I'm officially on the OSCP grind. I've always wanted this certification - ever since I can remember learning anything about cyber, I've wanted this cert. Now I've finally taken the steps to make it happen. I've committed to getting it done. Because of OffSec's TOS, I can't share much about the actual content of the course, but I can share some of the plan and my thoughts on the course. I plan on using this blog to track my progress and share more content on the HTB machines I'm playing on during this time.
12/22/2025 - Just finished my first challenge lab! Challenge 0 - Secura is complete. If I learned one thing, it's this: Enumerate, enumerate, enumerate! Seriously, that 80% rule is no joke. Most of my time was spent digging through output, following leads, and just poking around to see what I could find.
Tools that worked well: nmap for the initial port scans (obviously), WinRM with pywinrm for remote access, secretsdump.py for dumping hashes and LSA secrets, BloodHound for mapping the domain relationships, and pyGPOAbuse for the final GPO attack. The real game-changer was finding credentials stored in a MySQL database on one of the machines - definitely not where I expected to find them. Also used netsh portproxy for pivoting, which was cleaner than I thought it would be.
What didn't work: I initially tried to exploit CVE-2020-10189 on ManageEngine Applications Manager, but the vulnerable servlets weren't present. Tried using S4U2Self tickets for GPO abuse, but that approach hit a wall - the self-ticket couldn't be used for LDAP/SMB authentication. Had to pivot to finding the actual password instead, which led me to that MySQL database discovery.
The full domain compromise chain was satisfying - initial access, credential extraction from RDCMan settings, pivoting through machines, finding those MySQL credentials, then GPO abuse to get domain admin. Each step built on thorough enumeration of the previous step. On to Challenge 1 - Medtech next!
Update - I've now completed reading chapters 1-19 of the PEN-200 content and finished my first two lab machines. Here's the reality check: my original plan and where I actually am don't quite match up. I had this ambitious goal of crushing through all the lab machines before attempting the exam, but honestly? That's probably not happening. I'm being realistic with myself here.
I'll definitely finish reading the rest of the course material - that's non-negotiable. But I'm also being honest about where I'm at. I could be way further along than I am right now. I set some pretty high expectations for myself, thinking I could power through everything in these three months. The truth is, I've been spending a lot of time with family, soaking up every moment with my newborn and my wife, and honestly just enjoying the holidays. And you know what? I don't regret that at all. This time is precious, and I'm not going to look back and wish I'd spent less of it with them.
For the rest of this month, my plan is straightforward: finish the remaining reading content and try to knock out 3 or 4 more lab machines. I'm probably going to fail my first exam attempt - and I'm okay with that. Having this time off and three months to dive into the content has been an incredible opportunity, even if I'm not where I originally thought I'd be. Sometimes the journey teaches you more than just checking boxes, you know?
8 hours/day (split into 3-4 sessions around baby duties), 12 weeks to get this done:
The Focus: PEN-200 content. That's it. All 27 modules, all exercises, all 11 Challenge Labs. Nothing else until this is complete.
Bonus (if time permits): After finishing PEN-200 coursework, prior to taking the exam, I'll supplement with TJ Null's HTB list and Proving Grounds for extra reps before scheduling the exam.
Here's where my background comes into play. For the HTB machines (bonus phase only), I'm collecting forensic triages before and after my attack chain using Velociraptor (Windows) and UAC (Linux). This creates a dataset showing exactly what artifacts my offensive actions leave behind.
After I pass OSCP, I'll analyze these datasets to build "mock investigations" - timelines, TTPs, and artifacts from the defender's perspective. The HTB boxes become training data for DFIR.
Mac M4 workstation, containerized tools via Docker, Obsidian for notes. VPN connected to OffSec labs. Ready to grind.
Progress Tracker
PEN-200 Modules: Chapters 1-19 Complete
Challenge Labs:
| Lab | Status |
|---|---|
| Challenge 0 - Secura | Complete (12/22/2025) |
| Challenge 1 - Medtech | Not Started |
| Challenge 2 - Relia | Not Started |
| Challenge 3 - Skylark | Not Started |
| Challenge 4 - OSCP A | Not Started |
| Challenge 5 - OSCP B | Not Started |
| Challenge 6 - OSCP C | Not Started |
| Challenge 7 - Zeus | Not Started |
| Challenge 8 - Poseidon | Not Started |
| Challenge 9 - Feast | Not Started |
| Challenge 10 - Laser | Not Started |
HTB Boxes (Phase 2): 0/62
Exam Rules & Restrictions
Allowed: Nmap, Gobuster, Nikto, Burp Community, sqlmap, Hydra, John, Hashcat, Impacket, BloodHound, LinPEAS/WinPEAS, MSFvenom (unlimited)
Limited: Metasploit - ONE machine only!
Prohibited: AI chatbots, Nessus/OpenVAS, Burp Pro, auto-exploitation tools, spoofing attacks
Scoring: AD Set (40pts) + 3 Standalones (20+20+20pts) = 100 total. Need 70 to pass.
Tools & Resources
Knowledge Bases
- HackTricks - Comprehensive pentesting knowledge
- GTFOBins / LOLBAS - Abusable legitimate system binaries (living off the land)
- IppSec.rocks - Searchable HTB walkthroughs
- Exploit-DB + searchsploit
Enumeration
- Nmap, Gobuster/Feroxbuster, Nikto, enum4linux, smbmap
- DNS: dig, dnsrecon, dnsenum | SNMP: snmpwalk, onesixtyone
Privilege Escalation
- LinPEAS/WinPEAS, PowerUp.ps1, Seatbelt
- PrintSpoofer, GodPotato, JuicyPotato (token impersonation)
Active Directory
- BloodHound/SharpHound, Rubeus, Mimikatz, Impacket, CrackMapExec
DFIR (My Dual Methodology)
- Velociraptor - Windows triage
- UAC - Linux triage
Study Methodology
- Cornell Notes - Cue, notes, summary sections
- Retrieval Practice - Flashcards for command syntax
- Spaced Practice - Spread sessions, no cramming
- Feynman Technique - Explain concepts simply to find gaps
My Methodology
- Recon: nmap -p- --min-rate=1000, then -sC -sV
- Enumerate: 80% of the work. Web, SMB, DNS, SNMP...
- Exploit: Try simple things first, read exploit code
- Privesc: sudo -l, SUID, cron, services, tokens
- Document: Screenshot EVERYTHING with IP + hostname + whoami + flag
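The recon step above is a two-stage scan: a fast full-port sweep, then -sC -sV only on the ports that came back open. The helper below is an added example (not the author's own script) that parses the first stage's grepable output (nmap -oG) and builds the second-stage command; the target address and sample scan lines are constructed for the demo.

```shell
#!/bin/sh
# Two-stage recon helper (added example, not the author's script).
# Stage 1 is run as: nmap -p- --min-rate=1000 -oG stage1.gnmap <target>
# Stage 2 is built from the open ports stage 1 found.

# Read nmap -oG text on stdin and print a comma-separated list of open ports.
open_ports() {
    # Ports field looks like: Ports: 22/open/tcp//ssh///, 80/open/tcp//http///
    grep 'Ports:' | sed 's/.*Ports: //' | tr ',' '\n' \
      | awk -F/ '$2 == "open" { sub(/^ */, "", $1); print $1 }' \
      | sort -n -u | paste -sd, -
}

# $1 = target, $2 = path to the stage 1 .gnmap file.
# Prints the stage 2 command; returns 1 if no open ports were found.
stage2_cmd() {
    ports=$(open_ports < "$2")
    [ -n "$ports" ] || return 1
    printf 'nmap -sC -sV -p %s -oA stage2_%s %s\n' "$ports" "$1" "$1"
}

# Constructed sample of nmap -oG output (not real scan data); filtered port is ignored.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# Nmap scan initiated as: nmap -p- --min-rate=1000 -oG stage1.gnmap 10.0.0.5
Host: 10.0.0.5 ()  Status: Up
Host: 10.0.0.5 ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 135/filtered/tcp//msrpc///, 445/open/tcp//microsoft-ds///  Ignored State: closed (65531)
# Nmap done -- 1 IP address (1 host up) scanned
EOF

# Print the stage 2 command rather than running it, so it can be reviewed first.
stage2_cmd 10.0.0.5 "$SAMPLE"
rm -f "$SAMPLE"
```

Pipe the printed command into sh once you are happy with it; the -oA prefix keeps stage 2 output alongside the stage 1 file for the documentation step.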
Long-Term Plan (Post-OSCP)
| Phase | Timeline | Focus |
|---|---|---|
| OSCP Grind | Dec 2025 - Mar 2026 | PEN-200 + exam |
| DFIR Analysis | ~1 month post-OSCP | Process collected forensic datasets |
| HTB Sherlocks | Ongoing | DFIR-focused challenges |
| GREM Exam | TBD | Already studied - just need to schedule |
| GCFA | After GREM | Forensic Analyst certification |
This post will be updated as my journey continues. Check back for progress updates!