[Study] A 12-Week, Hands-On Study Plan for PWK/OSCP


If you’re self-studying for Offensive Security’s PWK/OSCP and you want a focused, reproducible plan that balances reading, practice, and reporting, use this post as your weekly roadmap. It assumes ~12–15 hours/week, access to Kali Linux, and a safe, legal lab environment.


Why this plan?

  • Action first. Every week ends with artifacts you can reuse (notes, checklists, and report snippets).
  • OSCP-style mindset. Enumeration discipline, timeboxing, and evidence collection from day 1.
  • Windows + Kali friendly. Works well on a Windows host with a Kali VM; integrates Dockerized targets or a VPN’d homelab.

Prerequisites

  • A virtualization setup (e.g., Kali in VirtualBox/VMware/Hyper-V; optional Windows 10/11 VM).
  • A note system (Obsidian/Notion). Create a repeatable note template: Goal → Steps → Commands → Evidence → Findings → Fix.
  • Strict adherence to legality and scope. Only attack systems you own or are explicitly authorized to test.

The 12-Week Plan (Reading → Practice → Output → Review)

Each week targets a theme. Allocate roughly: Reading 2–3h → Practice 7–9h → Output/Review 2–3h.

Week 1 — Foundations & Workflow

Goal: Set up your environment and your reporting habits.
Do:

  • Install/update Kali; create snapshot. Prepare a Windows VM if possible.
  • Create a pentest report template (executive summary, methodology, findings, proof, remediation).
  • Dry-run: capture screenshots, sanitize commands, export to PDF.

Deliverable: Your report template + a one-page “evidence capture” SOP.


Week 2 — Information Gathering I (Passive + Light Active)

Goal: Build a repeatable recon baseline.
Do:

  • WHOIS, certificate transparency, basic Google dorks.
  • DNS enum (zone transfers when allowed), nmap top-ports scan; service banner checks.

Deliverable: Recon checklist v1 (inputs → tools → expected artifacts).


Week 3 — Information Gathering II + Vulnerability Scanning

Goal: Turn recon into prioritized attack surface.
Do:

  • Structured nmap runs: fast top-ports → full TCP → service/version → NSE targeting.
  • Compare nmap NSE vs a vuln scanner (if allowed). De-duplicate and score findings.

Deliverable: “Scan to Action” rubric (how a service leads to specific attacks).
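An added example (not code from the original post) for the de-duplicate-and-score step: it parses nmap -oX output with Python's standard library, merges overlapping scans of one host, and ranks the open services by a hypothetical rubric weight. The XML documents and the weight table are constructed for illustration.

```python
import xml.etree.ElementTree as ET
# Constructed sample in nmap's -oX layout (not real scan output): a top-ports scan
# and a full-TCP scan of the same host that overlap on 22/tcp.
SAMPLE_SCANS = [
    """<nmaprun><host><address addr="10.0.0.5" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.4"/></port>
    <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.4.6"/></port>
    </ports></host></nmaprun>""",
    """<nmaprun><host><address addr="10.0.0.5" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.4"/></port>
    <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    <port protocol="tcp" portid="8080"><state state="filtered"/><service name="http-proxy"/></port>
    </ports></host></nmaprun>""",
]

# Hypothetical rubric weights per service class (unknown services get 2); a version string adds 1.
SERVICE_WEIGHT = {"http": 3, "https": 3, "microsoft-ds": 3, "ssh": 1}

def parse_open_services(xml_text):
    """Yield one dict per open port in an nmap XML document."""
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        ip = host.find("address[@addrtype='ipv4']").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # filtered/closed ports never reach the rubric
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}
            yield {"ip": ip, "proto": port.get("protocol"), "port": int(port.get("portid")),
                   "service": attrs.get("name", ""), "product": attrs.get("product", ""),
                   "version": attrs.get("version", "")}

def score(row):
    return SERVICE_WEIGHT.get(row["service"], 2) + (1 if row["version"] else 0)

def merge_scans(xml_docs):
    """De-duplicate services across scans, score them, and sort highest first."""
    seen = {}
    for doc in xml_docs:
        for row in parse_open_services(doc):
            key = (row["ip"], row["proto"], row["port"])
            # when a port repeats across scans, keep the record that carries version detail
            if key not in seen or (row["version"] and not seen[key]["version"]):
                seen[key] = dict(row, score=score(row))
    return sorted(seen.values(), key=lambda r: (-r["score"], r["port"]))

if __name__ == "__main__":
    for r in merge_scans(SAMPLE_SCANS):
        print(f'{r["ip"]}:{r["port"]}/{r["proto"]} {r["service"]} {r["version"]} score={r["score"]}')
```

Swap in your own weights and the ranked list becomes the first column of the "Scan to Action" rubric.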


Week 4 — Web Fundamentals & Tooling

Goal: Establish a web testing pipeline.
Do:

  • Fingerprint the tech stack; pick wordlists; run content discovery (gobuster, ffuf).
  • Burp Suite pipeline: Proxy → Repeater → Intruder; session handling, logging.

Deliverable: Burp reusable profile + wordlist policy.


Week 5 — Common Web Attacks (File Handling, LFI/RFI, Cmd Injection)

Goal: Land at least two web shells across two targets.
Do:

  • Practice upload bypasses (extension, MIME, magic bytes).
  • LFI/RFI → log poisoning → RCE chains; command injection findings to privileged execution.

Deliverable: Web Attack Playbook v1 (payloads + preconditions + proof steps).


Week 6 — SQL Injection (Error/Union/Boolean/Time-based)

Goal: Master hand-crafted and automated flows.
Do:

  • One target by manual SQLi (enumerate DB, dump creds, pivot to file/RCE).
  • One target by sqlmap; compare false positives and operational risk.

Deliverable: SQLi decision tree (detection → extraction → code exec → persistence).


Week 7 — Client-Side & AV Evasion (Awareness + Minimal Lab)

Goal: Understand the attack surface; practice only in controlled labs.
Do:

  • Office macro PoC in an isolated VM.
  • Memory-only execution PoC to learn telemetry and controls.

Deliverable: Risk/Compliance checklist (what not to do in exam environments).


Week 8 — Passwords & Hashes (Cracking, Relaying, Passing)

Goal: Build your credential attack toolkit.
Do:

  • Compile a custom ruleset and mask strategies; weigh GPU/CPU trade-offs.
  • Practice NTLM/Net-NTLMv2 capture (legal lab) → crack → reuse (relay/PTH/PTT where appropriate).

Deliverable: Curated dictionaries + rules + a quick “choose-this-attack-when…” table.


Week 9 — Privilege Escalation (Linux & Windows)

Goal: Turn initial footholds into SYSTEM/root reliably.
Do:

  • Scripted enumeration (e.g., linpeas, winPEAS; plus manual checks).
  • Practice 3+ Linux and 3+ Windows paths: SUID/sudo misconfigs, service abuse, scheduled tasks, kernel CVEs.

Deliverable: Priv-Esc cheat sheet (indicator → exploit path → command blocks).


Week 10 — Tunneling, Port Forwarding, and Metasploit

Goal: Reach hidden services and pivot safely.
Do:

  • ssh local/remote/dynamic forwarding; socat single-hop and multi-hop; HTTP/DNS tunnels (e.g., chisel, dnscat2) in lab.
  • Metasploit for enumeration/auxiliary and controlled post-exploitation (mind OSCP usage rules).

Deliverable: Pivot runbook with ASCII topology and one-liners.


Week 11 — Active Directory: Enum → Auth Attacks → Lateral Movement

Goal: Build the AD kill-chain muscle memory.
Do:

  • BloodHound/SharpHound graphing; PowerView enumeration.
  • Execute at least one: AS-REP roast, Kerberoast, constrained delegation abuse (lab).
  • Lateral movement: WMI, WinRM, or PsExec; then small persistence demo (lab).

Deliverable: AD “battle card” (fields to capture, common paths, detection considerations).


Week 12 — End-to-End Simulation & Exam Prep

Goal: Full chain from external entry to DA/root (in a legal lab) with a production-quality report.
Do:

  • Time-box enumeration/exploitation; switch targets decisively when stuck.
  • Produce a complete penetration test report with evidence, reproduction steps, and remediation guidance.

Deliverable: Final report + personal exam game plan.


Milestones (Self-Checks)

  • End of Week 4: Close a full Recon → Web foothold loop and write a brief report section.
  • End of Week 8: Demonstrate one Windows and one Linux stable priv-esc chain with clean notes.
  • End of Week 10: Show a working pivot across subnets and describe traffic flow.
  • End of Week 12: One end-to-end compromise + final report at “client-ready” standard.

Your Core Toolkit (suggested)

  • Recon/Scanning: nmap, amass/assetfinder (where allowed), whatweb, httpx, ffuf/gobuster.
  • Web: Burp Suite (Proxy/Repeater/Intruder), payload lists, wordlists.
  • Creds: hashcat/john, cewl, rsmangler, rules/masks.
  • Windows/AD: PowerView/SharpHound/BloodHound, Impacket, CME (CrackMapExec).
  • Tunneling/Pivoting: ssh (L/R/D), socat, chisel, dnscat2.
  • Post-exploitation: (As permitted) Metasploit auxiliary/post modules; living-off-the-land where possible.
  • Note-Taking & Reporting: Obsidian/Notion + your report template; screenshot SOP.

Timeboxing & Evidence Discipline (OSCP Mindset)

  • Stop the spiral. Hard cap enumeration per host/port. If no movement, switch.
  • Evidence first. Pop a shell → screenshot proof → stabilize access → document commands → only then explore.
  • Repeatability. Always be able to rebuild an attack path from your notes and one-liners.

Bonus: Reusable Checklists

Daily Quick Start

  • Restore clean Kali snapshot
  • Update tools/wordlists if needed
  • Review yesterday’s blockers → pick a fresh target

Per-Target Flow

  • Recon baseline (DNS/ports/services)
  • Hypotheses → top 3 attack paths
  • Exploit attempt(s) with time caps
  • Priv-esc pathway(s)
  • Lateral/pivot (if applicable)
  • Evidence + notes + cleanup

Tips for the Final Stretch

  • Run two full 24-hour simulations with strict timeboxing and reporting.
  • Prepare a one-page exam playbook: host prioritization, Metasploit usage constraints, proof capture commands, and fallback strategies.
  • Sleep, hydrate, and keep snacks within reach. Clarity beats panic.

Adaptation Notes (Windows Host + Kali + Homelab/VPN)

  • Use a Windows host with Kali VM; add a Windows VM to practice client-side and AD.
  • For a portable lab, spin up Dockerized targets on a small server or your NAS.
  • If you maintain a WireGuard or similar VPN, segment subnets to safely practice pivoting without touching your home LAN.

Wrap-Up

This plan gives you a cadence that compounds: each week you bank checklists, wordlists, payloads, and report fragments. By Week 12, you’re not only exam-ready—you’ve built a personal playbook you can reuse in real engagements.