OSCP Study Guide 2026

Everything you need to pass the OSCP exam in one place: the exam format, every topic to study, real practice questions with explanations, flashcards, and full-length practice tests. Free, no sign-up needed.

📋 OSCP Exam Format at a Glance

75
Questions
90 min
Time Limit
70.00%
Passing Score

📚 OSCP Topics to Study (15)

✍️ Sample OSCP Questions & Answers

1. What is a common technique to bypass file upload filters that block PHP extensions?
Use double extensions like shell.php.jpg

Using double extensions such as shell.php.jpg can bypass naive file extension checks if the server processes the PHP extension before the final jpg extension.

2. What type of attack involves tricking a victim into sending authenticated requests to a vulnerable web application without their knowledge?
CSRF

Cross-Site Request Forgery (CSRF) forges authenticated requests from a victim's browser to perform unintended actions on a web application where they are logged in.

3. What are NTLMv2 challenge-response hashes and how are they typically cracked in OSCP?
They are captured during authentication challenges (via Responder) and cracked offline with hashcat using module 5600

NTLMv2 hashes are challenge-response authentication tokens captured from network traffic or via tools like Responder, and are cracked offline using hashcat module 5600 (NetNTLMv2).

4. Which PowerShell command checks whether the current user can modify a specific service's binary?
Get-Acl -Path 'C:\path\to\service.exe' | Format-List

Get-Acl retrieves the security descriptor (ACL) of a file, revealing which users have read, write, or modify permissions on the service binary.

5. What does the SLEEP() function in a SQL injection payload help an attacker determine?
Whether the injection point exists via time delay

SLEEP() is used in time-based blind SQLi to confirm a vulnerable injection point by causing a measurable delay in the server's response.

6. What does the Responder tool do and how is it used in OSCP for credential capture?
It poisons LLMNR/NBT-NS/mDNS broadcast queries to capture NTLMv2 hashes from network hosts

Responder responds to LLMNR, NBT-NS, and mDNS broadcast queries with poisoned responses, tricking Windows hosts into authenticating to the attacker's machine and capturing their NTLMv2 hashes.

🎯 Free OSCP Practice Tests

📖 OSCP Guides & Articles

Your OSCP Study Path
1. Learn with Flashcards → 2. Drill Practice Tests → 3. Take the Full Exam Simulation
OSCP Study Guide 2026 — Exam Format, Topics & Practice Questions