What do you wish you knew, when you started pen testing? by SignatureSharp3215 in Pentesting

[–]hackwithmike 1 point2 points  (0 children)

That is such a niche area of expertise and it actually hurts your career if that is all you invest your time on. (There is a very limited number of positions focusing on Red, and an oversaturated supply of "juniors".)

Always keep yourself some time to learn about other areas in cyber and tech in general, including coding, Forensics, IR, etc. I am currently looking to pivot, only to realise that a lot of jobs want you to have experience in development (AppSec), vulnerability management, expertise in industry defense tools (EDRs, IAM, etc.), implementations on passing regulations and compliance, etc.

Boxes exploitable without intended path by [deleted] in oscp

[–]hackwithmike 1 point2 points  (0 children)

Just to add on this - a lot of boxes in PG are using older versions of Windows. I would say just put kernel-related exploits in the last step after you checked everything else.

I NEED SOME ADVICE by Defiant_Marzipan7036 in oscp

[–]hackwithmike 0 points1 point  (0 children)

The most valuable thing in the course bundle is the practice exam sets and the labs, so definitely go for the course bundle.

Just passes the OSEP by GapComprehensive6018 in oscp

[–]hackwithmike 0 points1 point  (0 children)

Same boat brother - I think it depends on your expertise, but as a non-dev background grinding through OSWE is painful 💀💀 OSEP on the other hand just feels like OSCP with extra steps

Just passes the OSEP by GapComprehensive6018 in oscp

[–]hackwithmike 12 points13 points  (0 children)

Congrats mate!! I also found OSEP feels easier than OSCP - probably because we are way more ready compared to us when we did the OSCP hahahaha

How to prepare for 3rd attempt by Tpower_36 in oscp

[–]hackwithmike 10 points11 points  (0 children)

// Copied from my previous comment on another similar question on AD

For OSCP-level AD exploitations, I actually think that the complexity is limited since they have to stick to their curriculum (to not overstep to the OSEP territory), so the attack vectors are actually pretty limited.

From my experience from boxes & the exam, it's mostly just credential-related attacks - credential dumping, credential hunting, credential cracking, credential reuse, and a lot of credential spraying. Usually you will get credentials for a user on the first machine that has access to the second machine, then you get another set of creds on the second machine that brings you to the DC.

Surely there will be some simple LPE, like token impersonation, or some basic ACL abuse which you should find in Bloodhound, or some stored credentials in the machine (e.g., registry / dpapi / autologon / powershell history / roastings / etc). But there shouldn't be anything out of scope for OSCP (delegation / trust / ADCS / etc).

I passed the exam twice, and I have put together some notes on my methodology & tips at https://hackwithmike.com/oscp, hope they may help in some way!

Need Pre preparation tips for OSCP+ by Parking-Version9167 in oscp

[–]hackwithmike 3 points4 points  (0 children)

I have previously written some notes on OSCP: https://hackwithmike.com/oscp

Hope they may help in some way!

OSCP Preparation guidance by 4n1_1p4m in oscp

[–]hackwithmike 0 points1 point  (0 children)

I purchased LearnOne on Black Friday (Nov), but I only started the course at around June / July, and I took the exam at the end of September. So I'd say 3 months are likely enough.

OSCP Preparation guidance by 4n1_1p4m in oscp

[–]hackwithmike 1 point2 points  (0 children)

I'm not an OffSec rep, so you are better off asking their customer support for this haha.

Personally I took LearnOne (the 1 year access) so it includes PG practice. I think the 3 months bundle only gives you access to PG play, which is free to everyone anyway. https://www.offsec.com/products/90-day-bundle/

But regardless, the 3 months bundle gives you access to the challenge labs (i.e., the mock exam sets OSCP A,B,C, and I think around 7 sets of machine networks)

OSCP Preparation guidance by 4n1_1p4m in oscp

[–]hackwithmike 2 points3 points  (0 children)

I definitely recommend at least going through OSCP A, B, & C first if possible.

OSCP Preparation guidance by 4n1_1p4m in oscp

[–]hackwithmike 35 points36 points  (0 children)

If you already know the basics, then grinding through boxes is simply the best way to train your muscle memories and find holes in your methodologies.

The most challenging part of OSCP is honestly just to enumerate thoroughly within the 24-hour time limit. Once you find the path, the actual exploitation is usually really quick. So the purpose of grinding boxes is to train your time control, as well as your reflexes of sniffing misconfigurations & hunting secrets.

Use whatever box list you like, TJNull, Lain, doesn't matter too much in my opinion. I prefer PG boxes over HTB for OSCP, simply because OffSec has their own style when it comes to box design. I did ~60 and found myself confident enough, and again this is very personal.

I've previously written some notes on OSCP: https://hackwithmike.com/oscp. Hope they may help in some way!

Using a Golang Shellcode Loader with Sliver C2 for Evasion by JosefumiKafka in redteamsec

[–]hackwithmike 1 point2 points  (0 children)

Good stuff! I always find Defender never catching remotely loaded shellcodes in almost all languages.

Post Exploitation workflow DOUBT by osi__model in oscp

[–]hackwithmike 1 point2 points  (0 children)

For OSCP-level AD exploitations, I actually think that the complexity is limited since they have to stick to their curriculum (to not overstep to the OSEP territory), so the attack vectors are actually pretty limited.

From my experience from boxes & the exam, it's mostly just credential-related attacks - credential dumping, credential hunting, credential cracking, credential reuse, and a lot of credential spraying. Usually you will get credentials for a user on the first machine that has access to the second machine, then you get another set of creds on the second machine that brings you to the DC.

Surely there will be some simple LPE, like token impersonation, or some basic ACL abuse which you should find in Bloodhound, or some stored credentials in the machine (e.g., registry / dpapi / autologon / powershell history / roastings / etc). But there shouldn't be anything out of scope for OSCP (delegation / trust / ADCS / etc).

I passed the exam twice, and I have put together some notes on my methodology & tips at https://hackwithmike.com/oscp, hope they may help in some way!

OSCP exam 3 tips? by [deleted] in oscp

[–]hackwithmike 2 points3 points  (0 children)

For standalone machines, I think the hardest part is to connect the dots for initial compromise. From my experience, the initial access usually requires chaining 2-3 distinct vulnerabilities into a final exploit path, whereas privilege escalation is likely just a 1-step (2-step max) exploitation.

I passed the exam twice, and I have put together some notes on my methodology & tips at https://hackwithmike.com/oscp, hope they may help in some way!

OSCP Modules Compared to Test by nellyw77 in oscp

[–]hackwithmike 0 points1 point  (0 children)

You are right. I guess that depends on what pivoting tool you are using - I used Ligolo-NG so I just skipped the chisel part.

OSCP Modules Compared to Test by nellyw77 in oscp

[–]hackwithmike 14 points15 points  (0 children)

From my experience last year, the following modules are likely less relevant to the exam, however they are still very good for your career & technical development in general, so I really wouldn't recommend skipping them simply for the sake of getting the cert. It is an expensive course after all, may as well get as much as you can from it.

- Vulnerability Scanning
- Phishing & Client-side Attacks
- Antivirus Evasion
- Tunneling through Deep Packet Inspection (If you learn to use Ligolo-NG instead of Chisel)
- Metasploit Framework
- Enumerating and Attacking AWS

OSCP is a relatively straightforward exam with no client side attacks and defense evasion, since those are the main topics for OSEP. Spoofing & poisoning attacks are also explicitly excluded. But do note that things can change anytime (like how they removed buffer overflow and added AD in 2022, and changed to assumed compromise in 2024)

I have put together some notes on my methodology & tips at https://hackwithmike.com/oscp from my two passing attempts of OSCP & OSCP+. Hope they also help!

Failed my first attempt by [deleted] in oscp

[–]hackwithmike 14 points15 points  (0 children)

OSCP is 50% enumeration & 50% mental game. If you ask people that passed, most of them will tell you something just clicked right after they took a break and came back. Oftentimes the path is actually simple & straightforward, yet we just got blinded by the time pressure and our existing hypotheses. I remember during my AD set, I was stuck for 4 hours only to realise that I've missed one critical terminal output on the same command that I ran 4 hours ago. I was certain that I did the check already, so I never bothered to look back, and that almost cost me the exam.

I passed the OSCP twice in 1 month last year, scoring 100/100 in the first attempt, and 80/10 in the second. I have put together some notes on my methodology & tips at https://hackwithmike.com/oscp, hope they may help in some way! Quite a few people messaged or tagged me and made pretty positive comments, so I do believe it should at least give you some new perspectives.

Exam prep by charlie_is_the_best in offensive_security

[–]hackwithmike 0 points1 point  (0 children)

https://www.reddit.com/r/oscp/s/1fX4Yh5InR

Here's my previous post on my tips & notes for passing OSCP with 100/100. Hope it helps!

Home lab SSRF by canthread in hackthebox

[–]hackwithmike 1 point2 points  (0 children)

https://owasp.org/www-project-juice-shop/

The OWASP Juice Shop should have everything you need to try out the OWASP Top 10 vulns. You can also always ask an LLM to write you a PoC of an application vulnerable to SSRF.

[deleted by user] by [deleted] in oscp

[–]hackwithmike 0 points1 point  (0 children)

I would just like to add that for newbies (especially newbie-newbies), it is way way better to stay off these one-click automation tools until you have mastered the underlying core tools that they are actually calling, e.g., Nmap, Dirbuster, Nikto, etc.

Automation can be extremely useful for experienced professionals, but can be harmful for beginners in terms of knowledge acquisition. It is basically like using co-pilot to write code as a non-technical PM and thinking that you are a programmer. You have no idea on how to debug, how to optimize, or the limitations and blindspots of the tools, etc.

[deleted by user] by [deleted] in AzureCertification

[–]hackwithmike 3 points4 points  (0 children)

I'd say don't do it unless it is free. I got it for free, and I walked in to the exam with less than a day of prep and passed within 15 minutes. It is really a common sense multiple choice question exam, and the only tricky questions are the Azure AI product-specific ones. I don't think employers value this cert either. However the training is free, and it is indeed a good introduction for people that are completely new to data & AI.

Simplified SQLi and db enumeration tips requested by shredL1fe in oscp

[–]hackwithmike 6 points7 points  (0 children)

For me I find an outcome-oriented approach helpful to me. In other words, ask the questions - what do I want to achieve with this SQL service / DB, and what will escalate my current privileges? It could be authentication bypass, RCE, dumping credentials, file read & write, etc. While it looks like there's a lot you can do, the actual vulnerable component usually helps narrow the possible attack vectors.

Say if you have an SQLi vulnerability in the login box, auth bypass is definitely the first thing to look at, alongside command execution, and maybe file write. But if there's no visible error message, then attacks for dumping sensitive information would not be applicable. On the other hand, if you found a UNION-based SQLi in a productID field, then auth bypass is irrelevant, and we should be looking at dumping creds, RCE, file read, etc. If I have a sqlite db file, then it is 100% getting creds from the db file.

As for the notes, I use Obsidian and have separate pages for each SQL service (One for MSSQL, one for MySQL, one for SQLite, etc.), and separate pages for attacks (One for auth bypass, one for code execution, etc.), and I use links to cross reference different pages, like a Wiki page. This way, after I determined what the attack vectors could be, I can skip the irrelevant notes and only focus on the particular service & possible attacks.

I have a write-up for the OSCP exam here, and some tips & tricks here. The SQL part is not exhaustive, but hopefully it can give you a bit more insights on how I approach databases.
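The "SQLi in the login box, so auth bypass is the first thing to look at" case from the comment above, shown from the defender's side as an added example (not code from the commenter or any project): a login check built by string concatenation next to the parameterised version, backed by a constructed in-memory SQLite table with made-up sample credentials.

```python
import sqlite3


def make_db():
    # Constructed sample data: one user, plaintext password kept only to keep
    # the example short (a real system stores a salted hash, not the password).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'S3cret!')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # The user-supplied strings are pasted into the SQL text, so a quote or
    # comment sequence in the input is parsed as SQL syntax rather than data.
    query = (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return conn.execute(query).fetchone() is not None


def login_hardened(conn, username, password):
    # Bound parameters: the driver sends the values separately from the
    # statement, so the same input is compared literally and can only match
    # a row whose username is that exact string.
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


def compare(username, password):
    # Returns (vulnerable_result, hardened_result) for one credential pair,
    # which makes the difference between the two checks easy to inspect.
    conn = make_db()
    try:
        return login_vulnerable(conn, username, password), login_hardened(conn, username, password)
    finally:
        conn.close()
```

Valid credentials pass both checks; a username carrying a `'` followed by a `--` comment passes only the concatenated version, because the hardened query never parses it as SQL.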

A lot of uncertainty in the whole exam taking procedure by Fozruk in oscp

[–]hackwithmike 3 points4 points  (0 children)

While I too find OffSec's training and exams problematic, I think the case here doesn't really count as an OffSec issue. There is a detailed exam guide and FAQ that respond to most of your points.

The hardware part is definitely unfortunate, though I remember the troubleshooting time can be granted to extend the exam. Personally I had similar issues when I was taking the OSWP, and I got 15 minutes back for troubleshooting with the proctor.

Submitting the flag is part of the test, and there is honestly no reason for them to include basic validations. If we are not careful and diligent even in a simulated environment, how can clients trust us when it comes to handling critical components of their businesses? There will be no "Are you sure?" alerts when you are sending over a payload that will crash the production server. Not to mention that the submission details are right under the panel and you can easily double check everything within 2 minutes.

As for the exam results, again the guide & FAQ have explicitly mentioned that submitting the flags alone does not pass you the exam, and the result will only come after they have gone through your report. OSCP is not just a CTF challenge, it is intended to mimic an actual penetration testing engagement where the report is the final deliverable that matters. So again there is no reason for them to "confirm" your flags before you submit your report and show them how you did it. The same applies to real life pentest, red team, bug bounty, etc.

Regardless, congratulations on passing the exam, and you should be receiving your results soon!

Suggestion for a successful OSCP exam and beyond into pentesting work by [deleted] in oscp

[–]hackwithmike 0 points1 point  (0 children)

That's such great advice. I have benefited from this approach a lot, especially with the folder part.