Getting the OSEP cert

Before PEN-300
Before starting the PEN-300 course, I encourage you to take PEN-200 or HTB-CPTS.
On PEN-200, the machines were unrelated to each other; the study and exam were based on exploiting a single host. On PEN-300, everything is connected: the course teaches how to take control of a corporate environment, not just a single host.
Therefore you need to know what a penetration test of a whole environment looks like. It's also worth adding that during the OSEP exam you can use Metasploit freely. The course is about attacking AD, but it assumes that you already know the basics.
There will be a lot of pivoting and tunneling during the course, so it is worth getting familiar with the topic. In my opinion, the article and course material cover the subject thoroughly.
The last topic is the C# programming language. You do NOT need to be a specialist or have experience writing in this language to take part in the course; it is explained very thoroughly in the material. However, if you do not program much or feel the need to educate yourself, these links are more than enough:
C# for n00bs from Zeropoint Security
Introduction to C# from Hack The Box
Writing custom backdoor payloads with C# - Defcon 27 Workshop from @mvelazco
C# Tutorial - for Beginners and Foundational C# Certification from FreeCodeCamp.
PEN-300
In the first part of the course, you will learn a lot about bypassing security. The provided PDF materials are extensive enough to help you pass the exam. However, if you want to further enhance your knowledge, here are some additional resources:
https://karol-mazurek95.medium.com/av-evasion-techniques-aa0742d806db
https://www.whiteoaksecurity.com/blog/alternative-execution-macro-saga-inkpicture-part-1/
The second half of the course is about lateral movement and exploiting AD. In my opinion, this part is not enough to take part in the labs and pass the exam; you need to get that knowledge from other places. I found the mindmap below on how to exploit AD very helpful:
If you are looking for tools & commands for exploiting AD, check these blogs:
Windows & Active Directory Exploitation Cheat Sheet and Command Reference :: Cas van Cooten
Active Directory Cheat Sheet - One Liners, VB Scripts, Queries Etc (brakertech.com)
Tools that automate the post-exploitation phase for both Linux and Windows, which are very helpful for the labs, the exam, and work (thanks @Karmaz95):
Karmaz95/crimson_lisp: Linux Post-Exploitation tools wrapper
Karmaz95/crimson_wisp: Windows Post-Exploitation tools wrapper
Study Materials
After PEN-300
If you have completed the 6 challenges (labs) only once and still have spare time, you should consider doing them a second time. If you then feel prepared, go straight for the exam. If you need more practice, you can try some labs from HTB:
Additionally, I did some payload preparation before the exam. Make sure to collect all the payloads you have written throughout the course and have them ready to deploy. Write down the scripts, commands, and tools you were taught throughout the course and know how to use them. Since PEN-300 provides the compiled binaries of the tools throughout the labs, I recommend saving them all in one place so that you have a canonical version of Mimikatz or Rubeus that you know will work in the exam environment.
You should also prepare a Windows development virtual machine that uses a shared drive from your Kali machine to easily build and test payloads. Even though the labs and exam provide a development machine, it’s a little slow over the VPN. Microsoft provides a free Windows development VM that’s perfect for the job.
OSEP EXAM
I cannot say much. The exam was challenging for me. The course prepares you very well to bypass security, but you must practice AD exploitation, especially lateral movement, before taking the exam.
The exam itself is 48 hours (actually 47 hours 45 minutes) and provides several pathways to pass. As per the exam documentation, you can either compromise the final target machine or compromise enough machines to accumulate 100 points.
I took about half a day to pivot through the network and successfully compromise the final machine. Although that was enough to pass, I spent the next one and a half days attempting other machines for practice and writing my report. In general, I think that the course material itself covers what you need for the exam. There's no need to pay for HackTheBox machines - just go the extra mile and complete all the included labs. Overall, the exam is challenging but not impossible, especially with the multiple ways to pass it. Focus on what you've learned, refine your payloads in advance, and you will be able to do it.
Extra advice: don't be Rambo. I went to bed regularly during the exam, but instead of 8 hours, I slept 5. You will be less productive if you stay awake for 24 or 48 hours without sleep. You probably think you can do more, but I suspect you are wrong. I have been through this. It is best to sleep once a day, at least 4-6 hours.
Thank you for reading this far!
Link reference / resource
CyberSecurityUP/OSCE3-Complete-Guide: OSWE, OSEP, OSED, OSEE (github.com)
Pwning the Domain With Sliver Framework | Livestream (youtube.com)
Written by

Dinh Huu Loc