I wasn’t sure how to start this, but if you are looking for OSCP experience summaries, you must already have some understanding of OSCP. Below, I have listed some official requirements and relevant links for those interested.
OSCP+ Introduction:
https://help.offsec.com/hc/en-us/articles/29840452210580-Changes-to-the-OSCP
Exam Changes Introduction:
https://help.offsec.com/hc/en-us/articles/29865898402836-OSCP-Exam-Changes
OSCP Report Requirements (Just for reference, usually everyone uses the following project):
https://help.offsec.com/hc/en-us/articles/360046787731-PEN-200-Reporting-Requirements
Report Project Link:
https://github.com/noraj/OSCP-Exam-Report-Template-Markdown
The template I used:
OSCP-exam-report-template_OS_v2.md
Exam Guide (If you are taking the exam, this is a must-read):
https://help.offsec.com/hc/en-us/articles/360040165632-OSCP-Exam-Guide-Newly-Updated
The links above provide the official requirements. Keep in mind that the exam guide may be updated frequently, so always check for the latest version. Now, let me share my OSCP certificate. I have blurred my name and QR code as I don’t want to disclose my identity for now. (The built-in CDN had some issues where images were served over HTTP and forced a redirect to HTTPS. After fixing it, it no longer uses HTTPS, but the images cannot load in the source code. It’s quite odd. On PC, click on the blank space where the image should be, and you’ll be redirected. Mobile works fine.)
During my learning journey, the following blog has been incredibly helpful. I was not very skilled in Active Directory environments, and this blog summarizes many domain penetration techniques. You can follow each section, build a test environment, and search for relevant tutorials to replicate the attacks. This blog serves as a structured directory with exploitation methods, and it has helped me immensely. Huge thanks to 0r@nge.
Domain Penetration Blog:
https://0range-x.github.io/2022/01/26/Domain-penetration_one-stop/
My Learning Journey
In 2022, while doing an internship, I wanted to obtain a certification. I searched extensively but found that most certifications lacked strong recognition. By chance, I discovered OSCP and set it as my goal. Initially, I practiced mainly on VulnHub labs, albeit intermittently.
From 2022 to 2023, and even sporadically in early 2024, I kept working on VulnHub labs. However, I only took serious action in October 2024. The HW season had ended a month prior, and my work primarily involved security services, blue team operations, and penetration testing—never provincial-level red teaming. I had interacted with many people, mostly provincial-level red teamers but not at the national level. (After all, those with true GH-level skills wouldn’t join the blue team.)
Currently, I am a senior undergraduate student graduating in 2025. I can take an internship in early 2025, so I decided to obtain OSCP and look for a red team internship in my preferred field.
My Thoughts on VulnHub, HackTheBox, and OSCP Challenge Labs
Most of my practice was based on TJ NULL’s recommended labs: https://docs.google.com/spreadsheets/d/1dwSMIAPIam0PuRBkCiDI88pU3yzrqqHkDtBngUHNCw8/edit?gid=530535513#gid=530535513
- VulnHub: Primarily CTF-oriented. Many challenges involve hiding information within source code, abnormal web pages, or cryptographic puzzles—techniques that rarely appear in HTB or OSCP. However, it’s a great free resource to learn about Linux services, commands, and penetration testing basics (e.g., UDP FTP, NFS, SMB). While highly CTF-focused, it’s useful for reinforcing fundamentals. Downsides: only Linux targets, requires manual setup.
- HackTheBox (HTB): Less CTF-heavy. Most machines focus on a single vulnerability or exploitation chain, providing a well-thought-out, realistic learning experience. Logical flow is crucial, and sometimes deep technical knowledge is needed to understand exploits fully. Advantages: excellent learning structure, real-world vulnerability scenarios. Downsides: requires a subscription, and some say it’s harder than OSCP. I agree it’s a good supplementary resource for OSCP.
- PG Practice Labs (PG): I didn’t practice on PG but reviewed some Windows Privilege Escalation writeups. Compared to HTB, PG appears more sophisticated, aligning with OSCP’s Try Harder mindset. HTB is about specific vulnerabilities, whereas PG emphasizes logic and lateral movement within AD environments.
- OSCP Challenge Labs: More realistic penetration testing environments without predefined vulnerabilities. Each lab represents a simulated company network. Some labs, like Skylark, are particularly challenging. Unlike HTB’s methodical approach, Challenge Labs require a mindset shift—treating the environment as a real-world assessment. Completing these labs with peer and instructor guidance was invaluable.
For those preparing for OSCE³, there are additional OSCP Challenge Labs beyond the exam scope.
My OSCP Exam Experience
From registration to certification, it took exactly one month—31 days.
- Registered: December 11
- Completed 7 Challenge Labs: January 1
- Exam: January 8, 12 PM
- Report Submitted: January 10, 3 AM
- Certification Received: January 11
Most of my OSCP practice focused on Linux, but OSCP emphasizes Windows. I recommend shifting focus toward Windows exploitation.
Exam Challenges
My final score was 70, just passing the threshold. The AD section differs from OSCP A-C; the entry point was easier, but the second AD host required complex privilege escalation. My biggest challenge was unstable tunneling (Ligolo-ng and Chisel). Nmap scans failed, forcing me to rely on intuition.
I spent nine hours troubleshooting AD privilege escalation. I suspected a Jenkins vulnerability but couldn’t find credentials, and my tunnel kept crashing. Retrospectively, I should have enumerated directories more aggressively.
Ultimately, I leveraged my Linux expertise to secure a passing score. Out of five machines:
- Two independent Windows hosts (required non-standard privesc)
- One Linux host (quick root)
- AD Entry (very easy)
- AD Internal (unsolved)
Final Thoughts
I regret not owning the domain controller, but passing matters more. As with driving tests, a pass means you’re qualified. The real challenge is refining skills post-certification.
During my exam, exhaustion set in. At 30 points, I struggled with doubts, questioning if my OSCP journey was worthwhile. By prioritizing Linux escalation and Windows privesc, I secured a passing score. Proper documentation was crucial—my PC blue-screened after the exam, but I had backups.
OSCP’s Value
OSCP sets a baseline competency: independent penetration testing under time constraints. While some critique its marketing, many employers recognize OSCP as proof of fundamental skills. It establishes a lower bound but doesn’t define one’s upper limits.
Lastly, I previously shared my learning journey on CSDN but switched to Yuque. Inspired by other OSCP bloggers, I finally built my own website for documentation and learning records. This will also help in securing a red team internship.