The OSEP

Gritters
4 min read · Apr 19, 2022

Running into AV on an engagement and hitting a brick wall has always been really frustrating for me. It takes the high-flying feeling of gaining an initial foothold and brings you back down to reality. There are a lot of ways to try to skirt around the problem of anti-virus (AV) as a red teamer or pentester, but sometimes you don’t have any option but to go through the brick wall that AV presents. I struggled with this (and still do) and wanted to gain an understanding of AV evasion. After a six-month break from Offensive Security certifications, I was ready to hunker down and hop back into an OffSec course: PEN-300, or the OSEP.

The Course

The PEN-300/OSEP course covers a large amount of material, but from my experience it has two main focuses: AV evasion (through the use of C# and Win32 APIs), and Active Directory exploitation and lateral movement. There were some smaller sections such as kiosk hacking, DNS exfiltration and domain fronting. While they were fun and informative sections, they really weren’t much of a focus.

What I really enjoyed about this course was the approach OffSec takes in presenting the content to the student. I felt I first learned how to walk and then run, compared to the OSCP where I just felt I was drowning the entire time. At the start of the AV sections, OffSec teaches the student how to create an extremely simple “Hello World” C# app, and by the end of the course the student is reflectively loading Win32 APIs into memory to call shellcode and establish Meterpreter sessions. Pretty intense stuff!

The AD sections were informative as well, covering everything from which misconfigured ACLs to look out for all the way to complicated delegation attacks. While I had learned many of these techniques in the CRTP course, I still picked up a lot of great information and tricks to use on my engagements, which came in really handy at times.

The Labs

There are labs you can spin up for each module throughout the PEN-300 material, and each lab is specific to the student. They were a great way to work through the exercises in each module and gain a better understanding of each topic. I’d highly recommend doing the exercises for each section, as they really helped me understand the material.

OffSec also has 6 “Challenge” labs which are not associated with any specific module in the course. Think of these like the OSCP labs, but in this case they are full-on networks with multiple hosts. The challenge labs are also specific to each student, which was nice as I didn’t have to worry about another student resetting a box while I was in the middle of working on it. I really enjoyed these and felt they were relevant to a huge chunk of the course.

Overall, between the material and labs, I think this is the best training course I’ve taken to date. With the course being a little over a year old, many of the methods have been burned by AV vendors, but I feel like it gave me a great foundation to build on when trying to develop payloads that can bypass AV. I’ve already used many of the methods for lateral movement and AD compromise in real-world engagements.

The Exam

Due to OffSec’s strict academic policy, I can’t go into too much detail about my exam experience, but over the course of 48 hours the student is required to obtain 10 flags or the “secret.txt” flag. An additional 24 hours is given to the student to write up the report and findings.

With the exam environment having been leaked in 2021, OffSec recently recreated the OSEP exam. I’d seen a fair number of students in the OffSec Discord complaining that the new version was considerably more difficult. While I can’t confirm their feelings, I will say the exam was by far the most difficult exam I’ve ever taken.

I had a pretty good start and snagged a few flags within the first 2 hours, but then was stuck for a whopping 23 hours. I eventually was able to make some headway and ended up just passing with 10 flags total. I slept for about 7 hours over the 48-hour period, and it took roughly 36 hours total for me to obtain the necessary 10 flags.

After completing the report with my findings and sending it off to OffSec, I received confirmation 2 days later that I had passed the OSEP exam.

Overview

While the exam was a bit brutal, I really loved this course. Most of my time spent in the materials or labs was really enjoyable, and not only do I feel like I learned a ton, but I had a lot of fun while doing it. It gave me a great foundation to start learning more about AV evasion and developing custom stagers/droppers. The extra AD knowledge has already benefited me, and I anticipate that it will continue to be useful in future engagements.


Gritters: a tech enthusiast with a passion for cybersecurity, pentesting and all things security.