OSCE3 Review (OSCP+OSEP+OSWE+OSED)

In January 2022, I achieved the OSCE3. This passage includes the reviews of OSCP, OSEP, OSWE, and OSED.

This article is also available in 简体中文-OSCP, 简体中文-OSEP, 简体中文-OSWE, 简体中文-OSED.

Parts of this article is outdated, please refer to the official information.

Introduction

I achieved the OSCP in 2020, achieved the OSWE and OSEP in 2021, achieved OSED in January 2022. Absolutely, It’s a tough journey.

PEN200-OSCP

Official information about the PEN200-OSCP: https://www.offensive-security.com/pwk-oscp/

OSCP is NOT a part of OSCE3. If you are confident in yourself, it’s not a problem to chase the OSCE3 without OSCP.

As we all know, OSCP is the most well-known certification in the OffSec ones. When I was the student of it, I didn’t have any experience of it. As the saying gose, all things are dificult before they are easy. It was so difficult for me, but with the several months hard working, finally I achieved it.

Because I took the course and exam in 2020, the updated course, that I was using, contains the content about Active Directory, but there is nothing about AD in exam. From January 11th, 2022 on, the OSCP Exam has changed a lot, the penetration with AD is requied in exam now. We will analyze this later.

How to prepare

Althought there is nothing about prerequisites, in my opinion, if you have the capability as below, your journey of leraning PEN200-OSCP will be much more smooth.

• Competent in debian-based Linux
• Competent in coding with Python
• Proficient in using Google and other search engine

Apart from this, it’s a good idea to learn the content mentioned in the syllabus by yourself before the beginning of the PEN200 course. It will save your course time.

Official Syllabus: penetration-testing-with-kali.pdf (offensive-security.com)

If you want to attack some machines as the exercise before taking the OSCP course, there are some platforms such as HackThebox and OffSec Proving. There is a list of OSCP-like boxes offered by TJNull.

Get the OSCP-like boxes list: https://docs.google.com/spreadsheets/d/1dwSMIAPIam0PuRBkCiDI88pU3yzrqqHkDtBngUHNCw8/edit#gid=1839402159

The Course

The virtual lab environment is shared with all the PEN200-OSCP students. Don’t for get to join the official Discord server, you can find the invitation link in https://portal.offensive-security.com/.

You could learn a lot of knowledge about peneration with PEN200 course, such as information gathering, using the exploit, and the privilege escalation. In the exam or during the study, both the Windows and Linux will be met.

The most import for the PEN200-OSCP are enumeration and exploitation. With the scanning result, find the suitable exploit with search engines(Google, Github, etc.)

If you make a personal cheatsheet when you are reading the teaching material or exercising in the virtual lab environment, it will help you save a lot of time in penetration in the exam and lab.

The Lab

Although there are 850+ pages in the PDF, because learning the penetration needs a lot of practice, the lab is the core part of the PEN200 course.

Most machines can be solved independently, but there are dependencies between some machines. You need to attack another machine first and obtain enough information in Post-Enumeration to break through another machine.

You can find the relevance between the amount of compromised machines in lab and the pass rate in a offical passage. The passage introduced the lab environment in detail, incluing the network topology.

A Path to Success in the PWK Labs | Offensive Security (offensive-security.com)

The newly added requirement in exam: Active Directory

Chapter 21 of the PEN200 course has talked all the content about AD which will be used in the exam. In my opinion, It is enough to pass the exam(AD part) with these knowledge. Apart from this, there is a detailed example about how to exploit the AD in the last chapter of the course. There are some exercises in lab, too.

Although I didn’t take the OSCP exam with AD, I have taken the OSEP exam which is full of examinations for AD. It’s not too hard to master this technology. What you need is just to have a full understanding of the content taught in the course and finish the exercises in the lab.

You can ask in the discord official server about what is the IP of AD-associated machines.

About the new exam

Offical Exam GUIDE: OSCP Exam Guide – Offensive Security Support Portal (offensive-security.com)

Because the structure of exam has changed a lot, talking about my exam review doesn’t make sense. I do suggest every student read some exam reviews posted in 2022 or later.

The changing about the exam has been introduced by the official in this passage: https://www.offensive-security.com/offsec/oscp-exam-structure/

As we can see, the examination about buffer overflow becomes optional from necessary, the examination about Active Directory becomes required from never taking.

The OSCE3 - General Information

After the OSCP, the following I will talk about is the 3 certifications consisted the OSCE3. They are more difficult and have higher demand to pass the exam.

• The WEB300-OSWE mainly examines white-box code assessment.
• The PEN300-OSEP mainly examines pentest with Active Directory and anti-virus bypassing.
• The EXP301-OSED mainly examines exploit development with Windows x86. (Binary Security)

Horizontal comparison in the OffSec 300 series

Although each one of them focuses on a different field, there still are some differences independent from technology.

• WEB300-OSWE - The oldest one, the most difficult one in thinking, maybe it’s caused by the updating year by year.
  • However, it’s the easiest for me bacaue of my strong foundation of web security.
• EXP301-OSED - The latest one, the most difficult one in general, maybe it’s prejudice because fewer people are working on binary security than web security.
• PEN300-OSEP - Generally, it is thought of as the easiest one of the three, I think it is because of the lower requirement of coding.
  • However, there is a lot of coding in need during learning the course.

PEN300-OSEP

Official information about the PEN300-OSEP: https://www.offensive-security.com/pen300-osep/

I has owned the OSEP in August 2021, it is the next part of OSCP, focuses on Lateral Movement, Peneration with Active Directory and Anti-Virus Bypassing. It also offers content about fishing and is closer to red teaming.

How to prepare

The courses in the 300 series are recognized by OffSec as advanced courses, all of which require more or less development capabilities. The official page also gives the requirements for basic capabilities, as follows

Apart from the official prerequisites, in my opinion, owning capability as below could benefit your learning or help you during the exam.

• Proficient in Powershell, especially able to invoke .Net Framework with PowerShell
• Proficient in C# and advanced language features, especially the reflection
• Solid ability in calling Windows API, able to call Windows API with C#
• Understanding of Microsoft’s Products such as Microsoft SQL Server and ASP.NET

The syllabus: PEN-300-Syllabus (offensive-security.com)

If you have plenty of time, you could preview each knowledge point following the syllabus, which is also a good choice.

Since such an intranet practice environment composed of multiple targets is still relatively rare, I didn’t take any extra exercise. If you want, just choose by yourself.

Although I mentioned that OSEP has the lowest development capability requirements in the 300 series certification, why do I still recommend that you master PowerShell and C#? This is because the course will provide in-depth explanations for the various techniques used, including what each line does and how to modify it yourself. Although you can directly save the template code and apply it directly to the exam, I think that it is the most important thing to understand the principles in the course, otherwise you will still be an advanced script kid.

About the Course

The resources of the course are mostly the same as the one of PEN200, but there is a significant difference between the PEN200 Lab and the PEN300 Lab. In the lab of PEN200, every mahines is a individual challenge, but in the lab of PEN300, the most important is Lateral Movement and Penetration with Active Directory, there are several challenges which are consisted of many machines, it can be as little as three or as many as 10. Each machine has different solution to break, such as fishing, lateral movement, SQL vulnerabilities, etc.

By the way, it’s not the same as PEN200, the lab environment for the 300 series is not shared with other students.

The exam focuses on the ability to examine 4 areas, and it is also where we should focus on learning

• Lateral Movement ( Including traversing between multiple network segments )
• Penetration with Active Directory
• Anti-Virus Bypassing ( Mainly based on static bypassing )
• Client Side Code Execution ( Such as fishing)

Compare to PEN200-OSCP, PEN300-OSEP is closer to penetration in the real world. You will find that the antivirus software is working in nearly every machine, but working offline. After gaining administrator privileges, you also need to find a way to disable or bypass these security software, otherwise they will not only hinder you in the stage of obtaining a shell, but also when you perform lateral movement or post-enumeration.

About the Exam

Offical Exam GUIDE: OSEP Exam Guide – Offensive Security Support Portal (offensive-security.com)

Many students learned about OffSec’s certification system only because of the OSCP certification. Compared with other certifications, the examination format of the OSCP certificate is quite unique, while the OSEP adopts a more interesting examination form.

In the OSEP exam, we still need to attack each target machine because we are still being examined for penetration testing, but this time we are provided with a simulated environment. OffSec simulates a fictitious target, such as a large company or a bank. The exam provides students with several IPs as exposed security boundary. You can break through in many ways. You can break the security boundary by attacking Web services, exploiting directly, or even phishing.

After breaking the security boundary, it’s time to move laterally. Every time you owned a proof.txt or local.txt, you will get 10 points. There are two ways to pass the exam, get 10 flags, that is, 100 points to pass the exam, or finish the ultimate goal of the simulation, the flag is saved in secret.txt, and you can pass the exam directly after getting secret.txt

According to the official statement, there are at least two attack paths that can reach secret.txt, which means that either one of the paths is completed, or both paths are almost halfway through, which is relatively flexible, and everyone can choose freely during the exam.

During my exam, because the security software in the machine which is in the boundary of another route can’t be bypassed for me, I have to try to get the secret.txt from the way I can break. Luckily, I got the secret.txt and successfully passed the exam. It also passed through more than one network segment. The OSEP exam is so interesting for me.

All the technologies used in the OSEP exam have been mentioned in the lab challenges, so I think that as long as you solved all the challenges in the lab like me and master every knowledge point, passing the exam will not be a problem.

WEB300-OSWE

Official information about the WEB300-OSWE: https://www.offensive-security.com/awae-oswe

I has owned the OSWE in April 2021, it’s the first certification about exploit development.

How to Prepare

The courses in the 300 series are recognized by OffSec as advanced courses, all of which require more or less development capabilities. The official page also gives the requirements for basic capabilities, as follows

As we can see, the requirements for the basics of web coding are relatively high. If you’re a experienced CTF-Web palyer, it’s will be easy.

However, the WEB300-OSWE focuses on white-box assessment, which is diffrent from CTF.

If you’re not a CTF player and don’t have knowledge about web security. I recommend the basic course by PortSwigger, which is free.

https://portswigger.net/web-security/all-materials

The Syllabus of WEB300-OSWE: awae-syllabus.pdf (offensive-security.com)

If you have looked at it in detail, you can find that most of the course are based on real examples. Both WEB300 and EXP301 are used to study Exploit Development (EXP development), so you will study with real example. If you have mastered the above programming basics and Web vulnerabilities. It’s time to start the journey of WEB300-OSWE officially.

About the Course

The resources of the course are mostly the same as the one of PEN200.

The lab is consisted of several chanllenges, which is consist of white-box(main) and black-box, but the exam only examines the white box assessment.

The way of learning the WEB300-OSWE course is relatively monotonous. The method I used to learn it is to practice while reading the PDF. After practicing all the examples in the course, I have mostly mastered it. This may be because I was a player in CTF-Web. Due to my experience, this course is not very difficult for me

As follwoing, we need to solve the challenges in the lab. It may be too hard for those student who don’t have experience with web assessment, don’t be hesitate to ask others for help in discord. As long as the vulnerability taught in the course can be tested, including client-side attacks like CSRF or collision attacks.

For both WEB300-OSWE and EXP301-OSED, I strongly recommend summarizing mind maps while studying, which is extremely helpful for consolidating study and thinking about attack paths in exams

About the Exam

The exam examines manual white-box auditing, so you are not allowed to use various automated tools. Each challenge will provide 2 machines. The 2 machines are exactly the same except for the passwords. One is used for students to obtain source code and Analysis, another used to get the Proof.

For every challenge, there will be 2 stages, first one is to bypass login, the others is to achieve remote code execution.

The full score of the exam is 100 points, and 85 points are passed. There are 2 machines in total, 35 points in the first stage and 15 points in the second stage, which means that the Bypass Login of the two machines must be successful, and RCE only needs to complete one of them. Because I had a lot of spare time for the exam, it took less than 20 hours to get the full score and write the report, so I got it all done.

After getting all the Proofs, The student have to write an Exploit to automate the attack. I recommend using Python3 to write exploit scripts.

Compared with the course that use real cases as examples, the exam is consisted of OffSec’s self-developed challenges, and the code language used in exam is different for everyone.

EXP301-OSED

Official information about the EXP301-OSED: https://www.offensive-security.com/exp301-osed/

How to Prepare

The courses in the 300 series are recognized by OffSec as advanced courses, all of which require more or less development capabilities. The official page also gives the requirements for basic capabilities, as follows

EXP301-OSED only examines the 32-bit environment of Windows, that is why it is being criticized, because most of the computers are now x64 architecture. However, in fact x86_64 is an upgraded version of the x86 architecture. I think it’s a good choice to learn basic binary research skills by learning x86. If you start directly with x64, the learning curve will be too bumpy

In order to be familiar with the 32-bit basic binary exploit, you can choose the CTF-PWN as the entry option, or you can choose the practice questions provided by the ROP Emporium for practice, because this website only provides executables, there is no virtual practice environment. You can use a virtual machine to build a virtual practice environment. Here I recommend a small tool I made myself to build a practice environment. The documentation is on my blog: DIPD Document - 4xpl0r3r’s blog, you can also leave a message below the article about usage issues.

ROP Emporium offers 4 practice architectures for each challenge, x86, x86_64, ARMv5, MIPS, if you are only preparing for EXP301-OSED, you only need to practice the challenges in x86 architecture, if you want to feel the difference between x86 and modern x86_64, you can also practice with x86_64, if you want to enter the IoT binary security field, you can study ARM and MIPS, but you need to build a QEMU heterogeneous virtual machine yourself.

About the Course

The resources of the course are mostly the same as the one of PEN200.

The learning method I used in the EXP301-OSED course is similar to WEB300-OSWE. My learning method is to practice while reading PDF. After practicing all the examples in the course, I have mostly mastered it. Through repeated practice, I summarized my own methodology.

As same as the WEB300-OSWE, it is recommanded to summarize mind maps during learning the EXP3-1-OSED.

I concluded that the core content of EXP301-OSED is: stack overflow as the core, study the bypass of DEP and ASLR, and learn the shellcode development with assembly and reverse engineering. These are also the core content in the exam, so you can have a general understanding before taking the course.

There are also some small details that need to be paid attention to. The OSED exam allows the use of IDA but not IDA Pro. Only the free version of IDA can be used, which means that the IDA can be only used for disassembly and you can get the pesudo-code by IDA F5. Attention: Debugging is also only possible with WinDbg

About the Exam

Compared with in course and lab, which generally use real cases as examples, the exams all use challenges developed by OffSec.

The exam consists of three independent assignments, with scores of 40, 30, and 30, respectively. The score for passing the exam is 60, so you can pass the exam by completing 2 of the assignments.

The 3 tasks of the exam will examine all topics in the syllabus, including reverse engineering, developing exploits to bypass mitigation (i.e. DEP and ASLR), and developing self-made shellcode (developed in assembly language)

Compared with the difficulty of thinking, this exam pays more attention to the understanding of the underlying computer, it will be very difficult for students who are not familiar with assembly language, because the amount of code to be read is still not small, most of the challenges are relatively straightforward, and the more creative part I think is building the ROP chain and reverse engineering to find exploitable vulnerability.

Every assignment is pretty binary as far as I know, if you have the flag and good docs, it is max score for that challenge, but if any of these is missing, I guess it is 0.

Some chanllenges will provide a template exploit, which needs to be further improved, while some chanllenges do not have a template, and need to find vulnerability through reverse engineering

There are some important to pay attention

• You have to use IDA Freeware to perform disassembly, neither IDA Pro and Ghidra are allowed.
• The exploit have to be written by Python3, neither other languages and Python2 are allowed.
• Unlike other OffSec certifications that only need to upload the report and do not need to upload the code, OSED needs to upload the final code of each assignment

The End

If the information you want to know is not mentioned in this article, you are welcome to send me an email to communicate, and you are also welcome to be my online friend, just send me your contact information by email.

4xpl0r3r@gmail.com

Here are my certifications