OSCP Preparation and My Journey to 90 Points
- Guy .
Passed on my third attempt – here's the full story.
My Background
Before beginning the PEN-200 course, I already had a solid foundation in offensive security:
Two years of hands-on military experience in the cyber field.
Completed most of TryHackMe’s Offensive Pentesting and Red Team paths.
Completed several VulnHub boxes and various Udemy courses.
Finished a well-known and structured offensive cyber course in my country, marketed as a preparation path for the OSCP.
What is the OSCP?
The Offensive Security Certified Professional (OSCP) is a hands-on penetration testing certification, known for its grueling 24-hour exam that simulates a real-world black box engagement. It's one of the most respected certifications in the offensive security industry — not just because of the knowledge it requires, but because of the mental and strategic discipline it demands.
What is a Black Box Engagement?
A black box engagement is a type of penetration test where the tester has no prior knowledge of the environment. This simulates a real-world attack scenario, forcing you to enumerate from scratch, think creatively, and adapt rapidly — exactly what the OSCP exam aims to replicate.
Who are OffSec?
Offensive Security (OffSec) is the organization behind the OSCP, known for their high standards, rigorous training, and no-nonsense approach to offensive security education. Their goal: train professionals to think like real attackers — methodical, patient, and precise.
The PEN-200 LearnOne Bundle
I purchased the PEN-200 LearnOne bundle, which gave me:
1 full year of access to the PEN-200 course
Full access to PG Practice machines (highly recommended — more on that below)
Access to the OSWP (PEN-210) course and exam
Access to the KLCP course and exam (I chose not to take this)
What Are PG Practice Machines?
These are additional machines provided by OffSec that go beyond the standard course labs. They simulate real-world environments, offering practical and diverse scenarios to improve enumeration, exploitation, and post-exploitation techniques. They're tougher than the regular course labs and highly representative of what to expect in the exam.
A Note on the Exam Format I Took
I passed the OSCP (Offensive Security Certified Professional) exam on October 5, 2024, before the "assumed breach" format was introduced.
At the time:
The exam was 24 hours long, followed by 24 hours for reporting.
It consisted of six targets:
Three standalone Linux/Windows machines (10-20 pts each)
Each of the three machines is completely isolated — you start from scratch on every one of them. Partial points are awarded: 10 points for gaining low-privileged user access and another 10 points for achieving administrative or root access.
An Active Directory set with two machines and a DC (40 pts total)
The Active Directory environment includes three interconnected machines, with the ultimate goal being full compromise of the Domain Controller — the central authority of the AD setup. To reach it, you must first work your way through the two other machines. If you don’t manage to take over the Domain Controller, you won’t score any points for this section.
There was also a bonus 10 points available by completing the required PEN-200 coursework on the OffSec platform:
"The student must submit at least 80% correct solutions for every Topic in PEN-200. The student must also submit 30 correct proof.txt hashes in the OffSec Platform."
These 10 points ended up being crucial for many OSCP holders I know.
First Attempt – Total: 40 Points (Fail)
Date: August 1, 2024
Prep Journey Before the First Attempt
I didn’t go in cold.
From the second I bought the PEN-200 course, the entire learning process took me one year to complete.
In this process, I did the following:
Read the entire courseware three times
Completed all labs, capstone challenges, and challenge labs including Skylark (which is considered beyond the scope of the OSCP exam)
Followed the official OffSec Prep Guide
Completed all the PG Practice machines in the "Supplemental Learning" section
I also followed these two OSCP preparation lists of machines on platforms such as HackTheBox, VulnLab, TryHackMe and PG Practice:
Lainkusanagi list
TJ Null list
For my first exam, I finished all the PG Practice machines from these lists, and some of the TryHackMe and HackTheBox ones. I bought premium accounts on TryHackMe and on HackTheBox in order to solve some of the boxes.
After all of this, I felt ready. My methodology was solid, I could root medium HTB boxes in ~2 hours, and my toolset was sharp.
So I chose to schedule my exam.
Exam Day:
Things started off okay — I got initial access and privilege escalation on the first machine in the AD set within 30 minutes.
Then, I got stuck.
I wasted 7.5 more hours trying to pivot laterally to the next box in the AD set. The tunnel vision kicked in, and my confidence tanked.
Eventually, I moved to the standalone machines — too late. I managed to fully root one and get initial access on another, totaling 40 points, including my bonus 10.
What went wrong:
Tunnel vision on the AD set — I should have moved on much sooner.
Enumeration skills weren’t sharp enough — I missed an obvious low-hanging fruit.
Burned too much time instead of timeboxing.
What I learned:
OSCP isn’t about proving your technical worth — it’s about thinking like a real-world pentester.
Have a plan: if you’re stuck for more than 2 hours on a box, move on.
Automate where possible so you can focus your brainpower where it matters.
Second Attempt – Total: 50 Points (Fail)
Date: August 29, 2024
My Preparation
Finished TJ Null list and more of the Lainkusanagi list
Learned new automation tools
Built mock exams (Using HackTheBox/PG Practice Machines):
3 standalones + 1 AD set
24-hour timer
No hints allowed
Mock exams helped a lot with mental conditioning and stress management.
Exam Day:
AD set: initial access but no privilege escalation
Rooted two standalone boxes
Couldn’t get initial access on the third standalone machine.
Total: 50 points
What went wrong:
Again, I couldn’t finish the AD set
Three full standalones are extremely tough to root in one exam
What I learned:
AD set is make-or-break — it’s the biggest chunk of points
Being technically capable isn’t enough — you need speed, triage, and clear attack chains
Third Attempt – Total: 90 Points (PASS)
Date: October 3, 2024
This time, it clicked. Every setback, every reset box, every hour spent reading writeups paid off.
My strategy:
Focus first on fully compromising the AD set
Then root one standalone (combined with bonus points = pass)
What worked:
Pwned the entire AD set in 6 hours
Rooted one standalone easily after that
Reset boxes mid-exam when I was confident in the exploit
Wrote the report during the exam — screenshots + notes live
Had enough time left to root another standalone
Total: 90 points
Tools & Habits That Saved My Life
Enumeration:
Automating the enumeration phase using Tib3rius's AutoRecon (which was allowed by the time I took the exam)
Scanning all open ports, not missing a single one
Using HackTricks like a checklist for every service/port
AD Enumeration:
bloodhound-python - a Python-based ingestor for BloodHound, designed to run from a Linux system. Unlike the original BloodHound ingestors (SharpHound.exe or SharpHound.ps1), which run on Windows, bloodhound-python lets you perform remote Active Directory enumeration from Linux, making it ideal for red teamers and pentesters operating from Kali or another Linux distro.
PE Scripts:
linpeas, winpeas - for automated local PE checks
pspy - a command-line tool designed to snoop on processes without the need for root permissions. It lets you see commands run by other users, cron jobs, etc. as they execute.
Manual validation of every PE vector
Timeboxing + Enumeration Templates:
Followed my personal checklist every single time
Reviewed every open port hourly for missed vectors
Documentation:
Used Obsidian for structured note-taking and screenshots
Report template was mostly filled by exam end
Final Advice for OSCP Candidates
Don’t rush into scheduling your exam. Make sure you can consistently root boxes without Metasploit.
Do mock exams — test yourself under real pressure.
Document every single step of your preparation.
Learn to fail fast: if something doesn’t work in 45–60 minutes, try a different path.
The exam is absolutely beatable — if you train not just your skills, but your discipline.
If you've made it this far, I hope this post gave you real insight — not just another generic OSCP review. The grind is real, but so is the reward. Good luck, and hack the box.