Preparing for the OSCP can be overwhelming; I totally get it. There are moments where self-doubt creeps in, especially when things don’t go as planned in the exam. In this post, I’ll share some tips that helped me push through and pass the exam.

Why You Shouldn’t Doubt Yourself While Giving OSCP

The OSCP exam is as much a mental battle as it is a technical one. If you’ve ever doubted yourself during this journey, I’ve been there too and this post is for you. I’ll walk you through how I went from completely underprepared to finally cracking the exam after a focused sprint. Maybe this will help you see that it’s never too late to shift gears and get it done.


Jan to June 2025

I purchased the OSCP Learn One subscription in January 2025 during the New Year offer. Since the labs were valid for a full year, I took it for granted and didn’t really dive in. Occasionally, I’d solve a box or two from HTB, but I had no structured study plan.

After graduating in May 2025, reality hit hard.

I started getting calls from vendors and contract positions, and every single one of them insisted on OSCP, despite the fact that I already held certifications like CRTP. Slowly, it dawned on me: I was missing real opportunities just because of that one exam.


ft July “I’m Cracking This; No Matter What”

On July 7th, I made the decision: I had to pass the OSCP at any cost.

With prior experience in Active Directory from CRTP and even CARTP, plus hands-on time with Hack The Box, I knew I had the foundational skills. But I also knew that confidence on standalone Linux/Windows boxes was lacking.

So I did what I had to do:

  • Revisited CRTP notes to solidify AD concepts.
  • Followed TJNull’s OSCP preparation list — 15 Linux & 15 Windows machines.
    • I didn’t focus on fully solving them.
    • Instead, I focused on approach, methodology, and building a consistent process.
  • Documented everything: my notes, commands, pivot techniques, payloads, and methodologies.

Challenge Labs & Final Preparation

I took all three OSCP Challenge Labs (OSCP-A, OSCP-B, and OSCP-C) and fully completed them, especially focusing on the AD portions.

For the standalone boxes, I reviewed my notes and refined my enumeration and exploitation flow.

Two days before the exam:

  • I finalized my entire arsenal: tools, scripts, notes, custom payloads.
  • Made sure my Ligolo-ng setup was ready for pivoting.
  • Practiced quick Nmap scan automation & note-taking workflow.

I wasn’t 100% confident, but I knew I had done everything I could in fukin 1 month.


Battle Day

The exam day didn’t start smooth.

The AD environment had an issue. Although I found the misconfiguration early, I wasn’t able to exploit it. Panic attacks started from somewhere in my body hahaha. I honestly thought I was going to fail before even starting.

I reported the issue to the proctor and waited for confirmation. Eventually, I tried again… and this time, it worked.

From that point on, everything clicked.

  • ✅ Finished the entire AD environment in 3 hours, including the troubleshooting.
  • ✅ Submitted all 3 flags from AD.
  • ✅ While working on AD, I had already started Nmap scans on all standalone hosts and had Ligolo-ng setup for lateral movement.

I started my exam at 8 AM EST on Sunday, 20th July. I was able to pwn the full AD within the first 3 hours, and I had 40 points secured. I wanted to go for at least 80, just to be safe.

| Time Stamp | Flags Pwned | Flag Type |
|---|---|---|
| 2025-07-20 10:15 AM | 1 | AD High Privilege |
| 2025-07-20 10:47 AM | 0 | AD Low Privilege (2nd) |
| 2025-07-20 11:00 AM | 1 | AD High Privilege (2nd) |
| 2025-07-20 11:13 AM | 1 | AD DC High Privilege (3rd) |

P.S. I took a hell of a lot of breaks for foood hehehe

After the lunch break I moved on to one of the standalone machines and spotted a promising low-privilege escalation vector. Anyone can spot it directly from the Nmap scan results.

I would suggest letting Nmap run a full scan on the host; don’t run an aggressive scan.

I did some googling and saw how I can access the service. Trust me, no matter how many notes you have, you need to be really good at googling things and having situational awareness. Yeah, so I was able to pwn 1 low-privilege escalation on Standalone machine 2.

Similarly, from the Nmap scans of Standalone 1, there was something that I could bruteforce. This is not straightforward tho. I had to brainstorm for at least 20 mins to see which service can be abused. After 25 mins, I started bruteforcing services using Hydra with a 10 million wordlist, and I found something that can be used to log in to the machine.

| Time Stamp | Flags Pwned | Flag Type |
|---|---|---|
| 2025-07-20 3:00 PM | 1 | Low Privilege (2nd) |
| 2025-07-20 5:20 PM | 1 | Low Privilege (1st) |

Finally, I have 60 points in the bag. I need 20 more to be on the safe side, and I know the last standalone is hell.

Slowly, my eyes started burning, and I felt like I needed to take a break, but my adrenaline was so high that I wanted to pwn at least 1 high priv before I chill for a bit.

I hopped on the 2nd Standalone machine and tried to check what privileges the user owns and what access he has (Local User Enumeration). Most of them are useless tho, and I spent almost 50 mins on escalating the privileges but no luck :(

Remember, recon/enumeration helps a lot in moving forward by connecting the dots.

I ran LinPEAS and the output was so bad that I couldn’t read it properly. So, I got a reverse shell to my attacker machine and ran LinPEAS again; this time the output was much better. I found a lead and did some googling to confirm the version. Yeah, the service had a public exploit. But when I tried to exploit it, nothing worked. I checked my steps and exploited the machine back to back, but I don’t know why I failed to exploit the machine.

So, I reached out to the proctor again.

They reviewed the machine, reverted it twice, and finally confirmed everything was working as expected.

I took a break after informing the proctor!!!

I tried the exploit again… and hell yes, it worked flawlessly.

+10 points. The exploit was straightforward, straight from Exploit-DB. Easy win, once the environment cooperated.

Rule 1, don’t doubt yourself too quickly. Sometimes it’s not you, it’s the lab (sounds like your ex hahah). Trust your process.

| Time Stamp | Flags Pwned | Flag Type |
|---|---|---|
| 2025-07-20 7:11 PM | 1 | High Privilege (2nd) |

Golden Drop hahaha

With 70 points now in the bag, I needed just 10 more to be on the safe side.

I already had a low priv shell on the 1st machine. I thought I’d take a quick nap before tackling the final high privilege escalation on the 1st standalone machine…

Bad. Idea.

That nap made me even more sleepy, and getting back into the flow was a struggle. My brain felt like it had been rebooted without saving any tabs 😅

But I pushed through and ran my usual post-exploitation checks. This was somewhat similar to the box I solved in the OffSec challenge labs, and I initially thought it was a pitfall, but I didn’t want to take a chance.

I reviewed my notes and looked at the scans/leads that I had. I confirmed that I had found a high priv escalation path. I tried to follow the steps, and after a hell of a lot of troubleshooting and reverting the machine multiple times, I got an admin shell, tho it was not stable.

Remember, if you have issues with shell stability, try another way around it using NetExec, PsExec, WMI, WinRM, SSH; try every last thing that you can.

I used Impacket’s PsExec and the shell is stable and I was able to recover the flag.

| Time Stamp | Flags Pwned | Flag Type |
|---|---|---|
| 2025-07-20 9:16 PM | 1 | High Privilege (1st) |

Last 10 points — done.

I gave the 3rd standalone a shot, but the more time I spent on it, the less progress I saw. Like staring into a digital void. Still, I bashed my head against it for another 2 hours but no luck.

| Time Stamp | Flags Pwned | Flag Type |
|---|---|---|
| 2025-07-20 10:15 AM | 1 | AD High Privilege |
| 2025-07-20 10:47 AM | 0 | AD Low Privilege (2nd) |
| 2025-07-20 11:00 AM | 1 | AD High Privilege (2nd) |
| 2025-07-20 11:13 AM | 1 | AD DC High Privilege (3rd) |
| 2025-07-20 3:00 PM | 1 | Low Privilege (2nd) |
| 2025-07-20 5:20 PM | 1 | Low Privilege (1st) |
| 2025-07-20 7:11 PM | 1 | High Privilege (2nd) |
| 2025-07-20 9:16 PM | 1 | High Privilege (1st) |

Finally, I was able to pwn 80 points after spending 12 hours. I do have time, but I know I’ll spend my time on reporting too, so I felt I’d submit the flags.

P.S. At this point, my eyes and brain were exhausted. My brain to heart, Mr. Stark, I don’t feel so good….


End Game

Exhausted, I messaged the proctor:

“I’m done. Submitting the flags and going for sleep.”

I uploaded everything, closed my notes, and finally after a wild ride that tested not just my technical skills but my patience.

IDK why I was not able to sleep; I had some fear that I misplaced flags or missed submitting the flags lol


Final Thoughts

Looking back, here’s what really stood out:

Don’t underestimate your own preparation. If you’ve put in the work, trust your process.

I had CRTP, CARTP, HTB experience, and solid notes. But I still doubted myself, especially when things broke or didn’t go as expected.

If you’re prepping for OSCP:

  • Focus more on methodology than “solving” boxes.
  • Practice documenting and replicating your approach.
  • Don’t skip your arsenal; prepare your toolkits well before the exam.
  • And above all: Never let doubt make decisions for you.
  • Remember, if your Evil-WinRM is not able to spawn a shell properly, try via PsExec or SSH if the port is open. I mean try every last thing that you can!!

Change my mind, NetExec is GOAT.

I used SysReptor for my reporting.

I got my result on July 22.


Thanks for sticking around. If you’re on this journey too, feel free to hit me up — I’ll be more than happy to share my notes, resources, quick tips too.

Happy hacking! 💻🔒