OverTheWire Natas Level 0

1 minute read, Oct 30, 2012
I recently read that OverTheWire had released a new wargame, so I decided to play for fun. The first level is extremely easy. You are presented with a page that tells you the password can be found on this page. If you then view the source, you can see the password to the next level in plain text, in an HTML comment.

Sysax 5.64 HTTP Remote Buffer Overflow

2 minute read, Jul 28, 2012
I have discovered a bug in the Sysax Multi-Server application. More specifically, it’s in the HTTP File Server service, which is not enabled by default. It has to be turned on by the admin for this exploit to function properly. The user in question also needs permission to create a directory. In the Sysax service, the configuration would look like this: Triggering this vulnerability is pretty simple. Log into the HTTP File Server:

Exploit Exercises - Fusion 01

7 minute read, Jul 3, 2012
It’s been a while since I last did a write-up about Exploit Exercises. I’m starting to look back at it now, since I have some more free time again. I’ve now, as I’m sure you can guess by the title of this post, solved level 01. So this level is very similar to the first, except that it has ASLR and doesn’t tell us where the buffer is on every execution.

PWB Conclusions and the Future

3 minute read, Jun 24, 2012
The results
As I posted previously, I was taking the PWB course from Offensive Security. I am happy to report that I passed with flying colors (100%)! This is the best email I’ve ever received:
Advice for new students
During the course, I learned several things, including many things about myself. Do the PDF/Video work first. If you wait until the end, you will hate your life. It’s so droll and boring.

Exploit Exercises - Fusion 00

5 minute read, Apr 9, 2012
I was very excited to see the announcement on Twitter that Fusion was going to be released, even if it’s just the first 10 levels. I was a bit bummed, as I didn’t think I’d get to work on it much until I complete PWB, but I managed to find a little time to at least start it. I pulled up level 00, which looks to be a basic stack overflow in an HTTP server.

PWB Progress and Impressions

5 minute read, Mar 27, 2012
I recently decided to take Offensive Security’s course, Penetration Testing with Backtrack. I’m now 30 days in, of my 90 day allotment. I figured I would share my impressions and what I’ve learned up to now, without being specific enough to give anything away to future students.
The Wait
So I decided to take the class, and submitted the order on February 16th 2012. Offensive Security starts new classes each Sunday, and apparently the one starting on February 18th was already full, so I ended up waiting until February 25th.

Using .net to bypass AV

3 minute read, Feb 23, 2012
I’ve read a ton of articles on bypassing Antivirus software when trying to run shellcode on machines. There’s just a ton available. These are just a few examples:
http://dev.metasploit.com/redmine/projects/framework/wiki/Using_a_Custom_Executable_to_Bypass_AV
http://www.offensive-security.com/metasploit-unleashed/Antivirus_Bypass
http://www.irongeek.com/i.php?page=videos/bypassing-anti-virus-with-metasploit
http://clshack.com/metasploit-shellcodeexec-bypassing-any-anti-virus.html
http://carnal0wnage.attackresearch.com/2011/07/process-injection-outside-of-metasploit.html
I was recently working with some Windows web-servers, which had ASP.net enabled, but not any other useful language. I had recently read about PowerSyringe, so I started tinkering with making some shellcode run similarly. I ended up finding out that I couldn’t do what I was wanting to do in ASP.

Kioptrix 4

25 minute read, Feb 12, 2012
I know there are a few different methods to the new Kioptrix 4 boot2root. Unfortunately, I could not find the remote root exploit that is mentioned, but my method used several tools, and privilege escalation.
Tools used:
- Backtrack 5 VM
- Nmap
- SqlMap
To start out, I had to find the machine on the network. I booted up my Backtrack VM and Kioptrix VM both using a NAT connection in my VMWare.

Exploit Exercises - Protostar Net 3

5 minute read, Feb 11, 2012
The last in the Net series of Protostar is Net 3. It was of course the most difficult of all of them. However, it still wasn’t too bad. First, we’re given the following code:

    #include "../common/common.c"

    #define NAME "net3"
    #define UID 996
    #define GID 996
    #define PORT 2996

    /*
     * Extract a null terminated string from the buffer
     */
    int get_string(char **result, unsigned char *buffer, u_int16_t len)
    {
        unsigned char byte;

        byte = *buffer;
        if(byte > len) errx(1, "badly formed packet");

        *result = malloc(byte);
        strcpy(*result, buffer + 1);

        return byte + 1;
    }

    /*
     * Check to see if we can log into the host
     */
    int login(unsigned char *buffer, u_int16_t len)
    {
        char *resource, *username, *password;
        int deduct;
        int success;

        if(len < 3) errx(1, "invalid login packet length");

        resource = username = password = NULL;

        deduct = get_string(&resource, buffer, len);
        deduct += get_string(&username, buffer+deduct, len-deduct);
        deduct += get_string(&password, buffer+deduct, len-deduct);

        success = 0;
        success |= strcmp(resource, "net3");
        success |= strcmp(username, "awesomesauce");
        success |= strcmp(password, "password");

        free(resource);
        free(username);
        free(password);

        return !

Exploit Exercises - Protostar Net 2

2 minute read, Feb 10, 2012
So far, these Net challenges in Protostar have been pretty easy. This challenge, Net 2, got a small bit tougher. We are given the following code:

    #include "../common/common.c"

    #define NAME "net2"
    #define UID 997
    #define GID 997
    #define PORT 2997

    void run()
    {
        unsigned int quad[4];
        int i;
        unsigned int result, wanted;

        result = 0;
        for(i = 0; i < 4; i++) {
            quad[i] = random();
            result += quad[i];

            if(write(0, &(quad[i]), sizeof(result)) !