Friday-Gems on Shivasurya

Heap Two Writeup - Exploit Education Lab Exercise

Sat, 06 May 2023 00:00:00 +0000

If you haven’t set up your lab yet, feel free to check out my previous article on Exploit.education lab setup

Previous Writeup:

Quick Overview

Similar to Heap One, Heap Two exercise motive is to leverage buffer overflow and perform UAF (User-After-Free Vulnerability) that technically allows to re-use the allocated memory in the heap to control the program flow. Similar to gets in Heap Zero, strdup function is unsafe that doesn’t have bounds check, it accepts memory address to copy but doesn’t care about overwriting other declared struct variable in the heap region.

Heap One Writeup - Exploit Education Lab Exercise

Fri, 05 May 2023 00:00:00 +0000

If you haven’t set up your lab yet, feel free to check out my previous article on Exploit.education lab setup

Previous Writeup:

Quick Overview

Similar to Heap Zero, Heap One exercise motive is to smash the heap to modify other variables in the heap to a hex value and technically overwrite struct in the heap. Similar to gets in Stack Zero, strcpy function is unsafe that doesn’t have bounds check, it accepts memory address to write but doesn’t care about overwriting other declared struct variable in the heap region.

Heap Zero Writeup - Exploit Education Lab Exercise

Fri, 28 Apr 2023 00:00:00 +0000

If you haven’t set up your lab yet, feel free to check out my previous article on Exploit.education lab setup

Previous Writeup:

Quick Overview

Similar to Stack One, Heap Zero exercise motive is to smash the heap to modify other variables in the heap to a hex value and technically overwrite function pointer in the heap. Similar to gets in Stack Zero, strcpy function is unsafe that doesn’t have bounds check, it accepts memory address to write but doesn’t care about overwriting other declared function pointer in heap.

Format Four Writeup - Exploit Education Lab Exercise

Fri, 21 Apr 2023 00:00:00 +0000

Previous Writeup:

If you haven’t done setting-up your lab, feel free to check out my previous article on Exploit.education lab setup

Format Three Writeup - Exploit Education Lab Exercise

Fri, 14 Apr 2023 00:00:00 +0000

Previous Writeup:

If you haven’t done setting-up your lab, feel free to check out my previous article on Exploit.education lab setup

Format Two Writeup - Exploit Education Lab Exercise

Fri, 07 Apr 2023 00:00:00 +0000

Previous Writeup:

If you haven’t done setting-up your lab, feel free to check out my previous article on Exploit.education lab setup

Format One Writeup - Exploit Education Lab Exercise

Fri, 31 Mar 2023 00:00:00 +0000

Previous Writeup:

If you haven’t done setting-up your lab, feel free to check out my previous article on Exploit.education lab setup

HackTheBox Active Writeup - Active Directory - OSCP Practice

Fri, 17 Mar 2023 00:00:00 +0000

Quick Overview

Active is one of the easy Active Directory focused Windows Box from TJNull OSCP Practice list. It’s one of those easy machine where you get initial foothold via SMB Replication share leak & escalate privileges using Active Directory weakness.

Enumeration

NMapAutomator

Started with enumerating the target with NMapAutomator script since it helps in automating all possible ports with vulnerability scripts from nmap. Additionally, NmapAutomator can help in recon process using smbmap, ffuf, nikto, DNSRecon, SMB enumeration.

Format Zero Writeup - Exploit Education Lab Exercise

Fri, 10 Mar 2023 00:00:00 +0000

Previous Writeup:

If you haven’t done setting-up your lab, feel free to check out my previous article on Exploit.education lab setup

Stack Six Writeup - Exploit Education Lab Exercise

Sun, 26 Feb 2023 00:00:00 +0000

Previous Writeup:

If you’re learning and writing binary exploits, I would strongly recommend you to take Architecture 1001: x86-64 Assembly course by Xeno Kovah. They cover a wide variety of learning assembly instructions which will be really helpful to understand the exploits.

Stack Five Writeup (Code Execution) - Exploit Education Lab Exercise

Sat, 04 Feb 2023 00:00:00 +0000

Previous Writeup:

Stack Four Writeup - Exploit Education Lab Exercise

Sat, 28 Jan 2023 00:00:00 +0000

Previous Writeup:

Stack Three Writeup - Exploit Education Lab Exercise

Fri, 27 Jan 2023 00:00:00 +0000

If you haven’t done setting-up your lab, feel free to check out my previous article on Exploit.education lab setup

Previous Writeup:

Quick Overview

Similar to Stack Two, Stack Three exercise motive is to smash the stack to modify other variables in the stack to a hex value and technically overwrite function pointer in the stack. Similar to gets in Stack Zero, strcpy function is unsafe that doesn’t have bounds check, it accepts memory address to write but doesn’t care about overwriting other declared function pointer in stack. If you take closer look at the struct which isn’t dynamically being allocated by malloc function, so probably the struct which contains both char buffer[64] and volatile int *fp function pointer stays in main stackframe. This overwritten function pointer will be further used to invoke in later part of the program.

Stack Two Writeup - Exploit Education Lab Exercise

Thu, 26 Jan 2023 00:00:00 +0000

If you haven’t done setting-up your lab, feel free to check out my previous article on Exploit.education lab setup

Previous Writeup:

Quick Overview

Similar to Stack One, Stack Two exercise motive is to smash the stack to modify other variables in the stack to a hex value 0x0d0a090a but receives the value from the environment variable ExploitEducation. Technically, similar to gets in Stack Zero, strcpy function is unsafe that doesn’t have bounds check, it accepts memory address to write but doesn’t care about overwriting other declared variables in stack. If you take closer look at the struct which isn’t dynamically being allocated by malloc function, so probably the struct which contains both char buffer[64] and volatile int changeme stays in main stackframe.

Stack One Writeup - Exploit Education Lab Exercise

Fri, 20 Jan 2023 00:00:00 +0000

If you haven’t done setting-up your lab, feel free to check out my previous article on Exploit.education lab setup

Previous Writeup: Stack Zero Writeup - Exploit Education Lab Exercise

Quick Overview

Unlike Stack Zero, Stack One exercise motive is to smash the stack to modify other variables in the stack to a hex value 0x496c5962. Technically, similar to gets in Stack Zero, strcpy function is unsafe that doesn’t have bounds check, it accepts memory address to write but doesn’t care about overwriting other declared variables in stack. If you take closer look at the struct which isn’t dynamically being allocated by malloc function, so probably the struct which contains both char buffer[64] and volatile int changeme stays in main stackframe.

Stack Zero Writeup - Exploit Education Lab Exercise

Thu, 12 Jan 2023 00:00:00 +0000

If you haven’t done setting-up your lab, feel free to check out my previous article on Exploit.education lab setup

Quick Overview

Stack Zero exercise is based on stackoverflow memory corruption issue where you’ll have to smash the stack to modify other variables in the stack to achieve code execution, execution flow redirection or behaviour in the program. Technically, gets function is unsafe that doesn’t have bounds check basically, it accepts memory address to write but doesn’t care about overwriting other declared variables in stack. If you take closer look at the struct which isn’t dynamically being allocated by malloc function, so probably the struct which contains both char buffer[64] and volatile int changeme stays in main stackframe.

Exploit Education Lab Setup - Windows & MacOS

Fri, 06 Jan 2023 00:00:00 +0000

Exploit.education binary exploitation exercise typically runs on ASLR (Address space layout randomization) disabled ubuntu based virtual machine with Data Execution Prevention turned off binaries. In order to setup the exploit.education lab, You’ll have to either use virtualbox or qemu based virtual machine emulator setup to easily test and debug the exercises.

Installation

For both MacOS and Windows, grab a copy of qemu emulator and follow the installation setup which is quite easy.