I passed OSCP+ in December 2025, while working full-time as an IT Security Analyst conducting enterprise VAPT engagements — including a 1,500+ IP core banking infrastructure audit. I prepared over 18 months alongside a demanding job. This post is not about what resources to study. This post is about the exam itself — what actually happens in those 24 hours, what broke me at hour 14, and what brought me back.

If you are sitting your OSCP exam in the next few weeks, read this carefully. I want you to pass on your first attempt.

The exam doesn't test what you know. It tests whether you can think clearly under pressure.

What the OSCP+ exam actually looks like

You get 23 hours 45 minutes to compromise a set of machines in a private VPN lab. There is a full Active Directory set (3 machines) plus standalone Windows and Linux targets. The AD chain alone gives you enough points to pass — that is not an accident. OffSec wants you to show you can work through a real AD environment end-to-end.

After the exam ends, you have another 24 hours to write and submit your report. The report is not optional. People have fully compromised the exam and still failed because their report was weak. I have seen this happen. Do not let it happen to you.

The night before — what I did

Most OSCP guides tell you to rest. That is half the advice. Here is what I actually did the night before my exam:

💡 Folder structure matters. Create this before the exam starts:
exam/ → AD_machine1/ → AD_machine2/ → AD_DC/ → standalone1/ → standalone2/
Each folder has a screenshots/ subfolder. Every command you run — screenshot it immediately. You will thank yourself at 2 AM.

My hour-by-hour exam strategy

Hour 1–2
Enumerate everything before touching anything. Run full nmap scans on all targets simultaneously. While scans run, read every result carefully. Take notes. Do not rush to exploit.
Hour 2–6
Attack the AD chain first. This is where your biggest point return is. Get initial foothold, enumerate AD with BloodHound/PowerView, find the attack path. Document every step.
Hour 6–12
Move to standalone machines. Apply your methodology consistently. If stuck on one machine for more than 90 minutes, move to the next and come back later with fresh eyes.
Hour 12–16
This is the danger zone. Fatigue sets in. Your brain will convince you there is nothing left to find. Take a 20-minute break, eat something, walk. Come back and re-enumerate from scratch.
Hour 16–20
Consolidate and verify. Once you have enough points, verify every flag is correctly captured. Re-screenshot your proof files. Do not assume — confirm.
Hour 20–24
Start your report immediately. Do not wait until the exam ends. Use this time to start structuring your writeup while everything is fresh in your mind.

The AD chain — how I approached it

The Active Directory set is three machines: two workstations and a domain controller. You are given initial credentials — this simulates a breach scenario. Your job is to escalate from that low-privilege user to Domain Admin.

My exact enumeration flow

# Step 1: Basic AD recon (these are PowerView cmdlets, so load PowerView first)
Import-Module .\PowerView.ps1
Get-NetDomain
Get-NetUser | select cn,description
Get-NetComputer
Find-LocalAdminAccess

# Step 2: BloodHound — always
Import-Module .\Sharphound.ps1
Invoke-BloodHound -CollectionMethod All -OutputDirectory C:\temp

# Step 3: Look for these attack paths in BloodHound
# - Kerberoastable accounts
# - AS-REP Roastable accounts
# - GenericAll rights
# - WriteDACL permissions
# - Path to Domain Admin

In the exam, BloodHound will almost always show you the path. People fail not because they cannot run BloodHound — they fail because they do not know how to read what BloodHound is showing them. Spend time learning BloodHound queries before your exam, not just how to collect data.

⚠️ Do not run automated exploitation tools on the AD set without understanding what they do. Metasploit usage is restricted in OSCP. Know exactly what you are running and why.

When you get stuck — the exact process I used

At hour 14 of my exam, I was stuck. I had the AD chain completed and one standalone rooted. I could not find the foothold on the second standalone. My brain was fried. Here is what I did:

  1. Stepped away from the screen for 20 minutes. Not 5 minutes — 20 minutes. Drank water, ate something.
  2. Came back and re-ran my initial nmap scan. Full port scan. Found a port I had not checked.
  3. Enumerated that port methodically. Found a service version. Searched for exploits. Got my foothold.

The answer is almost always in enumeration you missed. When you are stuck, do not dig deeper into what you have already tried. Go back to the beginning and look at what you have not tried yet.
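
The re-enumeration step above can be made mechanical. As an added example (not part of the original post), this Python script parses nmap grepable (`-oG`) output and lists open ports that have no entry in your notes. The notes format, function names and sample data are assumptions constructed for illustration.

```python
# Constructed sample in `nmap -oG` format; 192.0.2.0/24 is a documentation-only range.
SAMPLE_GNMAP = """\
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 8080/closed/tcp//http-proxy///, 161/open|filtered/udp//snmp///\tIgnored State: closed (996)
Host: 192.0.2.11 ()\tPorts: 445/open/tcp//microsoft-ds///, 5985/open/tcp//wsman///
"""

# Hypothetical notes format: one "host port/proto" line per port already enumerated.
SAMPLE_NOTES = """\
192.0.2.10 22/tcp
192.0.2.10 80/tcp
192.0.2.11 445/tcp
"""

def open_ports(gnmap_text):
    """Map (host, port, proto) -> service for open and open|filtered ports."""
    found = {}
    for line in gnmap_text.splitlines():
        if not line.startswith("Host: ") or "Ports: " not in line:
            continue  # skip comments and "Status:" lines
        host = line.split()[1]
        port_list = line.split("Ports: ", 1)[1].split("\t", 1)[0]
        for entry in port_list.split(","):
            # Entry layout: port/state/protocol/owner/service/rpcinfo/version/
            fields = entry.strip().split("/")
            if (len(fields) >= 5 and fields[0].isdigit()
                    and fields[1] in ("open", "open|filtered")):
                found[(host, int(fields[0]), fields[2])] = fields[4] or "unknown"
    return found

def checked_ports(notes_text):
    """Parse the notes into a set of (host, port, proto) tuples."""
    done = set()
    for line in notes_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and "/" in parts[1] and not line.startswith("#"):
            port, proto = parts[1].split("/", 1)
            if port.isdigit():
                done.add((parts[0], int(port), proto))
    return done

def unchecked(gnmap_text, notes_text):
    """Open ports from the scan that have no matching line in the notes."""
    scan, done = open_ports(gnmap_text), checked_ports(notes_text)
    return sorted(key + (scan[key],) for key in scan if key not in done)

if __name__ == "__main__":
    for host, port, proto, service in unchecked(SAMPLE_GNMAP, SAMPLE_NOTES):
        print(f"{host}\t{port}/{proto}\t{service}\tnot yet enumerated")
```

On the constructed sample it reports the UDP SNMP port and the WinRM port as the two services nobody has looked at yet, while the closed 8080 is ignored.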

💡 My stuck-on-machine checklist:
Have I run a full port scan including UDP? · Have I checked every web port for directory traversal and LFI? · Have I looked at the version numbers and searched for CVEs? · Have I checked for default credentials? · Have I tried SMB enumeration? · Have I checked for anonymous FTP or LDAP?

The report — where people fail without knowing

Your report must be submitted within 24 hours of your exam ending. It needs to cover every machine you compromised, with a clear attack narrative for each. OffSec is very specific about what they want — read the exam guide before your exam, not after.

For each machine, your report should include: initial enumeration findings, identified vulnerability or misconfiguration, exploitation steps with screenshots, post-exploitation and privilege escalation, proof file screenshot with whoami and hostname visible in the same screenshot.

⚠️ The proof screenshot must show whoami, hostname, and the flag in the SAME screenshot. A flag alone is not enough. I have seen people fail because of this exact mistake.

Report writing tip from my VAPT experience

In my job I write VAPT reports for banking CISOs. The discipline I learned from enterprise reporting — clarity, structure, evidence — directly helped me write a strong OSCP report fast. Even if you are not doing enterprise VAPT, practice report writing during your lab time. Do not treat it as an afterthought.

Mindset — the thing nobody talks about

The OSCP exam is long. At some point, twenty-four hours tests your psychology more than your technical skills. You will hit moments where you feel like you know nothing. That feeling is normal. It happens to everyone — including people who pass on the first try.

The people who fail are not usually less skilled. They are the ones who panic, lose their methodology, and start randomly trying things. Keep your methodology. Trust your process. Enumerate first. Always.

Methodology beats luck every single time.

Practical checklist for exam day

One last thing

I sat my OSCP exam while conducting a 1,500+ IP core banking infrastructure audit onsite. I know what it is like to prepare under pressure. If you are working full-time and preparing for OSCP — it is absolutely possible. It requires consistency, not talent.

Prepare your methodology. Know your tools. Practise your report writing. And on exam day — stay calm, enumerate thoroughly, and trust yourself.

Good luck. You have got this.

— Anshil Dev, OSCP+ | Delhi, India

