Posted on 2021-05-21 by Alexei Doudkine in Certifications
It’s done! I just completed my OSEP exam and submitted the report. In true Offensive Security style, the course was challenging but very doable given enough motivation. But was it worth it? Did PEN-300, one of Offensive Security’s new replacement courses for the outdated and retired Cracking the Perimeter course, live up to expectations? If you’re thinking about taking the course, read on as I go into the good parts and bad parts of the course.
What’s covered
The course is divided up into 2 parts. The first part is the course content, which comes in PDF and video form. The second is a set of “challenges”. Each challenge contains multiple machines that you need to break into using tradecraft you’ve learned during the content. You win when you have SYSTEM/root on all machines in the challenge.
Straight away, I will say that I really enjoyed the course content. It goes into significant depth about lots of Windows things like Domains, Forests, MSSQL servers, Kerberos, AppLocker, AMSI, Constrained Language Mode and much more. Being an offensive course, you will learn how to hack all of those things. It is fairly light on the Linux side, but does cover some important topics on persistence and SSH acrobatics that I hadn’t previously done. Check out the full course syllabus.
Overall, the course has a good balance of advanced concepts and, although not everything is common in the real world, learning a concept in more detail is always worth it. For example, ever wondered how reflective DLL execution works? Or what actually happens when you do a migrate 123 in meterpreter? You will develop both of those from scratch and learn how it all works at the memory level. Keep in mind, the content is very information dense. That means you will learn a lot of complex concepts in a short amount of time. If you simply gloss over it, you will not get the full benefit. Doing the content in short but frequent bursts worked for me and made sure I didn’t overload myself with too many new concepts at once.
The good
By far, my favourite part about the course was that you got to make and keep your own tools. I now have a set of tools I can use for very specific workflows in Active Directory environments. Since I wrote them (with the help of the content), I know what they do and how they work, which means I can change parts if I need to repurpose them. For example, I can take the MSSQL enumeration tool and wrap it in such a way to allow it to be used in an environment protected with AppLocker by using the InstallUtil bypass.
I also liked the level of depth the materials went into. I felt like I learned exactly how certain techniques worked (and why they sometimes don’t). It makes things accessible, but doesn’t dumb anything down; for example, you use Win32 APIs directly without needing to learn C++.
The things you learn are usable in real penetration tests. The concepts that are taught aren’t just there for show. Many of them apply to real environments that I have performed pentests on. Such environments are reflected in the challenge labs which are actually more secure than some real internal environments I have hacked in the past. And although there is definitely a pre-designed path for exploitation, the challenges still get you to think further than simply “I’m going to relay admin creds”. Oh, and I should mention that each student gets their own set of labs; no more sharing!
Improvements
So, what could Offensive Security do to make this course even better? Firstly, since the lab environment is per-student, why not spin it up in the student’s region? All major cloud providers have regions all over the world. Why not harness them? I live in Australia and, at times, the connection was horrifically slow. This was only made worse when you had to use proxychains for pivoting.
I also wish there was a challenge for kiosk escapes. I really enjoyed that module and was a little disappointed when I couldn’t practise in the lab.
The Exam
It’s no secret that I don’t like exam-based certification in general. I think they are a poor way of assessing someone’s strength for any real-world application. Keep my bias in mind and take this section as you will.
Unlike OSCP, the OSEP exam is 48 hours long, with an additional 24 hours given to submit the report. This is a step in the right direction for Offensive Security. Putting newcomers to the industry in stressful, time-pressured situations is bad for retention. Reducing the time pressure slightly helps, but I think this can be extended beyond 48 hours. Let people work at their own pace; they will either get it, or they won’t.
The exam is proctored, which means someone is watching your webcam and all your screens the entire time you’re working on the exam. I get that Offensive Security needs a way to prevent cheating, but such strict proctoring is a huge overcorrection. It also creates stress before and during the exam. The proctoring FAQ suggests you enter the session 15 minutes before your exam so that the proctor can perform their checklist. I was there 25 minutes prior and still started 10 minutes late. Proctors should be better prepared. The stress continues into the exam. Ever tried to work with someone literally watching your every move? It probably wasn’t your best work, was it? I have performed pentests with the CTO literally watching my projected screen, so I’m sort of used to it, but those who are new to the industry, or who haven’t had experience “performing”, may find it daunting.
The exam environment itself is very well designed! I can’t give away details, but there are multiple paths for you to choose. So if you get stuck on one, there are things you can do other than “try harder” to get unstuck. I experienced such a situation during my exam and had to basically restart; easier said than done after spending hours on a path. 😐 I also liked that there is a clear objective for your exam. If you reach the objective, you pass regardless of how many machines you’ve compromised.
Final impressions
Is PEN-300 worth it? Yes! Absolutely. Despite needing some improvement, the vast majority of the course is put together and delivered very well. Both the content and challenges were incredibly enjoyable for me and if you go into it with the mindset of “I’m doing this to learn” as opposed to, “I’m doing this for a cert”, I think you will enjoy it as well.
About the author
Alexei Doudkine is Co-Founder and Offensive Director at Volkis. Hacker, tinkerer, car modder and dog person, Alexei has been in the infosec game for over 10 years focusing on the “attack” side of security. You can catch him on Twitter and LinkedIn.