Booj thoughts on security

HackTheBox - Minion Error Code Exfiltration

This is a writeup of an alternative technique for Minion, which involves exfiltrating data via error codes. All credits for this technique go to @m0noc who actually made this work and used it to pwn Minion. The Situation In Minion we had command execution which returned the exit code of the command called. 0 for success and 1 for failure. In re...

HackTheBox - Node

This writeup describes exploitation of the Node machine on HackTheBox. Many thanks to @rastating for a fantastic box and @Geluchat for helping me craft the final buffer overflow. Chapters: Enumeration Privilege Escalation - Tom Privilege Escalation - Root Binary Analysis Arbitrary File Disclosure Command Executi...

HackTheBox - Mantis

This writeup details attacking the Mantis machine from HackTheBox. In short, this machine looked indomitable at the start with its ridiculous list of open ports. Targeted enumeration, however, reveals that it’s not as bad as first expected. Chapters: Enumeration MS-SQL Credentials MS14-068 Topics: MS-SQL Enumera...

HackTheBox - Shrek

This post will describe exploitation of the Shrek machine on HackTheBox. Shrek, also known as steganography hell, or ‘How the hell was anyone supposed to know to do that 7ckm3?’. It’s very much the resident CTF box, so techniques like steganography are more common than service misconfigurations. Also to be expected is a lot of trolling. In...

Stack Buffer Overflows: Linux 3 - Bypassing DEP with ROP

In this chapter we’ll be dealing with systems with ASLR disabled, and with all binary protections disabled bar NX. Here you’ll learn how to craft basic ROP chains using functions in libc, and how to chain multiples of these together. Prior Reading: Chapter 1 Chapter 2. Environment: Ubuntu 16.04 32bit GDB Peda The code we’ll be us...