Offensive Security PEN-300 Course Review 2022

Mason Schmidt
8 min read · May 3, 2022
Credit: Offensive Security

Introduction

Hello there! I recently completed the course material and labs for Offensive Security’s Evasion Techniques and Breaching Defenses and thought I would take the time to do a quick review of my experience. If you are like me, you are probably scouring the Internet reading reviews before pulling the trigger on the course. I have been there many times myself so I thought I would contribute to the bunch! So before I get started, I will briefly discuss my professional experience prior to starting this course. I have been working in Information Technology and Cybersecurity for almost 10 years now and hold 21 professional certifications (including OSCP). I also hold a Bachelor of Science in Cybersecurity and Information Assurance. I would say that I have a solid grasp on the fundamentals necessary to be successful in an advanced course of this nature. I say all of this to give some context for what I am about to discuss. This course pushed me to my absolute limits on a daily basis. It challenged me in ways I would have never imagined. I had thoughts of self-doubt and at times I didn’t think I was going to make it through. That is not to say that this course is impossible but more to say that it will take some extreme dedication and a will to learn to be successful. At the same time this was by far the most fun I have ever had with a certification course and would do it all over again if given the opportunity. Now with that out of the way, let’s talk about what you are here for: the course and the labs.

Course Overview

The Offensive Security Evasion Techniques and Breaching Defenses course is an advanced penetration testing course that covers various topics such as:

  • Operating System and Programming Theory
  • Client Side Code Execution With Office
  • Client Side Code Execution With Windows Script Host
  • Process Injection and Migration
  • Introduction to Antivirus Evasion
  • Advanced Antivirus Evasion
  • Application Whitelisting
  • Bypassing Network Filters
  • Linux Post-Exploitation
  • Kiosk Breakouts
  • Windows Credentials
  • Windows Lateral Movement
  • Linux Lateral Movement
  • Microsoft SQL Attacks
  • Active Directory Exploitation

More details about the course content can be found here:

Course Review

The course is structured in a crawl, walk, run, full out sprint approach. The course material introduces a topic and then slowly advances all the way to the point where you could feel comfortable taking the extra steps necessary to improve on the technique presented. The course PDF and the videos are almost word for word with some minor exceptions where the video expounds on the code examples a little more than the PDF. At the end of every section there are various exercises that reinforce what was taught in the reading/videos. I opted to complete every single exercise no matter how trivial it seemed and took EXTREMELY detailed notes along the way. I would highly suggest that you take the same approach (trust me on this…). I tackled the course readings and then watched the corresponding videos before completing the exercises for every section of the course. At first, I felt very bogged down by the sheer amount of content that was being presented and didn’t really hit my stride until about 30-ish days into the course. In total it took me 45 days (exactly half of my time) to complete all of the readings, videos, and exercises. I really enjoyed the course material and exercises and wrote a TON more code than I initially expected going into the course. This leads me to my next point. WRITE YOUR OWN CODE.

The course material presents code examples that you could easily copy and paste into your IDE of choice and go on about your life. DO NOT DO THIS. I went into the course with only minor experience in writing C# and PowerShell and would not have considered myself confident by any means. I consider myself a fairly decent Python coder and thought I would rely heavily on it for automating tasks (I did not). I wrote so much C# and PowerShell that I now prefer them over Python for automating Windows tasks! At the time of writing this I can definitely say I can confidently write multiple languages now including C#, PowerShell, and Visual Basic. I recently started a GitHub page to dump (some) of my code from the course which can be found here (work in progress!):

One thing that I liked the most about this course is that it is taught almost 100% using Meterpreter as the payload of choice. This is a stark contrast to the PEN-200/PWK/OSCP course mentality where it is taught that using the Metasploit Framework is a sin. I love that Offensive Security finally recognized that real Penetration Testers and Threat Actors use Metasploit to get the job done. I also think choosing Meterpreter as the payload of choice was an excellent decision because of how highly signatured it is by Antivirus Engines. I believe that if you can get Meterpreter past modern AV scanners you have (most) of the tools necessary to lead a successful penetration testing career.

Another thing that I enjoyed about the course is that it was (fairly) up to date compared to PEN-200. The course didn’t rely on legacy systems with some extremely outdated version of software to exploit. Although I will have to say, some of the footholds felt very easy (more on this later). The world of Antivirus bypass is a constant uphill race against the clock. Modern Antivirus Engines are trying to stay one step ahead of Threat Actors by using Threat Intelligence to develop signatures for their software. At the time of writing this I would have to guess that the course is around 3 years behind the power curve when it comes to breaching modern defenses. Now that is not to say that the techniques covered will not provide a decent foundation on which you can build. One of my favorite parts of the course was trying to figure out new ways to bypass AV and get my AntiScan(.)Me detection rate as low as possible. Right now, my shellcode runner sits at a 2/26 detection ratio but tomorrow it could be 26/26, so who knows. I loved the challenge of trying to trick systems into executing my shellcode (completely in memory) and give me back a beautiful Meterpreter session. Every time a new Meterpreter session opens I get just as excited as popping my first shell way back in 2018!

Overall I loved every single (painful) minute of this course. I definitely think the skills gained going through the OSCP process are a requirement before starting the material. If I were presented the opportunity, I would swap the Kiosk Breakouts section for more Active Directory attacks. I felt like that section was the most out of place. I also felt that some of the Active Directory attack paths were under-explained and left more to be desired. Removing the Kiosk Breakouts section would allow room for more Active Directory goodness! Now that the course is out of the way, let’s jump into the absolute best part of this course: The Challenge Labs!

Challenge Labs

The challenge labs were far more difficult than I initially planned them to be. I based my opinion off how smooth and simple the exercises were going. Oh was I wrong. In true Offensive Security fashion you will need to “Try Harder” in the Challenge Labs. They consist of 6 small Active Directory domains that each have a different lesson to learn and focus on various points of the material. I believe Offensive Security did a good job with these (for the most part).

As I mentioned earlier, the footholds for the labs felt WAY TOO EASY at times. I think if there were an update to the labs, this point should be addressed. Now I understand that the initial access really isn’t the focus of the course, but it is assumed that you have at least OSCP-level knowledge coming into the course. Beefing up some of the footholds would make the Challenge Labs even better in my opinion.

Other than lacking in the foothold department, the labs were well structured and (fairly) stable. There were some instances where the labs would crash or necessary services wouldn’t start. Offensive Security is already ahead of this problem by giving students 200 Start/Revert actions a day! I only encountered a few instances where I needed to revert the labs because they were “broken”. This is a HUGE improvement to PWK labs in my opinion. This brings me to my next point. INDIVIDUAL LAB INSTANCES!

I absolutely loved the fact that I got to spin up my own instance of every lab in the course. I feel like for the price of Offensive Security certifications all of the labs should have individual instances. The one thing I hated the most about going through the PWK labs was the shared environment. There were more times than I could count where a box was spoiled because someone didn’t clean up their exploit. This is definitely not the case with PEN-300 labs. Each student can spin up, revert, and stop their lab instances at any time during the day! I think this needs to become the standard in the offensive training world.

The final point I would like to make is how much I loved the Active Directory attack paths. Going into the labs I had a feeling that all of the attack paths would be boring and unrealistic; again, I was wrong. I feel like Offensive Security did a great job keeping relevant attacks at the forefront of the labs, some of which you may even see in real environments! I didn’t feel like there were very many “CTF-y” moments that would never be seen in the real world. I won’t spoil the attack paths for Active Directory so you will just have to take my word that it was way too much fun!

Overall the Challenge Labs were a great experience and at the time of writing this I still have a little over two weeks on the clock! I plan on using this remaining time to sharpen my toolkit and try to find some alternate paths to Domain Admin! The truth is I don’t want the labs to end and wish there were more. But all good things must come to an end so I will wrap this up as well.

Conclusion

Overall I think Offensive Security hit the nail on the head with this course. There is always room for improvement and I would have to say that this course may be in need of an update if it is to stay with the times. Being that the material is roughly 2–3 years out of date I would say the time is coming soon. I enjoyed every minute of this course and would do it all over again in a heartbeat! I am sure that I could think of a lot more to say about this course but for now, this is all I got. If you made it this far, I want to thank you for taking the time to read my review of the Offensive Security Evasion Techniques and Breaching Defenses course. Stay tuned for my review of the OSEP exam coming soon!