Cracking the OSEP Exam: A 48-Hour Marathon to Victory
At the age of 18, I conquered the OSCP exam, an experience I detailed in a blog post that resonated well with the audience. To me, the OSCP exam seemed straightforward; I managed to breach all the machines within 8 hours. Riding on this success, I took on the Offensive Security Web Exploitation (OSWE) exam during my college years, before the inception of BugBase. Regrettably, I never documented my OSWE journey, and now, two years later, all I can recall is its demanding nature — it was an arduous 48-hour ordeal that left me amazed at my own exploits, only now, attributing them to being “in the zone.”

Fast forward to the present, I recently faced the Offensive Security Experienced Penetration Tester (OSEP) examination, and it proved to be no less challenging. Given the fresh knowledge from the material, labs, and exam itself, I’m eager to share my journey with aspiring security enthusiasts worldwide. Balancing the OSEP with my full-time role as the CEO of BugBase scarcely left me sufficient time to delve deeply into the material and labs, but I had to “Try Harder” anyway :)
The Preparatory Phase:
I purchased the voucher last year for 3 months, knowing this, and went on to spend every weekend running through 3–4 modules of the PDF while making notes. Due to work priorities, I was unable to complete the PDF in this time and ended up kind of just forgetting about it for a while. Only a month back, I decided that I should probably complete the examination and purchased a lab voucher for an additional month and scheduled my exam at the end of it to set a deadline for myself.
In this time, I went through the material much faster, committing post-work evenings and all weekends (probably missing out on some social events, but eh, that’s life) and wrapped up the PDF in 10 days, including screenshots and documentation on OneNote. Following this, my focus was entirely on the labs.
Diving into the Labs:
The labs are actually a very, very good practice ground to test many of the techniques you learn in the material, and I highly recommend you complete all of them. I made sure to document my techniques as I passed them. While doing this, I naturally ended up making my own strategies combining techniques mentioned in the material along with resources on the internet that gave me the highest success in the fastest time.
The last lab is supposed to be a very close model to the actual exam, with several machines in the network. I spent about 4 days on that lab with ample help from the OffSec Discord server.
The Exam:
I booked my exam on a 3-day weekend (no sales ever happen on weekends, trust me — so BugBase was going to be okay). The exam was as grueling as I had expected it to be; enumeration was key always (as it should be). Once I found what I had to exploit, actually gaining access/privesc was only a matter of an hour of testing. Gaining all the flags to pass took me about 35 hours, and I had gained several more in the 48 hours. I was testing the network until the very end; I feel like I was close to gaining secret.txt but was never able to run the final exploit successfully.
I wrote the report after the exam session had ended, after getting a good 6–7 hours of sleep. I had made sure to take screenshots of all the proofs and exploits running successfully, along with every single command I ran. This was not put in a very nice format, but I was able to do so later on. Writing the report took much longer than I expected, mostly due to the fact that the exploitation was a network with one box after another. I received the email from OffSec congratulating me on the certification in 4 days.

Throughout the exam, Metasploit was my go-to for managing all my shells. The exam network was very stable in comparison to the lab networks, and my shells mostly did not die on their own. I have heard some people use Sliver C2, but to be honest, I did not spend the time trying to understand it in detail as I was already pretty comfortable using Metasploit.
The next learning step for me would be OSED to finally gain the renowned OSCE3 certification. Beyond certifications, I have started researching into the “AI for Security” space and hope to innovate in that domain in the future.
Tips:
- Be thorough with the material and complete the labs; this sets a base for you to take on the exam. Some sections of the material may not be relevant for the exam, but take notes of everything nonetheless.
- Have ready-to-compile binaries for all situations. Always use PowerShell if possible; if not, use the process injection payload; it works pretty much all the time.
- Have all your enumeration scripts ready to be downloaded as a list so you can copy and paste them into your PowerShell session at will.
- Use Ligolo-ng instead of proxychains; I have lost my cool to proxychains and the socks5 module in Metasploit several times while doing the labs. Avoid proxychains as much as possible; it is not very stable.
- Use BloodHound like a map when lost. Understand the AD structure, understand what users are in what groups, understand what they have access to.
- Use Impacket over custom tooling whenever possible; it is much more stable and does not give false positives, which I encountered many times in the exam and while solving the labs with my custom C# scripts (I am talking about you, MSSQL).
- Always have a tail log of Apache open in a tmux terminal: it helps out a lot when you’re trying to check for callbacks or semi-successful exploits for further debugging.
Some Amazing Resources:
- Ippsec: https://www.youtube.com/@ippsec and https://ippsec.rocks/ just watch his YouTube channel and you will learn — focus on the videos on AD and Windows exploitation (TJ Null has a good compilation of his videos — https://docs.google.com/spreadsheets/u/1/d/1dwSMIAPIam0PuRBkCiDI88pU3yzrqqHkDtBngUHNCw8/htmlview#)
- HackTricks: https://book.hacktricks.xyz/windows-hardening/active-directory-methodology
- BloodHound and adPEAS: https://github.com/BloodHoundAD/BloodHound, https://github.com/61106960/adPEAS
- Ready-to-compile code snippets for OSEP (with additional quality of life improvements): https://github.com/chvancooten/OSEP-Code-Snippets