✨OSEP 2025 Review – The Non-Tech Mid-Careerist Edition

There are (probably) only two reasons you are here:
1) You are preparing to take the OSEP and want to find out tips or read about one’s experience of the exam;
2) You are thinking of taking the OSEP but are not sure what to expect heading into the course.
Good news! I aim to cater to both audiences:)
Anyway, here is my GitHub repo containing my notes for OSEP: https://github.com/OoStellarnightoO/OSEP_Notes
About Me
I graduated with a degree in Economics a long time ago and worked in non-technical fields for the majority of my professional career. I transitioned to a cybersecurity career in mid 2024 with zero background in programming, OS and network fundamentals. I am literally this meme:

In the last two years, I have achieved the following:
Dec 2023 – Passed TCM Security Practical Network Penetration Tester (PNPT). My first cyber cert and what convinced me to dive into cybersecurity. Shout out to TCM Security for being awesome.
Oct 2024 – Passed SANS GCIH with 100%.
Feb 2025 – Passed OSCP+ with 70 points
Apr 2025 – Passed SANS GCTI with 99% and also passed HTB Certified Defensive Security Analyst (CDSA)
Jul 2025 – Passed OSEP with 16 flags; maybe one step away from secrets.txt, but I was tired and used the time instead to make sure the report was comprehensive.
This is the result of consistent hard work and support from my loved one in a bid to rapidly ramp up my creds. For the past 1.5 years, I spent most of my free time after work and on weekends just studying and going to the gym. My Steam games are quietly languishing in the corner😥.
I’ll be honest. I took OSEP because (1) I was bored and I had time, (2) I did it out of spite because I was rejected by a few companies and I got to show them what they are missing, (3) I do eventually want to get OSCE3 because it is an achievement and I love achievements and challenges; and (4) well I was really bored and needed a goal to hone my restless mind towards.
PEN-300 Musings
I won’t repeat the same things that most other reviews have already shared, namely that the PEN-300 materials are outdated given the shift away from VBA and JScript client-side attacks and the antiquated AV; I also do not have enough real experience to comment on this extensively.
I took about two dedicated months to go through the material. I split the entire course into three big sections:
- AV-evading payload generation in C#, VBA and JScript
- Some random stuff to do with Linux
- Actual AD stuff, including MSSQL and Windows lateral movement
The first section was the most difficult for me personally because it involves coding in three languages that I was completely unfamiliar with, namely C#, VBA and JScript. The AV portion took a while to figure out because you will need to obfuscate your shellcode. The course teaches Caesar ciphers, but I think it is worth the time to investigate how to do XOR for C#, PowerShell and VBA payloads. I included a sample Python script to XOR your shellcode.
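To make the XOR versus Caesar point concrete, here is an added example of my own (not the script from the author's repo) that implements both transforms over raw bytes with their decode direction, and adds a known-plaintext check showing why a single-byte key is only an encoding: an analyst recovers it in at most 256 trials. It goes slightly beyond the text by handling a repeating multi-byte key. The SAMPLE bytes are a constructed placeholder, not a payload.

```python
"""Repeating-key XOR and additive Caesar transforms over bytes, plus a
known-plaintext check. Added example, not the script in the author's repo.
The sample bytes are a constructed placeholder, not shellcode."""
from itertools import cycle
from typing import Optional

# Constructed placeholder input; includes 0x00 and 0xff to exercise the full byte range.
SAMPLE = b"constructed placeholder bytes, not a payload: \x00\x01\x02\xff"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR each byte with the key, repeating the key as needed.
    XOR is its own inverse, so the same call encodes and decodes."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def caesar_encode(data: bytes, shift: int) -> bytes:
    """The course's Caesar variant on raw bytes: add a constant shift modulo 256."""
    return bytes((b + shift) % 256 for b in data)


def caesar_decode(data: bytes, shift: int) -> bytes:
    """Undo caesar_encode by subtracting the same shift modulo 256."""
    return bytes((b - shift) % 256 for b in data)


def recover_single_byte_xor_key(encoded: bytes, known_prefix: bytes) -> Optional[int]:
    """Analyst's view of why a single-byte key is only an encoding: given any
    known plaintext prefix, at most 256 trials recover the key. Returns None
    when no single-byte key explains the prefix (e.g. a multi-byte key was used)."""
    for k in range(256):
        if xor_bytes(encoded[: len(known_prefix)], bytes([k])) == known_prefix:
            return k
    return None


def roundtrip_ok(data: bytes, key: bytes, shift: int) -> bool:
    """Both transforms decode back to the original bytes."""
    return (
        xor_bytes(xor_bytes(data, key), key) == data
        and caesar_decode(caesar_encode(data, shift), shift) == data
    )


if __name__ == "__main__":
    key = b"k3y"
    encoded = xor_bytes(SAMPLE, key)
    print("xor   :", encoded.hex())
    print("caesar:", caesar_encode(SAMPLE, 13).hex())
    print("round trip ok:", roundtrip_ok(SAMPLE, key, 13))
    # A single-byte key is recovered from an 8-byte known prefix; the 3-byte key is not.
    print("key 0x5a recovered:", recover_single_byte_xor_key(xor_bytes(SAMPLE, b"\x5a"), SAMPLE[:8]))
    print("3-byte key as single byte:", recover_single_byte_xor_key(encoded, SAMPLE[:8]))
```

Both transforms are encodings rather than encryption: the key and the decode loop ship alongside the encoded bytes, so they only change what sits on disk as a byte pattern, which is all the course's exercise needs, and a reviewer with the runner in hand undoes them as easily as `recover_single_byte_xor_key` does.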
The Linux section was, well, there. It is relevant, but it kinda evokes the "oh, okay" feeling.
The AD section is the other main meat. There is more C# for things like PrintSpoofer, MSSQL enumeration and exploitation, and fileless lateral movement. This got me worried because it was fairly complicated to moi, who was already struggling with the C# stuff. Good news if you are like me: you don't have to touch any of those because there are open-source tools or Metasploit functions that do those. Got SeImpersonate? Use SigmaPotato (not flagged by OSEP AV) or GetSystem from Meterpreter. Use impacket mssqlclient to enumerate and laterally move around SQL servers. Fileless lateral movement is not required when good old psexec works.
You may wish to use this relevant resource before going through the course:
https://github.com/mvelazc0/defcon27_csharp_workshop
TLDR Review of PEN-300
The Good ☺️
- Much better than PEN-200 in terms of actually giving you useful information to tackle the labs and the exam (even though a lot of the techniques are not very efficient and there are better ways of doing it); you could use them to pass the exam, though it will probably be a painful experience:)
- Like the progressive way of approaching AV evasion, where you start with a simple payload and then progress to a stage where you can finally evade (the crappy) AV; if you follow diligently, you actually learn quite a bit about Win APIs and scripting a C# shellcode runner, though it can be tedious and dry at times
- Some interesting (though underdeveloped) materials on Linux SSH session hijacking, and abusing Ansible which I have never learnt before
- I like how each of the challenge labs from 1 to 6 is designed to test a particular technique, from Word doc phishing to MSSQL lateral movement, instead of just a random scattering of labs like PEN-200
- Recent additions of CowMotors and DenkiAir as Challenge Labs are timely given that they simulate the exam environment very well. Essentially the OSCP A/B/C of PEN-200 but FAR MORE RELEVANT and difficult.
- I didn’t really run into any major issues with the labs. The Offsec Discord for PEN-300 is quite helpful.
The Bad 👎
- Outdated materials. While I was going through the material, they were actually updating the modules to Windows 11, but when I went through the new modules, they were practically copy and paste from Windows 10 except for minor changes. No discussion of modern defenses such as EDR or AI-driven defenses. Still good old Defender.
- Downloaded PDF is outdated. For a course of this price where you don’t have lifetime access, I think it is farcical to not be able to download an updated PDF version of the course material. I was stuck with a 2024 version of the PDF when I was already six months into 2025 and multiple updates to the course modules! No excuse here, OffSec!
- For a more AD focused course, the AD here is still kinda weak? Good to see that there is a new module on ADCS but this is not yet reflected in the labs.
- While OSEP is not a red team course, I thought that there should be discussions on how to be more stealthy when attacking enterprise systems. Right now, because there is no emphasis on this, students may develop bad habits such as disabling AV, running noisy commands such as nxc and SharpHound, throwing binaries onto host systems and leaving behind a ton of artifacts.
- Too pricey for the amount of content. Limited HR value (unlike OSCP), and there are potentially better and cheaper alternatives like CRTO and CPTS
- Wish the course had sections about impacket tools, netexec, Ligolo-ng, bloodyAD and SharpHound since everyone uses them
Preparing For the Exam
I was fortunate that during my course access, they added Challenge Labs 7 and 8, which are CowMotors and DenkiAir respectively. From my understanding, these were actual exam sets that are retired. As such, I can say that there is absolutely no need to use any external resources. The eight challenge labs are more than sufficient. IMO, the exam is easier than CowMotors and DenkiAir.
I suggest trying to finish DenkiAir (the final challenge as of Jul 25) no later than one week before your exam. This is to leave time to consolidate your notes and create your own checklist. Use the remaining time and the relevant challenge labs to test out your payloads. I suggest having your own Windows development VM, as the one OffSec provides is laggy and occasionally missing LIBRARIES (looking at you, Challenge Lab 4, where dotnet2js refuses to work on their dev machine). I also took care to develop at least two ways to confront each of the following situations which could happen during your exam:
1. Phishing
   - Prepare multiple .doc files that have template code to perform the following functions:
     - test for command execution and connectivity through a ping check back to the attack host
     - a PowerShell download cradle that pulls an AMSI bypass script and a PowerShell shellcode runner
     - one that pulls an exe with the shellcode hidden inside the uninstall component and then executed via InstallUtil
     - a direct VBA shellcode runner (with your choice of encryption and sandbox evasion)
     - (if you have time) one that does process hollowing from VBA
   - Prepare the following .hta files:
     - one that pulls and executes PowerShell shellcode in memory
     - one that has the actual shellcode (from dotnet2js) right inside the .hta
     - one that pulls an exe with the shellcode hidden inside the uninstall component and then executed via InstallUtil
2. General Payloads (you can find these in my GitHub)
   - PowerShell shellcode runner with shellcode that is obfuscated via XOR, Caesar cipher or Invoke-PSObfuscation
   - A process hollowing C# payload
   - A process injector C# payload
   - Interactive RunSpace payload to bypass CLM
   - Payload to be used with InstallUtil to execute whatever you want
3. Helpful tools
   - Python script to XOR or Caesar cipher
Also book your exam ahead of time so you get a humane time for yourself. You can always reschedule (up to three times).
Do the Challenge Labs. All eight of them. It is okay if you are stuck. Ask for help on the student Discord. I was stuck multiple times, even during CowMotors and DenkiAir. Nothing wrong with asking for help, especially if it is an unknown unknown. Learn what works and what doesn’t and put it in your notes.
The Exam Experience
I initially set up my exam for 5 July but work got busy and I had to prepare for some interviews thus I pushed it back to 18 July.
On 14 July, I completed my checklist, tested all my payloads and was raring to go so I did the ballsy move of pushing it forward to 16 July. There was a timeslot at 10am which is my fav timeslot to take exams since I had time to freshen up, get a cup of coffee and have my first scheduled break at around lunch time (1pm).
According to the Exam guide, there are two ways to pass:
- Get the secrets.txt allegedly buried deep inside the AD; or
- Get at least 10 flags
For me, the first 8 hours were the hardest. After that I felt like I was just steamrolling the entire exam, though I was not able to get secrets.txt. I was probably missing something obvious, but I was tired.
Take a lot of breaks. It is 48 hours. Honestly, that is a lot of time. Most of the time you are just bumping into walls, but the moment you get it, you are getting multiple flags in a short amount of time, so don’t panic if things don’t look good at the start!
Start Time: 1000H
As you might have read, there are two attack paths for OSEP to the end objective. I unknowingly took the harder path and was stuck for about three hours. At this point, I was like "Am I going to fail OSEP with 0 flags?!"
Flag 1 and 2 (The “Hard” Path): 1300H
And then I took a short break, marveled at the world from my window, and then something clicked in my head. Boom, two flags in five minutes. I mentally slapped myself for missing something that obvious but nevertheless was happy to finally gain a foothold. My mood turned 180 degrees from complete dejection to over-jubilance, thinking that it was going to be an easy ride from here. Guess not.
Flag 3 (The “Hard” Path): 1730H
At this point, I thought it was a good time to take a lunch break. Added persistence just in case my shell died. Came back and was feeling confident until I got stuck for the next few hours. And then a touch-grass moment, and five minutes later, third flag. Once again, it was something stupid and I got stuck in some random rabbit hole. This will become a recurring theme. Every time I get stuck, it is always something stupid.
I took a 30-minute nap at this point because I could feel my eyes straining. Also, it was a good time for dinner after the nap.
Flags 4, 5, 6 (The “Hard” Path): 2100H
After dinner, it was relatively smooth getting the next three flags. Afterwards, I was stuck for a while. I then decided to get some fresh air and I went for a run around the neighborhood when inspiration struck me like a thunderbolt. I ran faster than usual, eager to take a shower and test out my theory.
Flags 7, 8, 9 (The “Hard” Path): 0100H +1
After taking a refreshing shower, I got another three flags in quick succession. In less than 16 hours, I was on the verge of passing. I was on the verge of glory, but I was also incredibly tired. So I decided to sleep and wake up early to stroll through the finish line.
The Sleep (0100H to 0700H)
The sleep was terrible. I was having dreams (nightmares?) of attacking the AD and getting nowhere in my sleep. Exhausted by dream hacking, I decided to just wake up and do it for real. It took a while for the proctor to respond to my request to resume my session. I was stuck for a while, then I decided to look at the other path.
Flag 10: Passed (0850H)
Yay…. easy? Ate breakfast.
More Flags (1100H)
I got four more flags in two hours. I was on a roll baby.
Flags 15 and 16 (1600H)
I took a lengthy nap after lunch. Woke up, chose Try Harder and got another two flags. At this point, I was hoping to get secrets.txt, but after plugging away at it for three more hours, I decided to wrap it up and focus on making sure my report was comprehensive. I ended the exam at around 2100H, way ahead of schedule, after being satisfied with all my screenshots.
I submitted the report past midnight and got my results at about 4pm.
Looking back at it, the exam was surprisingly manageable and maybe a tad easy? As expected, initial access is a pain in the ass, but I was pretty confident once I had a foothold, as that was what I was better at. It felt a bit anti-climactic after all the intense preparation, but a win is a win and I will take it:)
For now, it is job hunting time. I will leave OSWE and OSED for next year and hopefully sponsored:))