Your Path to the OSCP+

I have one year of experience in red teaming operations, backed by a strong foundation in cybersecurity. Recently I passed the Offensive Security Certified Professional (OSCP+) certification after dedicating 4 months to intensive preparation, including hands-on labs through the PEN-200 course and various other practical exercises.

I passed the exam on 12/11/2024 and submitted the report the next day. I’ve decided to share all my knowledge to help others succeed in cracking the OSCP+.

Earning the OSCP+ certificate was a challenging but rewarding experience. Over the course of three months, while managing a full-time job, I dedicated the first 1.5 months to completing the PEN-200 course material. Afterward, I transitioned to practicing HTB machines from the TJ Null list and the Lainkusanagi list, and focused on building a strong foundation in Active Directory by working extensively on AD-focused machines. I then moved on to PG (Proving Grounds Practice), where I completed over 70 machines.

OSCP course summary

The course covers the basics in each module and, depending on your experience level, you might learn something new.

For me, most of the modules covered things I already knew, and I highly recommend following the CPTS path as it covers the OSCP topics in more depth and detail. I’m not suggesting you skip the course material, but you should complete it first and then move on to the challenge labs.

Remember, every challenge you solve is an advantage and you'll learn something new and have the opportunity to add valuable insights to your cheat sheet.

All the challenge labs are excellent for gaining more practice and knowledge, and for additional information you can explore Reddit or Medium blogs. Personally, I completed all of them except Skylark, where I only reached 30% completion; however, I highly encourage you to finish it as it offers valuable learning opportunities.

For more information about OSCP+, you can check the official OffSec website.

The Key Tips

  1. Enumeration is Key: You’ll hear this constantly and I can confirm it; enumeration is absolutely essential. Check everything: uncommon ports, unfamiliar services and every clue you find. Your best friends during this process are Google, HackTricks, IppSec’s website and my cheat sheet xD.

  2. Time Management: I always heard about managing time but didn’t give it much attention until the exam made me realize how crucial it is. It’s like advice from parents: you ignore it until you grow up and understand its importance. Set time limits for different parts of the exam.

    • AD Set: Allocate 3 to 4 hours depending on your experience. If you can’t compromise the domain in that time, move on to another machine.

    • Standalone Machines: Similarly, set time limits for each step (e.g., foothold, privilege escalation). If you’re stuck, switch to another machine. You may have started with the hardest one and feel more stressed; spending too much time on it drains energy and wastes valuable time.

  3. Take Breaks: Taking a break every 2 hours or after getting a foothold helped me reset and think clearly. It’s important to pause, rethink and rebuild your ideas. Don't feel ashamed to ask the proctor for more breaks; just send a message and take one.

  4. Practice, Practice, Practice

    • Focus on Proving Grounds machines (TJ Null List and Lainkusanagi List).

    • Work through PortSwigger Labs to master common attacks like file uploads, LFI, etc.

    • Build familiarity with both standalone and AD style challenges.

  5. Stress Management: Don’t overcomplicate things. Stay calm: even if you spend 8 hours without a foothold on any machine, you can still earn enough points in the remaining time. Manage stress by taking a step back, breathing and revisiting problems with a fresh mindset.

  6. Diversify Your Toolkit: Learn multiple tools for the same task. For example, relying only on linpeas for Linux PrivEsc might cause you to miss something critical. Using a second tool or a manual approach can reveal what one tool might overlook.

  7. Manual Over Automated: Automated tools are helpful but not foolproof. For instance, if you find PuTTY installed on a machine, don’t just rely on tools like LaZagne to retrieve saved passwords. If the tool fails, manually investigate the registry for stored credentials; it could save time and effort.

  8. Learn from IppSec: Watch IppSec’s videos and adopt his methodology. Combine it with your own approach to develop a well-rounded strategy.

  9. When Stuck, Step Back: If you’re stuck, go back to basics.

    • Check HTTP titles, source code, CMS names, vhosts, etc.

    • Look for things you may have missed during the enumeration phase—it’s the cornerstone of OSCP success.

    • If you’ve spent over 3 hours without progress, refer to a writeup to learn what you missed, update your cheatsheet, and move forward.

  10. Don’t Be Hard on Yourself: Missing something simple happens to everyone. Instead of getting discouraged, learn from the experience and move forward. Every mistake helps you improve.

  11. Don't trust automated tools

  12. Prepare your environment

    • Take a snapshot of your Kali VM to safeguard against any crashes.

    • Reboot your machine before exam day to ensure everything is functioning properly and there are no unexpected issues.
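The manual PuTTY check from tip 7, as an added example that is not part of the original post: a PowerShell audit of the current user's saved PuTTY sessions that reports which sessions carry a stored proxy password without printing the secret itself, so it is usable both when a tool like LaZagne comes up empty and when a defender wants to clean stored credentials off a jump host. It assumes PuTTY's standard registry location HKCU:\Software\SimonTatham\PuTTY\Sessions and its standard session value names (HostName, UserName, ProxyHost, ProxyUsername, ProxyPassword); the function name Get-PuttySessionAudit is my own.

```powershell
# Added example (not from the original post): audit PuTTY saved sessions in the
# current user's registry hive for stored proxy credentials.
# Assumptions: sessions live under HKCU:\Software\SimonTatham\PuTTY\Sessions
# (PuTTY's default) and use PuTTY's standard value names listed below.

$base = 'HKCU:\Software\SimonTatham\PuTTY\Sessions'

function Get-PuttySessionAudit {
    if (-not (Test-Path $base)) {
        Write-Output "No PuTTY sessions found under $base"
        return
    }

    Get-ChildItem -Path $base | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath

        # PuTTY percent-encodes session names in the key name (e.g. %20 for a space)
        $name = [uri]::UnescapeDataString($_.PSChildName)

        [pscustomobject]@{
            Session        = $name
            Host           = $props.HostName
            User           = $props.UserName
            ProxyHost      = $props.ProxyHost
            ProxyUser      = $props.ProxyUsername
            # Report only that a secret is stored; never copy the value into a report
            HasProxyPasswd = -not [string]::IsNullOrEmpty($props.ProxyPassword)
        }
    }
}

Get-PuttySessionAudit | Format-Table -AutoSize
```

Run it in a PowerShell session as the user whose sessions you want to inspect (each user's sessions live in their own HKCU hive, so an admin auditing a shared host loads or runs it under each profile). A session flagged HasProxyPasswd is a stored plaintext credential in the registry; the remediation is to clear the proxy password from that session and use an agent or interactive prompt instead.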

By focusing on these strategies, you’ll improve your skills and increase your chances of success. Good luck and remember, it’s all part of the learning journey.

The New AD Set structure

OffSec has updated the AD set in OSCP+ by providing a valid user credential, making it easier compared to the older version.

In the previous version you’d spend more time enumerating web applications and trying to get a foothold, which caused many to fail. The focus wasn’t entirely on testing AD skills, but with the updated version the game has changed and you can concentrate entirely on the AD section.

Recommendations for AD set

  1. Play Active Directory 101 from HackTheBox to build a strong foundation.

  2. Practice AD machines on Proving Grounds using the TJ Null and Lainkusanagi lists to understand OffSec’s AD mindset.

  3. The key to cracking the AD Set lies in being proficient in Windows PrivEsc. Strong AD skills alone won’t be enough; you need to complement them with solid PrivEsc techniques. To improve your PrivEsc:

    1. Tib3rius - Windows Privilege Escalation (Udemy Course): This course is highly recommended for learning practical PrivEsc techniques.

    2. Play more Windows machines on Proving Grounds. If you get stuck during PrivEsc, take the time to crack it, as you won’t have writeups during the exam.

    3. Use two different tools for tunneling and PrivEsc to avoid relying solely on one.

    4. Enroll in the Windows PrivEsc Path on HackTheBox Academy. It’s a great module that covers various PrivEsc techniques and prepares you for the exam scenarios.

  4. BloodHound will be your friend, so practice more on it; it's not that hard. It will give you an overview of what the domain looks like. A trick: if the JSON files don't load when you import them into the BloodHound GUI, skip the computers JSON file and import only the others for a quick view. However, you will then need to re-run the JSON extraction later.

OSCP+ summary

OSCP+ is a challenging certification: not overly hard, but definitely not easy. Even with experience and strong skills, you might fail because the exam demands a deep understanding of OffSec’s mindset. It’s not just about technical skills; it’s about how you approach their machines.

Common questions

Do I really need to use Hack The Box machines while studying for the OSCP with the PEN-200 labs?

I don’t think it is necessary. As I mentioned in the post, I think people are still trapped in the idea that PWK200 is not enough, because that was the case a few years ago, but it is not the case anymore. The exam is a CTF and the style of HTB is very different from OSCP.

Would you say PG boxes and PWK200 are enough to pass this exam?

Absolutely, they are more than sufficient.

I am having a hard time getting the foothold. What can I do?

  • Watch videos from OffSec Siren to understand the methodology.

  • Practice using the LainKusanagi or TJNull lists and work through the boxes.

  • Set a maximum time limit for yourself before checking hints, don’t waste hours struggling aimlessly. If you’re stuck and can’t figure it out, move on and learn from it later.

HTB vs PG

HTB helps you learn faster, with fewer rabbit holes, and the amazing IppSec videos are a great resource. However, PG boxes are more aligned with the exam format, so it’s better to get used to them, and if you get stuck, consider asking for a hint in the OffSec Discord rather than immediately resorting to a walkthrough.

Scope and Exam Difficulty

I felt the exam was very much within the scope of the study materials. Make sure to do all the course labs and challenge labs. For OSCP-A to C, as others have mentioned, play PG for more practice.

How did you practice the independent machines?

Lab challenges and the LainKusanagi and TJNull lists (around 70 PG Practice boxes). I would also read walkthroughs for the boxes that I didn't attempt and add new concepts to my notes.

Practical Advice

  • If you get credentials for a user, fully enumerate that user (check folders, groups, and services).

  • For domain credentials, use tools like CrackMapExec (with its --local-auth and -d flags) or Nmap to perform enumeration.

  • Always try default admin creds like admin:admin on web apps; OffSec often uses simple credentials such as username:username.

  • Start with the most obvious and simple attacks, then increase the complexity as needed.

  • Use at least two tools for the same task (PrintSpooler and GPPotato, Dirbuster and wfuzz with different wordlists, Mimikatz and SecretsDump, etc.).

  • Remember, OSCP doesn’t just test knowledge, it tests your methodology.

  • Watch the IppSec OSCP prep playlist to familiarize yourself with the process.

  • For the AD section, have a ready methodology. Consider all possible scenarios when you approach AD with credentials. Test each scenario methodically and note down the results.

  • Always perform thorough enumeration and fingerprinting after exploiting a target and avoid exploiting immediately.
