Please read this entire document carefully before beginning your exam!
This guide explains the objectives of the Offensive Security Certified Professional (OSCP) certification exam. Section 1 describes the requirements for the exam, Section 2 provides important information and suggestions, and Section 3 specifies instructions for after the exam is complete.
The OSCP certification exam simulates a live network in a private VPN, which contains a small number of vulnerable machines.
You have 23 hours and 45 minutes to complete the exam.
This means that if your exam begins at 09:00 GMT, your exam will end at 08:45 GMT the next day.
Once the exam is finished, you will have another 24 hours to upload your documentation. Details on how to submit your files are provided below.
All OSCP exams are proctored.
Please make sure to read the proctoring tool student manual and the proctoring FAQ at the following URL: https://help.offensive-security.com/hc/en-us/sections/360008126631-Proctored-Exams
3 independent targets
- 2-step targets (low and high privileges)
- Buffer Overflow may (or may not) be included as a low-privilege attack vector
- 20 points per machine
  - 10 points for low-privilege
  - 10 points for privilege escalation
1 domain controller
- Active Directory set
- Points are awarded only for the full exploit chain of the domain
- No partial points will be awarded
- The order in which the exam machines are documented in your exam report is the order in which the exam machines will be graded and valued
- For independent targets, points will be awarded for partial and complete administrative control of each machine
- Each machine has a specific set of objectives that must be met in order to receive full points
- You must achieve a minimum score of 70 points to pass the exam
- It is possible to achieve a maximum of 100 points on the exam
- Specific objectives and point values for each machine are located in your exam control panel
Specific instructions for each target will be located in your Exam Control Panel, which will only become available to you once your exam begins.
You are required to write a professional report describing your exploitation process for each target. You must document all of your attacks including all steps, commands issued, and console output in the form of a penetration test report. Your documentation should be thorough enough that your attacks can be replicated step-by-step by a technically competent reader.
The documentation requirements are very strict and failure to provide sufficient documentation will result in reduced or zero points being awarded. Please note that once your exam and lab report are submitted, your submission is final. If any screenshots or other information is missing, you will not be allowed to send them and we will not request them.
If you have not made any modifications to an exploit, you should only provide the URL where the exploit can be found. Do not include the full unmodified code, especially if it is several pages long.
If you have modified an exploit, you should include:
- The modified exploit code
- The URL to the original exploit code
- The command used to generate any shellcode (if applicable)
- Highlighted changes you have made
- An explanation of why those changes were made
Your objective is to exploit each of the target machines and provide proof of exploitation. Each target machine contains at least one proof file (local.txt or proof.txt), which you must retrieve, submit in your control panel, and include in a screenshot with your documentation. Failure to provide the appropriate proof files in a screenshot for each machine will result in zero points being awarded for the target.
The valid way to provide the contents of the proof files is in an interactive shell on the target machine with the cat command from their original location.
Obtaining the contents of the proof files in any other way will result in zero points for the target machine; this includes any type of web-based shell.
On all Windows targets, you must have a shell running with the permissions of one of the following to receive full points:
- SYSTEM user
- Administrator user
- User with Administrator privileges
On all Linux targets, you must have a root shell in order to receive full points.
The exam control panel contains a section available to submit your proof files. The contents of the local.txt and proof.txt files obtained from your exam machines must be submitted in the control panel before your exam has ended. Note that the control panel will not indicate whether the submitted proof is correct or not. An example of this is provided below:
Each local.txt and proof.txt found must be shown in a screenshot that includes the contents of the file, as well as the IP address of the target by using ip addr. An example of this is shown below:
You cannot use any of the following on the exam:
- Spoofing (IP, ARP, DNS, NBNS, etc)
- Commercial tools or services (Metasploit Pro, Burp Pro, etc.)
- Automatic exploitation tools (e.g. db_autopwn, browser_autopwn, SQLmap, SQLninja etc.)
- Mass vulnerability scanners (e.g. Nessus, NeXpose, OpenVAS, Canvas, Core Impact, SAINT, etc.)
- Features in other tools that utilize either forbidden or restricted exam limitations
Any tools that perform similar functions as those above are also prohibited. You are ultimately responsible for knowing what features or external utilities any chosen tool is using. The primary objective of the OSCP exam is to evaluate your skills in identifying and exploiting vulnerabilities, not in automating the process.
You may, however, use tools such as Nmap (and its scripting engine), Nikto, Burp Free, DirBuster, etc. against any of your target systems.
For more information regarding the allowed tools, please visit our OSCP Exam FAQ article.
Please note that we will not comment on allowed or restricted tools, other than what is included inside this exam guide.
Downloading any applications, files or source code from the exam environment to your local machine is strictly forbidden unless they are necessary for you to compromise the exam machine; in that case, make sure to delete them after completing the exam objectives. For more information, please refer to https://www.offensive-security.com/legal-docs/
The usage of Metasploit and the Meterpreter payload are restricted during the exam. You may only use Metasploit modules (Auxiliary, Exploit, and Post) or the Meterpreter payload against one single target machine of your choice. Once you have selected your one target machine, you cannot use Metasploit modules (Auxiliary, Exploit, or Post) or the Meterpreter payload against any other machines.
Metasploit/Meterpreter should not be used to test vulnerabilities on multiple machines before selecting your one target machine (this includes the use of check). You may use Metasploit/Meterpreter as many times as you would like against your one target machine.
If you decide to use Metasploit or Meterpreter on a specific target and the attack fails, then you may not attempt to use it on a second target. In other words, the use of Metasploit and Meterpreter becomes locked in as soon as you decide to use either one of them.
Metasploit cannot be used for pivoting, because it would thereby be used on more than one target.
You may use the following against all of the target machines:
- multi handler (aka exploit/multi/handler)
All the above limitations also apply to different interfaces that make use of Metasploit (such as Armitage, Cobalt Strike, Metasploit Community Edition, etc).
Your connection to the exam is to be done with Kali Linux using OpenVPN. We are unable to provide any VPN connectivity support if you choose to use another setup. Your exam connection pack and details will be sent by email at the exact start time of your exam and not in advance.
1) Download the exam-connection.tar.bz2 file from the link provided in the exam email to your Kali machine.
2) Extract the file:
└─$ tar xvfj exam-connection.tar.bz2
3) Initiate a connection to the exam lab with OpenVPN:
└─$ sudo openvpn OS-XXXXXX-OSCP.ovpn
4) Enter the username and password provided in the exam email to authenticate to the VPN:
└─$ sudo openvpn OS-XXXXXX-OSCP.ovpn 1 ⨯
[sudo] password for kali:
2022-01-11 04:15:50 Note: Treating option '--ncp-ciphers' as '--data-ciphers' (renamed in OpenVPN 2.5).
2022-01-11 04:15:50 OpenVPN 2.5.0 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Oct 28 2020
2022-01-11 04:15:50 library versions: OpenSSL 1.1.1g 21 Apr 2020, LZO 2.10
🔐 Enter Auth Username: OS-XXXXXX
🔐 Enter Auth Password: ***********
2022-01-11 04:16:01 TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x:1194
2022-01-11 04:16:01 UDP link local (bound): [AF_INET][undef]:1194
2022-01-11 04:16:01 UDP link remote: [AF_INET]x.x.x.x:1194
2022-01-11 04:16:01 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2022-01-11 04:16:02 [offensive-security.com] Peer Connection Initiated with [AF_INET]x.x.x.x:1194
2022-01-11 04:16:03 TUN/TAP device tun0 opened
2022-01-11 04:16:03 net_iface_mtu_set: mtu 1500 for tun0
2022-01-11 04:16:03 net_iface_up: set tun0 up
2022-01-11 04:16:03 net_addr_v4_add: 192.168.xx.xx/24 dev tun0
2022-01-11 04:16:03 Initialization Sequence Completed
The exam control panel is available via a link provided in your exam email. Through the exam control panel you will be able to:
- Submit proof files
- Revert target machines
- View specific target objectives and point values
You have a limit of 24 reverts. This limit can be reset once during the exam. All of the machines have been freshly reverted at the start of your exam so you will not be required to revert the machines when you begin. Please wait patiently for the machine to revert and only click the button once per attempt. Note that reverting a target machine will cause it to return to its original state and any changes you have made to the machine will be lost.
- proof.txt - This file is only accessible to the root or Administrator user and can be found under the /root/ directory or the Administrator Desktop.
- local.txt - This file is accessible to an un-privileged user account.
Note that the targets containing these files are detailed in your exam control panel.
You will receive no points for a specific target for the following:
- Using a restricted tool
- Using Metasploit Auxiliary, Exploit, or Post modules on multiple machines
- Using the Meterpreter payload on multiple machines
- Failure to provide the local.txt and proof.txt file contents in both the control panel and in an interactive shell screenshot
- Lack of documentation
Ideally, one of the following templates should be used for the penetration test report:
You may use your own template as long as the information is presented in a structured, professional manner and follows all other requirements outlined above.
Currently, two options are available to earn ten (10) bonus points. Students must satisfy the requirements of one of the options available as we will not be accepting a combination of both methods.
Note: If you submit your exam report with the exercise and lab report, then we will grade your exam as per the old system. Otherwise, we will automatically grade it according to the new one.
Topic Exercises + 30 Lab Machines
- In order to receive ten (10) bonus points, you must submit at least 80% of the correct solutions for topic exercises in every topic in the PEN-200 course and submit 30 correct proof.txt hashes in the Offsec Platform.
- There are no restrictions on which lab machines apply to the 30 correct proof.txt hashes. This means Sandbox, Alpha, Beta, and Alice can be included.
- You can view your completed percentage of Topic Exercises under the Course Progress/ Exercise modal in the OffSec Platform.
- You can view your completed percentage of Topic Exercises for each Topic by hovering your cursor over the Exercises progress bar.
For more information about sunsetting legacy exercises and our new bonus point system, please refer to our blog post.
Legacy Exercises + 10 Lab Machines
- In order to receive ten (10) bonus points, you must complete the lab report AND the course exercises.
- We will continue to accept lab reports in the legacy format until January 31st, 2023.
- The lab report must be submitted in a separate PDF file, archived with your exam report. Failure to submit the file in the correct format will result in 0 bonus points being awarded. See below for additional details.
- The lab report must contain a description of your attack steps for a fully exploited Active Directory set (XOR or SVCorp which consists of four (4) machines each) and six (6) fully compromised unique machines for a total of ten (10) machines. Alternatively, you could include two (2) Active Directory sets and two (2) fully exploited standalone machines for a total of ten (10) machines in your lab report.
- All information provided regarding the machines' configurations or exploits used must be correct
- Each machine's proof.txt must be shown in a screenshot that includes the contents of the file, as well as the IP address of the target by using ip addr
- The following machines may not be included in your report: Sandbox, Alpha, Beta, Alice. Students who enrolled for the PEN-200 course on or after 20th May 2022 are not eligible to use the Alice machine in their lab report. However, if you enrolled before 20th May 2022 you may still include it.
- All vulnerabilities exploited within the lab report must be unique. You may not use the same exploit against multiple machines
- You must successfully attack ten different targets. Documenting multiple attack vectors for the same machine will not grant additional points
- The course exercises must be appended to the end of your lab report
- The course exercises must ALL be complete and correct, with the exception of those which explicitly state otherwise
For more information about PEN-200 reporting requirements, please refer to the PEN-200 Reporting page.
This subsection of the exam guide documents what you should do in case you are unable to complete your exam due to severe external factors. Please make sure to read and understand it carefully.
The exam lab is a dedicated environment with no students connected other than yourself. The total allotted time of 23:45 hours does take life and its situations into consideration:
- You are expected to take rest breaks, eat, drink and sleep
- You are also expected to have a contingency plan in the event that there is an issue outside your control. (e.g. make sure you have access to a backup Internet connection)
If you have a legitimate issue, please send an email with your OSID to "challenges AT offensive-security DOT com" immediately. Make sure to include all the necessary details and supporting information such as a letter from your power company, ISP or any other relevant documentation.
Please note we are only able to extend the lab time if the issues were present on our side and only when the exam subnet is not immediately in use by another student following your exam. If there is an issue on our side and the exam subnet is scheduled for use immediately following your exam, we will provide a free exam retake attempt. We work very hard to ensure our environments are highly available and issues are very rare.
If you encounter any connectivity problems with the VPN or target machines, inform us immediately, directly in the proctoring chat. Should you not be able to access the proctoring tool, please contact us via the live chat available at https://chat.offensive-security.com or via email to "help AT offensive-security DOT com".
Please note that we will not be able to assist with, or give hints on, any exam objectives and will only be available for technical problems during the exam.
- Your exam report is in PDF format
- You have used the following format for the PDF file name "OSCP-OS-XXXXX-Exam-Report.pdf", where "OS-XXXXX" is your OSID
- Your PDF has been archived into a .7z file (Please do NOT archive it with a password)
- You have used the following format for the .7z file name "OSCP-OS-XXXXX-Exam-Report.7z", where "OS-XXXXX" is your OSID
- You have made sure that your archive is not more than 300MB and the extracted files are not more than 400MB
- You have uploaded your .7z file to https://upload.offsec.com
Note that the filename is case sensitive. Students must submit their exam file following the exact filename format structure above. If your file does not follow the exact filename format and structure, the application will not accept it.
The following subsections provide details on each of these requirements.
Your exam report must be submitted in PDF format archived into a .7z file. Please make sure to include all your scripts or any PoCs as text inside the exam/lab report PDF file itself. No other file formats will be accepted within the .7z file other than PDF file format.
If you submit your report in any other file format, we will not request or remind you to send a PDF report archived into a .7z file and your exam report will not be scored.
Before submitting your exam report, please review the PDF document to ensure the format and content appear as they did in your original document and that there are no formatting errors.
After uploading your exam file to upload.offsec.com, the site will provide you with the MD5 hash of your uploaded file.
Please make sure to verify that you have uploaded your report correctly by checking and comparing the MD5 hashes of your uploaded exam file and the file you have locally.
If the values do not match, that means your file did not upload successfully. Click on "Select a new file" and upload your archive again.
└─$ sudo md5sum OSCP-OS-XXXXX-Exam-Report.7z
If you are submitting a lab report as well, you may use the following format for the file name: "OSCP-OS-XXXXX-Lab-Report.pdf" and it must be archived along with your exam report into one archive in the "OSCP-OS-XXXXX-Exam-Report.7z" naming format.
Please do not archive your .7z and PDF file(s) with a password. Our system will not accept password-protected files.
You must submit your documentation in a .7z file. Please use your Kali machine to create your .7z file.
└─$ sudo 7z a OSCP-OS-XXXXX-Exam-Report.7z OSCP-OS-XXXXX-Exam-Report.pdf
7-Zip 9.20 Copyright (c) 1999-2010 Igor Pavlov 2010-11-18 p7zip Version 9.20 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,2 CPUs)
Updating archive OSCP-OS-XXXXX-Exam-Report.7z
Everything is Ok
Please submit your .7z file via https://upload.offsec.com within 24 hours of completion of the exam and follow the provided instructions in order to upload your archived exam report.
The size limit is 400MB for the extracted files and 300MB for the archive. If the size constraints are not met, you will not be able to upload your archive. If you are unable to meet the size constraints, we suggest looking at ways to reduce your file size using techniques such as image compression.
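A pre-upload check for the naming, content, password and size requirements above, as an added example that is not OffSec tooling. The function names, the digits-only OSID pattern and the reading of 1MB as 10^6 bytes are assumptions; the sample listing is constructed.

```shell
#!/bin/sh
# Pre-upload checks for the exam archive. Added example, not OffSec tooling.
# Assumptions: an OSID is "OS-" plus digits, and 1MB = 10^6 bytes (stricter reading).
MAX_ARCHIVE=$((300 * 1000 * 1000))
MAX_EXTRACTED=$((400 * 1000 * 1000))

# The file name is case sensitive, so match the archive name exactly.
check_archive_name() {
  basename "$1" | grep -Eq '^OSCP-OS-[0-9]+-Exam-Report\.7z$'
}

# The archive itself must exist and must not exceed 300MB.
check_archive_size() {
  [ -f "$1" ] || return 1
  [ "$(($(wc -c < "$1")))" -le "$MAX_ARCHIVE" ]
}

# Reads `7z l -slt ARCHIVE` output on stdin. Passes only if the exam report is
# present, every entry is an Exam-Report or Lab-Report PDF, no entry is
# encrypted, and the extracted sizes total at most 400MB.
check_listing() {
  awk -v max="$MAX_EXTRACTED" '
    $0 == "----------" { entries = 1; next }   # per-file blocks follow this line
    !entries           { next }                # skip the archive-level header
    /^Path = / {
      name = substr($0, 8)
      if (name ~ /^OSCP-OS-[0-9]+-Exam-Report\.pdf$/) exam = 1
      else if (name !~ /^OSCP-OS-[0-9]+-Lab-Report\.pdf$/) bad = 1
    }
    /^Size = /        { total += substr($0, 8) }
    /^Encrypted = \+/ { bad = 1 }
    END { if (bad || !exam || total > max) exit 1 }
  '
}

# Constructed sample of `7z l -slt` output for a valid archive.
sample_listing() {
  printf '%s\n' 'Path = OSCP-OS-12345-Exam-Report.7z' 'Type = 7z' '' \
    '----------' 'Path = OSCP-OS-12345-Exam-Report.pdf' 'Size = 52428800' \
    'Encrypted = -' '' 'Path = OSCP-OS-12345-Lab-Report.pdf' \
    'Size = 31457280' 'Encrypted = -'
}

# Runs every check, then prints the MD5 to compare with the upload site.
verify_submission() {
  check_archive_name "$1" || { echo "file name does not match the required format" >&2; return 1; }
  check_archive_size "$1" || { echo "archive missing or larger than 300MB" >&2; return 1; }
  7z l -slt "$1" | check_listing || { echo "archive contents rejected" >&2; return 1; }
  md5sum "$1"   # compare this hash with the one shown by upload.offsec.com
}

if [ "$#" -gt 0 ]; then verify_submission "$1"; fi
```

Run it with the archive path as the only argument; a non-zero exit status means one of the documented requirements is not met.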
After the file has been uploaded, you will be presented with a "Submit File" button where an MD5 hash of your exam report will be displayed. Make sure to click the "Submit File" button after verifying your MD5 hash to submit your files successfully.
If you do not upload your exam-report via https://upload.offsec.com , it will not be graded.
Once the report is uploaded successfully, a confirmation email will be sent immediately acknowledging the receipt. If you have not received the email, please ensure that you uploaded your report and clicked the Submit File button on the final page of https://upload.offsec.com after verifying your MD5 hash. We also recommend you to check your email spam and junk folders in case the confirmation email has been flagged as spam.
In the unlikely event that we require additional clarification on your exam report, we will get in contact with you via email. You must submit the requested information within 24 hours from the time we have requested it.
You will receive an email with your certification exam results (pass/fail) within ten (10) business days after submitting your documentation.