eCPPT Exam

Now, obviously my memory will be a bit hazy as it has been over three months, and I don't want to include any exam spoilers, but I will do my best to describe the exam and my process.

Day 1 (2/14)
I started off the evening with a nice, romantic Valentine's Day dinner at Taco Bell with 2 close friends.

The exam kicks off at 9:28pm, and I have nothing but my wits, skills, and 6 Sugar Free Amp energy drinks to help me.

A lot of enumeration and understanding of the network and externally facing systems. Some planning, but I've never been great about that.

TONS OF SCREENSHOTS (Evernote is my hero)

Day 2
Some progress as of 24 hours and 3 energy drinks in (~144 hours and 3 energy drinks remaining), but too early to tell.

According to the VM timer I spent around 10+ hours in the environment this day, and didn't get too burnt out (yet).

Day 3
A bit more progress (and a lot more frustration) as of ~48 hours and 4 energy drinks in, but a lot to go.

Day 5
(no day 4 update)
After ~76 hours and 5 energy drinks (~92 hours and 1 energy drink remaining) I did not make any more progress, other than increased frustrations.

At this point I start to go back over everything both network and lab wise, to try to decide what I might be missing or forgetting.

Additionally, I'm taking screenshots and noting everything down, to prepare for my report.

This is also the point where I start trying to randomly brute force EVERYTHING...not the best solution.

Day 6
~122 hours and 6 energy drinks in (~46 hours and 4 energy drinks (thanks to a friend for the surprise) remain), and I'm making progress again.

Always remember that there are multiple ways to attack something, as well as different payloads...this was something that caused me no shortage of frustration (TRY MORE THAN ONE PAYLOAD NEXT TIME).

"All" that I have left at this point is some custom exploit dev and the DMZ.

Day 6 night/7 morning
The custom exploit dev went along without too many hitches, and with a pretty interesting solution. (Shouldn't be a spoiler) Instead of a more standard payload (was running into issues), my exploit remotely deleted a user, added that user back, made them an administrator, and then enabled RDP.

At this point I have ~18 hours left and nothing but the DMZ left.

Day 7
As of 11am on the seventh day (~146 hours and 7 energy drinks in), I obtained root level access in the DMZ, thus completing the testing part of the exam.

All that was left at this point was a bit more information (AND SCREENSHOT) gathering, and verifying that I found every vulnerability on the machines instead of just one.

Then I had 7 days to write the report (had 99 pages of unformatted screenshots and notes at this point).

While I don't have many notes on my report itself, I'll try to give an understanding of how it went.

I started with 99 pages of screenshots and mostly unsorted/un-formated notes.

From here I sorted them out, added headers, and began looking at sample Penetration Test reports.

All in all, my report ended up being 50 pages in total including an Executive Summary, Vulnerability report (including remediation steps), and source code Appendix

While writing the report wasn't that hard with all of my notes, it was still something very new to me, and a valuable experience.

The only real advice I could give on this is to take constant screenshots and notes, make sure you have a format in mind, and don't wait until the last-minute.

As of March 7th @ 12:12pm, I received the following e-mail:
"Our instructors at eLearnSecurity want to congratulate with you and award you with the eLearnSecurity Certified Professional Penetration Tester certificate. You are now an eCPPT!"

doyler on Githubdoyler on Twitter
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he's done it all. To show for it, he has obtained an OSCP, eCPPT, eWPT, eWPTX, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Senior Penetration Testing Consultant for Secureworks. His previous position was a Senior Penetration Tester for a major financial institution.

When he's not figuring out what cert to get next (currently GXPN) or side project to work on, he enjoys playing video games, traveling, and watching sports.


Filed under Security Not Included

203 Responses to eCPPT Exam

  1. Alex

    Wow! Does the exam actually last 7 days(report writing aside)??That’s a lot more than the OSCP!Could you also tell approx. how many machines did you have to root?

    • doyler

      Yup, you get 7 days for the attacking portion and then 7 days more for the reporting portion of the exam.

      Definitely a lot more time than the OSCP, but I believe you’re expected to be a bit more thorough and not just root the box in any way possible.

      There was a website, a few internal machines, and then the machine in the DMZ. Overall, under 10 total machines still.

  2. PincoPallino

    Can you write to me at my email?

    I want ask you some questions!

  3. Sasha

    I want to ask a few questions.
    Can you write to me at my email?

  4. Alessandro Rocchi

    Hi Ray
    Can I ask you some questions?
    Can you contact me at my email address?
    Thank you πŸ˜‰

  5. Joel

    Hi, can i ask you some questions?

    Hope you reply to my email.
    Thank you!

  6. Alejandro

    Hello Doyle, i really enjoy your review about the eCPPT exam, it was really insightful. I will do my exam in the next week and i am study all the material where i considerer i have a little flaws, However i want you to ask you some question about it if is possible of course!

    So if you have time, i will really appreciate it if you can help me to get more insight about this!

    thank you in advance….

    Best regards…


    • Hi Alex,

      Sure, what in particular do you have questions about/how would you like me to contact you?

      Good luck with your exam regardless!

      (Oh, I didn’t delete your comment by the way, I just hadn’t approved it yet)


    • John

      I tried ecppt exam but very badly stuck on system security section. I found the executable/ python files and downloaded them on captured server, where I had already uploaded immunity with mona. The rest should be a piece of cake, found the number of args to reach EIP, practically (immunity and mona pc script did not bring results), then found jmp esp with mona, constructed the entire exploit with reverse tcp payload and set my reverse handler. All fine, routed the exploit to victim machine, but never got a shell. 7 jmp/esp, call esp where returned by mona,all tried, but nothing. I disabled dep, but still nothing. null session did not give me something. Any advice?

      • If your exploit is working locally, then it might be an issue with your payload. There could be an antivirus or firewall blocking the payload that you are trying. Have you tried more than just the one reverse tcp payload yet? That is most likely the issue.

        • John

          Good evening again,
          Regarding your last, indeed I insisted a lot, and that costed me in time and fail, no local buffer overflow and exploitation achieved locally; Actually, app seems to go wrong (overflow) but not manage anything more. Though I have found using alternatively python script ( and foo..manager.exe that there should be some kind of customer id policy: only numerical characters, with length up to seven. alphanumerical returned errors on py and exe file showed that was reading up to seven chars from id. Random test, returned two users. So, I wrote a bash script to bruteforce the application, feeding it with possible combinations created with crunch (actually I wrote again my own script instead of using crunch) and take all users data…. but no time left. Then I think I should try this info with net use or any other smb tool to get a connection to shares. Server is vulnerable to null session, but by that only, not much luck. I tried to sniff with wireshark, nothing. Analyzed pcaps, with tshark and bro, still nothing. There should be some other application running on server, although it warns that older web app, not has been set offline. Not clear yet, what I have to do. Now, I am writing my report and waiting for better chances next week. This phase seems very tricky, but I am optimist, if I pass it I will reach the to the end. Thank you.

  7. Charly

    Thinking about taking this one, it looks really interesting.

    I read on many sites that they give you a lab with an objetive, but archiving that objetive is not the way to pass. So, are you supposed to break any thing?

    • Hi Charly,

      It was interesting, and definitely enjoyable. As far as the labs are concerned, they are separate from the exam.

      The exam has a necessary, but not sufficient, objective that you need to reach. You still need to perform a full penetration test and report every vulnerability that you find in the network.

      That make sense?

  8. Diego

    Hi Doyler,

    i just discovered your blog and i want to ask one question, i’m in my third day of my exam and i stuck on exploit development since day two, i,m a little confused and its draving me crazy, do you have some advice to approx it? maybe some resources to learn more and crack that exploit? thank you give you my email

      • Diego

        Hello Doyler thank you for the resources, im into them right know because i fail terrible in te exam ;( my exploit didn’t work and im was not able to compromise any other computer in the corporate network. so i came to you again hopefully you can give me one hint because i am very frustrated.
        i was able to detect the other computer in the corp-network one XP with some smb sharing open services for example IPC% but when i try to connect to digger more info, i can’t, i just simply can access, the computer told me Access denied, so my suspicious are that i can only advance in the exam if successfully write the exploit for the computer listening that service? or i can enter in the corporate network compromising another computer ? because i think i try anything but i can’t enter in any other computer thing it’s the exploit what is driving me crazy.. so if you can tell if there is a other way to enter the corporate network compromising other computer i will very appreciate that, please!!!

        regarding the post, you can delete before you authorize it, and you got my email, just i hope you can have the time to read it.

        thank you Doyler and have a nice day!!

        • I’m sorry about that, but hopefully those resource help you brush up on your buffer overflows!

          If you are unable to connect with an SMB client for more info, then anonymous access is probably disabled. In that case, you might want to scan for SMB vulnerabilities, to see if you can find any. For example, using NMAP NSE scripts – (hint: smb-vuln-* will use all available NSE scripts that start with that).

          As far as the buffer overflow is concerned, yes, that is the only way to compromise the machine that is running that application.

          You’re welcome, and good luck.

          • Hello Doyler,

            thank you for your advice, i try to use NSE but without any successful result, when you use proxy chains NSE scans will not work, i try redirecting the traffic to the specific port i want to connect so in that way a was able to use NSE, however when i try to scan for vulnerabilities the session close because the scan it’s to noisy i think.

            Maybe my routing it’s wrong and i need use something else instead of metasploit?

            thank you Doyler for your advice and happy new year!!!

          • Yea, you might be able to get the NSE scripts to route through a proxy (I think SSHuttle might work instead).

            But yea, it could just be a routing issue.

            That said, you may be able to scan for the SMB vulnerabilities more manually with SMBclient/exploits through your proxy chains.

        • Kate

          Hey Diego,
          What’s your email address?

  9. kate

    Hi Doyler,

    I’m currently doing my eCPPT exam, and I need your help.

    So far I got the highest privilege shell on the web server, but I can’t exploit the DMZ or any machine in the corporate network. I can only scan the corporate machines and identify two Windows hosts. I also found the .exe and .py files hosted on one of the corporate machines, which I know I have to overflow the buffer.

    Do the .exe and .py files have something to do with exploiting the corporate network or are they just there for me to prove they have buffer overflow vulnerabilities?

    I’m completely stuck right now. Please…Point me in the right direction. Give me a hint. Anything.

    Thanks in advance. (Sorry I spoiled a bit so reply to this message to my private email if possible)

    • Hi Kate,

      You haven’t spoiled too much, but I can edit your comments if you do.

      As far as the .exe and .py are concerned, they are in reference to the buffer overflow that you know you need to exploit. You’ll need to utilize them to write and test your buffer overflow. Once you have it completed, you’ll need to see if you can find a remote version of it listening somewhere…

      Good luck!

      • Kate

        Yo Doyler,

        The good news is I proceeded to root two more machines in the corporate network πŸ™‚ The bad news is I’m now completely stuck not knowing how to root the DMZ πŸ™ I got one user’s FTP credentials but when I RDP’d in there was nothing in the DMZ server. On top of that it doesn’t respond to port scans so I have no way of fingerprinting it, meaning I can’t run a backdoor on the DMZ server’s behalf. Please Doyler…Guide me.

        Am I supposed to mount password and MitM attacks against the DMZ or something? Oh man am I lost…

        • Awesome, that’s some good progress at least.

          You definitely don’t need to perform any password or MiTM attacks.

          If you have FTP creds, and you can RDP, then that’s a great start. If you couldn’t actually get RDP to work, then maybe you need to try a different venue. Also make sure to exfiltrate as much information as possible from the machines that you do manage to exploit.

  10. steve

    Hey Doyler

    Can you write to me at my email?

    I wan’t ask you some questions!


  11. marco

    HI Man
    Congratulations for your cert.
    I am doing the exam, and I want to ask you some things. I don’t want to spoiler here !
    Can you write to me at my email?

    Thanks a lot

  12. ericsoe

    Does ecppt as a required for oscp exam? I failed oscp once i attempted for first time. Should I extend lab and try again ? or should I get ecppt first? Appreciate ur help!

    Thanks in advance,
    – eric

  13. ericdoe

    OMG! thank u so much! Highly appreciated πŸ™‚

  14. John

    Hi Doyler,

    Great post and well done.

    I appreciate it if you could send me an email to ask you a question.


  15. Stefano Brugis

    Hi Ray
    Can I ask you some questions?
    Can you contact me at my email address?
    Thank you

  16. mapo

    Wow! I’ve already taken the eJPT cert and now i am studying to obtain e eCPPT.
    I have to admit i’m going slow with the course but personally i need a lot to re-elaborate things.
    As i work as web developer, the web app part of the couse was much much easier than the system security section. I’m a bit struggling with that, i admit it! Any general tips to understand better the BOF and the shellcoding?
    I hope i can take the exam before october, i can’t wait to have obtain the cert.
    Ps. i’ve discovered this blog 10 minutes ago and i really enjoyed the article and the comments.

  17. Tai

    Hi Doyler,

    Can I say, great article and really kind of you to respond to everyone’s comments. I’m looking to sit the PTP exam this weekend, not sure I’m ready but thought I’d give it a go. I made notes of all the lab solutions but have’t had time to go through them again and also noted all the important commands from various sections which I’m hoping to use during the exam.

    Any last minute tips before the exam? Would be good to have some useful advice as I’m a little worried I won’t know where to start and then try everything instead of using a structured approach, nerves does that to a person!
    The other concern I have is around the Buffer Overflow, finding it and then creating a script from scratch to talk to an application if this isn’t similar to what we’ve been taught in the labs.

    Looking forward to your wisdom πŸ™‚


    • Hi Tai,

      I’m always glad to help people, and best of luck with the exam!

      I think just going over everything in the course, this post, and any common questions that people might have (see the comments) would be more than enough.

      Make sure you stick to your workflow as best as possible, and keep good notes.

      The buffer overflow isn’t difficult as long as you follow the steps that the course taught. Additionally, there is a comment here with a TON of resources for more practice if you’d like.

      Good luck again!

  18. Tai

    Hi Doyler,

    Struggling a little here, [spoilers redacted]. Much appreciated!

    • Sorry, don’t want to give too much away, but make sure you go back over the course material and your labs!

      • Tai

        Hi Doyler,

        I’ve made some good progress, managed to get through to the end location (don’t want to give too much) but cant seem to find a way to exploit the device.
        I’ve not tackled the buffer overflow as yet, I’m just a little confused as how I’m meant to do it without being able to put the server into immunity and see it overwriting EIP. Any suggestions?
        The labs taught us to use the graphical ftp client application which then connects to a server with malicious payload within a script.

        • Tahir Hussain

          Hi Doyler,

          Thought I’d let you know I managed to root the tricky box and only now leaves me with the Buffer Overflow, will run out of time for that it looks like.

        • Tahir Hussain

          Hi Doyler,

          Thought I’d let you know I managed to successfully overflow the buffer!


          • Congrats, and glad to hear that!

            Hopefully you managed to get everything, or at least know what you might be missing for the retake.

            Let me know how it goes.

  19. Mikey

    Hello Doyler,

    Thinking about doing the course soon instead of OSCP, as per recommendation, but a little hesitant with Buffer Overflows. Was wondering, does the Buffer Overflow for the exam require you to overcome SEH, stack canary, ASLR or DEP?

    I’ve historically had problems with overcoming stack canaries in my line of work, so wanted to understand if this was the case. Also, are you tied to a particular programming language or can you use perl, c++?

    Thank You πŸ™‚

    • Hi Mikey,

      No where near anything for this buffer overflow (or the OSCP to be honest). Both of them are functionally the same:

      Overflow buffer, control EIP, find JMP, make simple JMP to shellcode, win.

      The OSCE is going to be the first course offered by either that will start with any of those topics.

      As far as languages are concerned, you aren’t constrained to any. A lot of the examples will be in Python or C depending on relevance, but anything you write (or use) can be in the language of your choice.

      • Mikey

        Thanks Doyler!

        A little less scared now! I’m assuming you have a suitable machine without security parameters, such as XP (based on some stuff I’ve read) to run the exploit from or are you expected to do this in Kali? I’ve obviously only practised this on Windows XP to date (old PTB course) and not Linux.

        I’ll try and read up as much as I can, probably wait for a voucher or discount first πŸ™‚


        • I do have an XP machine that I use for some exploit development, but you do not need it for the course.

          You’ll be provided with the VM and appropriate vulnerable software in both the lab, as well as the exam, environment.

          Good luck, and let me know how it goes!

  20. john

    Hello Doyler,

    thanks in advance for your feedback, I already comprise web server and 3 machine on the network including dev exp, i have ftp for dmz but I got stuck on this can you give any hint,
    and should I comprise all the machine on the network.

    • Hi John,

      I’m sorry that I can’t give you any hints, but good luck with the machine!

      You should try to compromise every machine in the network that you find, but your goal is to find every vulnerability. If you can’t get a partial, or even full compromise, then that doesn’t necessarily mean that you missed something.

  21. Tai

    Hi Doyler,

    Would it be possible to send you a PM, not necessarily about the exam.


  22. Mokaz

    Hey there Doyler,

    I’ve been through OSCP & OSCE. I’m actually thinking about getting a 4 in the Box @ eLearnSecurity. Targets are eCPPT, eCRE, eNDP & eWPTX.

    Do you think this makes sense, or will i be bored?


    • Hey Mokaz,

      Awesome, and grats on your OSCE! I’m hoping to have mine done by the end of this year myself.

      I love the 4 in a Box, though I’ve never taken the eNDP personally.

      eCPPT – you’ll probably be bored a little to be honest, as it is VERY similar to the OSCP. That said, if you see anything in the syllabus that you don’t know, it might be ok. Your other options for this slot would be another defensive course, eMAPT, or even eWPT.

      eCRE – I haven’t finished yet, but it should still be plenty useful and fun.

      eWPTX – you won’t be bored at all, a great course.

  23. Tai

    Hi Doyler,

    Thought I’d let you know, I passed my eCPPT. Thanks for your advice on this page, it was invaluable πŸ™‚

    • Awesome, congratulations! Glad that I could at least give some advice.

      • Tai


        For anyone else sitting it, down be overly stressed about the BO, providing you are familiar with the content in the lab, it will not be too different in the exam. I tackled the BO towards the end once everything became clear.

  24. Rollix709

    Hey Doyler,

    Looking to get your opinion on a couple things, but not looking for answers or anything of the sort. More informational if you’re able to help.

    E-mail if you get a chance,


  25. Susan

    Hi Doyler,
    I’m on my ecppt right now.
    I’ve successfully exploited [sensitive information removed], but i’m stuck with other hosts [sensitive information removed]…i’ve nmapped them to know how service run on them and tried common vuln with metasploit but with no result…can you tell me where is my fail?

    P.s. above you said you used “more than one payload”, i tried more different payload but with no result.
    Thank you in advance!

    • Hi Susan,

      First, I’ve removed any spoilers from your comment as to not spoil it for others. Remember, this is a penetration test, so your job is to find as many vulnerabilities as possible and then report it to the client, that’s it.

      As far as the “more than one payload” is concerned, if a different payload didn’t work, then you might be fine.

      Good luck!

  26. waqas ahmed farooqi

    Hello Doyler
    Seen your posts, loved your supporting attitude.
    Hope you will be fine. I am an information security professional and currently interested in E-Learning Security ECPPT certification. I need some help so please answer me the following questions.

    1. ECPPT paper will be given from home?
    2. After how much time of ECPPT registration paper must be given?
    • Hi, glad you enjoy my posts, and hopefully I can help!

      You take the eCPPT exam from home, using the same VPN connectivity you use for the lab environments. There is no paper per-se, but a penetration engagement followed by the report.

      That depends on which version of the course you sign up for. The Barebone edition doesn’t have an exam, the Full gives you 180 days to complete the course from the day you begin, and there is no time limit for the Elite version.

      • waqas ahmed farooqi

        Thanks a lot for your response, so nice of you brother. If possible please share some resources which will help in the preparation of eCPPT certification.

        • Other than the course materials, you don’t really need anything in preparation of the course or exam.

          That said, if you struggle or think you will struggle with the buffer overflow, then the above comments should have everything you’ll need!

          Let me know when you sign up, and how it goes.

  27. Josh

    Hey Doyler,

    Thank you so much for the review! I’m currently taking the course, and it’s always fun to read reviews of the course and exam. Do you have tips (without spoiling anything) to review or be a be sure to know for the exam? The labs that they provide are pretty good, but I’m probably overthinking that the exam is going to be 4x hard then the labs.

    • Other than maybe a few of the links in the comments above, you should be good!

      The course material covers everything in the exam, you just need to make sure that you understand what you’re doing.

      Follow your process (Information Gather -> Enumerate -> Exploit -> Post Exploitation -> Information Gather), document everything, and you’ll be good to go.

      That + make sure you understand how to do a basic stack-based buffer overflow.

      • Josh

        Hi Doyler,

        I got the email I passed the eCPPT exam! After two weeks of being a little worried are finally over.

        I wanted to come back and say thank you for the review, and honestly I went through same emotions as you each day… So it was pretty cool to see each day making progress or being completely stuck.

        My next certification I’ll be doing is OSCP, and I’m pretty scared about this one; due to the rumors and intimidation. Did you do eCPPT before OSCP? Through the exam and labs in eCPPT, majority of the tool using was Metasploit. I feel like I’ll be re-learning everything again, but doing everything manually. How did you overcome that?

        • Congratulations! It’s a great feeling seeing that you finally passed and that it is over.

          You’re welcome, and I’m so glad that it actually helped and/or motivated you. The progress is fun, except when you think you’re completely stuck.

          Awesome, and that’s definitely a great one. I did do my eCPPT before my OSCP. Go into OSCP and expect to learn a lot of things new, don’t try to cut corners because you finished your eCPPT. Also, whenever possible, don’t use Metasploit at all. In the end I think I only used it for 3-4 lab machines and 1 exam machine.

          Let me know how it goes, and feel free to read my reviews/notes/ideas on it here as well!

  28. nessie

    Thanks for the write-up,

    I recall reading some of your other posts as well in the past.
    Stumbled upon this one whilst being stuck at my expoit dev for the eCCPT and fancied reading some horror stories in a desperate attempt to cool down. It’s not working πŸ™‚

    Could you reach me by mail please? I think I just need another point of view on the matter that might get me back on track ..
    Thank you in advance,

    • You’re welcome, and hopefully it’s able to help!

      Yea, the exploit dev is super straightforward if you just follow the steps in the course. That said, you can also look over some of the other links in the comments for more write-ups or practices.

      How did it end up going in the end though?

      • nessie

        well, finally managed to find the vulnerability and create an exploit.
        However, just got the result in and I failed.
        I know there’s one part from the course I didn’t use and that might be the one that was lacking to get the full result. I’ll look into that part before reading the comments on my report since I’m short in time for the next days and I’d miss valuable time in the lab ..

        • That’s good at least!

          I’m sorry you failed, but hopefully you are able to figure out where you were lacking and finish it up next attempt.

          Understandable, but definitely read the comments on your report. They are usually short and sweet, and will definitely help you focus your efforts in the lab.

  29. Rafael Santos

    Hello Raymond Doyle, my name is Rafael, I’m following your blog about security certifications, I’m doing eCPPT, I’m lost in the first phase of the test, I can not identify the way to go through the initial site, can you give me any tips?

    • Hi Rafael,

      If you are stuck on the first part, then make sure you are going through all of your proper steps.

      Perform Information Gathering – see what can be attacked, what is open, etc.
      Enumeration – discover services, applications, possible attack surface.
      Exploitation – once you have some possible attack surfaces, try to exploit them.

      As the first step is a web application, make sure to check the server as well as the application layer for vulnerabilities.

  30. rocklee

    Hi doyler,

    i have some question regarding BOF. Can i contact you for some direction?

    Thanks and deeply appreciated.

    • Hi,

      I won’t be able to help you with the BoF, but if you follow all of the steps in the course material it will be super simple.

      That said, there are also a few links in the comments section here if you want to read or practice some more.

      Good luck!

      • rocklee

        Hi doyler,

        Thanks for the reply. I’,m aware that i will need to obtain the source code in order to perform the BOF. Generally i have no much problem in doing BOF as i tried on few vulnerable applications and have successful attempts. Right now, is more like i have problem getting the vulnerable application from the machine in order to debug. I have some credentials gotten from some of the machines *trying not to disclose too much info* and successful use it gain access into the corporate network. Rest of the credentials does not seems to work on the smb shares. Do I have to brute force my way through or do some hash cracking from the previous machines ? Really appreciate if you can shed some lights.

        • You actually don’t necessarily NEED the source code to perform the buffer overflow. Having the executable itself is more important, so that you can attach a debugger to it.

          If you need to get the vulnerable application itself, maybe you need to get it from a different machine than the one you need to exploit it on…

  31. chris

    In the BOF ftpclient course materials we are given an ‘’ and an ‘ftp.exe’ client. You are able to connect the client to the python ftp server using the localhost address. This allows you to test and send your payload to the ‘ftp.exe’ client in order to find and test offset, eip, jmp esp, shellcode. Pretty straight forward and easy

    Is this method of testing possible for the ‘c.exe’ & ‘’? I am having trouble trying to figure out how to go about testing from ‘’ to ‘c.exe’ , Do I stick to modifying the py in order to send my payload to the exe? and is the exe suppose to communicate to the py in order to test, similar to the ftpclient32 scenario in the course material?

    thanks! and please redact anything unnecessary. I tried to be crypted as possible.

    • Hi Chris,

      The only thing I did was slightly rename your files, but you aren’t being too spoiler heavy.

      That said, you can perform the exact same manner of testing in the Exam as you did in the lab. You just need to modify the payload to send wherever your EXE is listening, and attach a debugger to it. The exe may or may not communicate back, but that is largely irrelevant as long as you are able to crash it.

      Good luck!

  32. Chris

    Thanks Doyler for the reply. I think I am going about this wrong. As I analyze both files mentioned earlier, the both do the same thing as in communicate to the same destination ip and port. In order to get an EIP you need to load the target application you are trying to crash and in this case, I am not even there yet as I don’t have access to the host running the destination app. Is this correct?

    • Hi Chris,

      Yea, you are going about it slightly wrong. If you were going to try and find a vulnerability in Apache, you wouldn’t just start attacking and hoping to get access to it. You’d download the executable yourself first, and attach the debugger locally.

      You need to do the same in this case, only the executable cannot just be downloaded from the internet. In that case, you need to find it on a different host than the one you are trying to exploit.

      Good luck!

      • chris

        I am on my second attempt now. I was able to find the needed files to do the crashing and testing within Immunity Debugger. I was able to load a calc.exe like in the course. I am now working on the shellcode. I guess I am getting stuck on the payload to send. I thought that would be the easiest part but, I am at the WTF point lol

        • Awesome, that’s good! It should be fairly easy, but make sure the shellcode works before you send it + there are no bad characters.

          Sending it should just be as “simple” as modifying the included Python script.

          Good luck!

  33. Hey doyler

    Can you shoot me an email?

    • Hi,

      I do not want to give spoilers over email or the blog. If you think that you are stuck, make sure to go over each of the important steps, and don’t forget to check every possible vector.

      If there is something generic that I can help with, then please let me know!

  34. chris

    Hey Doyer thanks for the reply. Yeah I got everything in place even the python script to send the payload. I am able to get a calc to pop up, but I am using msfvenom to create the shellcode with no bad characters, however I cannot get it to work on my test machine. I was able to get some “shellcode” examples off the interwebs and a few work where I was able to add a user and add to admin group but as you know, I need to add a little extra and those examples online are static set in stone and you cannot modify them as its a copy and paste job. I don’t want to ruin the exam here. But yeah msfvenom is pissing me off as I don’t think its working.

    If you are not too busy and I know you get this a lot but if you available through email that would be cool. If not its ok brotha no worries. I don’t have twitter etc.

    • nessie

      What I would recommend you to do chris
      – set up an environment mimicking the target you have at hand
      – looks like you have everything you need, so run whatever you need to run in that environment
      – create your shellcode that you want, I can assure you, msfvenom did what it was supposed to
      – focus on what you want to achieve with your shellcode, I find it hard to imagine you want to have calc popping up on the target πŸ˜‰
      – be sure you have the right bad characters omitted, no need to overcomplicate and define half of the characterset as bad …
      – in relation to the above and the ‘push’ of your shellcode to your target: be wary of how python 3 and 2 function .. I kind of lost a couple of days to figure that out

      • chris

        Hey Nessie, thanks for the reply. Like you mentioned I have my testing environment both local to my machine and on the user network. As far as the “bad” characters, those N… are taken care of. And obviously the calc was just to test that my offset,jmp are working on XP, and it works fine, I know I have the correct off and jmp esp call. The problem is when I generate anything on mfsvenom be it “regular conn payloads” or “other” payloads to perform of local tasks. Adding it to the python script is easy too, but I hit send and nothing lol

        Perhaps I am running into the python 2 v 3 thing. I have been using Python2. Going to give P3 a shot. Do you have articles or further studies I can check out that will help me with this whole python2 vs 3 issue? I am coming across some stuff about bytearray vs bytes.

        You are right, msfvenom is doing its job. I was using a traditional online HEX to ASCII editor and comparing the values of a simple input between the two. I was getting the same HEX values so that showed me things were fine with msfvenom.

        I have lost 3 days now. Ok I am off to test.

        • nessie

          No worries chris,
          If you’re on 2, that should be fine .. I ran into trouble because I started off with 3 .. it’s indeed a ‘bytes’ thing πŸ˜‰
          Yet I still wonder what kind of payload you want to execute on the target .. I believe there’s a kind you’re overlooking when I read ‘perform local tasks’ and ‘regular conn payload’ .. don’t look too far ..

          • chris

            Gotcha, thanks Nessie. I went back to v2 as I spend the day researching the incidents people were having having when v3 encoded their shellcodes to strings instead of bytes. I even went to the PTS course in the Python module to verify if that was covered lol

            You wouldn’t happened to have an article, tutorial, or even the slides from the PTP course that I can research that will point me to the proper payload? I guess I am having a bit of a stump here.

            Thanks for your help πŸ™‚

          • chris

            just rooted .55 OMG!!!!!!!!!!!

            This whole time!!!!! in my face!!!!!

            More than one way to skin a CAT and I think I had the space time stone (Avengers) and tried all 14 milliion ways like Dr Strange, instead of the simplest method which nailed me root access.

            Ok DMZ is left and I have 2 days left to go! I got this!

            I start PWK/OSCP June 2nd too lol!

            thanks Nessie & Doyler!

          • chris

            GAME OVER!!!!! I just rooted DMZ!

            Wow what a mission fellas! Now its time to redo my report. I was told I wrote an attack narrative and I need to fix it lol. DOH! I will spend some hours tonight and all day tomorrow to write it. Its due Monday morning, so I have time. Do you guys have any recommended reports I should look at to get an idea of the proper way to write it?

            On another note, I just got my PWK course pdf and videos. Hopefully things go well and I can complete OSCP in September that way I can jump straight into CTP/OSCE.

          • Congratulations Chris!

            Sorry I wasn’t on this weekend, but looks like it went pretty well.

            Haha, yea. This was supposed to be a “pentest” for a client, so you have to send in an actual report.

            I sort of made my own, but there are some great examples here.

            That said, always remember to try different payloads if one doesn’t seem to be working for some reason! (Which I’m guessing you did).

            Good luck with the OSCP, as that is definitely a challenge. I’ll start my OSCE pretty soon here as well.

          • Chris

            Thanks Doyler! I just got my email today that I am eCPPT certified. So glad I went through the eCPPT and got my butt kicked there. I learned so much and I am sure this journey will help me on my new OSCP journey. I appreciate your help and I will be following your OSCE journey and coming back to lookup your OSCP journey as well.

          • Congratulations!

            Definitely, and good luck with the OSCP journey. Feel free to drop in if you have questions or ideas.

  35. Bean

    Hey doyler, congratulations!

    Like most, I am completely stuck on the BOF. I have popped calc.exe, have the correct jmp address and all of that but finding the right payload is costing me so much time.

    -omitted bad characters
    -Utilizing NOP sled
    -Have tried windows,linux, and php reverse and bind payloads
    -using msf listener, running script locally
    -tried attacking the obvious server/port but tried additional IPs and ports.

    Yeah I have no idea!!


    • Hi Bean,


      Understandable, and I think a lot of people get stuck here.

      First, you don’t want to try different OS payloads, as that will waste a ton of time. That said, if Meterpreter payloads aren’t working, think about some other payloads that you might be able to use (non Meterpreter, bind vs reverse, command execution that still gives you access).

      If it is working for you, then it is likely just a payload or bad character issue.

      Good luck!

  36. Sam


    Thanks so much for taking the time to share your experiences with us. I started off in OSCP and managed to root a dozen boxes in the OSCP lab, but stumbled on eLearnSecurity’s eJPT and eCPPT certifications (and their respective courses). I ended up focusing my time on eJPT, which I earned recently, and decided to invest my time in eCPPT before I go back into OSCP.

    I plan on taking the exam in about a month. In your opinion, what are the subjects that current and future students should focus on? The coursework has a lot of material in it and I was hoping you can help me focus my time and efforts a little bit.

    • Thanks, and glad to share my experience and knowledge!

      eJPT -> eCPPT -> OSCP is a great progression if you have the time (and money), but not the experience.

      As far as the eCPPT is concerned, the course material has everything you need. That said, if you don’t understand the basics of a buffer overflow attack, you should brush up on those. As you can see from this comments section, there are quite a few people who got stuck at that point.

      The material will walk you through the steps, and you just need to follow them exactly though!

      In the meantime, let me know if you run across any other topics or concepts that you find confusing. Good luck!

  37. Patrick


    Thank you very much for sharing your experience with the exam. May I ask if shellcoding-knowledge is of importance for this exam? If I have the tools and knowledge to discover bufferoverflows, would I be able to get by utilizing payloads from MSFvenom after discovering the correct offset and JMP/CALL address?

    • Hey Patrick,

      You will actually need 0 knowledge of shellcode or shellcoding for the exam. As long as you can follow the buffer overflow steps, you will be fine.

      That said, don’t forget to check for bad characters, or try different payloads if one SHOULD be working!

  38. Mani

    Hey Doyle,
    Started the eCPPT exam. already have system on the webserver. Having difficulty getting any further. keeping it to a minimal, i was expecting traffic from corporate IP’s to visit either of the sites where i have shell waiting, but its been a full 24hrs and not a single visitor. Am i knocking on the wrong door?
    Any hints to proceed. simple what i should be looking for.

  39. Bryan


    First off, thank you for sharing your experience. I am currently doing the ECPPT and am having a rough go at the webserver. Any pointers you could give would be greatly appreciated. If its easier please dont hesitate to email me. Thanks.

  40. Bryan


    Never mind. I found my way in.

      • Bryan


        Thanks for the reply. Could you send me an email I have some questions about the bof portion.
        Thanks again.

      • Bryan


        So here is my predicament. I have no issue with building a buffer overflow exploit from a proof of concept (did it under an hour for my OSCP). However I normally have a service to attach my debugger to. I have the .exe and .py files from the one place but cannot locate the service. Is it located on the server that was captured or am I supposed to download it from a different one? Or do I have everything that I need and Im just not seeing it? Dont want any answers just a tip to point me in the right direction. Thanks

  41. Bryan

    I dont want to give anything away but if that was the case I would not be having any issue. I got both the .exe and the .py from the same place. I could go into more detail through email.

    • I already know what you are referring to, and my answer from before is still the same. If you have an .exe and a .py then you have the server/service, and you have the client.

  42. Bryan

    I guess Ill look at it again. Thanks pointing me in the right direction.

  43. Bryan

    Ok so Im on my last day and the few hours. I have found an oddly named .exe file on a Win7 box, but when trying run it I get gobbledygook.exe is not a valid Win32 application. I have tryed running it on every compatability mode on the server that I found it on as well as other servers (mine and theirs) but I get the same error every time. Am I waisting my time with this thing?

    • If you don’t think the application is that useful, then you probably don’t have to do anything with it. Remember that this isn’t a reverse engineering course or anything like that!

      • Bryan

        I was under the impression that that was the service to help me write the buffer overflow. Damn I’m at a loss where to find the buffer overflow then.

  44. Mike

    doyler, congrats on the pass and the info. Like many others, I am down to the BOF and DMZ. I have the BOF working locally, but not in the exam. Would appreciate a quick email to provide more detail of what I am seeing.

    • Thanks Mike, and glad to help!

      As far as the BoF is concerned, verify once more that it’s working locally. If it is, then there is likely a problem with your payload. In that case, you’ll want to re-verify bad characters, try other payloads (bind vs reverse and vice versa), as well as different TYPES of payloads (meterpreter vs cmd, etc.).

      As far as the DMZ is concerned, keep going at it!

      • Bryan


        Im trying to get the BoF but I dont recall there being a bad characters section outside of the null byte. I am trying to apply the way that I learned in the OSCP but it not even close to being similar. Also when tying to track down the JMP instruction the only instruction not protected by safeSEH is an .exe with a null byte in the address. Any pointers?

  45. John

    Hi Doyler and others,

    I’m almost down to the BOF and DMZ too. I have a question that is bugging me…I add the static routes on the Web server for DMZ and one for Corp and got the boxes for Corp responding. But DMZ shows nothing up and have tried all manner of nmap scans to compensate. Do I need to add the whole /23 as one entry? The provided map shows I don’t need to double pivot to get to DMZ. Perhaps some broad guidance? Thanks!

    • Hi John,

      What do you mean when you say you added static routes? You will need to discover hosts from more machines than just the initial foothold, I can definitely tell you that.

  46. John

    Do you mind contacting me directly or let me contact you?
    I can describe the situation.

    Thank you!

  47. Bryan

    Hey Doyler,

    I am having trouble find the additional vulnerabilities on the web server. If you could email me I cold explain what I have tried.

    • Unfortunately, I cannot. That said, if you are still missing vulnerabilities, make sure to follow your attack process completley.

      Perform Information Gathering – see what can be attacked, what is open, etc.
      Enumeration – discover services, applications, possible attack surface.
      Exploitation – once you have some possible attack surfaces, try to exploit them.

      As the first step is a web application, make sure to check the server as well as the application layer for vulnerabilities.

  48. Sebastian

    Hey Doyler,

    I’m a bit stuck on BoF.
    I do have all the info like how many junk bytes, i have jmp esp.
    Seems like I have an issue with hex to ascii and etc
    Could we connect via email? It’s just about python script …
    I would be grateful.

    • Great, if you are able to hit your JMP ESP, then you’re almost there!

      As far as Hex and Ascii are concerned, you should be fine if the JMP ESP is being hit. You’ll want to encode your shellcode the same as everything else: “\x90” etc.

      That said, if Meterpreter payloads aren’t working, think about some other payloads that you might be able to use (non Meterpreter, bind vs reverse, command execution that still gives you access).

      If it is working for you, then it is likely just a payload or bad character issue.

      • Sebastian


        I have managed to reach DMZ.
        And stuck πŸ™‚
        I’m on a box…… just don’t know in what direction I should look……checked a lot of things …
        Any small tiny hint?

        • nessie

          What have you been doing at each system you get a mere access to ?
          Recall it’s a process you conduct whether it be Windows, IOS, Android, *ux …

          Exactly: enumerate enumerate enumerate πŸ™‚

          • I couldn’t have said it better myself! Remember to follow your entire process on every box, during every phase of the engagement.

            Also, don’t forget, like the real world, you might not be always able t compromise/fully compromise every target!

          • Sebastian

            Hey nessie,

            I think I know what I have to do I’m just running in a problem how to reach it, don’t want to spoil too much.
            Is the burp suite required?
            I could explain you a bit more over the email if you don’t mind that?

          • Sebastian

            NEVERMIND GUYS rooted DMZ hahaha i was watching that and i thought i hit the wall πŸ˜› and it was in my face πŸ™‚

            ……so happy !!!

          • Sebastian

            And one more thing to nessie, actually your hint to enumerate enumerate was bad.
            You can enumerate all week but if you don’t know how to reach resources than your enumeration won’t help

        • Mike

          Would appreciate a hint. Bind works in my lab, but not on the exam.

          • Hi Mike,

            If bind isn’t working on a target (any target, not just the one you are working on now), then there are a NUMBER of issues that could be causing it.

            Host based firewalls or intrusion detection/prevention systems, network configuration, etc. That said, you should always try more than one different payload (bind/reverse, meterpreter vs not, command vs C2, etc.) if you are certain that your exploits should be working.

          • Mike

            Hey Doyle,

            I have used bind and reverse shell on several others without issue. I am just having a time on the BoF system. My script with the JMP ESP seems to work on multiple systems within my own PoC; to include “bad characters”. Also, I have tested my connection from the attack system and can communicate with the system prior to launching the script. If you want to PM me, I can go into greater detail.

          • Hi Mike,

            Correct, exactly. If a bind (or reverse) shell doesn’t work on a specific target, then the payload is likely the culprit. Just because you can connect to a box doesn’t mean that a firewall or host based protection isn’t stopping you. In this case, you might want to try some different payload types.

    • Bryan

      Python 3 sends data over the wire in Unicode, which is why you are getting the C2 issue. If you where to rewrite it in a different version of Python (or figure out the differences) it might work better.

    • Mike


      Can we connect via email?

  49. Mike

    Hey Doyler,

    Thanks for the input. I think I have a networking issue at this point. I understand the concept of connecting from my system via another system to a non-routed system, but not sure of the reverse. Would appreciate some guidance, if possible.

  50. jay

    Hello all,

    I am a PTS seeking to take the eCPPT exam soon. How much time is needed for an unemployed student to properly exploit all machines during the test?

    I have done 60 days of OSCP lab time and exploited 15 machines in addition to completing all the coursework. I have also recently passed the CISSP exam. I have CEH, Sec+, and Net+. I have some experience but when it comes to pentesting, I am new but I can exploit machines. In addition to my OSCP notes, I have 35 pages of notes from my PTS studies.

    • Hi Jay,

      It will honestly depend on you, your time, and general skill. That said, there aren’t a ton of machine during the test, and you have a total of 7 days.

      If you knock out all of the material and labs, you should be fine. Just make sure to follow your entire process on every machine that you encounter.

      I was working the entire time, and 7 days was definitely more than enough.

  51. jay

    Thanks alot for the reply. You think I can ask you a question in private?

  52. Jordan

    I have been banging my head against the wall with this BOF, if you could confirm some things so I don’t feel absolutely insane that would awesome…my exam ends Friday around 5pm and I’ve been up until about 2am the last couple nights and then going to work – already took Monday off :/

    So I have two addresses from !mona…are there the two correct addresses? I have a Win7 lab machine that it works on and survives reboots so those are the two I’ve been playing with. I do think it’s odd that it’s the location of the exe itself though. Theres three payloads that work flawlessly against my lab machine, two of which I’ve tried against the vulnerable machine. Will end up trying another one or two tonight.

    Just wondering if there are two addresses mainly I guess, idk.

    • Like many posters before, don’t forget to try different things.

      If you have it working on your test environment, then your JMP is likely correct (assuming you don’t have ASLR on or anything). In that case, it means that your payload is the issue.

      In that case, you’ll want to try different payloads (Meterpreter, non Meterpreter, bind vs reverse, command execution that still gives you access).

      Good luck!

  53. Jordan

    Hi Doyler,

    Thanks for the reply, you’re a saint!

    I ended up getting it at 3am last night, so that’s a win πŸ™‚ Now just the goal machine and then it’s report time.
    It’s funny, the payload that didn’t work on my lab VM was the one that worked and it was kind of a last resort – I just thought hey why not try it, it makes the most sense given the environment. I did read through your other advice but because I was trying more complex payloads I missed the simple one.


  54. Jordan

    Hi again Doyler,
    I’m completely stuck on the DMZ box priv escalation…there’s something interesting running on a localhost port that seems to be suspicious but I haven’t been able to get anything out of it.

    Am I on the right track?


  55. Bryan

    Hey Jordan,

    When doing priv escalation I like to start with the basics and move on from there. Here is a link that I relied on heavily when taking the OSCP.
    Good luck.

  56. John

    Doyler anyway you can email me at if you have a second to talk about the exam.

  57. Oli

    Man, reading through your writeup and all the comments it seems no one had any trouble with the part I’m stuck on! I thought I was going to breeze through it after nailing the BOF.

    I rooted the initial server, got system on the machines in the corporate network that I found and identified the DMZ server along with how I assume we’re meant to connect to it. But I do not have credentials for it! I feel like I must have gone meticulously through every folder on every machine multiple times, found a few files obviously planted there by the eLS admins but nothing containing the right info to take me to the next step. I’ve tried looking for keys in registry, using findstr to search for keywords in all files, using sessiongopher powershell script..

    I’ve been stuck at this point for 3 days now and have 2 days left. Frustrated! I bet I’m missing something right in-front of my face too.

    (Not really asking for a hint as it would be a spoiler, just venting into the ether whilst I wait for inspiration)

    • Haha, yea, seems like a lot of people have issues with the overflow.

      I edited a few things from your post, but not too much.

      That said, if you have figured out how to connect to something, you might want to think about what you’d use to connect to it, and go from there.

  58. Oli

    I managed to get in in the end, boy it was frustrating but when I finally got it.. well that feeling is why we do it all right?

    Took a day off afterwards, now I just need to get this report done and cross my fingers that I didn’t miss any big vulns!

  59. roeland

    Hi Doyler, can you send me an email to discuss something about the eCPPT (need no hint but just have a question which I can’t post here). Thanks!

Leave a Reply

Your email address will not be published. Required fields are marked *


This site uses Akismet to reduce spam. Learn how your comment data is processed.