In July, I started the OSEP (OffSec Experienced Pentester) course because it got praised on Discord, and because I wanted to sharpen my skills for an upcoming Red Team assignment. Unfortunately, OSEP's chaotic structure and outdated content don't make me regard it as having a good hype/quality ratio. The process was about as frustrating as OSCP, which I wrote about back in 2019. Regardless, the learning experience was a fruitful one.

The exam

No OSEP review is complete without a part about the exam. Two days of stress, little sleep and too much caffeine felt painfully noticeable at the old age of 35. Topping it off with a 60 page report did me in a bit. It took me a day to mentally recover. After a week I heard I passed, which lifted a hefty weight from my shoulders.

The proctoring software didn't allow me to share two screens at a time (I'm using Ubuntu with Firefox). This made me quit my first exam attempt after a day, because I had prepped with two screens. For the second attempt I returned with single-screen prep: keyboard shortcuts to quickly conjure up commands, and scripts for automated logging and shellcode generation. This exam constraint made me work more efficiently!

Tips for success

Here are some items that helped me in the OSEP process.

  • Use ligolo-ng for routing instead of proxychains. Watch out though; if it gets buggy it gets really buggy. Create a backup plan and test it.
  • Have notes, code and tools prepped and ready to go.
  • Take breaks during the exam. Taking breaks feels unnatural when you're on the 'verge of hacking the thing'. But if you've been on 'the verge' for hours you might not be at your best. Every time I took a break I overcame a barrier that locked my brain before it.
  • Having key-bindings to launch xdotool scripts helped me automate typing repetitive commands. It even works inside an RDP session! Next year I want to put all my notes, code and automation tricks from different courses in an online repository, but they will take some time to merge.
  • One of my flags got lost because I tried to start with a 'clean slate' the second day. I 'backed up' logs, reverted all exam machines and restarted my vm. This made me lose some logs, and routing got buggy, which prevented me from getting a shell that worked the day before. So don't do that.
  • Hang out on Discord to fill in the blanks from the course's missing content.
  • Switching from Virtualbox to QEMU worked well for me. QEMU feels faster and less buggy.

Course content

The course labs were lots of fun. My favorite parts were writing Office macros and doing MSSQL exploitation. The course uses lots of tools whose inner workings are not always explained. This gives it a bit of a script-kiddie vibe, but they make up for it by teaching PowerShell, VBA, JScript, C and C#. Bypassing AMSI is explained in detail, which is also nice and technical, as they take you into its depths with WinDbg and Frida.

OSEP teaches process migration, but explaining 32- to 64-bit migration is out of scope. If you want to learn about that, I recommend Sektor7's Malware Development Intermediate Course, which does show the juicy details.

Areas for improvement

It looks like the course hasn't been updated since 2020. It links to tools that are outdated or don't work anymore. Some techniques are outdated as well. EDR will catch most OSEP tricks immediately, like 'Advanced AV evasion' by XOR'ing your shellcode. This article also mentions modern Active Directory attacks that are missing from the course.

The course's difficulty comes not from its content, but from the way it's explained. The structure is chaotic. Scope creep got in the way of methodology. There is a chance you will teach yourself bad techniques and flawed methods, while the 'try harder' mantra will trick you into thinking it's your fault. If you find the process or the exam confusing, know that it's not just you.

Conclusion

In the end, OSEP upgraded my skills, and we obtained Domain Admin access during the Red Team assignment. The knowledge from OSEP helped at certain steps. Although the course could use a make-over, it's an interesting journey, and it forces a technical foundation for techniques that can be extended into the modern space.