How to Pass the OSCP (PEN-200): The Ultimate Hands-On Exam Guide
A battle-tested strategy for passing the OffSec OSCP exam, covering the PEN-200 course, lab preparation, the 24-hour exam format, and the mindset you need to succeed.
OSCP: The Certification That Changes Careers
The OSCP (Offensive Security Certified Professional) is the most respected hands-on penetration testing certification in the industry. Unlike multiple-choice exams, OSCP requires you to actually hack into machines during a 23-hour and 45-minute practical exam. There is no way to pass by memorization alone. You either can hack or you cannot.
The PEN-200 course provides the training; the OSCP exam is the certification. The exam awards up to 100 points — you need 70 to pass. The exam includes standalone machines (20 points each x 3 = 60 points) and an Active Directory set (40 points).
The PEN-200 Course: How to Use It
The PEN-200 course material is extensive. Do not just read it — DO the exercises. Every exercise teaches a technique you will need in the labs and exam.
Priority topics from the course:
1. Buffer overflow / binary exploitation (simplified in recent versions)
2. Web application attacks (SQL injection, file inclusion, command injection, file upload vulnerabilities)
3. Active Directory attacks (Kerberoasting, AS-REP roasting, pass-the-hash, delegation abuse, BloodHound)
4. Linux privilege escalation (SUID, cron jobs, kernel exploits, sudo misconfigurations, capabilities)
5. Windows privilege escalation (unquoted service paths, SeImpersonate, DLL hijacking, AlwaysInstallElevated, PrintNightmare)
6. Client-side attacks
7. Port forwarding and tunneling (SSH tunnels, Chisel, Ligolo-ng)
8. Enumeration methodology (the single most important skill)
The Lab: Your Training Ground
OffSec provides a lab environment with dozens of machines of varying difficulty. Your goal: root as many as possible.
Lab strategy: keep detailed notes on every machine you work through, recording:
1. Port scan results
2. Service enumeration findings
3. Potential attack vectors identified
4. Exploitation attempts (what worked, what did not)
5. Post-exploitation findings
6. Privilege escalation path
Target: Root at least 40 lab machines before attempting the exam. If you can consistently root medium-difficulty machines within 2-3 hours, you are ready.
The Enumeration Methodology
OSCP success is 80% enumeration and 20% exploitation. The candidates who fail are those who skip enumeration and jump to exploitation.
Your enumeration checklist:
Port scanning: Full TCP scan (all 65535 ports), top UDP ports, service version detection, script scanning on discovered ports.
Web enumeration (for every HTTP/HTTPS port): Technology identification (Wappalyzer, WhatWeb). Directory brute-forcing (Gobuster, Feroxbuster) with multiple wordlists. Virtual host discovery. Source code review. Login pages — test default credentials. File upload functionality. Parameter discovery. CMS identification (WordPress, Joomla, Drupal) and specific enumeration.
SMB enumeration: Anonymous access, share listing, user enumeration, known vulnerabilities.
SNMP: Community string testing, information disclosure.
Active Directory: Domain enumeration with BloodHound, user enumeration, SPNs for Kerberoasting, delegation settings, group policy preferences.
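As an added example (not code from the original post), a small Python helper for the first two checklist steps: it parses the grepable output of the full TCP scan, builds the targeted service/script scan for the open ports, and lists the HTTP/HTTPS ports that need web enumeration. The nmap output below is a constructed sample, not a real scan.

```python
"""Turn a full-port nmap sweep (-oG output) into the next enumeration steps."""
import re

# Constructed sample of what `nmap -p- -oG full.gnmap <targets>` might write.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 10.10.10.5 ()\tStatus: Up
Host: 10.10.10.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 445/open/tcp//microsoft-ds///, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (65531)
Host: 10.10.10.6 ()\tStatus: Up
Host: 10.10.10.6 ()\tPorts: 53/open/udp//domain///, 88/open/tcp//kerberos-sec///, 389/open/tcp//ldap///, 5985/open/tcp//wsman///\tIgnored State: closed (65531)
# Nmap done (constructed sample)
"""

def parse_open_ports(gnmap_text, proto="tcp"):
    """Return {host: [(port, service), ...]} for ports nmap reported as open."""
    results = {}
    for line in gnmap_text.splitlines():
        m = re.search(r"^Host:\s+(\S+).*\tPorts:\s+(.*?)(?:\t|$)", line)
        if not m:  # "Status: Up" lines and comments carry no port data
            continue
        host, ports_field = m.group(1), m.group(2)
        for entry in ports_field.split(", "):
            # -oG port entry layout: port/state/proto/owner/service/rpc/version
            fields = entry.split("/")
            if len(fields) < 5:
                continue
            port, state, p, service = fields[0], fields[1], fields[2], fields[4]
            if state == "open" and p == proto:
                results.setdefault(host, []).append((int(port), service))
    for host in results:
        results[host].sort()
    return results

def followup_command(host, ports):
    """Build the version/script scan restricted to the ports found open."""
    port_list = ",".join(str(p) for p, _ in ports)
    return f"nmap -sV -sC -p {port_list} -oA followup_{host} {host}"

def web_targets(results):
    """List every HTTP/HTTPS service so none is skipped during web enumeration."""
    urls = []
    for host, ports in results.items():
        for port, service in ports:
            if service.startswith("http") or port in (80, 443, 8080, 8443):
                scheme = "https" if service == "https" or port in (443, 8443) else "http"
                urls.append(f"{scheme}://{host}:{port}")
    return urls

if __name__ == "__main__":
    open_tcp = parse_open_ports(SAMPLE_GNMAP)
    for host, ports in open_tcp.items():
        print(followup_command(host, ports))
    print(web_targets(open_tcp))
```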
The 24-Hour Exam: Strategy
The exam is intimidating but manageable with the right approach:
First 30 minutes: Read all machine descriptions. Identify which looks easiest. Start full port scans on ALL machines simultaneously.
Hours 1-6: Attack the standalone machines. Start with the one that looks most approachable. Spend no more than 3 hours per standalone machine before moving on.
Hours 6-12: Focus on the Active Directory set. The AD chain follows a logical attack path — initial foothold → domain user → domain admin. BloodHound is your best friend here.
Hours 12-18: Return to any unsolved machines with fresh eyes. Try different approaches, re-enumerate with different wordlists, check for things you missed.
Hours 18-24: Begin writing your report while your access is still active. Take screenshots of EVERY step — proof of exploitation is required.
Critical Exam Tips
Take breaks. Eat proper meals. Set a timer to force yourself to step away every 2-3 hours. Mental fatigue is the real enemy in a 24-hour exam.
If stuck on a machine for more than 2 hours, MOVE ON. Return with fresh eyes later. Many OSCP candidates have failed because they spent 8 hours on one machine.
Screenshot everything. Your report must include proof of exploitation (local.txt and proof.txt flags). Missing screenshots means missing points, even if you rooted the machine.
Do not use Metasploit on more than one machine (exam restriction). Save it for the machine where you need it most.
The Report
You have 24 hours after the exam to submit your report. The report must document:
Use the OffSec report template. Write clearly. A technically correct exploitation with a poorly written report can still fail.
Supplementary Practice
Beyond the PEN-200 labs:
Target at least 3-4 months of active lab practice before attempting the exam.
Prepare your methodology and build enumeration muscle memory with CyberCertPrep's OSCP practice questions. Our questions test the decision-making and methodology knowledge that complements your hands-on practice.
Daniel Agrici
CEH, Security+, PenTest+
Daniel is the founder of CyberCertPrep. With a background in penetration testing and security consulting, he has passed 8 cybersecurity certifications and writes about exam strategies and career development.