OSCP practice,
one technique at a time.
Make the primitives automatic before exam day. The OSCP rewards one thing under a 24-hour clock: recognising the foothold or privesc primitive fast and executing it without fumbling. PwnKata turns each PEN-200 technique into repeatable reps so recognition becomes reflex — then composes them into exam-shaped boxes and timed sprints.
The OSCP skills, as drillable reps.
Each exam area maps to a set of single-technique drills you can grind until recognition is automatic.
Linux privilege escalation
Linux Privilege Escalation →sudo, SUID, cron, capabilities, writable config — the bread-and-butter root paths.
File Capability Privilege Escalation
Linux file capabilities can grant one binary more power than intended. Drill finding and abusing that mistake.
easysudo -l Privilege Escalation
A misconfigured sudo rule is one of the most common real-world Linux privesc paths. Drill it until `sudo -l` is the first thing your fingers type.
easySUID Binary Privilege Escalation
A stray SUID bit on the wrong binary is an instant root. Drill enumerating and abusing SUID binaries until it's automatic.
easyWeb application attacks
Web Exploitation →SQLi, command injection, file upload, traversal, SSRF — the usual foothold sources.
SQL Injection: Auth Bypass
Drill authentication-bypass SQL injection by matching the payload to the query context.
easyOS Command Injection
Find where user input reaches a shell, then pick a payload form that survives the filter and response style.
mediumSSRF via URL Parameter
Make the server fetch what it shouldn't. Internal targets are simulated safely inside the drill.
mediumActive Directory
Active Directory →Kerberoasting, AS-REP roasting, and the AD set that decides many OSCP attempts.
Kerberoasting
Kerberoasting is a workflow: identify the right SPN, request the ticket, crack offline, and prove the credential works.
hardAS-REP Roasting
Find the account with Kerberos pre-authentication disabled, then turn that misconfiguration into a credential.
mediumAD Graph Enumeration Simulator
AD Graph Enumeration Simulator distilled into repeatable single-technique reps on isolated targets.
mediumEnumeration & service attacks
Network Services →Methodical service enumeration — the step that finds the way in.
SNMP Community Strings
A valid community string is only the first step. Walk the tree and identify the OID that proves impact.
easySMB Share Enumeration and Loot
SMB Share Enumeration and Loot distilled into repeatable single-technique reps on isolated targets.
easyFTP Anonymous Enumeration
FTP Anonymous Enumeration distilled into repeatable single-technique reps on isolated targets.
easyKnow you're ready — don't guess.
When the techniques feel automatic, run an Exam Sprint: a timed battery of unseen, blind items weighted to the OSCP blueprint. It returns a readiness report by skill area, so you find your weak spot here instead of in the exam.
- Blind items — identify the weakness yourself, like the real thing
- Solved-vs-attempted by skill area, with time outliers flagged
- A readiness verdict you can actually act on
Start your OSCP reps
Free to start — live isolated targets, a fresh variant every rep.
Still choosing between the two? Read the honest 2026 comparison. →