Guest post by J3rryBl4nks, OffSec student and OSCP holder
My PEN-300 Approach
My name is J3rryBl4nks. I have been in roles in information technology for 17 years. I started out as a first-tier customer support technician, then worked my way up as a developer to become a development manager and software architect.
I then pivoted into infosec and am currently an information security engineer. My responsibilities include application security review at a code and architecture level, application security testing, network security testing, red teaming, consulting with third parties and partners on their own technology, running the company bug bounty program, and whatever else falls into my lap on a given day.
My pivot into infosec started largely with getting my OSCP certification. Offensive Security produces incredible quality in their courses and their Evasion Techniques and Breaching Defenses course is no different.
While reading the PEN-300 materials and working through the exercises and labs (I have completed all six challenge labs now), I have learned an incredible number of techniques and fundamental concepts that I have been able to immediately apply to my work.
PEN-300 not only gives examples and techniques, it explains the fundamentals behind each of these in a way that means that I can expand on the techniques and adapt them to a given situation. The PDF covers a very large topic space while not wasting time talking about things that don’t matter. All of the information in the course PDF is explained in great detail and shows the expertise the authors have.
Even if specific payloads used in the course are not relevant due to anti-virus updates, the fundamental concepts taught in the course will continue to be applicable for a long time.
I have already been able to apply the fundamentals learned in PEN-300 in my day-to-day work and have increased my skill set in a meaningful way.
There is a lot of code to be written during this course, but the explanations of the code and the workings behind it are top notch.
The course PDF is broken down into logical pieces (in my opinion):
- High level theory
- Practical applications
- Combining the pieces
Each section starts with the theory behind the exploit/attack and then shows some practical applications. Then each section has something that combines the pieces in an overall exploit/attack.
You also get a lab to follow along and replicate each attack in. This lab is dedicated to you, so you don’t need to worry about other students interfering with your work.
The PEN-300 videos are top notch and give you a good visual reference point for each of the concepts taught in the PDF.
At the end of the coursework, you are presented with six challenge labs. These labs exist to give you a place to identify and run your exploits. Like the labs for each module, these are dedicated to you alone.
Labs 1 -3
The first three labs are designed to teach you some specific lessons by demonstrating the path to follow to exploit them. These labs are challenging but are doable.
The last three labs are designed to mimic real world environments and put to the test your ability to enumerate and exploit.
Special Lab 6 note
The course creators have said that Challenge Lab 6 is the closest in complexity and difficulty to the exam. This lab was fun to work through and presented some interesting challenges without being contrived.
Overall Lab Feel: The labs always felt fair and balanced. There were no strange CTF type challenges. If your enumeration is good, you can identify the exploits and then refer back to the source material to find out how to move forward.
I would recommend Evasion Techniques and Breaching Defenses to anyone who wants to get a good grasp on the materials mentioned in the syllabus. I think this course is fantastic for students at ALL levels. I look forward to being challenged in the OSEP exam and hope to give my exam thoughts soon.
About the Author
J3rryBl4nks is an InfoSec engineer who loves hacking things. He loves cracking passwords, privesc, and finding unintended paths to turn into software exploits. He’s active in the #Infosec-Prep discord. Connect with him on his website: https://github.com/J3rryBl4nks