Passed OffSec Experienced Penetration Tester (OSEP) with secret.txt

Hi Everyone, welcome back to my blog!
Today, I’m going to walk you through how I passed the OffSec Experienced Penetration Tester (OSEP) exam with secret.txt on my very first attempt.

Before OSEP: My Motivation

Before I decided to take on the OSEP, I had already passed the OSCP the previous year. While OSCP was a big milestone, I felt it wasn’t enough for me; I wanted to push myself further and face a bigger challenge.

That’s when I started looking into the next step. I saw certifications like CAPE and OSEP, and I realized OSEP was the perfect fit for my goals. The timing couldn’t have been better, because my company supported my growth and provided the budget for me to pursue OSEP.

This combination of personal motivation and professional support gave me the drive to commit fully to the 3 months of preparation ahead.

What is OSEP?

OSEP is one of the advanced certifications from Offensive Security. Unlike OSCP, which focuses on getting an initial foothold

PEN-300 includes a wide array of current techniques and skills, including:

  • Migrating between processes to evade detection and maintain control, even if one process is terminated
  • Modifying attack vectors from Word macros within an executable to deliver a staged Meterpreter payload directly in memory
  • Discussing the drawbacks of PowerShell code that invokes Win32 APIs through the .NET framework and examining a more advanced and stealthy technique known as reflection
  • Executing “living off the land” techniques to gain ever-increasing access to the system and its back-end networks
  • Adding advanced techniques for maintaining access and escalating privileges on compromised Windows systems, including navigating file systems, manipulating user accounts, extracting sensitive information, and establishing persistent backdoors

The OSEP exam has an allotted time of 47 hours and 45 minutes.

EXAM INFORMATION

According to the OffSec website FAQs, there are two ways to pass the OSEP exam:

  1. Achieve the objective provided on the control panel, which is usually capturing the secret.txt file.
  2. Obtain at least 100 points across the exam tasks, which can include footholds, privilege escalations, lateral movements, and other key milestones.

For me, the first method was the goal — capturing the final secret.txt at 5:00 AM on 10 August 2025. This confirmed that I had successfully completed all the critical steps and achieved the exam objectives.

Knowing these options helped me plan my approach strategically, balancing risk, time, and effort throughout the 48-hour exam.

Exam Proof Filenames

  • local.txt — This file is accessible to an unprivileged user account and can only be found on certain machines. The targets containing these files will allow a foothold as an unprivileged user.
  • proof.txt — This file is only accessible to an administrative or root user and can be found under the /root/ directory or the Administrator Desktop. This file is present on most machines.

What Is secret.txt

  • secret.txt — This file is the proof that is found only on the final machine in the simulated penetration test.

My Journey to OSEP

My company purchased the PEN-300 course for me to prepare for OSEP. This course included:

  • 90 days of access to the full course content
  • Associated labs to practice real-world scenarios
  • A single exam attempt

Having this structured course and lab environment was crucial. It allowed me to practice realistic attack paths, focus on advanced evasion techniques, and simulate the exam conditions multiple times before the actual OSEP attempt.

Course progress

I gave myself 3 months to prepare for the OSEP exam. Instead of spending time on every single exercise, I focused only on the Challenge Labs provided by OffSec. These labs are designed to simulate the real exam environment — difficult, realistic, and requiring creative thinking.

Challenges Lab

Month 1: Foundation & First Labs

  • I started by familiarizing myself with the lab environment and reviewing the course material just enough to understand the techniques.
  • My priority was getting hands-on quickly, so I jumped straight into the first Challenge Labs.
  • The early challenges helped me practice initial access techniques and basic evasion methods. I spent a lot of time failing, re-trying, and taking notes.

Key focus: Windows privilege escalation & simple bypass techniques.

Month 2: Advanced Evasion & Lateral Movement

  • By the second month, I was spending most of my evenings working on the tougher Challenge Labs.
  • This is where I started building confidence in AV/EDR bypasses, writing custom payloads, and chaining attacks for lateral movement inside Active Directory.
  • Some labs took me days to complete, but those failures were the most valuable lessons.

Key focus: custom shellcode execution, AMSI bypasses, and moving across the domain stealthily.

Month 3: Simulating the Exam

  • The final month was about treating the Challenge Labs as if they were the real exam.
  • I practiced time management, setting a timer and forcing myself to solve each lab
  • Every attack path I completed, I also documented as if I were writing the exam report. This made my reporting process much smoother later.

Key focus: full domain compromise under time pressure + documentation.

By the end of these 3 months, I felt confident because the Challenge Labs had already prepared me for the exact type of thinking and problem-solving needed in the exam.

My advice

Schedule

I officially scheduled my OSEP exam for 9 August 2025 at 9:00 AM GMT+7.

Here’s how I prepared for the timing:

  • Morning mindset: I made sure to get a good night’s sleep before the exam so I could focus from the very start.
  • Workspace setup: Monitored network, lab environment ready, and all tools pre-tested.
  • Time management plan: Broke the 48-hour exam into phases: initial foothold, lateral movement, domain compromise, and report drafting.
  • Note-taking strategy: Kept detailed notes, screenshots, and commands as I progressed, which made the 24-hour reporting period much smoother.

Scheduling the exam early in the morning helped me maximize my focus and energy for the first crucial hours of the exam.

Exam Date

9 August 2025

I woke up at 6:00 AM GMT+7. My heart was already racing; the excitement and nerves felt like a big bang inside my head. To calm myself down, I went to 7/11 and grabbed a big cup of coffee. Back home, I took some time to relax, sip my coffee, and mentally prepare for the 48-hour challenge ahead.

Before the exam started, I focused on controlling my emotions. I closed my eyes, took a few deep breaths, and reminded myself of all the preparation I had done in the last three months. At 9:00 AM sharp, I logged into the Proctor Portal, verified my ID, and ran the required commands to connect to the exam environment. That was the moment it all became real: the OSEP exam had officially begun.

The first few hours were spent on enumeration and initial foothold. It wasn’t easy; defenses were tough, and progress was slow. But after persistence, trial-and-error, and applying my lab experience, I finally managed to establish a solid first access.

From there, I began exploring deeper into the environment. By late evening, I had already gained access to additional systems and was planning my next pivot.

Focus of the day: Reconnaissance, foothold.

10 August 2025

I continued working hard on the exam. This day was much more challenging than the previous one. I used every bit of experience I had to push through obstacles and break the walls that kept blocking me. Each failed approach was a lesson, and I kept grinding through them.

Finally, after a long night of persistence, at 5:00 AM I captured the final proof file: secret.txt. That was the ultimate “Gotcha!” moment that made all the struggles worth it.

Focus of the day: secret.txt

11 August 2025 (Report Writing)

With the exploitation phase complete, this day was dedicated entirely to reporting. Thanks to disciplined note-taking and screenshots during the exam, writing the report flowed smoothly. I structured it clearly with:

Files Submitted

The report took around 15 hours of focused effort before I was satisfied and ready to submit at 0:05 AM.

Focus of the day: Detailed documentation, professional reporting, and submission.

Waiting for Results

After submitting the report at 0:05 AM on 11 August 2025, the next day, 12 August 2025, was spent waiting for the official exam results.

It was a mix of excitement and anxiety. I kept thinking about every step I had taken during the exam and the report I had submitted. Every little detail, screenshot, and note mattered, and I hoped it would all reflect the effort and precision I had put in.

Although waiting was tough, I reminded myself that I had done everything possible to succeed, and there was nothing more I could do until the results were officially released.

Exam Result

I received my OSEP exam results on 14 August 2025.
The result: PASSED

Result from offsec

Getting this certification on my first attempt was an incredible feeling. All the months of preparation, late-night lab sessions, and focused practice paid off.

OffSec’s Experienced Penetration Tester (OSEP) certified

Pro Tips & Advice from My OSEP Journey

  1. Revert machines if needed: If something feels off, don’t hesitate to revert the lab machines. You get 50 reverts, so use them wisely.
  2. Use the OffSec Discord: The community isn’t super active, but mentors and other students can help when needed.
  3. NetExec is your friend: Excellent for host discovery and password spraying.
  4. Stick to what works for C2: I used Meterpreter throughout the course and exam. Others may prefer Sliver or Mythic; use what you’re most comfortable with.
  5. Run BloodHound: As soon as you get domain user access, BloodHound can reveal attack paths and privilege escalation opportunities.
  6. Command execution ≠ reverse shell required: Sometimes you can just change the administrator password and use PsExec to move forward.
  7. ADPeas is invaluable: This tool is great for Active Directory enumeration and finding misconfigurations quickly.
  8. Challenge Labs 7–8 are good: don’t forget to keep all the commands from them in your notes.
  9. Enum is key.

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

What’s Next?

After successfully passing OSEP, I’m already planning the next steps in my cybersecurity journey. My goals include:

  1. Certified Active Directory Pentesting Expert (CAPE): further deepen my Active Directory exploitation and red team skills.
  2. OffSec Web Expert certification (OSWE): strengthen my web application penetration testing expertise.
  3. Burp Suite Certified Practitioner (BSCP): master web security testing using Burp Suite and enhance my practical testing skills.

TRY HARDER

— — — — — — — — See you Next Blog — — — — — — —

Reference

My Profile
LinkedIn
Hack The Box
OSEP Exam Guide
OffSec FAQs
Reddit — OSEP
OffSec — Forum
GitHub
OSEP Note1
OSEP Note2
OSEP Note3