01

I've been in the field for about five years, the first three doing forensics for a firm, the last two, pentesting for that same firm.  This blog's intent is merely to provide those who may be of similar mind with some light-hearted reading about my experiences and my upcoming, ever advancing journey into things I have no right explaining to anyone.

Welcome.  I'm bad at security.

Popular posts from this blog

06 - How to maybe not be so bad at fuzzing, Part 2

Image
06 - Back to the Fuzzing, Part 2 This post will focus more on actual usage of different fuzzers, rather than part one which talked about fuzzing from a higher level.  I'll use the widely available  vulnserver.exe  as a target application for a bunch of examples, as there are a ton of posts out there that go over exploiting it.  I will also briefly talk about some typical fuzzing use-cases, such as HTTP requests, and how we may employ a fuzzer to assist in testing.  I'm not going to turn our crashes into exploits, that's outside of the scope of this post-- I'll just take a more in depth look at the available tools to expedite the process of locating bugs. Here's the agenda for tool usage: Python Sockets SPIKE boofuzz In part one I'll talk about some common ways to implement python sockets, such as raw sockets for a normal client / server model, fuzzing HTTP requests, and maybe a bit more if I don't get lazy half-way.  In part two I will apply
Read more

SLAE32 - Assignment 7

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:  https://www.pentesteracademy.com/course?id=3 Student ID: PA-15072 All associated code can be found here:  https://github.com/pAP3R/public/tree/master/SLAE32/assignments Crypters For this assignment, students are tasked with creating a custom shellcode crypter. Requirements: Create a custom crypter like the one shown in the "crypters" video Free to use any existing encryption schema Can use any programming language Task 7 was... interesting. By far the most time spent headbanging (to metal and against metal), while also sporting the biggest facepalm. My original plan did end up being the outcome, although it took a detour and ended up at the same result. For this task I decided to go the AES CBC route-- it's a common and easily implemented encryption scheme. Using this article , I was able to come up with a PoC encryption / decr
Read more

04 - DiskSavvy Enterprise 10.4.18 BoF SEH (and how I finally became not so bad at it)

Image
I decided to make a whole new post in regarding DiskSavvy, as the others were all over the place.  This post will focus on the working PoC, now that I have it, and explain some of the tribulations and pitfalls I experienced during it. 0x01 - Locating a Crash Alright, so in the past we've located a relatively easy crash-- after performing a three way handshake, the application sends a packet requesting some server information.  This packet'ssends the following ASCII string: 'SERVER_GET_INFO', prepended by a few headers, and appended by some more data.  This whole interaction can be seen in previous posts, namely post one and two, where I go as in depth as I was able at the time with my fairly limited knowledge.  Initially, I found a location in a portion of the headers that resulted in a crash that I was pretty psyched on, but after bashing my head against the keyboard for an undetermined (read: unreleased) amount of time, I found I wasn't sure I was able to
Read more