OffSec Experience Penetration Tester (OSEP)
Post Created: 11 January, 2026
Background
After a long hiatus from certifications and exams, I decided to attempt OSEP out of FOMO and also as a warm-up for a much more gruelling certification ahead.
Course
Big portions of the course content feel dated, especially around PowerShell tradecraft. The course was first released in 2020, and while there have been minor updates over the years, much of the PowerShell-focused material has not aged particularly well.
Personally, I don't see myself using a lot of the techniques in any real-world red team engagement, as they are far less applicable today than they were when the course was first released.
Lab
The arrangement and order of the Module Labs felt a bit all over the place, so I didn’t bother using them; the Challenge Labs, however, were very enjoyable. The student mentors on Discord were also super helpful whenever you needed a nudge or a hint.
If you're connecting to the VPN from your own Kali OS, you'll have the freedom to use any tools (aside from commercial ones, of course), which means a single attack can be conducted using different tooling to make your workflow more efficient. This, in my opinion, was a really nice touch compared to certification bodies like KR*ST, which limit you to using, say, an old CrackMapExec version from many years ago and position that restriction as part of the intended learning experience to prepare you for "real-world engagements".

Due to the outdated Defender signatures found in the labs, code snippets found online (e.g. https://github.com/chvancooten/OSEP-Code-Snippets) can be applied directly in the course work, just by substituting the msfvenom shellcode. In other words, much of the heavy lifting has already been done for you, which somewhat undermines the intended learning experience if you're not disciplined about following along with the course and implementing your own code as part of the learning process.
Exam
Unlike the OSCP exam, the OSEP exam felt very similar to the Challenge Labs and is true to what was taught in the course, which made the exam pretty underwhelming.
I managed to get secret.txt by the 4-hour mark and a full compromise 14 hours into the exam. In my opinion, 48 hours of exam time was very generous from OffSec considering how little out-of-the-box thinking is required.
I really liked that the exam environment was only suspended and not fully terminated upon disconnecting from the VPN. This means that all your beacons would still be alive even after a long break and re-exploitation from the very start was not required.
Tips 🤓
Hash Dump
If you're using Sliver C2 to instrument all your attacks, sharpsecdump from Sliver's armory is really fast and eliminates the need to drop Mimikatz onto disk and remote into the target every time you need to perform a hash dump. It also dumps both SAM and LSA secrets in a single command.
On that note, make it a habit of noting down the local Administrator and machine account hashes post-exploitation, in case you need to refer back to them at a later time. I like to do it in a table format:

Account         NTLM hash   Host
MACHINE01$      <ntlm>      MACHINE01
Administrator   <ntlm>      MACHINE01
MACHINE02$      <ntlm>      MACHINE02
Security Context Matters
In Active Directory environments, what you can enumerate is heavily influenced by the security context from which enumeration is performed. For example, I had the most success enumerating cross-domain trusts from an NT AUTHORITY\SYSTEM beacon on a domain-joined workstation; however, running SharpHound with the -s --recursedomains flags as a standard domain user, without local administrator access, often resulted in errors when connecting to a foreign domain.
Similarly, if you need to run SpoolSample to perform a coerced machine-account unconstrained delegation attack, it is best to run it from a standard domain user context.
Useful Tools
A couple of tools recommended by people in the Discord channel have been very useful to me.
bloodhound-quickwin
As there is no option in BloodHound to render all edges on the screen at once, it can be hard to see the bigger picture when you're focused on a subgraph centred on a selected node. If you need a quick run-through of a domain, bloodhound-quickwin can parse data from your Neo4j database and display it in the CLI.
An example use case for this is viewing “Outbound Object Controls” for multiple users at once, without having to constantly change targets in the GUI.
MSSqlPwner
Pretty much mssqlclient on steroids: it enumerates trust links automatically and reduces the complexity of multi-hop command execution to a single command.
ascan_sliver
I hated chisel and Ligolo-NG for pivoting and used Sliver's SOCKS proxy for the entirety of this course, but port scanning through proxychains is so awfully slow that I want to shoot myself. This Sliver extension solves exactly that and is super fast, often returning results within 10 seconds or so.
Process Migration
Unfortunately, Sliver does not natively support cross-architecture process injection, as described in Issue #715. Luckily, Meterpreter's migrate works seamlessly out of the box.
As a workaround, getting a reverse shell in Meterpreter, upgrading it to x64 via migration, and then passing the session to Sliver has been my go-to approach in cross-architecture situations.