eCPPT Exam

Now, obviously my memory will be a bit hazy as it has been over three months, and I don't want to include any exam spoilers, but I will do my best to describe the exam and my process.

Day 1 (2/14)
I started off the evening with a nice, romantic Valentine's Day dinner at Taco Bell with 2 close friends.

The exam kicks off at 9:28pm, and I have nothing but my wits, skills, and 6 Sugar Free Amp energy drinks to help me.

A lot of enumeration and understanding of the network and externally facing systems. Some planning, but I've never been great about that.

TONS OF SCREENSHOTS (Evernote is my hero)

Day 2
Some progress as of 24 hours and 3 energy drinks in (~144 hours and 3 energy drinks remaining), but too early to tell.

According to the VM timer I spent around 10+ hours in the environment this day, and didn't get too burnt out (yet).

Day 3
A bit more progress (and a lot more frustration) as of ~48 hours and 4 energy drinks in, but a lot to go.

Day 5
(no day 4 update)
After ~76 hours and 5 energy drinks (~92 hours and 1 energy drink remaining) I did not make any more progress, other than increased frustrations.

At this point I start to go back over everything, both network- and lab-wise, to try to decide what I might be missing or forgetting.

Additionally, I'm taking screenshots and noting everything down, to prepare for my report.

This is also the point where I start trying to randomly brute force EVERYTHING...not the best solution.

Day 6
~122 hours and 6 energy drinks in (~46 hours and 4 energy drinks (thanks to a friend for the surprise) remain), and I'm making progress again.

Always remember that there are multiple ways to attack something, as well as different payloads...this was something that caused me no shortage of frustration (TRY MORE THAN ONE PAYLOAD NEXT TIME).

"All" that I have left at this point is some custom exploit dev and the DMZ.

Day 6 night/7 morning
The custom exploit dev went along without too many hitches, and with a pretty interesting solution. (This shouldn't be a spoiler.) Instead of a more standard payload (I was running into issues), my exploit remotely deleted a user, added that user back, made them an administrator, and then enabled RDP.

At this point I have ~18 hours left and nothing but the DMZ left.

Day 7
As of 11am on the seventh day (~146 hours and 7 energy drinks in), I obtained root level access in the DMZ, thus completing the testing part of the exam.

All that was left at this point was a bit more information (AND SCREENSHOT) gathering, and verifying that I found every vulnerability on the machines instead of just one.

Then I had 7 days to write the report (had 99 pages of unformatted screenshots and notes at this point).

While I don't have many notes on my report itself, I'll try to give an understanding of how it went.

I started with 99 pages of screenshots and mostly unsorted/unformatted notes.

From here I sorted them out, added headers, and began looking at sample Penetration Test reports.

All in all, my report ended up being 50 pages in total, including an Executive Summary, a Vulnerability Report (including remediation steps), and a source code Appendix.

While writing the report wasn't that hard with all of my notes, it was still something very new to me, and a valuable experience.

The only real advice I could give on this is to take constant screenshots and notes, make sure you have a format in mind, and don't wait until the last minute.

As of March 7th @ 12:12pm, I received the following e-mail:
"Our instructors at eLearnSecurity want to congratulate with you and award you with the eLearnSecurity Certified Professional Penetration Tester certificate. You are now an eCPPT!"

Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he's done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Senior Staff Adversarial Engineer for Avalara, and his previous position was a Principal Penetration Testing Consultant for Secureworks.

When he's not figuring out what cert to get next or side project to work on, he enjoys playing video games, traveling, and watching sports.


306 Responses to eCPPT Exam

  1. Alex

    Wow! Does the exam actually last 7 days (report writing aside)?? That’s a lot more than the OSCP! Could you also tell approx. how many machines you had to root?

    • doyler

      Yup, you get 7 days for the attacking portion and then 7 days more for the reporting portion of the exam.

      Definitely a lot more time than the OSCP, but I believe you’re expected to be a bit more thorough and not just root the box in any way possible.

      There was a website, a few internal machines, and then the machine in the DMZ. Overall, under 10 total machines still.

  2. PincoPallino

    Can you write to me at my email?

    I want to ask you some questions!

  3. Sasha

    I want to ask a few questions.
    Can you write to me at my email?

  4. Alessandro Rocchi

    Hi Ray
    Can I ask you some questions?
    Can you contact me at my email address?
    Thank you 😉

  5. Joel

    Hi, can I ask you some questions?

    Hope you reply to my email.
    Thank you!

  6. Alejandro

    Hello Doyle, I really enjoyed your review of the eCPPT exam; it was really insightful. I will do my exam next week and I am studying all the material where I consider I have a few flaws. However, I want to ask you some questions about it, if possible of course!

    So if you have time, I would really appreciate it if you could help me get more insight about this!

    Thank you in advance….

    Best regards…


    • Hi Alex,

      Sure, what in particular do you have questions about/how would you like me to contact you?

      Good luck with your exam regardless!

      (Oh, I didn’t delete your comment by the way, I just hadn’t approved it yet)


    • John

      I tried the eCPPT exam but got very badly stuck on the system security section. I found the executable/Python files and downloaded them onto the captured server, where I had already uploaded Immunity with mona. The rest should be a piece of cake: found the number of args to reach EIP practically (the Immunity and mona pc script did not bring results), then found jmp esp with mona, constructed the entire exploit with a reverse TCP payload and set my reverse handler. All fine, routed the exploit to the victim machine, but never got a shell. 7 jmp esp / call esp addresses, where returned by mona, all tried, but nothing. I disabled DEP, but still nothing. A null session did not give me anything. Any advice?

      • If your exploit is working locally, then it might be an issue with your payload. There could be an antivirus or firewall blocking the payload that you are trying. Have you tried more than just the one reverse tcp payload yet? That is most likely the issue.

        • John

          Good evening again,
          Regarding your last message, indeed I insisted a lot, and that cost me in time and a fail; no local buffer overflow and exploitation were achieved locally. Actually, the app seems to go wrong (overflow) but I could not manage anything more. Though I have found, using alternatively the Python script and foo..manager.exe, that there should be some kind of customer ID policy: only numerical characters, with length up to seven. Alphanumerical characters returned errors on the .py, and the .exe file showed that it was reading up to seven chars from the ID. A random test returned two users. So, I wrote a bash script to bruteforce the application, feeding it with possible combinations created with crunch (actually I wrote my own script again instead of using crunch) and take all users’ data…. but no time left. Then I think I should try this info with net use or any other SMB tool to get a connection to the shares. The server is vulnerable to null session, but by that only, not much luck. I tried to sniff with Wireshark, nothing. Analyzed pcaps with tshark and bro, still nothing. There should be some other application running on the server, although it warns that the older web app has not been set offline. Not clear yet what I have to do. Now I am writing my report and waiting for better chances next week. This phase seems very tricky, but I am an optimist; if I pass it I will reach the end. Thank you.

  7. Charly

    Thinking about taking this one, it looks really interesting.

    I read on many sites that they give you a lab with an objective, but achieving that objective is not the way to pass. So, are you supposed to break anything?

    • Hi Charly,

      It was interesting, and definitely enjoyable. As far as the labs are concerned, they are separate from the exam.

      The exam has a necessary, but not sufficient, objective that you need to reach. You still need to perform a full penetration test and report every vulnerability that you find in the network.

      That make sense?

  8. Diego

    Hi Doyler,

    I just discovered your blog and I want to ask one question. I’m in my third day of my exam and I've been stuck on exploit development since day two. I’m a little confused and it's driving me crazy. Do you have some advice on how to approach it? Maybe some resources to learn more and crack that exploit? Thank you, I gave you my email.

      • Diego

        Hello Doyler, thank you for the resources. I'm into them right now because I failed the exam terribly ;( My exploit didn’t work and I was not able to compromise any other computer in the corporate network. So I came to you again, hopefully you can give me one hint, because I am very frustrated.
        I was able to detect the other computer in the corp network, one XP with some SMB sharing services open, for example IPC$, but when I try to connect to dig for more info, I can’t, I simply can't access it; the computer told me Access denied. So my suspicion is that I can only advance in the exam if I successfully write the exploit for the computer listening on that service? Or can I enter the corporate network by compromising another computer? Because I think I tried everything but I can’t enter any other computer; I think it’s the exploit that is driving me crazy.. So if you can tell me if there is another way to enter the corporate network by compromising another computer, I would very much appreciate that, please!!!

        Regarding the post, you can delete it before you authorize it, and you got my email; I just hope you can have the time to read it.

        Thank you Doyler and have a nice day!!

          I’m sorry about that, but hopefully those resources help you brush up on your buffer overflows!

          If you are unable to connect with an SMB client for more info, then anonymous access is probably disabled. In that case, you might want to scan for SMB vulnerabilities, to see if you can find any. For example, using NMAP NSE scripts – (hint: smb-vuln-* will use all available NSE scripts that start with that).

          As far as the buffer overflow is concerned, yes, that is the only way to compromise the machine that is running that application.

          You’re welcome, and good luck.

          • Hello Doyler,

            Thank you for your advice. I tried to use NSE but without any successful result; when you use proxychains, NSE scans will not work. I tried redirecting the traffic to the specific port I wanted to connect to, so in that way I was able to use NSE; however, when I try to scan for vulnerabilities the session closes because the scan is too noisy, I think.

            Maybe my routing is wrong and I need to use something else instead of Metasploit?

            Thank you Doyler for your advice and happy new year!!!

          • Yea, you might be able to get the NSE scripts to route through a proxy (I think SSHuttle might work instead).

            But yea, it could just be a routing issue.

            That said, you may be able to scan for the SMB vulnerabilities more manually with SMBclient/exploits through your proxy chains.

        • Kate

          Hey Diego,
          What’s your email address?

  9. kate

    Hi Doyler,

    I’m currently doing my eCPPT exam, and I need your help.

    So far I got the highest privilege shell on the web server, but I can’t exploit the DMZ or any machine in the corporate network. I can only scan the corporate machines and identify two Windows hosts. I also found the .exe and .py files hosted on one of the corporate machines, for which I know I have to overflow the buffer.

    Do the .exe and .py files have something to do with exploiting the corporate network or are they just there for me to prove they have buffer overflow vulnerabilities?

    I’m completely stuck right now. Please…Point me in the right direction. Give me a hint. Anything.

    Thanks in advance. (Sorry I spoiled a bit so reply to this message to my private email if possible)

    • Hi Kate,

      You haven’t spoiled too much, but I can edit your comments if you do.

      As far as the .exe and .py are concerned, they are in reference to the buffer overflow that you know you need to exploit. You’ll need to utilize them to write and test your buffer overflow. Once you have it completed, you’ll need to see if you can find a remote version of it listening somewhere…

      Good luck!

      • Kate

        Yo Doyler,

        The good news is I proceeded to root two more machines in the corporate network 🙂 The bad news is I’m now completely stuck not knowing how to root the DMZ 🙁 I got one user’s FTP credentials but when I RDP’d in there was nothing in the DMZ server. On top of that it doesn’t respond to port scans so I have no way of fingerprinting it, meaning I can’t run a backdoor on the DMZ server’s behalf. Please Doyler…Guide me.

        Am I supposed to mount password and MitM attacks against the DMZ or something? Oh man am I lost…

        • Awesome, that’s some good progress at least.

          You definitely don’t need to perform any password or MiTM attacks.

          If you have FTP creds, and you can RDP, then that’s a great start. If you couldn’t actually get RDP to work, then maybe you need to try a different venue. Also make sure to exfiltrate as much information as possible from the machines that you do manage to exploit.

      • ray

        Can you send me your email address?

  10. steve

    Hey Doyler

    Can you write to me at my email?

    I want to ask you some questions!


  11. marco

    Hi man,
    Congratulations on your cert.
    I am doing the exam, and I want to ask you some things. I don’t want to spoil it here!
    Can you write to me at my email?

    Thanks a lot

  12. ericsoe

    Is eCPPT required for the OSCP exam? I failed OSCP once when I attempted it for the first time. Should I extend the lab and try again? Or should I get eCPPT first? Appreciate your help!

    Thanks in advance,
    – eric

  13. ericdoe

    OMG! Thank you so much! Highly appreciated 🙂

  14. John

    Hi Doyler,

    Great post and well done.

    I would appreciate it if you could send me an email so I can ask you a question.


  15. Stefano Brugis

    Hi Ray
    Can I ask you some questions?
    Can you contact me at my email address?
    Thank you

  16. mapo

    Wow! I’ve already taken the eJPT cert and now I am studying to obtain the eCPPT.
    I have to admit I’m going slow with the course, but personally I need a lot of time to re-elaborate things.
    As I work as a web developer, the web app part of the course was much, much easier than the system security section. I’m struggling a bit with that, I admit it! Any general tips to understand the BOF and the shellcoding better?
    I hope I can take the exam before October; I can’t wait to obtain the cert.
    PS. I discovered this blog 10 minutes ago and I really enjoyed the article and the comments.

  17. Tai

    Hi Doyler,

    Can I say, great article and really kind of you to respond to everyone’s comments. I’m looking to sit the PTP exam this weekend, not sure I’m ready but thought I’d give it a go. I made notes of all the lab solutions but haven’t had time to go through them again, and also noted all the important commands from various sections which I’m hoping to use during the exam.

    Any last minute tips before the exam? Would be good to have some useful advice as I’m a little worried I won’t know where to start and then try everything instead of using a structured approach; nerves do that to a person!
    The other concern I have is around the Buffer Overflow, finding it and then creating a script from scratch to talk to an application if this isn’t similar to what we’ve been taught in the labs.

    Looking forward to your wisdom 🙂


    • Hi Tai,

      I’m always glad to help people, and best of luck with the exam!

      I think just going over everything in the course, this post, and any common questions that people might have (see the comments) would be more than enough.

      Make sure you stick to your workflow as best as possible, and keep good notes.

      The buffer overflow isn’t difficult as long as you follow the steps that the course taught. Additionally, there is a comment here with a TON of resources for more practice if you’d like.

      Good luck again!

  18. Tai

    Hi Doyler,

    Struggling a little here, [spoilers redacted]. Much appreciated!

    • Sorry, don’t want to give too much away, but make sure you go back over the course material and your labs!

      • Tai

        Hi Doyler,

        I’ve made some good progress, managed to get through to the end location (don’t want to give too much away) but can’t seem to find a way to exploit the device.
        I’ve not tackled the buffer overflow as yet; I’m just a little confused as to how I’m meant to do it without being able to put the server into Immunity and see it overwriting EIP. Any suggestions?
        The labs taught us to use the graphical FTP client application, which then connects to a server with a malicious payload within a script.

        • Tahir Hussain

          Hi Doyler,

          Thought I’d let you know I managed to root the tricky box, and that only now leaves me with the Buffer Overflow; it looks like I will run out of time for that.

        • Tahir Hussain

          Hi Doyler,

          Thought I’d let you know I managed to successfully overflow the buffer!


          • Congrats, and glad to hear that!

            Hopefully you managed to get everything, or at least know what you might be missing for the retake.

            Let me know how it goes.

  19. Mikey

    Hello Doyler,

    Thinking about doing the course soon instead of OSCP, as per recommendation, but a little hesitant with Buffer Overflows. Was wondering, does the Buffer Overflow for the exam require you to overcome SEH, stack canary, ASLR or DEP?

    I’ve historically had problems with overcoming stack canaries in my line of work, so wanted to understand if this was the case. Also, are you tied to a particular programming language or can you use perl, c++?

    Thank You 🙂

    • Hi Mikey,

      Nowhere near anything for this buffer overflow (or the OSCP to be honest). Both of them are functionally the same:

      Overflow buffer, control EIP, find JMP, make simple JMP to shellcode, win.

      The OSCE is going to be the first course offered by either that will start with any of those topics.

      As far as languages are concerned, you aren’t constrained to any. A lot of the examples will be in Python or C depending on relevance, but anything you write (or use) can be in the language of your choice.

      • Mikey

        Thanks Doyler!

        A little less scared now! I’m assuming you have a suitable machine without security parameters, such as XP (based on some stuff I’ve read) to run the exploit from or are you expected to do this in Kali? I’ve obviously only practised this on Windows XP to date (old PTB course) and not Linux.

        I’ll try and read up as much as I can, probably wait for a voucher or discount first 🙂


        • I do have an XP machine that I use for some exploit development, but you do not need it for the course.

          You’ll be provided with the VM and appropriate vulnerable software in both the lab, as well as the exam, environment.

          Good luck, and let me know how it goes!

  20. john

    Hello Doyler,

    Thanks in advance for your feedback. I already compromised the web server and 3 machines on the network including the dev exp. I have FTP for the DMZ but I got stuck on this; can you give any hint?
    And should I compromise all the machines on the network?

    • Hi John,

      I’m sorry that I can’t give you any hints, but good luck with the machine!

      You should try to compromise every machine in the network that you find, but your goal is to find every vulnerability. If you can’t get a partial, or even full compromise, then that doesn’t necessarily mean that you missed something.

  21. Tai

    Hi Doyler,

    Would it be possible to send you a PM, not necessarily about the exam.


  22. Mokaz

    Hey there Doyler,

    I’ve been through OSCP & OSCE. I’m actually thinking about getting a 4 in the Box @ eLearnSecurity. Targets are eCPPT, eCRE, eNDP & eWPTX.

    Do you think this makes sense, or will I be bored?


    • Hey Mokaz,

      Awesome, and grats on your OSCE! I’m hoping to have mine done by the end of this year myself.

      I love the 4 in a Box, though I’ve never taken the eNDP personally.

      eCPPT – you’ll probably be bored a little to be honest, as it is VERY similar to the OSCP. That said, if you see anything in the syllabus that you don’t know, it might be ok. Your other options for this slot would be another defensive course, eMAPT, or even eWPT.

      eCRE – I haven’t finished yet, but it should still be plenty useful and fun.

      eWPTX – you won’t be bored at all, a great course.

  23. Tai

    Hi Doyler,

    Thought I’d let you know, I passed my eCPPT. Thanks for your advice on this page, it was invaluable 🙂

    • Awesome, congratulations! Glad that I could at least give some advice.

      • Tai


        For anyone else sitting it, don’t be overly stressed about the BO; providing you are familiar with the content in the lab, it will not be too different in the exam. I tackled the BO towards the end once everything became clear.

  24. Rollix709

    Hey Doyler,

    Looking to get your opinion on a couple things, but not looking for answers or anything of the sort. More informational if you’re able to help.

    E-mail if you get a chance,


  25. Susan

    Hi Doyler,
    I’m on my eCPPT right now.
    I’ve successfully exploited [sensitive information removed], but I’m stuck with other hosts [sensitive information removed]…I’ve nmapped them to know what services run on them and tried common vulns with Metasploit but with no result…can you tell me where my failure is?

    P.S. Above you said you used “more than one payload”; I tried several different payloads but with no result.
    Thank you in advance!

    • Hi Susan,

      First, I’ve removed any spoilers from your comment as to not spoil it for others. Remember, this is a penetration test, so your job is to find as many vulnerabilities as possible and then report it to the client, that’s it.

      As far as the “more than one payload” is concerned, if a different payload didn’t work, then you might be fine.

      Good luck!

  26. waqas ahmed farooqi

    Hello Doyler
    Seen your posts, loved your supportive attitude.
    Hope you are doing fine. I am an information security professional and currently interested in the eLearnSecurity eCPPT certification. I need some help, so please answer the following questions.

    1. Is the eCPPT paper given from home?
    2. How long after eCPPT registration must the paper be given?

    • Hi, glad you enjoy my posts, and hopefully I can help!

      You take the eCPPT exam from home, using the same VPN connectivity you use for the lab environments. There is no paper per se, but a penetration engagement followed by the report.

      That depends on which version of the course you sign up for. The Barebone edition doesn’t have an exam, the Full gives you 180 days to complete the course from the day you begin, and there is no time limit for the Elite version.

      • waqas ahmed farooqi

        Thanks a lot for your response, so nice of you brother. If possible please share some resources which will help in the preparation of eCPPT certification.

        • Other than the course materials, you don’t really need anything in preparation of the course or exam.

          That said, if you struggle or think you will struggle with the buffer overflow, then the above comments should have everything you’ll need!

          Let me know when you sign up, and how it goes.

  27. Josh

    Hey Doyler,

    Thank you so much for the review! I’m currently taking the course, and it’s always fun to read reviews of the course and exam. Do you have tips (without spoiling anything) on what to review or be sure to know for the exam? The labs that they provide are pretty good, but I’m probably overthinking that the exam is going to be 4x harder than the labs.

    • Other than maybe a few of the links in the comments above, you should be good!

      The course material covers everything in the exam, you just need to make sure that you understand what you’re doing.

      Follow your process (Information Gather -> Enumerate -> Exploit -> Post Exploitation -> Information Gather), document everything, and you’ll be good to go.

      That + make sure you understand how to do a basic stack-based buffer overflow.

      • Josh

        Hi Doyler,

        I got the email that I passed the eCPPT exam! Two weeks of being a little worried are finally over.

        I wanted to come back and say thank you for the review, and honestly I went through the same emotions as you each day… So it was pretty cool to see each day making progress or being completely stuck.

        My next certification I’ll be doing is OSCP, and I’m pretty scared about this one due to the rumors and intimidation. Did you do eCPPT before OSCP? Through the exam and labs in eCPPT, the majority of the tool usage was Metasploit. I feel like I’ll be re-learning everything again, but doing everything manually. How did you overcome that?

        • Congratulations! It’s a great feeling seeing that you finally passed and that it is over.

          You’re welcome, and I’m so glad that it actually helped and/or motivated you. The progress is fun, except when you think you’re completely stuck.

          Awesome, and that’s definitely a great one. I did do my eCPPT before my OSCP. Go into OSCP and expect to learn a lot of things new, don’t try to cut corners because you finished your eCPPT. Also, whenever possible, don’t use Metasploit at all. In the end I think I only used it for 3-4 lab machines and 1 exam machine.

          Let me know how it goes, and feel free to read my reviews/notes/ideas on it here as well!

  28. nessie

    Thanks for the write-up,

    I recall reading some of your other posts as well in the past.
    Stumbled upon this one whilst being stuck at my exploit dev for the eCPPT and fancied reading some horror stories in a desperate attempt to cool down. It’s not working 🙂

    Could you reach me by mail please? I think I just need another point of view on the matter that might get me back on track ..
    Thank you in advance,

    • You’re welcome, and hopefully it’s able to help!

      Yea, the exploit dev is super straightforward if you just follow the steps in the course. That said, you can also look over some of the other links in the comments for more write-ups or practices.

      How did it end up going in the end though?

      • nessie

        well, finally managed to find the vulnerability and create an exploit.
        However, just got the result in and I failed.
        I know there’s one part from the course I didn’t use and that might be the one that was lacking to get the full result. I’ll look into that part before reading the comments on my report since I’m short in time for the next days and I’d miss valuable time in the lab ..

        • That’s good at least!

          I’m sorry you failed, but hopefully you are able to figure out where you were lacking and finish it up next attempt.

          Understandable, but definitely read the comments on your report. They are usually short and sweet, and will definitely help you focus your efforts in the lab.

  29. Rafael Santos

    Hello Raymond Doyle, my name is Rafael. I’m following your blog about security certifications. I’m doing eCPPT and I’m lost in the first phase of the test; I cannot identify the way to go through the initial site. Can you give me any tips?

    • Hi Rafael,

      If you are stuck on the first part, then make sure you are going through all of your proper steps.

      Perform Information Gathering – see what can be attacked, what is open, etc.
      Enumeration – discover services, applications, possible attack surface.
      Exploitation – once you have some possible attack surfaces, try to exploit them.

      As the first step is a web application, make sure to check the server as well as the application layer for vulnerabilities.

  30. rocklee

    Hi doyler,

    I have some questions regarding BOF. Can I contact you for some direction?

    Thanks and deeply appreciated.

    • Hi,

      I won’t be able to help you with the BoF, but if you follow all of the steps in the course material it will be super simple.

      That said, there are also a few links in the comments section here if you want to read or practice some more.

      Good luck!

      • rocklee

        Hi doyler,

        Thanks for the reply. I’m aware that I will need to obtain the source code in order to perform the BOF. Generally I don't have much problem doing BOF, as I tried on a few vulnerable applications and had successful attempts. Right now, it's more like I have a problem getting the vulnerable application from the machine in order to debug it. I have some credentials gotten from some of the machines *trying not to disclose too much info* and successfully used them to gain access into the corporate network. The rest of the credentials do not seem to work on the SMB shares. Do I have to brute force my way through or do some hash cracking from the previous machines? I would really appreciate it if you could shed some light.

        • You actually don’t necessarily NEED the source code to perform the buffer overflow. Having the executable itself is more important, so that you can attach a debugger to it.

          If you need to get the vulnerable application itself, maybe you need to get it from a different machine than the one you need to exploit it on…

  31. chris

    In the BOF ftpclient course materials we are given an ‘’ and an ‘ftp.exe’ client. You are able to connect the client to the Python FTP server using the localhost address. This allows you to test and send your payload to the ‘ftp.exe’ client in order to find and test the offset, EIP, jmp esp, and shellcode. Pretty straightforward and easy.

    Is this method of testing possible for the ‘c.exe’ & ‘’? I am having trouble trying to figure out how to go about testing from ‘’ to ‘c.exe’. Do I stick to modifying the .py in order to send my payload to the .exe? And is the .exe supposed to communicate with the .py in order to test, similar to the ftpclient32 scenario in the course material?

    Thanks! And please redact anything unnecessary. I tried to be as cryptic as possible.

    • Hi Chris,

      The only thing I did was slightly rename your files, but you aren’t being too spoiler heavy.

      That said, you can perform the exact same manner of testing in the Exam as you did in the lab. You just need to modify the payload to send wherever your EXE is listening, and attach a debugger to it. The exe may or may not communicate back, but that is largely irrelevant as long as you are able to crash it.

      Good luck!

  32. Chris

    Thanks Doyler for the reply. I think I am going about this wrong. As I analyze both files mentioned earlier, they both do the same thing, as in communicate to the same destination IP and port. In order to get an EIP you need to load the target application you are trying to crash, and in this case I am not even there yet, as I don’t have access to the host running the destination app. Is this correct?

    • Hi Chris,

      Yea, you are going about it slightly wrong. If you were going to try and find a vulnerability in Apache, you wouldn’t just start attacking and hoping to get access to it. You’d download the executable yourself first, and attach the debugger locally.

      You need to do the same in this case, only the executable cannot just be downloaded from the internet. In that case, you need to find it on a different host than the one you are trying to exploit.

      Good luck!

      • chris

        I am on my second attempt now. I was able to find the needed files to do the crashing and testing within Immunity Debugger. I was able to load a calc.exe like in the course. I am now working on the shellcode. I guess I am getting stuck on the payload to send. I thought that would be the easiest part but, I am at the WTF point lol

        • Awesome, that’s good! It should be fairly easy, but make sure the shellcode works before you send it + there are no bad characters.

          Sending it should just be as “simple” as modifying the included Python script.

          Good luck!

  33. Hey doyler

    Can you shoot me an email?

    • Hi,

      I do not want to give spoilers over email or the blog. If you think that you are stuck, make sure to go over each of the important steps, and don’t forget to check every possible vector.

      If there is something generic that I can help with, then please let me know!

  34. chris

    Hey Doyler, thanks for the reply. Yeah, I got everything in place, even the Python script to send the payload. I am able to get a calc to pop up, but I am using msfvenom to create the shellcode with no bad characters; however, I cannot get it to work on my test machine. I was able to get some “shellcode” examples off the interwebs and a few work, where I was able to add a user and add it to the admin group, but as you know, I need to add a little extra and those examples online are static, set in stone, and you cannot modify them as it’s a copy and paste job. I don’t want to ruin the exam here. But yeah, msfvenom is pissing me off as I don’t think it’s working.

    If you are not too busy, and I know you get this a lot, but if you’re available through email that would be cool. If not, it’s ok brotha, no worries. I don’t have Twitter etc.

    • nessie

      What I would recommend you do, chris:
      – set up an environment mimicking the target you have at hand
      – looks like you have everything you need, so run whatever you need to run in that environment
      – create the shellcode that you want; I can assure you, msfvenom did what it was supposed to
      – focus on what you want to achieve with your shellcode; I find it hard to imagine you want to have calc popping up on the target 😉
      – be sure you have the right bad characters omitted; no need to overcomplicate and define half of the character set as bad …
      – in relation to the above and the ‘push’ of your shellcode to your target: be wary of how Python 3 and 2 function .. I kind of lost a couple of days figuring that out

      • chris

        Hey Nessie, thanks for the reply. Like you mentioned, I have my testing environment both local to my machine and on the user network. As far as the “bad” characters, those N… are taken care of. And obviously the calc was just to test that my offset and jmp are working on XP, and it works fine; I know I have the correct off and jmp esp call. The problem is when I generate anything on msfvenom, be it “regular conn payloads” or “other” payloads to perform local tasks. Adding it to the Python script is easy too, but I hit send and nothing lol

        Perhaps I am running into the Python 2 vs 3 thing. I have been using Python 2. Going to give P3 a shot. Do you have articles or further studies I can check out that will help me with this whole Python 2 vs 3 issue? I am coming across some stuff about bytearray vs bytes.

        You are right, msfvenom is doing its job. I was using a traditional online HEX to ASCII editor and comparing the values of a simple input between the two. I was getting the same HEX values so that showed me things were fine with msfvenom.

        I have lost 3 days now. Ok I am off to test.

        • nessie

          No worries chris,
          If you’re on 2, that should be fine .. I ran into trouble because I started off with 3 .. it’s indeed a ‘bytes’ thing 😉
          Yet I still wonder what kind of payload you want to execute on the target .. I believe there’s a kind you’re overlooking when I read ‘perform local tasks’ and ‘regular conn payload’ .. don’t look too far ..
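The Python 2 vs 3 “bytes thing” nessie and chris are talking about, as an added example that is not from the post or any commenter: in Python 3 a payload written with “\x90”-style escapes is a str, and the bytes that reach the socket depend on how that text gets encoded. The function names and the constructed sample bytes below are assumptions made for this demo, not anything from the exam.

```python
# Added example: the Python 2 vs 3 str/bytes pitfall when sending raw bytes.
# In Python 2, "\x90\xff" is already a byte string. In Python 3 the same
# literal is text (two code points, U+0090 and U+00FF), and encoding it as
# UTF-8 expands every character 0x80..0xFF into two bytes, so the wire
# carries something other than what the script's author intended.
import socket

# Constructed sample (not from the exam): a few high bytes plus one 0x0a.
SAMPLE_BYTES = b"\x41\x41\x90\x90\xff\x0a\xe8"
# The same data written Python 2 style, which in Python 3 is a str, not bytes.
SAMPLE_STR = "\x41\x41\x90\x90\xff\x0a\xe8"


def as_wire_bytes(payload):
    """Return exactly the bytes the author meant to send.

    bytes/bytearray pass through unchanged. A str made of \\x.. escapes only
    makes sense if every character is U+0000..U+00FF; latin-1 is the codec
    that maps those 1:1 to single bytes, whereas UTF-8 would turn "\\x90"
    into b"\\xc2\\x90" and silently change the payload.
    """
    if isinstance(payload, (bytes, bytearray)):
        return bytes(payload)
    if isinstance(payload, str):
        try:
            return payload.encode("latin-1")
        except UnicodeEncodeError as exc:
            raise ValueError("str payload has characters above U+00FF; "
                             "build it as bytes instead") from exc
    raise TypeError("payload must be bytes or str")


def encoding_report(payload_str):
    """How many bytes the same str produces under each codec."""
    return {
        "chars": len(payload_str),
        "latin-1": len(payload_str.encode("latin-1")),
        "utf-8": len(payload_str.encode("utf-8")),
    }


def find_bad_bytes(payload, bad):
    """List (offset, value) for every byte of the final payload that is in
    the bad set, checked against the bytes that will actually be sent rather
    than the text the script was written with."""
    return [(i, b) for i, b in enumerate(as_wire_bytes(payload)) if b in bad]


def send_and_capture(payload):
    """Push payload through a local socket pair and return what the peer
    received: the only reliable way to see what the wire really carries."""
    a, b = socket.socketpair()
    with a, b:
        a.sendall(payload)
        a.shutdown(socket.SHUT_WR)
        received = bytearray()
        while True:
            chunk = b.recv(4096)
            if not chunk:
                break
            received.extend(chunk)
    return bytes(received)


if __name__ == "__main__":
    # {'chars': 7, 'latin-1': 7, 'utf-8': 11}: four high bytes doubled under UTF-8
    print(encoding_report(SAMPLE_STR))
    print("utf-8 on the wire :", send_and_capture(SAMPLE_STR.encode("utf-8")).hex())
    print("latin-1 on the wire:", send_and_capture(as_wire_bytes(SAMPLE_STR)).hex())
    print("bad bytes present  :", find_bad_bytes(SAMPLE_BYTES, {0x00, 0x0a, 0x0d}))
```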

          • chris

            Gotcha, thanks Nessie. I went back to v2 as I spent the day researching the incidents people were having when v3 encoded their shellcode to strings instead of bytes. I even went to the PTS course in the Python module to verify if that was covered lol

            You wouldn’t happen to have an article, tutorial, or even the slides from the PTP course that I can research that will point me to the proper payload? I guess I am having a bit of a stump here.

            Thanks for your help 🙂

          • chris

            just rooted .55 OMG!!!!!!!!!!!

            This whole time!!!!! in my face!!!!!

            More than one way to skin a CAT, and I think I had the space time stone (Avengers) and tried all 14 million ways like Dr Strange, instead of the simplest method, which nailed me root access.

            Ok DMZ is left and I have 2 days left to go! I got this!

            I start PWK/OSCP June 2nd too lol!

            thanks Nessie & Doyler!

          • chris

            GAME OVER!!!!! I just rooted DMZ!

            Wow, what a mission fellas! Now it’s time to redo my report. I was told I wrote an attack narrative and I need to fix it lol. DOH! I will spend some hours tonight and all day tomorrow to write it. It’s due Monday morning, so I have time. Do you guys have any recommended reports I should look at to get an idea of the proper way to write it?

            On another note, I just got my PWK course pdf and videos. Hopefully things go well and I can complete OSCP in September that way I can jump straight into CTP/OSCE.

          • Congratulations Chris!

            Sorry I wasn’t on this weekend, but looks like it went pretty well.

            Haha, yea. This was supposed to be a “pentest” for a client, so you have to send in an actual report.

            I sort of made my own, but there are some great examples here.

            That said, always remember to try different payloads if one doesn’t seem to be working for some reason! (Which I’m guessing you did).

            Good luck with the OSCP, as that is definitely a challenge. I’ll start my OSCE pretty soon here as well.

          • Chris

            Thanks Doyler! I just got my email today that I am eCPPT certified. So glad I went through the eCPPT and got my butt kicked there. I learned so much and I am sure this journey will help me on my new OSCP journey. I appreciate your help and I will be following your OSCE journey and coming back to lookup your OSCP journey as well.

          • Congratulations!

            Definitely, and good luck with the OSCP journey. Feel free to drop in if you have questions or ideas.

  35. Bean

    Hey doyler, congratulations!

    Like most, I am completely stuck on the BOF. I have popped calc.exe, have the correct jmp address and all of that but finding the right payload is costing me so much time.

    -omitted bad characters
    -Utilizing NOP sled
    -Have tried windows,linux, and php reverse and bind payloads
    -using msf listener, running script locally
    -tried attacking the obvious server/port but tried additional IPs and ports.

    Yeah I have no idea!!

    • Hi Bean,

      Understandable, and I think a lot of people get stuck here.

      First, you don’t want to try different OS payloads, as that will waste a ton of time. That said, if Meterpreter payloads aren’t working, think about some other payloads that you might be able to use (non Meterpreter, bind vs reverse, command execution that still gives you access).

      If it is working for you, then it is likely just a payload or bad character issue.

      Good luck!

  36. Sam

    Thanks so much for taking the time to share your experiences with us. I started off in OSCP and managed to root a dozen boxes in the OSCP lab, but stumbled on eLearnSecurity’s eJPT and eCPPT certifications (and their respective courses). I ended up focusing my time on eJPT, which I earned recently, and decided to invest my time in eCPPT before I go back into OSCP.

    I plan on taking the exam in about a month. In your opinion, what are the subjects that current and future students should focus on? The coursework has a lot of material in it and I was hoping you can help me focus my time and efforts a little bit.

    • Thanks, and glad to share my experience and knowledge!

      eJPT -> eCPPT -> OSCP is a great progression if you have the time (and money), but not the experience.

      As far as the eCPPT is concerned, the course material has everything you need. That said, if you don’t understand the basics of a buffer overflow attack, you should brush up on those. As you can see from this comments section, there are quite a few people who got stuck at that point.

      The material will walk you through the steps, and you just need to follow them exactly though!

      In the meantime, let me know if you run across any other topics or concepts that you find confusing. Good luck!

  37. Patrick

    Thank you very much for sharing your experience with the exam. May I ask if shellcoding knowledge is of importance for this exam? If I have the tools and knowledge to discover buffer overflows, would I be able to get by utilizing payloads from MSFvenom after discovering the correct offset and JMP/CALL address?

    • Hey Patrick,

      You will actually need 0 knowledge of shellcode or shellcoding for the exam. As long as you can follow the buffer overflow steps, you will be fine.

      That said, don’t forget to check for bad characters, or try different payloads if one SHOULD be working!

  38. Mani

    Hey Doyler,
    Started the eCPPT exam. I already have system on the webserver. Having difficulty getting any further. Keeping it to a minimum, I was expecting traffic from corporate IPs to visit either of the sites where I have a shell waiting, but it’s been a full 24hrs and not a single visitor. Am I knocking on the wrong door?
    Any hints to proceed? Simply what I should be looking for.

  39. Bryan

    First off, thank you for sharing your experience. I am currently doing the eCPPT and am having a rough go at the webserver. Any pointers you could give would be greatly appreciated. If it’s easier please don’t hesitate to email me. Thanks.

  40. Bryan

    Never mind. I found my way in.

      • Bryan

        Thanks for the reply. Could you send me an email I have some questions about the bof portion.
        Thanks again.

      • Bryan

        So here is my predicament. I have no issue with building a buffer overflow exploit from a proof of concept (did it in under an hour for my OSCP). However, I normally have a service to attach my debugger to. I have the .exe and .py files from the one place but cannot locate the service. Is it located on the server that was captured or am I supposed to download it from a different one? Or do I have everything that I need and I’m just not seeing it? Don’t want any answers, just a tip to point me in the right direction. Thanks

  41. Bryan

    I don’t want to give anything away, but if that was the case I would not be having any issue. I got both the .exe and the .py from the same place. I could go into more detail through email.

    • I already know what you are referring to, and my answer from before is still the same. If you have an .exe and a .py then you have the server/service, and you have the client.

  42. Bryan

    I guess I’ll look at it again. Thanks for pointing me in the right direction.

  43. Bryan

    Ok so I’m on my last day with a few hours left. I have found an oddly named .exe file on a Win7 box, but when trying to run it I get “gobbledygook.exe is not a valid Win32 application”. I have tried running it in every compatibility mode on the server that I found it on as well as other servers (mine and theirs), but I get the same error every time. Am I wasting my time with this thing?

    • If you don’t think the application is that useful, then you probably don’t have to do anything with it. Remember that this isn’t a reverse engineering course or anything like that!

      • Bryan

        I was under the impression that that was the service to help me write the buffer overflow. Damn I’m at a loss where to find the buffer overflow then.

  44. Mike

    doyler, congrats on the pass and the info. Like many others, I am down to the BOF and DMZ. I have the BOF working locally, but not in the exam. Would appreciate a quick email to provide more detail of what I am seeing.

    • Thanks Mike, and glad to help!

      As far as the BoF is concerned, verify once more that it’s working locally. If it is, then there is likely a problem with your payload. In that case, you’ll want to re-verify bad characters, try other payloads (bind vs reverse and vice versa), as well as different TYPES of payloads (meterpreter vs cmd, etc.).

      As far as the DMZ is concerned, keep going at it!

      • Bryan

        I’m trying to get the BoF, but I don’t recall there being a bad characters section outside of the null byte. I am trying to apply the way that I learned in the OSCP, but it’s not even close to being similar. Also, when trying to track down the JMP instruction, the only instruction not protected by SafeSEH is in an .exe with a null byte in the address. Any pointers?

  45. John

    Hi Doyler and others,

    I’m almost down to the BOF and DMZ too. I have a question that is bugging me… I added the static routes on the web server, one for DMZ and one for Corp, and got the boxes for Corp responding. But DMZ shows nothing up, and I have tried all manner of nmap scans to compensate. Do I need to add the whole /23 as one entry? The provided map shows I don’t need to double pivot to get to DMZ. Perhaps some broad guidance? Thanks!

    • Hi John,

      What do you mean when you say you added static routes? You will need to discover hosts from more machines than just the initial foothold, I can definitely tell you that.

  46. John

    Do you mind contacting me directly or let me contact you?
    I can describe the situation.

    Thank you!

  47. Bryan

    Hey Doyler,

    I am having trouble finding the additional vulnerabilities on the web server. If you could email me I could explain what I have tried.

    • Unfortunately, I cannot. That said, if you are still missing vulnerabilities, make sure to follow your attack process completely.

      Perform Information Gathering – see what can be attacked, what is open, etc.
      Enumeration – discover services, applications, possible attack surface.
      Exploitation – once you have some possible attack surfaces, try to exploit them.

      As the first step is a web application, make sure to check the server as well as the application layer for vulnerabilities.

  48. Sebastian

    Hey Doyler,

    I’m a bit stuck on the BoF.
    I do have all the info, like how many junk bytes; I have jmp esp.
    Seems like I have an issue with hex to ASCII, etc.
    Could we connect via email? It’s just about the Python script …
    I would be grateful.

    • Great, if you are able to hit your JMP ESP, then you’re almost there!

      As far as Hex and Ascii are concerned, you should be fine if the JMP ESP is being hit. You’ll want to encode your shellcode the same as everything else: “\x90” etc.

      That said, if Meterpreter payloads aren’t working, think about some other payloads that you might be able to use (non Meterpreter, bind vs reverse, command execution that still gives you access).

      If it is working for you, then it is likely just a payload or bad character issue.

      • Sebastian

        I have managed to reach the DMZ.
        And stuck 🙂
        I’m on a box…… just don’t know in what direction I should look…… checked a lot of things …
        Any small tiny hint?

        • nessie

          What have you been doing at each system you get mere access to?
          Recall it’s a process you conduct whether it be Windows, iOS, Android, *ux …

          Exactly: enumerate enumerate enumerate 🙂

          • I couldn’t have said it better myself! Remember to follow your entire process on every box, during every phase of the engagement.

            Also, don’t forget, like the real world, you might not always be able to compromise/fully compromise every target!

          • Sebastian

            Hey nessie,

            I think I know what I have to do; I’m just running into a problem with how to reach it, don’t want to spoil too much.
            Is Burp Suite required?
            I could explain a bit more to you over email if you don’t mind?

          • Sebastian

            NEVERMIND GUYS, rooted DMZ hahaha. I was watching that and I thought I hit the wall 😛 and it was in my face 🙂

            ……so happy !!!

          • Sebastian

            And one more thing to nessie: actually your hint to enumerate enumerate was bad.
            You can enumerate all week, but if you don’t know how to reach resources, then your enumeration won’t help.

        • Mike

          Would appreciate a hint. Bind works in my lab, but not on the exam.

          • Hi Mike,

            If bind isn’t working on a target (any target, not just the one you are working on now), then there are a NUMBER of issues that could be causing it.

            Host based firewalls or intrusion detection/prevention systems, network configuration, etc. That said, you should always try more than one different payload (bind/reverse, meterpreter vs not, command vs C2, etc.) if you are certain that your exploits should be working.

          • Mike

            Hey Doyler,

            I have used bind and reverse shell on several others without issue. I am just having a time on the BoF system. My script with the JMP ESP seems to work on multiple systems within my own PoC; to include “bad characters”. Also, I have tested my connection from the attack system and can communicate with the system prior to launching the script. If you want to PM me, I can go into greater detail.

          • Hi Mike,

            Correct, exactly. If a bind (or reverse) shell doesn’t work on a specific target, then the payload is likely the culprit. Just because you can connect to a box doesn’t mean that a firewall or host based protection isn’t stopping you. In this case, you might want to try some different payload types.

    • Bryan

      Python 3 sends data over the wire in Unicode, which is why you are getting the C2 issue. If you were to rewrite it in a different version of Python (or figure out the differences) it might work better.

    • Mike

      Can we connect via email?

  49. Mike

    Hey Doyler,

    Thanks for the input. I think I have a networking issue at this point. I understand the concept of connecting from my system via another system to a non-routed system, but not sure of the reverse. Would appreciate some guidance, if possible.

  50. jay

    Hello all,

    I am a PTS seeking to take the eCPPT exam soon. How much time is needed for an unemployed student to properly exploit all machines during the test?

    I have done 60 days of OSCP lab time and exploited 15 machines in addition to completing all the coursework. I have also recently passed the CISSP exam. I have CEH, Sec+, and Net+. I have some experience but when it comes to pentesting, I am new but I can exploit machines. In addition to my OSCP notes, I have 35 pages of notes from my PTS studies.

    • Hi Jay,

      It will honestly depend on you, your time, and general skill. That said, there aren’t a ton of machines during the test, and you have a total of 7 days.

      If you knock out all of the material and labs, you should be fine. Just make sure to follow your entire process on every machine that you encounter.

      I was working the entire time, and 7 days was definitely more than enough.

  51. jay

    Thanks a lot for the reply. You think I can ask you a question in private?

  52. Jordan

    I have been banging my head against the wall with this BOF. If you could confirm some things so I don’t feel absolutely insane, that would be awesome… my exam ends Friday around 5pm and I’ve been up until about 2am the last couple nights and then going to work – already took Monday off :/

    So I have two addresses from !mona… are these the two correct addresses? I have a Win7 lab machine that it works on and survives reboots, so those are the two I’ve been playing with. I do think it’s odd that it’s the location of the exe itself though. There are three payloads that work flawlessly against my lab machine, two of which I’ve tried against the vulnerable machine. Will end up trying another one or two tonight.

    Just wondering if there are two addresses mainly I guess, idk.

    • Like many posters before, don’t forget to try different things.

      If you have it working on your test environment, then your JMP is likely correct (assuming you don’t have ASLR on or anything). In that case, it means that your payload is the issue.

      In that case, you’ll want to try different payloads (Meterpreter, non Meterpreter, bind vs reverse, command execution that still gives you access).

      Good luck!

  53. Jordan

    Hi Doyler,

    Thanks for the reply, you’re a saint!

    I ended up getting it at 3am last night, so that’s a win 🙂 Now just the goal machine and then it’s report time.
    It’s funny, the payload that didn’t work on my lab VM was the one that worked and it was kind of a last resort – I just thought hey why not try it, it makes the most sense given the environment. I did read through your other advice but because I was trying more complex payloads I missed the simple one.

  54. Jordan

    Hi again Doyler,
    I’m completely stuck on the DMZ box priv escalation…there’s something interesting running on a localhost port that seems to be suspicious but I haven’t been able to get anything out of it.

    Am I on the right track?

    • Jack

      Hey, do you still need help? what is your email address?

      • Roti

        Hi Jack,

        Please, I need tips as I am currently not able to escalate my privilege on the webserver on the eCPPT exam. Any hints will be appreciated. My email is

        Thank you.

        • Quentin Hovasse

          I am stuck at the same point. Any tips?

          • You’ll need to remember to follow all of your steps if you’re having trouble finding server/services or exploiting them!

            Make sure you are going through all of your proper steps.

            Perform Information Gathering – see what can be attacked, what is open, etc.
            Enumeration – discover services, applications, possible attack surface.
            Exploitation – once you have some possible attack surfaces, try to exploit them.
            Post Exploitation – more information gathering etc. on the local host.

  55. Bryan

    Hey Jordan,

    When doing priv escalation I like to start with the basics and move on from there. Here is a link that I relied on heavily when taking the OSCP.
    Good luck.

  56. John

    Doyler anyway you can email me at if you have a second to talk about the exam.

  57. Oli

    Man, reading through your writeup and all the comments it seems no one had any trouble with the part I’m stuck on! I thought I was going to breeze through it after nailing the BOF.

    I rooted the initial server, got system on the machines in the corporate network that I found and identified the DMZ server along with how I assume we’re meant to connect to it. But I do not have credentials for it! I feel like I must have gone meticulously through every folder on every machine multiple times, found a few files obviously planted there by the eLS admins but nothing containing the right info to take me to the next step. I’ve tried looking for keys in registry, using findstr to search for keywords in all files, using sessiongopher powershell script..

    I’ve been stuck at this point for 3 days now and have 2 days left. Frustrated! I bet I’m missing something right in front of my face too.

    (Not really asking for a hint as it would be a spoiler, just venting into the ether whilst I wait for inspiration)

    • Haha, yea, seems like a lot of people have issues with the overflow.

      I edited a few things from your post, but not too much.

      That said, if you have figured out how to connect to something, you might want to think about what you’d use to connect to it, and go from there.

  58. Oli

    I managed to get in in the end, boy it was frustrating but when I finally got it.. well that feeling is why we do it all right?

    Took a day off afterwards, now I just need to get this report done and cross my fingers that I didn’t miss any big vulns!

  59. roeland

    Hi Doyler, can you send me an email to discuss something about the eCPPT (need no hint but just have a question which I can’t post here). Thanks!

  60. Yati

    Congrats on clearing the exam bro.

    I am doing the exam now. I have been stuck in the BoF part for the past 2 days and still have one more day to go. I am getting the shell session on the test environment, but when I send the same in the exam it doesn’t work; tried different payloads and removed the bad chars, yet didn’t get through. I am using Ruby instead of Python.

    What am I doing wrong? Can you send me your email to discuss? Thanks

    • Hi Yati,

      Thanks, and it was a fun one.

      As far as the BoF is concerned, verify once more that it’s working locally. If it is, then there is likely a problem with your payload. In that case, you’ll want to re-verify bad characters, try other payloads (bind vs reverse and vice versa), as well as different TYPES of payloads (meterpreter vs cmd, etc.).

      If it’s working locally, but not on the target, then think about what might be stopping it. There are firewalls (port bindings or port connections), AV etc. (blocking meterpreter but not reverse_shell), and general bad characters.

      Also, I recommend using the provided Python script, unless you are certain that your Ruby script is working locally.

  61. Greg

    I don’t want to put too much detail in, so I don’t spoil anything, but I’ve compromised a host (found a couple others too), enumerated the hell out of it, found some references to files on a web server but cannot get to them, cannot get RDP access, and cannot access any additional shares. I’m getting to the paralysis by analysis point and don’t know which machine to focus on. Any hints would be appreciated.

    • Hi Greg,

      Based on the filenames, those are likely related to the buffer overflow portion of the exam (which is basically public knowledge). At this point, I would try and find those files, or get access to them. Once you do, you should be able to work on that exploit as well!

      • Greg

        Thanks Doyler,

        Do you mind sending me an email to follow up on this question? I don’t want to put spoiler details here but I think some additional information would help clarify what I was saying.

  62. Tim

    Hi Doyler,

    I had one question… I’m doing eCPPT right now and I was wondering if you need the sniffing & MiTM part (Wireshark, etc) for the exam.

    eLearnSec says that WiFi hacking is not required for the exam, but I couldn’t find out if the sniffing & MiTM lesson (Network Security) is part of the exam.

    Thank you very much for answering everybody’s questions on your website 🙂

    • Hi Tim,

      You will not need to perform any wireless attacks, but there might be network attacks on the exam! That said, everything is fairly straightforward as long as you go through the material.

      You’re welcome, and glad to help!

  63. Jason

    Hi Doyler,

    I’m a newbie to the pentest field. Although I have 12+ years of experience in InfoSec, with a CISSP, I have nada knowledge in scripting/pentesting. I plan on enrolling in eJPT followed by eCPPT. There are a ton of videos on Udemy and other websites that talk about intro to ethical hacking from scratch to intermediate. They all last for several hours. Would you recommend I review those, rather than focusing my efforts on just the material provided by eLearning for eJPT and eCPPT?
    Also, is eJPT a prerequisite for eCPPT?

    • Hi Jason,

      Awesome, and best of luck with getting into pentesting!

      I think if you’ve already started/plan on starting the eJPT, then that’s sufficient for now. The eJPT isn’t a pre-requisite, but it can definitely help if you have zero experience. That said, I went straight for the eCPPT.

  64. es

    Hi All,

    Able to give tips on whether proxychains is needed?

    Autorouted from the webserver, used pingsweep and found 2 hosts but can’t nmap them. All is denied.

    • You will need to use proxychains in any situation where you want to route from one network to another.

      That said, if you can connect to/see an additional host, then it never hurts to attempt to connect to it from a previously compromised host.

      • MN

        Hi! I’m stuck in the BOF. I receive a socket connection reset error when I overflow the input with exactly the offset, but in Immunity Debugger the client “.exe” doesn’t overflow, and it is not possible to generate a crash and perform a payload injection. Can anybody help me?
        I am testing with the .exe and .py locally and remotely (always with the clients).

        • If you are using the offset, then you need to make sure you are overwriting EIP.

          Also, if there is an “exe” you are debugging, then it is likely a server and not a client.

          Make sure to follow all of the steps in the material!

  65. Nick

    Hi doyler. I am stuck in the BOF. I don’t understand how I can debug (Immunity Debugger) a client exe. Should I create a py receiver program for client communication?

    • Hi Nick,

      If you have an EXE, it’s more than likely the server, similar to the course material. In that case, you want to debug the server that you’re trying to crash. You can create a Python client though.

      Good luck!

  66. ES

    The BoF server contains an exe, but no Python scripts are found, even when using the meterpreter search function? Only a c++

    Another question is, if I put Immunity Debugger on my Kali and extract the exe out there, there shouldn’t be any issue, right?

    • If you have a server, then you can always write your own client! That said, meterpreter search isn’t going to help you at all if you’re writing a custom exploit.

      Make sure to follow all of the steps in the course material!

      No, that won’t work at all, since Immunity is a Windows application.

  67. Hi there Doyler,
    Can I email you? I’m not looking for an answer, but I want to ask you something.

  68. n00b13

    Hello all,

    I am in need of help regarding the BOF. During my last attempt of the exam, I was faced with a problem. The steps and processes described throughout the course material and videos did not work. Please help.
    n00b13 at protonmail

    And congrats to all of you who conquered the test. Doyler, much respect man; you’re a beast.

    • Hi n00b,

      If you’ve followed the steps and processes exactly, then you should not have any problems at all. Were you able to replicate the steps and get to the point where your payload was executing? If not, then you might have missed an important step.

      If you did, then I recommend reading through these comments for suggestions regarding trying various payloads.

      Thanks a lot!

  69. Bleon

    I wanted to ask some questions. Would you mind writing to my email?


    • Hi,

      I’ve sent you an e-mail. That said, I’m not willing to discuss any spoilers or overt hints, but always glad to help!

      • Guy


        I am able to get calc to open, but not able to use any payload, not even add user. Would you mind pointing me in the right direction?

        • If you are able to get calc to open, then it means your entire exploit is working. In that case, you’ll just want to make sure that you try different payloads. Example: if Meterpreter payloads aren’t working, think about some other payloads that you might be able to use (non Meterpreter, bind vs reverse, command execution that still gives you access).

          • Guy

            Yes, but all addresses are ASLR… so in theory it won’t work on the remote host, correct? Am I setting up my test env wrong?

            Thanks for the reply !

          • You do not need to worry about ASLR, so that is not the issue.

            If it works on your test environment, then it will work on the target! At that point, it’s just a matter of getting a working payload. Remember things like firewalls/antivirus, potential bad characters, etc.

          • Guy

            Sorry, I’m not sure I’m understanding correctly. I’ll need to use a DLL address to make sure my calc opens. If the memory address isn’t the same as the remote one, then how do I proceed?

            How would I be able to control EIP to point to the shellcode ?

            Once again thanks for taking the time to answer.

          • You already have the DLL address if you’re making it pop locally. There is no ASLR, and the operating systems are exactly the same. In this case, you just need a more useful payload and execute it, just like the course taught.

          • Guy

            I don’t have a DLL. Even on corp networks all modules show ASLR enabled. Thank you for the help, I will keep trying.

          • I promise you that if you didn’t learn about ASLR in the course, then it is irrelevant on the exam. Again, if you can execute shellcode on the dev system with an exploit, then your exploit will work just fine on either system. At this point, it’s a matter of your payload. Follow the course instructions, and don’t be afraid to try different things!

  70. elbanador

    Hey, I’m currently taking the exam, got access to most machines, but I’m curious to know if all discoverable machines are exploitable?

    • Try to treat the exam as an actual penetration test. Try to find as many vulnerabilities on as many machines as possible. Some might not give you a shell on the machine, and some machines you may never end up compromising.

  71. Roberto C.

    Hi Doyler.
    After a couple of very challenging weeks, well, I got (redacted progress on the) DMZ machine…

    Can you confirm that you need to obtain access as the root user?


    • Hi Rob,

      Remember what the rules of engagement state. Obtaining root is a necessary, but not sufficient, requirement for passing the exam.

      Good luck!

  72. Roti

    Hi Sir Doyle,

    Welcome and trust you are doing great!

    I’m about to start the exam but a bit nervous.

    Will MITM skill or client side exploitation be required for this exam?

    Would also appreciate if you can inbox me your email.

    Thanks bro


    Hi Doyle, I just started the exam and I have been able to exploit the webserver. Unfortunately I have not been able to obtain root.

    Any hint on what to do next? I have been on it for 3 days. Please SOS. Thanks

    • Hi Roti,

      I combined, redacted, and deleted one of your comments (sorry it took so long, but manual process).

      As far as what is required during the exam, just what you will learn/have learned during the course!

      For privilege escalation, make sure to follow all of the steps you have learned in the course. Additionally, it is always important to follow your process (Information Gather -> Enumerate -> Exploit -> Post Exploitation -> Information Gather), document everything, and you’ll be good to go!

      Best of luck!

  73. Roti

    Thanks Sir.

    I have started and exploited the webserver, but I am finding escalation to root difficult.
    The best I achieved is getting access to the /etc/shadow file, but I am unable to crack the root password.

    Any advice will be appreciated.

    Thanks once again

    • I’m using proxychains from the web server into the corp network and found several hosts, but I’m unable to get nmap to work: all ports are filtered. I’ve tried changing the timing to T1 and -Pn, but still no luck.

      Was thinking about sshuttle, but I’m not sure it works on Windows…

      Anyone help please?

      • How were you able to find these hosts? If you are sure they are up, nmap scans could be blocked. You could either try a different scan type, or some ports that you aren’t checking.

  74. craig

    Hey doyler/all,

    I’m struggling with the overflow part of the exam. I have got it to work locally and got the application to crash in the exam environment. I know my machine cannot talk directly to the vulnerable machine, but even with autoroute/portfwd and multiple payloads, I still can’t get it to connect…

    Happy to chat further to anyone:

    • If you are able to get calc to open, then it means your entire exploit is working. In that case, you’ll just want to make sure that you try different payloads. Example: if Meterpreter payloads aren’t working, think about some other payloads that you might be able to use (non Meterpreter, bind vs reverse, command execution that still gives you access).

  75. gRoot

    Hello Doyler,

    Thanks for this review of the eCPPT exam. This inspired me while taking this certification. I am on my last 3 days of the exam and I am stuck on the Windows machine. I already know the DMZ server, but I think I need to know first the servers involved in BOF. I am excited for the BOF part but still need to find the server (I found it maybe, but still not rooted). May I email you to ask for some guidance?

    Thank you very much in advance!

    • Thanks, and good luck with the exam!

      You’ll need to remember to follow all of your steps if you’re having trouble finding servers/services.

      Make sure you are going through all of your proper steps.

      Perform Information Gathering – see what can be attacked, what is open, etc.
      Enumeration – discover services, applications, possible attack surface.
      Exploitation – once you have some possible attack surfaces, try to exploit them.
      Post Exploitation – more information gathering etc. on the local host.

  76. Jason Ford

    Hey mate,
    Thanks for the article, good read as I’m prepping for the exam.

    I have one simple, no spoiler question… Is everything in the exam included in the course materials (Labs, Videos & Slides) ? Would you suggest doing additional research on any particular topics?

    I’ve done the Labs 2-3 times and been through the other materials thoroughly, done some OSCP-like BOF labs, set up proxy chaining on local VMs, etc. I feel ready; I just don’t like curve balls that weren’t (or were barely) taught (kinda like the WAPTX exam).


    • You’re welcome, and thanks for reading it!

      There is definitely no need to do any additional research outside of the course work. I had no previous pentesting experience, and only went through the labs once when I took the course.

      There aren’t really any curve balls, and if you understood everything you should be good to go.

      Good luck!

      • Jason Ford

        While I’m awaiting my result, I’m pretty confident I passed, and it only really took 4 days (the rest of the time was confirming, optimizing and reporting).
        The biggest curve ball was preparing the BOF thinking I only had 1 chance (would have to reset the lab).

        Thanks for the info and the reply!

        • Awesome, and hopefully you passed!

          Yea, you’ll have more than one chance during the exam as well as most real world scenarios.

          Glad I was able to help, and best of luck.

  77. fago

    Hello doyler,
    Can I ask you a question about the eCPPT? Would you be so kind and send me an email? 🙂

    Best Regards

  78. goid

    Hey Doyler/all,

    I am currently really struggling with finding the credentials to log into the DMZ Machine. <redacted> Would appreciate a little hint to make a step closer.
    Best Regards

    • You’ll need to remember to follow all of your steps if you’re having trouble finding useful information.

      Perform Information Gathering – see what can be attacked, what is open, etc.
      Enumeration – discover services, applications, possible attack surface.
      Exploitation – once you have some possible attack surfaces, try to exploit them.
      Post Exploitation – more information gathering etc. on the local host.

  79. carl

    Hi, I do need your help.
    I’m struggling to solve a knotty problem concerning web application penetration test.
    I’d like to get in touch with you in person through email.

    thanks a lot

  80. Tom

    Hi doyler,

    Great post, thanks. Can you send me an email? I would like to ask you something about the lab. Not sure if it’s a technical issue or this is how it should be?

    Kind regards,

    • Hi Tom,

      If it’s just a technical issue and not spoilers, then it might even be faster to post it here. Plus other people could run into the problem in the future!


  81. David

    Hey Doyler,

    Great article! Have you ever run into any issues with Metasploit’s shell_to_meterpreter module? I already know the exploit path for (redacted), but I’m running into issues not being able to upgrade my command shell to meterpreter.

    Feel free to email me if you get a chance. Also, if I included any spoilers then feel free to redact them.


    • Hi David,

      Thanks for reaching out to me! I haven’t, but I haven’t used it a lot in the past to be honest. That said, if you’ve got a standard reverse shell, you should be able to perform most of the Meterpreter functionality with a bit of modification or extra files.

      No real spoilers though, and thanks for keeping them out!

  82. Dave

    Hey Doyler,

    I’m on the BOF part right now and I have a local exploit working on my WIN7 machine. I’m confused on how exactly to reach the host where the buffer overflow service is listening.

    I’m unable to ping it from the corporate machines I’ve exploited and I’ve tried adding static routes to it as well. I see it in the arp table of one host.

    Any advice would be much appreciated.

    • You should be able to reach the BOF service fairly directly, the same way you were able to hit any of the other hosts.

      That said, if you’re unable to ping it from ANY host, then I might reach out in case there is an issue with the networking.

      Good luck!

      • Dave


        Yeah, currently unable to ping it from any host, but I am able to execute my exploit against it and connect to its port through proxychains, so I’m assuming it works fine? lol

        Just need to figure out the proper shellcode to send, I’ve tried a few so far with no luck, but may need to just keep trying like you mentioned in your other comments 🙂

  83. Daniel

    Please contact me!! I have some questions regarding the eCPPT. Thanks!

  84. gerard

    Hello, congratulations for your blog and all your certificates.
    Since I am about to take the eCPPT exam, I would like to ask about the Kali operating system: should it be in a VM, or a clean installation with a partition on a clean machine?

    • Thanks! As far as the eCPPT was concerned, you will be just fine if you use Kali inside of a VM. You don’t even really need to worry about a clean installation either if you already have one.

      Good luck!

      • gerard

        What version of Kali do you recommend? The latest one, or one in particular?
        Thanks in advance

        • The latest version will be just fine, and should have all of the tools you want or need! If you run into slight issues with command/flag differences, then make sure to check Google or the man pages.

          • gerard

            Hello, and I’m sorry, but could you give me some info about this:
            are the exercises given in the laboratory similar to the exam? Let me explain myself better: is all the course material, without consulting other material outside the course (tips, manuals, etc. that are not e-learning), suitable for taking the exam, or do you need to go deeper even outside the normal teaching of the course?

          • All of the course materials will be more than sufficient to pass the exam! You just need to make sure you understand all of the information and how to perform the steps.

  85. Samuel Faubert

    Hey doyler,

    Would you be able to shoot me an email? I’m having issues with the BOF part of the exam. I have multiple working payloads on another machine in the corporate network that I was using to test, but nothing works on the actual target for this exploit. Thanks!

    • Like many posters before, don’t forget to try different things.

      If you have it working on your test environment, then your JMP is likely correct (assuming you don’t have ASLR on or anything). In that case, it means that your payload is the issue.

      In that case, you’ll want to try different payloads (Meterpreter, non Meterpreter, bind vs reverse, command execution that still gives you access).

      Good luck!

  86. Quentin

    Hi Doyler!
    I have a question I can’t figure out.
    I am at the BoF part. I have my .exe and my .py. I modified the .py and I can display the calculator; everything is fine so far. But I did it on my local machine, which is Win10.
    I generated a payload which is not working, but why not, I will change it until I’ve got a shell on my Kali. The part I don’t understand is: how is it going to work on the final target? The EIP I chose matches a DLL address which changes when I reboot my machine.

    Regards and thanks for your help!

    • Your DLL address should not be changing locally, unless you have ASLR enabled/are attacking an ASLR enabled library. Make sure to follow the course recommendations and test on a similar system (the provided VM). Once you get a working overwrite and JMP, then it will work 100% of the time!
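The ASLR questions in the Guy thread above and in Quentin’s comment (a DLL address that seems to move between reboots, or Immunity reporting every module as ASLR enabled) come down to one per-module property. Whether a Windows module opts into ASLR is a bit in its PE optional header (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE), and the loader can only honour that bit if relocation data was not stripped at link time; a module missing either one is mapped at its preferred ImageBase every time, which is why an old lab binary and its DLLs sit at fixed addresses and why a hardening review flags exactly these fields on a production build. The following Python script is an added example and is not code from doyler’s post or from the eLearnSecurity course: it parses those header fields with only the standard library and reports them. The input is constructed in the script (the helper build_test_pe, the three file names and their flag combinations are made up for the demo and produce headers, not loadable binaries).

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification
DLL_FLAGS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",      # module opts in to ASLR
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",         # DEP compatible
    0x0400: "NO_SEH",
    0x4000: "GUARD_CF",
}
IMAGE_FILE_RELOCS_STRIPPED = 0x0001   # COFF Characteristics bit: no .reloc data


def pe_mitigations(data: bytes) -> dict:
    """Parse a PE image (EXE or DLL) and report whether ASLR can actually relocate it."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)          # offset of the NT headers
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, _nsect, _ts, _sym, _nsym, opt_size, characteristics = struct.unpack_from(
        "<HHIIIHH", data, coff)                                  # 20-byte COFF file header
    opt = coff + 20
    if opt_size < 72:
        raise ValueError("optional header too short")
    (magic,) = struct.unpack_from("<H", data, opt)
    # ImageBase is a DWORD at +28 in PE32 (0x10b) and a QWORD at +24 in PE32+ (0x20b);
    # DllCharacteristics sits at +70 in both layouts.
    if magic == 0x10B:
        (image_base,) = struct.unpack_from("<I", data, opt + 28)
    elif magic == 0x20B:
        (image_base,) = struct.unpack_from("<Q", data, opt + 24)
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    flags = sorted(name for bit, name in DLL_FLAGS.items() if dll_chars & bit)
    relocs_stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    # ASLR needs both the opt-in bit and relocation data; otherwise the loader keeps the preferred base.
    aslr_effective = "DYNAMIC_BASE" in flags and not relocs_stripped
    return {
        "pe32plus": magic == 0x20B,
        "image_base": image_base,
        "dll_characteristics": dll_chars,
        "flags": flags,
        "relocs_stripped": relocs_stripped,
        "aslr_effective": aslr_effective,
    }


def build_test_pe(dll_chars: int, characteristics: int = 0,
                  pe32plus: bool = False, image_base: int = 0x10000000) -> bytes:
    """Hypothetical helper: build a minimal PE header for testing (constructed data, not a real binary)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew: NT headers follow the DOS header
    opt = bytearray(96)
    if pe32plus:
        struct.pack_into("<H", opt, 0, 0x20B)
        struct.pack_into("<Q", opt, 24, image_base)
    else:
        struct.pack_into("<H", opt, 0, 0x10B)
        struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<H", opt, 70, dll_chars)
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, len(opt), characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def demo() -> list:
    """Three constructed headers: no ASLR bit, ASLR+DEP on a 64-bit image, and ASLR bit with relocations stripped."""
    samples = {
        "legacy_server.exe": build_test_pe(0x0000),
        "modern.dll": build_test_pe(0x0140, pe32plus=True, image_base=0x180000000),
        "stripped.dll": build_test_pe(0x0040, characteristics=IMAGE_FILE_RELOCS_STRIPPED),
    }
    return [(name, pe_mitigations(blob)["aslr_effective"]) for name, blob in samples.items()]


if __name__ == "__main__":
    for name, blob in {
        "legacy_server.exe": build_test_pe(0x0000),
        "modern.dll": build_test_pe(0x0140, pe32plus=True, image_base=0x180000000),
        "stripped.dll": build_test_pe(0x0040, characteristics=IMAGE_FILE_RELOCS_STRIPPED),
    }.items():
        info = pe_mitigations(blob)
        print("%-18s base=0x%x flags=%s relocs_stripped=%s ASLR effective=%s" % (
            name, info["image_base"], ",".join(info["flags"]) or "-",
            info["relocs_stripped"], info["aslr_effective"]))
```

On a real file, call pe_mitigations(open(path, "rb").read()). These are the same header bits that the !mona modules table in Immunity summarises per module; the point of checking them on the build you are responsible for is that a module reporting DYNAMIC_BASE with relocations intact is rebased by the loader on Vista and later, so no fixed address inside it should be relied on, whether in an exploit or in a regression test, while a module without the bit (or with relocations stripped) is the one to fix.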

  87. gerard

    Good afternoon. One thing intrigues me about the exam: is there a MITM attack or not?
    Generally for this type of attack there should be other users logged in for the data interchange.

    • As far as the exam is concerned, you will only be tested on topics in the course material.

      If there is any network traffic required to complete an attack, then it will be simulated (this is true for any course like this that you’ll take)!

  88. Tom

    Hi, Doyler!
    First of all, congrats and thank you for your post.

    I would be very grateful if you could help me a little bit with the exam, cause I feel I’m getting nervous. I got a ‘semi-interactive shell’ (somewhere), but I’m not able to make any full reverse work (neither Empire, nor crackmapexec or just using msfvenom), cause the machine won’t reach mine. I must be forgetting something obvious, but I can’t notice it right now. I have also reviewed all provided material and still nothing. Is there anything you can suggest?

    Please, feel free to edit my comment if you see I am spoiling something. Also, I hope I made it understandable (I tried not to spoil).

    Thank you in advance and happy new year.


    • Thanks, and good luck with the exam!

      If you have a connection to a host, then you don’t necessarily need a full reverse shell. Remember that there can always be firewalls or host-level defenses preventing you from obtaining a full reverse shell.

      In that case, you will either need to avoid those defenses, or stick with the foothold that you’ve already obtained.

      You too, and thanks again.

      • Tom

        Hi again, Tom.

        Thank you for your help. Finally, I was able to get an RDP session with Administrator rights, which I think is not bad 🙂

        I also compromised a few more machines (REDACTED). However, there are still some machines that I haven’t been able to exploit. Should I care about this?

        Thank you very much.

        Kind regards.

        • Congrats, and best of luck!

          I removed a few things that could have been spoilers or close to them.

          That said, try to treat the exam as an actual penetration test. Try to find as many vulnerabilities on as many machines as possible. Some might not give you a shell on the machine, and some machines you may never end up compromising.

  89. Rileyyy

    Hi Doyler,

    First of all I just wanted to say your writeup was amazing! Also congrats on all of the certs that you’ve got, I hope to get that many one day!

    I was wondering if you could help me a bit regarding the exam. I’ve managed to get into the corporate network and seen a machine running a service which I can connect to, although I can’t find any credentials! If possible, could you please email me? Thanks :):)

    • Thanks, and good luck!

      I edited a few things from your post, but not too much.

      That said, if you have figured out how to connect to something, you might want to think about what you’d use to connect to it, and go from there.

  90. Gres

    Hi Doyler,
    I, too, am completely stuck with privilege escalation <redacted>
    Am I on the right track? (Very little time left.)

    • You’ll need to remember to follow all of your steps if you’re having trouble finding servers/services or exploiting them!

      Make sure you are going through all of your proper steps.

      Perform Information Gathering – see what can be attacked, what is open, etc.
      Enumeration – discover services, applications, possible attack surface.
      Exploitation – once you have some possible attack surfaces, try to exploit them.
      Post Exploitation – more information gathering etc. on the local host.

  91. Hyd3

    Hey Doyler,

    Appreciate the review. Did you choose to write your report by vulnerability type or list the vulnerabilities per host/node? Just wondering what your recommendation is.

  92. LUIGI

    Hi, I do need to ask you a few questions regarding the eCPPT certification.
    I hope to hear from you soon

  93. Nico

    Hi doyler,

    Thank you for this amazing review.

    I am currently doing the exam (day 6) and I am running quite anxious at this point.

    I rooted 3 machines and am still working on the exploit dev part (got it working on my test machine but I must still figure out the good payload for the exam machine…).

    My question is the following: < redacted >

    • Thanks, and good luck with the exam!

      Unfortunately, I cannot answer your question. That said, if you are still missing vulnerabilities, make sure to follow your attack process completely.

      Perform Information Gathering – see what can be attacked, what is open, etc.
      Enumeration – discover services, applications, possible attack surface.
      Exploitation – once you have some possible attack surfaces, try to exploit them.
