OSCP Subject Knowledge: Tools, Skills, and Exam Domains

What Is OSCP and What Subject Knowledge Does It Test?

The Professional (OSCP) is a hands-on penetration testing certification issued by Offensive Security. Unlike multiple-choice exams, the OSCP requires you to compromise a set of machines in a 23-hour 45-minute lab exam — demonstrating real technical skills rather than theoretical knowledge. This makes the subject knowledge required for OSCP fundamentally different from other certifications: you can't study flashcards into a passing score.

The certification sits within the PWK (Penetration Testing with Kali Linux) course, now updated as PEN-200. The course and exam cover the full offensive security lifecycle: reconnaissance, scanning, enumeration, exploitation, post-exploitation, and reporting. Each phase demands a different set of tools and techniques, and the tests whether you can apply them under time pressure against hardened targets with realistic configurations.

Most candidates are security analysts, IT administrators, or developers who want to transition into offensive security roles. The OSCP is widely regarded as a baseline credential for penetration tester positions, and many job postings in the red team and pen test space list it as a preferred or required qualification. Understanding the specific subject domains and technical skills the exam tests helps candidates focus their preparation on the areas that matter most for exam success.

The OSCP credentialing process begins with the PEN-200 course, which combines video content, PDF material, and hands-on lab machines. The course covers the full offensive security methodology in a structured progression, moving from basic Kali Linux usage through advanced Active Directory attacks. Completing the course exercises and lab report submission earns 10 bonus points added to your exam score — a meaningful advantage that many candidates underutilize. Prioritizing the labs over passive video consumption is the most common advice from OSCP holders, and it reflects how the credential is fundamentally designed: to be earned through doing, not watching.

OSCP Exam Domains and Subject Areas

The PEN-200 curriculum and cover a structured set of offensive security domains. Understanding each domain's scope helps you prioritize study time and identify knowledge gaps before the exam. Active Directory (AD) exploitation is particularly important in the current version of the exam — the AD set is worth 40 of the 100 available points, making it the single highest-value target in the exam environment.

Reconnaissance covers both passive techniques (OSINT, DNS lookups, certificate transparency) and active techniques (port scanning, service version detection, OS fingerprinting). The doesn't reward speed in initial scanning — it rewards thoroughness. Candidates who miss open ports or running services during enumeration frequently fail because they can't identify the correct attack vector. Running full-port scans with version detection before moving to exploitation is a non-negotiable habit for OSCP success.

Buffer overflow exploitation was historically a major OSCP topic and remains part of the curriculum, though its weight in the current exam has shifted. Understanding stack-based buffer overflows — EIP control, bad character identification, shellcode delivery, and return address selection — remains valuable both for the exam and for real-world assessments. The BOF methodology, when practiced, becomes systematic and reliable even under exam-day pressure.

Web application attacks represent another core domain. SQL injection, local file inclusion (LFI), remote file inclusion (RFI), command injection, and authentication bypass are common attack vectors on OSCP exam machines. Burp Suite proficiency is essentially mandatory — candidates who haven't used Burp's intercepting proxy, repeater, and scanner features before the exam are at a significant disadvantage on web-based targets.

Post-exploitation reporting is the final phase of every successful machine compromise in the OSCP exam. You must document your attack chain — from initial access through privilege escalation — with supporting screenshots, commands run, and proof of compromise (proof.txt contents). The 24-hour report submission window after the lab exam tests your ability to produce professional documentation under time pressure.

Candidates who take notes and screenshots throughout the lab exam rather than waiting until the end produce dramatically better reports. A well-documented attack chain that clearly explains the reasoning behind each step is what the OSCP report graders evaluate — not just the final proof screenshot.

Windows Exploitation and Privilege Escalation Skills

Windows privilege escalation is one of the most-tested skill areas in the . After gaining initial access to a Windows machine, you need to escalate from a low-privileged user to SYSTEM or Administrator to capture the proof.txt flag. The OSCP exam rewards methodical enumeration over guessing — running tools like WinPEAS or PowerUp to systematically identify misconfigured services, unquoted service paths, weak permissions, and stored credentials is the correct approach.

Common Windows privilege escalation vectors tested in OSCP include: service binary hijacking (replacing a service executable with a malicious payload), unquoted service paths (exploiting Windows service path resolution), DLL hijacking (placing a malicious DLL in a directory the target process searches), token impersonation (using SeImpersonatePrivilege via tools like Printspoofer or GodPotato), and scheduled task exploitation. Knowing when each technique applies and how to identify it through enumeration output is a practical skill that only comes from hands-on lab practice.

Windows credential harvesting is equally important. Extracting credentials from SAM files, LSASS dumps, and credential manager stores gives you material for lateral movement. PowerShell history, configuration files, and registry keys frequently contain cleartext credentials on OSCP lab machines and real-world engagements. The habit of searching for credentials as part of every post-exploitation phase — not just when stuck — consistently reveals attack paths that purely technical exploitation might miss.

Antivirus evasion is covered in PEN-200 but is less critical for the exam environment, which doesn't run modern endpoint detection and response (EDR) tools. That said, understanding basic payload obfuscation and the concept of in-memory execution versus on-disk payloads prepares candidates for real-world engagements where EDR is present. OSCP holders moving into professional penetration testing quickly find that evasion skills separate adequate testers from exceptional ones.

The methodical nature of OSCP Windows exploitation rewards candidates who develop a consistent post-exploitation checklist. Running WinPEAS, reviewing its output section by section, checking file permissions on service executables, reviewing scheduled tasks, searching for config files with credentials, and checking group memberships all happen in sequence — not randomly. Candidates who internalize this checklist as a habitual sequence rather than a lookup list can execute it under exam pressure without forgetting steps. Building the checklist during lab practice by reviewing what you missed after each successful compromise creates a personalized methodology that reflects the actual OSCP exam environment's common vectors.

Linux Exploitation and Enumeration Skills

Linux privilege escalation on OSCP requires the same methodical enumeration approach as Windows. LinPEAS is the standard automated enumeration tool, but understanding what it finds — and why certain findings are exploitable — matters more than running the tool blindly. SUID binaries with known exploits, writable cron jobs running as root, sudo misconfigurations, and kernel exploits are common Linux privilege escalation paths in the OSCP lab and exam environments.

GTFOBins is an essential reference for Linux privilege escalation. This curated list documents how standard binaries like find, vim, less, python, and wget can be abused to escape restricted environments or gain elevated privileges. OSCP exam targets frequently have sudo permissions configured to allow running one specific binary as root — checking GTFOBins for that binary is often the fastest path to privilege escalation once you identify the sudo configuration.

Linux enumeration extends beyond privilege escalation vectors. Looking at running processes, active network connections, listening ports, configuration files in /etc, application directories in /var/www, home directories, and bash history often reveals information useful for further exploitation. The discipline of reading the output from enumeration tools carefully — rather than immediately running exploits — is a habit that distinguishes experienced OSCP candidates from those who rush and miss critical findings.

Kernel exploits are a tempting shortcut for Linux privilege escalation but carry significant risk in the OSCP exam environment. Kernel exploits can crash the target machine, requiring an exam proctor to revert it and costing you time. The OSCP exam is designed so that kernel exploits are rarely the intended path — misconfigured services, weak permissions, and application vulnerabilities almost always represent cleaner routes to root.

Save kernel exploits as a last resort after exhausting all other enumeration findings. If a machine does require a kernel exploit, test it in the lab first and confirm the target kernel version precisely before deploying it in the exam.

Understanding the relationship between file permissions, SUID bits, and process ownership is foundational for Linux privilege escalation. When a binary with the SUID bit set runs as root and you can influence its execution, you can gain a root shell. GTFOBins documents which SUID binaries are exploitable and exactly how — making it a reliable first reference whenever SUID enumeration reveals an interesting binary.

Essential OSCP Tools and When to Use Them

Knowing which tool solves which problem quickly is a practical skill the OSCP exam rewards directly. The 23h 45m window is tight for 3–6 machines — spending 45 minutes misconfiguring a tool costs you a potential flag. Building tool fluency in the lab before the exam, to the point where commands run from muscle memory rather than documentation lookup, is what exam preparation means in practice for OSCP.

Nmap is the foundational reconnaissance tool. The standard OSCP workflow starts with a fast full-port TCP scan (nmap -p- --min-rate 5000), followed by a targeted service scan on discovered ports (nmap -sV -sC -p [ports]). Running Nmap scripts against identified services — SMB scripts, HTTP scripts, SSL scripts — often reveals the specific vulnerability or misconfiguration that serves as the entry point. Skipping thorough Nmap enumeration is one of the most common failure patterns in OSCP exam attempts.

Gobuster and Feroxbuster handle web directory and file brute-forcing. Both tools are fast enough for exam use, and knowing which wordlist to use for each target type matters — SecLists has purpose-built lists for common web technologies, APIs, and CMS platforms. For web applications running CMS platforms like WordPress, WPScan provides plugin vulnerability enumeration that general directory scanners miss.

CrackMapExec (CME) is one of the most versatile tools in the OSCP Active Directory toolkit. It allows password spraying across domain-joined machines, verifying credential validity against SMB and WinRM, executing commands on accessible machines, and dumping SAM and NTDS databases. The tool's ability to scan an entire subnet for valid credentials in a single command makes it invaluable during lateral movement phases.

For pivoting scenarios — where internal network segments are only reachable through a compromised machine — chisel and ligolo-ng create SOCKS proxies that route tool traffic through the pivot host. Mastering at least one pivoting tool before the exam is essential for machines on isolated segments, which appear consistently in the current OSCP exam format.

Netcat remains one of the most versatile tools in the OSCP toolkit despite its age. Catching reverse shells (nc -lvnp 4444), transferring files between machines, and establishing bind shells all use netcat in scenarios where more complex tools aren't available. Knowing how to stabilize a netcat shell — using Python's pty module or socat to get a fully interactive TTY — prevents accidental shell drops during post-exploitation and lets you run commands that require a terminal.

Web Application Attack Knowledge for OSCP

Web application exploitation is a consistent presence in OSCP exam environments. Most candidates encounter at least one web-based initial access vector per exam session, and some exam machines are almost entirely web-focused. SQL injection, command injection, file inclusion vulnerabilities, and authentication bypass are the most frequently tested web attack types in PEN-200 lab machines and historical exam configurations.

Manual SQL injection proficiency matters more than tool fluency for OSCP. SQLmap can automate exploitation, but understanding the manual process — identifying injection points, determining the database type, extracting schema and data, and reading files or writing shells — teaches you to exploit databases that automated tools mishandle. OSCP exam machines are sometimes configured in ways that trip up automated tools, making manual exploitation the reliable fallback.

Local file inclusion (LFI) vulnerabilities allow attackers to read arbitrary files on the target system. In OSCP contexts, LFI vulnerabilities in PHP applications can be chained with log poisoning (contaminating web server logs with PHP code, then including the log file) to achieve remote code execution. Understanding this attack chain — LFI → log poisoning → RCE → reverse shell — is a practical skill directly applicable to OSCP exam machines. Remote file inclusion (RFI) vulnerabilities, where the target fetches and executes code from an attacker-controlled server, are rarer but equally important to understand.

File upload vulnerabilities are another reliable OSCP attack path. Web applications that allow file uploads frequently fail to validate file type, content, or extension properly. Uploading a PHP webshell or reverse shell disguised as an image or document, then navigating to the uploaded file's URL, converts a file upload feature into remote code execution. OSCP candidates should practice multiple upload bypass techniques — double extensions, MIME type manipulation, null bytes, and content-type header modification — because exam machines may filter specific approaches.

Directory traversal vulnerabilities allow attackers to access files outside the web root by manipulating path parameters. On Linux targets, traversal to /etc/passwd reveals valid usernames; traversal to SSH private key files can provide direct authentication without cracking passwords. On Windows targets, traversal to web.config or application configuration files frequently exposes credentials.

Knowing the encoding variations that bypass traversal filters — double URL encoding, Unicode encoding, using forward vs. backslashes — expands the attack surface against web applications that appear to filter basic traversal attempts. These techniques, practiced in PEN-200 lab machines, become second nature by the time candidates sit the exam and encounter web-based targets in their allotted time.