Tomcat. Java. JSP.

The second medium box was a Windows machine. He found an SMB share with a password-protected Excel file. He cracked the password with office2john and hashcat in four minutes. Inside the Excel sheet was a single cell: svc_deploy:Winter2023! .

But the story of the OSCP isn't just about passing. It's about the try harder mantra. It's about the box you didn't get. The one that lives in your mind for months afterward.

He had broken into the final boss with seventeen minutes to spare.

He Googled frantically. Password Manager Pro v4.2 had a public exploit: an unauthenticated SQL injection that led to remote code execution. He downloaded the Python script, modified the payload for a reverse shell, and launched it.

He rushed back. Instead of <?php system($_GET['cmd']); ?> , he tried a more obscure tag: <%= system("id") %> – an ASP-style tag in a PHP context? No. But what about a JSP context on a server that also ran PHP? He checked the HTTP headers again. Server: Apache-Coyote/1.1 . That was a Tomcat server.

He had the flag. 20 more points. 70 total. He was passing.

>