OSCP Certification Study Guide: How to Pass on Your First Attempt

The exam allocates points as follows: the Active Directory chain (three machines you must fully compromise as a domain) is worth 40 points combined. Three standalone machines are worth 20 points each (10 for user-level access, 10 for root/system). Bonus points — up to 10 — require submitting documented proof of completing 80% of PWK lab exercises and compromising 30 lab machines before the exam.

The math has critical implications for strategy. If you complete the AD set (40 points) and get full root on two standalones (40 points), you pass with 80 points — without touching the third standalone. With 10 bonus points, you pass by completing the AD set plus getting user on two standalones. Plan your exam time budget around securing the AD set first; it is the single highest-value target and most predictable once you know the methodology.

The PWK lab environment contains over 70 machines across multiple network segments. Most first-time OSCP candidates make the mistake of working through machines randomly or skipping the course material to jump straight into exploitation. Both approaches hurt pass rates.

Recommended sequence: Complete the Buffer Overflow module from the course material first — it is a repeatable, learnable skill that shows up in exams and the methodology translates directly to the exam workflow. Then work through the 'recommended' lab machines (Alpha, Beta, Gamma, and the named machines in the network notes). These are designed to teach pivoting and the multi-hop attack chains that the AD set tests.

For supplementary practice outside PWK, TryHackMe's OSCP preparation path and HackTheBox's 'OSCP-like' machine list (curated by community members like TJNull) are the two most commonly cited resources. Prioritize retired HackTheBox machines with writeups over active machines — being able to verify your approach against a known solution teaches methodology faster than banging against unknown boxes.

The AD set is the most intimidating component for candidates without enterprise Active Directory experience. The good news: the AD attack paths tested on the OSCP are well-defined and repeatable once you internalize the enumeration-to-exploitation cycle.

Core AD techniques you must be comfortable with before exam day: Kerberoasting (identifying service accounts and requesting/cracking TGS tickets), AS-REP Roasting (targeting accounts without pre-authentication), Pass-the-Hash and Pass-the-Ticket lateral movement, DCSync (if you reach Domain Admin), BloodHound for attack path visualization, and basic PowerShell Remoting for lateral movement once you hold credentials.

Tool stack for AD enumeration: BloodHound with SharpHound collector for graph-based attack path analysis, PowerView for manual enumeration, Impacket's GetUserSPNs.py and GetNPUsers.py for Kerberoasting and AS-REP Roasting, CrackMapExec for SMB enumeration and lateral movement, and Rubeus for Kerberos ticket operations. Practice the entire chain — from initial foothold to Domain Admin — on at least five different AD lab environments before exam day.

Buffer overflow exploitation on the OSCP follows a consistent methodology that, once learned, takes 45 minutes to execute reliably. The exam includes at least one machine where this skill applies. Candidates who practice the methodology until it is muscle memory convert this to a reliable 20 points.

The methodology: (1) Fuzz the target application to identify the crash offset using a cyclic pattern. (2) Control EIP by identifying the exact offset. (3) Identify bad characters by sending all byte values and observing which are stripped or modified. (4) Find a JMP ESP gadget in a loaded module with no ASLR/SafeSEH using mona.py in Immunity Debugger. (5) Generate shellcode with msfvenom excluding bad characters. (6) Add a NOP sled and deliver the payload.

Practice this on the VulnServer application (Windows) and the specific PWK buffer overflow exercises. Practice it ten times until you can execute it from memory without notes. On exam day, execute it exactly as practiced — do not improvise.

The most common failure mode is running out of time on the exam because of poor time allocation, not inability to compromise machines. Build a time budget before you connect.

Suggested time budget for a 24-hour exam window: Spend the first 2 hours enumerating all targets simultaneously (Nmap scans running in the background while you review scope). Spend hours 2–6 on the AD set — this is your highest-value target and should be attacked while you are fresh. If you have not made progress on AD by hour 6, pivot to standalones and return to AD later. Allocate 90 minutes per standalone for initial enumeration and exploitation attempts. Take a mandatory 30-minute break at hour 8 — cognitive fatigue is a real factor in a 24-hour exam.

The penetration test report is due 24 hours after your exam window closes. It must include a cover page, executive summary, technical findings for each compromise, step-by-step reproduction steps with screenshots, and remediation recommendations. Use a template — OffSec's provided template or community templates from TCM Security or Noraj's OSCP repo — and fill it in as you go rather than writing from memory after the fact. Screenshots with timestamps are required; take more than you think you need during the exam.

The OSCP is passable by most working security professionals who invest 3 months of deliberate daily practice. The differentiator between first-attempt passes and repeat sitters is almost always exam strategy, not technical skill. Secure the AD set first, know your buffer overflow methodology cold, and use the bonus points system. The exam rewards methodical practitioners over clever improvisers.