A Systematic Approach to Passing the OSCP in 2025

Blog by RAD COP Cooperative

Category: Information Security – Tutorial

Introduction

The widely known (in narrow circles) organization Offensive Security is a flagship in the cybersecurity field, offering specialists unique educational programs and certification courses aimed at deep immersion in penetration testing.

The most popular and well-known of these is the Offensive Security Certified Professional OSCP certification. This September, I successfully passed the exam and want to share my preparation experience, including mistakes made along the way.

First, let me provide some context about the conditions under which I prepared for the exam. Starting point:

• 6 years in offensive security at the time of preparation;
• 2–3 work projects running simultaneously, so I could only study in the evenings or on weekends;
• 3 months of paid lab access (included in the standard $1649 bundle);
• A strong desire to learn.

2. Preparation

As David Allen mentions in his book Getting Things Done, any task that requires more than one action should be considered a project. So, preparing for and taking the OSCP became a full-fledged project for me — requiring a comprehensive approach.

2.1 Gathering Information About the Exam

Like any standard penetration testing project, I began with information gathering. Sure, I had heard plenty about OSCP — the challenges, the memes (like “Try Harder”), etc. — but I realized my understanding was still surface-level and needed improvement.

Here’s what I did:

• Synergy effect: I created a Telegram group, organized it by topics, and invited colleagues from both pentesting and other fields. One of the participants was an OSCP holder (shoutout to Anya!), which was incredibly helpful. The group became a mutual support and knowledge-sharing environment.
• Analyzing existing resources: I watched about ten YouTube videos with OSCP tips and took notes (links shared at the end of the article).
• Strategic planning: We held an internal seminar on effective learning, outlined next steps, and prepared for possible failure scenarios and counter-strategies. Thanks to RAD COP chairman Rustam Guseinov for sharing his experience. The seminar resulted in a high-level plan:
• Assess the overall scope to identify what to learn, then go deep into unknown topics first;
• Practice conscious reading as a key tool;
• Talk to those who’ve already passed and make a step-by-step learning plan;
• Set timeframes for learning specific topics;
• Don’t cram the day before the exam — rest well instead;
• Burn bridges (lock in the exam date!);
• Use the Feynman technique to explain concepts in your own words;
• Consider failure scenarios, such as:
• False sense of ease at the start;
• Bad time management;
• Wrong tactics on exam day;
• Falling into procrastination or overthinking;
• Take a mock exam if possible;
• Prepare a comfortable exam environment (rest, food, stable internet, hydration);
• Plan for fatigue, know when to take breaks.
• Compiling official resources: I collected all related articles from the OffSec site, extracted key takeaways, and made thorough notes. This was a continuous process — I kept finding useful materials during lab work thanks to the Baader–Meinhof effect (noticing what you just learned everywhere).

2.2 Studying the Theory

After paying for the exam, I got access to the official theory material. The student portal had an interactive topic selector and downloadable PDF (about 600 pages). Each section included theory, practical questions, and end-of-section exercises (completing these gave bonus points).

Some key insights:

• The 600-page manual took about 2 months to read. It’s very well written.
• It covers essential topics: web attacks, Linux/Windows privilege escalation, hash and Kerberos attacks, AD exploitation, and public exploit customization.
• The Effective Learning section is especially valuable — not only for pentesters but for all professionals using the PDCA cycle. Highly recommended.
• I read slowly, skipping known content and focusing on web pentesting and effective learning techniques.

I also recommend an external article that gives a high-level overview of everything that could be on the OSCP, along with a 6-hour breakdown video I watched.

2.3 Lab Work

Labs are a critical component of OSCP prep. In the OffSec article A Path to Success in the PWK Labs, they discuss success probability based on machines solved:

• Solving fewer than 11 machines = <30% chance of passing.

2.3.1 First Lab

At first, I skipped the theory thinking I knew enough. But OSCP labs were different from what I was used to — and it showed.

• Took 16 days to complete.
• You must exploit specific machines to reach the internal network. Frustrating but valuable.
• I often needed help from the official Discord server due to non-obvious attack vectors.
• No cheat sheet at the start — I eventually built one from scratch, which I recommend.
• No structured note-taking system — early chaos made it hard to track progress.
• No credentials table — yet tracking discovered logins/hashes is essential.

After the first lab, I had:

• A cheat sheet of common commands;
• A proper note-taking system;
• A credentials tracker for local/domain accounts, passwords, proof.txt, etc.

Other blockers:

1. Rabbit hole in a static web app delayed me — switched machines and quickly found SQLi. Lesson: Set time limits per vector.
2. Wasted time on faulty pivoting using Chisel — switched to Ligolo-ng, which worked reliably.
3. Issues with WinRM commands — resolved by wrapping commands in powershell -c "command".

These lessons dramatically increased my speed.

2.3.2 Second Lab

By now, about a month had passed. The second lab was more diverse and interesting — 5–6 external perimeter machines (vs. 3 in the first). Fewer dead ends, more recon work. VPN issues persisted, but confidence was growing.

Two weeks to the exam. Try Harder.

2.4 Taking the Demo Exam

Demo exams simulate the real environment. Key advice: No hints — time yourself.

I liked them a lot. Easier than the real thing. Each had:

• 6 machines (3 standalone, 2 AD machines + 1 domain controller);
• Completed in 8–9 hours;
• Familiar and understandable attack vectors.

2.5 Earning Bonus Points

Bonus points require completing practical tasks — mostly tedious and frustrating.

• Each task needed a VPN connection;
• Loading tasks took several minutes;
• Took 4–5 full workdays (~6–8 hours each) to complete;
• I cleared my schedule and committed to it.

2.6 Preparing the Report Template

The final report is critical. You get 23:45 hours to exploit, and 24 hours for the report.

OffSec provides a Word/OpenOffice template, but I used Obsidian. I converted the DOCX into Markdown and built a template to streamline my note transfer.

3. First Attempt

I scheduled the exam three weeks in advance — slots fill fast.

My original plan: Work from 9:00 to 21:00, sleep, then finish fresh in the morning. But...

• My sleep schedule was broken a month before the exam;
• No bonus points yet;
• I fixed my schedule through morning workouts, cold showers, and reading.

Disclaimer: I cannot disclose exam details, only impressions.

• OSCP includes proctoring: camera and screen sharing required;
• Setup involves ID verification, system checks, and official scripts.

Result: I failed.

• Gained admin on one machine — not enough;
• Reached AD network but got stuck after privilege escalation;
• Exploited another machine but couldn’t get shell execution.

Lessons:

• Prepared food in advance — helpful;
• Pulled a full 24-hour session — big mistake;
• Hit a rabbit hole, lost track of time and strategy;
• OSCP doesn’t use complex 10-step vectors — it’s about 4–5 steps max;
• Internal critic kicked in — “you’re failing,” “you should have passed by now.”

I didn’t submit the report. No point. My friends offered great support. I resolved to retake the exam as soon as the cooldown ended (~1 month).

4. Second Attempt

1.5 months later, I tried again — this time with a new strategy:

• Used Pomodoro timer (25 min focus / 5 min rest);
• Scheduled exam at 11:00, not 9:00 — better rest;
• Monitored all timings closely.

This time, breaks helped gain new perspectives. Got stuck on a passworded archive — tried Hashcat instead of JohnTheRipper and succeeded.

Again, frustration hit, but I persisted.

Having a report template was a lifesaver — the write-up took ~6 hours. I reviewed the report 5–6 times. Created an archive, calculated MD5, uploaded, and sent…

5. Conclusion

I already shared some reflections in my Telegram channel, but this article dives deeper.

I absolutely do not regret the time and money invested in OSCP. It’s valuable not only for tenders or reputation, but also personally empowering.