Overview
Hi everyone, recently I passed the OSCP certification on my first attempt after preparing for it within 3 months. I will be giving a brief overview of the resources I used to prepare, my methodologies, etc., and how I prepared for the exam and finished it within 3 months.
Sections to Study & Resources
So in OSCP there are multiple topics you should have knowledge about. Following are the sections and the resources I used to prepare for them.
Initial Access
The most annoying and time-consuming part is initial recon and access. The attack surface is vast, as there are many services and endpoints running and too much information to go through to verify true and false positives. This for sure makes you overthink and focus on the wrong vectors. This might be the hardest thing you face initially.
Initial access is typically achieved through either web exploitation or network exploitation, and in some cases through phishing as well.
Therefore, it is important to prepare for both web and network penetration testing to effectively cover these attack vectors.
In my case, due to prior professional experience and coursework, I did not need to study these areas separately and was already confident in my skills. However, for beginners or intermediate learners, I strongly recommend focusing on these topics, as there are many high-quality resources available online. In particular, gaining a solid understanding of server-side vulnerabilities is crucial, since the ultimate objective of initial access is usually to obtain remote code execution (RCE) on the target system.
Some of the vulnerabilities which you must know (get hands-on as well) are:
- OS Command Injection & RCE
- File Inclusion Vulnerabilities (LFI & RFI)
- File Upload Vulnerabilities (Bypasses as well)
- SSRF
- SSTI
- SQL Injection (Manual Exploitation of both In band & Blind)
- Reconnaissance (Not a vulnerability, but more like a process of initial enumeration)
- CVE Hunting (Again, not a vulnerability but more like a process of finding the accurate CVEs after identifying the services being used in machine)
Here are some resources you can refer to get started:
Portswigger: https://portswigger.net/web-security/all-labs (great resource to practice web based attacks and SQL attacks)
For network service exploitation: https://book.hacktricks.xyz/network-services-pentesting (a very great resource on how you can enumerate and exploit services)
Tools I used for recon and enumeration:
- Rustscan for fast and reliable port scans.
- Nmap for deep scan on previously enumerated ports.
- LDAPDomainDump
- Bloodhound-Python
- smbclient
- smbmap
- nxc
- enum4linux
Lastly, the main thing about this section is hands-on experience, so try to solve as many boxes as you can from HTB for starters, as once your mind gets trained, you will be able to find the attack vector for initial access very fast. At first you may find that some machines take too much time and you may refer to the writeups. But with practice and patience you will soon learn to solve machines on your own without referring to any walkthroughs and writeups.
Windows & Linux Privilege Escalation
The aim is to escalate to the root/admin user after getting the initial foothold. The end goal is to be the root/admin user instead of just dumping the flags.
Following are the resources which I used for preparing for this section:
TCM Windows Privesc: https://academy.tcm-sec.com/p/windows-privilege-escalation-for-beginners
TCM Linux Privesc: https://academy.tcm-sec.com/p/linux-privilege-escalation
Tryhackme Privilege Escalation path: https://tryhackme.com/module/privilege-escalation
Active Directory Pentesting: Active Directory pentesting is a required skill if you wish to pass OSCP, as 40/100 points are for the AD set alone.
Following are the resources I used to prepare for this section:
Cybermentor has a very great video on intro to AD and some attack vectors and how they work: https://www.youtube.com/watch?v=VXxH4n684HE
Compromising Active Directory: https://tryhackme.com/module/hacking-active-directory
Internal All The Things has a very detailed attack vector explanation for AD: https://swisskyrepo.github.io/InternalAllTheThings/
Active Directory: https://www.hackingarticles.in/
Timeline
In the first month of my preparation, I used all the resources mentioned above to gain knowledge about the different sections required (mentioned above) and made notes for them. At the same time, I solved the HTB boxes and Proving Grounds boxes from Lainkusanagi’s List.
I used to aim to solve at least 3 boxes per day. While solving boxes I would create short walkthrough-style notes for my own reference. I used Notion for organizing my notes. Creating these kinds of notes helps you keep track of the techniques and tools used for solving boxes. This habit of note taking will slowly help you get better at solving boxes faster. Focus on solving machines without referring to any walkthroughs. (For example, if you contribute 5 hours daily towards your prep, try to solve the machine for at least 4 hours, and if you are unable to solve it even after trying everything, then and only then go for the walkthrough.)
- OSCP/OSCP+ Challenge Labs (12/10/2025-12/27/2025): Solved the 10 Challenge Labs. These labs come included with the exam voucher.
- Exam (01/05/2026-01/06/2026): I had scheduled the exam at 10 in the morning.
Now I will tell you about the things I did and how I proceeded in each month.
1st Month
In the first month I completed around 40 HTB boxes. If you fail to solve the complete boxes, it is completely fine; all of us do. But also keep in mind the steps for when you are not able to solve boxes: check the writeup for those boxes (0xdf preferred) and understand the steps, or watch ippsec walkthrough videos to understand not just the steps taken to solve the box but also WHY each step was taken. The WHY is really important to make sure you progress further. After understanding, try again to solve them on your own based on the things you have understood from the resources.
2nd Month
In the 2nd month I completed 56 boxes from the Proving Grounds section of the list. Most of the boxes were simple and had simple initial access and privilege escalation vectors. However, some boxes had some interesting vectors to exploit. So if you are stuck on one box, I would recommend you complete the easy boxes first and then proceed to the intermediate and hard boxes, so that you can finish this set as soon as possible. The key here is to learn, not just to try to finish the boxes. It would be really beneficial for you if you complete boxes with persistence and patience.
3rd Month
I bought my exam subscription. After buying the subscription I went through OffSec’s PEN-200 material and focused on sections where I felt I was lacking.
The sections I would suggest you to focus on are as follows:
- Client Side attacks.
- Manual exploitation of Databases and web services.
- Email and Phishing attacks.
- AD Parent-Child relation.
After completing the sections I went ahead with the challenge labs. This is the flow I followed:
- Secura
- Medtech
- Relia
- OSCP-A
- OSCP-B
- OSCP-C
- Zeus
- Poseidon
- Feast
- Laser
Exam Day
Finally it was exam day, and everything went wrong at the start, as it could. A day before, my laptop gave up on me; it got stuck in a boot loop because of a corrupted Windows update. However, I had exported and uploaded a copy of my VM to the cloud just in case.
Standalone-1
I first started with standalone-1. I was breezing through the machine, from getting the initial access to privilege escalation. I completed the standalone within an hour. Yay!! Got the first 20 points.
AD-set
Now that I had secured 20 points, I proceeded towards the AD set, as I was very confident with AD. It was an assumed breach attack where I was provided the credentials of a user and I had to privesc from the least-privileged user to domain admin to fully compromise the AD. The first machine in the AD set was fully compromised in 30 mins.
Now the part where I almost lost my confidence. For pivoting I was struggling with setting up ligolo-ng. For some reason my ligolo proxy wasn’t accepting connection requests from agents. I first thought that it must be a problem with the ligolo-ng version I had, as I was using an alpha release (least stable). However, that wasn’t the reason. I spent almost 6 hours troubleshooting the problem and nothing seemed to work. By this time I had spent close to 8-9 hours and I had just earned 30 points. Keep in mind that I was taking a 20-minute break after every 1 hour. This time I took a break of 1 hour. Before taking the break I informed the proctor that I would be disconnecting and reconnecting my VPN and then reverting the whole AD set. The proctor informed me that these actions are well within the guidelines and I can proceed with all the above-mentioned actions. I reset my connection and reverted the machine and then took a break.
After coming back from my break, I was able to set up ligolo and connect my agent to it, and now I was able to pivot to the AD’s internal network. Turns out it was some problem with the machine; reverting it and restarting my VM sorted the problem. After a successful connection I was able to fully compromise AD in 1 hour.
Standalone-2
So now within 12 hours I had gained 60 points; all I needed was to solve one standalone to successfully pass the exam. I was able to solve standalone-2 within 2 hours, helping me get 80 points and successfully pass the exam. By this time I was tired and exhausted. I was ready to submit all the flags and end the exam. But it was 1 last standalone, so I decided to give it 1 hour of time: if I got initial access within 1 hour I would solve the whole machine, or else I would end the exam after that.
Standalone-3
Luckily I was able to solve standalone-3 within half an hour, securing 100 points. I was very elated. I submitted all the flags, took the screenshots of every step and then ended my exam at 6:00 in the morning.
Suggestions
- Use writeups as the last resort or else you will not learn anything.
- Get to know the vulnerability and attack path instead of just using tools blindly and following commands.
- Try to participate in CTFs of challenge labs released; I used to solve hacksmarter weekly challenges.
- Join the OffSec Discord, contribute to the community and be active. You can put your doubts there; the mentors and community are very helpful.
Thanks For Reading 😁
Profile Links
LinkedIn: https://www.linkedin.com/in/arbaazz/
Discord: https://discord.gg/JpCACGdN/
Official Website: http://arbaazjamadar.com/