The Do-Over: Taking the OSCP exam again, 2 years later.

In 2021, I went on un expected journey and took the OSCP. 2 years later, after massive changes to the exam structure, and with the experience I acquired since then, I go over the strategy I would use if I were to take the OSCP exam again, today.

New exam, new strategy

In 2022, the OSCP exam radically changed its structure. It now incorporates Active Directory in its curriculum, which is totally commendable given the huge number of infrastructures relying on AD. However, for us, it means we need to adapt our strategy to pass the exam.

Exam structure

The exam is now structured as follows:

• 40 pts are awarded for the full compromise of the Active Directory. No points are awarded for partial compromises.
• 3 independent targets are available. On each target, 10 points are awarded when compromising a low privileged user, 10 additional points when compromising the root user.
• 10 bonus points can be obtained by submitting a report for the training exercises and lab.

A minimum score of 70/100 is still required to pass.