OSCP Preparation Guide 2025 — A Realistic 90-Day Roadmap
OSCP is the gold standard for practical penetration testing — and it is genuinely hard. The exam is 24 hours of live hacking with no hints, followed by a 24-hour reporting window. Most people who fail do so not because they lack technical knowledge, but because they approached the preparation without a structured plan.

This guide gives you a concrete 90-day roadmap based on what actually works: the right platforms in the right order, the techniques that come up most often, and the mindset needed to pass the exam.
Are You Ready to Start?
OSCP is not a beginner certification. Before purchasing the PWK course, you should be genuinely comfortable with the following:
- Linux command line — file system, permissions, processes, networking commands
- Basic networking — TCP/IP, DNS, HTTP, ports and services, reading packet captures
- At least 20 rooted machines on TryHackMe or HackTheBox
- Basic scripting in Python or Bash — reading and modifying existing scripts at minimum
- Understanding of common web vulnerabilities — SQLi, LFI, XSS, command injection
💡 Quick Self-Test: Root at least 5 HackTheBox machines rated “Easy” without looking at writeups. If you cannot, spend another month on TryHackMe’s learning paths before buying lab time. Purchasing PWK before you are ready is the single most expensive mistake people make.
Phase 1 — Foundations (Days 1 to 30)
Before touching the PWK labs, build a solid foundation across all key domains. This phase is about developing the reflexes you will need when the exam clock is running.
Days 1 to 10 — Linux and Networking
- Complete TryHackMe: Linux Fundamentals Parts 1, 2, and 3
- Practice daily: file permissions, SUID binaries, cron jobs, /etc/passwd and /etc/shadow
- Networking: Wireshark basics, reading nmap output, understanding service banners
- Set up Kali or Parrot OS as your daily driver — get comfortable in the environment
- Learn to read and modify Python and Bash scripts — you will need to customise exploits
Days 11 to 20 — Web Application Attacks
- TryHackMe: OWASP Top 10 path and Web Fundamentals path
- PortSwigger Web Security Academy — free, world-class labs for SQLi, XSS, LFI, SSRF, IDOR
- Learn Burp Suite properly: intercept, repeater, intruder, decoder, comparer
- Understand how to identify and manually exploit: SQLi, XSS, LFI, RFI, file upload bypass, command injection
- Read and understand HTTP requests and responses in raw form
Days 21 to 30 — Privilege Escalation
This is the most important phase. OSCP machines are rooted through privesc more than any other technique.
- Linux PrivEsc: TryHackMe room + TCM Security’s course (free on YouTube)
- Windows PrivEsc: TryHackMe room — focus on token impersonation, AlwaysInstallElevated, unquoted service paths, weak service permissions, and DLL hijacking
- Run linpeas.sh and winpeas.exe on intentionally vulnerable VMs — learn to read every section of the output
- Practice on VulnHub: Basic Pentesting 1 and 2, Kioptrix series (1 through 5)
- Build a personal privesc cheatsheet as you go — you will reference it in the exam
Phase 2 — Labs and Core Techniques (Days 31 to 70)
Start your PWK subscription at Day 31. The labs are where the real learning happens — not the PDF.
Days 31 to 45 — PWK Material and Initial Lab Machines
- Read the PDF and watch the videos — do not skip the exercises, they teach methodology
- Do not jump straight to hard machines. Root 10 easy machines first to build confidence
- Keep detailed notes for every machine: IP address, open ports, services, exploitation path, flags, and lessons learned. Use Obsidian or CherryTree.
- Focus on your enumeration methodology — it should become automatic by the end of this phase
- Standard enumeration flow: nmap full port scan → service enumeration → web directory brute force → searchsploit → manual testing
```bash
# Full port scan
nmap -p- -sV -sC -oA full_scan TARGET_IP
# UDP scan (often missed)
nmap -sU --top-ports 20 TARGET_IP
# Web directory fuzzing
gobuster dir -u http://TARGET_IP -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,html
# Check for known exploits
searchsploit "service name" "version"
```
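The per-machine notes described above can be started from the scan output itself. This is an added example, not part of the original guide: it parses the `full_scan.gnmap` file that `-oA full_scan` writes and builds a notes skeleton with the fields the guide lists. The sample scan line, the 192.0.2.10 address and the function names are constructed for illustration.

```python
import re

# Constructed sample of nmap grepable output (-oA full_scan writes full_scan.gnmap).
# 192.0.2.10 is a documentation address, not a real host.
SAMPLE_GNMAP = (
    "# Nmap scan initiated as: nmap -p- -sV -sC -oA full_scan 192.0.2.10\n"
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1 Ubuntu 4ubuntu0.5/, "
    "80/open/tcp//http//Apache httpd 2.4.41 ((Ubuntu))/, "
    "443/closed/tcp//https///\tIgnored State: filtered (65532)\n"
)


def parse_gnmap(text):
    """Return {host: [(port, proto, service, version), ...]}, open ports only."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "\tPorts: " not in line:
            continue  # comments and "Status:" lines carry no port data
        host = line.split()[1]
        ports_field = line.split("\tPorts: ", 1)[1].split("\t", 1)[0]
        # Entries are separated by "/, "; splitting on a bare comma would
        # break on version strings that contain one.
        for entry in re.split(r"/,\s+", ports_field):
            # port/state/protocol/owner/service/rpc info/version
            f = entry.split("/")
            if len(f) >= 7 and f[1] == "open":
                hosts.setdefault(host, []).append((int(f[0]), f[2], f[4], f[6]))
    return hosts


def notes_skeleton(host, ports):
    """Build a per-machine note with the fields the guide says to record."""
    lines = [f"# {host}", "", "## Open ports and services"]
    for port, proto, service, version in sorted(ports):
        lines.append(f"- {port}/{proto} {service} {version}".rstrip())
    for heading in ("Exploitation path", "Flags", "Lessons learned"):
        lines += ["", f"## {heading}", "- TODO"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for host, ports in parse_gnmap(SAMPLE_GNMAP).items():
        print(notes_skeleton(host, ports))
```

For a real scan, pass the contents of `full_scan.gnmap` to `parse_gnmap` and save each skeleton as a note in Obsidian or CherryTree.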
Days 46 to 60 — Exploit Research and Buffer Overflows
- Master Windows x86 stack-based buffer overflows — OSCP always includes one standalone BOF machine
- Practice the TryHackMe Buffer Overflow Prep room — complete all 10 examples until you can do each in under 20 minutes
- The BOF process: fuzzing → finding the offset → controlling EIP → finding bad characters → finding a JMP ESP → generating shellcode → exploiting
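```python
# Standard BOF skeleton: fuzz phase
import socket

ip = "TARGET_IP"
port = 1337
buffer = "A" * 100

while True:
    try:
        # The context manager closes the socket even if connect or send fails
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(5)  # without a timeout, a hung service blocks the loop forever
            s.connect((ip, port))
            s.send(bytes(buffer + "\r\n", "latin-1"))
        print(f"Sent {len(buffer)} bytes")
        buffer += "A" * 100
    except OSError:
        # Connection refused or timed out: the service has stopped responding
        print(f"Crashed at {len(buffer)} bytes")
        break
```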
- Learn the searchsploit and Exploit-DB workflow for finding public exploits
- Understand when to use a public exploit as-is versus when you need to modify it
- Practice exploiting common services: SMB (EternalBlue, pass-the-hash), FTP, SSH, RDP
Days 61 to 70 — Active Directory Basics
Active Directory is a significant portion of the current OSCP exam. Do not skip this phase.
- AD enumeration: BloodHound, PowerView, net commands, ldapsearch
- Key attacks to understand: Kerberoasting, AS-REP Roasting, Pass-the-Hash, Pass-the-Ticket, DCSync
- TryHackMe: Attacktive Directory room
- HackTheBox retired machines: Forest, Active, Sauna — excellent AD practice at OSCP difficulty
- Understand the attack chain: foothold → enumerate AD → find path to Domain Admin → escalate
```powershell
# PowerView: enumerate AD
Get-NetUser | select samaccountname, description
Get-NetGroup "Domain Admins" | select member
Find-LocalAdminAccess
# Kerberoasting
Get-NetUser -SPN | select samaccountname, serviceprincipalname
Invoke-Kerberoast -OutputFormat Hashcat | fl
```
Phase 3 — Exam Preparation (Days 71 to 90)
Days 71 to 80 — Mock Exam Runs
- Work through TJnull’s OSCP-like HackTheBox machine list — target at least 20 machines
- Time yourself on each machine. If you cannot root an easy machine in 2 hours, identify exactly what stopped you and fix that gap.
- Practice writing your report as you work — not after. The exam report needs to be submitted within 24 hours of the exam ending.
- The rule when you are stuck: if you have spent 30 minutes without progress, enumerate more — not harder. You are almost always missing an open port, a hidden directory, or a service version with a known exploit.
Days 81 to 90 — Final Consolidation
- Review every machine’s notes. Build a personal methodology document covering: initial access, privilege escalation (Linux and Windows), AD attacks
- Redo any machines you struggled with in Phase 2
- Practice the buffer overflow until you can root the machine in under 20 minutes reliably
- Read the official OSCP exam guide carefully — understand exactly what is and is not permitted, how the proctoring works, and what the report must contain
- Schedule your exam. Having a fixed date creates the urgency that turns preparation into results.
Essential Tools
| Category | Tool | Use |
| --- | --- | --- |
| Enumeration | nmap | Port scanning, service detection, NSE scripts |
| Web | Burp Suite | Intercept, fuzz, scan web applications |
| Web | gobuster / ffuf | Directory and vhost fuzzing |
| Exploitation | Metasploit | One allowed use in exam — use wisely |
| PrivEsc | linpeas / winpeas | Automated privilege escalation checks |
| AD | BloodHound | Attack path visualisation for Active Directory |
| Password | hashcat / john | Offline hash cracking |
| Shells | netcat / pwncat-cs | Reverse and bind shell handling |
| Notes | Obsidian / CherryTree | Structured note-taking with search |
| Exploits | searchsploit | Offline Exploit-DB searching |
Exam Day Tips
Start with the buffer overflow machine. It is the most predictable challenge — the technique is always the same and the machine is worth significant points. Knock it out first for easy marks and a confidence boost.
Take screenshots constantly. You cannot go back after the exam ends. Screenshot every command you run, every piece of output, every flag, every proof.txt. Use a naming convention: machine_ip_step_description.png.
Enumerate before you exploit. If you are stuck, the answer is almost always better enumeration — check every port, every service version, every web directory, every found credential against every service. Most rabbit holes exist because enumeration was incomplete.
Do not rabbit-hole. Set a timer for 45 minutes on any approach. If you have no progress when the timer goes off, move to a different machine and come back later with fresh eyes.
Sleep if you need to. You have 24 hours. A 2-hour sleep mid-exam will recover more cognitive function than 24 hours of diminishing returns. Make this decision before you start so you are not tempted to push through exhaustion.
Write your report as you go. Do not leave 8+ hours of reporting until the end. Document each machine in the report template as you complete it.
Scoring
You need 70 points to pass. The exam format typically includes:
- 3 standalone machines worth 10, 20, and 25 points
- 1 Active Directory set worth 40 points
Getting all of AD (40 pts) plus rooting 2 standalone machines (10 + 20 pts) = 70 points = pass. This is the most realistic target for most candidates.
Free Resources