Active Directory & Exam Simulation

OSCP Exam Strategy & Simulation

The OSCP exam is a 23-hour 45-minute practical test plus 24 hours for reporting. Strategy and time management are as important as technical skills.

Exam Structure Recap

OSCP Exam Breakdown:
├── 3 Standalone machines (60 points total)
│   ├── Machine 1: 20 points (10 local + 10 proof)
│   ├── Machine 2: 20 points (10 local + 10 proof)
│   └── Machine 3: 20 points (10 local + 10 proof)
├── 1 Active Directory Set (40 points)
│   ├── 2 Clients + 1 Domain Controller
│   ├── Full chain required for points
│   └── All or nothing scoring
└── Passing: 70 points minimum

Time Management Strategy

Hour 0-2:   Scan ALL machines, gather info
Hour 2-6:   AD set (40 points, high priority)
Hour 6-12:  Standalone machines (hardest first)
Hour 12-18: Continue standalones, revisit stuck
Hour 18-23: Final attempts, screenshot verification

The 90-Minute Rule

If stuck for 90 minutes:
├── Document everything tried
├── Move to next target
├── Return with fresh perspective
└── Often, breaks lead to breakthroughs

AD Set Strategy

The AD set is 40 points and should be prioritized.

AD Attack Flow

1. Enumerate domain from first foothold
   └── BloodHound data collection

2. Find attack paths
   └── Kerberoastable? AS-REP? Shares?

3. Get credentials
   └── Crack hashes, harvest creds

4. Move to Client 2
   └── PtH, tickets, WinRM

5. Escalate privileges
   └── Local admin → Domain Admin

6. Compromise DC
   └── DCSync, secretsdump, proof.txt

Common AD Exam Patterns

Typical AD Chain:
└── Web app on Client 1
    └── Initial shell
        └── Local privesc
            └── Credentials found
                └── Lateral to Client 2
                    └── Domain Admin path
                        └── DC compromise

Standalone Machine Strategy

Difficulty Assessment

Quick Assessment:
├── Many open ports = More attack surface
├── Web apps = Common entry point
├── Outdated services = Known exploits
├── Custom apps = Manual exploitation
└── Minimal services = Harder

Enumeration Checklist Per Machine

# Run immediately on each machine
nmap -sC -sV -oA nmap/TARGET $IP &
nmap -p- --min-rate=1000 -oA nmap/full $IP &

# While full scan runs:
# Check HTTP if port 80/443 open
# Check SMB if port 445 open
# Check FTP if port 21 open (anonymous?)

Documentation During Exam

Screenshot Requirements

Required Screenshots:
├── local.txt with IP and hostname
│   └── type local.txt && hostname && ipconfig
├── proof.txt with IP and hostname
│   └── type proof.txt && hostname && ipconfig
├── Initial foothold proof
└── Privilege escalation proof

Note-Taking Template

# Machine Name - IP Address

## Enumeration
- Port scan results
- Service versions
- Web directories found

## Foothold
- Vulnerability exploited
- Steps to reproduce
- Payload used

## Privilege Escalation
- Vector identified
- Exploit/technique used
- Commands executed

## Flags
- local.txt: [hash]
- proof.txt: [hash]

## Screenshots
- [ ] local.txt with IP/hostname
- [ ] proof.txt with IP/hostname
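The enumeration checklist and the note template above are followed by hand during the exam; as an added example (not from the study guide) the script below parses the .gnmap file that the `-oA` scans write, prints the "while the full scan runs" checks that apply to the open ports, and creates a per-machine notes file from the template with the Enumeration section already filled in. The `nmap/` layout, the `notes/` directory and the function names are assumptions, and the sample scan output is constructed so it runs offline.

```shell
# Added helper, not from the study guide: turn a finished nmap -oA scan into the
# "while the full scan runs" checklist and a pre-filled copy of the note template.
# The sample scan output is constructed; file and function names are assumptions.

# Constructed stand-in for nmap/TARGET.gnmap so the script runs offline.
sample_gnmap() {
  printf '%s\n' '# Nmap 7.94 scan initiated (constructed sample)'
  printf 'Host: 192.168.50.10 ()\tStatus: Up\n'
  printf 'Host: 192.168.50.10 ()\tPorts: %s\tIgnored State: closed (996)\n' \
    '21/open/tcp//ftp//vsftpd 3.0.3/, 80/open/tcp//http//Apache httpd 2.4.41/, 445/open/tcp//microsoft-ds//, 3306/filtered/tcp//mysql///'
}

# Tab-separated "port proto service version" line per OPEN port in gnmap text on stdin.
open_ports() {
  awk -F'\t' -v OFS='\t' '/^Host:/ {
    for (i = 1; i <= NF; i++) if ($i ~ /^Ports: /) {
      sub(/^Ports: /, "", $i)
      n = split($i, e, /, */)
      for (j = 1; j <= n; j++) {
        split(e[j], f, "/")          # port/state/proto//service//version/
        if (f[2] == "open") print f[1], f[3], f[5], f[7]
      }
    }
  }'
}

# Map open ports to the follow-up checks from the enumeration checklist.
triage() {
  open_ports | awk -F'\t' '
    $1 == 80 || $1 == 443 { print "[ ] HTTP " $1 ": check web app (" $4 ")"; next }
    $1 == 445             { print "[ ] SMB 445: check shares"; next }
    $1 == 21              { print "[ ] FTP 21: anonymous login? (" $4 ")"; next }
                          { print "[ ] " $3 " " $1 ": manual enumeration" }'
}

# Write notes/NAME.md from the template, Enumeration section pre-filled from stdin.
new_notes() {   # usage: new_notes NAME IP < nmap/TARGET.gnmap
  name=$1; ip=$2
  mkdir -p notes
  {
    printf '# %s - %s\n\n## Enumeration\n' "$name" "$ip"
    open_ports | awk -F'\t' '{ printf "- %s/%s %s %s\n", $1, $2, $3, $4 }'
    printf '%s\n' '' '## Foothold' '- ' '' '## Privilege Escalation' '- ' '' \
      '## Flags' '- local.txt: ' '- proof.txt: ' '' '## Screenshots' \
      '- [ ] local.txt with IP/hostname' '- [ ] proof.txt with IP/hostname'
  } > "notes/$name.md"
  echo "notes/$name.md"
}
```

Run it on a real scan with `triage < nmap/TARGET.gnmap` and `new_notes TARGET "$IP" < nmap/TARGET.gnmap`; the filtered 3306 entry in the sample is deliberately ignored so only open ports reach the checklist.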

Common Exam Mistakes

| Mistake | Impact | Prevention |
|---|---|---|
| Poor time management | Miss easy points | Use a timer and the 90-minute rule |
| Insufficient enumeration | Miss attack vectors | Enumerate thoroughly |
| Not documenting | Report gaps | Note everything |
| Rabbit holes | Wasted hours | Set time limits |
| Forgetting screenshots | Lost points | Screenshot immediately |
| Skipping UDP | Miss SNMP, TFTP | Always scan UDP |

Exam Day Checklist

Before Exam

□ VPN tested and working
□ Kali VM snapshot taken
□ Tools updated (searchsploit -u)
□ Notes organized
□ Cheat sheets ready
□ Snacks and water prepared
□ Phone silenced
□ 8+ hours sleep

During Exam

□ Start all nmap scans immediately
□ Enumerate while scans run
□ Take screenshots of EVERYTHING
□ Document all steps
□ Regular breaks (every 2-3 hours)
□ Save work frequently
□ Don't panic—methodical approach

After Exploitation

□ Screenshot local.txt with IP
□ Screenshot proof.txt with IP
□ Note all commands used
□ Verify screenshots are clear
□ Document the full chain

Practice Resources

1. PG Practice (Play/Practice)
   └── Closest to OSCP

2. HackTheBox (Easy/Medium)
   └── TJ Null's OSCP-like list

3. TryHackMe
   └── OSCP learning paths

4. VulnHub
   └── OSCP-like VMs

Mock Exam Simulation

Create your own mock exam:
├── 3 standalone machines (PG/HTB)
├── Set 24-hour timer
├── No hints or writeups
├── Document everything
└── Write practice report

Report Writing Tips

Report Structure

OSCP Report Structure:
├── Executive Summary
├── Methodologies
├── Machine Findings
│   ├── Service Enumeration
│   ├── Initial Access
│   ├── Privilege Escalation
│   └── Post-Exploitation
└── Appendices (code, screenshots)

Key Report Elements

Each Machine Section:
├── Screenshots with timestamps
├── Commands used (copy-paste ready)
├── Vulnerability description
├── Proof of exploitation
└── Remediation recommendations

Final Exam Tips

Success Factors:
├── Enumerate harder, exploit smarter
├── Take breaks to avoid burnout
├── Easy points first when stuck
├── Trust your methodology
├── Don't overthink—basics work
└── Stay calm and systematic

Conclusion

Congratulations on completing this OSCP Study Guide! You now have a solid foundation in:

  • Network enumeration and scanning
  • Web application attacks
  • Linux and Windows privilege escalation
  • Post-exploitation and pivoting
  • Active Directory attacks
  • Exam strategy and methodology

Remember: OSCP tests methodology as much as technical skill. Stay systematic, enumerate thoroughly, and document everything.

Good luck on your exam—Try Harder!

