OSCP-like Practice Machines for PEN-200 and OSCP

LainKusanagi list of OSCP like machines

Whoami
What is this list for
Practice platforms for OSCP-like machines
HackTheBox
TryHackMe
HackSmarter
Proving Grounds Practice
VulnLab
The real OSCP like boxes
Post-OSCP Red Teaming Machines
New platform notes

---

What is this list for

Before and while doing PEN 200 course and after failing my first attempt I completed multiple machines in multiple hacking platforms.
I did all the PEN 200 course along with all the challenge labs that where introduced in the 2023 version of the PEN 200 (including the challenge lab network other people skip).
I failed my first attempt with 60 points and then passed my second attempt with 90 points. I experienced completely different exam sets in each attempt.
I also did the challenge labs added on October 2024 before my learn one subscription ended.
All of this experience gave me a good sense of what is OffSec style of boxes and what is important to know in the exam
Have feedback or suggestions? Let me know here:
https://x.com/unknownseeker99
https://www.reddit.com/user/JosefumiKafka/
https://www.linkedin.com/in/luis-moret-4a42ab246/
This is a list of machines I consider good for practice before doing the PEN 200 course, challenge labs and OSCP exam however this is not a replacement for the actual course and I recommend you to go through all of the course, exercises and challenges before attempting the exam.
The machines in this list were selected because either they teach important techniques and concepts found in the course and labs, have similar style to machines made by OffSec or were in a way crucial to helping me develop my methodology and help me pass my exam.
This list overlaps a lot with the famous TJ Null list however it also filters out boxes that may be too outside of the scope of the PEN 200 and OSCP exam and includes boxes from other hacking platforms such as Tryhackme and VirtualHackingLabs, still I added some boxes in this list that may have elements harder than OSCP but I believe are worth doing as they may have some other aspect that is crucial to know and practice
Support me: https://buymeacoffee.com/lainkusanagi
Useful forks made by the community (I do not maintain these forks so they may not reflect latest changes):
List with difficulty ratings made by Jubba402 https://docs.google.com/spreadsheets/d/13YoNQuY6HC5ot-lZiX2tY9pR5mvwnp3xV6lHs78DlqQ/
Study tracker combining this list and TJ Null list with difficulty ratings made by Obeyeater https://docs.google.com/spreadsheets/d/1nzEN0G6GzneWCfs6qte6Qqv-i8cV_j6po-tFlZAOx1k/

Hackthebox Tryhackme

Start learning to Try harder here. Don’t fully skip hackthebox some boxes have important concepts that are rare even in PG practice like SNMP and Keepass also AD ones are pretty good practice even if harder than OSCP in some ways. At the very least watch ippsec videos and take notes.

More guided and friendly approach for some rooms but still great boxes and rooms for prep. Active Directory ones here are very good practice for the OSCP.

Linux Windows Active Directory and Networks Linux Windows Active Directory and Networks
Other recommended rooms
Sea Markup
Active
Mr Robot
Year of the Owl
Attacktive Directory
Red Teaming
Learning Path
Blunder
Aero
Forest
Grep (OSINT)
Blaster
Attacking Kerberos
Cyber Defense Learning Path
Solidstate
Weasel
Wreath
Network
OhSINT
Delivery
Atom
Cascade
Hack Smarter Security
Corp
Perfection
Compiled
Monteverde
Reset
Alert
Acute
Blackfield
Vulnnet: Active
Sniper
Fuse
Enterprise
Luke
Visual Return
Ledger
Trickster
Giddy
Timelapse
Cat
Control
StreamIO
Backfire
Heist
Flight
Cypher
Worker
Office
Gofer
Freelancer
Blazorized
Authority
Manager
Escape
BankSmarter
Slayer
ShareThePain
Scrambled
Ascension
Evasive
Sysco
Resolute
Talisman
Mantis
AWS (Wip)
Reel
Building
Magic
Epsilon
Outdated
PivotSmarter (small network)
Gobox
Certified (Assumed breach)
Arasaka
Bucket
Welcome
Stacked
Vintage (Assumed Breach)
Sink
Search
Networks:
Axlle
Anomaly (harder)
Hospital (Windows/Linux)
EscapeTwo (Assumed breach)
TheFrizz
Haze
Scepter
Puppy (Assumed breach)
Certificate
TombWatcher
RustyKey (Assumed breach)
Infiltrator
Mirage
Anubis
Nanocorp
ProLabs:
Zephyr
Proving Grounds Practice VulnLab
Linux Windows Windows Active Directory Linux Windows Active Directory and Networks
Postfish
Kevin
Forgotten
Escape
Baby
Thor
Butch
Resourced
Down
Job Baby2
Megavolt
Craft
Nagoya
Bamboo
Job2
Breach
Craft2
Hokkaido
Lock
Phantom
Hepet
Heist
Media Sweep
Vector
Nara
Delegate
Symbolic
Vault
Sendai
Monster
Hutch
Retro
Shibuya
AWS (Not in the exam)
Walla
Monster
Pathway
Cockpit
AuthBy
Anomaly (harder)
Escape Baby
Trickster
Giddy
Timelapse
Cat
Control
StreamIO
Backfire
Heist
Flight
Cypher
Worker
Office
Gofer
Freelancer
Blazorized
Authority
Manager
Escape
BankSmarter
Slayer
ShareThePain
Scrambled
Ascension
Evasive
Sysco
Resolute
Talisman
Mantis
AWS (Wip)
Reel
Building
Magic
Epsilon
Outdated
PivotSmarter (small network)
Gobox
Certified (Assumed breach)
Arasaka
Bucket
Welcome
Stacke d
Vintage (Assumed Breach)
Sink
Search
Networks:
Axlle
Anomaly (harder)
Hospital (Windows/Linux)
EscapeTwo (Assumed breach)
TheFrizz
Haze
Scepter
Puppy (Assumed breach)
Certificate
TombWatcher
RustyKey (Assumed breach)
Infiltrator
Mirage
Anubis
Nanocorp
ProLabs:
Zephyr
Proving Grounds Practice VulnLab
Linux Windows Windows Active Directory Linux Windows Active Directory and Networks
Postfish
Kevin
Forgotten
Escape Baby
Trickster
Trickster
etc.

The bottom lines enumerate a large variety of platforms and rooms across HackTheBox, TryHackMe, VulnLab, and ProLabs with many named targets; this section is a living, evolving list of OSCP-like practice targets used to build methodology and familiarity with exam-style challenges.

The following list captures a representative set of machines and rooms that are consistently cited as OSCP-like practice targets across platforms, including: Sea Markup, Mr Robot, Year of the Owl, Attacktive Directory, Red Teaming paths, and many other rooms and labs that emphasize technique, enumeration, privilege escalation, and post-exploitation concepts.

This list also notes that many targets from the Hack Smarter and Proving Grounds ecosystems have been integrated into broader prep curricula and serve as a bridge to more advanced red teaming techniques.

Additional references include resources and learning paths on malware research, AD abuse, C2 concepts, MSSQL, OSINT, and client-side attack vectors, which help in broadening exposure beyond OSCP-only content.

For those who want to support creators or explore further, there are options to donate or follow the author on social platforms and community forks. These are optional and provided for context only.

The overall aim of this section is to present a curated, practical set of environments that simulate real-world tiered networks and modern Windows/Linux/AD topologies commonly encountered on OSCP-style assessments and red-team exercises.

---

HackTheBox

The OSCP-like practice list includes a mix of HackTheBox-owned and community-curated environments. Boxes are selected for their relevance to enumeration, privilege escalation, post-exploitation, and lateral movement, with a preference for scenarios that resemble real-world corporate networks and AD structures.

Boxes commonly cited within the OSCP prep community include scenarios emphasizing Windows/AD, Linux privilege escalation, network pivots, and common misconfigurations.
The HackTheBox ecosystem provides a wide array of labs, retired boxes, and challenges that complement PEN-200 topics and OSCP exam-style tasks.
The list notes that some boxes may be outside the typical OSCP scope, but they offer valuable skills that reinforce core OSCP concepts and red-team strategies.

---

TryHackMe

TryHackMe is highlighted as a valuable source for practice rooms that mirror OSCP-like workflows, especially for topics such as AD, Kerberos, cryptography challenges, and network discovery. Boxes on TryHackMe may vary in difficulty but often provide structured learning paths suitable for progressive mastery.

Notable rooms and tracks emphasize practical attack chains, lateral movement, and defense concepts that align with OSCP exam preparation.
The list recommends watching security-focused content creators (e.g., ippsec) for additional context and notes.

---

HackSmarter

Hack Smarter is presented as a newer platform with a growing catalog of rooms and paths focused on red-team techniques, network exploitation, and enterprise network simulations. The list includes references to rooms and labs that help build skills in Active Directory abuse, pivoting, credential access, and post-exploitation.

The community contributions include curated sections for Windows, Linux, and AD labs, with emphasis on practice for OSCP-like exams and red-team concepts.
The list also references updates and additions to Hack Smarter labs across various dates, indicating an actively evolving prep environment.

---

Proving Grounds Practice

This section highlights Proving Grounds Practice as a source of practice machines and labs that simulate real-world networks and corporate environments. It emphasizes practice for privilege escalation, credential access, and network pivots across mixed platforms (Linux/Windows).

The practice labs include a combination of OSCP-like targets and more advanced scenarios that align with red-team thinking.
Boxes and labs are frequently updated with new content to reflect evolving attack surfaces and techniques.

---

VulnLab

VulnLab is described as a platform focusing on red-team style labs and vulnerability exploitation practice. It includes rooms and labs that cover Windows, Linux, and AD-related topics, with scenarios ranging from basic enumeration to sophisticated privilege escalation.

The VulnLab ecosystem is closely integrated with Hack The Box and Hack Smarter, providing additional fusion opportunities for cross-platform practice.
The content notes that VulnLab boxes often require creative problem solving and multi-staged exploitation chains.

---

The real OSCP-like boxes (overview)

The list emphasizes boxes that closely resemble OSCP exam challenges, including a focus on practical enumeration, vulnerability analysis, and post-exploitation techniques. It also notes the intention to filter out boxes that are primarily designed for OSEP or OSED that sit outside the OSCP exam scope. The aim is to retain boxes that offer realistic OSCP-like experiences while excluding boxes that are too advanced or not aligned with PEN-200/OSCP objectives.

Examples and categories include boxes and scenarios centered on privilege escalation, client-side attacks, and internal network movements.
The list acknowledges that some boxes may be harder but still valuable for advanced study and method development.

---

New platform notes

Acknowledges ongoing platform development within the Hack Smarter ecosystem and the addition of boxes and rooms that are considered valuable for OSCP-like practice.
The community-contributed updates include the addition of new targets, as well as re-classification of rooms to reflect their relevance to OSCP-style practices.
The list is intended to remain a living document that evolves with new labs, tracks, and practice opportunities across multiple platforms.

---

Post-OSCP Red Teaming Machines

Whoami

What is this list for

Aside from OSCP I have also done Active Directory and Red Teaming related certifications such as PNPT, CRTP and CRTO. I also like to research about malware and evasion and post it on my Medium: https://medium.com/@luisgerardomoret_69654
This is a list for those interested in Red Teaming related topics that go beyond the scope of the OSCP such as more advanced Active Directory techniques, OSINT, Evasion, Command and Control, Client side attacks, MSSQL and other related topics. A lot of these topics and certifications i've taken overlap with topics covered in PEN-300 (OSEP) and this list may be used as preparation for it but this list is not meant to be only for OSEP it is for those interested in Red Teaming in general and goes beyond the contents of Red Teaming certifications.

Hackthebox Tryhackme
Linux Windows Active Directory and Networks Linux Windows Active Directory and Networks
Other recommended rooms
ScriptKiddie
Querier
Sauna
Mr Robot
Year of the Owl
Attacktive Directory
Red Teaming Learning Path
Blunder
Aero
Forest
Grep (OSINT)
Blaster
Attacking Kerberos
Cyber Defense Learning Path
Solidstate
Mailing Intelligence Weasel Wreath Network OhSINT
Delivery Atom Cascade Hack Smarter Security Corp
Perfection Compiled Monteverde Reset
Alert Acute Blackfield Vulnnet: Active
Mailroom Sniper Fuse Enterprise
Luke Visual Return Ledger
Trickster Giddy Timelapse
Cat Control StreamIO
Backfire Heist Flight
Cypher Worker Office
Gofer Freelancer
Blazorized HackSmarter
Authority Manager
Escape BankSmarter
Slayer ShareThePain
Scrambled Ascension Evasive Sysco
Resolute Talisman Mantis
AWS (Wip) Reel
Building Magic
Epsilon Outdated PivotSmarter (small network)
Gobox Certified (Assumed breach) Arasaka
Bucket Administrator (Assumed breach) Welcome
Stacked Vintage (Assumed Breach)
Sink Search Networks:
Axlle Anomaly (harder)
Hospital (Windows/Linux)
EscapeTwo (Assumed breach)
TheFrizz
Haze
Scepter
Puppy (Assumed breach)
Certificate
TombWatcher
RustyKey (Assumed breach)
Infiltrator
Mirage
Anubis
Nanocorp
ProLabs:
Zephyr
Proving Grounds Practice VulnLab
Linux Windows Windows Active Directory Linux Windows Active Directory and Networks
Postfish Kevin Access Forgotten Escape Baby
Thor Butch Resourced Down Job Baby2 Megavolt Craft Nagoya Bamboo Job2 Breach
Craft2 Hokkaido Lock Phantom
Hepet Heist Media Sweep
Vector Nara Delegate
Symbolic Vault Sendai Monster Hutch Retro
Compromised Kyoto (has Buffer overflow) Retro2
Bruno
Lustrous2
Shibuya
AWS Chains:
Pathway Trusted
Reflection
Hybrid
Lustrous
Heron (Assumed breach)
Tengu
Puppet (Assumed breach with C2)
Red Teaming Labs:
Ifrit

The OSCP-like hardening by red team research includes many more rooms and labs spanning Linux, Windows, and AD topologies, with a focus on realistic enterprise networks. The list is intended to help learners practice detection, privilege escalation, lateral movement, and post-exploitation techniques relevant to Red Team engagements and OSCP-style labs.

---

LainKusanagi list of Post-OSCP Red Teaming Machines

Overview
Practice platforms referenced
Red Teaming topics covered
Selected boxes and rooms
Notable mentions

---

Overview

Aside from OSCP I have also done Active Directory and Red Teaming related certifications such as PNPT, CRTP and CRTO. I also like to research about malware and evasion and post it on my Medium: https://medium.com/@luisgerardomoret_69654
This is a list for those interested in Red Teaming related topics that go beyond the scope of the OSCP such as more advanced Active Directory techniques, OSINT, Evasion, Command and Control, Client side attacks, MSSQL and other related topics. A lot of these topics and certifications i've taken overlap with topics covered in PEN-300 (OSEP) and this list may be used as preparation for it but this list is not meant to be only for OSEP it is for those interested in Red Teaming in general and goes beyond the contents of Red Teaming certifications.

Practice platforms referenced

Hackthebox, Tryhackme, VulnLab, ProLabs, Proving Grounds, AWS, and other labs are cited as practical sources for deepening red-teaming capabilities and AD abuse scenarios. The list emphasizes a mix of platforms to broaden exposure to different lab topologies and attack surfaces.

Red Teaming topics covered

Topics include Active Directory abuse, Kerberos attacks, credential access, lateral movement, C2, OSINT, and post-exploitation chains. The material notes that many topics align with PEN-300 (OSEP) and extend beyond OSCP scope.

Selected boxes and rooms

The collection enumerates numerous rooms on HackTheBox, TryHackMe, VulnLab, and ProLabs focusing on AD mastery, privilege escalation, network pivoting, and enterprise scenario simulations. Names include Sea Markup, Mr Robot, Year of the Owl, Attacktive Directory, Red Teaming Learning Path, and many others across multiple platforms.

Notable mentions

It highlights the value of including dedicated rooms for AD abuse, phishing simulations, credential harvesting, and network service exploitation while filtering out boxes aimed strictly at OSEP or unrelated advanced topics.

---

Additional notes and resources

The document acknowledges the evolving nature of OSCP-like prep resources and red-team labs, with frequent updates to paths, rooms, and challenges.
For readers seeking to explore beyond OSCP boundaries, the collection provides guidance on AD theory, incident response concepts, and red-team lifecycle stages across platforms.
The author shares social links and community resources to connect with like-minded learners and contributors.

---

LainKusanagi list of OSCP like machines

Whoami
What is this list for
Practice platforms for OSCP-like machines
HackTheBox
TryHackMe
HackSmarter
Proving Grounds Practice
VulnLab
The real OSCP like boxes
Post-OSCP Red Teaming Machines
New platform notes

---

Whoami

LainKusanagi list of OSCP like machines

What is this list for

Before and while doing PEN 200 course and after failing my first attempt I completed multiple machines in multiple hacking platforms.
I did all the PEN 200 course along with all the challenge labs that where introduced in the 2023 version of the PEN 200 (including the challenge lab network other people skip).
I failed my first attempt with 60 points and then passed my second attempt with 90 points. I experienced completely different exam sets in each attempt.
I also did the challenge labs added on October 2024 before my learn one subscription ended.
All of this experience gave me a good sense of what is OffSec style of boxes and what is important to know in the exam
Have feedback or suggestions? Let me know here:
https://x.com/unknownseeker99
https://www.reddit.com/user/JosefumiKafka/
https://www.linkedin.com/in/luis-moret-4a42ab246/
This is a list of machines I consider good for practice before doing the PEN 200 course, challenge labs and OSCP exam however this is not a replacement for the actual course and I recommend you to go through all of the course, exercises and challenges before attempting the exam.
The machines in this list were selected because either they teach important techniques and concepts found in the course and labs, have similar style to machines made by OffSec or were in a way crucial to helping me develop my methodology and help me pass my exam.
This list overlaps a lot with the famous TJ Null list however it also filters out boxes that may be too outside of the scope of the PEN 200 and OSCP exam and includes boxes from other hacking platforms such as Tryhackme and VirtualHackingLabs, still I added some boxes in this list that may have elements harder than OSCP but I believe are worth doing as they may have some other aspect that is crucial to know and practice
Support me: https://buymeacoffee.com/lainkusanagi
Useful forks made by the community (I do not maintain these forks so they may not reflect latest changes):
List with difficulty ratings made by Jubba402 https://docs.google.com/spreadsheets/d/13YoNQuY6HC5ot-lZiX2tY9pR5mvwnp3xV6lHs78DlqQ/
Study tracker combining this list and TJ Null list with difficulty ratings made by Obeyeater https://docs.google.com/spreadsheets/d/1nzEN0G6GzneWCfs6qte6Qqv-i8cV_j6po-tFlZAOx1k/

Hackthebox Tryhackme

More guided and friendly approach for some rooms but still great boxes and rooms for prep. Active Directory ones here are very good practice for the OSCP.

Linux Windows Active Directory and Networks Linux Windows Active Directory and Networks
Other recommended rooms
Sea Markup
Active
Mr Robot
Year of the Owl
Attacktive Directory
Red Teaming
Learning Path
Blunder
Aero
Forest
Grep (OSINT)
Blaster
Attacking Kerberos
Cyber Defense Learning Path
Solidstate
Weasel
Wreath
Network
OhSINT
Delivery
Atom
Cascade
Hack Smarter Security
Corp
Perfection
Compiled
Monteverde
Reset
Alert
Acute
Blackfield
Vulnnet: Active
Sniper
Fuse
Enterprise
Luke
Visual Return
Ledger
Trickster
Giddy
Timelapse
Cat
Control
StreamIO
Backfire
Heist
Flight
Cypher
Worker
Office
Gofer
Freelancer
Blazorized
Authority
Manager
Escape
BankSmarter
Slayer
ShareThePain
Scrambled
Ascension
Evasive
Sysco
Resolute
Talisman
Mantis
AWS (Wip)
Reel
Building
Magic
Epsilon
Outdated
PivotSmarter (small network)
Gobox
Certified (Assumed breach)
Arasaka
Bucket
Welcome
Stacked
Vintage (Assumed Breach)
Sink
Search
Networks:
Axlle
Anomaly (harder)
Hospital (Windows/Linux)
EscapeTwo (Assumed breach)
TheFrizz
Haze
Scepter
Puppy (Assumed breach)
Certificate
TombWatcher
RustyKey (Assumed breach)
Infiltrator
Mirage
Anubis
Nanocorp
ProLabs:
Zephyr
Proving Grounds Practice VulnLab
Linux Windows Windows Active Directory Linux Windows Active Directory and Networks
Postfish
Kevin
Forgotten
Escape
Baby
Thor
Butch
Resourced
Down
Job Baby2
Megavolt
Craft
Nagoya
Bamboo
Job2
Breach
Craft2
Hokkaido
Lock
Phantom
Hepet
Heist
Media Sweep
Vector
Nara
Delegate
Symbolic
Vault
Sendai
Monster
Hutch
Retro
Shibuya
AWS (Not in the exam)
Walla
Monster
Pathway
Cockpit
AuthBy
Anomaly (harder)
Escape Baby
Trickster
Giddy
Timelapse
Cat
Control
StreamIO
Backfire
Heist
Flight
Cypher
Worker
Office
Gofer
Freelancer
Blazorized
Authority
Manager
Escape
BankSmarter
Slayer
ShareThePain
Scrambled
Ascension
Evasive
Sysco
Resolute
Talisman
Mantis
AWS (Wip)
Reel
Building
Magic
Epsilon
Outdated
PivotSmarter (small network)
Gobox
Certified (Assumed breach)
Arasaka
Bucket
Welcome
Stacke d
Vintage (Assumed Breach)
Sink
Search
Networks:
Axlle
Anomaly (harder)
Hospital (Windows/Linux)
EscapeTwo (Assumed breach)
TheFrizz
Haze
Scepter
Puppy (Assumed breach)
Certificate
TombWatcher
RustyKey (Assumed breach)
Infiltrator
Mirage
Anubis
Nanocorp
ProLabs:
Zephyr
Proving Grounds Practice VulnLab
Linux Windows Windows Active Directory Linux Windows Active Directory and Networks
Postfish
Kevin
Forgotten
Escape Baby
Trickster
Trickster
etc.

The bottom lines enumerate a large variety of platforms and rooms across HackTheBox, TryHackMe, VulnLab, and ProLabs with many named targets; this section is a living, evolving list of OSCP-like practice targets used to build methodology and familiarity with exam-style challenges.

The following list captures a representative set of machines and rooms that are consistently cited as OSCP-like practice targets across platforms, including: Sea Markup, Mr Robot, Year of the Owl, Attacktive Directory, Red Teaming paths, and many other rooms and labs that emphasize technique, enumeration, privilege escalation, and post-exploitation concepts.

This list also notes that many targets from the Hack Smarter and Proving Grounds ecosystems have been integrated into broader prep curricula and serve as a bridge to more advanced red teaming techniques.

Additional references include resources and learning paths on malware research, AD abuse, C2 concepts, MSSQL, OSINT, and client-side attack vectors, which help in broadening exposure beyond OSCP-only content.

For those who want to support creators or explore further, there are options to donate or follow the author on social platforms and community forks. These are optional and provided for context only.

The overall aim of this section is to present a curated, practical set of environments that simulate real-world tiered networks and modern Windows/Linux/AD topologies commonly encountered on OSCP-style assessments and red-team exercises.

---

HackTheBox

Boxes commonly cited within the OSCP prep community include scenarios emphasizing Windows/AD, Linux privilege escalation, network pivots, and common misconfigurations.
The HackTheBox ecosystem provides a wide array of labs, retired boxes, and challenges that complement PEN-200 topics and OSCP exam-style tasks.
The list notes that some boxes may be outside the typical OSCP scope, but they offer valuable skills that reinforce core OSCP concepts and red-team strategies.

---

TryHackMe

Notable rooms and tracks emphasize practical attack chains, lateral movement, and defense concepts that align with OSCP exam preparation.
The list recommends watching security-focused content creators (e.g., ippsec) for additional context and notes.

---

HackSmarter

The community contributions include curated sections for Windows, Linux, and AD labs, with emphasis on practice for OSCP-like exams and red-team concepts.
The list also references updates and additions to Hack Smarter labs across various dates, indicating an actively evolving prep environment.

---

Proving Grounds Practice

The practice labs include a combination of OSCP-like targets and more advanced scenarios that align with red-team thinking.
Boxes and labs are frequently updated with new content to reflect evolving attack surfaces and techniques.

---

VulnLab

The VulnLab ecosystem is closely integrated with Hack The Box and Hack Smarter, providing additional fusion opportunities for cross-platform practice.
The content notes that VulnLab boxes often require creative problem solving and multi-staged exploitation chains.

---

The real OSCP-like boxes (overview)

Examples and categories include boxes and scenarios centered on privilege escalation, client-side attacks, and internal network movements.
The list acknowledges that some boxes may be harder but still valuable for advanced study and method development.

---

New platform notes

Acknowledges ongoing platform development within the Hack Smarter ecosystem and the addition of boxes and rooms that are considered valuable for OSCP-like practice.
The community-contributed updates include the addition of new targets, as well as re-classification of rooms to reflect their relevance to OSCP-style practices.
The list is intended to remain a living document that evolves with new labs, tracks, and practice opportunities across multiple platforms.

---

Post-OSCP Red Teaming Machines

Whoami

What is this list for

Aside from OSCP I have also done Active Directory and Red Teaming related certifications such as PNPT, CRTP and CRTO. I also like to research about malware and evasion and post it on my Medium: https://medium.com/@luisgerardomoret_69654
This is a list for those interested in Red Teaming related topics that go beyond the scope of the OSCP such as more advanced Active Directory techniques, OSINT, Evasion, Command and Control, Client side attacks, MSSQL and other related topics. A lot of these topics and certifications i've taken overlap with topics covered in PEN-300 (OSEP) and this list may be used as preparation for it but this list is not meant to be only for OSEP it is for those interested in Red Teaming in general and goes beyond the contents of Red Teaming certifications.

Hackthebox Tryhackme
Linux Windows Active Directory and Networks Linux Windows Active Directory and Networks
Other recommended rooms
ScriptKiddie
Querier
Sauna
Mr Robot
Year of the Owl
Attacktive Directory
Red Teaming Learning Path
Blunder
Aero
Forest
Grep (OSINT)
Blaster
Attacking Kerberos
Cyber Defense Learning Path
Solidstate
Mailing Intelligence Weasel Wreath Network OhSINT
Delivery Atom Cascade Hack Smarter Security Corp
Perfection Compiled Monteverde Reset
Alert Acute Blackfield Vulnnet: Active
Mailroom Sniper Fuse Enterprise
Luke Visual Return Ledger
Trickster Giddy Timelapse
Cat Control StreamIO
Backfire Heist Flight
Cypher Worker Office
Gofer Freelancer
Blazorized HackSmarter
Authority Manager
Escape BankSmarter
Slayer ShareThePain
Scrambled Ascension Evasive Sysco
Resolute Talisman Mantis
AWS (Wip) Reel
Building Magic
Epsilon Outdated PivotSmarter (small network)
Gobox Certified (Assumed breach) Arasaka
Bucket Administrator (Assumed breach) Welcome
Stacked Vintage (Assumed Breach)
Sink Search Networks:
Axlle Anomaly (harder)
Hospital (Windows/Linux)
EscapeTwo (Assumed breach)
TheFrizz
Haze
Scepter
Puppy (Assumed breach)
Certificate
TombWatcher
RustyKey (Assumed breach)
Infiltrator
Mirage
Anubis
Nanocorp
ProLabs:
Zephyr
Proving Grounds Practice VulnLab
Linux Windows Windows Active Directory Linux Windows Active Directory and Networks
Postfish Kevin Access Forgotten Escape Baby
Thor Butch Resourced Down Job Baby2 Megavolt Craft Nagoya Bamboo Job2 Breach
Craft2 Hokkaido Lock Phantom
Hepet Heist Media Sweep
Vector Nara Delegate
Symbolic Vault Sendai Monster Hutch Retro
Compromised Kyoto (has Buffer overflow) Retro2
Bruno
Lustrous2
Shibuya
AWS Chains:
Pathway Trusted
Reflection
Hybrid
Lustrous
Heron (Assumed breach)
Tengu
Puppet (Assumed breach with C2)
Red Teaming Labs:
Ifrit

The OSCP-like hardening by red team research includes many more rooms and labs spanning Linux, Windows, and AD topologies, with a focus on realistic enterprise networks. The list is intended to help learners practice detection, privilege escalation, lateral movement, and post-exploitation techniques relevant to Red Team engagements and OSCP-style labs.

---

LainKusanagi list of Post-OSCP Red Teaming Machines

Overview
Practice platforms referenced
Red Teaming topics covered
Selected boxes and rooms
Notable mentions

---

Overview

Aside from OSCP I have also done Active Directory and Red Teaming related certifications such as PNPT, CRTP and CRTO. I also like to research about malware and evasion and post it on my Medium: https://medium.com/@luisgerardomoret_69654
This is a list for those interested in Red Teaming related topics that go beyond the scope of the OSCP such as more advanced Active Directory techniques, OSINT, Evasion, Command and Control, Client side attacks, MSSQL and other related topics. A lot of these topics and certifications i've taken overlap with topics covered in PEN-300 (OSEP) and this list may be used as preparation for it but this list is not meant to be only for OSEP it is for those interested in Red Teaming in general and goes beyond the contents of Red Teaming certifications.

Practice platforms referenced

Hackthebox, Tryhackme, VulnLab, ProLabs, Proving Grounds, AWS, and other labs are cited as practical sources for deepening red-teaming capabilities and AD abuse scenarios. The list emphasizes a mix of platforms to broaden exposure to different lab topologies and attack surfaces.

Red Teaming topics covered

Topics include Active Directory abuse, Kerberos attacks, credential access, lateral movement, C2, OSINT, and post-exploitation chains. The material notes that many topics align with PEN-300 (OSEP) and extend beyond OSCP scope.

Selected boxes and rooms

The collection enumerates numerous rooms on HackTheBox, TryHackMe, VulnLab, and ProLabs focusing on AD mastery, privilege escalation, network pivoting, and enterprise scenario simulations. Names include Sea Markup, Mr Robot, Year of the Owl, Attacktive Directory, Red Teaming Learning Path, and many others across multiple platforms.

Notable mentions

It highlights the value of including dedicated rooms for AD abuse, phishing simulations, credential harvesting, and network service exploitation while filtering out boxes aimed strictly at OSEP or unrelated advanced topics.

---

Additional notes and resources

The document acknowledges the evolving nature of OSCP-like prep resources and red-team labs, with frequent updates to paths, rooms, and challenges.
For readers seeking to explore beyond OSCP boundaries, the collection provides guidance on AD theory, incident response concepts, and red-team lifecycle stages across platforms.
The author shares social links and community resources to connect with like-minded learners and contributors.

---

Spreadsheet

Summary & Guide

Related Topics

Spreadsheet

Summary & Guide

Related Topics