OSCP Exam Preparation Guide

A comprehensive guide to help you prepare for the OSCP certification, including structured learning paths, recommended practice boxes, and essential exam tips.

OSCP Exam Overview

Official Reference Links

Official OSCP Exam Guide - Complete exam rules and requirements
PEN-200 Course Details - Official course information
OSCP Certification Details - Certification requirements and benefits
OSCP Exam FAQ - Common questions and answers

Important Update: Starting November 1, 2024, successful candidates will receive the OSCP+ certification, which expires after 3 years, representing a commitment to continuing education in cybersecurity.

Current Exam Structure (2025)

3 Stand-alone Machines (60 points total)
- 20 points per machine
- 10 points for initial access
- 10 points for privilege escalation
1 Active Directory Set (40 points total)
- Contains 3 machines
- Provided with initial credentials (simulated breach)
- Machine #1: 10 points
- Machine #2: 10 points
- Machine #3: 20 points
Exam Duration: 24 hours
Report Submission: 24 hours after exam completion
Exam Environment: Proctored online exam with VPN access

Passing Scenarios (70/100 to Pass)

40 points AD + 3 local.txt flags (70 points)
40 points AD + 2 local.txt flags + 1 proof.txt flag (70 points)
20 points AD + 3 local.txt flags + 2 proof.txt flag (70 points)
10 points AD + 3 fully completed stand-alone machines (70 points)

Note: The exam now includes more modern attack vectors and focuses heavily on Active Directory exploitation. Buffer overflow machine is no longer guaranteed in every exam.

Point Allocation Rules

Machines are graded in the order documented in your report
Partial points awarded for independent targets based on access level
Each machine has specific objectives for full points
Minimum 70 points required to pass
Maximum possible score: 100 points
Specific objectives and point values available in exam control panel
Buffer overflow machine is no longer guaranteed in every exam
AD set is now a mandatory component of the exam

Certification Value:

OSCP/OSCP+ is considered more technical than other penetration testing certifications
One of few certifications requiring practical demonstration of skills
Highly valued by employers for practical penetration testing abilities
Opens doors to roles in penetration testing, security consulting, and vulnerability research

TryHackMe Rooms

Learning Paths

Essential Practice Rooms

Windows:
- Blue - EternalBlue exploitation
- Steel Mountain - Windows exploitation
- Alfred - Windows privesc
- Relevant - Windows enumeration
- Internal - AD exploitation
- Throwback - Active Directory
- Wreath - Advanced Windows
- Attacktive Directory - AD basics
Linux:
- Vulnversity - Web app basics
- Basic Pentesting - Enumeration
- Linux PrivEsc - Privilege escalation
- Mr Robot - Web exploitation
- Overpass - Web and Linux
- Linux 2 - Advanced Linux
- Linux PrivEsc 101 - Privilege escalation
- OverlayFS - Kernel exploitation

HackTheBox Machines

Windows Machines

Easy:
- Legacy - MS17-010
- Blue - EternalBlue
- Devel - FTP/IIS
- Granny - WebDAV
- Grandpa - WebDAV
- Optimum - HFS exploitation
- Access - Windows file analysis
- Netmon - PRTG Network Monitor
- Bastion - Windows backup
- Nest - Windows configuration
- Sauna - Active Directory
- Remote - Windows remote services
- Buff - Gym management software
- ServMon - NVMS-1000
Medium:
- Bastard - Drupal exploitation
- Jeeves - Jenkins exploitation
- Arctic - Cold Fusion
- Jerry - Tomcat manager
- Silo - Oracle database
- Conceal - IKE/IPSec
- Forest - Active Directory
- Sauna - Active Directory
- Cascade - AD enumeration
- Monteverde - Azure AD
- Bart - Web application
- Sniper - PHP web app
- Control - Windows services

Linux Machines

Easy:
- Lame - Samba
- Bashed - Web shell
- Nibbles - Web app
- Shocker - Shellshock
- Beep - Multiple vectors
- Valentine - Heartbleed
- Help - HelpDesk
- Curling - Web enumeration
- Irked - IRC service
- FriendZone - DNS zone transfer
- LaCasaDePapel - VSFTPD
- Safe - Buffer overflow
- Traceback - Web shell
- Admirer - Web enumeration
Medium:
- Poison - FreeBSD
- Sunday - Solaris
- Node - Node.js
- Teacher - Moodle
- Tartarsauce - WordPress
- Vault - Port forwarding
- WriteUp - CMS Made Simple
- Mango - MongoDB NoSQL
- Bitlab - GitLab
- Book - SQL injection
- DevOops - XXE
- Hawk - Drupal
- October - PHP

Vulnhub Machines

Beginner Friendly:
- Kioptrix Series (1-4) - Essential OSCP-like boxes
- Brainpan 1 - Buffer overflow practice
- Vulnix - Linux enumeration
- SickOs - Web exploitation
- Mr-Robot 1 - Web application
- FristiLeaks 1.3 - Web exploitation
- Stapler 1 - Multiple vectors
- pWnOS 2.0 - Web application
- Lin.Security - Linux security
- Temple of Doom - Web and system
- PwnLab: init - Web exploitation
Intermediate:
- HackLab: Vulnix - Linux privesc
- Lord of the Root - Web and kernel
- Tr0ll - Enumeration practice
- PwnLab - Web exploitation
- SkyTower 1 - Web application
- /dev/random: scream - Boot2Root
- Tr0ll 2 - Advanced enumeration
- NullByte - Web and crypto
- Bob 1.0.1 - Web application
- Breach 3.0.1 - Multiple vectors
- OZ - Web and system
- Election 1 - Web application
Advanced:
- Wintermute - Advanced exploitation
- Tr0ll 3 - Complex enumeration
- Node 1 - Node.js exploitation
- Homeless 1 - Multiple vectors
- Seattle v0.3 - Web application
- Ted 1 - Advanced privesc
- Raven 2 - LAMP stack
- Potato - Web exploitation
- Secure Code 1 - Code review
- Pipe - Advanced Linux
- Pinky's Palace v1 - Advanced exploitation
- Metasploitable 3 - Vulnerable Windows/Linux

Proving Grounds Practice

Access all machines at: Proving Grounds Practice Portal

Windows Machines:
- Nickel - Windows enumeration, SMB service
- Hutch - Active Directory, LDAP exploitation
- Vault - Windows privesc, service exploitation
- MedJed - Web application, IIS exploitation
- Heist - Windows privesc, service misconfiguration
- Billyboss - Windows, web application
- DVR4 - Windows, command injection
- Helpdesk - Windows, service exploitation
- Craft - Windows, web application
- Algernon - Windows, service misconfiguration
Linux Machines:
- Potato - File upload vulnerabilities, web exploitation
- Sorcerer - Web exploitation, PHP vulnerabilities
- Peppo - PHP exploitation, web application
- Wombo - Linux privesc, service exploitation
- Fail - Web and database exploitation
- ClamAV - Linux, service exploitation
- Dibble - Web application, PHP
- Zino - Web exploitation, command injection
- Pelican - Linux privesc, web application
- Exfiltrated - Web application, data exfiltration
- Hawat - Linux, service enumeration
- Banzai - Web exploitation, PHP

Note: Proving Grounds Practice requires a subscription. Individual machine URLs are only accessible after logging in to the platform.

Practice Tips

Start with easier machines and progressively increase difficulty
Document your methodology for each machine
Try to solve machines without walkthroughs first
Focus on understanding the techniques rather than just getting root
Practice writing professional reports for each machine
Time yourself to improve speed and efficiency

Active Directory Practice Labs

TryHackMe AD Labs:
- Attacktive Directory - Basic AD attacks
- Post Exploitation Basics - AD post-exploitation
- Breaching AD - Initial access techniques
- Lateral Movement - AD lateral movement
- Enterprise - Complete AD environment
HackTheBox AD Labs:
- Forest - AS-REP Roasting, DCSync
- Sauna - Kerberoasting, BloodHound
- Cascade - AD object manipulation
- Monteverde - Azure AD integration
- BlackField - Advanced AD exploitation
- Intelligence - GPP abuse, Kerberos
Proving Grounds AD Labs:
- Hutch - LDAP exploitation, credential abuse
- Heist - Service account exploitation
- Vector - Domain controller attacks
- Vault - AD certificate services
- APT - Advanced persistent threat simulation
Key AD Attack Scenarios to Practice:
- NTLM Relay Attacks
- Kerberoasting
- AS-REP Roasting
- Password Spraying
- DCSync Attack
- Golden/Silver Ticket Attacks
- Resource-Based Constrained Delegation
- GPP/cPassword Attacks

Tip: Focus on understanding the relationships between AD objects and attack paths using BloodHound. Document your methodology for each attack vector.

Before the Exam

Get proper rest - aim for 8 hours of sleep
Prepare your workspace and test your setup
Have backup internet connection ready
Organize your notes and tools
Practice with your documentation template

During the Exam

Start with the buffer overflow machine
Take regular screenshots and notes
Set a timer for each machine (max 3 hours)
Take breaks every 3-4 hours
Stay hydrated and eat properly
If stuck, move to another machine

Time Management

First 2 hours: Recon on all machines
Next 4-6 hours: Buffer overflow machine
Remaining time: Other machines
Last 4 hours: Review and cleanup

Documentation Tips

Document as you go
Use clear, concise screenshots
Include command outputs
Note failed attempts
Use a report template

Learning Platforms

TryHackMe
HackTheBox
VulnHub
PortSwigger Web Security Academy

Essential Tools

Reconnaissance:
- AutoRecon - Automated enumeration
- RustScan - Fast port scanning
- Feroxbuster - Content discovery
- Gobuster/ffuf - Directory bruteforce
- Enum4linux-ng - SMB enumeration
Active Directory:
- BloodHound - AD visualization
- Kerbrute - Kerberos enumeration
- Impacket Suite - AD exploitation
- PowerView/SharpHound - AD enumeration
- Rubeus - Kerberos exploitation
Web Application:
- Burp Suite - Web proxy
- SQLmap - SQL injection
- Nikto - Web vulnerability scanner
- WPScan - WordPress scanning
Privilege Escalation:
- LinPEAS/WinPEAS - Enumeration scripts
- PEASS-ng Suite - Updated privesc tools
- PowerUp - Windows privesc
- Linux Smart Enumeration - Linux privesc
Post Exploitation:
- Mimikatz - Credential dumping
- Evil-WinRM - Windows Remote Management
- CrackMapExec - Network scanning
- Metasploit (Limited use in exam)

Active Directory Attack Paths

Initial Access:
- LLMNR/NBT-NS Poisoning
- Password Spraying
- Kerberoasting
- AS-REP Roasting
Lateral Movement:
- Pass-the-Hash
- Token Impersonation
- DCSync Attack
- Golden/Silver Tickets
Persistence:
- DPAPI Abuse
- ACL Modifications
- Group Policy Abuse