OffSec Experienced Penetration Tester (OSEP) Review - July 2024
Although I obtained my OSEP certification on July 11, 2024, I couldn't write the review earlier because I was on vacation and overloaded at work.
Recently, I was fortunate to obtain the OffSec Experienced Penetration Tester (OSEP) certification from OffSec (previously known as Offensive Security). OSEP is generally considered a red team (attack simulation) certification. However, OffSec itself calls OSEP an Experienced Penetration Tester certification.
What is OSEP (OffSec Experienced Penetration Tester)?
Offensive Security's E-level certifications are considered expert-level certifications and are divided into three areas: infrastructure (OSEP), web application (OSWE), and exploit development (OSED).
Once you complete all three, you become an Offensive Security Certified Expert (OSCE-3). So OSEP is one of the three OSCE-3 certifications, and it is associated with the PEN-300: Advanced Evasion Techniques and Breaching Defenses course.
To take the OSEP exam, you need to purchase the PEN-300 course. It does not cover the basic pen-testing techniques taught in the OSCP course, because OSEP focuses on advanced penetration testing and attack simulation.
Course Structure
I won’t delve into detail about each of the subjects, as you can easily find that information on Google. Instead, I will highlight my perspective, which other people may have overlooked.
The OSEP certification focuses on modern Active Directory attacks, including creating custom tools, client-side exploits, process injection, antivirus evasion, advanced lateral movement on Windows and Linux, and advanced MSSQL lateral movement attacks, all of which can be found in modern Active Directory infrastructures.
The following topics are covered in the PEN-300 course:
1. Operating System and Programming Theory
2. Client Side Code Execution With Office
3. Client Side Code Execution With JScript
4. Process Injection and Migration
5. Introduction to Antivirus Evasion
6. Advanced Antivirus Evasion
7. Application Whitelisting
8. Bypassing Network Filters
9. Linux Post-Exploitation
10. Kiosk Breakouts
11. Windows Credentials
12. Windows Lateral Movement
13. Linux Lateral Movement
14. Microsoft SQL Attacks
15. Active Directory Exploitation
Many of these topics cover modern attack techniques used by adversaries, such as Windows lateral movement, Linux lateral movement, Microsoft SQL attacks, Active Directory exploitation, and AppLocker bypass. The malware development areas, such as process injection and antivirus evasion, are decent as well, because the course gives you hands-on experience with basic malware development to bypass signature-based detection, along with basic payload encryption and obfuscation.
This is fair enough, because the main objective of PEN-300 is to give you fundamental knowledge of malware development and the experience of writing basic malware, so that you understand how known signatures are bypassed and how basic process injection techniques work. Afterward, you will know which areas to focus on and what to develop next, such as evading modern EDR/EPP and antivirus systems. Without that fundamental knowledge of malware development, you can't progress to these advanced areas.
My favorite part of this course is the DevOps-based lateral movement, such as SSH lateral movement and Ansible-based attacks. I could not find those areas in other red team courses on the market.
Challenges Lab
Since I already had experience in attack simulation and had completed CREST CCT INF, CRTO, APTLabs, and a few Black Hat red team courses, I did not go through the course material and lab. No sooner had I purchased the PEN-300 course than I started the Challenge Lab.
There are 6 challenges, each with a different setup, ranging from small to large networks. The Challenge Lab lets you experience the various TTPs you learn from the PEN-300 course and lab, from initial access to achieving the objectives and taking control of the domain. I enjoyed the Challenge Lab because it covered several initial access and lateral movement techniques, including Linux-based lateral movement, and a wide range of post-exploitation techniques for Linux and Windows.
Exam Timing and Structure
Before the exam, you should check all the requirements on OffSec's website. You have to get through the proctoring process to verify who you are and the place where you are taking the exam. You will receive a VPN pack once the proctoring process has been completed successfully.
You are given a fictional corporation and domain name. The network contains multiple machines, like any other corporate network. The exam objective is to obtain either 10 flags or access to secret.txt. Each flag is worth 10 points, the exam lasts 47 hours and 45 minutes, and it simulates an attack from external reconnaissance to actions on objectives.
You first have to obtain a foothold in the given domain, then move laterally into the internal network, following the cyber kill chain from recon to actions on objectives.
I scheduled my exam for 7:00 a.m. on July 6, 2024, and joined the proctoring tool at 6:40. They sent me the VPN at 6:50, and I started my exam at 7 a.m. I took a break from 11 to 12:30 and continued my exam until 4:30; after that, I took a long break until 7 p.m. I continued my exam at 11 p.m. and then stopped, since I had obtained more than enough to pass OSEP.
The following day, I worked on the exam report, which I submitted on July 9, 2024. I received the exam results three business days after I submitted the report, indicating that I had passed the exam.
Conclusion
From my perspective, the OSEP exam structure is solid and gives you experience with the full cyber kill chain, from external reconnaissance to actions on objectives, as seen in ransomware and other adversary attacks. However, other exam vendors, such as CRTE and CRTO, focus on assumed-breach attack simulation, which does not cover initial access into the target organization. The OSEP exam infrastructure resembles how most cyber attacks occur in the FSI industry and elsewhere. This is what I admire most about this exam.
Finally, many of the red team courses available on the market do not cover advanced client-side attacks from an external position to the same extent. Based on my experience with the 6 Challenge Labs, many of the client-side attacks involve multiple stages of the kill chain, such as AMSI patching in the PowerShell runtime and bypassing PowerShell Constrained Language Mode (CLM), which is very common in most corporate networks. As I said, this course gives you the full cyber kill chain experience from an adversary's perspective.