Posts for: #Oscp

lab strategy

How to actually use your 90 days of lab access without burning out or wasting time. Full post in progress.

the core principles (preview)

  • Enumerate first, exploit second — always
  • Notes are the product, not the shells — your methodology file will save you on exam day
  • Don’t skip Windows privesc — the exam weights it heavily
  • Reset often — but try again before resetting
  • Know when to read a walkthrough — stuck for 2hrs? Fine. Stuck for 6? Read the hint.

Full strategy post coming — includes daily routine, when to take breaks, and the “stuck” checklist I used.

oscp exam tips

exam tips

The day-of playbook. Full post coming — here’s the essentials.

the night before

  • Sleep. Do not cram.
  • Prep your environment — notes app, template for the report, screenshot tool ready.
  • Have snacks, water, coffee within arm’s reach.

the exam itself

  • First 30 min: nmap full TCP + initial UDP on every target, start them in parallel.
  • Buffer overflow (if applicable): knock it out early while your brain is fresh.
  • Rotate targets — stuck for an hour? Move on. Come back with fresh eyes.
  • Document as you go — not at the end. Screenshot everything.
  • Take breaks — 10 minute walks save your brain.

the report

  • Don’t skip it. Failing the report = failing the exam.
  • Use the OffSec template. Don’t be clever.

Full post includes my actual time breakdown, meal schedule, and what I did when I almost panicked at hour 12.

oscp faq

faq

The questions I see asked in r/oscp and the OffSec Discord every single week. Full answers coming — short versions below.

is the PWK course enough?

No. It’s necessary but not sufficient. You need lab time on PG, HTB, or similar.

how long should I prep?

Most people: 3-6 months of consistent daily practice. Depends entirely on your starting level.

should I learn Metasploit?

Yes, but also learn to do things without it. The exam limits Metasploit usage.

oscp prep strategy

prep strategy

What to study, in what order, and why. Full breakdown coming — here’s the TL;DR.

the ordered stack

  1. Foundations — Linux CLI, networking basics, bash + Python
  2. Web — OWASP top 10, Burp Suite, PortSwigger labs
  3. Enumeration — nmap, gobuster, methodology obsession
  4. Exploitation — public exploits, Metasploit (and then without Metasploit)
  5. Privilege escalation — Linux and Windows. Separately. Deeply.
  6. Active Directory — Kerberos attacks, BloodHound, lateral movement
  7. Buffer overflows — not on the modern exam, but worth understanding

the 80/20

If you only do one thing: own a lot of boxes, take obsessive notes. PG Practice + HTB retired boxes got me further than any course.

oscp resources

resources

The curated list. Full annotated version coming — this is the skeleton.

labs (practice targets)

  • HackTheBox — retired boxes with writeups
  • OffSec Proving Grounds — closest thing to OSCP feel
  • TryHackMe — structured learning paths for beginners
  • Vulnhub — free, downloadable VMs

courses

  • PWK (OSCP course itself) — mandatory, but not sufficient
  • TCM Security’s PEH — great foundation
  • IppSec’s YouTube — free, better than most paid courses

cheatsheets & references

  • HackTricks — the bible
  • PayloadsAllTheThings — for when you forget a payload (you will)
  • GTFOBins — Linux privesc lookup
  • LOLBAS — Windows equivalent

books

  • The Web Application Hacker’s Handbook
  • RTFM (Red Team Field Manual)
  • Penetration Testing by Georgia Weidman

community

  • OffSec Discord
  • r/oscp subreddit
  • NetSecFocus Slack

Full annotated list (what each is good for, when to use it) drops soon.
