Trick or Treat

This blog records my thoughts and findings. * There is a high probability that this blog is wrong. We kindly ask for your understanding. For educational purposes only. [Twitter:@Anarkh4039]

OSEP Review (24/5/2021) Offensive Security

This article has been translated using Google Translation.

I passed the OSEP exam that I took on May 24, 2021, and I would like to write an exam report. It may not be useful, as it is mainly my personal impressions and opinions, but I hope it will be helpful.

For the OSEP students

Since this is the most important content to be conveyed in this article, it is mentioned first. Also, since the content is written for those who are already working on OSEP, it is assumed that you know the course content.


- Don't let your preconceived notions of the past hold you back.
The bottom line is that getting the target shell is not everything.

I have taken OSCP and OSWE so far, and in both cases I could get points by taking the target shell. However, in the case of OSEP, there are two ways to pass: 1) get at least 100 points, or 2) get secret.txt.
It becomes very important to use the available vulnerabilities to gather information without obsessing about taking the shell of the target in front of you.

I can't go into details because it would be a spoiler, but keep the above in mind, and if you can't get the shell easily, think about what information you can get from that target, which may lead to the next step.



- Don't skip the lab strategy.
This is a personal reflection, but I had a habit of looking at the answers on the forum for tedious tasks when attacking the labs. I'm not going to write about it because it would spoil the exam, but because I skipped a very simple and tedious task by looking at the answers, I mistakenly thought that this task was outside the scope of the exam.
As a result, I got stuck on the day of the exam and was able to move on after reluctantly doing what I thought was outside the scope of the exam.


- Assume there is an AppLocker restriction on everything.
It is recommended that you assume the case where you are restricted by AppLocker during the privilege escalation and Post Exploitation described in the PDF.
In the PDF, Uninstall.exe is used to bypass AppLocker, but it is also safe to assume that Uninstall.exe is not available.
I implemented an interactive AppLocker Bypass, which made it very easy to perform privilege escalation and Post Exploitation.


- Implement Process Injection and Process Hollowing with PowerShell
In the PDF, there is a module that implements a Shellcode Runner using Reflection, but there is no implementation of Process Injection. However, by implementing Process Injection with Reflection and Process Hollowing with PowerShell, the encryption process is no longer necessary, which makes the attack much easier.
In my case, I did not create a single C# executable processed for AV Bypass. I don't know if Offsec expected this, but I did everything with fileless attacks.

What is OSEP (Offensive Security Experienced Penetration Tester)?

This is a penetration testing certification from Offensive Security, and it is above OSCP in difficulty.
This exam features Active Directory penetration testing and anti-virus software evasion, where you learn the theory behind Active Directory configuration vulnerabilities and signature/heuristic analysis evasion, and implement it in C#. Other topics include Linux Post Exploitation, Kiosk Pen Testing, and Network Filter Bypass; the course material is a 700+ page volume.


The exam provides a large network, and points are earned by infiltrating the machines participating in the network (I don't mention point details because they are not listed in the Exam Guide).
The exam is given over two days (47 hours and 45 minutes) and is passed by achieving either of the following.
①Achieve a minimum score of 100 points.
②Get secret.txt.

Preparation

In preparation, I focused on the OSEP PDF. Personally, I think it is enough to do the Exercises and Extra Miles in the PDF. I didn't study on VulnHub or Hack The Box.


As mentioned earlier, it is recommended that you assume AppLocker restrictions in all runtime environments, even though the Exercises and Extra Miles do not. I created the code for an interactive AppLocker Bypass.
It is also highly recommended that you familiarize yourself with BloodHound. BloodHound is a powerful tool and makes enumeration much easier (I assumed this would also run in an environment with AppLocker).


In addition, to reduce the amount of reporting as much as possible, I implemented an additional fileless attack with PowerShell (which reduces the amount of text in the report, since there is no need to process AV Bypass). Specifically, I implemented Process Injection with Reflection and Process Hollowing with PowerShell (not Reflection). This content is not in the PDF, but because of this, I never used my own custom C# for AV Bypass in the exam.

I thought about releasing the code I created on Github, but I'm afraid of the law, so I haven't. In Japan, it is very risky to release malicious code such as Trojan horses.

Exam

In order to avoid spoilers, please be aware that this is very vague.

On the day of the exam, I started at 8:00 a.m., but I got stuck for about 5 hours because I misunderstood that the content was outside the scope of the exam. After that, I continued to apply the content taught in the PDF and attacked the exam smoothly, but I got stuck again 8 hours after the start. The reason for this was that I was obsessed with getting the target shell and completely forgot about the goal of the exam (to get the secret.txt file). It took about 20 hours from the start of the exam to get secret.txt, and the report was 69 pages long.

Thoughts

I have taken OSCP, OSWE, and OSEP so far, and I found OSEP to be the most interesting. I purchased the labs for 3 months, but I was able to take and pass the exam in about 2 months, so I am personally satisfied. I didn't have any C# coding experience, but even I could understand the content as it was explained in detail in the PDF. In the exam, I was able to get to secret.txt in probably the fewest man-hours of steps. It took me about 20 hours from the start to finish, but it was very tough because my back has been acting up lately.

Also, although it was outside the scope of the exam, it was very interesting to implement Thread Hijacking of a remote process in C#.

Next year, new graduates of the same age will join our company, so I would like to continue to work hard to be as good as them.

Thank you for reading this far!