Course Content
PEN-300 builds upon the content covered in PEN-200 (OSCP). I really liked the depth & breadth of content coverage. First off, OffSec clearly states early in the material that PEN-300 is not a “red team” course, but “an advanced penetration testing course” (for an official red team course, see my review of the CRTO). Below are some of the general topics covered:
- Initial Access was covered across several chapters with topics such as MS Office macros and Windows Script Host. I loved how this content was imparted in increasing complexity. Process injection & migration was also covered in-depth which was an excellent section.
- The AV Evasion sections were excellent to cover modern AV bypassing, but did not extend to cover any EDR evasion topics (to me, this is the biggest gap in the course considering I’ve encountered EDRs on most of my pentests in the field). I also wished they would cover customizing known tools used in the course to bypass defenses.
- App Whitelisting was covered in-depth, and the techniques are certainly still relevant. I will always come back to this section as an initial step when I encounter this on an engagement.
- The Linux Post-Exploitation sections included backdoors, keylogging, and some Linux AV evasion. It’s certainly something I would come back to as needed, but honestly not anything I’ve dug into since the labs.
- The Linux Lateral Movement was pretty slick, covering SSH persistence/hijacking, DevOps abuse, and Kerberos on Linux. I found the Linux Kerberos section especially great since I use Impacket so often.
- Kiosk Breakouts was content that I don’t use myself very often, but I loved learning about it and trying it out.
- The Windows & Advanced AD Exploitation sections were top-notch. I will certainly go back to the MS-SQL sections and use the custom tooling we worked on. I loved how they had a section on Windows credentials to discuss Mimikatz, access tokens, Kerberos, and local credentials. One thing I wish they had covered in this section was LSA secrets as it’s something that has been a really fruitful source of privileged credentials for me in past engagements. The Active Directory section covered Kerberos attacks (delegation), ACEs, trust abuse, and inter-forest attacks.
I would give the course content an 8/10. While there were a few things I wish would have been addressed, the depth of coverage was about what I would expect from a 300-level course from OffSec. I very much appreciated how much of the tooling was custom and could be modified and used in my engagements. It has come in handy a few times!
There are a few things I would love to see added or changed in the course. One is additional C2 frameworks. The focus was almost exclusively on Metasploit with meterpreter. It would be very beneficial to discuss other popular frameworks to expand the student’s experience. As mentioned above, I also wish that masking existing tools (Rubeus, etc.) would be covered as well. Finally, I would love to see ADCS attacks added as certificate abuse is a goldmine for engagements.
Labs
OffSec is all about the practical training! The labs were a ton of fun, and were a really great opportunity to refine each topic in the course. PEN-300 has two types of labs: course module labs and challenge labs.
The course module labs were essentially a carbon copy of the environment in the course content. Each chapter had an associated lab where you could follow along with the modules and then do the associated exercises. I highly recommend doing as many of these as possible to gain experience with each topic.
As with every other OffSec course, the main benefit is in the six challenge labs. These labs are of varying difficulty and test many of the key topics necessary to pass the exam. I absolutely loved these labs! This is where your skillset will truly be honed.
I recommend crafting your own shellcode runner as you go through the course and discuss the evasion techniques, and testing your runner in the challenge labs. This will give you a tested payload that is exam-ready. I used the techniques and templates to craft a payload runner (I called it “lastpass64.exe”) that either used a hardcoded payload, loaded a payload from a Base64 blob on the command line, or made a web request to my attacking machine to load a raw shellcode file. This worked great in the labs, but it was not usable in field engagements as EDR usually caught it. If I were to go through the course & labs again, I would create a single .NET assembly program that combined all the different techniques, including the MS-SQL code.
I recommend documenting all your attack paths in a note-taking tool such as Obsidian, including the commands and code you used. I came back to my notes repeatedly!
The Exam
I can’t say much, but as always with OffSec, I loved the exam. Personally, I actually thought the exam was easier than I was expecting, but that could be due to my work experience. Most of the flags (enough to pass) were in my grasp by around 32 hours in, with plenty of breaks in between.
Reporting as you go — this is the way! I usually write directly in the report template they provide and it saves me a lot of time. I recommend stopping and checking your documentation when you have enough points to pass, but still have access to the exam environment. You don’t want to be stuck with enough points to pass but not enough documentation!
If you get stuck during the exam, I recommend taking a break, eating a snack/grabbing coffee, and going back to the topics covered in the course. Perhaps they are testing a technique that is right in the course that is being missed due to tunnel vision! Have fun!