Please read this entire document carefully before beginning your exam!
This guide explains the objectives of the Offensive Security Experienced Penetration Tester (OSEP) certification exam. Section 1 describes the requirements for the exam, Section 2 provides important information and suggestions, and Section 3 contains instructions for submitting your completed exam.
The OSEP certification exam simulates a live network in a private VPN, which contains a corporate network
You have 47 hours and 45 minutes to complete the exam.
This means that if your exam begins at 09:00 GMT, your exam will end at 08:45 GMT two days later.
Once the exam is finished, you will have another 24 hours to upload your documentation. Details on how to submit your files are provided below.
All OSEP exams are proctored.
Please make sure to read the proctoring tool student manual and the proctoring FAQ at the following URL: https://help.offensive-security.com/hc/en-us/sections/360008126631-Proctored-Exams
The exam consists of one large network with multiple machines that must be compromised. As the exam network simulates a corporate network, you will have to first obtain a foothold and then perform additional internal attacks. There are multiple attack paths through the network that will result in the same level of compromise.
Some of the machines will require multiple exploitation steps, resulting first in low-level local access, and then in root or administrative privilege escalation. Other machines will be fully exploitable remotely.
While we cover a number of more advanced techniques in this course, foundational attack components are also part of the exam.
Specific instructions for your target network will be located in your Exam Control Panel, which will only become available to you once your exam begins.
You are required to write a report describing your exploitation process for each target.
Your report must document all of your attacks including all steps, commands issued, code written, and console output. Your documentation should be thorough enough that your attacks can be replicated step-by-step by a technically competent reader.
The documentation requirements are very strict and failure to provide sufficient documentation will result in reduced or zero points being awarded. Please note that once your exam report is submitted, your submission is final. If any screenshots or other information is missing, you will not be allowed to send them and we will not request them.
If you have not made any modifications to an exploit or tool, you should only provide the URL where the exploit or tools can be found. Do not include the full unmodified code, especially if it is several pages long.
If you have modified an exploit or written custom code, you should include:
- The modified exploit code
- The URL to the original exploit code (if applicable)
- The command used to generate any shellcode (if applicable)
- Highlighted changes you have made
- An explanation of why those changes were made
Your objective is to exploit the corporate network and compromise the designated critical asset while providing proof of exploitation.
Not all targets contain proof files. Some may contain one or two proof files, which you must retrieve, submit in your control panel, and include in a screenshot with your documentation. Failure to provide the appropriate proof files in a screenshot for a given level of access will result in zero points being awarded for the target.
Low privileged access proof is given in local.txt files, privileged access proof is given in proof.txt and the final proof is given in secret.txt.
The only accepted way to provide the contents of the proof files is in a remote interactive shell on the target machine with the cat command from their original location.
Obtaining the contents of the proof files in any other way will result in zero points for the target machine. This means a web shell or RDP session is not sufficient.
The exam control panel contains a section available to submit your proof files. The contents of the local.txt, proof.txt, or secret.txt files obtained from your exam machines must be submitted in the control panel before your exam has ended.
When entering the proof, you must also enter the hostname it is located on.
Each local.txt, proof.txt and secret.txt found must be shown in a screenshot that includes the contents of the file, as well as the IP address of the target by using ip addr. An example of this is shown below:
You cannot use commercial software such as Metasploit Pro, Cobalt Strike, Core Impact, or Burp Suite Pro. In addition, spoofing attacks against ARP, DNS, NBNS, or IP are not allowed as they can disrupt the exam environment.
Open-source, community, or custom software that performs automatic enumeration and/or exploitation like Metasploit Community, PowerShell Empire, Covenant, Bloodhound or SQLmap is allowed in the exam.
Please note that we will not comment on allowed or restricted tools, other than what is included inside this exam guide.
Downloading any applications or source code from the exam environment to your local machine is strictly forbidden. For more information, please refer to https://www.offensive-security.com/legal-docs/
Your connection to the exam is to be done with Kali Linux using OpenVPN. We are unable to provide any VPN connectivity support if you choose to use another setup. Your exam connection pack and details will be sent by email at the exact start time of your exam and not in advance.
1) Download the exam-connection.tar.bz2 file from the link provided in the exam email to your Kali machine.
2) Extract the file:
kali@kali:~$ tar xvfj exam-connection.tar.bz2
OS-XXXXX-OSEP.ovpn
3) Initiate a connection to the exam lab with OpenVPN:
kali@kali:~$ sudo openvpn OS-XXXXX-OSEP.ovpn
4) Enter the username and password provided in the exam email to authenticate to the VPN:
kali@kali:~$ sudo openvpn OS-XXXXX-OSEP.ovpn
Mon Nov 16 03:18:22 2020 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
Mon Nov 16 03:18:22 2020 library versions: OpenSSL 1.1.1g 21 Apr 2020, LZO 2.10
Enter Auth Username: OS-XXXXX
Enter Auth Password: XXXXXXXXXX
Mon Nov 16 03:18:33 2020 UDPv4 link local (bound): [AF_INET][undef]:1194
Mon Nov 16 03:18:33 2020 UDPv4 link remote: [AF_INET]x.x.x.x:1194
Mon Nov 16 03:18:33 2020 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Nov 16 03:18:33 2020 [offensive-security.com] Peer Connection Initiated with [AF_INET]x.x.x.x:1194
Mon Nov 16 03:18:35 2020 TUN/TAP device tun0 opened
Mon Nov 16 03:18:35 2020 /sbin/ip link set dev tun0 up mtu 1500
Mon Nov 16 03:18:35 2020 /sbin/ip addr add dev tun0 192.168.x.x/24 broadcast 192.168.x.255
Mon Nov 16 03:18:35 2020 Initialization Sequence Completed
The exam control panel is available via a link provided in your exam email. Through the exam control panel you will be able to:
- Submit proof files
- Revert target machines
- View specific target objectives and point values
You have a limit of 50 reverts. This limit can be reset once during the exam. All of the machines will have been freshly reverted at the start of your exam, so you will not be required to revert the machines when you begin.
Note that machines are reverted in groups to ensure stability of the exam network. Please wait patiently for the machines to revert and only click the button once per attempt. Reverting a target machine will cause it to return to its original state, and any changes you have made to the machine will be lost.
- local.txt - This file is accessible to an unprivileged user account and can only be found on certain machines. The targets containing these files will allow a foothold as an unprivileged user.
- proof.txt - This file is only accessible to an administrative or root user and can be found under the /root/ directory or the Administrator Desktop. This file is present on most machines.
- secret.txt - This file is the proof that is found only on the final machine in the attack simulated penetration test.
- The order in which the exam machines are documented inside your exam report is the same order in which the exam machines will be graded and valued
- Points will be awarded for partial and complete administrative control of each target machine
- Each machine has a specific set of objectives that must be met in order to receive full points
- You must either obtain access to an objective described in your exam email or achieve a minimum score of 100 points to pass the exam
You will receive no points for a specific target for the following:
- Using a restricted tool
- Failure to provide the local.txt, proof.txt and secret.txt file contents in both the control panel and in a screenshot
Ideally, one of the following templates should be used for the penetration test report:
You may use your own template as long as the information is presented in a structured, professional manner and follows all other requirements outlined above.
This subsection of the exam guide explains what you should do in case you are unable to complete your exam due to severe external factors. Please make sure to read and understand it carefully.
The exam lab is a dedicated environment with no students connected other than yourself. The total allotted time of 47 hours and 45 minutes does take into consideration the regular interruptions of everyday life.
- You are expected to take rest breaks, eat, drink, and sleep
- You are expected to have a contingency plan in case any number of issues, including those outside your control, might arise. To that end, we highly recommend you have access to a backup Internet connection.
If you have a legitimate issue, please send an email with your OSID to "challenges AT offensive-security DOT com" immediately. Make sure to include all the necessary details and supporting information such as a letter from your power company, ISP, or any other relevant documentation.
If you lose significant lab time due to a technical issue that is Offensive Security's responsibility, please contact us. If the exam subnet is not immediately in use by another student following your exam, we may be able to extend your lab time. If it is scheduled to be in use, we will provide you with a free exam retake attempt. We work very hard to ensure our environments are highly available and issues are rare.
If you encounter any connectivity problems with the VPN or target machines, inform us immediately, directly in the proctoring chat. Should you not be able to access the proctoring tool, please contact us via the live chat available at https://chat.offensive-security.com or via email to "help AT offensive-security DOT com".
Please note that we will not be able to assist with or give hints on any exam objectives, and we will only be available to help resolve technical problems during the exam.
- Your exam report is in PDF format
- You have used the following format for the PDF file name "OSEP-OS-XXXXX-Exam-Report.pdf", where "OS-XXXXX" is your OSID
- Your PDF has been archived into a .7z file (Please do NOT archive it with a password)
- You have used the following format for the .7z file name "OSEP-OS-XXXXX-Exam-Report.7z", where "OS-XXXXX" is your OSID
- You have made sure that your archive is not more than 300MB and the extracted files are not more than 400MB
- You have uploaded your .7z file to https://upload.offsec.com
Note that the filename is case sensitive. Students must submit their exam file following the exact filename format structure above. If your file does not follow the exact filename format and structure, the application will not accept it.
The following subsections provide details on each of these requirements.
Your exam report must be submitted in PDF format archived into a .7z file. Please make sure to include all your scripts or any PoCs as text inside the exam report PDF file itself. No other file formats will be accepted within the .7z file other than PDF file format.
If you submit your report in any other file format, we will not request or remind you to send a PDF report archived into a .7z file and your exam report will not be scored.
Before submitting your exam report, please review the PDF document to ensure the format and content appear as they did in your original edition document and that there are no formatting errors.
After uploading your exam file to upload.offsec.com, the site will provide you with the MD5 hash of your uploaded file.
Please make sure to verify that you have uploaded your report correctly by checking and comparing the MD5 hashes of your uploaded exam file and the file you have locally.
If the values do not match, that means your file did not upload successfully. Click on "Select a new file" and upload your archive again.
kali@kali:~# md5sum OSEP-OS-XXXXX-Exam-Report.7z
Please do not archive your .7z and PDF(s) files with a password. Our system will not accept it should you upload password-protected files.
You must submit your documentation in a .7z file.
kali@kali:~# 7z a OSEP-OS-XXXXX-Exam-Report.7z OSEP-OS-XXXXX-Exam-Report.pdf
7-Zip 9.20 Copyright (c) 1999-2010 Igor Pavlov 2010-11-18
p7zip Version 9.20 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,2 CPUs)
Updating archive OSEP-OS-XXXXX-Exam-Report.7z
Everything is Ok
Please submit your .7z file via https://upload.offsec.com within 24 hours of completion of the exam and follow the provided instructions in order to upload your archived exam report.
The size limit for extracted files is 400MB and the size limit for the archive is 300MB. If the size constraints are not met, you will not be able to upload your archive. If you are unable to meet the size constraints, we suggest looking at ways to reduce your file size using techniques such as image compression.
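The submission requirements above (file name format, PDF-only and password-free archive, size limits, MD5 comparison) can be checked locally before uploading. The script below is an added example, not part of the original exam guide or an Offensive Security tool; its function names are made up for illustration, and it assumes the XXXXX in the OSID is digits only and counts "MB" as 10^6 bytes, the stricter reading.

```sh
#!/bin/sh
# Added example, not part of the exam guide: local checks before uploading the report.
# Assumptions: the OSID's XXXXX is digits only; "MB" is counted as 10^6 bytes
# (the stricter reading); md5sum and 7z are on PATH, as on a stock Kali install.
MAX_ARCHIVE_BYTES=$((300 * 1000 * 1000))
MAX_EXTRACTED_BYTES=$((400 * 1000 * 1000))

# name_ok FILE EXT: case-sensitive match of OSEP-OS-XXXXX-Exam-Report.EXT
name_ok() {
    printf '%s\n' "${1##*/}" | grep -Eqx "OSEP-OS-[0-9]+-Exam-Report\.$2"
}

# size_ok FILE MAX_BYTES
size_ok() {
    [ "$(($(wc -c < "$1")))" -le "$2" ]
}

# local_md5 FILE: the hash to compare with the one the upload page displays
local_md5() {
    md5sum "$1" | cut -d' ' -f1
}

# listing_ok: reads `7z l -slt ARCHIVE` output on stdin. Passes only if every
# entry is an unencrypted .pdf and the summed sizes fit the extracted limit.
listing_ok() {
    awk -v max="$MAX_EXTRACTED_BYTES" '
        /^----------$/     { entries = 1; next }  # entry blocks follow this line
        !entries           { next }               # skip the archive-level header
        /^Path = /         { n++; if ($0 !~ /\.pdf$/) bad = 1 }
        /^Size = /         { total += $3 }
        /^Encrypted = [+]/ { bad = 1 }
        END { exit (bad || n == 0 || total > max) ? 1 : 0 }'
}

precheck() {
    name_ok "$1" 7z || { echo "archive name does not match the required format" >&2; return 1; }
    size_ok "$1" "$MAX_ARCHIVE_BYTES" || { echo "archive exceeds 300MB" >&2; return 1; }
    # stdin from /dev/null: a password prompt fails instead of hanging
    7z l -slt "$1" < /dev/null | listing_ok ||
        { echo "archive must hold only unencrypted PDFs, 400MB at most" >&2; return 1; }
    echo "local MD5: $(local_md5 "$1")"
}

if [ "$#" -gt 0 ]; then precheck "$1"; fi
```

Run it with the archive path as the only argument and compare the printed hash with the one shown on the upload page.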
After the file has been uploaded, you will be presented with a "Submit File" button where an MD5 hash of your exam report will be displayed. Make sure to click the "Submit File" button after verifying your MD5 hash to submit your files successfully.
If you do not upload your exam-report via https://upload.offsec.com , it will not be graded.
Once the report is uploaded successfully, a confirmation email will be sent immediately acknowledging the receipt. If you have not received the email, please ensure that you uploaded your report and clicked the Submit File button on the final page of https://upload.offsec.com after verifying your MD5 hash. We also recommend that you check your email spam and junk folders in case the confirmation email has been flagged as spam.
In the unlikely event that we require additional clarification on your exam report, we will get in contact with you via email. You must submit the requested information within 24 hours from the time we have requested it.
You will receive an email with your certification exam results (pass/fail) within ten (10) business days after submitting your documentation. Please note that we do not provide the exam score or solutions to the exam targets.