Introduction and starting point

This post documents my experience passing the OSEP (OffSec Experienced Penetration Tester) exam using Mythic C2 as my main command-and-control framework.

The goal is not to provide a step-by-step walkthrough of the exam, but to explain how I prepared, why I chose Mythic, and how I structured my tooling and mindset to survive the exam.

For some context, it took me around 13 hours to complete 100% of the exam, including both ways to obtain the secret. I then spent almost the same amount of time redoing everything cleanly while writing the report. This should already tell you how important organization and documentation are for OSEP, and how I'm not the best at taking notes.

Mythic C2 plays a central role in this post because it allowed me to standardize my approach, automate repetitive tasks, and keep control over multiple compromised systems during the exam. It did not magically solve problems for me, but it provided a reliable framework that let me focus on decision-making instead of rebuilding tooling under pressure.

If you are looking for an introduction to Mythic itself and how to install it, I already covered that in a previous post: https://r4ulcl.com/posts/getting-started-with-mythic-c2/

Screenshot: Mythic sessions during the exam (Mythic-sessions-OSEP-exam).

Image: my OSEP certificate (OSEP-cert-r4ulcl).

OSEP exam overview

OSEP is very different from OSCP. While OSCP focuses heavily on enumeration and exploitation basics, OSEP expects you to operate more like a red team operator exploiting misconfigurations related to Active Directory.

You are not expected to break cutting-edge EDRs, but you are expected to bypass common defenses such as:

  • Windows Defender
  • AMSI
  • Constrained Language Mode
  • Application whitelisting

Passing the exam does not require full compromise of every system. What matters is obtaining the required flags, either by compromising the specified number of machines or by successfully retrieving the designated secret, and documenting your process clearly and correctly. This means you must understand why a bypass works, not just copy-paste commands. This is where a C2 framework starts to make a lot of sense.

OSEP preparation

My two main pieces of advice are simple and equally important.

First, do not skip the theory. You do not need to memorize everything, but you must read and understand all objectives before starting the lab. I lost several hours because I initially skipped parts of the theory and later had to come back to concepts I should already have known. The theory mentions multiple tools, configurations, and security controls that you are very likely to encounter later in the labs and exam. Some of them are uncommon, and you may not have seen them before. Understanding them early saves a significant amount of time.

Second, redo the challenges, especially the later ones. Repetition matters, especially if you are new to Mythic C2.

Why Mythic over other C2 frameworks

These recommendations can be applied to almost any C2 framework. There is nothing inherently special about Mythic for OSEP. However, most of my tooling and scripts are oriented around Mythic, which is why it is the focus of this post.

First, Mythic is extremely flexible. It allows you to:

  • Generate multiple payload formats through a clean API
  • Load a large set of commands automatically without manually importing binaries
  • Extend functionality when needed
  • Recover all sessions if you disconnect from the lab and reconnect later

In a timed exam environment, Mythic helps you standardize your workflow. Instead of reinventing payloads for every target, you can focus on decision-making and execution. That said, Mythic can also be overkill. For very simple scenarios, manual exploitation or lightweight tooling can be faster. Mythic does not magically solve evasion for you, and you still need to understand what you are doing. For most of the exam, impacket would be more than enough.

Mythic in OSEP

OSEP expects you to bypass common security controls such as Windows Defender, AMSI, Constrained Language Mode, and application whitelisting. This is not an advanced evasion course, but if you are coming from OSCP, it is a solid introduction to operating in more restricted environments.

Below, I list the main OSEP sections required to complete the labs and the exam, along with how I used Mythic in each case.

  • Process Injection: For this section, to load the Mythic agent into memory, I used a modified version of "Shellcode Process Injector.ps1" by chvancooten. It is included as dropperx32.ps1.

  • Antivirus Evasion: If the target machine has antivirus installed, the Mythic payload will be flagged and deleted. To bypass this, the best approach is to use an AMSI bypass combined with process injection to load Mythic from an HTTP server. If this is not possible, the second best option is to use a modified version of NetLoader that bypasses Defender.

  • AMSI Bypass: For basic evasion, I used an AMSI bypass updated to work on more recent Windows versions, split into am.txt and am2.txt.

  • Bypassing AppLocker: To bypass AppLocker and antivirus at the same time, the repository includes the source code and the enc.txt binary of a modified version of NetLoader that uses the .NET uninstall functionality to bypass AppLocker.

  • Windows Credentials, SAM and LSASS: To dump credentials while running as SYSTEM, the best option is to use Mimikatz. If Mimikatz does not work, a faster alternative is to dump the SAM, SYSTEM, and SECURITY hives from the registry and use impacket-secretsdump. If additional access or information is needed after dumping the SAM, it is also possible to use secretsdump directly with local administrator credentials.

  • Proxy and Tunneling: When using Mythic, the best option is to use the Proxy functionality provided by Apollo. However, if SSH dynamic tunneling is an option, I recommend using it instead, as it is much more stable in the labs.

  • MSSQL: You can use PowerShell tools such as PowerUpSQL, but in most cases I recommend using impacket-mssqlclient.

  • BloodHound: To dump all Active Directory information, there are several options. The best ones are Invoke-BloodHound from SharpHound.ps1 or bloodhound-python executed from your own Linux terminal (remember to properly configure DNS settings).

For other tasks, it is not necessary to overcomplicate things with Mythic, as they can be done more simply. This is especially true for phishing, where I used the following repositories.

Note: All commands can be found in the cheat sheet.

While practicing in the lab, I started writing small scripts and adapting existing code to automate repetitive tasks. Over time, this evolved into a complete workflow that I am now publishing:

The main README contains my full cheat sheet with commands ready to copy and paste, as well as explanations on how to use the supporting scripts.

Script to auto-generate everything

One of the biggest time savers for me was automation. Instead of manually configuring payloads every time, I created a script that:

  • Connects to the Mythic API
  • Generates payloads automatically
  • Replaces IPs and ports in multiple scripts
  • Prepares auxiliary scripts for delivery

How to use the scripts

The core script is generate.sh. The idea is simple: create an empty working directory, execute the script, and get everything ready for lab or exam usage.

  • scripts/
    • mythicConfig/
      • apollo.bin.json: Configuration for generating Apollo shellcode, loading all commands by default
      • apollo.exe.json: Same configuration but for an executable payload
      • poseidon.bin.json: Linux payload configuration
      • generatePayloads.py: Python script that connects to the Mythic API and generates payloads using the JSON templates
      • requirements.txt: Python dependencies
    • auxConfig/
      • am.txt: First stage AMSI bypass PowerShell script
      • am2.txt: Second stage AMSI bypass that loads the dropper
      • dropperx32.ps1: In-memory shellcode loader for apollo-osep.bin
      • ping.hta: Simple HTA used for connectivity testing
      • reverse.hta: HTA-based PowerShell reverse shell
      • loadShell.sh: Script that replaces IPs and ports across all auxiliary files
    • utils/: Additional utilities served over HTTP
    • generate.sh: Main orchestration script
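As an added illustration of the job loadShell.sh is described as doing (this is my own example, not the repository's script), a Bash function that validates the listener host and port and rewrites placeholder tokens across a directory's text files. The token names LHOST_PLACEHOLDER and LPORT_PLACEHOLDER are constructed for this example; the repository's own files may use different markers.

```shell
#!/usr/bin/env bash
# Added example, not the Mythic-CheatSheet loadShell.sh. Rewrites constructed
# LHOST_PLACEHOLDER / LPORT_PLACEHOLDER tokens in every text file under a
# directory, after checking that the host and port are well-formed.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
  local ip=$1 octet
  local -a octets
  [[ $ip =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] || return 1
  IFS=. read -r -a octets <<< "$ip"
  for octet in "${octets[@]}"; do
    # 10# forces decimal so a leading zero is not read as octal.
    (( 10#$octet <= 255 )) || return 1
  done
}

# Return 0 if $1 is a TCP port in 1..65535.
valid_port() {
  [[ $1 =~ ^[0-9]{1,5}$ ]] && (( 10#$1 >= 1 && 10#$1 <= 65535 ))
}

# load_shell DIR HOST PORT: substitute the tokens in place and print how many
# files changed. grep -I skips binary files so they are never rewritten, and a
# bad host or port aborts before anything is touched (exit status 2).
load_shell() {
  local dir=$1 host=$2 port=$3 f changed=0
  valid_ipv4 "$host" || { echo "invalid host: $host" >&2; return 2; }
  valid_port "$port" || { echo "invalid port: $port" >&2; return 2; }
  while IFS= read -r -d '' f; do
    grep -Iq 'L\(HOST\|PORT\)_PLACEHOLDER' "$f" || continue
    sed -i "s/LHOST_PLACEHOLDER/$host/g; s/LPORT_PLACEHOLDER/$port/g" "$f"
    changed=$((changed + 1))
  done < <(find "$dir" -type f -print0)
  echo "$changed"
}
```

Files without a token are left untouched, so the function can be re-run safely after a listener change.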

Repository: Mythic-CheatSheet

When not to use Mythic

Mythic is not always the right tool. If you already have code execution and only need a quick privilege escalation, credential dump, or file read, spinning up a full C2 infrastructure can slow you down. In many cases, impacket is faster and more than sufficient.

Time management for a 48-hour exam

  • OSEP is a marathon. Take breaks. Sleep. Eat properly. Fatigue will cause mistakes, and mistakes cost hours.
  • Document everything as you go. Reproducing steps after 20 hours of work is painful and unnecessary if you take notes early.
  • If you get stuck, stop and change direction. You only need the required flags, not a perfect compromise of the entire environment.
  • Mental endurance matters. Stay organized and always be clear about what you are working on.

Other tips and tricks

  • Take breaks regularly. A short walk every hour helps more than you think.
  • There are usually multiple paths. If one approach fails, try another.
  • Passing the exam is about collecting the required flags. Full domain dominance is not required.
  • Redo every lab challenge at least twice, especially the later ones.
  • Do not be afraid to use Discord. The lab is for learning. The exam is the challenge.

References

These resources were extremely helpful during preparation and the exam:

Repository: Mythic-CheatSheet