OSEP certificate (Offensive Security Experienced Penetration Tester)

PEN-300 and the OSEP Certification | Offensive Security

In this post we are going to talk about one of the new certifications offered by Offensive Security, specifically OSEP (Offensive Security Experienced Penetration Tester).

This certification is part of the new OSCE, along with the also new OSED (Offensive Security Exploit Developer) and OSWE (Offensive Security Web Expert).

Like all Offensive Security certifications, it is mandatory to take the course associated with the certification, called “Evasion techniques and breaching defenses”, which we will also talk about later.

As of today, the price of the course is $1299, which includes 2 months of lab access and the exam sitting (of 48 fantastic hours :P).

I guess, if you’re reading this post, you already knew all of the above, so let’s dig into what you probably don’t know!

Is this certification worth it?

In my opinion, emphatically YES. It is an advanced level certification (higher than the highly regarded OSCP) that will allow you to take your skills to the next level.

In this case, we assume we are dealing with heavily defended environments, and our goal is to compromise organizations without a single security vulnerability at the perimeter. I say “we assume” because, both during the training and in the exam, it will be necessary to apply basic vulnerability exploitation knowledge for initial compromises or lateral movement.

Regarding the aforementioned required knowledge…

What level do I need to access this certification?

As mentioned above, it is an advanced course and certification. You should have at least OSCP level with strong networking skills and, preferably, basic programming knowledge, with special emphasis on Visual Basic and C#.

What are we going to be able to learn?

Surely, by now you have accessed the certification syllabus found at https://www.offensive-security.com/documentation/PEN300-Syllabus.pdf.

In my opinion, of everything we can find in the table of contents, the most interesting things are the following blocks:

  • Code execution with Office. In this block we will learn how to inject shellcode directly into memory, avoiding the disk (and we all know the benefits of avoiding the disk).
  • Code execution with C#. In this block you will not only learn how to create .dll and .exe files in C# that inject the shellcode directly into memory; you will also be able to apply simple (or complex, depending on your programming skills) ciphers to the shellcode, convert it to JScript and even create .hta files to evade different security measures such as AppLocker.
  • Simple and advanced antivirus evasion. This block gives you the theory needed for the rest of the modules and explains how to evade everything from a simple signature-based antivirus to the most sophisticated EDR.
  • Application Whitelisting. You will find the theory of how AppLocker works and some of the evasion mechanisms used, such as InstallUtil.
  • Windows credentials and lateral movement. In this block you will delve into the authentication mechanisms and how to abuse them to extract credentials and perform lateral movement. It is probably one of the most important blocks of the course, because understanding it is fundamental for several sections and it is used in each and every one of the challenges.
  • Microsoft SQL attacks. During this block you will learn the mechanisms needed to enable and execute commands on the servers themselves, or to use them to pivot to other machines with interesting techniques such as NTLM relay.
  • Active Directory exploitation. Another of the big blocks of the course, where you will study how to abuse the trusts between domains and/or escalate privileges from a subdomain to its root.

Broadly speaking, all this comprises the syllabus, but it will not be the only thing. You will also need to perform extensive domain enumeration, study the results and follow a plan to become Enterprise Admin or Domain Admin.

Another of the big unknowns you may have before signing up is the lab…

How will you be able to practice?

Just as you may have encountered in the OSCP, each topic has its own exercises for you to practice everything you have learned.

But unlike the OSCP, the OSEP has only 6 challenges, each one more difficult than the previous one.

Each challenge is a business organization that you have to access using various methods (Office macros, .hta, C binaries, etc.) or by exploiting vulnerabilities (it’s rare, but you will find it).

Once you have the initial compromise, you will have to compromise the whole organization, which can range from a couple of computers to 9, passing through different user workstations, servers, domains and/or networks protected by many security measures such as AV, firewall, AppLocker and PowerShell restricted language, among others.

Once the lab is finished, it will be time for the dreaded exam.


What is the exam like?

The exam is a corporate network that you are going to have to compromise in 48 hours.

I recommend that, as soon as you start the lab, you schedule your exam so you can select the day and time that works best for you; I made the mistake of not doing so and started on a Tuesday at 5 A.M.

Regarding the exam, you can pass in 2 different ways.

  • The first one is by getting 100 points, which you collect by finding local.txt and proof.txt files (each one is worth 10 points).
  • The other option is to find secret.txt. If you find this file you can directly turn off the computer and go for a beer. Obviously, finding it will cost you more effort than reaching the 100 points.

Once you’ve got the 100 points or the secret file, it’s time to do the report, for which you’ll have an additional 24 hours. So be careful with that beer…

My experience

I started with the two-month plan, which is enough if you have a minimum base of knowledge or are going to be able to devote enough hours a day to studying.

Before signing up for the certification, I studied everything related to macros and C#, because you can practice it without a large environment behind it, just with your development virtual machine (which I highly recommend keeping throughout the whole lab and exam).

Regarding the time spent, each person has a different background and will need more or less study time. In my case, during the first weeks I could afford to study for quite a few hours, which allowed me to go through the challenges several times and rest for a couple of weeks before the exam to recover from all the wear and tear involved.

Regarding the exam, as I said, I started at 5 in the morning, although the doubt about whether you are ready to take it hovers until the last day.

Once done, I can say that you are ready for the exam if you have done all the challenges, even if you needed a little push at some point.

The difficulty of the exam is high, and the pressure to complete it in 48 hours even more so, so keep your knives sharpened to face anything. And by sharp knives I mean having your macros ready, your C# ready, commands ready to copy and paste, and a good pot of coffee.

Fortunately, I had the knives very sharp and was able to compromise the network and locate the secret.txt file in 15 hours, with a couple of hours for lunch and rest in between. However, in the Offensive Security chat itself you will be able to find dozens of accounts of 48 hours without sleep that did not even reach 50 points. My recommendation is: DON’T BE TOO CONFIDENT, but if you are prepared, it is within your reach!

Finally, the delivery of the report is almost like another exam (it cost me more effort than the exam itself), in which you have to be very careful to avoid failing for not delivering enough documentation or for documenting it poorly. To give an example of the danger of the report: you will find machines where remote interactive shell access will be unfeasible for different reasons; however, delivering a screenshot of proof.txt taken over RDP is considered invalid.

I hope all of this helps you decide whether to certify or not, but in case you decide to go for it, I can only tell you…
