PEN-300 and Offsec Experienced Penetration Tester (OSEP) Certification Review 2023

Edo Maland
10 min read · Oct 21, 2023

Background

Hi Folks! I hope all of you are doing well :)

On this occasion, I will continue to discuss some courses and certifications related to Red Teaming, Active Directory, and Enterprise Security.

A little story: after completing several training courses and obtaining a few certifications such as CRTP, CRTE, eCPTX, and CRTO in an effort to sharpen and expand my knowledge in these fields, I decided to take another course from Offensive Security (OffSec), namely the PEN-300 course (Advanced Evasion Techniques and Breaching Defenses) along with the OffSec Experienced Pentester (OSEP) certification.

I did this with the purpose of taking on new challenges and completing my Certification Path in the areas of Red Teaming, Active Directory, and Enterprise Security.

I wrote this article because there are still very few reviews of this certification. Therefore, I want to share my experience and provide tips and an overview for friends who are interested in studying for or taking this certification.

Course Introduction

Evasion Techniques and Breaching Defenses (PEN-300) is a course that covers tactics and techniques for performing advanced penetration testing.

PEN-300 (Evasion Techniques and Breaching Defense)

This course is also suitable for a penetration tester who wants to understand how to perform infrastructure pentesting in a Windows environment. However, this is not an introductory or beginner course.
Therefore, I highly recommend taking PEN-200 (OSCP) and the CRTP or CRTE courses from Altered Security first before jumping into this course.

The basic price for this course is $1599. For this fee, we will receive access to the course materials (PDFs, videos, and labs) for 90 days, along with one exam voucher.

Course and Syllabus

There are 18 chapters with a total of 705 pages, along with labs and extra miles. For more details, please refer to the syllabus at the following link: https://www.offsec.com/documentation/PEN300-Syllabus.pdf.

During this course, I tried to spend 2 hours studying at night, 1 hour in the morning, and 6–10 hours studying while doing labs on the weekend. Here are some summaries that I have compiled from each chapter:

  • The first chapter is an introductory chapter, which includes an introduction to the course, a description of the material to be covered, information about the labs, and an overview of the exam rules.
  • In the second chapter, we will be introduced to Windows operating system concepts, such as Windows On Windows, the use of Win32 APIs, managing the Windows Registry, and the basics of programming using the C# language.
  • The third through sixth chapters focus on Client Side Code Execution attacks (HTML Smuggling, Phishing, Macro VBA, WSH, JScript) as well as creating a custom Loader/Dropper in C# (PInvoke/DInvoke) and PowerShell to bypass antivirus detection. The methods covered are obfuscation and encryption, combined with process injection techniques such as the use of Win32 APIs, Reflective DLL Injection, and Process Hollowing.
  • The seventh, eighth and ninth chapters are a deep dive into the previous material to perform advanced bypasses of existing protections in the Windows AD environment, such as bypassing AMSI, UAC, AppLocker/Application Whitelisting, CLM, Network Filters, and others.
  • The tenth and eleventh chapters perform Post Exploitation in a Linux environment (Shared Library Hijacking via LD_LIBRARY, VIM Config Simple Backdoor, or Keylogger) and learn tactics and techniques to perform Kiosk Penetration Test (Windows Kiosk Breakout Techniques).
  • Chapter twelve explains the concepts behind abusing Windows, Kerberos, and Domain Credentials (SAM Database, Elevation with Impersonation, Memory Dump).
  • The thirteenth and fourteenth chapters give an insight into the most common techniques used by penetration testers to perform Lateral Movement on Linux and Windows by exploiting several security misconfigurations (SSH Hijacking with ControlMaster, Exploiting Playbooks for Ansible Credentials, Weak Permissions on Ansible Playbooks, Sensitive Data Leakage via Ansible Module, Reverse RDP Proxying with Chisel).
  • In the fifteenth and sixteenth chapters, we will be introduced to the general techniques of Active Directory Exploitation (Unconstrained, Constrained, and RBCD) and attacking Microsoft SQL Server services (UNC Path Injection, Relay My Hash, Abusing Linked Database). These chapters do not cover the material in detail; they just provide short and to-the-point information. So, if we want to learn other techniques, I recommend looking for more detailed material from outside, such as that provided in the Certified Red Team Expert (CRTE) and eCPTX courses.
  • The seventeenth and eighteenth chapters are the concluding chapters that combine some of the attacks or techniques we have learned and show how to apply them in an engagement, such as conducting a pentest from start to finish to get Domain Admin (DA) and Domain Controller (DC).

Extra Miles

  • Each chapter or module includes additional assignments (Extra Miles) that we can do to help us sharpen our skillset or knowledge. In my opinion, these additional tasks are not very impactful for us to succeed in the exam. All the resources, such as labs and challenges, are more than enough.
  • Although Extra Miles can technically be skipped, I would suggest that you don’t skip any of the exercises if you have more time.

So far, I like how the content is delivered in increasing complexity and is comprehensive. However, it is unfortunate that the course is already a bit outdated, with the last update in 2021, and it also does not cover Operations Security (OPSEC) practices.

Labs and Challenges

There are labs where we can practice and apply the theoretical concepts and techniques we learn. Each lab may have one or more machines with different configurations or scenarios to ensure a thorough understanding and mastery of the concepts.

Aside from the labs, there are six challenges included. These challenges differ from the labs in that they have a wider range of environments, multiple attack vectors, and a difficulty that increases with each level, and they simulate well what the exam environment will be like.

For example, in the first stage (Initial Access), we will be given an asset that has a vulnerability to be exploited, or we conduct a Spear Phishing attack to compromise one of the assets in the public segment. Once we have successfully exploited it, the asset gives us access to the internal network through the pivoting process (a black-box approach rather than an assumed-breach or insider-attack scenario).

We also need to create a Loader or Dropper that can bypass antivirus using some of the methods we have learned before, such as obfuscation or encryption combined with Process Injection/Hollowing techniques. The most interesting part is when we do Post Exploitation or Lateral Movement from Linux to Windows in an Active Directory environment with multiple protections that we have to bypass, such as UAC, AppLocker, CLM, AMSI, and others, using custom code.

During the challenge, we also needed to collect flags scattered across the machine to complete it.

Overall, the course labs and challenges are a step up and involve rather complex and chained attack methods between Linux and Windows within the Active Directory environment.

Exam

I can’t provide too many details about the exam and may only be able to give an overview.

When the exam starts, we will receive login instructions to the proctor app that will monitor us during the exam process, as well as VPN access to access the lab and exam panel. In the exam panel, we will also get some information about the objectives of the test and targets.

To pass the exam, there are two approaches. The first is to get the secret.txt file on the last machine, the Domain Controller (DC), and the second way is that we must collect at least 10 flags (Proof.txt and Local.txt) with a total value of 100 points, where each flag has a value of 10 points. Keep in mind that not every machine contains a Proof.txt or Local.txt file.

In the exam, we were restricted from using commercial C2 tools such as Cobalt Strike, Metasploit Pro, and Burp Suite Pro, and could only use open-source tools such as Metasploit, Empire, and Covenant.

Overall, the exam was fantastic and challenging, especially supported by the various ways to pass the exam and have

What I like about this exam is that there are several different attack paths to achieve certain goals and/or reach the required points to pass the exam. Each path has its own entry point and exploit path. I was able to complete the first path and gain access to the secret.txt file. Although that was enough to pass, I still decided to spend the next day getting some more flags on the second path.

After successfully collecting the flags and taking the necessary screenshots, I proceeded to write the report in detail and ended up with 150 pages. So far, this is the most intensive exam I’ve ever taken compared to any other course or certification I’ve obtained.

Once I submitted the report and waited about 3–4 days, I received an email notification of my exam result. I was very happy and proud of this achievement, even though it was only the first step toward starting a new journey. I'm coming, OSWE!

This certification has no expiration date, so we don’t need to retake the exam to renew it.

Exam Tips and Helpful Tools

Here are some tips from me that might be useful and can help you prepare:

  • First and foremost, I highly recommend completing as many challenges as possible, using various methods and different tools. Thank me later!
  • Take notes during the course or lab, especially the sections on Antivirus Bypassing, AMSI, UAC, AppLocker/Application Whitelisting, CLM, and also learn or explore more about the Process Injection/Hollowing techniques.
  • Join the Offsec community on Discord to get support on anything related to the course, labs, and challenges if there are any issues.
  • I recommend taking or completing the CRTP (Certified Red Team Professional) and CRTE (Certified Red Team Expert) courses before OSEP (OffSec Experienced Pentester). These two courses summarize the essential aspects of understanding and applying exploitation techniques in Active Directory in more depth. The material is up to date; the latest version also covers how to bypass AMSI, antivirus, and other protections, and how to use a C2 (Covenant) for Lateral Movement.
  • Also consider taking or learning the eCPTXv2 and CRTO courses as an option, as they will also be helpful. Technically, I don't think CRTO has much impact on this certification, as the course focuses more on how we perform Active Directory (AD) exploitation using Cobalt Strike as Command and Control (C2), as well as how to operate it. This only makes things easier for us during the engagement process, such as bypassing antivirus, avoiding detection, and Lateral Movement or Pivoting. Meanwhile, using an enterprise C2 is prohibited in the OSEP exam.
  • Don’t overthink what is best for the exam when you choose or use C2. In my opinion, using Metasploit or Empire is more than enough. I also suggest that if you plan to use an alternative C2 framework, start using it during the lab challenges. This way, you will be more familiar with it and be able to customize your methodology before the exam starts.
  • Everyone has their own way of doing things, but as a personal suggestion, I would recommend learning or mastering some of these tools to make things easier and to help us in the exam later: BloodHound, Impacket, Chisel, Ligolo, Rubeus, Mimikatz / SafetyKatz, PowerSploit, PowerUpSQL, CrackMapExec, and so on. All these tools are your best friends!
  • If you’re stuck for 4 hours or more, take a break to breathe and calm down to clear your mind. This will be very helpful.
  • Use a common port for your reverse shell, such as port 53, 80, or 443, as other ports may be blocked. If you need to revert or reset a machine, I recommend not resetting just one machine, because this may affect the other machines' performance and configuration.
  • Please be sure to read the OSEP Exam Guide carefully and to follow the reporting requirements, exam restrictions, and rules. Otherwise, we may fail even if we have met the goal or obtained the required flags. For example, please don’t show the contents of the flag file using a Web Shell or RDP session, as this will result in zero points for the target machine.

Here are some additional labs and resources that might be considered for study or to be used

Summary

Overall, I think the course materials cover what we need for the exam. No need to pay for additional HackTheBox Pro Labs machines — Just “Try Harder” to complete all the labs and challenges provided.

Is it worth it? Everyone has different values, some people look at the economic value, and some people look at the benefits. Whether it’s worth it or not is different depending on what each person values. In my opinion, the price may be too expensive, but in terms of the materials, labs, and challenges provided, it is worth it.

Hopefully, this article and the experience can be useful for others who want to pursue this certification. Thank you, and I hope it continues to be useful!


Edo Maland

Information Security Consultant | Penetration Tester | Bug Hunter | Public Speaker | OSCP | OSWP | CRTP | CEH (Master)