OSCP Preparation

From Zero to OSCP

Nine modules. Thirteen machines. Every technique that shows up on the exam. Work through them in order — each module builds on the last.

Exam Strategy

Four principles that separate passing attempts from failing ones.

1 — Enumerate First, Always

The single biggest cause of OSCP failures is running exploits before finishing enumeration. Run full nmap TCP + UDP, then service-specific scripts before touching Metasploit or exploit-db. Every machine in this path is broken by information you can find with standard tools — no zero-days required.

nmap -sC -sV -p- -T4 -oA full_tcp TARGET
nmap -sU --top-ports 200 -oA top_udp TARGET

2 — Keep a Playbook

Build a personal cheat-sheet as you go through these labs. Write down every command that worked, every privesc vector you found, and every service quirk. On exam day you will not have time to think — you need to execute. The best playbook is the one you wrote yourself while rooting real machines.

# Suggested structure
notes/
  enum/  recon outputs per target
  privesc/  local enum, sudo, SUID, cron
  shells/  working reverse shell one-liners
  flags/  user.txt + root.txt per machine

3 — Master PrivEsc Patterns

Getting a foothold is the easy half. Escalating to root is where most candidates get stuck. Learn to run LinPEAS and read the output critically. The five most common vectors on OSCP: sudo misconfiguration, writable cron jobs, SUID binaries, world-writable service scripts, and weak file permissions on config files.

sudo -l                          # always first
find / -perm -4000 -type f 2>/dev/null   # SUID binaries
cat /etc/crontab && ls /etc/cron*        # cron jobs
ls -la /etc/passwd /etc/shadow /etc/sudoers
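
The writable-cron-job vector above, seen from the admin side: an added example (not part of the course material) that reads an /etc/crontab-style file and reports root jobs whose script, or the directory holding it, is group- or world-writable. The function names and the sample crontab are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: flag root cron entries whose script (or its directory) can
# be modified by non-owners. Assumes the /etc/crontab layout:
#   min hour dom mon dow user command [args]

# True if group- or world-writable, judged from the ls -ld mode string.
is_loosely_writable() {
    local mode
    mode=$(ls -ld -- "$1" 2>/dev/null | cut -c1-10)
    case "$mode" in
        l*|d????????[tT]) return 1 ;;       # skip symlinks and sticky dirs
        ?????w*|????????w*) return 0 ;;     # group-write or other-write set
    esac
    return 1
}

audit_crontab() {
    local min hour dom mon dow user cmd rest dir
    while read -r min hour dom mon dow user cmd rest; do
        case "$min" in ''|\#*|*=*) continue ;; esac   # blank, comment, VAR=val
        case "$cmd" in /*) ;; *) continue ;; esac      # absolute paths only
        [ "$user" = root ] || continue
        dir=$(dirname -- "$cmd")
        if is_loosely_writable "$cmd"; then echo "WRITABLE_FILE $cmd"; fi
        if is_loosely_writable "$dir"; then echo "WRITABLE_DIR $dir"; fi
    done < "$1"
}

# Constructed sample: one safe job, one world-writable job, one non-root job.
run_constructed_sample() {
    local t
    t=$(mktemp -d) || return 1
    mkdir "$t/jobs"
    printf '#!/bin/sh\n' > "$t/jobs/backup.sh"; chmod 755 "$t/jobs/backup.sh"
    printf '#!/bin/sh\n' > "$t/jobs/rotate.sh"; chmod 777 "$t/jobs/rotate.sh"
    chmod 755 "$t/jobs"
    {
        echo 'SHELL=/bin/sh'
        echo '# m h dom mon dow user command'
        echo "0 2 * * * root $t/jobs/backup.sh --full"
        echo "*/5 * * * * root $t/jobs/rotate.sh"
        echo "0 3 * * * www-data $t/jobs/rotate.sh"
    } > "$t/crontab"
    audit_crontab "$t/crontab" | sed "s|$t|TMP|g"
    rm -rf "$t"
}

run_constructed_sample
```

Each finding is fixed by making the script and its directory owned by root with mode 755 or tighter.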

4 — AD + BOF Are Mandatory

The OSCP exam always includes at least one Active Directory set and (historically) a buffer overflow machine. Module 8 (Active Directory) and Module 9 (Buffer Overflow) are the two modules most candidates skip, and the reason they fail. Allocate 40% of your study time to these two modules alone.

# BOF drill goal: under 25 minutes start-to-shell
# AD drill goal: enumerate → foothold → DA in one session
# Both must be muscle memory before exam day

The Nine Modules

Complete them in order. Each module has paced assignments — finish all assignments before moving on.

Module 1 · 🔍

Recon & Enumeration

Every engagement starts with protocol-aware reconnaissance. These labs force you to extract live data from DNS and SNMP before touching an exploit.

PEN-200 Module 5 — Information Gathering
  • Zone transfers & DNS brute-forcing (dig, dnsenum, fierce)
  • SNMP community string enumeration (snmpwalk, onesixtyone)
  • Service fingerprinting with nmap -sV / --script
  • Building an accurate target asset inventory

Module 2 · 📡

Cleartext Protocol Exploitation

Telnet and TFTP represent the bottom of the authentication security ladder. These labs teach credential capture, anonymous file retrieval, and pivoting from weak services.

PEN-200 Module 9 — Attacking Network Services
  • Telnet credential brute-force and session hijacking
  • TFTP directory traversal and unauthenticated file retrieval
  • Hydra / Medusa against TCP auth services
  • Service-to-shell chains with shared credential reuse

Module 3 · 📂

File Share Exploitation

Misconfigured rsync modules and anonymous SMB shares remain common in real enterprise targets. Learn to extract secrets from both.

PEN-200 Module 9 & 12 — Network Services / Windows Exploitation
  • Rsync anonymous module enumeration and download
  • SMB null session enumeration (smbclient, enum4linux)
  • FTP anonymous access and writable directory abuse
  • Credential extraction from synced configuration files

Module 4 · ✉️

Email Service Attacks

SMTP VRFY/EXPN leaks usernames that feed password sprays. Understanding mail service footprinting is a consistent OSCP exam theme.

PEN-200 Module 9 — Attacking Network Services
  • SMTP user enumeration via VRFY, EXPN, RCPT TO
  • Open relay detection and abuse
  • Banner grabbing for version-based CVE lookup
  • Building user lists for downstream password spray campaigns

Module 5 · 🌐

Web Exploitation — Foundations

Command injection via PHP applications is the most common initial foothold on OSCP. This lab isolates the pattern, from parameter discovery to reverse shell.

Module 6 · 💉

Web Exploitation — Advanced

Chain SQLi → command injection → file upload in a realistic portal application. Mirrors the multi-stage web machines that appear in OSCP exam sets.

Module 7 · 🗄️

Database & Directory Services

MySQL, LDAP, and Redis each store credentials and configuration data. These labs teach extraction, lateral movement via credential reuse, and privesc via service trust.

Module 8 · 🏢

Active Directory

The CorpNet pair simulates a small Windows domain: DC plus workstation. Enumerate AD objects, escalate via Kerberoasting or AS-REP roasting, then move laterally.

Training Schedule

Pace your study, not just your machine unlocks. Finish the assignments for each module before moving forward.

Free Plan — 10-Week Pace

With 3 labs/day, spread your work across 10 weeks. One module per week, with the extra weeks reserved for AD and BOF.

Week 1:  Module 1 — Recon (dns-lab, snmp-lab)
Week 2:  Module 2 — Cleartext (telnet-lab, tftp-lab)
Week 3:  Module 3 — File Shares (rsync-lab, smb-ftp-lab)
Week 4:  Module 4 — Email (smtp-lab)
Week 5:  Module 5 — Web Basics (http-lab)
Week 6:  Module 7 — Databases (mysql-lab, ldap-lab)
Week 7:  Module 7 — Redis + review
Week 8:  Module 8 — AD workstation (corp-ws)
Week 9:  Module 8 — AD domain (corp-dc)
Week 10: Review all, redo two hardest boxes

Premium Sprint — 3-Week Blitz

Unlimited access means you can go fast. Three weeks is enough to complete the entire path if you commit 2–3 hours per day.

Days 1-3:   Modules 1-3 (all file/protocol labs)
Days 4-5:   Modules 4-5 (SMTP + HTTP)
Days 6-7:   Module 6 — Injectrix (web chain)
Days 8-10:  Module 7 — all three DB labs
Days 11-14: Module 8 — full AD set
Days 15-17: Module 9 — BOF (repeat 3x min)
Days 18-21: Full replay of hardest 5 machines

OSCP Report Standard

Your exam report must be professional-grade. For each machine, document:

## Machine: TARGET_NAME (TARGET_IP)
### Enumeration
- nmap output (full TCP + relevant UDP)
- Service versions identified

### Exploitation
- Vulnerability identified: CVE / technique name
- Proof-of-concept command / payload
- Screenshot: whoami output at foothold

### Privilege Escalation
- Vector: sudo / SUID / cron / writable script
- Exact commands used
- Screenshot: id showing root + cat root.txt

Write your notes in this format as you go — don't try to reconstruct from memory after the exam.

Timed Practice Rules

Once you've rooted all machines once, run timed sessions to simulate exam pressure.

Session rules:
- 3h30m per machine (exam budget)
- No walkthroughs — use only your own notes
- Must complete: foothold + user flag + root flag
- Must write the report section during the session

BOF drill goal:    under 20 minutes start-to-root
Web chain goal:    under 45 minutes
AD set goal:       under 2 hours both machines

If you miss the target time:
→ identify the exact sticking point
→ drill that single technique tomorrow
→ re-run the full machine next week