OSCP Certification in the mail

1 minute read Jul 8, 2012 Comments
So previously, I had blogged about recently getting OSCP certified. I came home from my vacation to find a package from Offensive Security in my mailbox all the way from Israel. After getting settled down, I opened the package and found some my certificate, wrapped in a nice folder, that I have filed away to keep forever. Here is the front: The back of the folder had me laughing for several minutes.

Exploit Exercises - Fusion 01

7 minute read Jul 3, 2012 Comments
It’s been a while since I last did a write-up about Exploit Exercises. I’m starting to look back at it now, since I have some more free time again. I’ve now, as I’m sure you can guess by the title of this post, solved level 01. So this level is very similar to the first, except that it has ASLR and doesn’t tell us where the buffer is on every execution.

PWB Conclusions and the Future

3 minute read Jun 24, 2012 Comments
The results As I posted previously, I was taking the PWB course from Offensive Security. I am happy to report that I passed with flying colors (100%)! This is the best email I’ve ever received: Advice for new students During the course, I learned several things, including many things about myself. * Do the PDF/Video work first. If you wait until the end, you will hate your life. It’s so droll and boring.

Exploit Exercises - Fusion 00

5 minute read Apr 9, 2012 Comments
I was very excited to see the announcement on twitter, that Fusion was going to be released, even if it’s just the first 10 levels. I was a bit bummed, as I didn’t think I’d get to work on it much, until I complete PWB, but I managed to find a little time to at least start it. I pulled up level 00, which looks to be a basic stack overflow in an http server.

PWB Progress and Impressions

5 minute read Mar 27, 2012 Comments
I recently decided to take Offensive Security’s course, Penetration Testing with Backtrack. I’m now 30 days in, of my 90 day allotment. I figured I would share my impressions and what I’ve learned up to now, without being specific enough to give anything away to future students. The Wait So I decided to take the class, and submitted the order on February 16th 2012. Offensive Security starts new classes each Sunday, and apparently the one starting on February 18th was already full, so I ended up waiting until February 25th.

Using .net to bypass AV

3 minute read Feb 23, 2012 Comments
I’ve read a ton of articles on bypassing Antivirus software when trying to run shellcode on machines. There’s just a ton available. These are just a few examples: http://dev.metasploit.com/redmine/projects/framework/wiki/Using_a_Custom_Executable_to_Bypass_AV http://www.offensive-security.com/metasploit-unleashed/Antivirus_Bypass http://www.irongeek.com/i.php?page=videos/bypassing-anti-virus-with-metasploit http://clshack.com/metasploit-shellcodeexec-bypassing-any-anti-virus.html http://carnal0wnage.attackresearch.com/2011/07/process-injection-outside-of-metasploit.html I was recently working with some Windows web-servers, which had ASP.net enabled, but not any other useful language. I had recently read about PowerSyringe, so I started tinkering with making some shellcode run similarly. I ended up finding out that I couldn’t do what I was wanting to do in ASP.

Kioptrix 4

25 minute read Feb 12, 2012 Comments
I know there are a few different methods to the new Kioptrix 4 boot2root. Unfortunately, I could not find the remote root exploit that is mentioned, but my method used several tools, and privilege escalation. Tools used: Backtrack 5 VM Nmap SqlMap To start out, I had to find the machine on the network. I booted up my Backtrack VM and Kioptrix VM both using a NAT connection in my VMWare.

Exploit Exercises - Protostar Net 3

5 minute read Feb 11, 2012 Comments
The last in the Net series of Protostar is Net 3. It was of course the most difficult of all of them. However, it still wasn’t too bad. First, we’re given the following code: #include "../common/common.c" #define NAME "net3" #define UID 996 #define GID 996 #define PORT 2996 /* * Extract a null terminated string from the buffer */ int get_string(char **result, unsigned char *buffer, u_int16_t len) { unsigned char byte; byte = *buffer; if(byte > len) errx(1, "badly formed packet"); *result = malloc(byte); strcpy(*result, buffer + 1); return byte + 1; } /* * Check to see if we can log into the host */ int login(unsigned char *buffer, u_int16_t len) { char *resource, *username, *password; int deduct; int success; if(len < 3) errx(1, "invalid login packet length"); resource = username = password = NULL; deduct = get_string(&resource, buffer, len); deduct += get_string(&username, buffer+deduct, len-deduct); deduct += get_string(&password, buffer+deduct, len-deduct); success = 0; success |= strcmp(resource, "net3"); success |= strcmp(username, "awesomesauce"); success |= strcmp(password, "password"); free(resource); free(username); free(password); return !

Exploit Exercises - Protostar Net 2

2 minute read Feb 10, 2012 Comments
So far, these Net challenges in Protostar have been pretty easy. This challenge, Net 2 got a small bit tougher. We are given the following code: #include "../common/common.c" #define NAME "net2" #define UID 997 #define GID 997 #define PORT 2997 void run() { unsigned int quad[4]; int i; unsigned int result, wanted; result = 0; for(i = 0; i < 4; i++) { quad[i] = random(); result += quad[i]; if(write(0, &(quad[i]), sizeof(result)) !

Exploit Exercises - Protostar Net 1

2 minute read Feb 9, 2012 Comments
Continuing with the “Net” series of Protostar, is Net 1. We are given the following code: #include "../common/common.c" #define NAME "net1" #define UID 998 #define GID 998 #define PORT 2998 void run() { char buf[12]; char fub[12]; char *q; unsigned int wanted; wanted = random(); sprintf(fub, "%d", wanted); if(write(0, &wanted, sizeof(wanted)) != sizeof(wanted)) { errx(1, ":(\n"); } if(fgets(buf, sizeof(buf)-1, stdin) == NULL) { errx(1, ":(\n"); } q = strchr(buf, '\r'); if(q) *q = 0; q = strchr(buf, '\n'); if(q) *q = 0; if(strcmp(fub, buf) == 0) { printf("you correctly sent the data\n"); } else { printf("you didn't send the data properly\n"); } } int main(int argc, char **argv, char **envp) { int fd; char *username; /* Run the process as a daemon */ background_process(NAME, UID, GID); /* Wait for socket activity and return */ fd = serve_forever(PORT); /* Set the client socket to STDIN, STDOUT, and STDERR */ set_io(fd); /* Don't do this :> */ srandom(time(NULL)); run(); } Similar to Net 0, it looks like this is another network daemon, this time running on port 2998.
Page 4 of 8 1 2 3 4 5 6 7 8