Binary world for binary people :)
Blog by m_101 (http://www.blogger.com/profile/04511118411760397645); feed exported 2024-03-05

Migrated Blog Location
(published 2018-12-27, updated 2019-02-16)
Hello,
Just wanted to say that I'm fed up with Blogger's poor support for versioning, code, etc.
All the code highlighting on this blog was super slow due to crappy JavaScript, sorry for the readers.
In order to fix these various issues, I've migrated the blog to github.io using a full static site generator: Jekyll.
It will take some time to have a nice template but it'll be worth it in the [...]

Windows Kernel Exploitation : Token stealing payload with the reference counter updated
(published 2018-04-28, updated 2018-04-28)
Hello,
I've been playing a bit with HEVD and it is indeed a fun challenge.
I will publish my multi-exploit but I won't detail exploitation as there is a lot of documentation on the techniques used already.
The part that is surprising though is that the token stealing payload not updating the reference counter is a well-known issue all around ... but I haven't seen a public payload that fixes [...]

Yet Another OSCE Review
(published 2018-04-28, updated 2018-04-28)
Hi,
I did OSCP at the beginning of 2017 and then OSCE a while back in December, but since people keep asking me about it, I decided to write a blog post. I'll try to keep it short as there are many guides that enumerate tons of stuff already.
It will be more about the feeling and experience than the details.
What to expect?
The OSCE guide has not been updated since around 2008-ish.
So the [...]

VulnHub - c0m80 boot2root
(published 2017-10-12, updated 2017-10-14)
I saw this boot2root pop up on twitter; it was rated as a difficult one and
it apparently didn't have any walkthrough or solves yet, so it piqued my interest.
The prerequisites for any reader would be to know about pentesting in general,
networking, basic web hacking tricks, exploitation and various other tricks.
We'll begin by describing the reconnaissance process, exploit development and
end up [...]

RHMe3 Qualifier - Heap Exploitation
(published 2017-08-30, updated 2017-08-30)
Hi,
This year, Riscure organized a CTF composed of 3 challenges : 2 crypto challenges and 1 exploitation challenge.
I only did the exploitation challenge.
We'll start by patching the binary in order to run it on our box. Then reversing the binary and finally exploiting it. We'll use radare2 for the whole analysis.
Patching
In the background_process() and daemonize() functions, there are [...]

Notes on abusing exit handlers, bypassing pointer mangling and glibc ptmalloc hooks
(published 2017-05-20, updated 2017-08-30)
Hi,
Today we'll talk about abusing exit handlers in order to hijack the control flow.
This research stemmed from the Google Project Zero article on heap overflow
NULL byte poisoning, where they described using __exit_funcs or tls_dtor_list
to achieve code execution.
The issue I had was finding a way to reliably resolve these
non-exported symbols and access them.
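Added example, not code from the original post: a userland model of how x86_64 glibc mangles the function pointers it keeps in __exit_funcs (PTR_MANGLE is xor with the per-process pointer guard then a rotate-left by 17; the guard sits in the TCB at fs:0x30), and the two ways the mangling is usually bypassed once you can read and write memory. The struct below is a simplified mirror of glibc's exit_function_list, the handler signature is simplified, and the guard value, benign() and target() are constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* x86_64 glibc stores each registered handler as
 *   PTR_MANGLE(p)   = rol(p ^ pointer_guard, 17)
 *   PTR_DEMANGLE(m) = ror(m, 17) ^ pointer_guard
 * with pointer_guard in the thread control block at fs:0x30.
 * The rotate amount is 2*sizeof(void*)+1 = 17 on 64-bit. */
#define PTR_ROT 17

static uint64_t rol64(uint64_t v, unsigned n) { return (v << n) | (v >> (64 - n)); }
static uint64_t ror64(uint64_t v, unsigned n) { return (v >> n) | (v << (64 - n)); }

uint64_t ptr_mangle(uint64_t ptr, uint64_t guard)       { return rol64(ptr ^ guard, PTR_ROT); }
uint64_t ptr_demangle(uint64_t mangled, uint64_t guard) { return ror64(mangled, PTR_ROT) ^ guard; }

/* Bypass 1: one (mangled, plaintext) pair gives the guard away.  glibc
 * registers _dl_fini through __cxa_atexit at startup, so an arbitrary read
 * of that entry plus knowledge of where _dl_fini is (ld.so base) suffices. */
uint64_t recover_guard(uint64_t mangled, uint64_t known_ptr) {
    return ror64(mangled, PTR_ROT) ^ known_ptr;
}

/* Bypass 2: the TCB is ordinary writable memory, so a write-what-where to
 * fs:0x30 can zero the guard; mangling then degrades to a plain rotate. */
uint64_t mangle_with_zero_guard(uint64_t ptr) { return rol64(ptr, PTR_ROT); }

/* Simplified mirror of glibc's struct exit_function_list (stdlib/exit.h).
 * Real ef_cxa entries also carry dso_handle and fn takes (arg, status). */
enum { ef_free, ef_us, ef_on, ef_at, ef_cxa };
struct exit_function { long flavor; uint64_t fn; uint64_t arg; };
struct exit_function_list {
    struct exit_function_list *next;
    size_t idx;
    struct exit_function fns[32];
};

typedef void (*handler_t)(void *);

/* What __run_exit_handlers does per entry: demangle with the live guard, call.
 * Entries run LIFO, like exit() does. */
static void run_list(const struct exit_function_list *l, uint64_t guard) {
    for (size_t i = l->idx; i-- > 0;) {
        if (l->fns[i].flavor == ef_free) continue;
        handler_t fn = (handler_t)(uintptr_t)ptr_demangle(l->fns[i].fn, guard);
        fn((void *)(uintptr_t)l->fns[i].arg);
    }
}

static int hit;                                        /* set by the planted handler */
static void benign(void *arg) { (void)arg; }           /* stands in for _dl_fini      */
static void target(void *arg) { hit = (int)(uintptr_t)arg; }

/* The attack in miniature: the attacker knows benign()'s address, reads its
 * mangled slot (the leak), recovers the guard and plants a correctly mangled
 * entry for target() through a write into the list.  Returns target()'s arg. */
int forge_and_run(uint64_t live_guard) {
    struct exit_function_list list = {0};
    list.fns[0].flavor = ef_cxa;
    list.fns[0].fn = ptr_mangle((uint64_t)(uintptr_t)benign, live_guard);
    list.idx = 1;

    uint64_t leaked = list.fns[0].fn;                                  /* arbitrary read */
    uint64_t g = recover_guard(leaked, (uint64_t)(uintptr_t)benign);   /* == live_guard  */

    list.fns[1].flavor = ef_cxa;                                       /* arbitrary write */
    list.fns[1].fn  = ptr_mangle((uint64_t)(uintptr_t)target, g);
    list.fns[1].arg = 0x41;
    list.idx = 2;

    hit = 0;
    run_list(&list, live_guard);                                       /* "exit()" */
    return hit;
}

int main(void) {
    uint64_t g = 0x1122334455667788ULL;
    printf("roundtrip ok: %d\n", ptr_demangle(ptr_mangle(0xdeadbeefULL, g), g) == 0xdeadbeefULL);
    printf("forged handler got arg 0x%x\n", forge_and_run(g));
    return 0;
}
```

The point of the model: without the guard, a raw function pointer written into __exit_funcs is demangled into garbage and the process crashes instead of jumping where you want, which is why the leak (or the guard overwrite) is the real work; the write itself is the easy part.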
The exit handlers are quite [...]

Yet Another OSCP Review
(published 2017-03-31, updated 2017-03-31)
I just took the OSCP Course and successfully passed the exam.
There are many other great reviews of the course out there; I just thought I'd add my two cents.
I decided to take that course as I wanted to see where I was at in terms of hacking and penetration testing skills. As some of you know, I've been more or less playing with code, hacks and exploits here and there for some time [...]

[Wargame] Ivan's Amenra : level 1
(published 2013-12-27, updated 2013-12-27)
Hackeology: this is an old challenge from 2010 that is no longer available, but I'm publishing the write-up (27/10/2010) that was sitting in my drafts anyway :). Enjoy.
Good evening!
I found an interesting challenge in my old bookmarks :).
What sets Ivan's wargame apart from the other wargames is that ASLR and a few PaX protections are enabled.
Proof:
level1@segment:~$ cat /proc/[...]

December HZV Meet : Linux Kernel Exploitation
(published 2013-12-18, updated 2013-12-18)
Hello,
So, last Saturday, I did a talk about Linux Kernel Exploitation.
I went over some well known vulnerabilities and I ended with a demo on a kernel exploitation challenge (here) by Jason Donenfeld (his site).
The slides are at the end of this blog article.
In this post, I will detail a bit more some of the slides in the talk.
I will not detail every single slide, only the ones where I [...]

LFI Exploitation : Basics, code execution and information leak
(published 2013-12-13, updated 2013-12-18)
Hello,
Today, I played a bit with Metasploitable 2.
It is really easy to root, so that's not the interest of this blog post.
Anyhow, I played a bit around and I ended up coding a basic LFI exploit tool.
So yet another post on LFI exploitation ...
So what is LFI?
LFI stands for Local File Inclusion.
It is a vulnerability where user-controlled input reaches a file-inclusion call, so an attacker can make the application include local files of their choosing; in PHP, included files are also executed as code.
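An added example, written in C rather than the PHP the post targets and not code from the original post: the include-by-parameter pattern that makes LFI possible, next to a containment check that canonicalises the path and refuses anything that resolves outside the web root. The directory layout, file names and the ../secret.txt traversal are constructed for the demo.

```c
#define _GNU_SOURCE
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Vulnerable pattern: the "page" parameter is glued onto the web root and
 * opened as-is, so "../" segments walk out of the directory. */
FILE *include_unsafe(const char *base, const char *page) {
    char path[PATH_MAX * 2];
    snprintf(path, sizeof path, "%s/%s", base, page);
    return fopen(path, "r");
}

/* Hardened: resolve both the root and the requested file with realpath()
 * (which also follows symlinks) and require the file to sit strictly below
 * the root.  The '/' check stops "/var/www2" from matching root "/var/www".
 * realpath() failing on a nonexistent file is a rejection too. */
FILE *include_safe(const char *base, const char *page) {
    char rbase[PATH_MAX], rfile[PATH_MAX], joined[PATH_MAX * 2];
    if (!realpath(base, rbase)) return NULL;
    snprintf(joined, sizeof joined, "%s/%s", base, page);
    if (!realpath(joined, rfile)) return NULL;
    size_t n = strlen(rbase);
    if (strncmp(rfile, rbase, n) != 0 || rfile[n] != '/') return NULL;
    return fopen(rfile, "r");
}

/* Builds a constructed layout  <tmp>/secret.txt  and  <tmp>/www/index.txt,
 * then checks that "../secret.txt" leaks through the unsafe version, is
 * blocked by the safe one, and that a legitimate page still loads.
 * Returns 1 when all three hold, 0 otherwise, -1 on setup failure. */
int demo(void) {
    char tmpl[] = "/tmp/lfi_demo_XXXXXX";
    char *tmp = mkdtemp(tmpl);
    if (!tmp) return -1;
    char www[PATH_MAX], secret[PATH_MAX], idx[PATH_MAX];
    snprintf(www, sizeof www, "%s/www", tmp);
    snprintf(secret, sizeof secret, "%s/secret.txt", tmp);
    snprintf(idx, sizeof idx, "%s/www/index.txt", tmp);
    if (mkdir(www, 0700) != 0) return -1;
    FILE *f = fopen(secret, "w"); if (!f) return -1; fputs("s3cret\n", f); fclose(f);
    f = fopen(idx, "w");          if (!f) return -1; fputs("hello\n", f);  fclose(f);

    int unsafe_leaks = 0, safe_blocks = 0, safe_allows = 0;
    FILE *u = include_unsafe(www, "../secret.txt");
    if (u) { unsafe_leaks = 1; fclose(u); }
    FILE *s = include_safe(www, "../secret.txt");
    if (!s) safe_blocks = 1; else fclose(s);
    FILE *ok = include_safe(www, "index.txt");
    if (ok) { safe_allows = 1; fclose(ok); }

    unlink(secret); unlink(idx); rmdir(www); rmdir(tmp);
    return unsafe_leaks && safe_blocks && safe_allows;
}

int main(void) {
    printf("traversal blocked only by the hardened include: %d\n", demo());
    return 0;
}
```

An allow-list of page names is still the better fix when the set of includable files is known; the containment check is the fallback for the cases where it is not, and it must be done on the resolved path, never on the raw string.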
Many people do think that it's [...]

[Root-Me] Remote Binary 2 - An advanced remote format string example
(published 2013-08-20, updated 2015-07-06)
Hello,
Sorry, this article has been removed in order to respect the root-me rules.
However, for anyone who solved the challenge, you can get the article using the found flag :).
I'll post the article once I fix the exploit.
Cheers,
m_101

Vanilla1 : write-what-where exploitation (ASLR, Full RELRO, Stack cookie)
(published 2013-06-10, updated 2013-06-10)
Hello,
For today's article, we're going to analyze and exploit a write-what-where with
ASLR, no PIE, full RELRO and a stack cookie.
This is part of a set of challenges made by sm0k: Vanilla Dome Wargame .
Let's begin.
The challenge
Before any reversing attempt, we need to launch the program to see what it does.
vanilla1@VanillaDome ~ $ ls -lash
total 76K
4.0K drwxr-xr-x 2 root [...]

[NDH2k13] Prequals - Meow (misc)
(published 2013-03-10, updated 2013-03-10)
Hello there,
For NDH Prequals 2k13, the question for today is:
Can I Haz Flag?
(sorry, no screens or logs of all original functions ...)
In the following article, we'll see some Python black magic that will allow us to escape a restricted shell :).
The cat fight problem
Yeah, cat fighting! meeooow!
Basically, we had to connect to it through telnet:
telnet z0b.nuitduhack.com 2323
Then [...]

[HES 2011] Abraxas Wargame - Level 4
(published 2013-03-06, updated 2013-03-06)
Hello,
Time for level 4 of abraxas,
No useful clues in logbook.
First, let's check the cronjob:
$ cat /etc/cron.d/workpackagebuilder
*/5 * * * * level4 /home/level4/bin/make_random_input.sh && /home/level4/bin/workpackagebuilder.pl &> /dev/null
It runs every 5 minutes as level4 (the user field of the cron.d entry), so whatever those two scripts read or execute is done with level4's rights.
Nothing interesting in /home/level4/bin/make_random_input.sh, it just outputs some useless [...]

[HES 2011] Abraxas Wargame - Level 3
(published 2013-03-06, updated 2013-03-06)
Hello,
Level3, here we come!
Clues from the logbook:
- "she's currently testing with generated datasets."
- "The entire thing is written in bash and runs as a cronjob every 10 minutes."
We look at the cronjob to locate the script:
$ cat /etc/cron.d/lifesupport_process
*/10 * * * * level3 /home/level3/bin/lifesupport_process.sh &> /dev/null
We read it:
$ cat /home/[...]

[HES 2011] Abraxas Wargame - Level 2
(published 2013-03-06, updated 2013-03-06)
Hello,
Time for level 2 :).
Clues from logbook:
"All I learned is that it is written in C and authenticates the user with his user ID."
Heh, should be using getuid(), let's check!
File permissions first:
$ ls -lash /home/level2/bin/
total 16K
4.0K drwxr-xr-x 2 level2 level2 4.0K 2011-04-04 15:28 .
4.0K drwxr-xr-x 3 level2 level2 4.0K 2011-04-04 15:28 ..
8.0K -r-x--x--- 1 level2 level1 7.3K [...]

[HES 2011] Abraxas Wargame - Level 1
(published 2013-03-06, updated 2013-03-06)
Hello,
I wanted to play a bit.
I randomly chose to play Abraxas Wargame which was especially made for HES (Hackito Ergo Sum) 2011.
First, you'll need to get it:
http://www.overthewire.org/wargames/abraxas/
And the only (sufficient) clues you got:
http://agent7a69.blogspot.fr/
Ok, now to the game.
For the first level, you got 4 clues in the post concerning it:
"From his design documents, [...]

Surfing "the deep web"
(published 2012-07-13, updated 2012-07-13)
Hello folks,
I've seen quite a few articles on "the deep web" recently and I've read that it's something like 550 times bigger than the actual "public web", so it kind of tickled my curiosity.
The deep web is basically the web that is not referenced by search engines or not easily attainable.
There are multiple ways to hide a website from the eyes of search engines: TOR hidden services, Freenet, dynamic [...]

CrashFr is no more :(.
(published 2011-12-05, updated 2011-12-05)
Hello or good evening,
Yesterday evening I learned the news ... just impossible ... just unbelievable.
I log onto the #hzv IRC channel, a gloomy mood and a frightening title: "CrashFR will never die" ... no way ...
My doubts, my fears ... I learn that Paolo Pinto has passed away ... fuck fuck fuck.
Paolo Pinto, aka CrashFr in the hacker community, was an emblematic figure of [...]

GCHQ Challenge Part 3 : www.canyoucrackit.co.uk
(published 2011-12-03, updated 2011-12-07)
As I have seen that many people already posted their solutions ... I do not see the point of keeping mine :). Here it is.
Hello,
Here is the final part of the GCHQ recruitment campaign.
The challenge
We are offered an executable file (compiled under cygwin ...) to analyze.
The "analysis"
The analysis was pretty straightforward.
No protections (you can check with PEiD, etc.).
Open it in [...]

GCHQ Challenge Part 2 - http://www.canyoucrackit.co.uk/
(published 2011-12-03, updated 2011-12-06)
As I have seen that many people already posted their solutions ... I do not see the point of keeping mine :). Here it is.
Hello again :),
Ok folks, you managed to get to level 2.
Let's begin,
The challenge
We are presented with a JavaScript file:
//--------------------------------------------------------------------------------------------------
//
// stage 2 of 3
//
// challenge:
// [...]

GCHQ Challenge Part 1 - http://www.canyoucrackit.co.uk/
(published 2011-12-01, updated 2011-12-06)
Hello,
As I have seen that many people already posted their solutions ... I do not see the point of keeping mine :). Here it is.
Today I stumbled upon a challenge that seems to come from GCHQ itself.
GCHQ is the UK's signals intelligence agency.
An article describing a bit the recruitment campaign:
GCHQ challenges codebreakers via social networks
Anyway, the challenge is located here:
[...]

PS3 Hacking (Part 2) - FAQ
(published 2011-11-16, updated 2011-11-21)
Hello,
Let's go on for PS3 Hacking part 2 :).
FAQ! Frequently Asked Questions
Why does everybody want the lv0 keys so badly even though they might not know how to use them?
WAREZ ... WAREZ ... EVEN MORE WAREZ ...
Homebrew has been possible on firmware <= 3.55 ... so heh ;).
Personally, I'm not interested in CFW ... more interested in the technical details than anything else here :).
Why [...]

PS3 Hacking (Part 1) - Exploitation
(published 2011-11-16, updated 2011-11-21)
Hello,
It's been a long time since I last posted :), I miss hacking bits and binaries ... but well, I read a bit to relax ... here it is :).
Anyway, I've been reading about the PS3 a bit and it's funny to see that not a single PS3-specialized news site has been able to correctly understand the exploits they publish on a regular basis.
I have not tried to hack the PS3 yet, just [...]

On the importance of checking exploits
(published 2011-07-23, updated 2011-07-23)
Hello,
Today we are going to look at why you should not run public exploits published on exploit-db, Full Disclosure or elsewhere without analysing the payload that comes with them.
Many people (often script kiddies) use exploits without making any effort to read the code. By running these exploits, they often get owned without even knowing it :).
The aim of this article will be [...]