📋 My Starting Point
Going in I had:
- CompTIA Security+ already completed
- About six months of TryHackMe and HackTheBox practice
- Basic Python scripting ability
- Comfortable with Linux command line
- No professional pentesting experience
If you're at a similar level, this plan applies directly. If you're more junior, add two to three months of foundational lab work before starting the PWK course.
🗓️ The Full Timeline: 6 Months
MONTH 1: Foundation gaps and TCM Security
MONTH 2: PWK course material (PEN-200)
MONTH 3: PWK labs, first half
MONTH 4: PWK labs, second half + TJ Null list
MONTH 5: HackTheBox OSCP-like machines + exam prep
MONTH 6: Final review, weak spots, exam attempt
🧱 Month 1: Filling Foundation Gaps
Before starting the official course material I spent a month identifying and fixing weak areas. The honest assessment of where I was:
Strong areas:
- Web application vulnerabilities
- Basic Linux privilege escalation
- Nmap and service enumeration
Weak areas:
- Active Directory attacks (almost no experience)
- Buffer overflows (completely new)
- Windows privilege escalation (surface level)
- Post-exploitation methodology
What I used to fill those gaps:
TCM Security's "Practical Ethical Hacking" course covered Active Directory end-to-end better than anything else I found. Their "Windows Privilege Escalation for Beginners" and "Linux Privilege Escalation for Beginners" courses are focused and practical.
The TCM courses cost about $30 each during sales. For the ROI relative to OSCP prep, they're essential.
📚 Month 2: The PWK Course Material
Offensive Security updated PEN-200 (the course that comes with OSCP) significantly.
The current version covers Active Directory extensively, which the older version didn't. Take this seriously.
How I worked through the material:
- Read each section once for context
- Attempted every exercise before looking at hints
- Took structured notes in Obsidian organized by topic
- Didn't move to the next section until I could explain the current one without notes
The course exercises aren't optional. People who skip them and jump straight to the labs consistently struggle more.
The exercises build the methodology that the labs test.
Note-taking structure that worked:
For each technique covered:
- What is it (one sentence)
- When do you use it
- The exact commands with flags explained
- Common errors and fixes
- How to recognize when it applies
This structure means your notes are searchable during the exam: not to copy commands blindly, but to jog your memory when you know what you need but can't recall the exact syntax.
🖥️ Months 3 and 4: The PWK Labs
The labs are where the real learning happens.
90 days of lab time was my choice. 60 is survivable if you're experienced. More than 90 is rarely necessary if you're focused.
My lab approach:
Target count mattered less than methodology consistency.
I aimed to fully compromise each machine rather than get partial credit and move on.
Understanding why something worked matters as much as that it worked.
For each machine I followed the same process every time:
- Full port scan, then targeted service enumeration
- Research every service version found
- Manual exploitation attempts before automated tools
- Full privilege escalation path documented
- Clean writeup written immediately after, while the process was fresh
The writeup habit is critical.
- After 50 machines your notes become a personal methodology guide that reflects your own thinking patterns.
- That's more useful in an exam than any generic cheatsheet.
When I got stuck:
- The rule I used: 30 minutes of genuine effort, then the hint system if available, then one targeted Google search about the specific service or CVE, never a walkthrough until after I'd compromised the machine or given up completely.
- Getting unstuck yourself builds the skill that the exam tests. Getting the answer from a writeup builds familiarity with that specific machine, which doesn't transfer.
🎯 The TJ Null List
- TJ Null's list of OSCP-like HackTheBox and VulnHub machines is the most referenced OSCP prep resource outside the official course.
- It's a curated list of machines that share characteristics with the exam: realistic services, real CVEs, and privilege escalation paths that mirror what Offensive Security uses.
- Work through the retired HTB machines on this list.
- Since they're retired, they're all available through VIP membership or for free, and writeups are available for after you've attempted them yourself.
- The list is maintained at: github.com/tjnull/OSCP-Stuff
- Focus on the ones marked as medium difficulty.
- The easy ones are warm-up, the hard ones are stretch goals. The mediums are where exam-relevant practice lives.
🏰 Active Directory: The Part That Trips People
The current OSCP exam includes an Active Directory set that's worth a significant portion of the points.
When the exam was updated to include AD content, pass rates dropped noticeably. People who prepped on older material weren't ready.
The AD concepts you must understand mechanically, not just by name:
- Enumeration with BloodHound and manual methods
- Kerberoasting: what it is, when it applies, how to use the hash
- Pass-the-Hash and Pass-the-Ticket
- AS-REP Roasting for accounts without pre-auth required
- DCSync once you have the right privileges
- Common misconfigurations: unconstrained delegation, GenericAll on users or groups, WriteDACL
Resources that built this:
- TCM's Practical Ethical Hacking AD section
- The HackTheBox Pro Labs "Offshore" if you want a realistic multi-machine AD environment
- TryHackMe's Active Directory rooms for guided practice on specific techniques
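Understanding these techniques mechanically also means knowing what they look like from the domain controller's side, which is the check a blue team would run against the same lab. The Python below is an added example written for this post, not code from the original author, TCM, HackTheBox or any of the tools named here. It flags the two log patterns behind Kerberoasting and AS-REP Roasting in the list above: a single source requesting RC4 (0x17) service tickets for several user-account SPNs (Event 4769), and a TGT issued with no pre-authentication and RC4 encryption (Event 4768). The key=value record format and the sample events are constructed for the example; real events arrive as EVTX/XML, though the field names used (TicketEncryptionType, PreAuthType, ServiceName, IpAddress) are the ones Windows puts in those events.

```python
"""
Added example (not from the original post): detect the Kerberoasting and
AS-REP Roasting patterns in constructed Windows Security event records.
The key=value line format is an assumption of this example; production
4768/4769 events are XML/EVTX with the same field names.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample events (not real log data).
# Encryption type 0x17 is RC4-HMAC, 0x12 is AES256.
# 4769 = service ticket (TGS) request: Kerberoasting shows up here.
# 4768 = TGT request: AS-REP Roasting shows up here with PreAuthType=0.
SAMPLE_EVENTS = [
    "EventID=4769 TargetUserName=svc_sql ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=10.0.0.25 Status=0x0",
    "EventID=4769 TargetUserName=svc_web ServiceName=svc_web TicketEncryptionType=0x17 IpAddress=10.0.0.25 Status=0x0",
    "EventID=4769 TargetUserName=svc_backup ServiceName=svc_backup TicketEncryptionType=0x17 IpAddress=10.0.0.25 Status=0x0",
    "EventID=4769 TargetUserName=alice ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=10.0.0.40 Status=0x0",
    "EventID=4769 TargetUserName=bob ServiceName=FILESRV01$ TicketEncryptionType=0x12 IpAddress=10.0.0.41 Status=0x0",
    "EventID=4768 TargetUserName=legacy_app PreAuthType=0 TicketEncryptionType=0x17 IpAddress=10.0.0.25 Status=0x0",
    "EventID=4768 TargetUserName=carol PreAuthType=2 TicketEncryptionType=0x12 IpAddress=10.0.0.42 Status=0x0",
]

RC4 = "0x17"


def parse_event(line: str) -> Dict[str, str]:
    """Turn one constructed key=value line into a dict."""
    return dict(token.split("=", 1) for token in line.split())


def find_kerberoast_sources(events: List[Dict[str, str]], min_spns: int = 2) -> Dict[str, List[str]]:
    """Return {source_ip: [service names]} for IPs that requested RC4 service
    tickets for at least `min_spns` distinct user-account SPNs.

    Machine accounts (names ending in $) and krbtgt are skipped: they produce
    routine RC4 tickets in mixed environments and are not what a roasting
    pass targets, so counting them would only add noise."""
    by_ip: Dict[str, Set[str]] = defaultdict(set)
    for ev in events:
        if ev.get("EventID") != "4769" or ev.get("TicketEncryptionType") != RC4:
            continue
        svc = ev.get("ServiceName", "")
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        by_ip[ev["IpAddress"]].add(svc)
    return {ip: sorted(svcs) for ip, svcs in by_ip.items() if len(svcs) >= min_spns}


def find_asrep_roastable(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (account, source_ip) for TGTs issued with no pre-authentication
    (PreAuthType 0) and RC4 encryption, the exact combination AS-REP Roasting
    relies on. In practice this means the account has
    'Do not require Kerberos preauthentication' set and should be reviewed."""
    hits = []
    for ev in events:
        if (ev.get("EventID") == "4768"
                and ev.get("PreAuthType") == "0"
                and ev.get("TicketEncryptionType") == RC4):
            hits.append((ev["TargetUserName"], ev["IpAddress"]))
    return hits


def analyse(lines: List[str]) -> Dict[str, object]:
    """Parse raw lines and run both detections over them."""
    events = [parse_event(line) for line in lines]
    return {
        "kerberoast": find_kerberoast_sources(events),
        "asrep": find_asrep_roastable(events),
    }


if __name__ == "__main__":
    print(analyse(SAMPLE_EVENTS))
```

On the sample data the RC4 service-ticket burst from 10.0.0.25 and the pre-auth-less RC4 TGT for legacy_app are the two findings; alice's krbtgt ticket and bob's machine-account ticket are ignored. The `min_spns` threshold is the knob to tune: one RC4 ticket for one SPN is common in environments that still run older software, several distinct SPNs from one host in a short window is not.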
# The enumeration flow I used on every AD machine:
# First: get the lay of the land
crackmapexec smb target_ip
# Enumerate with credentials once you have them
crackmapexec smb target_ip -u user -p password --shares
crackmapexec smb target_ip -u user -p password --users
# BloodHound collection
bloodhound-python -u user -p password -d domain.local -ns target_ip -c all
# Kerberoasting
impacket-GetUserSPNs domain.local/user:password -dc-ip target_ip -request
💥 Buffer Overflows: Don't Fear Them
- Buffer overflows were removed from the OSCP exam in the 2022 update, but understanding them still comes up in the labs and in real work.
- If you're on the current syllabus, this is lower priority than AD.
- If you're not sure which version you're on, check the current PEN-200 objectives.
- For the labs you'll still encounter services with overflow vulnerabilities.
- The TCM Security "Buffer Overflow Prep" room on TryHackMe and the dedicated TCM course cover the methodology clearly.
📝 Month 5: Exam Simulation
The final month before the exam I shifted from learning to simulating.
What exam simulation looked like:
- Full 24-hour practice sessions on sets of machines I hadn't touched.
- No breaks longer than I'd take in a real exam.
- Taking notes in exactly the format I'd use for the exam report.
- Practicing the report writing itself, not just the hacking.
- The report is worth a significant portion of the exam.
- People fail not because they couldn't compromise machines but because their documentation was insufficient.
- Offensive Security needs to be able to reproduce your findings from your report alone.
My report template sections:
- Executive summary (brief, non-technical)
- Methodology overview
- For each machine: service enumeration, vulnerability identified, exploitation steps with commands and screenshots, post-exploitation, flags
- Appendix: raw tool output
🧠 The Exam: What Actually Happened
The 24-hour exam has changed format several times. Check the current Offensive Security documentation for the exact current structure before your attempt.
What I can speak to is the mental game:
First four hours: Methodical enumeration on every machine. Don't chase rabbit holes. Note everything, exploit nothing until you have a full picture.
Hours four through twelve: Work the most promising paths. Take breaks. Eat. Hydration matters more than you think at hour 18.
Hours twelve through twenty: If you're stuck, rotate. A fresh look at a machine after two hours on a different one regularly surfaces things you missed.
Final four hours: Document everything, even the paths that didn't work. Start the report before the exam ends if you can.
I compromised enough machines to pass with about four hours remaining and spent that time on report quality.
💡 What I'd Do Differently
- One thing only: I'd start the AD-focused prep earlier.
- I underestimated how different AD exploitation feels from standalone machine exploitation.
- The mindset shift from "compromise this box" to "move through this network" takes time to internalize.
- Everything else in the plan I'd repeat.
🏁 The Honest Assessment
- OSCP is hard enough to be meaningful and approachable enough that consistent preparation gets you there.
- It's not a test of raw talent. It's a test of methodology, persistence, and whether you've put in enough hours on real machines to have internalized a process.
- The people who fail on the first attempt usually have one of two problems: they didn't do enough machines before the exam, or they panicked and abandoned their methodology when something didn't work immediately.
- Both are fixable. The methodology is learnable. The hours are just hours.
- Six months of consistent work got me through. It'll get you through too. 🔐