This set of notes was used for my OSEP exam, taken in July 2025.
There is probably a fair amount of overlap between the Checklist and the individual sections, because the checklist was something I prepared in the days leading up to my actual exam.
The easiest way to bypass the OSEP AV is to use custom Meterpreter shellcode (encoded with a Caesar cipher or multi-byte XOR), a randomised obfuscator such as Invoke-PSObfuscation, or simple changes such as renaming variables like $buf to something like $b_, because the AV is signature-based.
| Name | Description | Link |
|---|---|---|
| OSEP Checklist | A checklist of steps to consider from initial access to lateral movement and cross-domains movement | OSEP Checklist |
| Initial Access - Email Phishing | A slightly more detailed section for email phishing at the initial access vector | Email Phishing |
| Initial Access - File upload of ASP/ASPX | Section on what to try if you can upload asp or aspx files | ASP |
| Initial Access - via .hta | What to put inside your hta and how to deliver it to your victim | hta |
| Initial Access - via .doc | Contains VBA code to execute VBA shellcode, or to run download cradles that run PowerShell shellcode | MS Docs |
| AppLocker and CLM | Techniques to bypass AppLocker and CLM | Bypass AppLocker, CLM Bypass |
| XOR Encoder | Python script to XOR encode and make life easier for you 😉 | python XOR Encoder for Csharp |
Chvancooten OSEP Code Repo
A well-known and convenient repo for OSEP. This is a good starting point and is often referenced by other students and Student Mentors in the Offsec Discord channel.
Invoke-PSObfuscation
Single-handedly the most important tool I discovered for the OSEP. It obfuscates your PowerShell shellcode runner and gets past AV if you can get the host to execute PowerShell scripts.
In particular, I made great use of the Get-ShellCode repo referred to in that repo for my PowerShell shellcode runner.
Hacker-Recipes for AD Movement and Recon
Very useful resource for commands related to AD lateral movement. The commands given in Bloodhound-CE are not always correct. Use this website to check both the Linux and Windows options for abusing AD misconfigurations.
ired-team
Yet another great resource to reference.