OSEP Review

OSEP (OffSec Experienced Professional) is an OffSec
(previously known as Offensive Security) certification,
launched in late 2020.

It is one of the three certifications (along with
OSWE and OSED) that together form OSCE3, the
replacement for the mythical OSCE. OSCE was far more
advanced and difficult than OSCP, but its contents,
although mostly still relevant up to its retirement,
dated back to 2012.

The first exams were reportedly taken in January 2021,
and John Hammond was arguably one of the first to earn it.

OSEP is about advanced Pentesting and Red Teaming
techniques and is heavily focused on creating custom
tooling, client-side abuses (Office, WSH, MSHTA),
process injection, Antivirus evasion, advanced lateral
movement (Windows/Linux) and Active Directory attacks.

To enroll in OSEP, you have multiple plan choices.
I used the Course & Cert Exam Bundle, which allowed me to:

  • Get access to the course material (written and videos)
  • Download the course materials (once!)
  • Get 90 days of lab/challenge access
  • Get 1 exam attempt

As it was designed to replace the honestly weak
evasion section of the Cracking The Perimeter (CTP)
course, OSEP can be ranked as a hard certification. The
course that prepares you to take the certification
is called PEN-300. Let's take a look at the course
summary.

PEN-300

The official PEN-300 syllabus can be seen
here.

The first two chapters are informative. The first
is an introduction to the course, materials, labs,
and exam information. The second describes Windows
Operating System theory, including the Win32 API,
WoW (Windows on Windows) and the Windows Registry.

The next two chapters are focused on client-side attacks.
Starting with HTML smuggling and VBA basics, the
third chapter rapidly escalates in difficulty with
PowerShell download cradles, calling .NET objects from
PowerShell, and Reflection. The fourth chapter describes
abuses of the Windows Script Host tool, which can run
arbitrary VBScript and JScript code. As there is no
known way to directly call Win32 APIs from JScript,
tools like DotNetToJscript and SharpShooter are used
to accomplish this task via deserialization.

The next chapter is about Process Injection, where
different techniques are described to inject code
into another process, including the use of Win32 APIs,
DLL Injection, and Process Hollowing. Those techniques
can be used together with the client-side attacks
described in the previous chapters, and this is where
the fun of PEN-300 starts.

The next two chapters cover Antivirus bypasses, with
techniques like obfuscation, behavioral bypasses,
sandbox detection and AMSI bypasses.

The following chapter was my favorite, and it is about
AppLocker bypasses. Several techniques are described
thoroughly, including the use of custom PowerShell
runspaces and the use of client-side attacks to bypass
AppLocker rules.

There are two non-consecutive chapters (Bypassing Network
Filters and Kiosk Breakouts) which are highly theoretical
and too specific. IMO, that kind of content is more
relevant in a blog article than in a chapter of a
certification book, and if they chopped that content
from the course materials, nothing relevant to OSEP
would be lost.

The chapter Linux Post Exploitation is somewhat weak
too. A couple of abuses using VIM backdoors are described.
The only fun part was the implementation of DLL injection,
but in the Linux realm, using shared libraries.

Then a chapter appears that restores the expected level of
the course. Enter Windows Credentials. In this chapter,
the most common ways of abusing Windows credentials are
covered, including SAM dumping, security token
manipulation and Kerberos, and a custom MiniDumpWriteDump()
implementation is created to dump the LSASS process
memory while avoiding AVs.

The next chapter, Windows Lateral Movement, is also
very interesting. Abuses of RDP are explained, beyond
the obvious use of the protocol for lateral movement.
Also, a technique called Fileless Lateral Movement was
quite fascinating and relevant for everyday Red
Teaming engagements.

The chapter Linux Lateral Movement also describes
abuses of the SSH protocol and of tools that can be
found on modern Linux servers that are part of an
on-prem DevOps infrastructure, like Ansible and JFrog.
It also mentions how Kerberos and other things
relevant to an Active Directory deployment apply to
a Linux domain-joined machine.

The next two chapters are the largest. Microsoft SQL
Attacks and Active Directory Exploitation cover
misconfigurations that can be leveraged to escalate
privileges in an AD domain. Although the longest,
their depth of content is nothing like courses such as
CRTP, CRTE, CRTO and eCPTX. If you are expecting to
master AD attacks using only the PEN-300 content,
you may be disappointed.

And finally, the last chapter, Combining the Pieces,
was my second favorite. It is a very helpful chapter
describing a sample scenario in which most of the
techniques described throughout the course are
employed, which gives a glimpse of what the
Challenges and the Exam look like.

Lab

Alongside the course contents, there are labs in
which you can practice everything that is presented.
Each lab may contain one or more machines, with
different configurations and learning objectives.
You will need to use an OpenVPN client to access the
environment.
For most of the course contents, there are exercises
to practice in the lab. You may end up with several
custom tools for specific attacks. I heavily recommend
organizing them properly, because many of those tools
will be used during the Challenges and even the Exam
with minimal changes. This is how I arranged the
resulting artifacts during the course:

Lab notes layout

Challenges

Aside from the labs, there are six challenges
included in the PEN-300 course. Those challenges
provide an environment in which you must gather
flags on different machines to complete them. The
first four challenges are focused on specific
topics of the course. The fifth and sixth are
broader in scope and simulate very well what the
exam environment looks like.

Take notes and save any tool you create or modify
when solving the challenges. I created a notes.txt
file at each stage of the challenges to use it
as a reference:

Challenge notes layout

Therefore, it is absolutely recommended to finish
all the challenges before attempting the
exam. You can thank me later.

Exam Tips

  1. Finish all the challenges before attempting the
    exam. That's it. Bye. Jokes aside, this is the
    most important tip of all. If you can, even
    solve them twice…
  2. I strongly recommend taking certifications
    like CRTP or CRTO before attempting OSEP. Life will
    be easier.
  3. Practice on HTB:
    1. Cybernetics (Prolab)
    2. Offshore (Prolab)
    3. Dante (Prolab)
    4. Hades (Endgame)
  4. Join the OffSec Discord server.
    The community is awesome, and there are OffSec
    support personnel who can assist with anything
    related to the course, labs, and challenges.
  5. There are different exam environments. If you
    fail, the retake may not use the same
    environment as the first attempt. Take that into
    account.
  6. The VPN connection is not stable. As it is a
    UDP tunnel, there can be problems with the MTU
    size calculation (VPN MTU > link MTU), which can
    lead to packet loss during heavy traffic, such as
    downloading/uploading a file to the environment,
    performing port scanning, etc. Follow
    this guide
    to troubleshoot it. In the end, I had to add the
    mssfix 1387 line to my OpenVPN connection file
    to fix those issues.

VPN fix

The Bad

The course content is slightly out of date. The last
update was in 2021, which is a very long time in the
highly dynamic world of Active Directory attacks.
Things that are not present include: ADCS abuses,
advanced coercion attacks (MS-RPRN, MS-FSRVP, MS-EFSR
aka PetitPotam, etc.), vulnerabilities like KrbRelayUp
and ZeroLogon, bypasses of modern technologies (EDRs, ETW,
ASR, WDAC, kernel callbacks), GPO abuses (!), WMI/COM,
and persistence mechanisms.

Also, the exam is proctored. The proctoring plugin makes
the computer really slow. I used a 4K screen, which made
my laptop run very hot. I had to change the resolution
to 2K to mitigate the resource consumption.

Comparison

PEN-300/OSEP covers several things from evasion to Linux
and Windows advanced attacks. If you want to get
comfortable with Active Directory attacks, doing CRTP
or CRTO first will give you a confidence boost.

CRTL is currently more up-to-date than OSEP in terms
of bypassing techniques. Doing it will also help you
with OSEP.

Finally, the closest certification to OSEP would
be eCPTXv2. The main difference is that OSEP includes
Linux attacks, while eCPTXv2 goes very deep into Active
Directory abuses.

Conclusions

PEN-300 is a high quality course. Aside from a couple of
chapters, every module had very rich and deep
technical information.
The course needs an update. Major abuses and
attacks have been discovered since the last update.
In the end, the OSEP certification will boost
your Pentesting skills to a whole new level.

*** This is a Security Bloggers Network syndicated blog from Fluid Attacks RSS Feed authored by Andres Roldan. Read the original post at: https://fluidattacks.com/blog/osep-review/