How to study for OSCP with limited lab time: a structured approach

OSCP study guide for working professionals: 5-phase preparation path, TryHackMe to HackTheBox progression, TJNull list, 85% benchmark, and 90 vs 180 day lab access decision.

Eight hours a week. That's what most people working full-time can realistically dedicate to OSCP preparation without burning out or neglecting their families. At that pace, passing OSCP in 12-16 months is achievable — but only with a structured progression that builds skills in the right order. Buying 90 days of PEN-200 lab access when you're still figuring out what a reverse shell is wastes money and demoralizes you. Here's the sequence that works.


The realistic timeline at 8-12 hours per week

Before anything else, set accurate expectations. OSCP is not a weekend certification. The typical candidate who passes on first attempt has:

  • 200-400 hours of total study time before the exam
  • Compromised 40+ machines across various platforms before attempting the exam
  • Active Directory exploitation experience (not just standalone machines)
  • A note-taking and documentation system developed through practice

At 8 hours per week, 200 hours takes 25 weeks (about 6 months). At 12 hours per week, 200 hours takes 17 weeks (about 4 months). But those hours need to be the right hours — not just time spent in a lab looking confused.

| Preparation Phase | Timeline (8 hrs/wk) | Hours Required | Primary Platforms |
|---|---|---|---|
| Phase 1: Foundations | Months 1-3 | 100 hours | TryHackMe |
| Phase 2: Intermediate | Months 4-7 | 150 hours | HackTheBox, TCM courses |
| Phase 3: Pre-OSCP | Months 8-10 | 100 hours | HTB, PEN-200 preview labs |
| Phase 4: PEN-200 Labs | Months 11-16 | 180-250 hours | PEN-200 official labs |
| Phase 5: Exam prep | Final 4-6 weeks | 50 hours | Mock exams, weak area review |

Phase 1: TryHackMe foundations (months 1-3)

TryHackMe is the right starting point for candidates who aren't yet comfortable with Linux, Nmap, or basic web application concepts. The guided paths reduce cognitive load — you're not staring at a blank terminal wondering what to type.

The specific TryHackMe paths that matter for OSCP:

  1. Complete Beginner path — Linux fundamentals, Nmap, Metasploit basics, web fundamentals
  2. Jr Penetration Tester path — Enumeration, web application testing, network exploitation, privilege escalation
  3. Pre-Security path — If your networking fundamentals are weak

TryHackMe's premium subscription costs $14/month and is worth it for the access to all rooms. Free-tier rooms are limited.

By the end of Phase 1, you should be able to:

  • Run a full Nmap port scan and interpret the results
  • Use Gobuster or Feroxbuster to enumerate web directories
  • Execute basic Linux privilege escalation (SUID, cron jobs, sudo misconfigurations)
  • Set up a Netcat listener and catch a reverse shell

If you can't do these things independently at the end of Phase 1, extend Phase 1 before moving on.


Phase 2: HackTheBox and TCM Security (months 4-7)

HackTheBox is where the training wheels come off. HackTheBox machines don't give you hints or guided prompts — you enumerate, you research, you exploit, and you escalate, or you don't. The difficulty gap between TryHackMe and HackTheBox is real and expected.

TCM Security courses for Phase 2

Complete these TCM Security courses during Phase 2 (total cost approximately $30/month subscription or individual course purchases):

  1. Practical Ethical Hacking — Full penetration testing methodology including Active Directory attacks
  2. Linux Privilege Escalation for Beginners — Systematic coverage of common Linux privesc techniques
  3. Windows Privilege Escalation for Beginners — Service misconfigurations, DLL hijacking, token impersonation
  4. Active Directory for Beginners — Kerberoasting, AS-REP Roasting, BloodHound, Pass-the-Hash

The Active Directory course is critical. OSCP's 40-point AD component is where most people either pass or fail, and TCM Security's practical AD content is more relevant to OSCP than most commercial courses.

The TJNull HackTheBox list

TJ Null, an OSCP holder and offensive security instructor, maintains a public list of HackTheBox machines that most closely resemble OSCP exam machines. The list is available at netsecfocus.com and on GitHub. Working through the retired machines on this list (available to HackTheBox VIP subscribers at $14/month) is the most efficient use of Phase 2 time.

"The TJNull list exists because OSCP-style machines have a specific character — they're usually one or two vulnerabilities with clear enumeration signals, not esoteric exploitation chains. The list filters out the HackTheBox machines that are deliberately unrealistic for exam prep." — TJ Null, offensive security professional

Target machines to practice on from the TJNull retired list include (in approximate difficulty order):

  1. Blue (Windows, EternalBlue)
  2. Jerry (Windows, Tomcat)
  3. Legacy (Windows, SMB vulnerabilities)
  4. Nibbles (Linux, web application CVE)
  5. Bashed (Linux, command injection)
  6. Shocker (Linux, Shellshock)
  7. Lame (Linux, Samba vulnerability)
  8. Beep (Linux, web application multiple vectors)

Aim to complete 20-25 machines from the TJNull list in Phase 2, including at least 5 Windows machines with privilege escalation practice.


The 85% HackTheBox benchmark before PEN-200

Before purchasing PEN-200 lab access, you should be able to complete at least 85% of the medium-difficulty machines from the TJNull list with minimal external help (reading a writeup only after you've been stuck for 90+ minutes with no progress).

This benchmark matters because PEN-200 lab access is expensive ($1,499 for 90 days). Wasting lab time doing foundational enumeration practice that you should have mastered before purchasing is a real risk.

Signs you're ready for PEN-200:

  • You can compromise a medium HackTheBox machine within 3-4 hours unassisted
  • You have a working methodology for both Linux and Windows privilege escalation
  • You've completed at least two full Active Directory attack chain exercises
  • You have a consistent note-taking system that captures commands, screenshots, and methodology
  • You can write a basic penetration testing report from your HackTheBox notes

Signs you're not ready yet:

  • You frequently need to look at writeups for easy machines
  • You haven't practiced any Active Directory attacks
  • You don't have a note-taking system
  • You can enumerate services but get stuck on what to do with what you find

Phase 3: Pre-PEN-200 preparation (months 8-10)

During Phase 3, continue working through HackTheBox machines while incorporating two additional practice elements:

ProLabs: HackTheBox offers ProLabs — multi-machine networks that simulate corporate environments. The "Offshore" ProLab specifically is recommended by OSCP community members for Active Directory practice. At $28/month for VIP+ access (required for ProLabs), it's a cost-effective way to practice multi-machine attack chains.

Mock exam setup: Practice the exam format by setting up personal timed mock exams. Take 3-4 easy/medium HackTheBox machines or OSCP-style platforms (Proving Grounds Practice from OffSec costs $19/month), set a 24-hour timer, document everything as if it were an exam, and then write a mock report in 2 hours. Doing this twice before your actual exam removes the format anxiety.


90-day vs 180-day lab access: which to buy

The choice between 90 and 180 days of PEN-200 lab access is the biggest financial decision of OSCP preparation.

Choose 90 days if:

  • You've completed Phase 1-3 thoroughly and are confident in your methodology
  • You can dedicate 15+ hours per week during the lab period
  • You've scored above 85% on the HackTheBox benchmark machines

Choose 180 days if:

  • You have scheduling uncertainty (you might travel, get sick, or have work demands during the lab period)
  • You learn at a slower pace and know it
  • You want to complete the bonus point lab exercises (80% of exercises + 30 lab machines) without feeling rushed

Most people who complete Phase 1-3 properly can work through PEN-200 content and complete the lab work in 90 days at 12-15 hours per week. Candidates who skip Phase 1-3 and jump straight to PEN-200 often find 90 days insufficient.


Note-taking systems for technique documentation

Your notes are your personal exploit database. Across the entire preparation journey, you're building a searchable reference of every technique, command, and vulnerability type you've encountered.

The recommended structure for OSCP preparation notes:

  1. Cheat sheets per attack category: Linux privilege escalation techniques, Windows privilege escalation techniques, Active Directory attacks, web application attacks, buffer overflow steps
  2. Per-machine notes: For every HackTheBox/PEN-200 machine, document enumeration results, exploitation path, privilege escalation method, and flag hashes
  3. Command library: Every command you use regularly, with the exact syntax and example output
  4. Methodology reference: Your personal step-by-step process for approaching a new target

Obsidian is the most popular choice for OSCP candidates because it stores notes as markdown files locally, supports bidirectional linking between notes (linking your "Kerberoasting" cheat sheet to every machine where you used it), and doesn't require internet access during the exam.


The bonus points calculation: worth your time

PEN-200 offers 10 bonus points on the exam if you complete 80% of the module exercises plus 30 lab machines. With 70 points required to pass, these 10 bonus points can be the difference between failing and passing on a borderline attempt.

The exercise calculation: PEN-200 modules contain hundreds of exercises across the course. 80% completion requires consistent work through the material, not skimming. Each exercise teaches a specific technique — they're not busywork. The exercises are also the most efficient way to build technique depth because they're structured around the specific skills the exam tests.

The lab machine calculation: 30 lab machines out of 57+ available. With 90 days of access, that's less than 1 machine per 3 days if spread evenly — very achievable for a full-time candidate. For a part-time candidate at 10 hours/week, completing 30 machines alongside exercises is feasible with the 180-day access option.

The risk calculation: spending 3-4 weeks on exercises and 30 lab machines before the exam earns bonus points that may prevent needing a $1,499 second attempt. The math is clear — complete the exercises.


Troubleshooting the most common stumbling block: getting stuck

Every OSCP candidate hits walls. Getting stuck on a machine for 3-4 hours without progress is normal. Getting stuck for 12+ hours suggests you need a different approach.

The structured 45-minute rule: if you've been attempting one attack vector for 45 minutes without meaningful progress, force yourself to:

  1. Review your enumeration — have you identified every open port and service version?
  2. Check for version-specific exploits on Exploit-DB (searchsploit [service] [version])
  3. Look for low-privilege footholds you might be exploiting too aggressively
  4. Switch to a different machine and return fresh

When to use hints during lab practice: OffSec provides hints for lab machines through the student Discord and forum. The recommended approach: try for at least 3 hours before looking at any hint. Read only the first hint, implement it, continue independently. This builds the problem-solving habit the exam demands while preventing pure frustration from halting momentum.

The methodology checklist: before declaring yourself stuck, systematically verify that you've completed each enumeration step. Many apparent dead ends are actually incomplete enumeration. A structured checklist prevents the mistake of scanning port 80 and assuming there's nothing else interesting while port 8443 hosts the actual attack vector.
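
The port 80 versus port 8443 oversight described above can be caught mechanically. The following is an added example, not part of the original article: it compares the open ports in Nmap grepable (-oG) output for a single lab target against the ports mentioned in your per-machine notes. The sample scan, the "PORT/proto" notes convention, and all function names are assumptions constructed for illustration.

```python
import re

# Constructed sample of Nmap grepable (-oG) output for one lab target.
SAMPLE_GNMAP = (
    "# constructed scan of 10.10.10.5\n"
    "Host: 10.10.10.5 ()\tStatus: Up\n"
    "Host: 10.10.10.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.6p1/, "
    "80/open/tcp//http//Apache httpd 2.4.29/, 443/closed/tcp//https///, "
    "8443/open/tcp//ssl|http//Apache Tomcat/\tIgnored State: filtered (65531)\n"
)

# Constructed per-machine notes; the "PORT/proto" convention is an assumption.
SAMPLE_NOTES = """\
Machine: lab-target
Enumeration
- 22/tcp ssh: password auth enabled, no credentials yet
- 80/tcp http: directory brute force done, default page only
"""

# One -oG port entry has the form port/state/protocol/owner/service/...
ENTRY = re.compile(r"(?:^|, )(\d{1,5})/([^/]+)/(tcp|udp|sctp)/[^/]*/([^/]*)/")


def open_ports(gnmap_text):
    """Return {(port, proto): service} for every port reported as open."""
    found = {}
    for line in gnmap_text.splitlines():
        if line.startswith("#") or "Ports:" not in line:
            continue
        # The Ports field ends at the next tab-separated field.
        field = line.split("Ports:", 1)[1].split("\t", 1)[0].strip()
        for port, state, proto, service in ENTRY.findall(field):
            if state == "open":  # skips closed, filtered, open|filtered
                found[(int(port), proto)] = service or "unknown"
    return found


def noted_ports(notes_text):
    """Return the set of (port, proto) pairs the notes mention."""
    hits = re.findall(r"\b(\d{1,5})/(tcp|udp|sctp)\b", notes_text)
    return {(int(port), proto) for port, proto in hits}


def unreviewed(gnmap_text, notes_text):
    """Open ports from the scan that have no entry in the notes yet."""
    seen = noted_ports(notes_text)
    return sorted((port, proto, svc)
                  for (port, proto), svc in open_ports(gnmap_text).items()
                  if (port, proto) not in seen)


if __name__ == "__main__":
    for port, proto, svc in unreviewed(SAMPLE_GNMAP, SAMPLE_NOTES):
        print(f"not yet enumerated in notes: {port}/{proto} ({svc})")
```

Run against the sample, the only port flagged is 8443/tcp, the one the notes never mention.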

"The candidates who succeed with limited lab time are disciplined about methodology. They run the same enumeration process on every machine, every time. They don't skip steps because they think they know what the vulnerability will be. Consistency in the process is what makes the difference when you only have 10 hours a week to practice." — Tib3rius, OSCP holder and Windows and Linux privilege escalation course author


References

  1. OffSec. (2024). PEN-200 / OSCP Course. https://www.offsec.com/courses/pen-200/
  2. Null, T. (2023). OSCP-Like HackTheBox Machines. https://www.netsecfocus.com/oscp/2021/05/06/The_Journey_to_Try_Harder-_TJnull-s_Preparation_Guide_for_PWK_PEN_200_and_the_OSCP_Exam.html
  3. TCM Security. (2024). Practical Ethical Hacking Course. https://academy.tcm-sec.com/p/practical-ethical-hacking-the-complete-course
  4. TryHackMe. (2024). Jr Penetration Tester Learning Path. https://tryhackme.com/path/outline/jrpenetrationtester
  5. HackTheBox. (2024). OSCP-like Machine List. https://www.hackthebox.com/hacker/pro-labs
  6. Weidman, G. (2021). Penetration Testing: A Hands-On Introduction to Hacking, 2nd Edition. No Starch Press. ISBN: 978-1718501812

Frequently Asked Questions

How long does it take to prepare for OSCP while working full-time?

At 8-10 hours per week of consistent study, most candidates need 12-18 months of total preparation before attempting the OSCP exam. This includes 3-4 months on TryHackMe foundations, 4-5 months on HackTheBox, and 3-4 months in the PEN-200 official labs. Candidates who study 15+ hours per week can compress this to 6-9 months.

What is the TJNull HackTheBox list?

The TJNull list is a curated collection of retired HackTheBox machines selected by OSCP holder TJ Null for their similarity to OSCP exam machines. The list focuses on machines with clear enumeration signals and one to two exploitation steps, filtering out machines with unrealistic exploitation chains. Working through this list on HackTheBox VIP is widely considered the best exam preparation available.

Should I buy 90 or 180 days of PEN-200 lab access?

If you've completed Phase 1-3 preparation (TryHackMe, TCM courses, HackTheBox TJNull machines) and can dedicate 12-15 hours per week, 90 days is usually sufficient. Choose 180 days if your schedule is unpredictable, you need time for the bonus point exercises, or you've skipped earlier preparation phases and need more learning time in the official lab environment.

What should I know before starting PEN-200 lab access?

Before purchasing PEN-200 access, you should be able to independently compromise medium-difficulty HackTheBox machines in 3-4 hours, perform both Linux and Windows privilege escalation without consulting guides for common techniques, have completed at least two Active Directory attack chain exercises, and have a working note-taking system for documenting exploitation methodology.

What note-taking tool is best for OSCP preparation?

Obsidian is widely recommended for OSCP preparation because it stores notes as local markdown files (no internet dependency during exams), supports bidirectional linking between technique notes and machine notes, and handles code blocks and screenshots cleanly. CherryTree is the traditional alternative with a tree structure that maps well to per-machine documentation.