OffSec Experienced Penetration Tester (OSEP) Exam Review
Offsec OSEP Exam
Early December, I attempted the OffSec Experienced Penetration Tester (OSEP) certification exam. I survived a failed computer firmware update, slow and inconsistent internet speeds due to living in a 3rd world country (aka Canada) and a sleeping proctor who took an hour to unfreeze my camera and VPN but in the end…
There are a lot of OSEP reviews out there, so I will try to minimise overlap with what others have said. Use your Google fu to find them!
Nevertheless, I’ve compiled a number of tips that will hopefully help you prepare for and take the OSEP exam.
Preparation
Learn to use your tools, especially if you’re using a C2 other than the one taught in the course (ie. Metasploit).
TJNull has a lot of great suggestions in his OSEP list of vulnerable machines. A lot of these can be used to test your tools in a controlled environment.
Making cheatsheets can also be useful, especially when you do a lot of these (i.e. boot2roots, CTFs or AD environments). It saves you time to copy-paste the commands directly instead of having to run -h / --help every 2 seconds…
Choice of tools
C2
The course is centered around the Metasploit C2, but use any open source C2 you want and are comfortable with. I used Havoc because I wanted to play around with it.
Don’t be a hero and try to do everything from the C2. If you know how to do it from Kali Linux (e.g. impacket, netexec, etc.) then use that…
As long as you have screenshots of retrieving the flag from an interactive shell, you’re gucci.
AD Enumeration
BloodHound is overrated in these small environments. Plus, the BloodHound client and/or server (depending on which version you are using) is super resource hungry.
I’d recommend doing manual enumeration using tools like PowerView/powerview.py or adsearch.
Defence Evasion
Important
You’re not tested on OPSEC. You can do risky things without worrying about OPSEC or whether you should look at less noisy solutions. Just blast things and see what sticks.
Don’t be scared to disable everything in the environment (e.g. firewall, AV, running software); this isn’t production, and this isn’t a client’s environment. You’re here to show you understand the vulnerabilities and misconfigurations and can bypass security configurations. If you need to, just revert, and if you’re worried, add a limitation to the report explaining that you did this because you are aware this is a non-production environment and that the “client” (aka Offsec) can reset the environment to its original state.
Use your own time to explore other solutions that do not require disabling defences.
Screenshot tool
Note
It’s better to take more screenshots rather than fewer… I’d recommend taking fast, dirty screenshots; don’t worry about extras and whatnot, just paste them into your note-taking tool (like Obsidian) and reformat them later when writing up the report.
Just use flameshot, there’s no better alternative.
You can also remap your Kali and/or host machine’s printscreen button to it.
Makes your life easier… Simply Screenshot > Edit it from the flameshot popup > Copy > Paste into your favorite editor (e.g. Obsidian).
Other tools
You don’t need to do everything from the C2. It’s a free-for-all; the only requirement is to demonstrate that you have access to the machines in the environment and can reach the flags with an interactive shell, nothing else.
So make use of any AD tools you know, including those you can run through proxies (i.e. proxychains) like impacket, netexec and powerview.py.
The Exam itself
Important
Exam completion requirements and tips:
- A total of 100 points (10 points for each proof.txt and/or local.txt flag) OR you reach the end goal and retrieve the secrets.txt file from the target system.
- Once you reach 100 points, I would focus on ensuring you have all you need for the report (i.e. screenshots for the attack paths, valid proof screenshots, notes, etc.) and that you have submitted all your flags to the provided control panel. This ensures you don’t forget anything before running out of time.
- Proof screenshots have a specific format: they need to be taken from an interactive shell and include the (proof|local|secrets).txt file contents and the ipconfig output of the machine. It’s also recommended to add whoami to the screenshot because why not (it can help you with write-ups later on).
- You do not need to use a C2 for everything in the exam. The only requirement is that you have screenshots of the flags from an interactive shell. So you can exploit the machine and then, for example, drop a beacon on there to take your screenshot.
Completion txt files:
- proof.txt, local.txt: located in the user’s home folder or other publicly reachable folders.
- secrets.txt: it’s the last box in the environment, so don’t just count on that to pass… if you’re stuck on one path, check the other paths.
In my opinion, the exam is a lot more straightforward/linear than you’d think, compared to the OSCP.
Take time to eat/sleep/shower/talk to friends (lol, imagine having friends and taking a 3-day proctored exam).
Make sure to read the OSEP Exam Guide and OSEP Exam FAQ in detail before the exam.
Proctoring
Caution
Don’t forget a government-issued ID to show to the proctor when the exam starts (don’t do what I did and panic trying to find any form of government ID when they requested it…)
For the proctoring tool, I had to disable Wayland on Debian Linux because it was interfering with screen sharing (i.e. I could only share the full screen and not individual screens).
I lost close to 1 hour at the beginning because of this. I was told that if I could not get the proctoring tools working within the hour, they would end my exam and cancel it (i.e. the same as a no-show).
Hence, I would highly recommend that you test screen sharing to ensure you can share all your screens individually before the start of the exam (and install the required extension if you end up using Brave or Chrome)…
I ended up using Brave with the Offsec memory-hogging screen share extension… Now that I’ve read more OSEP reviews, I should have tried Firefox after I fixed my Wayland issue.
Tldr
Use Firefox. If you can only share your full screen and are running Linux, it’s probably a Wayland issue (check online for fixes). If that doesn’t work, see if using Brave with the screen share plugin works.
As with all OSEP exams, don’t worry about crashes (VPN, VM, computer, proctoring tool, etc.). Just message them in the chat explaining what happened (i.e. poor software and/or hardware, shit crashes). They’re usually pretty ok with it. Just restart, reshare and explain what happened.
If the proctor is not responding, then contact them via this chat. When I had an issue and my proctor wasn’t responding for about an hour and I needed them to unfreeze the webcam/VPN, I messaged them here and someone answered pretty much straight away and nudged the proctor to respond to me and fix my environment.
The dev Windows VM
They give you a Windows virtual machine that is configured with all the tools required for writing and compiling C#, Office macros, etc. The machine has Defender disabled, has all the tools you need and has quite a lot of hardware resources.
It’s probably the fastest machine in the environment… I recommend making use of it unless you run your own Windows VM where you can do those kinds of things easily. Credentials are on the internal exam control panel.
The Exam Report
You have 24 hours to finalise and send your report after the exam ends. Make sure you follow the instructions on how to submit your report properly (i.e. 7z without a password, submit on the portal, etc.).
If you took notes and a lot of screenshots during the exam, this should be a breeze, and the formatting should be the most time-consuming part.
I personally used the following Offsec exam Markdown report template, which has some nice report layouts and allows you to take notes in Markdown and generate the final PDF report directly without having to touch MS Word.
Warning
When installing the Eisvogel LaTeX template with that Offsec Markdown template, don’t use v2.5 of the Eisvogel LaTeX template because it’s bugged for images and will not resize/center them properly.
Ref: https://github.com/Wandmalfarbe/pandoc-latex-template/issues/405
Ref2: https://github.com/noraj/OSCP-Exam-Report-Template-Markdown/issues/63
If you decide to use that tool, be aware that you may need some bash magic to convert links and other things that might break during conversion. You can look at the GitHub issues on the repo for help, but if you’re not confident you can fix the formatting yourself quickly, then I wouldn’t recommend it and would suggest using the Offsec Word document instead.
Once you’ve submitted the report, you can finally start cleaning up, respond to everyone you ghosted over the past few days and get back to scrolling twitter and watching anime while you wait for Offsec’s email response.
Famous last words
One thing that always amazes me in these long exams is that you can get an insane amount of stuff done, learned and researched in just 48 hours when you disregard all other life distractions and become a hermit.
Probably not good in the long term but interesting food for thought…