Pwning OSEP with `secrets.txt` on my first attempt
Hi everyone, I hope this blog finds you well 😄 In this post, I’ll share my personal experience with the OSEP exam and give you some tips to help you pass it. I won’t go into too much detail about the course content itself, since there are already many blogs covering that.
The course has a lot of important topics every red teamer should know; it covers the basics and essential skills, so if you’re already at an advanced level (developing your own exploits and bypassing security solutions), you might not learn much new theory.
However, the labs are excellent, and I was really lucky to take the course when they added new challenges to the materials; it made the experience even better.
During the exam, sometimes I got stuck, but I developed the skill to guess what might happen next. I believe I reached this point because, before getting my OSCP, I spent a lot of time practicing. I worked on many machines on Proving Grounds, and every time I hit a wall, I would review my methodology to figure out what I missed. This habit really helped me avoid rabbit holes, which can waste a lot of time :/
I didn’t use any external sources during my preparation, like HTB Pro Labs. I read some blogs where people recommended practicing on those, and while I agree those labs are great and can help, I don’t think they’re necessary at this stage for OSEP; OffSec has added enough challenges in their own labs to practice on.
As for the timing:
I started the exam at 10:30 AM
I spent about 13 hours on the first day (from 10:30 AM to midnight), then went to sleep
Woke up at 10:00 AM, continued the exam, and captured all the flags and obtained the secrets.txt file at 04:10 PM
After that, I started the report at 5:00 PM and finished it by 5:00 AM, submitting everything before the exam time expired.
You should be very comfortable with Windows and Linux privilege escalation; if not, you’ll struggle, since most exam failures happen here.
Master pivoting: practice with PowerView and BloodHound, and manually check ACLs. Don’t rely blindly on PowerView commands that automate ACL enumeration, like Find-InterestingDomainAcl, etc.; sometimes they miss things.
For network pivoting, I used Ligolo, and it worked perfectly for me.
I worked with Metasploit. I initially tried using Sliver, which is also great, but ran into a few issues in the lab, so I switched to Metasploit; it did the job just fine.
If you tend to forget things or get stressed during exams, I recommend making a checklist for PrivEsc and pivoting. For example, in pivoting you might check user access via WinRM, SMB, MSSQL, RDP, etc.; a simple mistake or missed step can waste a lot of your time in the exam.
Everything is available on GitHub, so you have the choice to either develop your own exploits or use open-source ones.
You can still pass the exam without any knowledge of C# or PowerShell scripting, but it’s important to learn the techniques taught in the course if you truly want to go further in this field.
One last thing I’d say is to build a strong foundation in Active Directory attacks, practice exploiting any ACL misconfigurations on both Windows and Linux, and don’t rely on just one tool for enumeration. For example, don’t depend only on PowerView; use it alongside BloodHound, AD modules, and other tools to cover everything properly.
Disclaimer: This is just my personal perspective; I might be wrong. I highly recommend you do your own research, read some Reddit threads and blog posts, and then make your decision based on what fits your goals and situation.
When comparing these two certifications, you need to consider two things:
Your budget
Your main objective for getting certified.
If budget isn’t a problem, I recommend doing both. I believe that everything you go through during your learning journey will teach you valuable lessons.
But if your budget is limited, here’s my personal opinion (and of course the final decision is yours):
This may vary depending on your country. For example, here in Morocco, the OSCP is more recognized than the OSEP, so for someone who wants to enter the field of cybersecurity, it’s a good idea to start with the OSCP. It can open up more job opportunities and give you better chances to negotiate your salary. It’s also a great option if you already have around 1 year of experience and want to increase your salary in your current company or look for new opportunities.
On the other hand, the OSEP has great, more advanced content compared to the OSCP. It’s better suited for someone who wants to build solid red teaming skills. But as we all know, red teaming jobs in Morocco are still rare compared to regular pentesting positions. So if you’re planning to look for opportunities outside the country or if you already have at least 1.5 - 2 years of experience and want to take your skills and career to the next level, then go for the OSEP.
For more information about OSEP, you can check the official Offsec .
To avoid repeating tips from my , I’ll only add a few that complement those:
I highly recommend taking or from Altered Security; it’s a great way to master Active Directory attacks.
if you find this blog useful. 😄