eCPPT Exam – eLearnSecurity Professional Penetration Tester

I wanted to share my journal and stream of thoughts from my eCPPT exam, and my successes/failures.

eCPPT Exam – Introduction

Now, obviously my memory will be a bit hazy as it has been over three months, and I don’t want to include any exam spoilers, but I will do my best to describe the exam and my process.

The course and exam have been updated a lot since I took it, but I cannot recommend it enough.

Get Your NordVPN Offer Now!

YouTube Version of this Post

If you prefer a video over reading the text, then you can find the YouTube version of this post below.

That said, don’t forget to hit those like and subscribe buttons to help support the blog and channel!

Day 1 – February 14, 2014

I started off the evening with a nice, romantic Valentine’s Day dinner at Taco Bell with 2 close friends.

The exam kicks off at 9:28pm, and I have nothing but my wits, skills, and 6 Sugar Free Amp energy drinks to help me.

I perform a lot of enumeration and understanding of the network and externally facing systems. Some planning, but I’ve never been great about that.

There are also TONS OF SCREENSHOTS (Evernote is my hero).

Day 2 – February 15, 2014

Some progress as of 24 hours and 3 energy drinks in (~144 hours and 3 energy drinks remaining), but too early to tell.

According to the VM timer I spent around 10+ hours in the environment this day, and I didn’t get too burnt out (yet).

Get Your NordVPN Offer Now!

eCPPT Exam Day 3 – February 16, 2014

A bit more progress (and a lot more frustration) as of ~48 hours and 4 energy drinks in, but a lot to go.

Day 5 – February 18, 2014

(no day 4 update)

After ~76 hours and 5 energy drinks (~92 hours and 1 energy drink remaining) I did not make any more progress, other than increased frustrations.

At this point I start to go back over everything both network and lab wise, to try to decide what I might be missing or forgetting.

Additionally, I’m taking screenshots and noting everything down, to prepare for my report.

This is also the point where I start trying to randomly brute force EVERYTHING…not the best solution.

Day 6 – February 19, 2014

~122 hours and 6 energy drinks in (~46 hours and 4 energy drinks (thanks to a friend for the surprise) remain), and I’m making progress again.

Always remember that there are multiple ways to attack something, as well as different payloads…this was something that caused me no shortage of frustration (TRY MORE THAN ONE PAYLOAD NEXT TIME).

“All” that I have left at this point is some custom exploit dev and the DMZ.

Get Your NordVPN Offer Now!

eCPPT Exam Day 6 Night/Day 7 Morning

The custom exploit dev went along without too many hitches, and with a pretty interesting solution. (Shouldn’t be a spoiler) Instead of a more standard payload (was running into issues), my exploit remotely deleted a user, added that user back, made them an administrator, and then enabled RDP.

At this point I have ~18 hours left and nothing but the DMZ left.

Day 7 – February 20, 2014

As of 11am on the seventh day (~146 hours and 7 energy drinks in), I obtained root level access in the DMZ, thus completing the testing part of the exam.

At this point, I just had to perform a bit more information (AND SCREENSHOT) gathering, and verifying that I found every vulnerability on the machines instead of just one.

Then I had 7 days to write the report (had 99 pages of unformatted screenshots and notes at this point).

eCPPT Exam – Reporting

While I don’t have many notes on my report itself, I’ll try to give an understanding of how it went.

I started with 99 pages of screenshots and mostly unsorted/un-formatted notes.

From here I sorted them out, added headers, and began looking at sample Penetration Test reports.

All in all, my report ended up being 50 pages in total including an Executive Summary, Vulnerability report (including remediation steps), and source code Appendix

While writing the report wasn’t that hard with all of my notes, it was still something very new to me, and a valuable experience.

The only real advice I could give on this is to take constant screenshots and notes, make sure you have a format in mind, and don’t wait until the last-minute.

Get Your NordVPN Offer Now!

Results / Follow-up

As of March 7th @ 12:12pm, I received the following e-mail:
“Our instructors at eLearnSecurity want to congratulate with you and award you with the eLearnSecurity Certified Professional Penetration Tester certificate. You are now an eCPPT!”

eCPPT Exam - Gold Logo

eCPPT Exam – Conclusion

I know that this is an older post (that I actually updated in 2016 and 2020), but hopefully it serves as a bit of a diary into my exam experience.

I also recommend that you check-out my eCPPT review for more information.

352 thoughts on “eCPPT Exam – eLearnSecurity Professional Penetration Tester”

  1. Wow! Does the exam actually last 7 days(report writing aside)??That’s a lot more than the OSCP!Could you also tell approx. how many machines did you have to root?

    1. Yup, you get 7 days for the attacking portion and then 7 days more for the reporting portion of the exam.

      Definitely a lot more time than the OSCP, but I believe you’re expected to be a bit more thorough and not just root the box in any way possible.

      There was a website, a few internal machines, and then the machine in the DMZ. Overall, under 10 total machines still.

  2. Hello Doyle, i really enjoy your review about the eCPPT exam, it was really insightful. I will do my exam in the next week and i am study all the material where i considerer i have a little flaws, However i want you to ask you some question about it if is possible of course!

    So if you have time, i will really appreciate it if you can help me to get more insight about this!

    thank you in advance….

    Best regards…

    Alex

    1. Hi Alex,

      Sure, what in particular do you have questions about/how would you like me to contact you?

      Good luck with your exam regardless!

      (Oh, I didn’t delete your comment by the way, I just hadn’t approved it yet)

      Ray

      1. Hello Doyler, Thank you for the response, maybe it’s better if we connect through email! do you like it? and Thank you for the good vibes 🙂 !!

        Best regards…

        Alex

        1. I do, the eCPPT definitely changed my methodology and the way that I think about my penetration tests. It is also a great foot in the door to put on your resume, but more importantly, be able to discuss what you did during interviews etc.

    2. I tried ecppt exam but very badly stuck on system security section. I found the executable/ python files and downloaded them on captured server, where I had already uploaded immunity with mona. The rest should be a piece of cake, found the number of args to reach EIP, practically (immunity and mona pc script did not bring results), then found jmp esp with mona, constructed the entire exploit with reverse tcp payload and set my reverse handler. All fine, routed the exploit to victim machine, but never got a shell. 7 jmp/esp, call esp where returned by mona,all tried, but nothing. I disabled dep, but still nothing. null session did not give me something. Any advice?

      1. If your exploit is working locally, then it might be an issue with your payload. There could be an antivirus or firewall blocking the payload that you are trying. Have you tried more than just the one reverse tcp payload yet? That is most likely the issue.

        1. Good evening again,
          Regarding your last, indeed I insisted a lot, and that costed me in time and fail, no local buffer overflow and exploitation achieved locally; Actually, app seems to go wrong (overflow) but not manage anything more. Though I have found using alternatively python script (foophonescustomersmanager.py) and foo..manager.exe that there should be some kind of customer id policy: only numerical characters, with length up to seven. alphanumerical returned errors on py and exe file showed that was reading up to seven chars from id. Random test, returned two users. So, I wrote a bash script to bruteforce the application, feeding it with possible combinations created with crunch (actually I wrote again my own script instead of using crunch) and take all users data…. but no time left. Then I think I should try this info with net use or any other smb tool to get a connection to shares. Server is vulnerable to null session, but by that only, not much luck. I tried to sniff with wireshark, nothing. Analyzed pcaps, with tshark and bro, still nothing. There should be some other application running on server, although it warns that older web app, not has been set offline. Not clear yet, what I have to do. Now, I am writing my report and waiting for better chances next week. This phase seems very tricky, but I am optimist, if I pass it I will reach the to the end. Thank you.

  3. Thinking about taking this one, it looks really interesting.

    I read on many sites that they give you a lab with an objetive, but archiving that objetive is not the way to pass. So, are you supposed to break any thing?

    1. Hi Charly,

      It was interesting, and definitely enjoyable. As far as the labs are concerned, they are separate from the exam.

      The exam has a necessary, but not sufficient, objective that you need to reach. You still need to perform a full penetration test and report every vulnerability that you find in the network.

      That make sense?

  4. Hi Doyler,

    i just discovered your blog and i want to ask one question, i’m in my third day of my exam and i stuck on exploit development since day two, i,m a little confused and its draving me crazy, do you have some advice to approx it? maybe some resources to learn more and crack that exploit? thank you give you my email gx9293@gmail.com

      1. Hello Doyler thank you for the resources, im into them right know because i fail terrible in te exam ;( my exploit didn’t work and im was not able to compromise any other computer in the corporate network. so i came to you again hopefully you can give me one hint because i am very frustrated.
        i was able to detect the other computer in the corp-network one XP with some smb sharing open services for example IPC% but when i try to connect to digger more info, i can’t, i just simply can access, the computer told me Access denied, so my suspicious are that i can only advance in the exam if successfully write the exploit for the computer listening that service? or i can enter in the corporate network compromising another computer ? because i think i try anything but i can’t enter in any other computer thing it’s the exploit what is driving me crazy.. so if you can tell if there is a other way to enter the corporate network compromising other computer i will very appreciate that, please!!!

        regarding the post, you can delete before you authorize it, and you got my email, just i hope you can have the time to read it.

        thank you Doyler and have a nice day!!

        1. I’m sorry about that, but hopefully those resource help you brush up on your buffer overflows!

          If you are unable to connect with an SMB client for more info, then anonymous access is probably disabled. In that case, you might want to scan for SMB vulnerabilities, to see if you can find any. For example, using NMAP NSE scripts – https://nmap.org/nsedoc/scripts/smb-vuln-cve2009-3103.html (hint: smb-vuln-* will use all available NSE scripts that start with that).

          As far as the buffer overflow is concerned, yes, that is the only way to compromise the machine that is running that application.

          You’re welcome, and good luck.

          1. Hello Doyler,

            thank you for your advice, i try to use NSE but without any successful result, when you use proxy chains NSE scans will not work, i try redirecting the traffic to the specific port i want to connect so in that way a was able to use NSE, however when i try to scan for vulnerabilities the session close because the scan it’s to noisy i think.

            Maybe my routing it’s wrong and i need use something else instead of metasploit?

            thank you Doyler for your advice and happy new year!!!

          2. Yea, you might be able to get the NSE scripts to route through a proxy (I think SSHuttle might work instead).

            But yea, it could just be a routing issue.

            That said, you may be able to scan for the SMB vulnerabilities more manually with SMBclient/exploits through your proxy chains.

  5. Hi Doyler,

    I’m currently doing my eCPPT exam, and I need your help.

    So far I got the highest privilege shell on the web server, but I can’t exploit the DMZ or any machine in the corporate network. I can only scan the corporate machines and identify two Windows hosts. I also found the .exe and .py files hosted on one of the corporate machines, which I know I have to overflow the buffer.

    Do the .exe and .py files have something to do with exploiting the corporate network or are they just there for me to prove they have buffer overflow vulnerabilities?

    I’m completely stuck right now. Please…Point me in the right direction. Give me a hint. Anything.

    Thanks in advance. (Sorry I spoiled a bit so reply to this message to my private email if possible)

    1. Hi Kate,

      You haven’t spoiled too much, but I can edit your comments if you do.

      As far as the .exe and .py are concerned, they are in reference to the buffer overflow that you know you need to exploit. You’ll need to utilize them to write and test your buffer overflow. Once you have it completed, you’ll need to see if you can find a remote version of it listening somewhere…

      Good luck!

      1. Yo Doyler,

        The good news is I proceeded to root two more machines in the corporate network 🙂 The bad news is I’m now completely stuck not knowing how to root the DMZ 🙁 I got one user’s FTP credentials but when I RDP’d in there was nothing in the DMZ server. On top of that it doesn’t respond to port scans so I have no way of fingerprinting it, meaning I can’t run a backdoor on the DMZ server’s behalf. Please Doyler…Guide me.

        Am I supposed to mount password and MitM attacks against the DMZ or something? Oh man am I lost…

        1. Awesome, that’s some good progress at least.

          You definitely don’t need to perform any password or MiTM attacks.

          If you have FTP creds, and you can RDP, then that’s a great start. If you couldn’t actually get RDP to work, then maybe you need to try a different venue. Also make sure to exfiltrate as much information as possible from the machines that you do manage to exploit.

          1. Hi Kate,

            You can reach me at <redacted>. That said, I’m not willing to discuss any spoilers or overt hints, but always glad to help!

  6. HI Man
    Congratulations for your cert.
    I am doing the exam, and I want to ask you some things. I don’t want to spoiler here !
    Can you write to me at my email?

    Thanks a lot

  7. Does ecppt as a required for oscp exam? I failed oscp once i attempted for first time. Should I extend lab and try again ? or should I get ecppt first? Appreciate ur help!

    Thanks in advance,
    – eric

    1. Hi Eric,

      No, the eCPPT isn’t required for the OSCP. That said, I think the eCPPT is definitely a good lead-in for the OSCP. It would depend on how you felt you did in the labs as well as the OSCP exam. If you felt out of your depth entirely, then the eCPPT would probably be a good bet. If you felt that you were close and just need to brush up on a few more things, then extending your lab time and trying again would probably be better.

      Good luck though!

      1. Thanks,

        I only got one box, but it was limited shell. I didn’t gain other boxes in OSCP exam. For labs, I didn’t get any boxes. Now my feeling is like losing my money in spending OSCP. How to do? Can you give me advices, please?

        Regards

        1. wow eric…you actually had the guts to walk into the oscp exam without being able to root any of the lab machines? xD

        2. Hi Eric,

          Haha, yea, I’ll have to go with what Kate said. I got 44/50 boxes in the lab environment before I took my exam.

          If you only got limited shell on one box in the exam, I’d definitely look into the eCPPT or even the eJPT to get started. From there + some self study, you’ll definitely be able to work your way towards the OSCP!

          1. hi doyler,

            haha! yeah . How long does it takes to get eCPPT? Thanks for ur advice. I would pay by installment for ecppt. Because of my budget.

          2. The exam itself is 14 days; 7 days are spent in the virtual environment and then you have 7 days to complete your report. As far as the course itself, it will depend on how quickly you go through the material and the labs.

          3. Yea, I’d start with some self learning as well Eric, to save your money.

            Other than reaching out to Kate, I can recommend the following:

            If you learn better from books, you cannot go wrong with some/all of the following:

            Practice wise, you could also look into the vulnerable VMs or applications such as these:

            I’m personally fairly partial to downloading a random VM off of https://www.vulnhub.com/ and trying to do it without looking at any walkthroughs etc.

            If you might learn better from other people, you can also try your hand at some CTFs with the Reddit OpenToAll team. I have only done two so far, but it is a good group of people that are more concerned with learning and having fun than winning.
            https://www.reddit.com/r/opentoallctfteam

            Other than that, if you learn best from actual guided instruction, than either Cybrary/OpenSecurityTraining, something like Pentester Academy/Security Tube, or more specific instruction such as Corelan’s exploit development series. Which one you pick will largely depend on where you think you are deficient so far though.

        1. Doyler,

          I’m not sure if you read my email, but could you please remove all of my comments on this thread?

          Thanks.

  8. Hi Doyler,

    Great post and well done.

    I appreciate it if you could send me an email to ask you a question.

    Thanks.

  9. Wow! I’ve already taken the eJPT cert and now i am studying to obtain e eCPPT.
    I have to admit i’m going slow with the course but personally i need a lot to re-elaborate things.
    As i work as web developer, the web app part of the couse was much much easier than the system security section. I’m a bit struggling with that, i admit it! Any general tips to understand better the BOF and the shellcoding?
    I hope i can take the exam before october, i can’t wait to have obtain the cert.
    Ps. i’ve discovered this blog 10 minutes ago and i really enjoyed the article and the comments.
    Bye,
    Mapo

    1. Good luck with the eCPPT!

      For the buffer overflow, there are plenty of resources you can take a look at. First, I always recommend going over their examples and reproduce it in the lab. Other than that, here are a few links you can check out.

      Linux – https://www.doyler.net/security-not-included/lasactf-simple-rop
      Linux – https://www.doyler.net/security-not-included/multiple-vulnerabilites-in-gohttp-1-0
      Windows – https://www.doyler.net/security-not-included/easy-rm-to-mp3-converter-2-7-3-buffer-overflow-exploit-tutorial

      External Tutorial – https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/
      External Tutorial – https://www.exploit-db.com/docs/28475.pdf
      External Tutorial – http://www.primalsecurity.net/0x0-exploit-tutorial-buffer-overflow-vanilla-eip-overwrite-2/
      External Tutorial – http://www.securitysift.com/windows-exploit-development-part-2-intro-stack-overflow/

      You do not need to know much/any shellcoding for the eCPPT, so just worry about using publicly available stuff/generating some with metasploit.

      Good luck, and let me know how it goes.

      Thanks for visiting the blog, and hopefully you learn some cool stuff!

  10. Hi Doyler,

    Can I say, great article and really kind of you to respond to everyone’s comments. I’m looking to sit the PTP exam this weekend, not sure I’m ready but thought I’d give it a go. I made notes of all the lab solutions but have’t had time to go through them again and also noted all the important commands from various sections which I’m hoping to use during the exam.

    Any last minute tips before the exam? Would be good to have some useful advice as I’m a little worried I won’t know where to start and then try everything instead of using a structured approach, nerves does that to a person!
    The other concern I have is around the Buffer Overflow, finding it and then creating a script from scratch to talk to an application if this isn’t similar to what we’ve been taught in the labs.

    Looking forward to your wisdom 🙂

    Thanks

    1. Hi Tai,

      I’m always glad to help people, and best of luck with the exam!

      I think just going over everything in the course, this post, and any common questions that people might have (see the comments) would be more than enough.

      Make sure you stick to your workflow as best as possible, and keep good notes.

      The buffer overflow isn’t difficult as long as you follow the steps that the course taught. Additionally, there is a comment here with a TON of resources for more practice if you’d like.

      Good luck again!

      1. Hi Doyler,

        I’ve made some good progress, managed to get through to the end location (don’t want to give too much) but cant seem to find a way to exploit the device.
        I’ve not tackled the buffer overflow as yet, I’m just a little confused as how I’m meant to do it without being able to put the server into immunity and see it overwriting EIP. Any suggestions?
        The labs taught us to use the graphical ftp client application which then connects to a server with malicious payload within a script.

        1. Hi Doyler,

          Thought I’d let you know I managed to root the tricky box and only now leaves me with the Buffer Overflow, will run out of time for that it looks like.

          1. Congrats, and glad to hear that!

            Hopefully you managed to get everything, or at least know what you might be missing for the retake.

            Let me know how it goes.

  11. Hello Doyler,

    Thinking about doing the course soon instead of OSCP, as per recommendation, but a little hesitant with Buffer Overflows. Was wondering, does the Buffer Overflow for the exam require you to overcome SEH, stack canary, ASLR or DEP?

    I’ve historically had problems with overcoming stack canaries in my line of work, so wanted to understand if this was the case. Also, are you tied to a particular programming language or can you use perl, c++?

    Thank You 🙂

    1. Hi Mikey,

      No where near anything for this buffer overflow (or the OSCP to be honest). Both of them are functionally the same:

      Overflow buffer, control EIP, find JMP, make simple JMP to shellcode, win.

      The OSCE is going to be the first course offered by either that will start with any of those topics.

      As far as languages are concerned, you aren’t constrained to any. A lot of the examples will be in Python or C depending on relevance, but anything you write (or use) can be in the language of your choice.

      1. Thanks Doyler!

        A little less scared now! I’m assuming you have a suitable machine without security parameters, such as XP (based on some stuff I’ve read) to run the exploit from or are you expected to do this in Kali? I’ve obviously only practised this on Windows XP to date (old PTB course) and not Linux.

        I’ll try and read up as much as I can, probably wait for a voucher or discount first 🙂

        Thanks

        1. I do have an XP machine that I use for some exploit development, but you do not need it for the course.

          You’ll be provided with the VM and appropriate vulnerable software in both the lab, as well as the exam, environment.

          Good luck, and let me know how it goes!

  12. Hello Doyler,

    thanks in advance for your feedback, I already comprise web server and 3 machine on the network including dev exp, i have ftp for dmz but I got stuck on this can you give any hint,
    and should I comprise all the machine on the network.

    1. Hi John,

      I’m sorry that I can’t give you any hints, but good luck with the machine!

      You should try to compromise every machine in the network that you find, but your goal is to find every vulnerability. If you can’t get a partial, or even full compromise, then that doesn’t necessarily mean that you missed something.

  13. Hey there Doyler,

    I’ve been through OSCP & OSCE. I’m actually thinking about getting a 4 in the Box @ eLearnSecurity. Targets are eCPPT, eCRE, eNDP & eWPTX.

    Do you think this makes sense, or will i be bored?

    Thanks

    1. Hey Mokaz,

      Awesome, and grats on your OSCE! I’m hoping to have mine done by the end of this year myself.

      I love the 4 in a Box, though I’ve never taken the eNDP personally.

      eCPPT – you’ll probably be bored a little to be honest, as it is VERY similar to the OSCP. That said, if you see anything in the syllabus that you don’t know, it might be ok. Your other options for this slot would be another defensive course, eMAPT, or even eWPT.

      eCRE – I haven’t finished yet, but it should still be plenty useful and fun.

      eWPTX – you won’t be bored at all, a great course.

      1. Thanks a lot Doyler, i think i’ll give a go the 4 in the box.
        I’ll keep you posted, any chances to find you on IRC or such?

        Cheers,
        m.

      1. Thanks!

        For anyone else sitting it, down be overly stressed about the BO, providing you are familiar with the content in the lab, it will not be too different in the exam. I tackled the BO towards the end once everything became clear.

  14. Hey Doyler,

    Looking to get your opinion on a couple things, but not looking for answers or anything of the sort. More informational if you’re able to help.

    E-mail if you get a chance,

    Thanks!

  15. Hi Doyler,
    I’m on my ecppt right now.
    I’ve successfully exploited [sensitive information removed], but i’m stuck with other hosts [sensitive information removed]…i’ve nmapped them to know how service run on them and tried common vuln with metasploit but with no result…can you tell me where is my fail?

    P.s. above you said you used “more than one payload”, i tried more different payload but with no result.
    Thank you in advance!

    1. Hi Susan,

      First, I’ve removed any spoilers from your comment as to not spoil it for others. Remember, this is a penetration test, so your job is to find as many vulnerabilities as possible and then report it to the client, that’s it.

      As far as the “more than one payload” is concerned, if a different payload didn’t work, then you might be fine.

      Good luck!

  16. waqas ahmed farooqi

    Hello Doyler
    Seen your posts, loved your supporting attitude.
    Hope you will be fine. I am an information security professional and currently interested in E-Learning Security ECPPT certification. I need some help so please answer me the following questions.

    1. ECPPT paper will be given from home?
    2. After how much time of ECPPT registration paper must be given?
    1. Hi, glad you enjoy my posts, and hopefully I can help!

      You take the eCPPT exam from home, using the same VPN connectivity you use for the lab environments. There is no paper per-se, but a penetration engagement followed by the report.

      That depends on which version of the course you sign up for. The Barebone edition doesn’t have an exam, the Full gives you 180 days to complete the course from the day you begin, and there is no time limit for the Elite version.

      1. waqas ahmed farooqi

        Thanks a lot for your response, so nice of you brother. If possible please share some resources which will help in the preparation of eCPPT certification.

        1. Other than the course materials, you don’t really need anything in preparation of the course or exam.

          That said, if you struggle or think you will struggle with the buffer overflow, then the above comments should have everything you’ll need!

          Let me know when you sign up, and how it goes.

  17. Hey Doyler,

    Thank you so much for the review! I’m currently taking the course, and it’s always fun to read reviews of the course and exam. Do you have tips (without spoiling anything) to review or be a be sure to know for the exam? The labs that they provide are pretty good, but I’m probably overthinking that the exam is going to be 4x hard then the labs.

    1. Other than maybe a few of the links in the comments above, you should be good!

      The course material covers everything in the exam, you just need to make sure that you understand what you’re doing.

      Follow your process (Information Gather -> Enumerate -> Exploit -> Post Exploitation -> Information Gather), document everything, and you’ll be good to go.

      That + make sure you understand how to do a basic stack-based buffer overflow.

      1. Hi Doyler,

        I got the email I passed the eCPPT exam! After two weeks of being a little worried are finally over.

        I wanted to come back and say thank you for the review, and honestly I went through same emotions as you each day… So it was pretty cool to see each day making progress or being completely stuck.

        My next certification I’ll be doing is OSCP, and I’m pretty scared about this one; due to the rumors and intimidation. Did you do eCPPT before OSCP? Through the exam and labs in eCPPT, majority of the tool using was Metasploit. I feel like I’ll be re-learning everything again, but doing everything manually. How did you overcome that?

        1. Congratulations! It’s a great feeling seeing that you finally passed and that it is over.

          You’re welcome, and I’m so glad that it actually helped and/or motivated you. The progress is fun, except when you think you’re completely stuck.

          Awesome, and that’s definitely a great one. I did do my eCPPT before my OSCP. Go into OSCP and expect to learn a lot of things new, don’t try to cut corners because you finished your eCPPT. Also, whenever possible, don’t use Metasploit at all. In the end I think I only used it for 3-4 lab machines and 1 exam machine.

          Let me know how it goes, and feel free to read my reviews/notes/ideas on it here as well!

  18. Thanks for the write-up,

    I recall reading some of your other posts as well in the past.
    Stumbled upon this one whilst being stuck at my expoit dev for the eCCPT and fancied reading some horror stories in a desperate attempt to cool down. It’s not working 🙂

    Could you reach me by mail please? I think I just need another point of view on the matter that might get me back on track ..
    Thank you in advance,
    Kindest,
    Björn

    1. You’re welcome, and hopefully it’s able to help!

      Yea, the exploit dev is super straightforward if you just follow the steps in the course. That said, you can also look over some of the other links in the comments for more write-ups or practices.

      How did it end up going in the end though?

      1. Hi,
        well, finally managed to find the vulnerability and create an exploit.
        However, just got the result in and I failed.
        I know there’s one part from the course I didn’t use and that might be the one that was lacking to get the full result. I’ll look into that part before reading the comments on my report since I’m short in time for the next days and I’d miss valuable time in the lab ..

        1. That’s good at least!

          I’m sorry you failed, but hopefully you are able to figure out where you were lacking and finish it up next attempt.

          Understandable, but definitely read the comments on your report. They are usually short and sweet, and will definitely help you focus your efforts in the lab.

          1. Hi,
            the comments indeed were indicative of what I was lacking. Fortunately enough not that much 🙂 so got a positive note a couple of days later.

            Kindest

  19. Hello Raymond Doyle, my name is Rafael, I’m following your blog about security certifications, I’m doing eCPPT, I’m lost in the first phase of the test, I can not identify the way to go through the initial site, can you give me any tips?

    1. Hi Rafael,

      If you are stuck on the first part, then make sure you are going through all of your proper steps.

      Perform Information Gathering – see what can be attacked, what is open, etc.
      Enumeration – discover services, applications, possible attack surface.
      Exploitation – once you have some possible attack surfaces, try to exploit them.

      As the first step is a web application, make sure to check the server as well as the application layer for vulnerabilities.

        1. Hi,

          I do not want to give spoilers over email or the blog. If you think that you are stuck, make sure to go over each of the important steps, and don’t forget to check every possible vector.

          1. Hi Doyler,
            i’m currently stuck from yesterday in the ecppt exam environment.
            May i ask to you some questions via email?

            Thanks
            M

            Update: im missing just the dmz root. Can you help me?

  20. Hi doyler,

    i have some question regarding BOF. Can i contact you for some direction?

    Thanks and deeply appreciated.

    1. Hi,

      I won’t be able to help you with the BoF, but if you follow all of the steps in the course material it will be super simple.

      That said, there are also a few links in the comments section here if you want to read or practice some more.

      Good luck!

      1. Hi doyler,

        Thanks for the reply. I’,m aware that i will need to obtain the source code in order to perform the BOF. Generally i have no much problem in doing BOF as i tried on few vulnerable applications and have successful attempts. Right now, is more like i have problem getting the vulnerable application from the machine in order to debug. I have some credentials gotten from some of the machines *trying not to disclose too much info* and successful use it gain access into the corporate network. Rest of the credentials does not seems to work on the smb shares. Do I have to brute force my way through or do some hash cracking from the previous machines ? Really appreciate if you can shed some lights.

        1. You actually don’t necessarily NEED the source code to perform the buffer overflow. Having the executable itself is more important, so that you can attach a debugger to it.

          If you need to get the vulnerable application itself, maybe you need to get it from a different machine than the one you need to exploit it on…

  21. curious.
    In the BOF ftpclient course materials we are given an ‘ftp.py’ and an ‘ftp.exe’ client. You are able to connect the client to the python ftp server using the localhost address. This allows you to test and send your payload to the ‘ftp.exe’ client in order to find and test offset, eip, jmp esp, shellcode. Pretty straight forward and easy

    Is this method of testing possible for the ‘c.exe’ & ‘c.py’? I am having trouble trying to figure out how to go about testing from ‘c.py’ to ‘c.exe’ , Do I stick to modifying the py in order to send my payload to the exe? and is the exe suppose to communicate to the py in order to test, similar to the ftpclient32 scenario in the course material?

    thanks! and please redact anything unnecessary. I tried to be crypted as possible.

    1. Hi Chris,

      The only thing I did was slightly rename your files, but you aren’t being too spoiler heavy.

      That said, you can perform the exact same manner of testing in the Exam as you did in the lab. You just need to modify the payload to send wherever your EXE is listening, and attach a debugger to it. The exe may or may not communicate back, but that is largely irrelevant as long as you are able to crash it.

      Good luck!

  22. Thanks Doyler for the reply. I think I am going about this wrong. As I analyze both files mentioned earlier, the both do the same thing as in communicate to the same destination ip and port. In order to get an EIP you need to load the target application you are trying to crash and in this case, I am not even there yet as I don’t have access to the host running the destination app. Is this correct?

    1. Hi Chris,

      Yea, you are going about it slightly wrong. If you were going to try and find a vulnerability in Apache, you wouldn’t just start attacking google.com and hoping to get access to it. You’d download the executable yourself first, and attach the debugger locally.

      You need to do the same in this case, only the executable cannot just be downloaded from the internet. In that case, you need to find it on a different host than the one you are trying to exploit.

      Good luck!

      1. I am on my second attempt now. I was able to find the needed files to do the crashing and testing within Immunity Debugger. I was able to load a calc.exe like in the course. I am now working on the shellcode. I guess I am getting stuck on the payload to send. I thought that would be the easiest part but, I am at the WTF point lol

        1. Awesome, that’s good! It should be fairly easy, but make sure the shellcode works before you send it + there are no bad characters.

          Sending it should just be as “simple” as modifying the included Python script.

          Good luck!

    1. Hi,

      I do not want to give spoilers over email or the blog. If you think that you are stuck, make sure to go over each of the important steps, and don’t forget to check every possible vector.

      If there is something generic that I can help with, then please let me know!

        1. Hi,

          I do not want to give spoilers over email or the blog. If you think that you are stuck, make sure to go over each of the important steps, and don’t forget to check every possible vector.

          If there is something generic that I can help with, then please let me know!

  23. Hey Doyer thanks for the reply. Yeah I got everything in place even the python script to send the payload. I am able to get a calc to pop up, but I am using msfvenom to create the shellcode with no bad characters, however I cannot get it to work on my test machine. I was able to get some “shellcode” examples off the interwebs and a few work where I was able to add a user and add to admin group but as you know, I need to add a little extra and those examples online are static set in stone and you cannot modify them as its a copy and paste job. I don’t want to ruin the exam here. But yeah msfvenom is pissing me off as I don’t think its working.

    If you are not too busy and I know you get this a lot but if you available through email that would be cool. If not its ok brotha no worries. I don’t have twitter etc.

    1. What I would recommend you to do chris
      – set up an environment mimicking the target you have at hand
      – looks like you have everything you need, so run whatever you need to run in that environment
      – create your shellcode that you want, I can assure you, msfvenom did what it was supposed to
      – focus on what you want to achieve with your shellcode, I find it hard to imagine you want to have calc popping up on the target 😉
      – be sure you have the right bad characters omitted, no need to overcomplicate and define half of the characterset as bad …
      – in relation to the above and the ‘push’ of your shellcode to your target: be wary of how python 3 and 2 function .. I kind of lost a couple of days to figure that out

      1. Hey Nessie, thanks for the reply. Like you mentioned I have my testing environment both local to my machine and on the user network. As far as the “bad” characters, those N… are taken care of. And obviously the calc was just to test that my offset,jmp are working on XP, and it works fine, I know I have the correct off and jmp esp call. The problem is when I generate anything on mfsvenom be it “regular conn payloads” or “other” payloads to perform of local tasks. Adding it to the python script is easy too, but I hit send and nothing lol

        Perhaps I am running into the python 2 v 3 thing. I have been using Python2. Going to give P3 a shot. Do you have articles or further studies I can check out that will help me with this whole python2 vs 3 issue? I am coming across some stuff about bytearray vs bytes.

        You are right, msfvenom is doing its job. I was using a traditional online HEX to ASCII editor and comparing the values of a simple input between the two. I was getting the same HEX values so that showed me things were fine with msfvenom.

        I have lost 3 days now. Ok I am off to test.

        1. No worries chris,
          If you’re on 2, that should be fine .. I ran into trouble because I started off with 3 .. it’s indeed a ‘bytes’ thing 😉
          Yet I still wonder what kind of payload you want to execute on the target .. I believe there’s a kind you’re overlooking when I read ‘perform local tasks’ and ‘regular conn payload’ .. don’t look too far ..

          1. Gotcha, thanks Nessie. I went back to v2 as I spend the day researching the incidents people were having having when v3 encoded their shellcodes to strings instead of bytes. I even went to the PTS course in the Python module to verify if that was covered lol

            You wouldn’t happened to have an article, tutorial, or even the slides from the PTP course that I can research that will point me to the proper payload? I guess I am having a bit of a stump here.

            Thanks for your help 🙂

          2. just rooted .55 OMG!!!!!!!!!!!

            This whole time!!!!! in my face!!!!!

            More than one way to skin a CAT and I think I had the space time stone (Avengers) and tried all 14 milliion ways like Dr Strange, instead of the simplest method which nailed me root access.

            Ok DMZ is left and I have 2 days left to go! I got this!

            I start PWK/OSCP June 2nd too lol!

            thanks Nessie & Doyler!

          3. GAME OVER!!!!! I just rooted DMZ!

            Wow what a mission fellas! Now its time to redo my report. I was told I wrote an attack narrative and I need to fix it lol. DOH! I will spend some hours tonight and all day tomorrow to write it. Its due Monday morning, so I have time. Do you guys have any recommended reports I should look at to get an idea of the proper way to write it?

            On another note, I just got my PWK course pdf and videos. Hopefully things go well and I can complete OSCP in September that way I can jump straight into CTP/OSCE.

          4. Congratulations Chris!

            Sorry I wasn’t on this weekend, but looks like it went pretty well.

            Haha, yea. This was supposed to be a “pentest” for a client, so you have to send in an actual report.

            I sort of made my own, but there are some great examples here.

            That said, always remember to try different payloads if one doesn’t seem to be working for some reason! (Which I’m guessing you did).

            Good luck with the OSCP, as that is definitely a challenge. I’ll start my OSCE pretty soon here as well.

          5. Thanks Doyler! I just got my email today that I am eCPPT certified. So glad I went through the eCPPT and got my butt kicked there. I learned so much and I am sure this journey will help me on my new OSCP journey. I appreciate your help and I will be following your OSCE journey and coming back to lookup your OSCP journey as well.

  24. Hey doyler, congratulations!

    Like most, I am completely stuck on the BOF. I have popped calc.exe, have the correct jmp address and all of that but finding the right payload is costing me so much time.

    -omitted bad characters
    -Utilizing NOP sled
    -Have tried windows,linux, and php reverse and bind payloads
    -using msf listener, running script locally
    -tried attacking the obvious server/port but tried additional IPs and ports.

    Yeah I have no idea!!

    RIP

    1. Hi Bean,

      Thanks!

      Understandable, and I think a lot of people get stuck here.

      First, you don’t want to try different OS payloads, as that will waste a ton of time. That said, if Meterpreter payloads aren’t working, think about some other payloads that you might be able to use (non Meterpreter, bind vs reverse, command execution that still gives you access).

      If it is working for you, then it is likely just a payload or bad character issue.

      Good luck!

  25. Doyler,

    Thanks so much for taking the time to share your experiences with us. I started off in OSCP and managed to root a dozen boxes in the OSCP lab, but stumbled on eLearnSecurity’s eJPT and eCPPT certifications (and their respective courses). I ended up focusing my time on eJPT, which I earned recently, and decided to invest my time in eCPPT before I go back into OSCP.

    I plan on taking the exam in about a month. In your opinion, what are the subjects that current and future students should focus on? The coursework has a lot of material in it and I was hoping you can help me focus my time and efforts a little bit.

    1. Thanks, and glad to share my experience and knowledge!

      eJPT -> eCPPT -> OSCP is a great progression if you have the time (and money), but not the experience.

      As far as the eCPPT is concerned, the course material has everything you need. That said, if you don’t understand the basics of a buffer overflow attack, you should brush up on those. As you can see from this comments section, there are quite a few people who got stuck at that point.

      The material will walk you through the steps, and you just need to follow them exactly though!

      In the meantime, let me know if you run across any other topics or concepts that you find confusing. Good luck!

  26. Doyler,

    Thank you very much for sharing your experience with the exam. May I ask if shellcoding-knowledge is of importance for this exam? If I have the tools and knowledge to discover bufferoverflows, would I be able to get by utilizing payloads from MSFvenom after discovering the correct offset and JMP/CALL address?

    1. Hey Patrick,

      You will actually need 0 knowledge of shellcode or shellcoding for the exam. As long as you can follow the buffer overflow steps, you will be fine.

      That said, don’t forget to check for bad characters, or try different payloads if one SHOULD be working!

  27. Hey Doyle,
    Started the eCPPT exam. already have system on the webserver. Having difficulty getting any further. keeping it to a minimal, i was expecting traffic from corporate IP’s to visit either of the sites where i have shell waiting, but its been a full 24hrs and not a single visitor. Am i knocking on the wrong door?
    Any hints to proceed. simple what i should be looking for.

  28. Doyler,

    First off, thank you for sharing your experience. I am currently doing the ECPPT and am having a rough go at the webserver. Any pointers you could give would be greatly appreciated. If its easier please dont hesitate to email me. Thanks.

      1. Doyler,

        So here is my predicament. I have no issue with building a buffer overflow exploit from a proof of concept (did it under an hour for my OSCP). However I normally have a service to attach my debugger to. I have the .exe and .py files from the one place but cannot locate the service. Is it located on the server that was captured or am I supposed to download it from a different one? Or do I have everything that I need and Im just not seeing it? Dont want any answers just a tip to point me in the right direction. Thanks

  29. I dont want to give anything away but if that was the case I would not be having any issue. I got both the .exe and the .py from the same place. I could go into more detail through email.

    1. I already know what you are referring to, and my answer from before is still the same. If you have an .exe and a .py then you have the server/service, and you have the client.

  30. Ok so Im on my last day and the few hours. I have found an oddly named .exe file on a Win7 box, but when trying run it I get gobbledygook.exe is not a valid Win32 application. I have tryed running it on every compatability mode on the server that I found it on as well as other servers (mine and theirs) but I get the same error every time. Am I waisting my time with this thing?

    1. If you don’t think the application is that useful, then you probably don’t have to do anything with it. Remember that this isn’t a reverse engineering course or anything like that!

      1. I was under the impression that that was the service to help me write the buffer overflow. Damn I’m at a loss where to find the buffer overflow then.

  31. doyler, congrats on the pass and the info. Like many others, I am down to the BOF and DMZ. I have the BOF working locally, but not in the exam. Would appreciate a quick email to provide more detail of what I am seeing.

    1. Thanks Mike, and glad to help!

      As far as the BoF is concerned, verify once more that it’s working locally. If it is, then there is likely a problem with your payload. In that case, you’ll want to re-verify bad characters, try other payloads (bind vs reverse and vice versa), as well as different TYPES of payloads (meterpreter vs cmd, etc.).

      As far as the DMZ is concerned, keep going at it!

      1. Doyler,

        Im trying to get the BoF but I dont recall there being a bad characters section outside of the null byte. I am trying to apply the way that I learned in the OSCP but it not even close to being similar. Also when tying to track down the JMP instruction the only instruction not protected by safeSEH is an .exe with a null byte in the address. Any pointers?

  32. Hi Doyler and others,

    I’m almost down to the BOF and DMZ too. I have a question that is bugging me…I add the static routes on the Web server for DMZ and one for Corp and got the boxes for Corp responding. But DMZ shows nothing up and have tried all manner of nmap scans to compensate. Do I need to add the whole /23 as one entry? The provided map shows I don’t need to double pivot to get to DMZ. Perhaps some broad guidance? Thanks!

    1. Hi John,

      What do you mean when you say you added static routes? You will need to discover hosts from more machines than just the initial foothold, I can definitely tell you that.

    1. John,

      Because they are in different networks Nmap will not work the same way as if you had direct access. I would advise using one of the meterpreter scanning modules or netcat in conjunction with proxychanes. Vary disappointed that the course material didn’t do a better job at covering pivoting.

      1. There is a bit on Proxychains, but I agree that it could have been more in-depth. That said, it would have been nice had it covered the “easier” options like meterpreter autoroute etc.

  33. Hey Doyler,

    I am having trouble find the additional vulnerabilities on the web server. If you could email me I cold explain what I have tried.

    1. Unfortunately, I cannot. That said, if you are still missing vulnerabilities, make sure to follow your attack process completley.

      Perform Information Gathering – see what can be attacked, what is open, etc.
      Enumeration – discover services, applications, possible attack surface.
      Exploitation – once you have some possible attack surfaces, try to exploit them.

      As the first step is a web application, make sure to check the server as well as the application layer for vulnerabilities.

  34. Hey Doyler,

    I’m a bit stuck on BoF.
    I do have all the info like how many junk bytes, i have jmp esp.
    Seems like I have an issue with hex to ascii and etc
    Could we connect via email? It’s just about python script …
    I would be grateful.
    Thx

    1. Great, if you are able to hit your JMP ESP, then you’re almost there!

      As far as Hex and Ascii are concerned, you should be fine if the JMP ESP is being hit. You’ll want to encode your shellcode the same as everything else: “\x90” etc.

      That said, if Meterpreter payloads aren’t working, think about some other payloads that you might be able to use (non Meterpreter, bind vs reverse, command execution that still gives you access).

      If it is working for you, then it is likely just a payload or bad character issue.

      1. Hey,

        I have managed to reach DMZ.
        And stuck 🙂
        I’m on a box…… just don’t know in what direction I should look……checked a lot of things …
        Any small tiny hint?

        1. What have you been doing at each system you get a mere access to ?
          Recall it’s a process you conduct whether it be Windows, IOS, Android, *ux …

          Exactly: enumerate enumerate enumerate 🙂

          1. I couldn’t have said it better myself! Remember to follow your entire process on every box, during every phase of the engagement.

            Also, don’t forget, like the real world, you might not be always able t compromise/fully compromise every target!

          2. Hey nessie,

            I think I know what I have to do I’m just running in a problem how to reach it, don’t want to spoil too much.
            Is the burp suite required?
            I could explain you a bit more over the email if you don’t mind that?

          3. NEVERMIND GUYS rooted DMZ hahaha i was watching that and i thought i hit the wall 😛 and it was in my face 🙂

            ……so happy !!!

          4. And one more thing to nessie, actually your hint to enumerate enumerate was bad.
            You can enumerate all week but if you don’t know how to reach resources than your enumeration won’t help

          1. Hi Mike,

            If bind isn’t working on a target (any target, not just the one you are working on now), then there are a NUMBER of issues that could be causing it.

            Host based firewalls or intrusion detection/prevention systems, network configuration, etc. That said, you should always try more than one different payload (bind/reverse, meterpreter vs not, command vs C2, etc.) if you are certain that your exploits should be working.

          2. Hey Doyle,

            I have used bind and reverse shell on several others without issue. I am just having a time on the BoF system. My script with the JMP ESP seems to work on multiple systems within my own PoC; to include “bad characters”. Also, I have tested my connection from the attack system and can communicate with the system prior to launching the script. If you want to PM me, I can go into greater detail.

          3. Hi Mike,

            Correct, exactly. If a bind (or reverse) shell doesn’t work on a specific target, then the payload is likely the culprit. Just because you can connect to a box doesn’t mean that a firewall or host based protection isn’t stopping you. In this case, you might want to try some different payload types.

    2. Python 3 sends data over the wire in Unicode, which is why you are getting the C2 issue. If you where to rewrite it in a different version of Python (or figure out the differences) it might work better.

  35. Hey Doyler,

    Thanks for the input. I think I have a networking issue at this point. I understand the concept of connecting from my system via another system to a non-routed system, but not sure of the reverse. Would appreciate some guidance, if possible.

  36. Hello all,

    I am a PTS seeking to take the eCPPT exam soon. How much time is needed for an unemployed student to properly exploit all machines during the test?

    I have done 60 days of OSCP lab time and exploited 15 machines in addition to completing all the coursework. I have also recently passed the CISSP exam. I have CEH, Sec+, and Net+. I have some experience but when it comes to pentesting, I am new but I can exploit machines. In addition to my OSCP notes, I have 35 pages of notes from my PTS studies.

    1. Hi Jay,

      It will honestly depend on you, your time, and general skill. That said, there aren’t a ton of machine during the test, and you have a total of 7 days.

      If you knock out all of the material and labs, you should be fine. Just make sure to follow your entire process on every machine that you encounter.

      I was working the entire time, and 7 days was definitely more than enough.

  37. I have been banging my head against the wall with this BOF, if you could confirm some things so I don’t feel absolutely insane that would awesome…my exam ends Friday around 5pm and I’ve been up until about 2am the last couple nights and then going to work – already took Monday off :/

    So I have two addresses from !mona…are there the two correct addresses? I have a Win7 lab machine that it works on and survives reboots so those are the two I’ve been playing with. I do think it’s odd that it’s the location of the exe itself though. Theres three payloads that work flawlessly against my lab machine, two of which I’ve tried against the vulnerable machine. Will end up trying another one or two tonight.

    Just wondering if there are two addresses mainly I guess, idk.

    1. Like many posters before, don’t forget to try different things.

      If you have it working on your test environment, then your JMP is likely correct (assuming you don’t have ASLR on or anything). In that case, it means that your payload is the issue.

      In that case, you’ll want to try different payloads (Meterpreter, non Meterpreter, bind vs reverse, command execution that still gives you access).

      Good luck!

  38. Hi Doyler,

    Thanks for the reply, you’re a saint!

    I ended up getting it at 3am last night, so that’s a win 🙂 Now just the goal machine and then it’s report time.
    It’s funny, the payload that didn’t work on my lab VM was the one that worked and it was kind of a last resort – I just thought hey why not try it, it makes the most sense given the environment. I did read through your other advice but because I was trying more complex payloads I missed the simple one.

    Cheers

  39. Hi again Doyler,
    I’m completely stuck on the DMZ box priv escalation…there’s something interesting running on a localhost port that seems to be suspicious but I haven’t been able to get anything out of it.

    Am I on the right track?

    Thanks!

          1. You’ll need to remember to follow all of your steps if you’re having trouble finding server/services or exploiting them!

            Make sure you are going through all of your proper steps.

            Perform Information Gathering – see what can be attacked, what is open, etc.
            Enumeration – discover services, applications, possible attack surface.
            Exploitation – once you have some possible attack surfaces, try to exploit them.
            Post Exploitation – more information gathering etc. on the local host.

  40. Man, reading through your writeup and all the comments it seems no one had any trouble with the part I’m stuck on! I thought I was going to breeze through it after nailing the BOF.

    I rooted the initial server, got system on the machines in the corporate network that I found and identified the DMZ server along with how I assume we’re meant to connect to it. But I do not have credentials for it! I feel like I must have gone meticulously through every folder on every machine multiple times, found a few files obviously planted there by the eLS admins but nothing containing the right info to take me to the next step. I’ve tried looking for keys in registry, using findstr to search for keywords in all files, using sessiongopher powershell script..

    I’ve been stuck at this point for 3 days now and have 2 days left. Frustrated! I bet I’m missing something right in-front of my face too.

    (Not really asking for a hint as it would be a spoiler, just venting into the ether whilst I wait for inspiration)

    1. Haha, yea, seems like a lot of people have issues with the overflow.

      I edited a few things from your post, but not too much.

      That said, if you have figured out how to connect to something, you might want to think about what you’d use to connect to it, and go from there.

      1. I found the credentials <redacted> but also not working . Do i need to find vulnerbilty to enter or find another key ?

  41. I managed to get in in the end, boy it was frustrating but when I finally got it.. well that feeling is why we do it all right?

    Took a day off afterwards, now I just need to get this report done and cross my fingers that I didn’t miss any big vulns!

  42. Hi Doyler, can you send me an email to discuss something about the eCPPT (need no hint but just have a question which I can’t post here). Thanks!

  43. Congrats on clearing the exam bro.

    I am doing the exam now i have been stuck in BoF part for the past 2 days and still one more day to go, I am getting the shell session on the Test Environment, but when i send the same in the exam it doesn’t work , tried different payloads and removed the bad chars, yet didn’t get through, i am using ruby instead on python.

    what am i doing wrong? can you send me your email to discuss. thanks

    1. Hi Yati,

      Thanks, and it was a fun one.

      As far as the BoF is concerned, verify once more that it’s working locally. If it is, then there is likely a problem with your payload. In that case, you’ll want to re-verify bad characters, try other payloads (bind vs reverse and vice versa), as well as different TYPES of payloads (meterpreter vs cmd, etc.).

      If it’s working locally, but not on the target, then think about what might be stopping it. There are firewalls (port bindings or port connections), AV etc. (blocking meterpreter but not reverse_shell), and general bad characters.

      Also, I recommend using the provided Python script, unless you are certain that your Ruby script is working locally.

  44. I don’t want to put too much detail in, so i don’t spoil anything but i’ve compromised a host (found a couple others too), enumerated the hell out of it, found some references to files on a web server but cannot get to them, cannot get rdp access, and cannot access any additional shares. I’m getting to the paralysis by analysis point and don’t know which machine to focus on. Any hints would be appreciated.

    1. Hi Greg,

      Based on the filenames, those are likely related to the buffer overflow portion of the exam (which is basically public knowledge). At this point, I would try and find those files, or get access to them. Once you do, you should be able to work on that exploit as well!

      1. Thanks Doyler,

        Do you mind sending me an email to follow up on this question? I don’t want to put spoiler details here but I think some additional information would help clarify what I was saying.

  45. Hi Doyler,

    I had one question… I’m doing eCPPT right now and I was wondering if you need the sniffing & MiTM part (Wireshark, etc) for the exam.

    eLearnSec says that WiFi hacking is not required for the exam, but I couldn’t find out if the sniffing & MiTM lesson (Network Security) is part of the exam.

    Thank you very much for answering everybody’s questions on your website 🙂

    Tim

    1. Hi Tim,

      You will not need to perform any wireless attacks, but there might be network attacks on the exam! That said, everything is fairly straightforward as long as you go through the material.

      You’re welcome, and glad to help!

        1. Unfortunately, I can’t give you any additional advice other than what is already covered in this post/comments.

          You’ll need to remember to follow all of your steps if you’re having trouble finding servers/services or exploiting them!

          Perform Information Gathering – see what can be attacked, what is open, etc.
          Enumeration – discover services, applications, possible attack surface.
          Exploitation – once you have some possible attack surfaces, try to exploit them.
          Post Exploitation – more information gathering etc. on the local host.

  46. Hi Doyler,

    I’m a newbie to the Pentest field. Although I have 12+ years of experience in InfoSec, with a CISSP, I have nada knowledge in scripting/pentesting. I plan on enrolling in eJPT followed by eCPPT. There are ton of videos in Udemy and other websites that talk about into to ethical hacking from scratch to intermediate. They all last for several hours. Would you recommend I reviewing those, rather than focusing my efforts on just the material provided by elearning for eJPT and ECPPT?
    Also, is eJPT a pre-requisite for eCPPT?

    1. Hi Jason,

      Awesome, and best of luck with getting into pentesting!

      I think if you’ve already started/plan on starting the eJPT, then that’s sufficient for now. The eJPT isn’t a pre-requisite, but it can definitely help if you have zero experience. That said, I went straight for the eCPPT.

  47. Hi All,

    able to give tips on whether proxy chain is needed?

    autorouted from the webserver used pingsweep and found 2 host but cant nmap them.all is denied.

    1. You will need to use proxychains in any situation where you want to route from one network to another.

      That said, if you can connect to/see an additional host, then it never hurts to attempt to connect to it from a previously compromised host.

      1. Hi! I’m stuck in BOF. I receive a error reset socket connection when I overflow the input with exactly offset but in the immunity debugger, the client “.exe” doesn’t overflow and it cannot be possible for generate a crash and perform an payload’s injection. Can anybody help me?
        I am testing with .exe and py locally and remotely (always with the clients).

        Thanks

        1. If you are using the offset, then you need to make sure you are overwriting EIP.

          Also, if there is an “exe” you are debugging, then it is likely a server and not a client.

          Make sure to follow all of the steps in the material!

  48. Hi doyler. I am stuck in BOF. I don’t understand how can i debug (immunity debugger) a client exe. Should I create a a py receiver program for client communication?

    1. Hi Nick,

      If you have an EXE, it’s more than likely the server, similar to the course material. In that case, you want to debug the server that you’re trying to crash. You can create a Python client though.

      Good luck!

      1. Thanks!

        I can root BOF box and one more machine in the corporate network!. Now I am stuck on how i can access inside DMZ network.

          1. Make sure you are going through all of your proper steps.

            Perform Information Gathering – see what can be attacked, what is open, etc.
            Enumeration – discover services, applications, possible attack surface.
            Exploitation – once you have some possible attack surfaces, try to exploit them.

  49. the bof server contains an exe. but no python scripts found even when using meterpreter search function? only a c++

    Another question is if i pu t immunity debugger on my kali and extract the exe out there shouldnt be any issue right?

    1. If you have a server, then you can always write your own client! That said, meterpreter search isn’t going to help you at all if you’re writing a custom exploit.

      Make sure to follow all of the steps in the course material!

      No, that won’t work at all, since Immunity is a Windows application.

  50. Hello all,

    I am in need of help regarding BOF. During my last attempt of the exam, I was faced with a problem. The steps and processes described throughout the course material and videos did not work. Pease help.
    n00b13 at protonmail

    And congrats to all of you who conquered the test. Doyler, much respect man; youre a beast.

    1. Hi n00b,

      If you’ve followed the steps and processes exactly, then you should not have any problems at all. Were you able to replicate the steps and get to the point where your payload was executing? If not, then you might have missed an important step.

      If you did, then I recommend reading through these comments for suggestions regarding trying various payloads.

      Thanks a lot!

      1. Hey,

        I am able to get calc to open but not able to use any payload even add user. Would you mind pointing me in the right direction

        1. If you are able to get calc to open, then it means your entire exploit is working. In that case, you’ll just want to make sure that you try different payloads. Example: if Meterpreter payloads aren’t working, think about some other payloads that you might be able to use (non Meterpreter, bind vs reverse, command execution that still gives you access).

          1. Yes but all address are alsr…so in theory it wont work on the remote host correct ? am i setting up my test env wrong?

            Thanks for the reply !

          2. You do not need to worry about ASLR, so that is not the issue.

            If it works on your test environment, then it will work on the target! At that point, it’s just a matter of getting a working payload. Remember things like firewalls/antivirus, potential bad characters, etc.

          3. Sorry im not sure im understanding correctly. Ill need to use a dll address to make sure my calc opens. If the memory address isnt the same as the remote one than how to proceed?

            How would I be able to control EIP to point to the shellcode ?

            Once again thanks for taking the time to answer.

          4. You already have the DLL address if you’re making it pop locally. There is no ASLR, and the operating systems are exactly the same. In this case, you just need a more useful payload and execute it, just like the course taught.

          5. I dont have dll. Even on corp networks all modules show alsr enabled. Thank you for the help i will keep trying.

          6. I promise you that if you didn’t learn about ASLR in the course, then it is irrelevant on the exam. Again, if you can execute shellcode on the dev system with an exploit, then your exploit will work just fine on either system. At this point, it’s a matter of your payload. Follow the course instructions, and don’t be afraid to try different things!

  51. Hey, I’m currently passing the exam, got access to most machines but I’m curious to know if all discoverable machines are exploitable ?

    1. Try to treat the exam as an actual penetration test. Try to find as many vulnerabilities on as many machines as possible. Some might not give you a shell on the machine, and some machines you may never end up compromising.

  52. Hi Doyler.
    After a couple of very challenging weeks, well, I got (redacted progress on the) DMZ machine…

    Can you confirm me that you need to obtain access as the root user?

    Thanks
    Rob

    1. Hi Rob,

      Remember what the rules of engagement state. Obtaining root is a necessary, but not sufficient, requirement for passing the exam.

      Good luck!

  53. Hi Sir Doyle,

    Welcome and trust you are doing great!

    I’m about to start the exam but a bit nervous.

    Will MITM skill or client side exploitation be required for this exam?

    Would also appreciate if you can inbox me your email.

    Thanks bro

    (ADDITION)

    Hi, Doyle, I just started the exam and i have been able to exploit the webserver. Unfortunately i have not been able to obtain root.

    Any hint on what to do next? I have been on it for 3days. Please SOS. Thanks

    1. Hi Roti,

      I combined, redacted, and deleted one of your comments (sorry it took so long, but manual process).

      As far as what is required during the exam, just what you will learn/have learned during the course!

      For privilege escalation, make sure to follow all of the steps you have learned in the course. Additionally, it is always important to follow your process (Information Gather -> Enumerate -> Exploit -> Post Exploitation -> Information Gather), document everything, and you’ll be good to go!

      Best of luck!

  54. Thanks Sir.

    I have started and exploited the webserver but i am finding dificult excalation to root.
    The best i achieved is to get access to the /etc/shadow file but i am unable to crack the root password.

    Any advise will be appreciated.

    Thanks once again

    1. I’m using proxychains from the web server into the corp network, found several hosts, but I’m unable to get nmap to work, all ports are filtered, I’ve tried changing the timing to T1 and -Pn but still no luck.

      Was thinking about sshuttle but I’m not sure it work on windows..

      Anyone help please?

      1. How were you able to find these hosts. If you are sure they are up, nmap scans could be blocked. You could either try a different scan type, or some ports that you aren’t checking.

  55. Hey doyler/all,

    Im strugging with the overflow part of the exam, i have got it to work locally and got the application to crash in the exam enviroment, i know my machine cannot talk directly to the vulnerable machine, but even with autoroute/portfwd, and multiple payloads, i still cant get it to connect..

    Happy to chat further to anyone: xess1@outlook.com

    1. If you are able to get calc to open, then it means your entire exploit is working. In that case, you’ll just want to make sure that you try different payloads. Example: if Meterpreter payloads aren’t working, think about some other payloads that you might be able to use (non Meterpreter, bind vs reverse, command execution that still gives you access).

  56. Hello Doyler,

    Thanks for this review for eCPPT exam. This inspired me while taking this certification. I am on my last 3 days of the exam and I am stocked in the windows machine. I already know the DMZ server but I think I needed to know first the servers involved in BOF, I am excited for the BOF part but still need to find the server(I found maybe, but still not rooted). May I email you ask some guidance?

    Thank you very much in advance!

    1. Thanks, and good luck with the exam!

      You’ll need to remember to follow all of your steps if you’re having trouble finding server/services.

      Make sure you are going through all of your proper steps.

      Perform Information Gathering – see what can be attacked, what is open, etc.
      Enumeration – discover services, applications, possible attack surface.
      Exploitation – once you have some possible attack surfaces, try to exploit them.
      Post Exploitation – more information gathering etc. on the local host.

  57. Hey mate,
    Thanks for the article, good read as I’m prepping for the exam.

    I have one simple, no spoiler question… Is everything in the exam included in the course materials (Labs, Videos & Slides) ? Would you suggest doing additional research on any particular topics?

    I’ve done the Labs 2-3 times, and been through the other materials thoroughly, Done some OSCP like BOF labs, setup proxy chaining on local VMs, etc. I feel ready, I just don’t like curve balls that weren’t (or barely) taught (Kinda like the WAPTX exam)

    Cheers
    JF

    1. You’re welcome, and thanks for reading it!

      There is definitely no need to do any additional research outside of the course work. I had no previous pentesting experience, and only went through the labs once when I took the course.

      There aren’t really any curve balls, and if you understood everything you should be good to go.

      Good luck!

      1. While I’m awaiting my result, I’m pretty confident I passed, and only really took 4 days, (rest of the time was confirming, optimizing and reporting).
        The biggest curve ball was preparing the BOF thinking I only had 1 chance (would have to reset the lab).

        Thanks for the info and the reply!

        1. Awesome, and hopefully you passed!

          Yea, you’ll have more than one chance during the exam as well as most real world scenarios.

          Glad I was able to help, and best of luck.

  58. Hello doyler,
    can i ask you a question about the eCPPT? Would you be so kind and send me an email? 🙂

    Best Regards

  59. Hey Doyler/all,

    I am currently really struggling with finding the credentials to log into the DMZ Machine. lt;redacted> Would appreciate a little hint to make a step closer.
    Best Regards

    1. You’ll need to remember to follow all of your steps if you’re having trouble finding useful information.

      Perform Information Gathering – see what can be attacked, what is open, etc.
      Enumeration – discover services, applications, possible attack surface.
      Exploitation – once you have some possible attack surfaces, try to exploit them.
      Post Exploitation – more information gathering etc. on the local host.

  60. Hi, I do need your help .
    I’m struggling to solve a knotty problem concerning web application penetration test.
    I’d like to get in touch with you in person through email.

    thanks a lot
    Carl

  61. Hi doyler,

    Great post thanks. Can you send me email I would like to ask you something about lab. Not sure if It’s tehnical issue or this is how it should be?

    Kind regard,
    Tom

    1. Hi Tom,

      If it’s just a technical issue and not spoilers, then it might even be faster to post it here. Plus other people could run into the problem in the future!

      Thanks.

  62. Hey Doyler,

    Great article! Have you ever ran into any issues with Metasploit’s shell_to_meterpreter module? I already know the exploit path for (redacted), but running into issues not being able to upgrade my command shell to meterpreter.

    Feel free to email me if you get a chance. Also, if I included any spoilers then feel free to redact them.

    Thanks!

    1. Hi David,

      Thanks for reaching out to me! I haven’t, but I haven’t used it a lot in the past to be honest. That said, if you’ve got a standard reverse shell, you should be able to perform most of the Meterpreter functionality with a bit of modification or extra files.

      No real spoilers though, and thanks for keeping them out!

  63. Hey Doyler,

    I’m on the BOF part right now and I have a local exploit working on my WIN7 machine. I’m confused on how exactly to reach the host where the buffer overflow service is listening.

    I’m unable to ping it from the corporate machines I’ve exploited and I’ve tried adding static routes to it as well. I see it in the arp table of one host.

    Any advice would be much appreciated.

    1. You should be able to reach the BOF service fairly directly, the same way you were able to hit any of the other hosts.

      That said, if you’re unable to ping it from ANY host, then I might reach out in case there is an issue with the networking.

      Good luck!

      1. Thanks!

        Yeah currently unable to ping it from any host, but I am able to execute my exploit against it and connect to its port through proxychains so assuming it works fine? lol

        Just need to figure out the proper shellcode to send, I’ve tried a few so far with no luck, but may need to just keep trying like you mentioned in your other comments 🙂

  64. Hello, congratulations for your blog and all your certificates.
    I would like to ask you since I am about to access the ecppt exam, do I have a doubt about the kali operating system if in VM or clean installation with partition on a clean machine?

    1. Thanks! As far as the eCPPT was concerned, you will be just fine if you use Kali inside of a VM. You don’t even really need to worry about a clean installation either if you already have one.

      Good luck!

        1. The latest version will be just fine, and should have all of the tools you want or need! If you run into slight issues with command/flag differences, then make sure to check Google or the man pages.

          1. hello and I’m sorry, if you can give me some info about it:
            the traces given in the laboratory are similar to the exam, let me explain myself better; all the course material without comparing other material outside the course (tips, manual, etc. that are not e-learning) is suitable to take the exam or do you need to deepen it even outside the normal teaching of the course?

          2. All of the course materials will be more than sufficient to pass the exam! You just need to make sure you understand all of the information and how to perform the steps.

  65. Hey doyler,

    Wold you be able to shoot me an email? I’m having issues with the BOF part of the exam. I have multiple working payloads on another machine in the corporate network that I was using to test, but nothing works on the actual target for this exploit. Thanks!

    1. Like many posters before, don’t forget to try different things.

      If you have it working on your test environment, then your JMP is likely correct (assuming you don’t have ASLR on or anything). In that case, it means that your payload is the issue.

      In that case, you’ll want to try different payloads (Meterpreter, non Meterpreter, bind vs reverse, command execution that still gives you access).

      Good luck!

  66. Hi Doyler!
    I have a question I can’t figure out.
    I am at the BoF part. I have my .exe and my .py. I modified the .py and I can display the calculator, everything is fine so far. But I did it on my local machine which is Win10.
    I generated a payload which is not working, but why not, I will change it until I ve got a shell on my Kali. The part I don’t understand is: how is going to work on the final target? the eip I chose matches with a DLL address which changes when I reboot my machine.

    Regards and thanks for your help!

    1. Your DLL address should not be changing locally, unless you have ASLR enabled/are attacking an ASLR enabled library. Make sure to follow the course recommendations and test on a similar system (the provided VM). Once you get a working overwrite and JMP, then it will work 100% of the time!

  67. good afternoon, one thing intrigues me about the exam if there is MITM attack or not?
    Generally for this type of attack there should be other users logged in for the data interchange

    1. As far as the exam is concerned, you will only be tested on topics in the course material.

      If there is any network traffic required to complete an attack, then it will be simulated (this is true for any course like this that you’ll take)!

  68. Hi, Doyler!
    First of all, congrats and thank you for your post.

    I would be very grateful if you could help me a little bit with the exam, cause I feel I’m getting nervous. I got a ‘semi-interactive shell’ (somewhere), but I’m not able to make any full reverse work (neither Empire, nor crackmapexec or just using msfvenom), cause the machine won’t reach mine. I must be forgetting something obvious, but I can’t notice it right now. I have also reviewed all provided material and still nothing. Is there anything you can suggest?

    Please, feel free to edit my comment if you see I am spoiling something. Also, I hope I made it understable (I tried not to spoil).

    Thank you in advance and happy new year.

    Regards

    1. Thanks, and good luck with the exam!

      If you have a connection to a host, then you don’t necessarily need a full reverse shell. Remember that there can always be firewalls or host-level defenses preventing you from obtaining a full reverse shell.

      In that case, you will either need to avoid those defenses, or stick with the foothold that you’ve already obtained.

      You too, and thanks again.

      1. Hi again, Tom.

        Thank you for your help. Finally, I was able to get an RDP session with Administrator rights, which I think is not bad 🙂

        I also compromised a few more machines (REDACTED). However, there are still some machines that I haven’t been able to exploit. Should I care about this?

        Thank you very much.

        Kind regards.

        1. Congrats, and best of luck!

          I removed a few things that could have been spoilers or close to them.

          That said, try to treat the exam as an actual penetration test. Try to find as many vulnerabilities on as many machines as possible. Some might not give you a shell on the machine, and some machines you may never end up compromising.

  69. Hi Doyler,

    First of all I just wanted to say your writeup was amazing! Also congrats on all of the certs that you’ve got, I hope to get that many one day!

    I was wondering if you could help me a bit regarding the exam. I’ve managed to get into the corporate network and seen a machine running a service which I can connect to, although I can’t find any credentials! If possible could you please email me ?? Thanks :):)

    1. Thanks, and good luck!

      I edited a few things from your post, but not too much.

      That said, if you have figured out how to connect to something, you might want to think about what you’d use to connect to it, and go from there.

    1. You’ll need to remember to follow all of your steps if you’re having trouble finding server/services or exploiting them!

      Make sure you are going through all of your proper steps.

      Perform Information Gathering – see what can be attacked, what is open, etc.
      Enumeration – discover services, applications, possible attack surface.
      Exploitation – once you have some possible attack surfaces, try to exploit them.
      Post Exploitation – more information gathering etc. on the local host.

  70. Hey Doyler,

    Appreciate the review. Did you choose to write your report by vulnerability type or list the vulnerabilities per host/node? Just wondering what your recommendation is.

    1. Thanks!

      I prefer to write my reports based on severity and denote which host(s) it applies to. That said, reporting on a host-by-host basis works well also!

  71. Hi I do need to ask you a few questions regarding eCPPT certification (elearnsecurity.com)
    THANKS
    I hope to hear from you soon
    Luigi

  72. Hi doyler,

    Thank your for this amazing review.

    I am currently doing the exam (day 6) and I am running quite anxious at this point.

    I rooted 3 machines and am still working on the exploit dev part (got it working on my test machine but I must still figure out the good payload for the exam machine…).

    My question is the following: < redacted >

    1. Thanks, and good luck with the exam!

      Unfortunately, I cannot answer your question. That said, if you are still missing vulnerabilities, make sure to follow your attack process completely.

      Perform Information Gathering – see what can be attacked, what is open, etc.
      Enumeration – discover services, applications, possible attack surface.
      Exploitation – once you have some possible attack surfaces, try to exploit them.

  73. Hi Doyler,
    Thnak you for your post and congrats.

    I tried the ecppt exam, but I’ve got completely stuck on the first box.
    I could just only get a persistent connection from it on 1st day.
    I did keep enumerating again and again for all of 7 days…
    I read the course materials around Linux related thoroughly, did trial and error, step by step, take notes, and so on.
    But I didn’t get any insights to get the root on it.
    Do you have any advice?

    1. Thanks, and best of luck!

      I do not want to give spoilers over email or the blog. If you think that you are stuck, make sure to go over each of the important steps, and don’t forget to check every possible vector.

      Perform Information Gathering – see what can be attacked, what is open, etc.
      Enumeration – discover services, applications, possible attack surface.
      Exploitation – once you have some possible attack surfaces, try to exploit them.
      Post Exploitation – more information gathering etc. on the local host.

  74. another_script__k1ddy

    I failed miserably my first attempt (got only 2 machine), then at the second, following the instructor hints and your suggestion here, I am quite confident to pass the exam (I will submit my report tomorrow). Even if I don’t personally know you I spend quite a lot of time here, reading silently late at night, so in a way I feel you like a friend :), so thak you very much to find the time to help us, I want let you know that without this help I also quite confident that I would not be able to achive this result.
    I wanto to wish a good life to all in this dark period. Stay at home && learn!
    *Philip*

    1. That’s awesome, and congratulations!

      I’m so glad that you read my blog, and that it helped. I love hearing stories about something I posted helping people, so thanks.

      I hope you are staying home and healthy as well, and hopefully I can spend a little more time on the learning.

  75. How did you go about testing the different payloads for the buffer overflow? I have the buffer overflow working locally using some fairly basic payloads. At this point, should I just go down the list of windows payloads from msfvenom? I’ve already tried a bunch thus far, but I’m out of ideas. I also suspect I might be completely overthinking this.

    1. You can test the buffer overflow payloads on the provided debugging machines. After that, you can just fire off different payloads against the target system.

      If Meterpreter payloads aren’t working, think about some other payloads that you might be able to use (non Meterpreter, bind vs reverse, command execution that still gives you access).

      If it is working for you, then it is likely just a payload or bad character issue.

      1. I think I probably tried around 30 or so payloads (non Meterpreter, bind vs reverse, command execution), but none ended up working, unfortunately.

  76. Doyler, and others, my e-mail is “marco.j.brutus@gmail.com” if someone wants to keep in touch.

    Would somebody give me an advice about how to keep meterpreter sessions stable or how to use proxychains without socks4a ?

    1. Hi Marco,

      What sort of instability are you seeing with your sessions? If it’s the process dying/being killed, then you’ll want to make sure you migrate to a different process. If it is a connectivity issue, establishing some sort of persistence will help.

      Proxychains needs some sort of proxy to travel through (hence the name), and socks4a tends to be the easiest to setup.

  77. Hello Doyler,
    Thanks for your write up. It is very interesting and informative. Please can you send me a mail? I want to ask you a question.

    1. Hi,

      I’m not willing to discuss any spoilers or overt hints, but always glad to help!

      That said, everything you need to easily pass the course is in the course materials, with more hints on this post.

  78. In the end, I ended up getting the payload to work on my buffer overflow and also get access to (redacted). My recommendation is to not overthink the payload and keep it simple.

    Is what is needed to escalate the privileges in (redacted) covered in the course? I found (redacted). However, I’m haven’t been able to get anything to work after going through the relevant courseware or labs again. I have a feeling it is something simple that I’m overthinking.

    1. Hi Jeff,

      Yup, everything you need to complete every objective of the exam is covered in the course materials! Make sure to follow your entire process and think through everything logically.

  79. Do we need to root all the machines on (redacted) to get to DMZ? I’ve been stuck on (redacted) can’t figure out how to get a foothold on DMZ. I got (redacted). Do I ened more machines?

    1. The exam has a necessary, but not sufficient, objective that you need to reach. You still need to perform a full penetration test and report every vulnerability that you find in the network.

      If you are stuck, then make sure you are going through all of your proper steps.

      Perform Information Gathering – see what can be attacked, what is open, etc.
      Enumeration – discover services, applications, possible attack surface.
      Exploitation – once you have some possible attack surfaces, try to exploit them.
      Post Exploitation – more information gathering etc. on the local host.

  80. Hi Doyler,

    i am in the middle of the exams , stuck on the bof. could u give me some guide. the exploit could work in my test vm but cannot work in the exam environment. in the test vm, i can pop calc.exe and bind shells (reverse shell will crash it) Coming to the exam environment, i execute it, nothing happens, so i tried all bind shells, no results. can i confirmed that my jmp esp and bad chars are correct since i can pop calc.exe and bind shells? will be thankful if u replied me some guides.
    thanks.

    1. Like many posters before, don’t forget to try different things.

      If you have it working on your test environment, then your JMP is likely correct (assuming you don’t have ASLR on or anything). In that case, it means that your payload is the issue.

      In that case, you’ll want to try different payloads (Meterpreter, non Meterpreter, bind vs reverse, command execution that still gives you access).

      Good luck!

  81. Mr. Doyler, your review of the eCPPT exam was a great read, motivational and a great help during my own exam. I have pretty much completed the testing phase of the exam (4 and a half days into the 14) and I’m starting the reporting phase today. I was wondering if you have any good tips/resources to help ensure that the my report meets the exam requirements? I have the course provided material and a copy of The Cyber Mentor’s example report. Any input that you might have to improve upon these resources would be greatly appreciated, not going to lie a little concerned on this part of the exam. Thanks in advance.

  82. I don’t know if you will see this in time, but if you could email me that would be great. My exam is over soon.

    The BOF is destroying me. I can get it to work on my personal lab. I can do all sorts of things to my lab machine, but nothing seems to work on the exam machine. I know I have the right bad chars, at least according to immunity/mona. I even created a ruby module for metasploit to perform the BOF. no matter the payload, nothing works. I don’t want to spoil anything so I can be more detailed in the email, but I have tried some possible AV evasion techniques and it doesn’t seem to have any success. I would like a sanity check if possible.

    At this rate my report is going to be light on accomplishment, but I figured I’ll just fill it out with all of my failures so they’ll see what I tried at least.

    1. Like many posters before, don’t forget to try different things.

      If you have it working on your test environment, then your JMP is likely correct (assuming you don’t have ASLR on or anything). In that case, it means that your payload is the issue.

      In that case, you’ll want to try different payloads (Meterpreter, non Meterpreter, bind vs reverse, command execution that still gives you access). Also, since AV evasion wasn’t REALLY covered much in the course, you don’t have to worry too heavily about it.

      And definitely include what you try in any report like this!

      Good luck!

      1. On the last night before my exam was over I was able to finally verify to myself that the exploit WAS working on the exam, and probably had been working for quite some time, so I spent a lot of extra time on it for nothing (multiple days). Once I found that out, then I just needed to figure out how to get a payload that would work. I unfortunately ran out of time before finding out how to get a payload that would work for the situation.

        ….an hour or so after the time was up, I finally figured out how to use the payload properly, but it was too late. I’ll be writing up the failure report and looking forward to the retake. It shouldn’t take very long to get back to where I was, so hopefully I won’t run into another roadblock like that again, and I’ll have plenty of time to get the rest of the way.

        1. That’s rough, but it definitely seems like you figured it out.

          Hopefully the next attempt goes better, and good job writing up everything that you did or tried!

  83. Hey Everyone,

    I am currently in the exam and working on the BOF. I have been trying to compile the code so I can adjust the LHOST to set up a connection. However, I keep getting an error message about the headers in the code. Am I missing something here? I am not sure how to fix this issue or how to proceed. Any tips or advice would be very much appreciated. I have tried using gcc and visual studio code to compile, and I cannot seem to get it to work.

    1. The vulnerable application is provided for you, there is no code that you will need to compile. That said, normally googling the header issue points me in the right direction.

  84. Hi Doyler , really enjoyed reading your experience as im going through it as we speak. I was able to compromise (redacted)

    Am i doing something wrong or over complicating things ? Your advise is much appreciated

    1. I’ve removed any and all spoilers from your post, so as to not ruin it for anyone! That said, I can’t give you any additional advice other than what is already covered in this post/comments.

      You’ll need to remember to follow all of your steps if you’re having trouble finding servers/services or exploiting them!

      Perform Information Gathering – see what can be attacked, what is open, etc.
      Enumeration – discover services, applications, possible attack surface.
      Exploitation – once you have some possible attack surfaces, try to exploit them.
      Post Exploitation – more information gathering etc. on the local host.

  85. Hi Doyler,
    Great review that you did on your day to day journey through the eCPPT certification process. Also, great discussions in the comments and without giving anything away. I’m currently on my 3rd attempt unfortunately. While I did progress and get further on each attempt, I am now stuck (redacted). One thing I would say to people is to not give up and keep pushing. I don’t look at my first two attempts as failing, but instead as learning. Keep pushing forward. Thanks again Doyler for the review and best of luck to everybody.

    1. Thanks for this comment, and the great feedback! I agree completely that it should be a learning experience, and people need to keep pushing. Best of luck, and hopefully you are able to pass this time!

  86. Hi Doyler,

    I just got started on PTP.

    Any advice or tips on the BOF part of the training as well as on the exam? I am guessing the exam would be a lot harder than the 32bit FTP BOF shown in the lab. Any recommendations? Perhaps a lab/box that is quite same with the exam? Appreciate any inputs from you.

  87. I know many have asked, but regarding the BOF on the exam, I have it working locally on my win10 machine and win7 VM. However, it doesnt seem to work on the exam. I have tried various payloads as suggested, “Reverse, Bind, Meterpreter, non-Meterpreter” and even tried some Veil framework payloads. I am just really at a loss at this point as I have been stuck here for the last 2 days…

  88. Dear Doyler,

    Great post, I got a couple of questions if you can help, please. If possible kindly contact me at my email address? Thank you

    Lisa

Leave a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.