This post is intended to serve as a general guideline and to provide some useful resources to others who are looking to take OffSec's PEN-300 course and obtain the OSEP certification. This course has been a wealth of information, and I strongly advise anyone interested to look at the PEN-300 course syllabus. It mostly relates to penetration testing targeted towards a more hardened, modern network environment, which includes modern AV solutions and additional access controls. One of the most important aspects of the course is that it strongly focuses on penetration testing against an Active Directory environment.
PEN-300: Evasion Techniques and Breaching Defenses
Course details and Frequently Asked Questions
Who is the PEN-300 course for?
The official answer to the above question can be found on Offensive Security's website (quoted directly):
- PEN-300 is an advanced course designed for OSCP-level penetration testers who want to develop their skills against hardened systems
- Job roles like senior penetration tester, security researcher, application penetration tester, and any software developer working on security products could benefit from the course
My personal answer:
If you are interested in how modern AV solutions work and want a basic roadmap on how to evade them, and/or if you are interested in gaining some knowledge of what Active Directory is and how to find a lateral movement path and breach it, then you will most likely enjoy this course's learning path. The PEN-300: Evasion Techniques and Breaching Defenses course demonstrates and teaches a lateral movement approach through most of its sections, although the skills gained could be applied to other types of privilege escalation as well. Lateral movement describes the phase where, after gaining an initial foothold, an attacker obtains access to additional resources and potentially sensitive data in order to penetrate the internal network, reaching additional machines behind the DMZ, or machines which are not exposed to an external network and reside behind a firewall.
PEN-300 / OSEP Prerequisites
As stated in my AWAE course review: OffSec advises that this is an advanced-level course, and while not an actual requirement, it is strongly recommended to go through the PWK course first. One of the most frequently asked questions on Discord was the one below, to which I will try to provide an answer based on my personal point of view and experience.
“Do I need to be an OSCP to take the PEN-300 course?”
The short answer is that you can, but you definitely shouldn't. There was a really great example of this on Discord:
The PEN-300 exam is challenging, and it is far more challenging than the OSCP one. So if you want to skip the OSCP, make sure you are confident you would actually pass an OSCP exam. In my opinion, if you would not be able to handle something as pressured as an OSCP exam, then, even though you are given twice the time to solve the objectives, chances are high that you will fail. The exam requires you to have built a solid base and instinct on where and what to look for once you have spotted a technology that might be vulnerable, and to have a clear understanding of how to test it, be it for gaining an initial foothold or for moving laterally across the network.
While taking notes and preparing in advance the payloads that will be useful later is greatly helpful and rewarding during the exam, and is something most other reviews I have read also advise, be aware that this is by no means a copy-paste exam. You really need to be able to think and combine what you have found. One of the most challenging aspects of the exam is locating which piece of knowledge you need and where to apply it. You will not have time for research during the exam, so plan ahead and prepare well; as far as the concepts taught are concerned, you will need to already have them in your head. Once you have read the book, if you feel you lack understanding in some areas, you might want to revisit and reread those specific chapters, or, if you have the time, do an overall reread of the book. If you have no previous experience with AD, I believe watching the videos at least twice is a must.
“Do I need to further research apart from what is in the PEN-300 course materials?”
This is another question that tends to be asked quite often when someone is enquiring about the course. You may sigh with relief, as the answer is no, but you do need to be closely familiar with each of the concepts taught during the course. Having a solid understanding of what is inside the course and solving the PEN-300 challenges should be enough to pass on its own, and my advice is, once you have solved all the exercises and extra miles, to focus on and take your time with the challenges. I can guarantee that the effort you put into them will pay off and be really rewarding.
While some suggest HTB as an additional preparation step prior to the exam, this is by no means required, but it would definitely be helpful. If I had the time required to invest in this, I would have taken either HTB's Offshore or Cybernetics, and my first preference would be Offshore. I had already completed part of Offshore prior to starting the PEN-300 course and found it quite enjoyable, but I lacked the AD knowledge required to complete it at that time.
Bottom line – if you are willing to invest an additional month of your time and an extra $122, I suggest going for one of HTB's Pro Labs; otherwise, make sure you have understood and are familiar enough with the concepts taught during the course. Note that the cost of an exam retake is about twice that, so plan your investment properly.
“Do I need to do the extra miles?”
Extra miles are considered an additional challenge for those willing to put in the effort involved. While I consider that one could pass the exam without having solved them, as stated in my review of AWAE, I strongly recommend that you do so, mostly for the overall knowledge and problem-solving mindset you would gain from them.
Note that extra miles can be quite time demanding and may require you to do additional research that goes beyond the scope of the PEN-300 course syllabus.
I have a personal statement when it comes to OffSec's extra miles:
If you are not going to solve the extra miles, you are there for the cert. If you are interested in solving them and take the time to do so, you are there for the knowledge, and consider the certification an additional bonus added to it.
Personally I never start an exam without having completed all the extra miles, regardless of how much time it takes.
If you do not put the effort into solving the extra miles, you were never there for the knowledge as a main focus. There is nothing bad in this as long as you are clear about what your actual goal is. Having a certification of this rank always feels good and raises your value among employers, but I never consider it a goal on its own.
On a side note, if you have a busy schedule and feel pressured or required to spend more time on your day job and regular routine, I consider it acceptable to skip the extra miles, as they are not actually required to pass the exam.
“How much time do I need to prepare for the exam?”
Everyone thinks and learns differently, so that is an answer you will have to find for yourself. As a note, the most popular package offered gives 90 days of lab access, and I do believe that allocation is right, as long as you are able to dedicate yourself to it, even with no previous AD experience. I was already familiar with the majority of the AV evasion concepts taught, which might have sped up my learning curve a bit.
If you are familiar with Active Directory and how Kerberos authentication works, and you know what DCSync is and how Mimikatz works (not the actual commands, but the back-end mechanism of what a command is actually doing behind the scenes), you might be able to shorten your preparation time by at least half.
The PEN-300 labs consist of 6 challenges which require you to combine different types of vulnerabilities within an Active Directory setup. According to OffSec's official OSEP Exam FAQ, the last challenge is comparable in difficulty to the exam environment.
Solving the challenges is a must, and you will get a hell of a lot of torture and excitement out of them. If you get stuck at some point, you can ask for a nudge on OffSec's Discord channel – there will be either another student who can provide a hint, or an OffSec admin who might point you in a useful direction without providing any unnecessary spoilers.
Once again, the exam is challenging, and this is not an exaggeration. You have about 48 hours to fulfill the objectives given and gather enough points to get a positive result. The exam is also quite exhausting, so I suggest that you plan your time well ahead. I have noticed some students state that they completed the exam with barely any sleep – that seems to have worked for them, and if that is what you think might work for you, go ahead, but personally I strongly advise against this, and I will explain my reasons. Once you get tired and the tension and exhaustion kick in, your brain gets so worn down that your body shifts priorities, and you will lack the focus required to complete a single task effectively. What this means is, if you do not take at least a few hours of sleep overnight, eventually you will be doing in 2 or 3 hours what you would normally do in 1. Of course, that is a very loose comparison and highly individual, but I believe it is enough to stress the point. This is also without taking the health factor into the equation – 48 hours is a lot of time to go without sleep. It is as simple as this – the more exhausted you get, the less effective you are. Taking a short nap – even 30 minutes or less every few hours – should be sufficient to get you back in the game. As with any OffSec exam, part of the challenge itself is being able to organize your time effectively and according to your body's potential.
Of course, I do not suggest that you keep your regular sleep routine either – you will want to steal as much as you can from the time available; just make sure you are not sitting in front of a notebook trying to solve a challenge with a mind that has shut down. Remember that staying awake just for the sake of staying awake is of no help.
At the end of the post I will provide some useful preparation resources, some of which might extend beyond the requirements of the course syllabus and the PEN-300 exam.
It can take up to 10 business days to get your exam results, so be patient. If you have reached one of the objectives during the exam and have not violated any of the restrictions or policies, you should receive an email with the exam result stating that you have successfully completed the exam challenge and obtained the OSEP certification.
I received my exam result on just the 4th day after sending my documentation (and on a Sunday!), so I would like to express my admiration and gratitude to the OffSec team!
General PEN-300 / OSEP exam guidelines:
- It's a black-box test – do a detailed enumeration, and make it as effective as possible, without wasting any time on anything outside the scope of the course that would distract you from the objective.
- As a general rule for the OSEP exam, document everything you learn and every single exercise you solve. Build a cheat sheet which you can use once you locate a vector or attack path, so that you can quickly find anything you have learned during the course and anything you need.
- You will need to do some payload preparation prior to the exam to be more effective and to free up additional time for focusing on more important tasks during the exam.
- Once you have gained an initial foothold, always consider a lateral movement approach across the network to another target.
- It's an Active Directory environment – you need to look both for ways to attack a single machine and for the set of machines you would need to gain access to in order to move forward.
- Organize your time properly. While you are supposed to take breaks, eat and sleep, do not expect to have your regular day routine during the 48-hour exam. You will have to sleep less and think more, which will get you exhausted, especially on the second day.
- 48 hours are plenty of time. However, you will probably need all of it, so do not waste it.
- Take short breaks once some tension has built up. With exams like OSEP, locating an attack path might (at times) feel like a slow process. Do not get discouraged by this; just keep looking. Remember the famous quote that OSCP is a sprint and OSEP is a marathon.
- Have a clear understanding and a methodology for what you will do once you are presented with an objective. You will need to have already built your own personal methodology for enumerating an Active Directory environment and looking for potential attack vectors.
- Use automated tools which do not fall into the restricted category for the exam: BloodHound, linWinPwn, impacket-* scripts, etc.
- Do not postpone your report. Whatever work and effort you have put into solving the tasks on your exam, it will not be appreciated unless it is documented well. While it is a bit tedious, take the time to read over your report, fixing any grammar mistakes and improving the formatting. A professional report always leaves a good impression and is more pleasant to read, so try to present your findings in the most professional manner. The requirements for OSEP are a bit looser and allow a write-up style approach, so you do not have to be as strict as with OSCP.
Remember to schedule your exam date ahead! I usually pick a date just as I start a course, bearing in mind that it can be changed.
Useful preparation resources:
- Kerberos Explained (In 3 Levels Of Detail)
- https://adsecurity.org/ (Sean Metcalf's blog on AD; a must-read for anyone dealing with AD)
- DEF CON 24 – Beyond the MCSE: Red Teaming Active Directory
- An ACE Up the Sleeve: Designing Active Directory DACL Backdoors
more to be added…
written by @d7x