Exam Strategy Reference
Exam Format (2025/2026)
| Component | Points | Details |
|---|---|---|
| AD Set | 40 pts | 3 machines — assumed breach (you get domain creds) |
| Standalone 1 | 20 pts | Independent (10 initial + 10 root/admin) |
| Standalone 2 | 20 pts | Independent (10 initial + 10 root/admin) |
| Standalone 3 | 20 pts | Independent (10 initial + 10 root/admin) |
| TOTAL | 100 pts | 70 pts to pass |
Since Nov 2024: Bonus points are GONE. AD set has partial credit (10 pts per workstation, 20 pts for DC).
Passing Combos
- AD full (40) + 1 standalone full (20) + 1 standalone initial (10) = 70 → PASS
- AD partial (30) + 2 standalone full (40) = 70 → PASS
- AD full (40) + 2 standalone full (40) = 80 → comfortable
Time Management — 23 Hours 45 Minutes
| Block | Time | Focus |
|---|---|---|
| Hours 0–1 | 1 hr | Scan ALL machines. Let scans run. Read results. Plan. |
| Hours 1–5 | 4 hrs | AD Set — priority. 40 points. |
| Hours 5–9 | 4 hrs | Standalone 1 — pick easiest from recon |
| Hours 9–13 | 4 hrs | Standalone 2 |
| Hours 13–16 | 3 hrs | Standalone 3 or revisit stuck machines |
| Hours 16–20 | 4 hrs | Revisit anything incomplete. Fresh eyes. |
| Hours 20–24 | 3–4 hrs | Clean up screenshots, verify flags, start report notes |
Rules to Live By on Exam Day
- Stuck 45 minutes → PIVOT. Move to another machine. Come back with fresh eyes.
- Screenshot EVERYTHING. Every shell, every command, every flag. You need proof.
- Take breaks. Walk, eat, hydrate. 10-minute break can save 2 hours of tunnel vision.
- AD first. 40 points, chain is usually logical once you find the entry.
- Don’t rabbit-hole on kernel exploits. Rarely the intended path.
- Every credential → spray everywhere immediately.
Tool Restrictions — Know These Cold
BANNED (Instant Fail)
- SQLmap, SQLninja, db_autopwn, browser_autopwn — no automated SQLi
- Nessus, OpenVAS, Nexpose — no vulnerability scanners
- Metasploit Pro, Cobalt Strike, Core Impact, Burp Pro — no commercial tools
- All AI/LLMs — ChatGPT, Claude, Copilot, DeepSeek, even OffSec’s KAI
- Spoofing/Poisoning — ARP, DNS, NBNS, LLMNR, mDNS all banned
- Responder poisoning = banned. Responder
-A(analyze/passive) = allowed
- Responder poisoning = banned. Responder
RESTRICTED — Metasploit
- Exploit/auxiliary/post modules + Meterpreter on ONE machine only. Choose carefully.
msfvenom,multi/handler,pattern_create/offset→ unlimited on all targets- Cannot use
checkcommand on other targets either. - Once you use a module on a target, that’s your one.
ALLOWED
- Nmap + NSE scripts, Nikto, Burp Community, Gobuster, Feroxbuster
- BloodHound, Mimikatz, Impacket suite, NetExec, Rubeus, evil-winrm, PowerView
- LinPEAS/WinPEAS, pspy, Ligolo-ng, Chisel, GodPotato, PrintSpoofer
- Custom scripts in any language
- Open book: personal notes, internet, OffSec portal
When You’re Stuck (General)
- Reread your scan output. Did you miss a port? A version? A hostname?
- Re-run directory brute force with a different wordlist or more extensions
- View page source again — comments, hidden fields, JS files
- Try default credentials on every service you found
- Re-enumerate with found credentials — password reuse across services
- Check UDP ports — SNMP (161) hides critical data
- Google the service + version — exploit, default creds, known issues
- Chain findings — one piece of info might unlock another
- Take a 10-minute break. Walk away. Seriously.
Proof / Screenshot Requirements
# Linux — all four in ONE terminal screenshot
whoami && hostname && ip a && cat /root/proof.txt
# Windows — all four in ONE terminal screenshot
whoami && hostname && ipconfig && type C:\Users\Administrator\Desktop\proof.txt
Screenshot must show: flag content + whoami + hostname + ip a/ipconfig in same window.
Pre-Exam Setup Checklist
- VPN connected and tested
- Kali updated, all tools working
- Obsidian open with this cheatsheet
- Screenshot tool ready (Flameshot)
- Reverse shell one-liners saved and ready
- HTTP server ready:
python3 -m http.server 80 - Wordlists: rockyou.txt, SecLists installed
- LinPEAS, WinPEAS, pspy64, PowerUp, GodPotato, PrintSpoofer, nc.exe downloaded
- Ligolo-ng proxy + agents (Linux/Windows) ready
- Terminal logging:
script -a exam_log.txt - Food and water at your desk
- Slept well the night before
- Remember: SQLmap = BANNED, AI/LLM = BANNED, Metasploit = ONE target
Report Reminder
- 24 hours after exam ends to submit report
- Use official OSCP report template
- Document every step with screenshots
- Include failed attempts — shows methodology
- No report = No pass, even with 100 points
Distractor Recognition
Some hashes, credentials, and services on the exam are deliberate rabbit holes. Learn to spot them fast so you don’t burn hours.
Rabbit Hole Signals
1. Uncrackable hash
- Kerberoast hash that has been running against rockyou + rules for 30+ min with nothing
- AS-REP hash with bizarrely complex password patterns
- Bcrypt/Argon2 on web apps Action: move on. If intended, the lab would want you to crack it in under 10 min.
If a Kerberoast hash resists rockyou+rules for 30+ minutes, stop and try AS-REP roasting instead — some are intentionally uncrackable to nudge you toward another technique.
2. Found credentials that do not authenticate anywhere
- Username in a script/config but user does not exist in AD (nxc LDAP query returns nothing, BloodHound shows no node)
- Credential file that looks real but every target rejects it
- No username variation (john.miller, jmiller, j.m) authenticated anywhere
3. Service/port that looks exploitable but is intended to be noisy
- Default web pages on IPs that do not have real paths
- Services with generic banners that lead nowhere when enumerated
Time Budget Rules
- 30 min max on any single hash crack attempt
- 15 min max on any single credential spray before moving on
- If you have been on a box for 2 hours with no new info, revisit enumeration from scratch
- If you are stuck for 4+ hours, revert and restart that machine
Validation Before Burning Hours
Before committing to an attack path, confirm:
- Does this user exist in AD? (nxc ldap + BloodHound)
- Is this hash a type that rockyou typically cracks?
- Does this service actually respond to the exploit precondition?
If any answer is no or unknown, 5 minutes of validation saves 3 hours of rabbit hole.
Exam Application
The OSCP exam rewards methodical enumeration over aggressive exploitation. If a credential or hash feels wrong, it probably is. Move on, and come back with more context.