Setting up the Stream Deck XL for Syrinscape (and a bit of homeoffice)

So I got myself a nice Stream Deck for home office work and for playing DnD and other TTRPGs online. How much of it is for home office and how much for DnD is up for debate.

Lesson 1) Microsoft Teams and shortcuts do not work as you might think ..

My best cheat so far is to use the advanced launcher to bring Teams to the foreground, have a one-second delay and then pipe the mute / unmute shortcut. More on that maybe later, or not.

Lesson 2) Well designing a good layout was easier and harder than I thought ..

Well first I tried to do syrinscape like everyone else did in the videos you see online ..

Step 1: Log into the online player

Step 2: Show the control links

Step 3: Make a new Website Action, Get in the Background, add Link

Step 4: Repeat Step 3 a gazillion times

Step 5: Get frustrated with folders over folders of stuff

Step 6: Watch

Step 7: Remember your days ages ago as a radar operator in the navy on an old 80s tech radar console using a light slide menu (basically the buttons had text which was illuminated by different bulbs, aka changing the text … and since that was expensive you had like 8-10 buttons but a clever structure)

Step 8: Have an insight …

Step 9: Spend some time working frantically …

Showing you my solution:

Syrinscape has some design based limitations:

-No volume control in the api

-Sounds keep on playing as long as they are not a one-shot

-No plugin for streamdeck (so you don’t see what is playing on the deck -> Lacking a return api)

Design Goals:

-Having an easy setup to launch an improv scene

               -> All my complex stuff is designed before the session ..

-No programming etc

-Easy to remember

-All sounds are just 3 clicks away (-> 4 if you count starting the RPG Deck from anywhere else in the Stream Deck) (2 clicks for playing the lvl magic sounds)

Will not bother you with my default screen .. just the RPG part :

Screen 1: The RPG landing page .. having all tools etc in the top row, my adventure logs for my two campaigns (aka open a TXT file) .. nothing fancy EXCEPT for the 6 buttons in the left corner:

Stop All -> Well Stopping all Syrinscape Playback .. Just to clear everything

One Shots -> Opens up the One Shot Selection Profile

Music -> Opens the Music Selection Profile

LVL -> Opens the Profile that contains the unnamed Lvl 0-Lvl 9 Sounds from The DND Spell Sounds .. just for firing off some random no-name magic if needed

Spells –> Opens the Spells Selection Profile -> Named Spells

Camp -> Opens up the Campaign Selection Profile (for selecting some of the pre-made soundscapes for the campaigns I play)

The next row over (3 from the left) is the “sub profile selector”. This setup is the same on all sub profiles ….

So the One Shots Selection Profile now contains buttons to select the sub topic of generic one-shot sounds … Here in the example the next screen would be the Doors selection.

The Music (rearranged it after the screenshots) goes to my music selection

The Spells to “DMG Spells” and “Buff spells” (might need to split the buff spells .. depending on my players)

Hope you folks found the idea and this mini tutorial helpful.


Lasse / Ucki

Feedback for Syrinscape:

-More Fight Oneshots -> Just for fights there is less selection compared to magic

-A soundset with all music would be nice (started one as community content)

-A soundset with all the oneshots (maybe by topic ) -> like the Ranger,Druid,Bard .. Spell Sets etc

-Maybe a volume api endpoint

-Maybe the button graphics for download (just to save right click save as ^^)

-Maybe a reverse api and a full Elgato plugin (*insert cat eyes look here*)

OSCP: The chain to loot

So you want to be a super evil pirate ninja leet hax0r ??

Well seems so, because even after I finished my OSCP I still get some DMs in the OSCP forums and even direct emails along the lines of “Well my exam is tomorrow .. plz help”.


Well so you want the evil super s3crät l00t ? So you need to know the super s3cr3t secret:


The Exploit chain.


The chain consists of the following links:

The exploit

The recon

The delivery

The payload

The receiver


Let’s talk about the solitary pieces of the chain, shall we ?

The exploit

Well, everybody is always crazy about these super evil 0days.

So you are a super script kiddie who got a mad super s3crit exploit from his friends in this dark irc channel and now owns 1000 shells around the world. Great, could you please step in this corner over there ? Great .. so you are this super pro nsa hacker with his pre-packed EternalBlue exploit .. great, step also in the corner … Ohh, so you are one of these elitist guys from the offsec irc preaching that using metasploit is bad and only handcrafted manual exploits from your grandma are the real deal .. well you know where the corner is.

We don’t care about the exploit in this article .. because if you master the rest of the chain the exploit is the most unimportant piece of all. It is the weakest link of our chain. An exploit can and will fail; after all you are using a buffer overflow or some other bug in your target’s software. So you are quite likely to crash or break something. If the rest of your chain is not secure, well .. no shell for you.


The recon


Let’s use a Lego analogy again: You say you want a Lego brick. Great, which of the 51k possible different types do you want ? That is the reason why I made so much fun in the exploit part: imagine how many different configurations an international company with different offices around the globe has ? I bet more than an easy 51k possible versions 😉 So any more information you can get makes the job easier. So if you say a gray piece I could ask you which type of gray: Light bluish gray, Dark Gray, Light gray etc etc 😉 Any information about the age of the piece ? Because different years had different types of gray (like say Windows or Linux OS have a release date, so if you know the version of say IIS or Apache you can tell which OS will be the most likely one). PROTIP: Make a list of Apache, IIS, Windows and Linux versions and their release dates. Quite handy now and then.

You can get more precise of course, so if you say slope 2×1 with a 2/3 cutout in light bluish gray .. well we are in business. Same with a precise version number of a software. Makes finding the right exploit easier. Or finding all hidden pages on a webserver, or even the Tomcat administration interface with the default password. Good precise recon is the key to a good chain to a shell. Any information you can present in a structured way makes your chain stronger.


The delivery

What do I mean with delivery ? Well you might have a cool RFI thing on that server you are attacking, but it is no use if you can’t debug your own webserver and make sure that that super evil payload is actually delivered to the target. Or if you don’t deactivate all scripting on your server you might get another shell than the one you expected. So make sure you can debug all ways you want to deliver your payload to the target. Make sure you get through the upload filter or that your payload has the right format to be working in the website etc. Or that you have the right url encoding for your sql payload etc. Or if you use an exploit script you might want to make sure with wireshark or tcpdump that the exploit actually sends something to the target. Make sure that you can take the stuff you want on the target to the target. If you can’t ensure that, you can have the fanciest vulnerability on a server and still not reach it.

The payload

Well you have a fancy exploit but you left the default payload in it and now calc.exe is open on your target. Great work. You might want to be able to pick the right payload for the target. Know what the difference between staged and unstaged payloads in msfvenom is. If you are in the labs it might be a good idea to spend time with a working exploit in metasploit and try every payload on the target. Make a list of which payload works best on which OS. What ports are working most of the time because they are open on most firewalls ? Know how to debug a payload or use the payload to ping all the open ports etc. Make sure you can verify that a payload is working. Juggling too many unknowns is a disaster. Have you ever tried to solve a math problem with 5 unknowns ? It is harder than solving y=2. Just saying that you should be able to pick the right payload and the right port to connect back to you, and be generally able to debug your payload.

The receiver

Well the receiving part is a chain link which is often overlooked by many people. But think about it: It would be really shameful if your firewall kills the incoming shell … wouldn’t it ? So you should be able to debug your end of the connection. Also it is common to try to catch an encrypted payload connection with nc. It can be done but not with the default settings you might expect. There is a reason why I set up msf/exploit/multi/handler for every payload. This way I have one thing I can practice and debug all the time, and a proven method of handling my shells without fear of nc crashing on the first attempt and me forgetting to restart it etc.


So that was my introduction to the magic chain to the loot.


As usual feel free to give me feedback.


Greetings ucki


Book Review Ayden‘s Choice (Nele Vonlanthen Book 1)

Now to something totally different .. a book review.


First a TRIGGER WARNING: If you are a person who tends to be triggered please don’t read the book or this review. Especially if you have problems with family violence and abuse. Really don’t read on in this case.

Link to the Website of the book:

Let’s start with a little disclaimer and then dive into the review. I got the book for free after I wrote that one of the comic panels on the twitter account to the book universe was not correct. I try to be honest while doing the review. I wouldn’t have bought the book; I normally read a lot but not from first time authors. I have had so many bad experiences with authors abandoning series, or writing bad stuff. If you watch Shad’s video you see there are many ways to screw up a book.

Just go to amazon and look for free ebooks. I made two literature mistakes in my life: First one was reading most of Anne Rice because our crew got the idea to choose one author and then get all the books for a deployment. Second one was to grab a lot of free ebooks from amazon for my year of travel. So now I’m super picky with my reading. You could write a total „Mary Sue Type“ of story, you know the HERO is everything. You know, Dragon Ball style etc. Or if you are a fantasy author you could try to write EPIC. You know: „They rode their Blarf to the Gnarf to drink some Snayrf.“ Because riding horses and drinking beer is not epic enough. Or you can go the full Lord of the Rings style and frontload everything with some hundred pages of „world building“. Or you can have your epic story and not be able to get the epicness over to your reader. Which is a problem if you want to build an epic series. You have to hook people with the first book. And to be honest, how many first books of an author or a series are out there which are really good ? I’m just rereading Terry Pratchett’s Discworld. To be honest he is my top 1 author. No questions asked. But the first „high fantasy“ books of the series are not really good.

Ayden‘s Choice is the first book in a world, if you look at the WEBSITE or on the twitter account you see that there are a lot of ideas still untold.


Sam Felix tried very hard to make a GOOD FIRST BOOK. And now I’m in a hard place. The book itself looks like a book for young adults / teenagers. Not too many pages, bigger font etc. Should I review it as a standalone young person’s book ? Should I review it as a part of an imaginary 60-book series ?


The writing and the pacing are good, which makes the book a good quick read, quite pleasing from the word crafting aspect. Not too much CYBER CYBER TECHNOBABBLE, ok a „Use the power of the net“ pseudo fantasy lingo here and there. No Mary Sue Super Hero, good flow. So reading the book is not hard even for a person like me not being a native English speaker (who would have guessed with that bad writing 😉 )

But unfortunately the story part is another beast.

Basically Ayden’s Choice is an introduction story to the „NELEVERSE“ and an origin story of Ayden. Like with all the Batman and Spiderman you get a superhero origin story. With all the classical problems.

You might know WASP ? Well, Lisbeth Salander from „The Girl with the Dragon Tattoo“ ? You know, this super duper hacker, with the super bad family story coming out during the series ? Just imagine all the family problems in one book. 2/3 of the book are basically family abuse. Yepp, just that beating and all the other bad stuff. So reading that was unpleasant even as a hacker, just knowing persons from bad families and not having the problems myself. So as a setup of good versus bad this works quite well, to be honest too well. Well, till the author had the idea to give the reader a glimpse into the mind of the villain. This works quite well if you have such an epic series like Game of Thrones. But unfortunately this is a short teenager book. So having to slog through 1/3 of the book with all the bad stuff happening just to get to the first action, just to have the villain crumbling because of that, is not very pleasant. So basic story: Ayden is in hell and the crew around Nele have to rescue him because he is also a hacker talent. And this is the point where the story exploded totally for me. I’m fine with slogging through an origin story even if it is such an unpleasant one. But to have such a super talented hacker crew (the author is trying to introduce them to us: super sleeper compartmentalized opsec galore crew, the social engineer is called deceptionalist) make such blunt errors hurts. They get their surveillance gear found, they never heard about signal proof bags (they are commodity hardware these days .. rfid, mobile signal proof bags coming in duffel size now), never heard about door locks, safe driving etc. Actually the book is 2/3 family violence and abuse and around 1/3 one of this elite crew trying to fix the problems they had because of some screw up, just to finish the book with a MacGuffin. And our hero leaves the book also looking like the last unforgiving asshole.
If you would spread out the story across some books, like Ayden remembering his backstory now and then and having some flashbacks and problems etc, it would work. But in this way it is just hard and not very pleasant. Which is quite a pity. The writing etc is good, the idea, world and the comic are quite good. This has the chance to be better than Tom Clancy’s “Net and Cyber” book series. You know, a realistic cool hacker book series. But because of this I really can’t recommend the book. Because I don’t know to whom. It is not a teenager book, not a hacker book etc. While I look forward to more comics and also other books of this universe, I think I can’t give it a 5 star review like the reviewers on amazon. Well that’s all for the first book review on this blog.




The thing about hacking ships

Lately we saw two major accidents in the US Navy. Well, actually there were more, but the media picked up on two:

While accidents happen all the time

(btw look for the signals, this is the pre-photoshopped version 😉 ) the infosec Twitter is full of OMG THE RUSSIANS HACKED GPS.

Let’s have a look here .. DISCLAIMER: I spent 12 years in the German Navy doing IT security and administration. I have a lot of „look what I found .. why are you crying skipper ?“ to my name. I will talk broadly. Security etc … Hacking ships is now more a hobby for me than a job. Some of my info might be a bit outdated or purposefully wrong …


A short introduction in navigational systems:


Most of you will have just a basic understanding of how a ship operates. Most ships will have distinct systems; as a simplification we will categorise systems into these function groups:

  • Going to places ( machine scada systems etc)
  • Knowing where you are (ECDIS (chart system), GPS, other navigational aids)
  • Knowing where everybody else is (Radar, AIS)
  • Living on that thing
  • Mission package (Cruise ship systems or weapons etc)


And how hard is it to hack these types of systems ?

For the machine scada stuff, well it is super easy and we have proof of that (Stuxnet, @viss on Twitter). Well on a ship it is harder because we have no back channel and no permanent internet connection etc, but with a usb stick you could hack this.


We will disregard system groups 4 & 5 for now. We want to hack on a broad scope.


The navigational aids are interesting to hack. ECDIS are certified systems, with a lot of known bugs; just look at this yt channel and try to spot all the old OS versions.

GPS on the other hand is HARD. Not because of the P(Y) encryption (btw no civilian signal no P(Y) bc of time dependencies, read up wiki) but because of physics. Spoofing is quite time sensitive, so while it is easy in a lab setting (and some universities did tests on ships) you need to be close to your target to overpower the sat on the antenna. If you jam from far away (low angle) your spoofing might not work. And since most ships have more than one receiver and one antenna it is quite annoying to spoof with good reliability. Oh and when you can spoof, why waste it on some lousy destroyers in peace time ? Also low angle jamming would be picked up by electronic warfare systems with a good chance. And this would trigger an angry response of the kinetic type, so not the best idea.

If I COULD spoof GPS without being close to the receiver I would sit in my evil bunker and laugh about all the precision ammo flying past it in a war setting. Too valuable in this setting to waste it for some dead sailors. Even as a test .. just grab one of the many predator drones as a sample. Drones malfunction all the time so nobody would make a big fuss about it.

AIS and Radar: well, Radar hacking or jamming is a thing, called electronic warfare. So proven concept. And AIS is not encrypted or secure. You could imagine it more like a numberplate transponder. Nothing fancy. If you want to cause trouble with it just grab a sailboat, sail close to a military exercise area and spoof some ships with a wrong GPS track inside of the target area and watch them stop shooting. Nothing really hard. And while smugglers and military ships often operate without AIS, it makes them stand out like hell on a radar pic, because a blip without AIS information = suspect.
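
The “blip without AIS = suspect” rule above, and its mirror image (an AIS track with no radar return, which is what a spoofed transponder produces), can be checked by correlating the two pictures. The following Python is an added example, not from the original post; the positions, MMSIs, gate sizes and radar range are constructed assumptions.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_NM = 3440.065  # mean Earth radius in nautical miles


@dataclass(frozen=True)
class RadarContact:
    track_id: str
    t: float      # seconds since start of the observation window
    lat: float
    lon: float


@dataclass(frozen=True)
class AisReport:
    mmsi: str
    t: float
    lat: float
    lon: float


def distance_nm(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in nautical miles."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * EARTH_RADIUS_NM * math.asin(math.sqrt(a))


def correlate(radar, ais, own_pos, radar_range_nm=12.0, gate_nm=0.5, gate_s=60.0):
    """Compare the radar picture with the AIS picture.

    radar_without_ais: radar contacts that no AIS report explains (dark ships).
    ais_without_radar: AIS identities reported inside our radar range that
    no radar contact backs up (possibly a spoofed track).
    The gates are assumptions; small craft or radar shadow also cause mismatches.
    """
    def same_target(r, a):
        return (abs(r.t - a.t) <= gate_s
                and distance_nm(r.lat, r.lon, a.lat, a.lon) <= gate_nm)

    dark = [r.track_id for r in radar
            if not any(same_target(r, a) for a in ais)]
    ghosts = sorted({
        a.mmsi for a in ais
        if distance_nm(own_pos[0], own_pos[1], a.lat, a.lon) <= radar_range_nm
        and not any(same_target(r, a) for r in radar)
    })
    return {"radar_without_ais": dark, "ais_without_radar": ghosts}


# Constructed sample picture (not real traffic, MMSIs are placeholders).
OWN_POSITION = (54.50, 10.50)
RADAR = [
    RadarContact("R1", 0, 54.5500, 10.5000),   # has a matching AIS report
    RadarContact("R2", 5, 54.4800, 10.6000),   # nobody claims this blip
]
AIS = [
    AisReport("999000001", 10, 54.5502, 10.5003),  # matches R1
    AisReport("999000002", 8, 54.5200, 10.4500),   # in range, no radar return
    AisReport("999000003", 3, 55.5000, 10.5000),   # about 60 nm away, ignored
]


def demo():
    return correlate(RADAR, AIS, OWN_POSITION)


if __name__ == "__main__":
    for kind, ids in demo().items():
        print(f"{kind}: {ids}")
```
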


And what happened? Let’s look at If I look at the damage pictures it looks like SOMEBODY tried to pass a high traffic area without looking left or right and without sending AIS because OPSEC .. so maritime jaywalking. Just my idea .. but if I have to choose between hacking (which is possible but a hassle) and some idiotic „macho man“ maneuver .. well my bet is on idiots 😉


Still alive – Braindump 05.07.2017


Hello everybody,

I’m still there, just a lot of things going on after my OSCP finished.

I will try to blog more but based on my current assignment it will be a lot more general 😉 NDA and such.


What am I up to :

-Building my Pentest gear

-Playing a bit with the Hak5 Bash Bunny

-Building a Pentest “Go Bag” Backpack for travel and incident response

-Setting up the work machine

-Building a report system to make writing my reports easier (you know I LOVE SCRIPTING and LaTeX)

-Learning more about BURP

-Learning to build stuff using R.



So I will post about these topics .. mostly as a mixture to remind me about my ideas and also to have a linkdump etc for later on. So my usual rambly braindumps with random lego pics as usual.



Topic “Go Bag”


Three years back I was first introduced to the idea of an EDC kit .. so using a pouch to have all your stuff in. I got myself a MAXPEDITION pouch and was quite happy till it got stolen, including my diary and fountain pens .. OUCH.

With the new job I need to travel a lot and also carry a lot of gear (pentesting feels like being a pack mule for electronics most of the time). While working at a client’s site I couldn’t get glue or scissors .. because it was a paperless office with heaps of paper .. GREAT. My goal is to have a backpack with all the MAIN office gear I would need (Part Office EDC), all the stuff I need to get my job done (Pentest EDC) and all my regular stuff (Personal EDC) in an organised and modular fashion. Right now I have a “regular” backpack and it is just annoying. So back to the military gear or more specialised backpacks it is.


Pouches, so far ….

For the pouches I thought about the VANQUEST ones .. but unfortunately they are “§$§”$$”§$ expensive in Europe .. 100$ products and 50$ shipping + custom fees .. this is not the eve online store boys … So maybe I will find them at a good price in Europe or I will have to find another EDC pouch. The nice part of the Vanquest ones is that they have staggered loops for pens, so you get more stuff in them .. great idea.


Backpacks so far …

Vanquest also has some interesting ideas, especially their idea to make a mixture of divided camera bag and military backpack, so that each pouch could have its own divider .. nice .. but again postal cost and duties etc

5.11 with the all hazards prime looks like the perfect solution. Internal MOLLE webbing would mean that I can secure my modular pouches, a lot of room for other stuff (laptops, NUCs, etc)

Then there is also the mention of the GR 1 .. but again price …

And as a last option just go with a big “dayhiking” one and just accept that my stuff is not as neat but save 50% compared to the “mil tech” stuff.


Topic “Pentesting Gear”

Well not too much here .. just waiting for my new work machine and thinking about getting a NUC as a mobile lab, or also as a thing for password bruteforcing or longer scan jobs


Topic “Bash bunny”

Not too much also .. the normal payloads are scary enough for most demos I needed .. but I want to build a payload to run around the most common dlp solutions just for fun .. but not a priority right now ….


Topic “Reporting”

Well I learned that RStudio can process LaTeX and can also build the pictures while running the code .. so NICE .. basically I just combined my public report template with some statistics to make the report a bit less technical and with more charts for management


Topic “R”

Ok R is a beast .. so much to learn … but it is cool .. basically I got it so far that I can now dump a xls from and generate my own bar graphs for the cvss score. Seems stupid I know .. but beats my Excel based workflow with ease … Only major hiccup .. you need to remember to import the score as numeric .. otherwise you will wonder why the 10.0 is not on top of the ordered stack but close to the 2.0 .. urgh …

And I built a map of pirates .. actually I wanted to build a geo ip thing .. but with not enough ram pirates are easier .. not so many and easy to spot if you have an error in your code (not on the oceans .. maybe an error)


“R” Linkdump:




Topic “Getting fit”

And I also started to use zombie run 5k to get a bit moving again .. so much out of shape .. well pentester 😉


General Linkdump:

Scripting the OSCP exam and getting some offsec swag

So in the last blog I hinted some other scripts. Now here is the full story:

Act 1: While I wrote my msfvenom wrapper a lot of people in our private chat group started to make jokes about my scripting and that I would write uckivenom, the next better metasploit. And chance was that my exam date was the 02.05 .. so one day after April Fools’ Day .. mmm let’s get to work. I wrote a little script muttering out nice random phrases and had some nice ASCII art.


Act 2: I started to hint at the script roughly a week before April Fools’ Day (and had 2 other guys put in the picture) so we started to build some interest.

Act 3: The owner of the private channel got word and started to freak out because he was fearing offsec


Act 4: The people knowing that it was just a troll started to start some little riot in our party chat to get me back.

Act 5: I be back


Act 6: I put the script on the offsec forums on April Fools’ Day. It was gone in 5 min (and I started to freak out, fearing a ban one day before exam)


Act 7: The forum post was back after 2h and normal students started to get fooled.

Act 8: After passing my exam I went to twitter and some friends congratulated me ^^ I mentioned the script and muts got wind.


Act 9: Offsec swag !!!


Scripting my way through the OSCP labs …

My way through the PWK course was, in retrospect, clearly divided in 3 phases.

In this blog I will give an overview of all the scripts and tools I built during the course and I will give some information about my progress through the labs. My time in the labs was dominated by a 7 month break (because of a new job).


Phase 1: Keeping my Boat afloat and scripting all the things …

My first phase (2 months roughly) was dedicated by my own hubris. I had enough experience in the IT-Sec field .. boy was I wrong 😉 I had my little boat and everything was dandy. I had too many targets so scripting my enumeration was a logical step. I looked into different enumeration scripts.

My absolute favorite was this:

Second place was sparta (also written by a student during the oscp course by the way).

But both of them were not modular enough for me. So I built my own recon pack.

Version 1 was this: It worked quite fine (Explanation for the pack is here:

After using it for a while I found the naming etc not perfect so I build

Well I failed the exam and started my new job .. so I had a 7 month break. And followed by phase 2:


Phase 2: Making the boat better and working on details.

In my second round I found a little private community (join up techexams and then you will find it) and it helped a lot to have other persons struggle with you. Sounds silly but you keep sane this way because you learn that you are not stupid and other persons also have trouble. Most persons don’t blog about failing the OSCP. You read more stories like “yeah I did it in 4h, was a breeze” than “OMG I FAILED SO HARD”.

I had a smaller target pool so I tried to learn more about manual scanning and a more thoughtful way of doing things. Slowly and deliberately so to say. While I still built stupid little scripts like that to list all win local exploits in metasploit and everybody was joking about my bad scripts, I was actually doing most of the stuff by hand. Only if I always forgot the parameters etc for a tool I would write a little wrapper to make my life a little bit easier and more comfortable. Like this one here to generate a folder structure with exploits with only giving your local host ip. The basic idea came from unfo (greetings mate) but I took the laziness a step further and also included a variable for the ip and some php stuff. So setting up shop with a new ip was easy. I also wrote some set up notes, they grew over time to a little cheat sheet and command reference:


Phase 3: Getting down all the TECHNICs

My 3rd phase was dominated by redoing a lot of my older hosts, and actually learning a lot from other persons. Just by picking up new ideas from our shared link list etc. While I only did a bit around 60% of the lab machines (around +-10% or so .. ) and skipped all of the BIG NAMES, I think I learned more in my last machines because I thought a lot about red herrings, false positive detection and reporting than on a lot of the easier ones where you just fire and get your root.

During that time I finished my lab exercise report (ok technically while in phase 2) and I practiced reporting with EVERY machine I rooted. During that phase I also learned that my skills in note taking were less than optimal. So I started to write the report and notes right into my reporting framework. Even if that meant cleaning up 100 pages of notes and cutting it down to a 2 page report on some of the deeper rabbit holes …. My cheat sheet also grew during that time and I finished my multipass multi payload msfvenom encoder. This gave rise to the name “uckivenom” and the chat always trolled me with my scripts. But that escalated in a different way and is a totally different blog post. 😉

As a bonus I include a list of stupid mistakes. Not including the idea to write a blog in the first place 😉

Snip from a forum post of mine:

So here is a collection of stupid errors I did .. if I remember more I will post more.

1) Meterpreter shells are cool .. but just give you gibberish if you try to catch them with a nc listener

2) Staged payloads also require a next stage and not nc

3) Never assume anything

4) Trust your guts

5) Don’t trust your feelings enumerate better

6) If you want to wget something from your machine first make sure that apache is running

7) If you want to load a php webshell from your server make sure that php is not running on your box .. or you found a complicated way to your local root .. congratulations

8) If you want to transfer a file make sure that the folders are the right one

9) If you transfer stuff you might have to check permissions .. that includes your own box

10) Don’t switch up LHOST and RHOST

11) If you work on exercises and something is not working .. REDO EVERY step .. might be that you just skipped a step earlier and reskipping doesn’t improve the situation

12) When scripting stuff / coding exploits etc always put out intermediate results etc in the command line or echo it into a file so you can see where your script breaks

13) Check your path in your scripts .. might be that you are too stupid for backslashes etc

14) The offsec pdf is great for copy pasting commands .. except for the moments where the stupid encoding screws you over

15) Build your own copy paste command list and cheat sheet .. just to have pdf encoding screwing you over again

16) Copy your commands from the source of the pdf .. till your comments in the source screw you over.

17) If using wordlists check the encoding before running it .. the german wordlist as example is worthless if ö is encoded as ~3 or so ..

18) Check your encoding from your hashes .. if you forget one part of the hash you GAINED a lot of brute force time …

19) Save your VM .. really I have used up 5 VM images during my time

20) Make a list of all installed tools etc to have an easier time reinstalling

21) Learn how to take USEFUL notes .. Tip: A Page with a big WIN across the page captures the feeling of a local root perfectly but might be hard to redo it afterwards if that is your only note …

OSCP and SPACESHIP – The final Review

Finally: SPAAAACCCEEESHIIIPP ahh yes and OSCP -Final Thoughts and review.

Ok guys finally after sitting on my shelf and collecting dust in the box for nearly 9 months it was finally time for the SPACESHIP SPACESHIP SPACESHIP !!! I bought it shortly before I did my first exam try (left over stock .. quite rare) to motivate me. You know saying to myself I will build it next week when I have my OSCP. Well didn’t work out that way. So last week finally I had the chance to build it.


So finally I have my certification. Lets do the final review on the course. This will be a series of two blog posts. In this post I do the review and in the next one in the following days I will give an overview over my tools and cheat sheets I produced during my time in the labs.


So to the review:

First off this certification is the one I’m most proud of. Not getting the naval officer qualifications to navigate warships (ok was a cool one) or my firefighter cert and other professional certifications. This cert is also the cert where I hated the experience most.

The point is OffSec is not a teaching company. They are a pentesting company offering some pentesting training. If you pay a teaching company you will get persons teaching you stuff, answering your questions and with a bit of luck you will leave the course with a cert and maybe you will learn some valuable lessons.

To paint a different picture: If offsec would offer swimming courses, they would drop you into a cold pool. In my first review I used the diving licence as a picture.

While I hate this type of teaching I value the lab so much. The cold pool so to say is a very nice one .

And for the teaching you have to learn for yourself. And I can only recommend to get some friends or other people around you (be it in real life or via the internet) to turn you in the right direction now and then. It might sound stupid but my new job helped. In our IT sec department we have one guy with OSCP and a bunch of people having failed to get it. This helps with the morale; after two failed attempts I was doubting myself. But realising that this cert is hard helped a lot.

Overall I LOVE THE LABS !!! Will resubscribe in the future to test and learn a bit more. And thanks to all the people cheering me up in real life and in the dark back rooms of the internet. Thanks a lot !!

Thanks offsec (and also thank you for giving me the nice chance to troll you back with a nice April Fools’ joke 😉 )


And if you go into the labs .. remember: here be dragons


Attack on Fort Clara

So a while back I wrote about a Lego Fort:


Now today we go through a way how some pirates could attack the fort. This is a spoilerfree spoiler to a real machine I wrote a report on it .. if you see how it works you might have done the same machine. Because some of my pictures are more a riddle than a spoiler 😉 So here we go.


First our pirates do a little recon on the fort.


With all their information they go to the wise island magician who knows all the good tricks. From him they get an all-seeing telescope …

With that telescope they can see everything on that fort ….


With that information it is easy to find some stupid soldier ….


as which they can disguise …


to deliver their evil dynamite ..


but unfortunately dynamite is not allowed on the fort …


so they need a flimsy disguise for the payload .. so they can put it on the fort to trigger it later with another method ..

and game over …

#OSCP Turning your Backdoor in a WordPress Plugin

Just a quick one:

Imagine you own a WordPress and want to upload your remote php script as a nice fancy WordPress plugin. You know, just adding a feature the original installation doesn’t have. So you grab your trusty php remote shell script .. and WordPress hates it. Damn .. So how do we build a valid WordPress plugin?

  1. Open up your php script and add

Plugin Name: Plugin
Plugin URI:
Description: Basic WordPress Plugin Header Comment
Version:     20160911
Author URI:
License:     GPL2
License URI:

to the start, then upload it

2. ??????

3. Profit


Easy ^^
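
From the defender’s side, a header this bare is itself a signal. The following Python is an added example, not from the original post: it walks a plugins directory, parses plugin headers roughly the way WordPress reads them, and flags plugin files whose provenance fields are empty or that call command-execution functions. The function list, the directory layout and both sample files are constructed assumptions, and the heuristic will produce false positives.

```python
import re
from pathlib import Path

# Header fields that say where a plugin comes from.
PROVENANCE_FIELDS = ("Plugin URI", "Author", "Author URI")
HEADER_FIELDS = ("Plugin Name", "Description", "Version",
                 "License", "License URI") + PROVENANCE_FIELDS

# PHP calls that run commands or evaluate strings (assumed watch list).
RISKY_CALLS = re.compile(
    r"\b(eval|system|exec|shell_exec|passthru|popen|proc_open)\s*\(",
    re.IGNORECASE)


def parse_header(source):
    """Read 'Field: value' lines from the first 8 KiB of a PHP file."""
    head = source[:8192]
    fields = {}
    for name in HEADER_FIELDS:
        m = re.search(r"^[ \t/*#@]*" + re.escape(name) + r":(.*)$",
                      head, re.IGNORECASE | re.MULTILINE)
        if m:
            # Drop a trailing comment close or PHP close tag, then trim.
            fields[name] = re.sub(r"\s*(?:\*/|\?>).*", "", m.group(1)).strip()
    return fields


def audit_plugin_file(path):
    """Return a list of findings for one file; empty if nothing stands out."""
    source = Path(path).read_text(encoding="utf-8", errors="replace")
    header = parse_header(source)
    if "Plugin Name" not in header:
        return []  # not a plugin main file, WordPress would not list it
    findings = []
    missing = [f for f in PROVENANCE_FIELDS if not header.get(f)]
    if missing:
        findings.append("empty or missing header fields: " + ", ".join(missing))
    calls = sorted({m.group(1).lower() for m in RISKY_CALLS.finditer(source)})
    if calls:
        findings.append("risky calls: " + ", ".join(calls))
    return findings


def audit_plugins_dir(plugins_dir):
    """Audit every .php file below plugins_dir; map relative path -> findings."""
    root = Path(plugins_dir)
    report = {}
    for path in sorted(root.rglob("*.php")):
        findings = audit_plugin_file(path)
        if findings:
            report[path.relative_to(root).as_posix()] = findings
    return report


# Constructed sample: a complete header and no risky calls.
CLEAN_PLUGIN = """<?php
/*
Plugin Name: Hello Widget
Plugin URI:  https://example.org/hello-widget
Description: Constructed sample of a plugin with a complete header
Version:     1.0
Author:      Example Dev
Author URI:  https://example.org
License:     GPL2
*/
add_action('init', 'hello_widget_init');
"""

# Constructed sample: the bare header from the post plus a harmless
# stand-in for code that runs commands.
BARE_PLUGIN = """<?php
/*
Plugin Name: Plugin
Plugin URI:
Description: Basic WordPress Plugin Header Comment
Version:     20160911
Author URI:
License:     GPL2
License URI:
*/
passthru('uptime');
"""


def build_demo_dir(root):
    """Write both constructed samples below root and return root as a Path."""
    root = Path(root)
    (root / "hello-widget").mkdir(parents=True, exist_ok=True)
    (root / "hello-widget" / "hello-widget.php").write_text(CLEAN_PLUGIN)
    (root / "plugin.php").write_text(BARE_PLUGIN)
    return root


if __name__ == "__main__":
    import tempfile
    demo_root = build_demo_dir(tempfile.mkdtemp())
    for name, findings in audit_plugins_dir(demo_root).items():
        print(name, "->", "; ".join(findings))
```
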