OSCP Roadmap — curated machines
Editorial list of 30 machines ordered by difficulty and vector type, designed to reach the OSCP with the muscle trained. If you own these, the exam won’t surprise you.Before starting: read the professional methodology
and keep the tactical glossary handy. If you don’t
know what an LFI or Kerberoasting is when looking at a machine,
you’re wasting time with it. Review the learning
resources first.
🚨 What changed in November 2024 (OSCP+)
If you’re studying with old guides, they’re outdated. OffSec rebranded the exam as OSCP+ and rewrote the format.⚠️ Structural changes — post Nov-2024 exam
Buffer Overflow eliminated. Active Directory now mandatory
and worth 40% of the exam. 10-point bonus for exercises eliminated.
The new OSCP+ expires after 3 years (the “old” OSCPs
remain lifetime).
Sources: OffSec — OSCP Exam Changes, OffSec — OSCP+ blog, Cyberphinix analysis.
Active Directory: the real exam filter
The AD set is worth 40 points, it’s 3 chained machines (10 + 10 + 20) and failing #1 blocks the next two. The assumption is “assumed compromise” — they give you user+password of a standard user and you must reach Domain Admin. Baseline techniques (not optional):- Kerberoasting + AS-REP Roasting + password spraying
- BloodHound (“Shortest Path to DA from Owned” query appears in nearly every successful writeup)
- Pass-the-Hash / Pass-the-Ticket
- DCSync
- Pivoting with Ligolo-ng / chisel (the AD set forces moving between subnets — without this you stay on machine #1)
- ACL abuse, delegations and GPP cpassword
OSCP vs modern alternatives (2026 matrix)
Recommended path with flexibility: PNPT first (cheap,
realistic) → OSCP (brand weight) → CRTP (AD depth). The
official PEN-200 course covers ~30% of what’s needed per
community consensus — HTB + TJNull list are mandatory to
pass.
Sources: HackerDNA OSCP+ guide, Netguardia — OSCP in 2026, TJ Null Prep List.
Typical 2025-2026 candidate mistakes (different from old exam)
- Poor pivoting/tunneling — without Ligolo-ng/chisel you don’t pass AD #1.
- Kerberos gaps — Kerberoasting / AS-REP / PtH are baseline, not extras.
- No BloodHound — not knowing what query to run = nearly guaranteed fail.
- Rabbit-holing — without 10 bonus pts, no margin left.
- Poor notes — incomplete report = lost points even on compromised machines.
- Jumping to PEN-200 without fundamentals — wastes lab time learning Linux basics.
⏱️ The stopwatch rule
The OSCP candidate’s #1 mistake is falling in love with a useless vector. If after X minutes a vector hasn’t produced any sign of progress, pivot. Come back later with more context.
4× rule: if you’ve spent 4× the target time on a vector, your
initial enumeration was incomplete. Go back to step 1.
🔗 Exploit chaining: the trick to passing
A single-vector HTB solve rarely earns the 60 points of the exam. Real OSCP machines require chaining 2-3 vulnerabilities:
Active practice: after solving a machine, rewind the writeup
and draw the full chain in a diagram. If you can’t diagram it,
you didn’t understand it. Full detail at
/en/metodologia#exploit-chaining.
Block 1 — Fundamentals (10 machines, all easy Linux/Windows)
Basic vectors: enumeration, classic buffer overflow, LFI/RFI, SMB.Block 2 — Active Directory (10 machines)
The modern OSCP weighs heavily on AD. If this trips you up, you fail.Block 3 — Heavy web (5 machines)
The exam’s web points often decide pass or fail.Block 4 — Linux privesc (5 machines)
Sudo, SUID, capabilities, kernel.How to use this roadmap
- Don’t skip blocks. Block 2 (AD) assumes you’ve warmed up on basic Linux and Windows.
- Time yourself. If a machine takes more than 4h without hints, read the writeup and move on. The goal is patterns, not pride.
- Take notes. A solved machine yields 1-2 pages of personal notes; without notes, you’ll review it in 3 weeks and won’t remember.
- After each block: re-do a machine from the previous block without hints. If you stumble, repeat it.
- For each machine, complete the professional checklist (not just “got the flag”):
✅ Per-machine checklist
HTB machine solved without these 7 points = a line on your CV. HTB machine solved with these 7 points = real case for your professional portfolio.- Do I know the CVE (if any) or CWE of the flaw?
- Do I know the CVSS score I’d assign?
- Can I write the business impact in non-technical language?
- Do I have the exact remediation code/config block?
- Do I know what alerts would fire in a real SOC (defensive footprint)?
- Do I have the MITRE ATT&CK ID mapped for each technique used?
- Did I document which vectors failed and why (cemetery of vectors)?
This roadmap is opinionated and editorial. If you think a machine
is missing or one shouldn’t be there, open a PR against
docs/en/htb/oscp-roadmap.mdx.