking it easy the next day finishing up the report with plenty of breaks. I ended up submitting a 90 page overly verbose report at 40 hours in, ending the exam early feeling pretty pleased.
1 day later, I got my passing email with the nice green certificate!
I learned from the time-consuming pain of formatting my OSCP exam report using Word on a few hours sleep and decided to write this one up in Evernote, exporting to markdown and used this awesome template repo to convert the
.mdto a beautiful looking
Final thoughts
Honestly, I absolutely loved this course and would recommend it to anyone wanting to level up their offensive security game. The awesome feeling of getting .doc phishing macros or process hollowers round defender was easily the best part of the course. Although I would say the course content does need an update as it is missing more modern attacks against ADCS, GPOs, SCCM and evading more modern defences like WDAC, EDR and ETW.
However, in 2024 it still does a brilliant job at levelling up skills and bridging the gap from OSCP to more advanced penetration testing. I’ve seen many say the evasion is outdated but I think a lot of people take the course material too literally and expect the exploits to work out the box, which will never work when trying to evade constantly evolving AV signatures. Using what is taught in the course, searching GitHub and doing slight tweaks will get the C# shellcode loaders past fully updated defender easily so is still very relevant. Especially with AD environments I’ve seen IRL, this course is more than sufficient to get you DA with no issues on your next engagement.
What’s next? I’ll likely finish up Cybernetics then check out the red team labs from Vulnlab, as well as finishing up my dissertation at uni and try to get a pentesting job when I graduate in a few months time - if you’re hiring, feel free to reach out for a chat ;)
