The Journey to Becoming an OSCP

The journey to becoming an OSCP is arduous and requires knowledge across multiple domains. I distill the syllabus into core areas and provide links to training to help you reach those skills


By 0xBEN

What is the OSCP?

  • Earned upon completion of:
    • Self-paced PEN-200 course
    • 23.75-hour simulated penetration test
  • You will learn:
    • How to think like an attacker
    • Tools and methods used by attackers

Major Changes on Jan 11, 2022

  • Points Required to Pass: 70
  • Points Possible: 100
  • No partial points for Active Directory (AD)
    • Must fully compromise the AD set

How Do People Become Hackers?

  • How to Learn Real Hacking

    • There is no one path to becoming a hacker or security professional
    • A hacker is the sum of their disparate experiences
    • The highly respected LiveOverflow talks about his journey
      HTML > VBS > Webdev > PHP > CSS > JS > MySQL > SQLi > Android Dev > Google Wave > Computer Science > Linux > HackerSpace > Arduino > CTFs
  • How the Best Hackers Learn Their Craft

    • A Carnegie Mellon professor discusses how to grow your hacking skills
    • DELIBERATE practice, autodidacticism (self-initiated learning), creativity
    • Don’t shut down when you don’t understand (Google keywords in the problem)
    • CTFs are critical to skill growth (HackTheBox, TryHackMe, etc.)

Required Skills

Course Syllabus:

I will synthesize the course syllabus into core modules below. I know there is a lot, but you do not need to be an expert in all of these areas. The point is to build confidence in these core areas, so that you understand the tools, the technologies, and concepts surrounding each of them.

For example, you do not need to be a skilled web developer to start testing web applications. You just need to know about the technologies and it helps to be able to read code and understand it, so you can more easily find vulnerabilities.

Top Points from the Syllabus

When looking at the course syllabus  – linked above – there are sub-points beneath each topic. Keep that in mind when referencing this diagram.

I've taken the top points from the syllabus and distributed them into a diagram based on where the skill fits into different IT domains. Anything in the gray center box is just used to designate that it fits into multiple domains.

Core Skill Areas

  • Operating Systems
  • Networking
  • Web
  • Programming

I am maintaining a list of free training resources on these topics at this page, and will continue to add to it as I come across more quality links.

Free Training Resources for Cybersecurity and IT Professionals
I will try to keep this list up-to-date with training resources for different areas that could benefit students and professionals of cybersecurity and IT


OK. This one isn't directly mentioned in the OSCP syllabus and it isn't really even a skill, but it is the single biggest requirement to becoming a successful hacker. You need to have the mentality of:

  • "What if ____?"
  • "What would happen if I ____?"
  • "I wonder what caused ____ to happen."
  • "I don't know what ____ is. Let me research it."

Define Curiosity in this Context

Example 1

Your first instinct – when you encounter something you don't know – should be to do some research on Google, Reddit, or other areas of the Internet. There's a good chance someone on the Internet has already asked about it or written about it.

Example 2

Imagine you are looking at an application. You see an input box. The input box says that you may only enter alphanumeric characters. Your curiosity should kick in here. What would happen if you input a special character or an emoji? What would happen if you input 1,000 "A" characters?
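The "alphanumeric only" input box above is a good place to see why the server-side check has to be precise. The following is an added example (not code from the original post) comparing a naive check with a strict one against the probes the paragraph suggests: a special character, an emoji, and 1,000 "A" characters. The 64-character length cap and the ASCII-only rule are assumptions chosen for the example.

```python
import re

# Strict server-side rule for an "alphanumeric only" field: ASCII letters and
# digits, 1 to 64 characters. The bounds are an assumption for this example.
ALNUM_RE = re.compile(r"^[A-Za-z0-9]{1,64}$")


def naive_is_alphanumeric(value: str) -> bool:
    """Looks right but is looser than it sounds: str.isalnum() accepts letters
    and digits from any Unicode script, and it puts no limit on length."""
    return value.isalnum()


def strict_is_alphanumeric(value: str) -> bool:
    """Explicit ASCII character class plus a length cap, matched end to end."""
    return ALNUM_RE.fullmatch(value) is not None


# Constructed probe inputs of the kind the text describes.
PROBES = {
    "plain": "user42",
    "special": "user;--",
    "emoji": "user\U0001F600",
    "unicode_letter": "us\u00e9r",        # e with acute accent
    "arabic_digit": "user\u0661",         # ARABIC-INDIC DIGIT ONE
    "very_long": "A" * 1000,
    "empty": "",
}


def compare_checks() -> dict:
    """Run every probe through both checks; returns {name: (naive, strict)}."""
    return {name: (naive_is_alphanumeric(v), strict_is_alphanumeric(v))
            for name, v in PROBES.items()}


if __name__ == "__main__":
    for name, (naive, strict) in compare_checks().items():
        print(f"{name:15} naive={str(naive):5} strict={strict}")
```

The two checks disagree on exactly the inputs a curious tester would try: the accented letter, the non-ASCII digit and the 1,000-character string all pass `isalnum()` but fail the anchored ASCII pattern. Whatever the form's hint says, the rule the server actually enforces is the one that matters.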

Being an Effective Researcher

The most widely used search engine by hackers is Google. You can use whichever search engine you prefer, but Google has lots of neat tricks that can help you be a better researcher and hacker.

Google Dorks

Google's search has operators that can be used to return very specific results when performing a search. Some examples include:

  • "keyword" all results must contain this word
  • "some words" return all results with this exact phrase
  • -keyword results must not contain this word
  • -"some words" results must not contain this phrase
  • site:example.com return results only from a specific site
  • site:* return results from any subdomain of a site
  • filetype:pdf return results containing PDF files
  • before:YYYY-MM-DD return results before a specific date
  • after:YYYY-MM-DD return results after a specific date
  • after:YYYY-MM-DD before:YYYY-MM-DD return results in a date range
  • cache:example.com check for the cached version of a site
  • inurl:keyword results must contain this word in their URL
  • intitle:keyword results must contain this word in their title
  • filetype:xlsx inurl:expense you can compound operators

Google Hacking Database

This is a list of Google Dorks used by the community to find vulnerabilities or misconfigurations.

Offensive Security’s Exploit Database Archive
The GHDB is an index of search queries (we call them dorks) used to find publicly available information, intended for pentesters and security researchers.

More Google Search Operators

Google Search Operators: 40 Commands to Know in 2022 (Improve Research, Competitive Analysis, and SEO)
Google search operators make searching for things online so much better. Once you’ve mastered just a few of these special commands, you’ll wonder how you

What About Certifications?

I have seen many people ask about getting certifications such as the A+, Network+, and Security+ in preparation for the OSCP. Certifications can be expensive and time-consuming, and there are often costs to keep them current. Make sure the time and effort align with your goals.

  • Depending on your experience level, certifications can:
    • Fill in knowledge gaps
    • Give you a path to follow to future goals
    • Add weight to your resume
  • It may be better to skip the certification but review the content
    • If you do not plan on using the certification to advance your career
    • If you do not have the time or money to fully certify
  • It may be better to pursue the certification
    • If you plan on using it as leverage for a job
    • And, the content in the certification is worth the investment

Developing an Attack Methodology

  • It is important to follow proven methodologies when conducting a penetration test, even when doing CTFs
  • It takes time to find your rhythm
  • The Penetration Testing Execution Standard (PTES) and Penetration Testing Framework (PTF) detail the core steps of a penetration test
    1. Client Visit and Scoping
      • For a CTF, think platform rules of engagement
      • Have an understanding of what you may and may not do
      • Be very clear on what your target is
      • Never engage out of scope without permission
    2. Intelligence Gathering
      • Passive
        • Finding information about a target in an indirect way
        • No interaction with target systems
      • Active
        • Finding information about a target directly
          • Query DNS servers
          • Visiting target web sites, FTP servers, mail servers, etc
    3. Threat Modeling
      • Assess the target type and determine some common weaknesses
      • For example, many web applications use a database, which could lead to SQLi
    4. Vulnerability Analysis
      • Directly related to the quality of your intel
      • Based on your interactions with the target systems
      • Check version numbers, inputs, etc
      • What do your findings reveal?
    5. Exploitation
      • Use great care and rely on your intel
      • Is there an exploit for the target service?
        • Version-specific?
        • Architecture-specific (32-bit/64-bit)?
      • An incorrect exploit could crash the service
    6. Post Exploitation
      • Congrats, you got a shell!
      • Get a lay of the land
      • Privilege escalation, further penetration
      • Repeat the enumeration process (steps 2 through 5)
    7. Reporting
      • For a CTF, this could be a blog write-up
      • You'll want to clearly define how you exploited targets
      • Describe the vulnerability
      • Describe the exploit used and how it works
      • Describe any changes you made to an exploit
      • Describe how to prevent exploitation

Getting Hands-On Experience

This is the only reliable way to increase your knowledge and skills. You cannot spend your time studying only theory. You must apply the theory in practice in order to have a comprehensive understanding. This is the time to test and refine your attack methodology. Once you've established some confidence in the Core Skill Areas, spend plenty of time attacking a very diverse set of targets and operating systems.

Hosted Services

The benefit to using hosted services is that the lab and environment are already set up for you. Just bring your Kali VM and get to work. Some services also offer a pre-made Kali attack box for convenience.

The downside to using hosted services is that most of them will require a fee to use. Also, if you use the service's attack box, you're going to miss out on valuable experience setting up and maintaining your Kali VM.

Here's a list of some services that you can start using today to practice your attack methodology.

Offensive Security Proving Grounds
Virtual Hacking Labs

Home Lab

Guides I've Written

Building a Security Lab in VirtualBox
In this post, we will take a look at an in-detail process of setting up an entry-level cybersecurity lab using VirtualBox
  • VirtualBox is a free and open-source type 2 hypervisor
  • If you're new to virtualization, this is the best place to start
  • This guide is great for beginners and you'll get plenty of hands-on experience with systems and networking

Proxmox VE 7: Converting a Laptop into a Bare Metal Server
In this post, we will take a look at an in-detail process of setting up a Proxmox home lab on a bare metal server.
  • Proxmox is a free and open-source type 1 hypervisor
  • The Proxmox guide is going to require separate server hardware
  • In the guide above, I used an old laptop and converted it into a server
  • Proxmox has far more advanced capabilities than VirtualBox or VMware and would be a great logical next step once you've gotten comfortable with something like VirtualBox
  • This guide is for more advanced users and covers systems and networking concepts in far more depth

OSCP-Like Boxes

Here's a really great list of targets that could help you prepare for the OSCP and improve your pentesting methodology.

This list contains a large number of Vulnhub targets. When combined with the home lab guides above, you can self-host the Vulnhub targets in your own network free of charge and practice any time you like.

NetSecFocus Trophy Room - Google Drive

Roadmap to OSCP

WARNING: This does not guarantee that you will pass the OSCP exam. Use this for what it is – a generalized path to preparing for your OSCP exam.

This roadmap assumes you're a complete beginner; if you're not, start at whichever step suits your skill level:

Core Skills Competency

This is not an exhaustive list of everything you need to know, but it should be a good basis of determining your proficiency.

Operating Systems

  • You'll need to know a variety of operating systems for the OSCP
    • Windows
      • Windows XP
      • Windows 7
      • Windows 10
      • Windows Server
    • Linux (Debian and RedHat derivatives)
    • BSD
    • Possibly more
  • Be comfortable in the terminal
    • Bash
    • PowerShell (and legacy command prompt)
  • Know how to list the users and groups on an operating system
  • Know the file system hierarchy on various operating systems
  • Know how to get the current operating system version on various operating systems
  • Be familiar with the Windows Registry
  • Know how to list installed hotfixes on Windows
  • Know how to check and modify permissions and ACLs
  • Know how to check, create, and modify scheduled tasks
  • Know how to list running processes and services
  • Have a basic understanding of how Active Directory functions
    • Know how to work with AD in the shell and GUI
    • Know the difference between a local and network user
    • Know the difference between a local and network group
    • Know the difference between NTLM and Kerberos authentication
    • Know how to check various AD policies and configurations
    • Know how to query DNS records
    • Know how to query LDAP
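Listing users and groups is the first item on the list above, and on Linux it comes down to reading /etc/passwd and /etc/group correctly. The following is an added example (not code from the original post) that parses constructed copies of both files, lists the accounts that can actually log in, flags every UID 0 account, and resolves a user's full group membership (primary group by GID plus explicit secondary memberships). The account and group names are constructed sample data, not from any real host.

```python
# Constructed /etc/passwd and /etc/group content for the example.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/zsh
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
toor:x:0:0:second root:/root:/bin/sh
"""

GROUP = """\
root:x:0:
sudo:x:27:alice,toor
adm:x:4:alice
users:x:100:
alice:x:1000:
docker:x:999:bob
"""

# Shells that deny interactive login on most distributions.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_passwd(text):
    """Return {username: {'uid', 'gid', 'home', 'shell'}} from passwd-format text."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, home, shell = line.split(":", 6)
        users[name] = {"uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return users


def parse_group(text):
    """Return {groupname: {'gid', 'members'}}; members are the explicit
    (secondary) members listed in the fourth field."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = {"gid": int(gid), "members": [m for m in members.split(",") if m]}
    return groups


def interactive_users(users):
    """Accounts whose shell allows a login session."""
    return sorted(n for n, u in users.items() if u["shell"] not in NOLOGIN_SHELLS)


def uid0_accounts(users):
    """Every account with UID 0. More than one is worth explaining: a second
    UID 0 account is a classic sign of tampering."""
    return sorted(n for n, u in users.items() if u["uid"] == 0)


def groups_of(username, users, groups):
    """Primary group (matched by GID) plus every group naming the user as a member."""
    primary_gid = users[username]["gid"]
    return sorted(g for g, info in groups.items()
                  if info["gid"] == primary_gid or username in info["members"])


if __name__ == "__main__":
    users, groups = parse_passwd(PASSWD), parse_group(GROUP)
    print("interactive:", interactive_users(users))
    print("uid 0:", uid0_accounts(users))
    for name in ("alice", "toor"):
        print(name, "->", groups_of(name, users, groups))
```

On a real host, `getent passwd` and `getent group` are the better sources because they merge LDAP and other NSS backends with the local files, and `id <user>` is the authoritative membership check; the parsing above is the same logic those tools apply to the local files.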

Networking

  • You don't need to be a subnetting wizard
  • Given an IP address and network mask: know how to figure out your IP address space
  • Know how to query and configure network interfaces on the command line
  • Know how to read a routing table on the host
  • Know what ARP is and how to read an ARP table
  • Know how to list listening ports on a host
  • Know how to pivot to internal networks when your target has multiple interfaces or routes
    • Proxying
    • Tunneling
  • Know how to forward individual ports
  • Be familiar with the OSI model
  • Understand the fundamentals of TCP/IP networking
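Two of the items above, working out your address space from an IP and mask and reading a routing table, can be checked in code. The following is an added example (not code from the original post) that uses Python's standard `ipaddress` module to describe a network from a host address and mask, then parses a constructed `ip route` style table and answers "which interface and gateway would this destination use?" with the same longest-prefix-match rule the kernel applies. The routes, addresses and interface names are constructed sample data.

```python
import ipaddress


def address_space(ip: str, mask: str) -> dict:
    """Describe the network a host sits in, given its address and either a
    dotted netmask ("255.255.255.0") or a prefix length ("24")."""
    net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    hosts = list(net.hosts())
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "prefix": net.prefixlen,
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
        "usable_hosts": len(hosts),
    }


# Constructed routing table in the format printed by `ip route` on Linux.
ROUTES = """\
default via 10.0.0.1 dev eth0
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.15
172.16.0.0/16 via 10.0.0.254 dev eth0
192.168.50.0/24 dev eth1 proto kernel scope link src 192.168.50.7
"""


def parse_routes(text):
    """Return a list of (network, gateway_or_None, device) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        net = ipaddress.ip_network(dest, strict=False)   # bare host -> /32
        gateway = parts[parts.index("via") + 1] if "via" in parts else None
        dev = parts[parts.index("dev") + 1] if "dev" in parts else None
        routes.append((net, gateway, dev))
    return routes


def lookup(routes, destination: str):
    """Longest-prefix match: the most specific route containing the address wins.
    A gateway of None means the destination is on a directly connected link."""
    addr = ipaddress.ip_address(destination)
    best = None
    for net, gateway, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, dev)
    if best is None:
        return None
    return {"route": str(best[0]), "gateway": best[1], "dev": best[2]}


if __name__ == "__main__":
    print(address_space("10.0.0.15", "255.255.255.0"))
    table = parse_routes(ROUTES)
    for dst in ("10.0.0.77", "192.168.50.20", "172.16.9.1", "8.8.8.8"):
        print(dst, "->", lookup(table, dst))
```

The second interface (`eth1`) and the `172.16.0.0/16` route via a different gateway are exactly the kind of detail that tells you a host sits between networks; reading the table this way, before touching anything, is how you learn what the host can reach.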

Web

  • Know the various HTTP request methods
  • Know the most common HTTP response codes
  • Know some basic HTTP headers and how they work
  • Know the basic functionality of a web server
  • Know how to make HTTP requests from the command line
  • Know how to use Burp or some other web proxy
  • Know how DNS works to resolve hostnames to IPs
  • Know how DNS hostnames correlate to virtual hosts on a web server
  • Know how to modify your hosts file on your attack box
  • Know how to modify your DNS settings on your attack box
  • Be familiar with SQL and NoSQL databases
    • Have basic proficiency in SQL
    • Understand SQL injections
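The three DNS items above (hostnames mapping to virtual hosts, and editing the hosts file or DNS settings on your attack box) all come down to one mechanism: the web server picks the site from the Host request header. The following is an added example (not code from the original post) that runs a small virtual-host-aware HTTP server on a loopback port and then connects to it by IP while sending different Host headers, which is what a hosts-file entry makes your browser do. The hostnames `www.example.test` and `dev.example.test` and the site contents are constructed for the example.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed virtual hosts: the one server serves a different site per Host header.
VHOSTS = {
    "www.example.test": "public marketing site",
    "dev.example.test": "development build",
}
DEFAULT_VHOST = "www.example.test"   # served when the Host header matches nothing


class VHostHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Strip any ":port" suffix, then select the site by hostname.
        host = self.headers.get("Host", "").split(":")[0].lower()
        name = host if host in VHOSTS else DEFAULT_VHOST
        body = f"{name}: {VHOSTS[name]}\n".encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # keep the example quiet
        pass


def start_server():
    """Bind to 127.0.0.1 on any free port and serve in a background thread."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), VHostHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch(port, host_header):
    """Connect to the IP directly and send an explicit Host header.
    Returns (status, body)."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", "/", headers={"Host": host_header})
    resp = conn.getresponse()
    body = resp.read().decode()
    conn.close()
    return resp.status, body


def demo():
    """Request the same IP three times with different Host headers;
    returns {host_header: (status, body)}."""
    srv = start_server()
    port = srv.server_address[1]
    try:
        return {h: fetch(port, h)
                for h in ("www.example.test", "dev.example.test", "127.0.0.1")}
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for host, (status, body) in demo().items():
        print(f"Host: {host:18} -> {status} {body.strip()}")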

Programming

  • You don't need to be a full-time engineer or a computer science wizard
  • Have some basic proficiency in AT LEAST one of these object-oriented languages:
    • PowerShell
    • Python
  • Have a basic understanding of primitive data types in programming
  • Know how to use flow control logic (conditions)
  • Know how to use loops
  • Know how to read, create, and edit Bash scripts
  • Know how to read, create, and edit public exploits
  • Know how to compile public exploits
    • 32-bit
    • 64-bit
  • Know how to read and understand error messages when your scripts fail
    • Google the error messages when you can't figure it out

Hands-On Practice

You'll want to have plenty of hands-on practice against a variety of targets and operating systems. Below is a good list to review some technical concepts in a hands-on format. I'd strongly recommend checking out the OSCP-Like Boxes list, as it contains targets from Vulnhub, as well as other paid platforms. By following this list, you'll get plenty of exposure to Linux and Windows operating systems.

Nail Down Your Attack Methodology

Target Variety

  • Get lots of practice against a variety of operating systems
  • You could use some of the hosted services mentioned above
  • You could set up a home lab and host some of your own vulnerable targets

Active Directory

  • Get comfortable with the Active Directory exploit chain
  • Active Directory is just an extension of Windows fundamentals
    • You'll need your Windows methodologies
    • And, you'll need to understand the core function of Active Directory


Attacking Active Directory

More Pages to Check Out

The Five Pillars of InfoSec
Total OSCP Guide
The Journey to Try Harder: TJnull’s Preparation Guide for PEN-200 PWK/OSCP 2.0
