OCSP Study Guide by Ray Heffer (K1LLSSF434)

Posted on 04 Feb 2023 by Ray Heffer

Note: Once the exam is finished, you will have a further 24 hours to upload your documentation.


Pass: 70/100 points to pass the exam

60 points: BOF (Buffer Overflow), 1 Easy, 1 Hard

  • 3 independent targets
  • 2-step targets (low and high privileges)
  • Buffer Overflow may (or may not) be included as a low-privilege attack vector
  • 20 points per machine
    • 10 points for low-privilege
    • 10 points for privilege escalation

40 points: Active Directory Set

  • 2 clients
  • 1 domain controller
  • Points are awarded only for the full exploit chain of the domain
  • No partial points will be awarded

Study Resources

Thanks to TJ Null, for this awesome list of Hack The Box an Proving Grounds OSCP like machines to practice with. The first link below for his blog outlines OSCP boxes for both Proving Grounds and HTB, plus there is an updated HTB list by Rana Khalil, so thanks also to Rana!

Getting Started

Here is the order that I’d recommend based on other people experiences with the OSCP exam. Start with TryHackMe, especially if you are new to this. TryHackMe will be a much easier point of entry for beginners. Then, when you are more comfortable with Kali Linux and have the basics down, move on to the rest on this list.

  1. TryHackMe Premium Membership for $72/year (first year)
  2. Udemy courses (see below) and / or PEN-200 course included with the exam options in step 4.
  3. Get HTB VIP $203/year: https://app.hackthebox.com/vip
    1. and/or Proving Grounds Practice $199/year: https://www.offensive-security.com/labs/individual/
  4. Exam options
    1. Get the PEN-200 course and certification bundle $1599/year which includes the exam and 90 days PG Practice access.
    2. Get Learn One $2499/year which includes the exam and 1 year PG Practice access.

Udemy OSCP Courses

Create a new Udemy account for each course to get the discounts, otherwise if you use an existing account you’ll end up paying full price.

Blogs & Articles

Exam Tips

  1. You MUST own the Active Directory part, this gives you 40 points since no partial points are awarded here. This is a GOOD thing! Know how to do this, and the rest will be easier.
  2. Learn pivoting
  3. Do all TryHackMe rooms for Active Directory
  4. Do the THM rooms by Tib3rius
    1. Buffer Overflow
    2. Windows Privilege Escalation (part of Windows Privilege Escalation for OSCP & Beyond!)
    3. Linux Privilege Escalation (part of Linux Privilege Escalation for OSCP & Beyond!)
  5. Learn how to compile C programs (gcc), which many exploits will require.
    1. Compiling and Running C++ Applications Separately
  6. Make awesome notes, and post write-ups. If you can’t explain it simply, then you are winging it. I use Obsidian, since I write in Markdown and like how it simply creates directories and files, not some proprietary nonsense.

Exam Restrictions

You cannot use any of the following on the exam:

  • Spoofing (IP, ARP, DNS, NBNS, etc)
  • Commercial tools or services (Metasploit Pro, Burp Pro, etc.)
  • Automatic exploitation tools (e.g. db_autopwn, browser_autopwn, SQLmap, SQLninja etc.)
  • Mass vulnerability scanners (e.g. Nessus, NeXpose, OpenVAS, Canvas, Core Impact, SAINT, etc.)
  • AI Chatbots (e.g. ChatGPT, YouChat, etc.)
  • Features in other tools that utilize either forbidden or restricted exam limitations