From Zero to OSCP
Nine modules. Thirteen machines. Every technique that shows up on the exam. Work through them in order; each module builds on the last.
Exam Strategy
Four principles that separate passing attempts from failing ones.
1. Enumerate First, Always
The single biggest cause of OSCP failures is running exploits before finishing enumeration. Run full nmap TCP + UDP, then service-specific scripts before touching Metasploit or exploit-db. Every machine in this path is broken by information you can find with standard tools; no zero-days required.
nmap -sC -sV -p- -T4 -oA full_tcp TARGET
nmap -sU --top-ports 200 -oA top_udp TARGET
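To turn the `-oA` output of these scans into the asset inventory the Recon module asks for, here is an added example (not part of the course material): it parses nmap's XML into per-host open services and flags the cleartext services the later modules cover. The XML it parses is constructed sample data shaped like nmap's output, not a real scan.

```python
"""Parse the XML written by `nmap -oA` into a per-host inventory of open services.
Added example, not part of the course page. SAMPLE_XML is constructed sample
data shaped like nmap's output, not a real scan result."""
import xml.etree.ElementTree as ET

# Cleartext / weakly authenticated services the later modules cover; record
# their presence first (and, defensively, plan to remove or firewall them).
CLEARTEXT = {"ftp", "telnet", "tftp", "smtp", "snmp", "rsync", "netbios-ssn", "microsoft-ds"}

SAMPLE_XML = """<nmaprun scanner="nmap">
 <host><status state="up"/><address addr="10.10.10.5" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="vsftpd" version="3.0.3"/></port>
  <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.2p1"/></port>
  <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
  <port protocol="tcp" portid="80"><state state="filtered"/><service name="http"/></port>
 </ports></host>
 <host><status state="up"/><address addr="10.10.10.6" addrtype="ipv4"/><ports>
  <port protocol="udp" portid="161"><state state="open"/><service name="snmp"/></port>
 </ports></host>
</nmaprun>"""

def parse_inventory(xml_text):
    """Return {ip: [(proto, port, service, banner)]}, keeping only open ports."""
    inventory = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        entries = []
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are noise in an inventory
            svc = port.find("service")
            name = svc.get("name", "unknown") if svc is not None else "unknown"
            banner = " ".join(filter(None, (svc.get("product"), svc.get("version")))) if svc is not None else ""
            entries.append((port.get("protocol"), int(port.get("portid")), name, banner))
        inventory[addr.get("addr")] = entries
    return inventory

def cleartext_exposures(inventory):
    """(ip, proto, port, service) for every open service named in CLEARTEXT."""
    return [(ip, proto, port, name) for ip, ents in inventory.items()
            for proto, port, name, _ in ents if name in CLEARTEXT]

if __name__ == "__main__":
    inv = parse_inventory(SAMPLE_XML)
    print(inv, cleartext_exposures(inv), sep="\n")
```

Point it at the real `full_tcp.xml` / `top_udp.xml` files by reading them in place of `SAMPLE_XML`; the banner column is what you carry into version-based CVE lookups.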
2. Keep a Playbook
Build a personal cheat-sheet as you go through these labs. Write down every command that worked, every privesc vector you found, and every service quirk. On exam day you will not have time to think; you need to execute. The best playbook is the one you wrote yourself while rooting real machines.
# Suggested structure
notes/
  enum/     recon outputs per target
  privesc/  local enum, sudo, SUID, cron
  shells/   working reverse shell one-liners
  flags/    user.txt + root.txt per machine
3. Master PrivEsc Patterns
Getting a foothold is the easy half. Escalating to root is where most candidates get stuck. Learn to run LinPEAS and read the output critically. The five most common vectors on OSCP: sudo misconfiguration, writable cron jobs, SUID binaries, world-writable service scripts, and weak file permissions on config files.
sudo -l # always first
find / -perm -4000 -type f 2>/dev/null # SUID binaries
cat /etc/crontab && ls /etc/cron* # cron jobs
ls -la /etc/passwd /etc/shadow /etc/sudoers
4. AD + BOF Are Mandatory
The OSCP exam always includes at least one Active Directory set and (historically) a buffer overflow machine. Module 8 (Active Directory) and Module 9 (Buffer Overflow) are the two modules most candidates skip, and the reason they fail. Allocate 40% of your study time to these two modules alone.
# BOF drill goal: under 25 minutes start-to-shell
# AD drill goal: enumerate -> foothold -> DA in one session
# Both must be muscle memory before exam day
The Nine Modules
Complete them in order. Each module has paced assignments; finish all assignments before moving on.
Recon & Enumeration
Every engagement starts with protocol-aware reconnaissance. These labs force you to extract live data from DNS and SNMP before touching an exploit.
PEN-200 Module 5: Information Gathering
- Zone transfers & DNS brute-forcing (dig, dnsenum, fierce)
- SNMP community string enumeration (snmpwalk, onesixtyone)
- Service fingerprinting with nmap -sV / --script
- Building an accurate target asset inventory
Hands-on assignments for this module are available to Premium members.
Cleartext Protocol Exploitation
Telnet and TFTP represent the bottom of the authentication security ladder. These labs teach credential capture, anonymous file retrieval, and pivoting from weak services.
PEN-200 Module 9: Attacking Network Services
- Telnet credential brute-force and session hijacking
- TFTP directory traversal and unauthenticated file retrieval
- Hydra / Medusa against TCP auth services
- Service-to-shell chains with shared credential reuse
File Share Exploitation
Misconfigured rsync modules and anonymous SMB shares remain common in real enterprise targets. Learn to extract secrets from both.
PEN-200 Modules 9 & 12: Network Services / Windows Exploitation
- Rsync anonymous module enumeration and download
- SMB null session enumeration (smbclient, enum4linux)
- FTP anonymous access and writable directory abuse
- Credential extraction from synced configuration files
Email Service Attacks
SMTP VRFY/EXPN leaks usernames that feed password sprays. Understanding mail service footprinting is a consistent OSCP exam theme.
PEN-200 Module 9: Attacking Network Services
- SMTP user enumeration via VRFY, EXPN, RCPT TO
- Open relay detection and abuse
- Banner grabbing for version-based CVE lookup
- Building user lists for downstream password spray campaigns
Web Exploitation: Foundations
Command injection via PHP applications is the most common initial foothold on OSCP. This lab isolates the pattern, from parameter discovery to reverse shell.
Unlock this module free after a 24-hour wait, or get instant access with Premium.
Web Exploitation: Advanced
Chain SQLi -> command injection -> file upload in a realistic portal application. Mirrors the multi-stage web machines that appear in OSCP exam sets.
Database & Directory Services
MySQL, LDAP, and Redis each store credentials and configuration data. These labs teach extraction, lateral movement via credential reuse, and privesc via service trust.
Active Directory
The CorpNet pair simulates a small Windows domain: DC plus workstation. Enumerate AD objects, escalate via Kerberoasting or AS-REP roasting, then move laterally.
Linux Privilege Escalation: Project Meridian
Five machines inside SolarGate Energy's network. Each teaches a distinct Linux privesc technique: SUID binaries, cron job hijacking, sudo vim, sudo awk, and Linux capabilities. Work through them in order; difficulty climbs from Easy to Hard.