OSCP Cheat Sheet 2026

The 30 highest-yield OSCP facts, distilled from real exam questions. Print it, save it as a PDF, or study it here — free, no sign-up.

75 questions
90 min time limit
70.00% to pass
  1. Which tool is commonly used during OSCP to enumerate web application directories using a wordlist? Dirb
  2. During an OSCP lab, you find port 111 open on a Linux target. What service is most likely running? Portmapper/RPC
  3. In a Local File Inclusion (LFI) vulnerability, which of the following payloads is used to traverse directories and read /etc/passwd? ../../../etc/passwd
  4. Which HTTP method is most commonly exploited to upload a malicious web shell to a vulnerable web server? PUT
  5. What tool can dump Windows NTLM password hashes from the SAM database when running as SYSTEM? Mimikatz
  6. Which Windows registry key stores hashed credentials for locally cached domain accounts? HKLM\SECURITY\Cache
  7. Which hashcat attack mode uses a wordlist to crack password hashes? Mode 0 (Straight/Wordlist attack)
  8. Which Burp Suite feature allows an attacker to intercept and modify HTTP requests between a browser and a web server? Proxy
  9. What is DLL hijacking in the context of Windows privilege escalation? Placing a malicious DLL in a directory searched before the legitimate DLL location
  10. A _________ is a sequential section of memory that has been set aside for holding data, like a character string or an array of numbers. buffer
  11. Which Nmap output format is most useful for importing results into other tools during OSCP? -oX (XML)
  12. Where system binaries (programs) are stored /sbin
  13. What Nmap script can identify anonymous FTP login on a target? --script=ftp-anon
  14. When exploiting a Remote File Inclusion (RFI) vulnerability, what does the attacker typically host on their server? A malicious PHP web shell
  15. What Windows privilege escalation technique abuses the SeImpersonatePrivilege token right? Juicy Potato / PrintSpoofer token impersonation
  16. What procedure deletes a folder? rmdir
  17. What does an attacker gain when they successfully exploit an XML External Entity (XXE) vulnerability? Ability to read arbitrary local files or perform SSRF
  18. What is the purpose of the 'rpcinfo -p ' command during enumeration? Enumerate all RPC services and their port numbers on the target
  19. Where .so (Library file, stands for "shared object") are stored (basically like Windows .dll files). /lib
  20. What does the '--os-shell' flag in SQLmap attempt to do? Obtain an interactive OS shell via SQL injection
  21. What Hydra command would brute-force SSH on host 10.10.10.10 using username 'admin' with the rockyou wordlist? hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.10.10 ssh
  22. Which vulnerability occurs when user-supplied input is reflected in a web page without proper sanitization and executes in a victim's browser? Cross-Site Scripting (XSS)
  23. In a UNION-based SQL injection attack, what must be true about the injected SELECT statement? It must have the same number of columns as the original query
  24. What tool is commonly used in OSCP to brute-force SSH, FTP, and HTTP login services? Hydra
  25. What command in Windows lists all scheduled tasks with their run-as users? schtasks /query /fo LIST /v
  26. When enumerating NFS shares during OSCP, which command shows available exports on a target? showmount -e
  27. What Windows command displays all locally stored credentials and cached tokens? cmdkey /list
  28. Buffer-overflow may remain as a bug in apps if __________ are not done fully boundary checks
  29. What type of hash does Windows use by default for local account authentication in modern systems? NTLM (NT hash)
  30. Which Nmap flag combination is commonly recommended for a comprehensive initial OSCP scan? -sV -sC -p- -T4
Turn these facts into recall: