Passing the OSEP in 2024 – A Review

After about 10 months of study, I passed the OSEP exam last weekend. This has been something I have wanted to do for a few years now, but haven’t felt like I was in a position to consistently dedicate time to it until the middle of last year. I was provided access to the Learn One bundle through my workplace, and was confident that as long as I stayed consistent with my study I would be able to get the exam completed within a year.

The course and exam are a few years old now, and there aren’t too many reviews about how the OSEP stacks up in 2024. I wanted to write my thoughts on the OSEP given that the landscape of penetration testing certifications has changed dramatically since this was first released, back when OffSec had an effective monopoly on this niche of the certification industry.

The Course

The Offensive Security PEN-300 course was first released in October 2020, and replaced the now retired “Cracking the Perimeter (CTP)” course. The associated OSEP exam first became available in February 2021. At the time, the OSEP was a much needed modernised ‘next step’ exam for the OSCP which had also been significantly refreshed in 2020. The PEN-300 course builds on the material covered in the OSCP and focuses on bypassing security mechanisms that are designed to block attacks and lateral movement within a larger enterprise environment with multiple domains.

From my perspective, the PEN-300 is essentially split into two core components:

Client Side Code Execution (Initial Access):

  • Client Side Code Execution With Microsoft Office
  • Client Side Code Execution With Jscript
  • Process Injection and Migration
  • Advanced Antivirus Evasion
  • Application Whitelisting Bypasses
  • Network Filter Bypasses

Advanced Network Penetration Testing:

  • Linux Post-Exploitation
  • Kiosk Breakouts
  • Windows Credentials
  • Windows Lateral Movement
  • Linux Lateral Movement
  • Microsoft SQL Attacks
  • Active Directory Exploitation

The course and the labs are essentially split into these two components, where you first learn about different methods and techniques to gain code execution for initial access on a machine, and then proceed to perform network penetration testing through privilege escalation, pivoting, lateral movement and persistence to ultimately compromise the domain(s) within the given network.

Course content is delivered via text and video, with a sufficient level of detail provided in both formats. It can be difficult to stay focused when reading or watching the course material, so I suggest you try to learn as you go with the labs if you are short on time, or make sure to keep your learning consistent if you have the Learn One bundle and more time to spare.

The Labs

There are 6 Challenge labs where you can practice the material covered in the course, with each lab focusing on different techniques or attack paths. The labs overall were well done and stable in my experience, and I completed all the labs twice to ensure I had the various techniques understood and documented before my exam attempt. I would highly recommend doing all the labs before attempting the exam, especially the ones that have larger Active Directory networks as these are fairly similar to the exam environment.

In terms of initial access, the labs were set up so that the vector required to obtain client side code execution was extremely obvious almost immediately, which wasn’t the case in the exam. This actually took me by surprise a little, but if you’ve completed the OSCP or have experience on platforms like HackTheBox you will also be able to clear this section in the exam without too much trouble.

Outside of these 6 challenge labs, there isn’t much else to practice on. A dedicated learner could probably go through these labs within 30 days fairly easily. For other practice environments, you’ll have to turn to resources such as the Cybernetics or Offshore labs from HackTheBox, which also provide simulated Active Directory environments. I had completed Offshore prior to the OSEP and it overall felt fairly similar, though the OSEP has a bigger emphasis on evasion techniques than Offshore does.

I personally find “doing” to be the best way of learning, so while the course content and videos had a good amount of detail, I do wish there were two or three more challenge labs to go through to really give students something to sink their teeth into before attempting the exam.

The Exam

I started my exam attempt at 6am on Saturday morning, figuring it would be best to wake up early and give it my best shot over the first day. I made steady progress throughout the day, making sure to take frequent breaks. I even took an hour and a half off at one point to go clear my head at the gym on Saturday afternoon. Taking frequent breaks definitely helped to keep me focused, and by 10pm on Saturday night I had 10 flags with a clear direction on where I could keep progressing.

I decided to call it there for the first day, and came back at about 7:30am on Sunday morning. By about lunchtime I had 13 flags and decided to start wrapping it up. I spent another 2 hours triple checking all my screenshots and flag submissions to ensure there were no mistakes, before ending the exam at roughly 3pm on Sunday.

Although I didn’t manage to find the secret.txt file, I did fully compromise the Domain Controller and probably could have found the secret.txt if I had kept going, but I decided to instead focus on reporting and finish up early. By 3pm I was pretty much exhausted and was happy to end my exam session and get some rest. I did the bulk of my reporting as I went, and had it largely finished by the afternoon when I finished up. I gave it a final edit early on Monday morning before submitting it to OffSec. It took just under 5 days for the email notification to come through saying I had passed.

Post Exam Thoughts on the OSEP

As I said at the start of this post, the OSEP is split into two sections: Client Side Code Execution (Initial Access) and Advanced Network Penetration Testing.

My concern with the techniques taught in the initial access section is that they are unlikely to hold up against modern defensive tooling. Best in class EDR products such as CrowdStrike or Defender for Endpoint are highly likely to detect the bypass techniques taught in the course as they are currently presented. A recent CrowdStrike blog post discusses newly identified attacks that start with process hollowing and then add a further trigger, with the parent process writing to a pipe to kick off the next stage. In the course, process hollowing alone is taught as the most effective way to create an executable that bypasses antivirus, but four years on from when the course was first released, an executable that only implements process hollowing is no longer going to cut it.

Another example of how the course feels outdated is the emphasis on Jscript, HTA files and Office macros for obtaining code execution. These attack vectors are increasingly being phased out in modern environments and teaching them is almost irrelevant in 2024. Microsoft now blocks macros by default in Office documents that came from the internet, while the Jscript and HTA based attacks in the course lean on Internet Explorer and its MSHTML engine for execution; Internet Explorer has been out of support since June 2022 and is effectively no longer in use. While macros may still have their place in an attacker’s toolkit, the heavy focus on macros from both Microsoft and security vendors in recent years has significantly reduced their effectiveness, with Proofpoint even stating that “macros barely made an appearance in campaign data” in 2023. With the move away from macros and Internet Explorer no longer being present or in use, APTs have switched to abusing LNK, PDF and HTML files to obtain code execution. Unfortunately, none of these newer techniques are taught in the course.

Another classic example is how post-exploitation of a machine consists of disabling antivirus so that post-exploitation tools can be run to gain further information or access to the network. Every time I found myself doing this in the labs or exam, I couldn’t help but feel that this is no longer the best way to teach advanced network penetration testing. Most modern endpoint products now ship with tamper protection, so they cannot be disabled or removed even by a local administrator. Even where it can be disabled on a machine, the minimum expectation would be for that activity to raise an alert for a security team to investigate. OffSec advertises this course as “teaching learners to perform advanced penetration tests against mature organizations with an established security function”. If that is the case, then gaining administrative access, disabling antivirus and running out-of-the-box Mimikatz or Rubeus binaries is not going to cut it.

There is also zero consideration for OpSec or the Blue Team function, and students are largely encouraged to be as noisy as they like, leaving testing artefacts on machines, running commands such as “net user”, or using PsExec for lateral movement, all of which are typically very easy to log and track in enterprise environments. Even the reverse shells used for initial access have no consideration for traffic obfuscation built in, with techniques such as DNS tunnelling not mentioned in the course at all. It is important for penetration testers to be aware of what they are doing in a network and how their activity could be detected or alerted on. It is also useful for any Blue Teamers taking the course to be able to identify the ‘noise’ these techniques generate and improve their detection capability. Other courses such as the CRTO use Cobalt Strike and come with a Splunk instance so students can view their own activity from a detection perspective, which I think is something OffSec needs to consider moving forward as the line between Blue and Red teams becomes increasingly blurred.
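To make the “noise” concrete, here is a small set of detection rules run over a handful of constructed Windows event records, covering the three habits called out in the two paragraphs above: installing PsExec’s service on a target, running “net user”, and switching off Defender real-time protection. This is an added example written for this review, not code from the original post or from OffSec’s course; the event records are constructed, not real telemetry, and the field names only loosely follow the Windows event schema.

```python
"""Toy detection rules for the noisy techniques discussed above.

Added example, not code from the original post or from OffSec's course.
The event records are constructed for illustration, not real telemetry.

What each technique leaves in native Windows logs:
  * PsExec copies PSEXESVC.exe into ADMIN$ (%SystemRoot%) on the target and
    registers it as a service, logging a System event 7045 (service installed).
  * `net user ...` hands off to net1.exe; with command-line auditing on, the
    Security 4688 (process creation) event carries the full command line.
  * Turning off Defender real-time protection logs event 5001 in the
    Microsoft-Windows-Windows Defender/Operational channel.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Event:
    """One Windows event, flattened to channel, id and named fields."""
    channel: str
    event_id: int
    fields: dict = field(default_factory=dict)


DEFENDER_CHANNEL = "Microsoft-Windows-Windows Defender/Operational"

# Constructed sample events: three that should alert, two that should not.
SAMPLE_EVENTS = [
    Event("System", 7045, {"Computer": "FILE01.corp.local",
                           "ServiceName": "PSEXESVC",
                           "ImagePath": r"%SystemRoot%\PSEXESVC.exe"}),
    Event("Security", 4688, {"Computer": "WS07.corp.local",
                             "NewProcessName": r"C:\Windows\System32\net1.exe",
                             "ParentProcessName": r"C:\Windows\System32\net.exe",
                             "CommandLine": "net1  user backdoor P@ssw0rd! /add"}),
    Event(DEFENDER_CHANNEL, 5001, {"Computer": "WS07.corp.local"}),
    # Benign: a legitimate service install and an ordinary process start.
    Event("System", 7045, {"Computer": "FILE01.corp.local",
                           "ServiceName": "Sense",
                           "ImagePath": r"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"}),
    Event("Security", 4688, {"Computer": "WS07.corp.local",
                             "NewProcessName": r"C:\Windows\System32\notepad.exe",
                             "ParentProcessName": r"C:\Windows\explorer.exe",
                             "CommandLine": "notepad.exe"}),
]

# net.exe or net1.exe (bare or full path) followed by the "user" subcommand.
_NET_USER_RE = re.compile(r"(^|[\\\s])net1?(\.exe)?\s+user(\s|$)", re.IGNORECASE)


def is_psexec_service_install(ev: Event) -> bool:
    """System 7045 whose service name or binary is PsExec's default PSEXESVC.

    PsExec's -r option renames the service, so this only catches the
    out-of-the-box usage the course teaches.
    """
    if ev.channel != "System" or ev.event_id != 7045:
        return False
    name = ev.fields.get("ServiceName", "")
    image = ev.fields.get("ImagePath", "")
    return name.upper() == "PSEXESVC" or "PSEXESVC" in image.upper()


def is_net_user_command(ev: Event) -> bool:
    """Security 4688 where net.exe/net1.exe runs the 'user' subcommand."""
    if ev.channel != "Security" or ev.event_id != 4688:
        return False
    return bool(_NET_USER_RE.search(ev.fields.get("CommandLine", "")))


def is_defender_realtime_disabled(ev: Event) -> bool:
    """Defender operational event 5001: real-time protection turned off."""
    return ev.channel == DEFENDER_CHANNEL and ev.event_id == 5001


RULES = [
    ("psexec_service_install", is_psexec_service_install),
    ("net_user_command", is_net_user_command),
    ("defender_realtime_disabled", is_defender_realtime_disabled),
]


def run_rules(events):
    """Return (rule_name, host) pairs for every event that matches a rule."""
    alerts = []
    for ev in events:
        host = ev.fields.get("Computer", "?")
        for rule_name, predicate in RULES:
            if predicate(ev):
                alerts.append((rule_name, host))
    return alerts


if __name__ == "__main__":
    for rule_name, host in run_rules(SAMPLE_EVENTS):
        print(f"{rule_name:28s} {host}")
```

Run as-is it prints one alert per noisy action and nothing for the two benign records. The point is not that these three rules are hard to write (they are trivial, which is exactly the problem with the techniques they catch) but that the 7045 and 4688 events are on by default or a single audit policy away, so a Blue Team with even basic log collection sees every step the course teaches.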

With all that said, the OSEP is a good challenge and is a worthwhile certification to get for penetration testers, aspiring Red Teamers and active Blue Teamers. The heavy emphasis on Active Directory makes it especially useful for enterprise environments where a lot of the misconfigurations in the course are likely to be present. Most of the Active Directory toolkit is covered here, and students will be able to use tools such as BloodHound, Mimikatz and Rubeus effectively by the end of the course. I definitely picked up a few new tricks along the way, and if nothing else it was great to “get back into it” and commit to studying for and passing another OffSec course. While I do think there are probably better resources and courses out there in 2024, passing an OffSec exam is still extremely hard work and requires a level of commitment and dedication that practically guarantees you will learn something along the way.

Kento.
