pop3ret

I like to break stuff.

3 minute read

Hello! I decided to start my blog with a post about a certification a did a month ago. OSEP

Study Plan

Well, there is so much things you can study before you do the exam. I will share some of my studies I had to do before and while the VPN was online.

1 - The material

It looks obivous that you need to study the materials but you can easily get distracted while studying clicking in links or searching something during your reading. I read the material 5 times entirely to understand (ALMOST) all the content. Go ahead and read, try EVERYTHING in the lab, not kidding, you need to understand what are you doing with the techniques during the lab, exam and your daily life as pentester, so practice as much as you can.

2 - C# and PowerShell

The course syllabus says that you need a basic level of C# to comprehend the subjects, but when you start reading you are SPAMED with C# and PowerShell. My recommendation is if you didn’t buy the course yet, start a course on Udemy about C#, like a quick Bootcamp, understand how the language works in a basic/intermediate level is crucial for you to continue you journey into this awesome course. Regarding powershell, there are some things like a reflection powershell runner or in memory powershell execution that you’re gonna stuck if you do not understand. My recommendation is also take a look at the language, understand its logic and every time you pick up a script, try to understand it, don’t rush the materials. (I am saying this because I did this lol, take your time, it will be better to spend more time in one subject than rush through the materials and get lost)

3 - Take notes

This is very important, I use Obsidian to take notes, but you can use whatever you like, do your notes about commands, highlight parts in the code that you do not understand and research them.

4 - LABS

DO THE LABS.

The labs will help you ALOT, there are 6 labs, the first ones are easier and the last ones will make you almost cry. Take your time, research, if you stuck TRY HARDER and continue. I learned ALOT during the resolution of the labs, the 6 lab is the most realistic one.

The exam

I cant say much about it, but you will have some objectives and you need to achieve them. Offsec did an awesome job in the exam and the labs, you will use all the things you learned, that’s why your annotations are important. My tip here is to write some prototypes of functions, macros, payloads that bypass AV and so on. Then use them during the exam, it will fasten your resolution. Also there is one important thing, if you did OSCP or another certification that covers Active Directory, mix them with your OSEP notes, they will be valuable during the exam. I took the entire 48 hours to do the exam and like 14 hours to finish the report.

Worth it?

Of course! In my opinion this exam was one of the best exams I did in my career, learned so many things related to AD, Antivirus and other bypasses that blew my mind. If you have the condition to buy it or your company gives the cert to you, don’t waste time and get it :).

Complementary content

Some friends of mine said that these labs also help during the preparation:

  • Dante Lab hackthebox
  • APT Labs hackthebox
  • Rastamouse lab hackthebox
  • You can create your own lab and exploit them

And these contents will help you during your journey

  • PowerView (Take notes)
  • Invoke-ACLScanner and Invoke-ACLAbuse (To abuse AD ACL’s)
  • Invoke-SharpLoader (Efective way to bypass AV in memory but beware of Add-Type)
  • BloodHound
  • Standard AD techniques to exploit privileges, permissions and tickets.

Beyond the course

Here I give you some topics to research during or after the course to improve the content:

  • D/Invoke
  • Direct Syscalls
  • Hell’s gate technique to bypass AV (Beware of C++, learn it first)
  • Sektor7 courses on malware dev are also a good path to follow beyond this certification.
  • STD Api Metasploit (Why disable it first?)
  • Second stage encoding metasploit
  • Mix the techniques of AV bypass and create your own payload (Do not put your payload in virus total)
  • Try to bypass the latest version of your AV as an exercise

I used only metasploit during the course and exam, but you can use other C2 as well, like Covenant and if you stuck during the exam, breath, sleep and repeat.

Feel free to send me a message in my email [email protected] or reach me in Linkedin with your questions too.

That’s all!

You May Also Enjoy

AWSome Pentesting Cheatsheet

28 minute read

This guide was created to help pentesters learning more about AWS misconfigurations and ways to abuse them. It was created with my notes gathered with unc...

Bypass LSASS Dump protection with RAM Dump

1 minute read

There is nothing more frustrating than an Antivirus blocking the execution of our tools and/or preventing certain actions to occur, like spawning a shell or ...