OSEP Guide: Multi-Network Pivoting with Web, SQL, and Internal Systems
The OffSec OSEP (Offensive Security Experienced Penetration Tester) labs are built around one core idea: you’re never attacking just one machine. Instead, you’re navigating segmented networks, limited visibility, and chained access.
In this scenario, systems like web07, web09, file02, client01, client02, sql02, sql03, jump01, and mgr01 are spread across different subnets. At first, it feels scattered—but there’s a clear structure underneath.
Environment Overview
External / Semi-Exposed Systems
- 192.168.61.210 (web07)
- 192.168.61.234 (web09)
These are typically your entry points. Web servers often:
- Handle user input
- Connect to backend systems
- Store credentials in configs
Internal Network (172.16.61.0/24)
- 172.16.61.224 (file02) → File server
- 172.16.61.37 (client01) → User endpoint
- 172.16.61.32 (client02) → Another workstation
- 172.16.61.212 (sql02) → Database server
- 172.16.61.67 (sql03) → Secondary DB
- 172.16.61.72 (jump01) → Pivot system
- 172.16.61.80 (mgr01) → Likely management / high-value host
This layout clearly indicates:
➡️ Network segmentation + pivot dependency
Initial Access: web07 & web09
Start with:
- web07
- web09
These systems often expose:
- Web vulnerabilities
- Config files with credentials
- Connections to SQL servers
What matters here:
➡️ Not just access—but what you can extract
Look for:
- Database credentials
- Internal IP references
- Service account usage
Moving Inside: From Web to Internal Network
Once you gain access to a web server:
➡️ The goal shifts to internal access
Typical paths:
- Use extracted credentials
- Pivot into client01 / client02
- Access backend systems like sql02
This is where OSEP becomes different from simpler labs.
You’re no longer exploiting—you’re navigating.
SQL Systems: sql02 & sql03
- 172.16.61.212 (sql02)
- 172.16.61.67 (sql03)
SQL servers are key pivot points.
They often:
- Store credentials
- Allow command execution
- Connect to multiple systems
If accessed, check for:
- Execution capabilities
- Linked servers
- Stored credentials
➡️ SQL = internal movement accelerator
File Server: file02
- 172.16.61.224 (file02)
File servers are often underestimated.
But they can contain:
- Scripts
- Backups
- Credentials
Look for:
- Shared drives
- Configuration files
- Password reuse
➡️ Sometimes the easiest escalation path starts here.
Workstations: client01 & client02
- 172.16.61.37 (client01)
- 172.16.61.32 (client02)
These systems help with:
- Credential harvesting
- Session hijacking
- Lateral movement
Focus on:
- Logged-in users
- Token reuse
- Credential artifacts
jump01: The Pivot Hub
- 172.16.61.72 (jump01)
This system is critical.
It likely:
- Connects multiple segments
- Has access to restricted systems
- Acts as a gateway
➡️ Without jump01, movement may stop
mgr01: High-Value Target
- 172.16.61.80 (mgr01)
This is typically:
- Management system
- Admin-level access point
Reaching this usually means:
➡️ You’ve chained everything correctly
Example Attack Flow
- Initial access on web07 / web09
- Extract credentials from configs
- Pivot into client01 / client02
- Access sql02 / sql03
- Execute commands / dump credentials
- Enumerate file02
- Pivot via jump01
- Reach mgr01
Common Mistakes
- Staying too long on web servers
- Ignoring file shares
- Not leveraging SQL properly
- Missing pivot points like jump01
Final Insight
The OSEP lab scenario teaches one key skill:
➡️ Pivoting is more important than exploitation
Systems like web07, sql02, file02, jump01, and mgr01 are not separate targets—they’re steps in a chain.
If one step fails, the whole path breaks.
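The same chain seen from the defender's side, as an added example that is not part of the original guide: the hosts are modeled as a reachability graph, and the code finds which single host, once isolated, cuts every route from the web servers to mgr01. The edges are assumptions built from the Example Attack Flow list, not measured lab connectivity.

```python
from collections import deque

# Constructed reachability model: edges are assumptions derived from the
# page's "Example Attack Flow", not measured lab connectivity.
ENTRY_POINTS = ["web07", "web09"]
TARGET = "mgr01"
REACH = {
    "web07": ["client01", "client02", "sql02"],
    "web09": ["client01", "client02", "sql03"],
    "client01": ["sql02", "sql03", "file02"],
    "client02": ["sql02", "sql03", "file02"],
    "sql02": ["sql03", "file02", "jump01"],
    "sql03": ["sql02", "jump01"],
    "file02": ["jump01"],
    "jump01": ["mgr01"],
    "mgr01": [],
}

def shortest_path(graph, sources, target, removed=frozenset()):
    """BFS from all sources; returns the shortest host chain or None."""
    queue = deque([s] for s in sources if s not in removed)
    seen = {p[0] for p in queue}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for nxt in graph.get(path[-1], []):
            if nxt not in seen and nxt not in removed:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

def choke_points(graph, sources, target):
    """Hosts whose isolation alone cuts every route from sources to target."""
    candidates = [h for h in graph if h != target and h not in sources]
    return [h for h in candidates
            if shortest_path(graph, sources, target, frozenset({h})) is None]

if __name__ == "__main__":
    print("shortest chain:", " -> ".join(shortest_path(REACH, ENTRY_POINTS, TARGET)))
    print("choke points:", choke_points(REACH, ENTRY_POINTS, TARGET))
```

In this model only jump01 is a choke point, so it is the host where tight access control and logging break the whole chain; adding any direct route to mgr01 that bypasses jump01 removes that single point of control.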
Vendor: https://www.offsec.com/courses/pen-300/

