My Tryst with Exploitation

By -
Hello Everyone! n1ghtcr4wl3r here...

I have started preparing for offensive Security Certified Expert (OSCE) and in this post shall be a description as to how I have started honing my skills of binary exploitation.

Tulpa has been a great help in commencing this journey and so has been Mike and corelanc0d3r :)

This post shall be an incremental post and I will describe my journey while exploiting a software called vulnserver

I will keep adding more content on this post as time goes by.

Until then see you next time!

Comments

Post a Comment

Popular posts from this blog

By -
Image
I picked up Sedna and these were the steps: Like any machine, starting with arp-scan to first know the machine IP: arp-scan -l The machine got detected at 192.168.137.152 The next step was to run an nmap scan: From here, I decided that I shall  be concentrating on port 80. First checking the webpage: I decided I shall have a peek at the robots.txt as well: going to /Hackers gave 404 -Not found! Damn! :D Meanwhile in background, I was running gobuster. Doing web enumeration and checking web page sources dint reveal much! I decided to check my gobuster results: Manually enumerating the dirbuster pointed folders, I quickly became clear that builderengine was running. Next, a searchsploit revealed exploit for arbitrary upload in BuilderEngine. Seems BuilderEngine is vulnerable to arbitrary file uploads on the directory: http://IP_Addr/themes/dashboard/assets/plugins/jquery-file-upload/server/php/ I uploaded a simple php reverse shell to
Read more

Pluck w00t!

By -
Image
Time to Pluck! Though a bit late, I decided to give this machine a try! As with all almost every machine I began with arp-scan/netdiscover: Once this is done, next I try to do a port scan on the host. I began with the tcp scan while upd scans taking more time ran in the background. Since port 80 was open, I ran nikto in other window. Post this is done, I move next to check banners on each service. SSH dint give any banner, neither mysql or llmnr protocol so I tried to enumerate the web. Just before I went to check the web service, I looked at the nikto results and they were interesting! Now, this was very interesting, an LFI!! Meanwhile I had also tried fuzzing the admin page on the webservice and it revealed sql injection: Now, I had two vectors so I thought lets begin with the LFI. Doing a /etc/passwd dumped all the contents!! But Trying lfi on other files like apache logs etc was not getting possible (permission issue??) This was when som
Read more

Automating backdoor creation for PE files

By -
Hello, In this post I shall write about my experiences/attempt on automating the process of backdoor creation for windows PE(Portable Executable) files. More than a short and quick success attempt, it been many a failures and frustrations but I made some commendable progress by trying harder. I would like to point out that I am not publishing the entire code but giving you an outline as to "how to do it" but will include short code snippets The post highlights my journey where I faced most issues and spent most times and where I could have done better The rough idea for a backdoor is that we need to redirect the code flow at entry point of a PE file to a clean section within the PE file where shellcode is located to do the evil deed and it hand's off control back to the original code execution of the file. But we need to talk about the above statement in a detailed manner. [+] Getting the entry point of a PE & making a clean section within PE file. Wh
Read more