OSCP Exam Strategy & Time Management

24-hour exam optimization guide

Pre-Exam Preparation (T-1 Day)

Environment Setup

  • VPN connection tested and stable
  • Kali VM updated and ready
  • Note-taking setup (Obsidian + this template)
  • Tool verification (AutoRecon, LinPEAS, WinPEAS, etc.)
  • Screenshots directory prepared
  • Backup plan for VM/connection issues

Hour 1: Initial Assessment (0-60 minutes)

First 15 Minutes: Triage

  • Read all machine descriptions carefully
  • Identify target IPs and add to /etc/hosts
  • Start AutoRecon on all targets simultaneously
  • Take initial screenshot of control panel

Minutes 15-45: Quick Wins

  • Check AutoRecon results as they complete
  • Identify immediate vulnerabilities (default creds, anonymous access)
  • Test quick attack vectors from your Quick Reference
  • Start with easiest-looking target for confidence

Minutes 45-60: Strategy Planning

  • Assess point values vs difficulty
  • Prioritize targets based on findings
  • Set time limits for each machine
  • Document findings in templates

Time Allocation Strategy

Machine Prioritization (Total: 70 points needed)

Target Priority Framework:
1. Easy/Medium machines (10-20 points) - 3-4 hours each
2. Hard machines (20+ points) - 6-8 hours each
3. Buffer time for documentation - 2-3 hours

Hour-by-Hour Schedule

Hours 1-4:   Machine 1 (Easy/Medium)
Hours 4-8:   Machine 2 (Easy/Medium) 
Hours 8-12:  Machine 3 (Hard) - Part 1
Hours 12-14: BREAK + Documentation
Hours 14-18: Machine 3 (Hard) - Part 2
Hours 18-22: Machine 4 (Buffer/Backup)
Hours 22-24: Final documentation + report

Decision Points: When to Move On

2-Hour Rule

If you haven’t gained an initial foothold after 2 hours:

  • Switch to different target
  • Take detailed notes of attempts
  • Return later with fresh perspective

4-Hour Rule

If you haven’t achieved user access after 4 hours:

  • Seriously consider moving to different target
  • Document all findings thoroughly
  • Set specific return time if points needed

6-Hour Rule

If you haven’t achieved admin/root after 6 hours:

  • Move to next target immediately
  • User flag may be sufficient for passing
  • Better to have multiple user flags than one root

Enumeration Time Limits

Initial Scan (15-30 minutes)

  • AutoRecon complete
  • Port summary documented
  • Quick manual verification of interesting ports

Service Enumeration (30-60 minutes per service)

  • Web applications: 45-60 minutes maximum
  • SMB/AD services: 30-45 minutes maximum
  • Database services: 20-30 minutes maximum
  • Other services: 15-20 minutes maximum

When Enumeration is “Complete”

Stop enumerating when you have:

  • Identified attack vector with high success probability
  • Found credentials or sensitive information
  • Discovered known vulnerability with available exploit
  • Exhausted common attack vectors for that service

Break Management

Mandatory Breaks

  • 10 minutes every 2 hours minimum
  • 30 minutes every 4 hours for meals
  • 1 hour break at 12-hour mark
  • Eyes off screen during all breaks

Break Activities

  • Physical movement (walk, stretch)
  • Hydration and light snacks
  • Mental reset (avoid thinking about exam)
  • Documentation review (what you’ve done)

Warning Signs to Take Break

  • Making same mistake repeatedly
  • Frustration or anger building
  • Tunnel vision on single approach
  • Physical discomfort (eyes, back, etc.)

Troubleshooting: When You’re Stuck

30-Minute Stuck Protocol

  1. Step back and re-read your notes
  2. Try different approach from methodology
  3. Google the specific error/issue
  4. Ask yourself: “What am I missing?”

1-Hour Stuck Protocol

  1. Switch to different machine temporarily
  2. Review methodology for missed steps
  3. Try manual verification of automated results
  4. Consider privilege escalation if you have user access

2-Hour Stuck Protocol

  1. Take mandatory break (15-30 minutes)
  2. Start completely fresh on different target
  3. Document everything you’ve tried
  4. Plan return strategy with specific new approaches

Common Time Wasters to Avoid

Rabbit Holes (Set 30-minute limits)

  • Complex SQL injection without clear path
  • Buffer overflow attempts (not on current exam)
  • Kernel exploits as first approach
  • Brute forcing without rate limiting

Tool Obsession

  • Don’t wait for slow automated scans
  • Manual verification often faster than perfect automation
  • Use tools as starting point, not final answer
  • Multiple tools for same task wastes time

Perfectionism

  • Good enough enumeration vs perfect enumeration
  • Working exploit vs elegant exploit
  • Basic shell vs perfect shell upgrade
  • User access vs immediate root attempt

Point Optimization Strategy

Minimum Viable Exam

Scenario 1: 70 points (minimum passing)
- 2 machines with user + admin (40 points)
- 1 machine with user only (10 points)  
- 1 machine with admin only (20 points)

Scenario 2: 70 points (safer)
- 3 machines with user + admin (60 points)
- 1 machine with user only (10 points)

Point Value Decision Making

  • 10-point user flag takes 1-2 hours → usually worth it
  • 20-point admin flag takes 4+ hours → evaluate carefully
  • Multiple easier targets often better than one hard target
  • Don’t abandon user access to chase admin on same machine

Documentation During Exam

Real-Time Documentation

  • Screenshot everything important immediately
  • Copy commands that work into templates
  • Note failed attempts with reasoning
  • Timestamp major discoveries

Minimal Viable Documentation

For each finding, capture:

  • What you found (vulnerability/access)
  • How you found it (command/tool used)
  • Screenshot proof (evidence)
  • Next steps (if continuing)

Don’t Over-Document During Exam

  • Basic notes sufficient during exam
  • Detailed write-up after exam ends
  • Focus on exploitation, not perfect documentation
  • Screenshots more important than detailed notes

Final Hours Strategy (Hours 22-24)

2 Hours Remaining: Triage Mode

  • Stop starting new major attacks
  • Focus on low-hanging fruit only
  • Quick privilege escalation attempts
  • Verify point calculations

1 Hour Remaining: Documentation Mode

  • Stop all exploitation attempts
  • Organize screenshots
  • Verify proof.txt contents
  • Double-check point calculations

30 Minutes Remaining: Final Checks

  • Screenshot final proof
  • Backup all documentation
  • Submit exam attempt
  • Mental preparation for report writing

Contingency Planning

If Behind Schedule

  • Lower standards (user flags vs admin flags)
  • Switch targets more aggressively
  • Use simpler methods even if less elegant
  • Focus on known vulnerabilities vs research

If Ahead of Schedule

  • Don’t get overconfident
  • Double-check all documentation
  • Attempt bonus objectives carefully
  • Help secure already-obtained flags

Technical Issues

  • VM snapshot before major changes
  • VPN reconnection procedure ready
  • Backup note-taking method prepared
  • OffSec contact information handy

Mental Game & Stress Management

Confidence Building

  • Start with easiest target first
  • Celebrate small wins (every flag counts)
  • Remember your training (you’ve done this before)
  • Trust your methodology (it works)

Dealing with Frustration

  • Frustration is normal (everyone experiences it)
  • Take breaks when frustrated
  • Switch targets for fresh perspective
  • Focus on process not outcome

Staying Motivated

  • Track progress visually (points earned)
  • Remember your goal (70 points, not perfection)
  • Think long-term (this is just one attempt)
  • Stay hydrated and fed

Post-Exam Checklist

Immediate Actions (Within 1 hour)

  • Screenshot final control panel
  • Backup all documentation
  • Take a break (you’ve earned it)
  • Plan report writing schedule

Report Writing (Next 24 hours)

  • Start report within 12 hours
  • Use screenshots as primary evidence
  • Follow OffSec template exactly
  • Proofread before submission

Learning from Experience

  • Document lessons learned
  • Identify weak areas for improvement
  • Update methodology based on experience
  • Celebrate completion regardless of outcome

Final Reminders

The Golden Rules

  1. Time management beats perfect technique
  2. 70 points is the goal, not 100 points
  3. Working solution beats elegant solution
  4. Multiple attempts allowed if needed
  5. Learn from each attempt

Last Words of Advice

  • Trust your preparation - you’ve trained for this
  • Stay calm - panic leads to poor decisions
  • Be methodical - your templates will guide you
  • Don’t give up - many flags come in final hours
  • You’ve got this - thousands have passed before you

Good luck! 🚀