OSCP Practice Exam Writeups

In this blog post I want to give an overview of my experience doing an OSCP practice exam, and share the strategy I took and the lessons I learned. I hope this article, and the attached reports (at the end of this post), will be useful for people looking to sit the exam in future.



As part of my prep for OSCP I wanted to do a fully simulated practice exam. I wanted a chance to test my methodology, get a feel for the timings of the exam, and most importantly just get a confidence boost before the real thing.

I highly recommend doing this - it gives you a sense of the scope of boxes you might face, and will teach you valuable lessons.

Perhaps most valuable were the lessons I learned about the report writing, and what to capture as I went along. When I came to write it up, there were several screenshots I wish I had (and I take pretty comprehensive notes).

I did my first practice exam on 21/08/21, starting at 09:45. I started as close to my real start time as possible, which would end up moving after I extended my lab time. At this point I’d done just under 20 boxes, and wasn’t feeling super confident. I’d also not done a lot of the course content, and read the Buffer Overflow content the night before having never done one from scratch.

Safe to say, the exam didn’t go brilliantly, but I learnt a lot of valuable lessons. I failed with 55 points, having failed to get a foothold on the 25 point machine, and failing to root a 20 pointer. Within half an hour of the exam ending I’d finished the 20 pointer and would have passed, but it wasn’t to be. I may have gotten partial points for the low-privilege shell I obtained, but it’s hard to guess how many.

In my second attempt I wanted to have an experience closer to what I’d have on the actual exam - I intended to practice Buffer overflows a few times before I did it to get the methodology down. Unfortunately this didn’t happen with work and other extracurricular commitments (this cert isn’t friendly to people with lots of hobbies and a full time job), but I did root 12 more boxes in the labs in this time. I extended my lab time to 90 days to give myself a better chance to practice.

My second attempt was on 15/09/21, and I was feeling much more confident. Despite struggling after finishing the BOF and bouncing between several boxes without a foothold, I ended up passing with 75 points, only missing out on the non-BOF 25 point machine. After the exam I continued to finish several more boxes in the labs, and I’m now feeling pretty confident ahead of my exam in early October.

Exam 1

Date Start Time Points
21/08/21 09:45 55

I spent the days before the exam migrating to my new computer and setting up Kali the way I liked it, as well as getting used to zsh, tmux, and their irritating quirks when used with Obsidian.

I’ll give a spoiler free overview of how the exam panned out here, but you can read the report which I’ll attach if you’re interested in how the boxes were solved.

Considering how little I’d prepared, the Buffer Overflow went surprisingly smoothly. I followed the PDF pretty strictly, and after getting used to Immunity had finished it within ~3 hours. I’m glad I tackled it first and got it out of the way - however the next few hours were painful and without much progress.

I took plenty of breaks, and towards the end of the night I got some footholds. The ‘easy’ box took longer than I expected, and was probably a bit more involved than Grandpa/Granny/Netmon would have been (the other 10 pointers that were recommended). I would definitely pick one of these machines over Buff, depending on whichever ones you haven’t done - they’re more similar in style to the easier OSCP Lab machines (but I can’t speak for the real exam 10 pointers).



Pre Exam


Exam Start - Tackling Brainpan

First Attempt at Kotarak




At 09:30 the exam was over, and I had 55 points. I may have gained a few partial points from Bastard, but I don’t know how many.

Report Writing

Lessons Learned

General Exam Efficiency Advice:

Privilege Escalation:

New Tricks, Tools, and Skills:

Note Taking for Report:

Exam 2

Date Start Time Points
15/09/21 10:00 75

For the second exam I was feeling a lot more confident, and had rooted a few extra boxes in the labs. However, despite intending to complete the Buffer Overflow Prep Room on TryHackMe, I had only done one Buffer Overflow from scratch.

I picked non-HTB machines for this exam, and tried to go for ones that were custom-made to be similar to OSCP machines. Lemonsqueezy, for example, is modelled on a combination of two 20-point boxes. I thought that custom OSCP-style boxes would be better practice than HTB, as sometimes the style is wildly different.

The exam went much more smoothly, and although I did not finish the 25 point machine I felt like my methodology was much better this time around and I enumerated much more thoroughly. One major improvement was the use of autorecon, which I’d fallen out of favour with for a few reasons earlier in my OSCP preparation. However it pulled through on this exam and found a lot of useful information, namely around enumerating filesharing services.



Again, I spent the morning setting up (which was a lot less stressful this time as I wasn’t trying to spend it learning Buffer Overflows and Tmux from scratch).

I was up at 8:00, and had connected via RDP to the TryHackMe room by 09:55 ready to start.

My strategy was as follows:


Exam Start - dostackbufferoverflowgood

Trying Lazysysadmin

Trying Lemonsqueezy

Trying Mercy & Getting Stuck

Trying Stapler

Reviewing Boxes & Finishing lazysysadmin

More Enumeration and Giving up on Stapler

Breakthrough on Lemonsqueezy

Rooting Mercy and Finishing the Exam

Report Writing

Lessons Learned

General Methodology:

New Tricks, Tools, and Skills:

Privilege Escalation:

Note Taking for Report:

Exam Efficiency:

General Lessons Learned

These are some of the more generic lessons I learned that weren’t tied specifically to one of my practice exams:

I tried to do both exams as close to my exam start time as possible, as it was already booked. Morning starts work well for me, as I’m nice and alert once I’ve eaten. However, there is definitely a slump in the afternoon, so if you have the time to do so I’d recommend trying a practice exam with a morning start and one with an afternoon start to see what you like best, then book your exam.


I hope you enjoyed these writeups. I know this is a long blog post, but I always enjoy posts about people’s strategies and timings for the exam.

I hope that the Lessons Learned sections are useful - I try to do something similar for every machine I tackle, especially highlighting mistakes in methodology that can apply to multiple boxes, rather than specific vulnerabilities. It’s a valuable activity to undertake while revising.

I have also uploaded my report for each exam. There are lots of report templates out there (I borrowed from this one), but not many example reports, so hopefully seeing one will be useful.

Exam 1: Report

Exam 2: Report

I will add the caveat that I’ve not yet passed the OSCP - my report writing style might be completely wrong, so take it with a pinch of salt.

Thanks for reading, and good luck to anyone taking the exam!