Earning The OSCE3

In this blog post, I will be summarising my journey towards the OSCE3 certification from Offsec. Approximately a week after I finished the OSED exam, I got the confirmation from Offsec that I'd finally completed the OSCE3:

[Image: OSCE3 confirmation email from Offsec]

Timeline

My OSCE3 journey took me just over three years of on and off studying; I completed the OSWE in January 2021, the OSEP in August 2021, and the OSED in July 2024. It's definitely possible to complete the whole set much quicker depending on how much time you are able to invest into it. In my case, I ended up taking some time away after completing the first two courses in 2021 to focus on other things, deciding at the start of 2024 to finish the job.

Prior to the Learn One and Learn Unlimited subscriptions being released by Offsec, all three courses came as a 90 day certification bundle with optional lab extensions. With a dedicated study routine, it's possible to complete each course within a 90 day timeframe, although this will vary from person to person. I personally like to set aside plenty of time for each course, documenting every chapter, lab exercise and challenge so that I can keep referring back to my notes long after my lab access has expired.

Prior Experience

Before getting started on my journey to OSCE3, I'd worked for a couple of years in cyber security as a security consultant. In each of my roles I've been fortunate to work on a variety of projects, including web and mobile assessments, Active Directory, and cloud. I'd also completed the pre-2020 OSCP certification back in November 2018, so before starting the journey I had exposure to Offsec's courses and the famous 'try harder' mantra.

I had also tried out other training providers such as HackTheBox, which offers some decent resources if you're looking to skill up before locking in your lab time. The HackTheBox Academy features specific learning modules such as Whitebox Pentesting 101 and Secure Coding 101, which can help with OSWE. As for OSEP, Offshore is a good HTB Pro Lab for building up your AD related skills. I worked through it in 2020 along with the CRTP and CRTE labs from Altered Security, which combined gave me an initial skillset in attacking AD environments.

Prior to starting my cyber security career, I'd obtained my BSc and MSc degrees in Computer Science and researched IoT security as part of my postgraduate dissertation. From there, I developed a fairly solid foundation in computing, with my particular interests being programming, networking, and security. I also competed in a couple of CTFs during my time at university, although back then I mostly stuck to the basic web challenges.

You don't necessarily need career experience in cyber security or even a technical degree to get started on OSCE3; however, it's recommended to have some fundamental knowledge of computers and networking before jumping head-first into hacking anything. If you are completely new to the field, there are free resources out there to learn the basics.

Offsec Web Expert (OSWE)

When I got started on Advanced Web Attacks and Exploitation (now known as WEB-300), I was mostly testing black box web applications in my job role. Around 2019, Offsec released an updated online syllabus for the AWAE course, which previously was only provided at in-person training events such as Blackhat. Seeing this as a good opportunity to upskill in white box testing and code review, I purchased the course with 90 days of lab time but didn't fully commit to studying it until the 2020 update was released. The current WEB-300 syllabus can be found here.

WEB-300 offers a good breadth of content on hacking web applications from a white box perspective. At a high level, the course demonstrates how to attack a variety of web applications when you have the source code at your disposal. Each module examines a vulnerable web application written in a popular programming language such as PHP, Java or NodeJS. From here, the course establishes the end-to-end vulnerability discovery process: starting with source code analysis for common language flaws, moving on to identifying attack vectors that achieve authentication bypass and RCE, and finally scripting a fully functioning proof-of-concept in Python.

I enjoyed working through the WEB-300 course and have since applied the white box methodology to find bugs in several open source applications. Nowadays, my focus is usually on black box targets, so I leverage the skillset taught in WEB-300 less often. That said, there are times when I review application or exploit source code to replicate vulnerabilities when red teaming. Based on my experience of the course, I'd recommend WEB-300 to application security specialists and developers, penetration testers, or bug bounty hunters looking to add more skills to their arsenal.

As part of Offsec's course revamp and rebranding, the material has been updated and there are now more modules and case studies to help sharpen your web skills. To complement the white box approach taken by WEB-300, Offsec also introduced the black box focused WEB-200 course aka OSWA, providing decent coverage for a new student looking to learn web hacking from both perspectives.

To read more about my experience with OSWE, check out my OSWE review.


Offsec Experienced Penetration Tester (OSEP)

After completing OSWE in February 2021, I switched my focus to internal pentesting. The PEN-300 course was perfect for this, teaching a combined approach of Active Directory attacks, custom C# tool development, and defense evasion techniques. I initially purchased the course with 90 days of lab time, but ended up taking an additional 30 days to complete all of the exercises, extra miles and challenges. This was the first Offsec course where I ramped up my note taking and documentation by moving to Obsidian. The current PEN-300 syllabus can be found here.

PEN-300 introduces common offensive techniques used by an attacker operating in an internal network. It begins by teaching some fun, albeit fairly outdated techniques including document macros, PowerShell / C# droppers and AV bypass methods, which are followed with Linux and Windows post-exploitation, lateral movement and Active Directory exploitation. I particularly liked the focus on tool development and the 'living off the land' approach, both of which I still find useful in my role today.

Since completing OSEP, few if any changes have been made to the syllabus, which is probably my only real criticism of it. In the years since its release, offensive capabilities have evolved considerably along with updates to defensive tooling, and whilst the techniques taught were effective at the time, several of them can now be detected by modern EDR with ease, or could otherwise be mitigated. That said, it's useful to know how certain older techniques work in order to understand and appreciate the more modern ones. In addition, the emphasis PEN-300 places on developing your own tradecraft can be readily adapted to creating new tools and techniques to evade controls now and in the future.

Whilst PEN-300 isn't a red teaming course, there is some overlap between pentesting and adversary simulation, so some of the content is still applicable if you plan on getting into red teaming. For instance, the C# dev modules can easily be applied to crafting custom tools in .NET or modifying existing public toolkits, and the Active Directory sections are relevant to the majority of enterprise environments out there today. For the areas that are perhaps more outdated, I've found it useful to supplement the content with newer resources, such as Maldev Academy for malware development and CRTO for Cobalt Strike and C2 experience.

To read more about my experience with OSEP, check out my OSEP review.


Offsec Exploit Developer (OSED)

My final and personal favourite of Offsec's 300 level courses is EXP-301, or Windows User Mode Exploit Development (WUMED). I first started studying for EXP-301 in January 2022 but ended up taking a break to focus on other things, namely the EXP-312 course (see my review here). Since coming back to it at the start of 2024, I've thoroughly enjoyed getting into the low level exploitation and reverse engineering topics that it teaches. The current EXP-301 syllabus can be found here.

EXP-301 is an update of the original binary exploitation part of the old OSCE course, featuring a range of topics related to vulnerability discovery and exploit development. As OSCE did previously, EXP-301 focuses on 32-bit Windows exploitation, showcasing common memory corruption techniques such as the basic buffer overflow and gradually moving into modern bypasses against DEP and ASLR. This time round, the course teaches vulnerability discovery through reverse engineering rather than fuzzing, and trades Immunity Debugger for WinDbg. Amongst other updates, newer topics including custom shellcode creation and format string vulnerabilities are also covered, as well as old favourites such as the egghunter technique.

The thing I always enjoyed about doing the OSCP was the sheer joy of getting a netcat shell or the "Meterpreter session 1 opened" popup after exploiting a tricky machine. Beyond launching another off-the-shelf exploit, the emphasis in EXP-301 is on building it yourself: from discovering the vulnerability to constructing a ROP chain and crafting custom shellcode. The end product is an exploit or shellcode that is completely bespoke to whichever application, operating system or architecture you're targeting. This makes for a challenging but highly satisfying learning experience, which teaches that each and every line of assembly and ROP gadget has its purpose in a successful exploit. Besides the constraints of x86, the only real limits are your own creativity and willingness to stare at a debugger for hours on end.

Having just passed the OSED exam, I'm keen to carry on down the exploit development path by moving on to Linux and the x86_64 architecture. Eventually, I would like to do the EXP-401 training before sitting OSEE, but until then I will be brushing up on my Windows internals knowledge and reading into more recent security mitigations and bypass techniques. I felt the course content of EXP-301 was just right, as it gives you a good sense of skill progression whilst avoiding making things too easy or overwhelming you completely with the low level technicalities. Considering that EXP-301 only covers x86, the only other thing I felt it lacked was content covering heap exploitation. If, like me, you're looking to continue where OSED left off and want to get into heap exploitation, it features as part of the in-person Corelan advanced training, which I've also heard positive things about.

To read more about my experience with OSED, check out my OSED review.


Closing thoughts

OSCE3 for me was a decent certification pathway for learning web, AD pentesting, and exploit development. It's by no means the only way to become proficient in these areas, as most if not all of the topics covered can be researched if you look in the right places. Offsec conveniently pulls the relevant material together into one place and provides a solid lab environment to practice in. As I learn best by doing, I always look for a strong practical element in any course I work on, and in my experience so far, Offsec delivers.

Overall, I'd say the best takeaway from working on OSCE3 would be the problem solving attitude each course encourages. One thing I have learned from working in cyber security is that things are rarely straightforward, irrespective of whether you're attacking or defending. The Offsec courses and exam experience reflect this well by throwing you plenty of curveballs along the way, helping prepare you to expect the unexpected, which is a core skill to have when venturing beyond the labs. Techniques will come and go, but if you apply the core principles along with a healthy curiosity to whatever you are testing, the learnings will prove invaluable.
