
OSCP Offensive Security Certified Professional Guide


How hard is the OSCP exam?

The OSCP (Offensive Security Certified Professional) is considered one of the most challenging practical cybersecurity certifications available. The exam is a 24-hour hands-on penetration testing exercise in which candidates must compromise multiple machines in an isolated network, followed by 24 additional hours to submit a professional penetration test report. Unofficial community estimates put first-attempt pass rates around 50-60% for well-prepared candidates.


The OSCP (Offensive Security Certified Professional) is the gold standard penetration testing certification, widely regarded as the most technically credible hands-on security credential. Unlike CEH and Security+, OSCP requires candidates to demonstrate actual exploitation skills by compromising real machines in a controlled environment -- there are no multiple-choice questions.

OSCP holders are among the most sought-after cybersecurity professionals. The certification is a standard requirement at top-tier security consulting firms and red teams. Penetration testers with OSCP command salaries of $100,000-$160,000 in the United States. The certification exam costs $1,499 USD, which includes 90 days of lab access.


Certification Overview

Detail Information
Certification Name OSCP - Offensive Security Certified Professional
Provider Offensive Security (OffSec)
Exam Format 24-hour hands-on hacking exercise
Report Submission 24 additional hours for written report
Passing Score 70 of 100 points (20 per independent machine, 40 for the Active Directory set)
Training Course PEN-200 (PWK - Penetration Testing with Kali Linux)
Training + Exam Cost $1,499 USD (90-day lab access)
Validity No expiration (lifetime certification)

OSCP Exam Structure

The exam network contains the following target machines:

Machine Type Points Count
Active Directory set 40 (all or nothing) 1 set of 3 machines (domain controller plus two client hosts)
Independent machines 20 each (10 for local.txt, 10 for proof.txt) 3 machines
Total available 100
Required to pass 70

Bonus points (up to 10) are available for documenting 80% of the exercises in each course module plus 30 lab machines; note that the OSCP+ exam format introduced in November 2024 no longer offers them.

"The OSCP is the certification that separates people who can talk about hacking from people who can actually hack. No amount of memorizing commands or watching videos will prepare you for the exam -- you need to have internalized the methodology so deeply that you can apply it creatively to machines you have never seen before under significant time pressure." -- OffSec community wisdom


PEN-200 Course Structure

The PEN-200 course (Penetration Testing with Kali Linux) covers all the skills tested in the OSCP exam:

Core Skill Areas

Information gathering and enumeration:

  • Passive and active reconnaissance
  • Service enumeration (web, SMB, SQL, SSH, FTP)
  • Vulnerability identification from enumeration findings

Vulnerability analysis:

  • Identifying exploitable misconfigurations
  • Finding publicly known vulnerabilities via searchsploit and exploit-db
  • Understanding vulnerability severity and exploitability

Exploitation techniques:

  • Password attacks (brute force, dictionary, credential stuffing)
  • Web application exploitation (SQLi, LFI/RFI, command injection, file upload)
  • Buffer overflow exploitation (32-bit Windows and Linux); retired from the exam in 2022 and no longer part of the current course, so useful background but not a scoring requirement
  • Metasploit usage for known CVEs; the exam permits Metasploit and Meterpreter on only one target, so practice manual exploitation for everything else

Post-exploitation:

  • Privilege escalation (Linux and Windows)
  • Lateral movement within networks
  • Tunneling and pivoting through networks
  • Persistence and evidence collection

The OSCP Methodology

Phase 1: Enumeration

Thorough enumeration is the foundation of every OSCP machine. Experienced candidates spend 60-70% of their time on enumeration before attempting any exploitation.

Standard enumeration checklist:

# Full TCP port sweep first (fast), then scripts and version detection only on the open ports
nmap -p- --min-rate=1000 -oA allports <target_ip>
nmap -sC -sV -p <open_ports> -oA services <target_ip>

# UDP scan (common services; UDP scanning needs root)
sudo nmap -sU -sV -p 161,53,123,69 <target_ip>

# Web application enumeration (add extensions that match the stack you saw in the version scan)
gobuster dir -u http://<target>/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,html
nikto -h http://<target>/

# SMB enumeration (null session first, then with any credentials you find)
enum4linux -a <target_ip>
smbclient -L //<target_ip>/ -N
crackmapexec smb <target_ip> -u '' -p '' --shares

# Service-specific: record the exact product and version, then look it up
searchsploit <service name and version>
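The two-phase scan above is easier to get right when the open-port list is parsed rather than copied by hand. The script below is an added example written for this guide, not code from OffSec or the PEN-200 course; the function names, the output directory layout and the sample .gnmap text are all assumptions made here.

```shell
#!/usr/bin/env bash
# Added example for this guide (not code from OffSec or the PEN-200 course).
# Two-phase port scanning: sweep all 65535 TCP ports quickly, then run
# default scripts and version detection only against the ports found open.
# extract_open_ports parses nmap's grepable (-oG / .gnmap) output so the
# second scan can be built without copying port numbers by hand.

# Print the open TCP ports from a .gnmap file as a comma-separated list
# (e.g. "22,80,445"). Filtered and closed ports are ignored.
extract_open_ports() {
  local gnmap_file=$1
  grep -o '[0-9]\{1,5\}/open/tcp' "$gnmap_file" \
    | cut -d/ -f1 \
    | sort -n -u \
    | paste -sd, -
}

# Run both phases against a live target (needs nmap on the attacking box;
# -p- with --min-rate=1000 is noisy, which is fine in a lab). Output files
# go under $2 (default: ./scans). Not exercised by the offline sample below.
two_phase_scan() {
  local target=$1 outdir=${2:-scans} ports
  mkdir -p "$outdir"
  nmap -p- --min-rate=1000 -oA "$outdir/allports" "$target"
  ports=$(extract_open_ports "$outdir/allports.gnmap")
  if [ -z "$ports" ]; then
    echo "no open TCP ports found on $target" >&2
    return 1
  fi
  nmap -sC -sV -p "$ports" -oA "$outdir/services" "$target"
}

# Constructed sample of phase-1 grepable output (not a real scan) so the
# parser can be run offline. The filtered port 135 must not be included.
SAMPLE_GNMAP=$(mktemp)
cat > "$SAMPLE_GNMAP" <<'EOF'
# Nmap 7.94 scan initiated as: nmap -p- --min-rate=1000 -oA allports 10.10.10.5
Host: 10.10.10.5 ()  Status: Up
Host: 10.10.10.5 ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 135/filtered/tcp//msrpc///, 445/open/tcp//microsoft-ds///  Ignored State: closed (65531)
# Nmap done -- 1 IP address (1 host up) scanned
EOF

# Usage: ports=$(extract_open_ports "$SAMPLE_GNMAP")   # -> 22,80,445
#        two_phase_scan 10.10.10.5 scans
```

On the exam, keep the allports.gnmap and services.nmap files: they are the evidence for the enumeration section of the report, and the second scan's -oA output is what you grep when a later finding sends you back to a service you skimmed past.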

Phase 2: Exploitation

Exploitation approach for OSCP machines:

  1. List all services found during enumeration
  2. For each service, look for:
    • Default credentials
    • Public exploits for the specific version
    • Misconfigurations
    • Application logic vulnerabilities (for web apps)
  3. Attempt easiest/highest probability exploits first
  4. Document all attempts (for the report)

Phase 3: Privilege Escalation

Windows privilege escalation checklist:

# System information (cmd.exe or PowerShell)
systeminfo
whoami /all            # groups and privileges; SeImpersonatePrivilege is the one to look for
net user
net localgroup administrators

# Privilege escalation automation (transfer the tool first, then run it)
.\winPEAS.exe
. .\PowerUp.ps1; Invoke-AllChecks    # PowerShell
.\SharpUp.exe audit

# Manual checks
# AlwaysInstallElevated is only exploitable when BOTH keys are set to 1
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
# Scheduled tasks (PowerShell, then schtasks for the full action and run-as details)
Get-ScheduledTask | Select-Object TaskName, TaskPath, State
schtasks /query /fo LIST /v
# Running services, then look for unquoted service paths containing spaces
Get-Service | Where-Object {$_.Status -eq "Running"}
wmic service get name,pathname,startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """

Linux privilege escalation checklist:

# System information
id && whoami
uname -a
cat /etc/os-release
sudo -l                    # check any NOPASSWD entry against GTFOBins

# Automation tools (transfer them first)
./linpeas.sh
./linux-exploit-suggester.sh

# Manual SUID/SGID and capability checks
find / -perm -4000 -type f 2>/dev/null
find / -perm -2000 -type f 2>/dev/null
getcap -r / 2>/dev/null

# Cron jobs: look for root jobs whose script, or its directory, is writable by you
cat /etc/crontab
ls -la /etc/cron.d/ /etc/cron.hourly/ /etc/cron.daily/
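Reading the crontab is only half of the cron check; the other half is confirming that a root job points at something you can actually replace. The script below mechanises that for the Linux checklist. It is an added example written for this guide, not code from OffSec, PEN-200 or linPEAS; the function names and the fake filesystem and crontab it builds under a temporary directory are constructed here for illustration.

```shell
#!/usr/bin/env bash
# Added example for this guide (not code from OffSec or the PEN-200 course).
# Mechanises the manual cron check: read a crontab in system format
# (minute hour dom month dow USER command), keep the jobs that run as root,
# and flag any absolute path in the command that is world-writable or lives
# in a world-writable directory (where the script can simply be replaced).
# Permissions are taken from the ls -ld mode string rather than test -w so
# the result is the same whoever runs it (test -w is always true for root).

# Return 0 if the "other" write bit is set on the path (symlinks are followed).
world_writable() {
  local perms
  perms=$(ls -ldL -- "$1" 2>/dev/null | cut -c1-10)
  [ "${perms:8:1}" = "w" ]
}

# Print "path<TAB>reason" for every root job in crontab file $1 that points
# at a world-writable path or at a path inside a world-writable directory.
find_weak_root_cron_jobs() {
  local file=$1 line f1 f2 f3 f4 f5 user cmd tok dir tokens
  while IFS= read -r line; do
    # skip blank lines, comments and VAR=value settings such as PATH= or MAILTO=
    case "$line" in ''|'#'*|[A-Za-z_]*) continue ;; esac
    # @reboot/@daily style entries carry one schedule field instead of five
    case "$line" in @*) line="${line%% *} - - - - ${line#* }" ;; esac
    read -r f1 f2 f3 f4 f5 user cmd <<< "$line"
    [ "$user" = root ] && [ -n "$cmd" ] || continue
    # read -a splits on whitespace without glob-expanding tokens like /tmp/*
    read -ra tokens <<< "$cmd"
    for tok in "${tokens[@]}"; do
      case "$tok" in /*) ;; *) continue ;; esac
      dir=$(dirname -- "$tok")
      if world_writable "$tok"; then
        printf '%s\tscript is world-writable\n' "$tok"
      elif world_writable "$dir"; then
        printf '%s\tparent directory is world-writable\n' "$tok"
      fi
    done
  done < "$file"
}

# Constructed fixture (not a real host): a fake filesystem under a temp dir
# with one world-writable script and one script in a world-writable directory.
SAMPLE_ROOT=$(mktemp -d)
mkdir -p "$SAMPLE_ROOT/opt" "$SAMPLE_ROOT/usr/local/bin" "$SAMPLE_ROOT/tmp"
chmod 0755 "$SAMPLE_ROOT/opt" "$SAMPLE_ROOT/usr/local/bin"
chmod 0777 "$SAMPLE_ROOT/tmp"
printf '#!/bin/sh\ntar czf /var/backups/www.tgz /var/www\n' > "$SAMPLE_ROOT/opt/backup.sh"
printf '#!/bin/sh\nfind /tmp -mtime +7 -delete\n' > "$SAMPLE_ROOT/usr/local/bin/cleanup.sh"
printf '#!/bin/sh\nrsync -a /srv/ /mnt/backup/\n' > "$SAMPLE_ROOT/tmp/sync.sh"
chmod 0777 "$SAMPLE_ROOT/opt/backup.sh"
chmod 0755 "$SAMPLE_ROOT/usr/local/bin/cleanup.sh" "$SAMPLE_ROOT/tmp/sync.sh"

SAMPLE_CRONTAB=$SAMPLE_ROOT/crontab
cat > "$SAMPLE_CRONTAB" <<EOF
# constructed system crontab for the example
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
17 * * * *  root  cd / && run-parts --report /etc/cron.hourly
*/5 * * * * root  $SAMPLE_ROOT/opt/backup.sh
0 3 * * *   root  sh $SAMPLE_ROOT/tmp/sync.sh
30 2 * * *  www-data $SAMPLE_ROOT/opt/backup.sh
@daily      root  $SAMPLE_ROOT/usr/local/bin/cleanup.sh
EOF

# Usage: find_weak_root_cron_jobs "$SAMPLE_CRONTAB"
# Reports backup.sh (world-writable) and sync.sh (in a world-writable dir);
# cleanup.sh and the www-data job are not reported.
```

On a real target run it as `find_weak_root_cron_jobs /etc/crontab` and again over each file in /etc/cron.d/. The same "who can write to what root executes" question applies to systemd timers and to the directories on root's PATH named in the crontab, so check those by hand when the script comes back empty.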

Active Directory Attacks

The OSCP exam includes an Active Directory set worth 40 points. Core AD attack techniques tested:

Initial AD Foothold

  • AS-REP Roasting: requesting a Kerberos AS-REP for accounts with pre-authentication disabled (e.g. impacket-GetNPUsers), then cracking the encrypted part of the reply offline
  • Password spraying: trying one or two common passwords against every domain user while staying under the account lockout threshold
  • SMB relay: relaying captured NTLM authentication to another host; only works where SMB signing is not required on the target

AD Lateral Movement

  • Pass-the-hash: authenticating with an NTLM hash instead of a password, using crackmapexec or Impacket (psexec.py, wmiexec.py)
  • Pass-the-ticket: reusing stolen Kerberos tickets (exported with Mimikatz or Rubeus) to authenticate as that principal
  • Overpass-the-hash: using an NTLM hash or AES key to request a Kerberos TGT, so subsequent access is Kerberos rather than NTLM

AD Privilege Escalation

  • Kerberoasting: requesting TGS tickets for accounts that have an SPN and cracking the service account password offline
  • DCSync: abusing Replicating Directory Changes rights to pull password hashes from a domain controller (impacket-secretsdump, Mimikatz lsadump::dcsync)
  • BloodHound attack paths: collecting with SharpHound and querying the graph for the shortest path to Domain Admins

Lab Practice Strategy

Lab Time Management

With 90 days of lab access, effective time management is critical:

Phase Duration Focus
Weeks 1-4 Foundation Complete course modules; root easy lab machines
Weeks 5-8 Building skill Root intermediate machines; work through AD labs
Weeks 9-12 Exam preparation Complete hard machines; take practice exam (Proving Grounds or HTB)

Machine Types to Practice

TryHackMe (easiest, guided): OSCP preparation room, Pre-Security path for fundamentals.

Hack The Box (moderate to hard): OSCP-like machines (retired machines with public write-ups available).

Offensive Security Proving Grounds (best OSCP analog): Play is the free tier with community-built machines; Practice is the paid subscription with OffSec-built machines closest to actual OSCP exam difficulty.

"The biggest mistake OSCP candidates make is spending too much time on the course material and not enough time in the labs. After the first 4 weeks, you should be spending at least 4-5 hours per day trying to root machines. The course teaches you the theory; the lab teaches you the methodology under pressure." -- OSCP community preparation advice


The OSCP Report

The 24-hour report is as important as the technical compromise. Professional penetration test reports must include:

  1. Executive summary: Business impact of findings without technical jargon
  2. Methodology overview: Approach used during the assessment
  3. Findings for each machine: Step-by-step attack narrative with screenshots
  4. Proof screenshots: the contents of local.txt and proof.txt displayed from an interactive shell, in the same screenshot as the target's IP address (ip addr or ipconfig)
  5. Remediation recommendations: Specific guidance for each vulnerability

Frequently Asked Questions

How long should I prepare before attempting OSCP? Most candidates need 3-6 months of preparation beyond the 90-day lab period. Prerequisites include solid Linux command-line skills, basic Python scripting, understanding of networking concepts, and comfort using Kali Linux tools. Completing TryHackMe beginner paths, doing 20-30 Hack The Box easy machines, and working through the course exercises before starting your lab access maximizes the 90-day window.

What is the best order to attack machines on the OSCP exam? Most candidates recommend attempting the Active Directory set first (40 points) because it is scored as a complete set -- you get all 40 points or nothing. Completing the AD set gives you a large point base before tackling the independent machines. Among the independents, start with the two that look easiest to reach the 70-point passing score first, then attempt the harder one. Confirm the current scoring in OffSec's exam guide before you sit, as OSCP+ revised how the AD set is scored.

Does OSCP expire? The original OSCP has no expiration date: once you pass, you remain certified. OffSec introduced OSCP+ in November 2024; since then a passing exam awards both the lifetime OSCP and the OSCP+, which expires after three years unless renewed. If you earned the original OSCP you still hold it, but you may want to earn OSCP+ for the most current credential.
