Overview

This is a curated mapping of Hack The Box machines to PEN-300 (OSEP) syllabus topics. The goal is to give you targeted practice on each exam skill rather than grinding random machines.

How to use: Work sections in order — each builds on the previous. Don’t skip to AD exploitation without doing AV evasion first.

Audience: OSEP exam candidates | Updated: June 2025 | Difficulty: Hard

For the TJNull community OSEP-like list, see the bottom of this post.


1. Operating System and Programming Theory

Sections 1 and 2 of PEN-300 are foundational — Win32 API, WoW64, Windows Registry, process scheduling. No specific HTB machines map cleanly here, but the knowledge underpins everything that follows. Focus on the course material for these two chapters.


2. Client-Side Code Execution with Office

Attack Type | HTB Machine | Attack Used | Walkthrough
--- | --- | --- | ---
Phishing — RTF Document (CVE-2017-0199) | REEL | Malicious RTF via CVE-2017-0199 | IppSec · Tool
Phishing — LibreOffice Macro | RE | LibreOffice macro execution | IppSec
Phishing — NTLMv2 capture via link | REEL2 | Malicious link to grab NTLMv2 hash | IppSec
Phishing — LibreOffice Macro | RABBIT | LibreOffice macro execution | IppSec

3. Client-Side Code Execution with JScript

Attack Type | HTB Machine | Attack Used | Walkthrough
--- | --- | --- | ---
HTML Smuggling / JScript WSH | OUTDATED | Client-side attack via malicious document | IppSec
JScript execution via WSH | ANUBIS | Windows Script Host abuse | IppSec

4. Process Injection and Migration

Attack Type | HTB Machine | Attack Used | Walkthrough
--- | --- | --- | ---
DLL Injection / Process Hollowing | HACKBACK | Process injection for persistence | IppSec
Process Migration via Meterpreter | JEEVES | Migrate between processes post-exploitation | IppSec
Reflective DLL Injection | CEREAL | .NET deserialization leading to injection | IppSec

5. Introduction to Antivirus Evasion

Attack Type | HTB Machine | Attack Used | Walkthrough
--- | --- | --- | ---
Macro obfuscation | RE | Obfuscating Office macro to bypass AV | IppSec
Basic shellcode obfuscation | OUTDATED | Shellcode runner with basic obfuscation | IppSec

6. Advanced Antivirus Evasion

Attack Type | HTB Machine | Attack Used | Walkthrough
--- | --- | --- | ---
AMSI Bypass | APT | AMSI bypass to run PS in constrained env | IppSec
AMSI Bypass | PIVOTAPI | AMSI bypass for PowerShell execution | IppSec
AMSI Bypass | MULTIMASTER | AMSI bypass during AD exploitation | IppSec
EDR Evasion | SEKHMET | AV/EDR evasion via custom loader | IppSec

7. Application Whitelisting

Attack Type | HTB Machine | Attack Used | Walkthrough
--- | --- | --- | ---
AppLocker Bypass — ConstrainedLanguage | REEL2 | Breaking out of CLM by creating a function | IppSec
AppLocker Bypass — PSBypassCLM | GIDDY | PSBypassCLM to escape constrained mode | IppSec
AppLocker Bypass — intended path | SEKHMET | Intended AppLocker bypass technique | IppSec
AppLocker Bypass — COR Profiler | | COR Profiler bypass technique | IppSec
AppLocker Bypass | HATHOR | AppLocker bypass in hardened environment | IppSec

8. Bypassing Network Filters

This section is highly theoretical in the course — DNS tunnelling, ICMP tunnelling, HTTP/S proxying. The best HTB practice is:

Attack Type | HTB Machine | Attack Used | Walkthrough
--- | --- | --- | ---
DNS Tunnelling | TENTACLE | DNS-based communication through restrictive firewall | IppSec
HTTP Tunnelling / Pivoting | ANUBIS | HTTP tunnelling through restricted network | IppSec
Network pivoting | PIVOTAPI | Multi-hop pivoting through network segments | IppSec

9. Linux Post-Exploitation

Attack Type | HTB Machine | Attack Used | Walkthrough
--- | --- | --- | ---
SSSD credential extraction | CERBERUS | SSSD config review, domain password extraction | IppSec
SSSD credential extraction | SEKHMET | Dumping sssd.ldb, kinit for Kerberos ticket | IppSec
Linux persistence / cron abuse | SEAL | Ansible playbook abuse for privilege escalation | IppSec
Ansible abuse | INJECT | Ansible enumeration and privesc | IppSec

10. Windows Post-Exploitation

Attack Type | HTB Machine | Attack Used | Walkthrough
--- | --- | --- | ---
LSASS Dump via rundll32 | ATOM | rundll32 memory dump of LSASS | IppSec
LSASS Dump via pypykatz | BLACKFIELD | pypykatz credential extraction from dump | IppSec
SAM / SYSTEM dump | BASTION | secretsdump against SAM and SYSTEM hives | IppSec
LAPS password extraction | STREAMIO | Identifying and extracting LAPS password | IppSec
LAPS password extraction | PIVOTAPI | Discovering user who can add groups to LAPS | IppSec
UAC Bypass | ARKHAM | UAC bypass via deserialization | IppSec
SeImpersonate Privilege | SCRAMBLED | Abusing SeImpersonate for privesc | IppSec
Token Impersonation — Incognito | HACKBACK | Incognito to grab impersonation token | IppSec

11. Kiosk Breakouts

This is one of the most niche sections in PEN-300 — breaking out of restricted environments like ATM interfaces or locked-down kiosk desktops. No dedicated HTB machines cover this well. Focus on the course material and practice with:

  • Sticky Keys / Utilman bypass techniques
  • Task Manager / Explorer shell replacement
  • Constrained desktop breakout via file dialogs

12. Windows Credentials

(See Windows Post-Exploitation above — sections overlap significantly)

Attack Type | HTB Machine | Attack Used | Walkthrough
--- | --- | --- | ---
AD object permissions | REEL | GenericWrite, WriteOwner, WriteDACL explained | IppSec
GenericAll abuse | SUPPORT | Abusing GenericAll object permission | IppSec

13. Windows Lateral Movement

Attack Type | HTB Machine | Attack Used | Walkthrough
--- | --- | --- | ---
PsExec / SMB lateral movement | FLIGHT | SMB relay and lateral movement via PsExec | IppSec
WinRM lateral movement | OUTDATED | WinRM for lateral movement post-exploit | IppSec
Pass-the-Hash | MULTIMASTER | PTH for lateral movement in AD | IppSec
Pass-the-Ticket | SCRAMBLED | Kerberos ticket abuse for lateral movement | IppSec
DCOM lateral movement | HATHOR | DCOM abuse in hardened environment | IppSec

14. Linux Lateral Movement

Attack Type | HTB Machine | Attack Used | Walkthrough
--- | --- | --- | ---
DevOps — Ansible playbook abuse | SEAL | Ansible playbook for privilege escalation | IppSec
DevOps — Ansible enumeration | INJECT | Ansible enumeration and privesc | IppSec
Kerberos on Linux — keytab theft | TENTACLE | Configuring attacker Kerberos, stealing keytab | IppSec
Kerberos on Linux — SSSD | CERBERUS | SSSD config review, domain password extraction | IppSec
Kerberos on Linux — sssd.ldb dump | SEKHMET | Dumping sssd.ldb, kinit for Kerberos ticket | IppSec

15. Microsoft SQL Server

Attack Type | HTB Machine | Attack Used | Walkthrough
--- | --- | --- | ---
MSSQL authentication in AD | ESCAPE | mssqlclient.py login, MSSQL enumeration | IppSec
xp_cmdshell RCE | SCRAMBLED | Enabling xp_cmdshell for reverse shell | IppSec
xp_dirtree hash capture | STREAMIO | xp_dirtree to steal MSSQL service hash | IppSec
MSSQL linked servers | QUERIER | MSSQL linked server lateral movement | IppSec

16. Active Directory Exploitation

Attack Type | HTB Machine | Attack Used | Walkthrough
--- | --- | --- | ---
AD object permissions | REEL | GenericWrite, WriteOwner, WriteDACL | IppSec
GenericAll abuse | SUPPORT | GenericAll → RBCD for domain access | IppSec
GenericAll + WriteDACL | MULTIMASTER | Chained AD permission abuse | IppSec
GenericWrite + WriteDACL | REEL | Taking ownership, changing user password | IppSec
Kerberos Delegation — Unconstrained | PIVOTAPI | Unconstrained delegation with SQL user, Rubeus tgtdeleg | IppSec
Kerberos Delegation — Unconstrained | INTELLIGENCE | Unconstrained delegation exploitation | IppSec
RBCD | SUPPORT | Resource-based constrained delegation | IppSec
AS-REP Roasting | FOREST | AS-REP roast → hash crack → DA | IppSec
Kerberoasting | ACTIVE | SPN enumeration → TGS crack → DA | IppSec
DCSync | BLACKFIELD | DCSync for domain credential extraction | IppSec
Bloodhound AD enumeration | ESCAPE | BloodHound attack path analysis | IppSec

TJNull OSEP List

Community-maintained OSEP preparation list by TJNull, with 0xdf writeups linked where available.

OSEP-Like

Machine | 0xdf Writeup
--- | ---
Haze | writeup
EscapeTwo | writeup
Escape | writeup
Absolute | writeup
Flight | writeup
Sekhmet | writeup
Support | writeup
Outdated | writeup
Hathor | writeup
Scrambled | writeup
StreamIO | writeup
Timelapse | writeup
Forge | writeup
Seal | writeup
APT | writeup
Multimaster | writeup
Magic | writeup
Monteverde | writeup
Forest | writeup
Querier | writeup

OSEP-Harder

Machine | 0xdf Writeup
--- | ---
Scepter | writeup
Absolute | writeup
Search | writeup
Anubis | writeup
PivotAPI | writeup
Monteverde | writeup
Sizzle | writeup

Further Resources