Documentation Index
Fetch the complete documentation index at: https://rootea.es/llms.txt
Use this file to discover all available pages before exploring further.
OSCP Roadmap — curated machines
Editorial list of 30 machines ordered by difficulty and vector type, designed to reach the OSCP with the muscle trained. If you own these, the exam won’t surprise you.Block 1 — Fundamentals (10 machines, all easy Linux/Windows)
Basic vectors: enumeration, classic buffer overflow, LFI/RFI, SMB.| # | Machine | OS | Why |
|---|---|---|---|
| 1 | Lame | Linux | First step: enumerate and attack SMB. |
| 2 | Legacy | Windows | MS17-010 without having to fight it. |
| 3 | Devel | Windows | Anonymous FTP + ASPX upload. Classic. |
| 4 | Beep | Linux | Multiple LFI paths, forces enumeration. |
| 5 | Optimum | Windows | HFS RCE + kernel exploit privesc. |
| 6 | Bashed | Linux | phpbash + cron abuse. Two gems. |
| 7 | Shocker | Linux | Real Shellshock, not in the lab. |
| 8 | Blue | Windows | EternalBlue to warm up the hand. |
| 9 | Mirai | Linux | Default credentials + USB forensics. |
| 10 | Granny | Windows | WebDAV upload + Windows privesc. |
Block 2 — Active Directory (10 machines)
The modern OSCP weighs heavily on AD. If this trips you up, you fail.| # | Machine | OS | Why |
|---|---|---|---|
| 11 | Active | Windows | GPP + basic Kerberoasting. The intro to AD. |
| 12 | Sauna | Windows | AS-REP Roasting + autologon. |
| 13 | Forest | Windows | Full AD: BloodHound + DCSync. |
| 14 | Resolute | Windows | DnsAdmins + DLL hijacking. |
| 15 | Monteverde | Windows | Azure AD Connect, less common vector. |
| 16 | Cascade | Windows | LDAP + credential decryption. |
| 17 | Intelligence | Windows | DNS dynamic update + delegation. |
| 18 | Blackfield | Windows | Advanced Kerberoasting + shadow credentials. |
| 19 | Search | Windows | Exhaustive AD enum, almost like an exam. |
| 20 | Acute | Windows | PowerShell Web Access + complex AD chain. |
Block 3 — Heavy web (5 machines)
The exam’s web points often decide pass or fail.| # | Machine | OS | Why |
|---|---|---|---|
| 21 | Bountyhunter | Linux | Classic XXE, well explained. |
| 22 | Knife | Linux | PHP backdoor RCE, easy but fast. |
| 23 | Schooled | Linux | Full Moodle chain. |
| 24 | Validation | Linux | SQLi to RCE via INTO OUTFILE. |
| 25 | Backendtwo | Linux | API enum + JWT abuse. |
Block 4 — Linux privesc (5 machines)
Sudo, SUID, capabilities, kernel.How to use this roadmap
- Don’t skip blocks. Block 2 (AD) assumes you’ve warmed up on basic Linux and Windows.
- Time yourself. If a machine takes more than 4h without hints, read the writeup and move on. The goal is patterns, not pride.
- Take notes. A solved machine yields 1-2 pages of personal notes; without notes, you’ll review it in 3 weeks and won’t remember.
- After each block: re-do a machine from the previous block without hints. If you stumble, repeat it.
This roadmap is opinionated and editorial. If you think a machine
is missing or one shouldn’t be there, open a PR against
docs/en/roadmap-oscp.mdx.