Hakluke’s Ultimate OSCP Guide: Part 3 — Practical hacking tips and tricks

Luke Stephens (@hakluke)
14 min readMar 31, 2018
Man walks through door with large shadow. OFFENSIVE security logo dramatically appears in a red abyss.

So, you’ve finally signed up, paid the money, waited for the start date, logged in to the VPN, and are suddenly hit in the face with a plethora of vulnerable boxes and you have no idea where to start.

This part of the guide will show the general process I tend to use when approaching a new target in the OSCP labs. This is by no means a replacement for reading the PWK manual and doing the exercises, it’s a brief overview of some major vulnerability types and a few tips. You can always refer back to this post later, using it as a cheat sheet for command syntax.


First of all, we need to know what boxes exist on the network nmap run a ping scan:

nmap -sn

The above command will test whether all machines in the subnet are alive (– You may need to change this for the lab network.

Once I have chosen a host, the first thing I always do is:

nmap -A -oA nmap $targetip

This will scan the 1024 most common ports, run OS detection, run default nmap scripts, and save the results in a number of formats in the current directory.