90-Day OSCP Week-by-Week Roadmap

Weeks 1–3 – Reconnaissance Depth, Buffer Overflow Internals & Cross-OS Enumeration

Track 1 – Reconnaissance Mastery

Passive Recon: amass, subfinder, crt.sh, ASN mapping, CDN bypass via DNS history, Shodan/Censys correlation.
Active Recon: Nmap deep scans (service-specific NSE scripts, stealth timing), banner grabbing, full TCP/UDP sweep.
Technology Fingerprinting: Wappalyzer CLI, testssl.sh, HTTP header analysis, favicon hash matching.
Recon Data Management: Organize with Obsidian mind maps, categorize assets for future exploitation.

Track 2 – Windows Buffer Overflow

Stack-based buffer overflow: manual fuzzing, offset finding with Mona, shellcode generation with msfvenom.
SEH exploitation: Structured Exception Handler chaining, bad character analysis, DEP/ASLR bypass.
ROP chain basics: Gadget hunting via ROPgadget, chaining for VirtualProtect calls.
AV Evasion: Custom encoding, polymorphic shellcode patterns.

Track 3 – Client-Side Exploitation

Malicious DOC/XLS with macro payloads, HTML smuggling, HTA backdoors.
Multi-stage payloads: Stage 1 macro → Stage 2 stager → Stage 3 C2.
BeEF hook injection in phishing campaigns.

Track 4 – Cross-OS Enumeration

Linux: enum4linux-ng, NFS/RPC enumeration, SSH key discovery.
Windows: SMB null sessions, RPCclient SID brute-forcing, user hunting.
Mixed: Banner analysis to determine patch levels.

Weeks 4–6 – Advanced Web Exploitation & Linux Exploit Development

Track 1 – Web Application Exploitation

SQL Injection (SQLi)
- Manual exploitation: UNION-based extraction, error-based techniques with ORDER BY/GROUP BY checks.
- Blind boolean & time-based SQLi using payload tuning and sqlmap tamper scripts for WAF bypass.
- Privilege escalation via SQLi to OS-level commands (e.g., xp_cmdshell, LOAD_FILE).
Cross-Site Scripting (XSS)
- Stored, reflected, DOM-based injection in modern JS frameworks.
- Cookie theft, CSRF token stealing, and session hijacking using iframe/domain bypass tricks.
File Upload Exploits
- Bypassing extension filtering with .php%00.jpg, MIME-type tampering.
- Polyglot payloads (image + PHP shell), race conditions during upload validation.
Local/Remote File Inclusion (LFI/RFI)
- Log poisoning with PHP/Apache/Nginx access logs for code execution.
- php://filter wrapper for base64 decoding and code injection.
- Payload delivery via EXIF metadata injection in uploaded images.
Server-Side Request Forgery (SSRF)
- Accessing restricted admin panels, internal APIs, or metadata endpoints (169.254.169.254).
XML External Entity (XXE)
- Local file disclosure, internal port scanning, and OOB data exfiltration via Burp Collaborator.

Track 2 – Linux Exploit Development

Binary Security Checks
- Analyzing protections with checksec, identifying NX, PIE, RELRO status.
Stack Smashing Attacks
- ret2libc exploitation for shell spawning.
- Stack pivoting to custom shellcode stored in controlled memory.
Heap Exploitation
- Unsafe unlink, fastbin duplication for arbitrary write.
Kernel Exploitation Basics
- Identifying kernel version, mapping against CVEs, adapting public PoCs for environment.
Writing Privilege Escalation Exploits in C
- Crafting minimal local root exploits for known kernel vulnerabilities.

Track 3 – Practice Platforms

HackTheBox: Medium–Hard tier machines focusing on web + Linux exploitation.
Proving Grounds: Intermediate boxes with manual exploitation approach.
Avoid using Metasploit for initial foothold — rely on custom scripts, manual exploitation, and alternative tools to simulate OSCP exam conditions.

Weeks 7–9 – Privilege Escalation, AD Exploitation & Pivoting

Track 1 – Windows Privilege Escalation

Misconfigured Services: Service binary replacement, weak service permissions, executable path hijacking.
Unquoted Service Paths: Leveraging spaces in file paths to execute malicious binaries.
Registry Permission Abuse: Exploiting weak ACLs on registry keys for privilege escalation.
Token Impersonation: Juicy Potato, Rogue Potato, PrintSpoofer for SYSTEM-level access.
UAC Bypass Techniques: Exploiting CVE-2019-1388 and similar privilege escalation vulnerabilities.

Track 2 – Linux Privilege Escalation

SUID Binary Exploitation: Identifying and abusing misconfigured SUID binaries; using GTFOBins for known exploits.
Cron Job Exploitation: Abusing writable scripts or PATH misconfigurations in scheduled tasks.
PATH Hijacking: Placing malicious executables earlier in PATH to intercept legitimate calls.
Kernel Exploits: Exploiting Dirty COW (CVE-2016-5195), Dirty Pipe (CVE-2022-0847) for root access.
Capabilities Abuse: Exploiting cap_net_bind_service, cap_sys_admin for privilege escalation.

Track 3- Active Directory Attacks

Enumeration
- BloodHound, SharpHound
- PowerView for legacy systems
Authentication Abuse
- Kerberoasting, ASREPRoasting, silver/golden tickets
- DC impersonation & credential dumping

Lateral Movement
- WMI, WinRM, DCOM
- Pass-the-Hash, Overpass-the-Hash
Persistence
- Golden Tickets, shadow copy abuse
Final Lab Work
- Public → Internal pivot → Domain Controller takeover

Track 4 – Pivoting & Tunneling

SSH Dynamic Port Forwarding: Using ssh -D for SOCKS5 proxy creation to route traffic through compromised hosts.
SOCKS Proxying: Configuring proxychains or tsocks to tunnel tools through a pivoted connection.
Chisel HTTP Tunnels: Deploying Chisel for HTTP/WebSocket-based tunneling to bypass firewall restrictions.
Multi-Hop Pivot Chains: Chaining multiple pivots (Host → Jump Box → Internal Target) for deep network access.
VLAN Hopping Techniques (Lab): Simulating and exploiting VLAN misconfigurations (double tagging, switch spoofing) in a controlled lab environment.

Weeks 10–12 – Full-Chain Attacks, Exam Simulation & Documentation

Track 1 – Metasploit

Auxiliary Scanning: Leveraging Metasploit’s auxiliary modules for service discovery, vulnerability scanning, and environment profiling.
Post-Exploitation Modules: Gathering credentials, pivoting, establishing persistence, and exfiltrating data post-compromise.
Custom Payload Crafting: Building tailored payloads (staged and non-staged) for evasion and compatibility.
Multi-Handler Orchestration: Managing multiple sessions simultaneously across different targets.
Resource Script Automation: Automating exploitation workflows and repetitive tasks with .rc scripts.

Track 2 – Exam Simulations

Simulation 1: 5 machines in a 24-hour session:
- 1× Buffer Overflow (manual exploitation)
- 1× Linux Privilege Escalation target
- 1× Active Directory pivot chain
- 1× Web-heavy exploitation scenario
- 1× Mixed-service box with multi-vector attack surface
Simulation 2: Achieve all footholds in 6 hours, then complete privilege escalations afterwards under timed conditions.

Track 3 – Documentation

OSCP PDF Report Writing: Clear, concise documentation adhering to OffSec format.
Screenshots & Evidence: Annotated captures of each exploitation step.
Step-by-Step Commands: Exact commands used, including variations and outputs.
CVSS Scoring: Assigning severity scores to each finding.
Remediation Advice: Providing actionable, security-focused solutions for each vulnerability exploited

Track 4 – Final Review

Re-pwn all lab machines from memory.
Cheatsheet finalization.
Sleep & nutrition planning for exam.
Additional Skills You’ll Need to Learn Thoroughly
While this roadmap covers the OSCP syllabus, certain areas require deeper and more focused study to truly master:
- Mastering tool-switching under pressure without losing track of your attack chain.
- Building multi-hop pivoting labs and troubleshooting tunneling issues in complex networks.
- Writing and modifying exploits for different OS versions, architectures, and compiler protections.
- Practicing time-efficient enumeration so you can identify and prioritize high-value targets quickly.
- Performing chained attacks (e.g., LFI → SSRF → internal service RCE → pivot → domain takeover) until they become second nature.
- Developing a structured note-taking and reporting habit that supports both the exam and real-world pentests.