Mar 8

OSCP Exam Strategy and Report Writing Preparation

MT
Mindli Team

AI-Generated Content

Earning the Offensive Security Certified Professional (OSCP) certification is a defining milestone for penetration testers, validating not just technical skill but also endurance, methodology, and professional discipline. Success hinges on two equally critical pillars: a sound strategy for conquering the 23-hour 45-minute exam environment and the meticulous ability to document your findings in a clear, standardized report. This guide synthesizes the tactical mindset and procedural rigor required to navigate both challenges effectively.

Understanding the OSCP Exam Format and Scoring

The OSCP exam is a practical, hands-on assessment conducted in a remote proctored lab environment. You are given access to a network containing several independent target machines. The modern exam typically includes a mix of standalone machines and an Active Directory (AD) set, with each target carrying a specific point value. The exact configuration varies, but a common structure involves multiple standalone machines worth 10-25 points each, plus an AD set of several machines worth a combined 40-50 points. You must accumulate a minimum of 70 points (out of 100) to pass.

This scoring system dictates your strategy. The AD set is often the highest point-value objective on the network, representing a complex, multi-step attack chain. However, it can also be the most time-consuming. The standalone machines offer crucial opportunities to rack up points and build momentum. A key strategic insight is that you do not need to compromise every machine; you need to efficiently accumulate enough points from a combination of targets. Your first hour should involve rapid, high-level reconnaissance to identify all targets and their potential difficulty, allowing you to create a prioritized attack plan based on point yield and perceived complexity.

A Granular Time Management Strategy for the 23h45m Exam

You have twenty-three hours and forty-five minutes of exam time, followed by an additional 24 hours for report writing. This is an endurance test as much as a technical one. A rigid, self-imposed schedule is non-negotiable. A proven framework breaks the exam period into distinct phases.

Hours 0-1: Reconnaissance & Planning. Don't touch an exploit. Use this time to run broad, non-intrusive scans against the entire target range. Map out all live hosts, open ports, and potentially interesting services. Document everything in your notes. Based on initial fingerprints and the point matrix, draft your attack order.

Hours 1-14: The First Assault. Target your chosen initial machines, typically starting with a standalone box to secure your first points and confidence. Apply a systematic enumeration methodology for each target: service version identification, searching for public exploits, and conducting manual configuration testing. When you hit a roadblock on one machine, have a strict rule to pivot to another after a set time (e.g., 90 minutes). This prevents burnout on a single target.

Hours 14-20: The Core Push. This is your deep work period, often focused on the multi-machine AD set. Here, the strategy shifts to understanding trust relationships, user roles, and lateral movement paths. Exploit modification becomes crucial, as public proof-of-concept code often needs adjustment for the specific target environment.

Hours 20-23:45: The Final Sprint. If you are close to 70 points, this is for one final push on an incomplete vector. If you are comfortably past 70, this time is for post-exploitation documentation. Ensure you have all required proofs (flags, screenshots) for every compromised machine. If you are short, make a calculated decision: attempt a new machine or solidify points from a partially completed one. The worst mistake is to have points you didn't properly document.

The Report Window: The separate 24-hour report period is for writing, not hacking. Your exam time notes must be so complete that report writing is a pure transcription and formatting exercise.

From Enumeration to Proof: The Technical Methodology

Your technical approach must be relentless and repeatable. Every machine begins with comprehensive enumeration using tools like Nmap, Gobuster, and manual inspection of web applications. The goal is to create a detailed attack surface map. When you identify a potential vulnerability, your next step is research and exploitation.

Systematic enumeration is your primary tool. Never assume a service is secure because of its default state. Test for default credentials, misconfigurations, and insecure file permissions manually. Exploit modification is an expected skill. You will frequently encounter exploits that require you to change parameters like the return address, shellcode, target IP, or port. Practice editing Python, C, and PowerShell exploits in your lab time.

Once you gain access, post-exploitation documentation begins immediately. The exam requires specific proof: a text file "flag" from each compromised machine (usually in /home/user or C:\Users\Administrator\Desktop) and accompanying screenshots. Your screenshot must show the command used to retrieve the flag and the flag's contents in the same terminal. Do not rely on memory; take screenshots for every privilege escalation step and critical discovery. Organize these in real-time into folders named by the target IP.

Mastering Proof Requirements and the Standardized Report

The report is your professional deliverable and is graded on strict criteria. Offensive Security provides a formal report template; using it is mandatory. The report must document only the steps that led to successful compromise for each target you are claiming points for.

Proof requirements are absolute. For each compromised machine, you must include:

  1. The contents of the unique flag file.
  2. A screenshot showing the command used to obtain the flag and the flag itself.
  3. Screenshots documenting the exploitation process and privilege escalation.

Screenshot documentation needs to be clear and conclusive. Ensure terminal text is readable. The screenshot should tell a visual story: the command you ran and its successful output. The standardized report format typically includes an Executive Summary, Methodology, and a detailed Findings section for each target. In the Findings section, you will walk through your attack path step-by-step, embedding the required screenshots as evidence. The narrative should be concise and technical, explaining what you did, why it worked, and the impact.
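The per-target folders described in the post-exploitation section and the three-item proof checklist above can be turned into a small evidence-organizer so that the pre-report check is mechanical rather than a memory exercise. The script below is an added example and is not part of the original article or of any Offensive Security tooling; the directory layout (one folder per target IP under EVIDENCE_ROOT holding notes.md, flag.txt and a screenshots/ folder), the function names, and the sample IP and flag value are all assumptions made for the example.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): organize exam evidence per
# target IP and check, before the report window, that each target has the
# proof the checklist calls for. Layout and filenames are assumptions.
set -u

# Root folder for all evidence; override with an environment variable.
EVIDENCE_ROOT="${EVIDENCE_ROOT:-./evidence}"

# init_target IP: create the per-target folders and a notes skeleton whose
# headings follow the order the Findings section of the report expects.
init_target() {
    local ip="$1"
    local dir="$EVIDENCE_ROOT/$ip"
    mkdir -p "$dir/screenshots"
    if [ ! -f "$dir/notes.md" ]; then
        {
            echo "# Target $ip"
            echo "## Enumeration"
            echo "## Initial access"
            echo "## Privilege escalation"
            echo "## Flag"
        } > "$dir/notes.md"
    fi
    echo "$dir"
}

# record_flag IP FLAG_VALUE: store the flag text in its own file and append a
# timestamped line to the notes, so report writing is a copy operation.
record_flag() {
    local ip="$1" flag="$2"
    local dir="$EVIDENCE_ROOT/$ip"
    printf '%s\n' "$flag" > "$dir/flag.txt"
    printf -- '- %s flag recorded: %s\n' "$(date -u +%FT%TZ)" "$flag" >> "$dir/notes.md"
}

# proof_check IP: return 0 when the target has a non-empty flag record and at
# least one screenshot; otherwise print what is missing and return 1.
proof_check() {
    local ip="$1"
    local dir="$EVIDENCE_ROOT/$ip"
    local missing=0
    [ -s "$dir/flag.txt" ] || { echo "$ip: missing flag record"; missing=1; }
    if [ -z "$(find "$dir/screenshots" -maxdepth 1 -type f \
                \( -name '*.png' -o -name '*.jpg' \) 2>/dev/null)" ]; then
        echo "$ip: no screenshots in $dir/screenshots"
        missing=1
    fi
    return "$missing"
}

# proof_check_all: run proof_check over every target folder, print the number
# of incomplete targets, and return non-zero if any target is incomplete.
proof_check_all() {
    local bad=0 d
    for d in "$EVIDENCE_ROOT"/*/; do
        [ -d "$d" ] || continue
        proof_check "$(basename "$d")" || bad=$((bad + 1))
    done
    echo "$bad"
    [ "$bad" -eq 0 ]
}
```

Run init_target as soon as a host appears in the initial scan, record_flag the moment a flag is read, and proof_check_all at the start of the final sprint: any target it lists is one you hold points for but cannot yet prove.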

Common Pitfalls

Poor Time Allocation and Target Lock: Spending six hours on a 25-point machine while ignoring other targets is a catastrophic failure in resource management. Set hard time limits for each engagement and stick to them. Pivot early and often.

Incomplete or Unconvincing Proof Documentation: A screenshot of just the flag text is insufficient. A screenshot of a cat flag.txt command that doesn't show the flag output is useless. The examiner must see the action and the result in one image. Failing to document a privilege escalation step can cost you the points for that machine.

Neglecting the Report Until the End: Treating the 24-hour report window as your first time organizing notes is a recipe for disaster. Your exam-time notes should be so detailed that writing the report is essentially copying them into the template and inserting screenshots. If you have to reconstruct your steps from memory, you will fail.

Over-Reliance on Automation: While tools are essential, the exam tests your ability to think manually. Blindly running automated exploitation frameworks without understanding the underlying vulnerability or modifying public exploits will leave you stranded when they inevitably fail against the exam's nuanced targets.

Summary

  • The OSCP exam is a 23-hour 45-minute practical test followed by a 24-hour report period, requiring you to score 70 points from a blend of standalone machines and an Active Directory set.
  • A minute-by-minute time management strategy is critical, dividing your effort into reconnaissance, focused assaults, and final proof-gathering phases to maintain momentum and avoid burnout.
  • A systematic, manual enumeration methodology is the foundation of discovery, and you must be proficient in modifying public exploit code to suit target environments.
  • Proof documentation is non-negotiable; you must capture screenshots in real-time showing both the command and its successful output for flag retrieval and privilege escalation.
  • The final report must use the official template and present a clear, evidence-based narrative of your successful attacks; your exam-time notes should be comprehensive enough to make report writing a straightforward formatting task.
