I Passed OSCP+ — What Actually Got Me There
I earned OSCP+ on June 18, 2026. No exam spoilers — just the prep, the grind, and what actually worked for a working SOC analyst who not long ago was googling ‘what is an IP address.’
I earned OSCP+ on June 18, 2026. No exam spoilers — just the prep, the grind, and what actually worked for a working SOC analyst who not long ago was googling ‘what is an IP address.’
Assumed breach AD box. WriteOwner abuse on a group, double shadow credentials chain, and ADCS ESC9 certificate abuse to Domain Admin.
Step-by-step methodology for attacking Active Directory — the chain I follow on every AD box.
How I set up and use BloodHound CE for AD enumeration — collection, import, and finding attack paths.
My first AD box ever. Null session on SMB → GPP password in SYSVOL → Kerberoasting the Administrator → Domain Admin.
Hard AD box. AS-REP Roasting → BloodHound → ForceChangePassword → lsass.DMP → SeBackupPrivilege → VSS snapshot → NTDS.dit → Domain Admin.
Second AD box. AS-REP Roasting with no creds, BloodHound attack path through 5 nested groups, ACL abuse to DCSync.
Active Directory box — password spraying → Azure AD Connect credential extraction → Domain Admin.
Quick reference for the Impacket tools I use most — mssqlclient, GetUserSPNs, GetNPUsers, secretsdump, psexec, and more.