Metrics

  • I took the OSCP on October 15th, 2025, and passed with 80/100 points on my first try.
  • I studied sparingly for 6 months and very intensely for 4.
  • It took me about 9 hours to get a passing score of 70.

Disclaimers

I took the OSCP using my company’s money and therefore got the expensive training.

Prior Knowledge

I’ve been working as an application security engineer for a few years and have also participated in a handful of CTFs, but I do not believe these experiences contributed greatly to my passing score. The OSCP is entirely network penetration testing, which I had very little experience in before beginning to study.

If you’re starting from absolute 0 (like you don’t work with computers at all) you may want to consider taking Sec+ first to get a basic idea of ports, protocols, and how the network stack works.

Phase 1: Gathering Knowledge

I highly recommend taking the paid OSCP training. It is structured, understandable, and created by the people who will test you, so it enforces good habits early on. If you can afford it, or can get your company to pay for it, do so.

The OSCP training has ~27 modules at the time of writing. Almost every one of them is important. I took notes on every module, and still wished I had taken more and organized them better. I recommend taking notes on the purpose and requirements of every single command.

For example, if the module uses this command: nmap -p22 $IP --script ssh-auth-methods --script-args="ssh.user=$USER", I would take note of:

  • every argument (--script, -p, what are they, what do they add, how to use)
  • when I could use this command (what systems, and with what information)
  • why I would use this command (what does this accomplish, what information should I gain)

There are some modules I found less practical than others, but they are all fair game for the exam.

One thing to note here: although there are metasploit commands listed throughout the modules, the OSCP exam limits your use of metasploit to ONE machine. That means you cannot use it to tunnel, and if you rely too heavily on it you’ll miss other machines. I tried to use metasploit as little as possible when studying. There are other ways to find exploit scripts, and it’s better to learn how to edit them and pass arguments correctly anyway. I would only use metasploit as a last resort on the exam.

If you can’t afford the training, take a look at TJNull’s list here and start from the top. I’ll be referencing this guide in the next section anyway; it’s a great resource.

Key Points

  • I’d say a good general timeframe for obtaining a knowledge base is ~3 months (7-hour days) to 7 months (3-hour days)
  • Take excellent, robust notes that are easily searchable, focusing on commands
  • Do the practice problems within the modules
  • Join the OSCP discord. It’s okay to look at hints, but only do so when you’re banging your head against the keyboard. And be sure to take note of why you needed the hint - this indicates something is missing from your notes.

Phase 2: Using the Knowledge

Once I finished the modules, I started with the Challenge Labs. I did labs 0-2 and 4-6, completely skipping the “stretch goal” and harder labs. This is because my primary goal was to pass the exam within the timeframe I had committed to.

I finished the Challenge Labs about a month before my exam. This left me a lot of time for the Proving Grounds Labs - other labs that Offsec provides access to as part of the paid training I purchased. At this point, I’d recommend just doing as many labs as possible to fill in your notes! Every machine you complete can teach you something new. I followed a list on this excel sheet (the Proving Grounds Practice section on row 47) and got through about 30 of them before the exam.

If you didn’t purchase the full training, you can still go through some of the labs in that list or purchase lab access separately for a much more reasonable price. There are also a lot of OSCP-like machines on HackTheBox and TryHackMe, as seen on the excel sheet and in TJNull’s list. Ideally, you’d have more than a month to go through all of these; I felt a bit rushed at this point.

Key Points

  • I’d recommend giving yourself at least 1 - 2 months of daily practice. I tried to complete 2-4 labs every day (after the Challenge Labs)
  • Refine your testing process. You should be using and refining your notes for every lab. This is your cheatsheet and your playbook!
  • Try not to use metasploit

Phase 3: Pre-Exam Preparation

About 2 weeks before the exam, I began paying more attention to my setup. I checked their operating system requirements for proctoring and scheduled several test sessions to ensure their proctoring software worked on my machine. I read all their guidelines; they want screenshots and flags to be submitted in a very particular way. And I created a Google Doc (I do not recommend LibreOffice - mine froze when I added too many screenshots) following their recommended report template.

I ensured my playbook/cheatsheet/notes were ready for the exam and could be easily accessed. At this point you should already have a dedicated playbook that you’ve been using for all your labs. It should be familiar and rich with commands and suggestions. I host my notebook in this repo if you want an idea of what I’m talking about, but you should definitely create your own.

On the day-of, you’re going to want every little thing accounted for and out of the way. Make sure you’re ready so you don’t waste any time with setup once the clock starts!

Key Points

  • Treat your labs as the actual test. Take notes and use your cheatsheet as you would on test day.
  • Ensure your environment is ready according to their guidelines

Phase 4: Exam Day

Schedule your exam early if you’re like me and can’t sleep the night before important events. I probably got 2 hours of sleep and barely choked down breakfast at 7am, and still had to wait until 10am to start.

At 10am I got the login email, logged into the proctor portal, followed their instructions, and started at 10:15am. By 3:50pm, I only had 10 points. And by 7:30pm, I had 70. It’s okay to get stuck and then come back. I waited to do the AD set after I had tried all the standalones, but the order doesn’t really matter.

  • Take a deep breath and rely on your notes
  • Enumerate, enumerate, enumerate
  • You’re not allowed to record your screen, so give yourself time to check your screenshots and flags during the exam

Final Recommendations

There is a lot of amazing advice on r/OSCP; check out the top posts on there.

My favorite tools:

  • Ligolo-ng
  • Winpeas/linpeas
  • Bloodhound

Looking back, I genuinely enjoyed the process and feel infinitely more capable than when I started [1]. If you’re planning on taking the test soon, I wish you the best of luck!!


  1. But there was a strange sense of loss when it was over; after all the adrenaline passed, I wondered ‘where do I go from here’?