In November 2024, I successfully passed the OSEP exam and earned the Offensive Security Experienced Penetration Tester certification. However, the road to achieving this milestone would have been smoother with better preparation and planning (even though I thought I was well-prepared at the time).
This post serves as both a review of the course and exam and a resource for those embarking on their OSEP journey. I’ll share insights and knowledge to help you prepare even before starting the course. Enjoy!
The Course
I purchased the course and two exam attempts through the Learn One offer, which provided one year of access to the materials. Thanks to this, I didn’t feel pressured by time constraints. When I purchased the course, I knew it would be a challenging period—especially since I was also transitioning to a new job.
Course Structure
The course is divided into various topics, starting with a brief refresher on operating systems and programming theory (covered at a very fast pace). It then dives into client-side attacks, providing immediate insight into payload delivery techniques, including Office macros and writing malicious code in PowerShell and VBA.
The next section expands on programming concepts, focusing on developing malware in C#. Topics included advanced techniques like process hollowing and other malware-related tricks. The course also covers creating payloads designed to evade Antivirus solutions, AMSI, and other detection mechanisms.
My Thoughts on Programming
I thoroughly enjoyed the programming aspects of the course, but I was surprised by how heavily it emphasized coding. The course assumes a strong intermediate-level knowledge of programming in C# or a similar language, which could leave beginners struggling.
If you lack programming skills, I strongly recommend learning a language like C# before starting the course. Without this foundation, you might find yourself overwhelmed and unable to keep up.
Chaotic Organization
While the course covers many fascinating topics, the structure felt disorganized. For example, there’s an excellent section on kiosk hacking, but it feels random and disconnected—almost as if it was added simply to increase the course content. Moreover, this topic isn’t even part of the exam.
Things became more exciting with the Active Directory (AD) section. Despite my prior experience with AD, I appreciated the opportunity to revisit familiar concepts and learn new ones, such as managing AD environments on Linux—something I had never explored before.
Challenge Labs
After completing the course, I moved on to the Challenge Labs, which were genuinely challenging. These six labs, with varying difficulty levels, were incredibly valuable for honing practical skills. I spent over a month working through all of them and highly recommend completing every single lab. It’s worth the effort.
Preparation After the Labs
Throughout the course, I used Obsidian to take detailed notes, which proved invaluable during my preparation. However, I realized I needed more than just notes. I created an arsenal of pre-prepared code snippets, including:
- Malicious macros.
- C# injectors.
- Linux-based payloads.
This preparation saved me significant time during the exam, as writing code from scratch under time pressure can be daunting. I also curated binaries and tools essential for local and domain exploitation, such as:
- PowerUp, PowerMad, WinPEAS, and LinPEAS.
- A BloodHound instance (yes, you can and should use this!).
- Exfiltration channels and a custom web server.
With these preparations in place, I felt ready to tackle the exam.
The First Exam Attempt (Failed)
Unfortunately, my first attempt didn’t go as planned. Hours before the exam, I developed a fever. Despite pushing through, I struggled to focus due to my high temperature and couldn’t complete the challenges. While technically a failure, I saw it more as a matter of unfortunate circumstances.
The Second Exam Attempt (Success)
The second attempt went much better. Since I received the same exam scenario, I quickly progressed to the point where I had left off in my first attempt.
The exam itself was straightforward, covering everything taught in the course and Challenge Labs (especially the labs). However, I fell into a rabbit hole on one challenge, overthinking it and losing 12 hours on what turned out to be a simple task.
Despite this, I succeeded in earning the required 10 flags (and even uncovered a secret 10th flag that counted as an extra).
Summary
The course offers a wealth of knowledge but feels disjointed and lacks foundational content. It’s best suited for those with a solid understanding of programming and intermediate offensive security skills.
The exam, while relatively easy, is full of rabbit holes that can lead to frustration or failure. Proper preparation, including mastering the Challenge Labs and having pre-prepared tools and scripts, is crucial.
As with all Offensive Security exams, perseverance is key. Remember: “Try Harder.”
Resources
Here’s a list of resources that helped me during preparation:
- https://github.com/In3x0rabl3/OSEP
- https://github.com/hackinaggie/OSEP-Tools-v2
- https://github.com/Octoberfest7/OSEP-Tools
- https://steffinstanly.gitbook.io/osep-notes/useful-links-tools-and-tricks
- https://github.com/S3cur3Th1sSh1t/OffensiveVBA
