Exam Strategy Reference


Exam Format (2025/2026)

ComponentPointsDetails
AD Set40 pts3 machines — assumed breach (you get domain creds)
Standalone 120 ptsIndependent (10 initial + 10 root/admin)
Standalone 220 ptsIndependent (10 initial + 10 root/admin)
Standalone 320 ptsIndependent (10 initial + 10 root/admin)
TOTAL100 pts70 pts to pass

Since Nov 2024: Bonus points are GONE. AD set has partial credit (10 pts per workstation, 20 pts for DC).

Passing Combos

  • AD full (40) + 1 standalone full (20) + 1 standalone initial (10) = 70 → PASS
  • AD partial (30) + 2 standalone full (40) = 70 → PASS
  • AD full (40) + 2 standalone full (40) = 80 → comfortable

Time Management — 23 Hours 45 Minutes

BlockTimeFocus
Hours 0–11 hrScan ALL machines. Let scans run. Read results. Plan.
Hours 1–54 hrsAD Set — priority. 40 points.
Hours 5–94 hrsStandalone 1 — pick easiest from recon
Hours 9–134 hrsStandalone 2
Hours 13–163 hrsStandalone 3 or revisit stuck machines
Hours 16–204 hrsRevisit anything incomplete. Fresh eyes.
Hours 20–243–4 hrsClean up screenshots, verify flags, start report notes

Rules to Live By on Exam Day

  1. Stuck 45 minutes → PIVOT. Move to another machine. Come back with fresh eyes.
  2. Screenshot EVERYTHING. Every shell, every command, every flag. You need proof.
  3. Take breaks. Walk, eat, hydrate. 10-minute break can save 2 hours of tunnel vision.
  4. AD first. 40 points, chain is usually logical once you find the entry.
  5. Don’t rabbit-hole on kernel exploits. Rarely the intended path.
  6. Every credential → spray everywhere immediately.

Tool Restrictions — Know These Cold

BANNED (Instant Fail)

  • SQLmap, SQLninja, db_autopwn, browser_autopwn — no automated SQLi
  • Nessus, OpenVAS, Nexpose — no vulnerability scanners
  • Metasploit Pro, Cobalt Strike, Core Impact, Burp Pro — no commercial tools
  • All AI/LLMs — ChatGPT, Claude, Copilot, DeepSeek, even OffSec’s KAI
  • Spoofing/Poisoning — ARP, DNS, NBNS, LLMNR, mDNS all banned
    • Responder poisoning = banned. Responder -A (analyze/passive) = allowed

RESTRICTED — Metasploit

  • Exploit/auxiliary/post modules + Meterpreter on ONE machine only. Choose carefully.
  • msfvenom, multi/handler, pattern_create/offsetunlimited on all targets
  • Cannot use check command on other targets either.
  • Once you use a module on a target, that’s your one.

ALLOWED

  • Nmap + NSE scripts, Nikto, Burp Community, Gobuster, Feroxbuster
  • BloodHound, Mimikatz, Impacket suite, NetExec, Rubeus, evil-winrm, PowerView
  • LinPEAS/WinPEAS, pspy, Ligolo-ng, Chisel, GodPotato, PrintSpoofer
  • Custom scripts in any language
  • Open book: personal notes, internet, OffSec portal

When You’re Stuck (General)

  1. Reread your scan output. Did you miss a port? A version? A hostname?
  2. Re-run directory brute force with a different wordlist or more extensions
  3. View page source again — comments, hidden fields, JS files
  4. Try default credentials on every service you found
  5. Re-enumerate with found credentials — password reuse across services
  6. Check UDP ports — SNMP (161) hides critical data
  7. Google the service + version — exploit, default creds, known issues
  8. Chain findings — one piece of info might unlock another
  9. Take a 10-minute break. Walk away. Seriously.

Proof / Screenshot Requirements

# Linux — all four in ONE terminal screenshot
whoami && hostname && ip a && cat /root/proof.txt

# Windows — all four in ONE terminal screenshot
whoami && hostname && ipconfig && type C:\Users\Administrator\Desktop\proof.txt

Screenshot must show: flag content + whoami + hostname + ip a/ipconfig in same window.


Pre-Exam Setup Checklist

  • VPN connected and tested
  • Kali updated, all tools working
  • Obsidian open with this cheatsheet
  • Screenshot tool ready (Flameshot)
  • Reverse shell one-liners saved and ready
  • HTTP server ready: python3 -m http.server 80
  • Wordlists: rockyou.txt, SecLists installed
  • LinPEAS, WinPEAS, pspy64, PowerUp, GodPotato, PrintSpoofer, nc.exe downloaded
  • Ligolo-ng proxy + agents (Linux/Windows) ready
  • Terminal logging: script -a exam_log.txt
  • Food and water at your desk
  • Slept well the night before
  • Remember: SQLmap = BANNED, AI/LLM = BANNED, Metasploit = ONE target

Report Reminder

  • 24 hours after exam ends to submit report
  • Use official OSCP report template
  • Document every step with screenshots
  • Include failed attempts — shows methodology
  • No report = No pass, even with 100 points

Distractor Recognition

Some hashes, credentials, and services on the exam are deliberate rabbit holes. Learn to spot them fast so you don’t burn hours.

Rabbit Hole Signals

1. Uncrackable hash

  • Kerberoast hash that has been running against rockyou + rules for 30+ min with nothing
  • AS-REP hash with bizarrely complex password patterns
  • Bcrypt/Argon2 on web apps Action: move on. If intended, the lab would want you to crack it in under 10 min.

If a Kerberoast hash resists rockyou+rules for 30+ minutes, stop and try AS-REP roasting instead — some are intentionally uncrackable to nudge you toward another technique.

2. Found credentials that do not authenticate anywhere

  • Username in a script/config but user does not exist in AD (nxc LDAP query returns nothing, BloodHound shows no node)
  • Credential file that looks real but every target rejects it
  • No username variation (john.miller, jmiller, j.m) authenticated anywhere

3. Service/port that looks exploitable but is intended to be noisy

  • Default web pages on IPs that do not have real paths
  • Services with generic banners that lead nowhere when enumerated

Time Budget Rules

  • 30 min max on any single hash crack attempt
  • 15 min max on any single credential spray before moving on
  • If you have been on a box for 2 hours with no new info, revisit enumeration from scratch
  • If you are stuck for 4+ hours, revert and restart that machine

Validation Before Burning Hours

Before committing to an attack path, confirm:

  • Does this user exist in AD? (nxc ldap + BloodHound)
  • Is this hash a type that rockyou typically cracks?
  • Does this service actually respond to the exploit precondition?

If any answer is no or unknown, 5 minutes of validation saves 3 hours of rabbit hole.

Exam Application

The OSCP exam rewards methodical enumeration over aggressive exploitation. If a credential or hash feels wrong, it probably is. Move on, and come back with more context.