Purpl3 F0x Secur1ty

Security Research.

18 March 2021

Course Review - PEN-300

by purpl3f0x


Intro


I signed up for PEN-300 in November 2020, and started in December 2020, and over the next three months I worked on the course material every day. Watching videos, going through the PDF, replicating exercises, and eventually the challenge labs. I sat the exam on March 13th and met the passing objective on the 2nd day of testing. After getting the official passing email I’ve decided to write a review for the course.


The Course


PEN-300 is a new course released by Offensive Security and is meant to be a follow-up to the PWK/PEN-200 course. It takes on more complex topics such as AV evasion, kiosk escapes, bypassing Application Whitelisting, and exploiting misconfigurations in Active Directory. A full syllabus can be found here: PEN-300 Syllabus

The course comes in increments of 60 or 90 days only, no 30 day option is available. In my opinion that is probably best; I initially only signed up for 60 days, and that was not enough, I ended up extending by another 30 days. The material is very in-depth and takes a while to work through, even if you have a chance to work on it on the clock.

The course teaches almost all of the topics from scratch, assuming that students have not studied these topics previously, which makes it much easier to just pick up after finishing OSCP. I do not believe that extensive pre-study is required, unless you are weak in Active Directory, since this course will assume you already know some AD basics. If you took PWKv2, which had AD in it, then you are already set to jump directly into PEN-300.


The Materials


The PDF is just over 700 pages long, and there are hours of video to go through. The materials are stellar, with the PDF going into great detail on every topic, providing citation and references on nearly every page for additional reading, and the videos are very well put together and easy to follow along. They are a little on the slow side though, so playing them at 125% speed would help you get through them all.

The demonstrations in the PDF provide plenty of screenshots and code snips and are easy to follow along with in the labs, and I very highly recommend doing all of the exercises, as well as documenting them well. Having thorough notes will help you later in the challenges and the exam.


The Labs


Almost every module comes with labs specificly made to help you follow along with the material. The labs are not shared, which means that your machines are only accessible by you. There are no flags in the guided labs.

The challenge labs are meant to be completed after you have finished all the modules, and have no walkthrough or guide at all. They will test your understanding of the course material, as well as your general pentesting abilities. Keep an open mind, as there may be some attacks required to solve the challenges that won’t be in the PDF, but in those cases, the attack needed should be fairly straight-forward. There are proofs to collect in the challenge labs, and they can be provided to the student portal for tracking. Unlike PEN-200, there are no bonus points for finishing the labs; collecting the flags is for nothing more than personal satisfaction.


The Exam


The exam is a 48-hour long black box pentest followed by an additional 24-hour reporting period. As with OSCP, your report must be styled as a professional pentesting report, with an executive summary, a technical walk-through, and screenshots of all of the proofs.

The exam can be passed by either finding secret.txt, or earning 100 points. Every flag in the exam is worth 10 points each, and the total number of flags/maximum score is an exam secret, as is the number of targets in the exam.

For me, the exam was harder than some of the labs, but not to an extreme degree. The exam is challenging but it is fair; it will test your comprehension of the material taught during the course, but it is not arbitrarily hard just for the sake of being exclusive. Most people have said that all you really need is the course itself, to do all the exercises, do all the challenges, and take notes. I share that sentiment, as I did not use any outside study material to prep for the exam, other than simple “cheat sheets” to help me with using some PowerShell scripts like PowerUp.

On the first day of the exam, I achieved a total of 60 points in 7 hours, including breaks, but then got stuck badly on one box for the rest of the night. I took the time to get a full 8 hours of sleep before getting up the next morning to resume. After about 2 hours I finally solved the box I was stuck on, and quickly made my way up to 80 points. A couple of hours later, I was able to locate and read the contents of secret.txt, securing my victory.

While I was curious about completing the rest of the remaining targets, I was physically and mentally fatigued from the experience, so I instead triple-checked my screenshots, retook a couple, and informed the proctor that I wanted to end my exam.

I turned in my report the same day that I finished the exam, which was a Sunday, and got my results back 4 days later on the following Thursday.


Final Impressions


This course was difficult and kept me insanely busy for 3 months solid, but my confidence in my abilities has been pushed to a new level. I became more comfortable creating my own tools in PowerShell and C#, and got over my weakness in AD. Things were frustrating at times but fighting through it was ultimately worth it.

I definitely recommend it to anyone who has OSCP or who is an experienced pentester who wants to learn some new tricks. The cert itself may need some time to gain the same wide-spread recognition that OSCP has, but the knowledge alone is worth its weight in gold. It gives you the foundational skills and confidence to push your own research to new heights.

I had a lot of fun exploring additional AV bypasses in C# to suppliment what I learned in the course, as well as building a robust C# MS-SQL client that definitely came in handy in the exam, which made me feel a great sense of personal pride and accomplishment in making my own utilities that I can easily upgrade or change since I both possess and understand the source code.

With this officially under my belt, I will soon be taking step #2 towards earning the OSCE3 by enrolling in EXP-301/OSED, and hopefully before the year is over, I will earn my OSWE.


References


PEN-300 on Offsec’s website
My repo of tools made with PEN-300 knowledge

tags: Offensive Security - Learning - Certification - 👀