OSCP Cheat Sheet 2026
The 30 highest-yield OSCP facts, distilled from real exam questions. Print it, save it as a PDF, or study it here — free, no sign-up.
75 questions
90 min time limit
70.00% to pass
- Which tool is commonly used during OSCP to enumerate web application directories using a wordlist? → Dirb
- During an OSCP lab, you find port 111 open on a Linux target. What service is most likely running? → Portmapper/RPC
- In a Local File Inclusion (LFI) vulnerability, which of the following payloads is used to traverse directories and read /etc/passwd? → ../../../etc/passwd
- Which HTTP method is most commonly exploited to upload a malicious web shell to a vulnerable web server? → PUT
- What tool can dump Windows NTLM password hashes from the SAM database when running as SYSTEM? → Mimikatz
- Which Windows registry key stores hashed credentials for locally cached domain accounts? → HKLM\SECURITY\Cache
- Which hashcat attack mode uses a wordlist to crack password hashes? → Mode 0 (Straight/Wordlist attack)
- Which Burp Suite feature allows an attacker to intercept and modify HTTP requests between a browser and a web server? → Proxy
- What is DLL hijacking in the context of Windows privilege escalation? → Placing a malicious DLL in a directory searched before the legitimate DLL location
- A _________ is a sequential section of memory that has been set aside for holding data, like a character string or an array of numbers. → buffer
- Which Nmap output format is most useful for importing results into other tools during OSCP? → -oX (XML)
- Where system binaries (programs) are stored → /sbin
- What Nmap script can identify anonymous FTP login on a target? → --script=ftp-anon
- When exploiting a Remote File Inclusion (RFI) vulnerability, what does the attacker typically host on their server? → A malicious PHP web shell
- What Windows privilege escalation technique abuses the SeImpersonatePrivilege token right? → Juicy Potato / PrintSpoofer token impersonation
- What procedure deletes a folder? → rmdir
- What does an attacker gain when they successfully exploit an XML External Entity (XXE) vulnerability? → Ability to read arbitrary local files or perform SSRF
- What is the purpose of the 'rpcinfo -p ' command during enumeration? → Enumerate all RPC services and their port numbers on the target
- Where .so (Library file, stands for "shared object") are stored (basically like Windows .dll files). → /lib
- What does the '--os-shell' flag in SQLmap attempt to do? → Obtain an interactive OS shell via SQL injection
- What Hydra command would brute-force SSH on host 10.10.10.10 using username 'admin' with the rockyou wordlist? → hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.10.10 ssh
- Which vulnerability occurs when user-supplied input is reflected in a web page without proper sanitization and executes in a victim's browser? → Cross-Site Scripting (XSS)
- In a UNION-based SQL injection attack, what must be true about the injected SELECT statement? → It must have the same number of columns as the original query
- What tool is commonly used in OSCP to brute-force SSH, FTP, and HTTP login services? → Hydra
- What command in Windows lists all scheduled tasks with their run-as users? → schtasks /query /fo LIST /v
- When enumerating NFS shares during OSCP, which command shows available exports on a target? → showmount -e
- What Windows command displays all locally stored credentials and cached tokens? → cmdkey /list
- Buffer-overflow may remain as a bug in apps if __________ are not done fully → boundary checks
- What type of hash does Windows use by default for local account authentication in modern systems? → NTLM (NT hash)
- Which Nmap flag combination is commonly recommended for a comprehensive initial OSCP scan? → -sV -sC -p- -T4
Turn these facts into recall: