2022

Welcome to the third and final installment of the “Chrome Browser Exploitation” series. The main objective of this series has been to provide an introduction to browser internals and delve into the topic of Chrome browser exploitation on Windows in greater depth.

In my previous post “Chrome Browser Exploitation, Part 1: Introduction to V8 and JavaScript Internals”, we took our first deep dive into the world of browser exploitation by covering a few complex topics that were necessary for fundamental knowledge. We mainly covered topics on how JavaScript and V8 worked under the hood by exploring what objects, maps and shapes were, how these objects were structured in memory, and we also covered some basic memory optimizations such as pointer tagging and pointer compression. We also touched on the compiler pipeline, bytecode interpreter, and code optimizations.

Web browsers, our extensive gateway to the internet. Browsers today play a vital role in modern organizations as more and more software applications are delivered to users via a web browser in the form of web applications. Pretty much everything you might have done on the internet involves the use of a web browser, and as a result, browsers are among the most utilized consumer-facing software products on the planet.

2020

In my previous post “Red Team Tactics: Utilizing Syscalls in C# - Prerequisite Knowledge”, we covered some basic prerequisite concepts that we needed to understand before we could utilize syscalls in C#. We touched on some in-depth topics like Windows internals and of course syscalls. We also went over how the .NET Framework functions and how we can utilize unmanaged code in C# to execute our syscall assemblies.

Over the past year, the security community - specifically Red Team Operators and Blue Team Defenders - have seen a massive rise in both public and private utilization of System Calls in Windows malware for post-exploitation activities, as well as for the bypassing of EDR or Endpoint Detection and Response.

Happy Holidays and a Happy New Year 2020 readers!

2019

On August 22, 2019 I received yet another one of the most desired emails by aspiring Offensive Security enthusiasts and professionals…

In my previous post “Google CTF (2018): Beginners Quest - PWN Solutions (1/2)”, we covered the first set of PWN solutions for the Beginners Quest, which touched on topics such as code injection, reverse engineering, buffer overflows, and format string exploits.

In my previous post “Google CTF (2018): Beginners Quest - Reverse Engineering Solutions”, we covered the reverse engineering solutions for the 2018 Google CTF, which introduced vulnerabilities such as hardcoded data, and also introduced the basics of x86 Assembly.

In my previous post “Google CTF (2018): Beginners Quest - Web Solutions”, we covered the web challenges for the 2018 Google CTF, which covered a variety of security issues ranging from topics such as the improper use of client-side scripts, and other simple vulnerabilities like cross-site scripting (also known as XSS).

In my previous post “Google CTF (2018): Beginners Quest - Miscellaneous Solutions”, we covered the miscellaneous challenges for the 2018 Google CTF, which covered a variety of security issues ranging from topics such as improper data censoring to security vulnerabilities like SQL injections.

In my previous post “Google CTF (2018): Beginners Quest - Introduction”, we covered how to break into CTFs and I also introduced the 2018 Google CTF. In this post we will be covering the miscellaneous (misc) solutions for the Beginners Quest, which contained a variety of security issues ranging from topics such as improper data censoring to security vulnerabilities like SQL injections.

Over the past couple of weeks I’ve been doing a lot of CTFs (Capture the Flag) - old and new. And I honestly can’t believe what I’ve been missing out on. I’ve learned so much during this time by just playing the CTFs, reading write-ups, and even watching the solutions on YouTube. This allowed me to realize how much I still don’t know, and allowed me to see where the gaps in my knowledge were.

Happy Holidays and a Happy New Year 2019 readers!

2018

It goes without saying that being a Professional Penetration Tester is one of the “sexier” jobs in InfoSec. I mean, let’s be honest here - who wouldn’t want to break into buildings, and hack companies like Elliot from Mr. Robot, or carry out crazy hacks against banks and casinos like in the Ocean’s series, all while doing it legally?

In the past few weeks I finally found time to dig into my library and read some of the books that I’ve been meaning to read since like last year. One of the books that really warranted my attention was Attacking Network Protocols by James Forshaw.

DISCLAIMER:

Happy Holidays and a Happy New Year 2018 readers!

2017

On December 19, 2017 I received one of the most desired emails by aspiring Offensive Security enthusiasts and professionals…

In my previous post “Pentestit Lab v11 - Access Control Token (10/12)”, we carried out intelligence gathering on the Access Control machine, exploited a Command Injection Vulnerability, and found our tenth token. Today we will continue going back to machines we missed during our exploitation of the Main Office Subnet - which will include the following:

In my previous post “Pentestit Lab v11 - ClamAV Token (9/12)”, we continued our intelligence gathering by footprinting the 192.168.11.x subnet, exploited a Remote Command Execution Vulnerability in SendMail, exploited a Privilege Escalation Vulnerability in OSSEC, and found our ninth token. Today we will go back into the Main Office Subnet and attack the Access Control Server - which will include the following:

In my previous post “Pentestit Lab v11 - Cloud Token (8/12)”, we utilized tcpdump for Network Reconnaissance on the compromised 192.168.10.1 machine, accessed the cloud server via intercepted credentials, cracked a KeePass Password Hash, and found our eighth token. Today we will go back and footprint the 192.168.11.X subnet to see if we missed anything - which will include the following:

In my previous post “Pentestit Lab v11 - Connect Token (7/12)”, we footprinted the 192.168.11.1 subnet, exploited a Command Injection Vulnerability, carried out Post-Exploitation Reconnaissance, and utilized a Rogue FTP Server Response to attain our seventh token. Today we will continue our exploitation of the 192.168.10.1 machine - which will include the following:

In my previous post “Pentestit Lab v11 - Director Token (6/12)”, we footprinted the DIR Subnet using a compromised SSH Key for the 172.16.0.252 Router in the Main Office, utilized compromised credentials for RDP Access, utilized Intercepter-NG for ARP Poisoning and a MitM Attack to attain Shell Access on the Director’s computer, and found our sixth token. Today we will continue footprinting the 192.168.x.x subnets - which will include the following:

In my previous post “Pentestit Lab v11 - CUPS Token (5/12)”, we footprinted the CUPS server, exploited a SQL Injection Vulnerability that allowed us to gain access to the CUPS server, found an SSH Private Key, and found our fifth token. Today we will utilize our newly found SSH Private Key to gain access to the Director Subnet - which will include the following:

In my previous post “Pentestit Lab v11 - AD Token (4/12)”, we footprinted the AD server, utilized Pass the Hash by using our newly found hash for SMB Authentication, and found our fourth token. Today we will continue our attack on the Main Office by attacking the CUPS Server - which will include the following:

In my previous post “Pentestit Lab v11 - RDP Token (3/12)”, we footprinted the Office 2 subnet, utilized SSH tunneling to attain RDP access, enumerated and brute forced RDP usernames/passwords, utilized the MS16-032 Privilege Escalation Exploit, found a user password hash, and found our third token. Today we will return back to the Main Office to utilize our newly found hash to compromise the AD Server, and the AD Token - which will include the following:

In my previous post “Pentestit Lab v11 - Site Token (2/12)”, we found an SSH Login to Office 2 via Intelligence Gathering, brute forced OpenVPN which allowed access to the Main Office, exploited a SQL Injection Vulnerability, and found our second token. Today we will leverage our SSH Login to carry out Intelligence Gathering on the Office 2 subnet, and to compromise the RDP Token - which will include the following:

In my previous post “Pentestit Lab v11 - CRM Token (1/12)”, we found a SQL Injection Vulnerability on the main WordPress site and a Remote Code Execution Vulnerability in VTiger CRM via Intelligence Gathering, brute forced the CRM, attained user information and login credentials, exploited our newly found authenticated RCE vulnerability, and found our first token! Today we will leverage our newfound credentials to gain access to the internal network, and to compromise the site - which will include the following:

In my previous post “Pentestit Lab v11 - Introduction & Network”, we covered the Network and VPN Connection. Today we will be covering the first steps taken to attack the lab - which will include the following:

Hello readers, and welcome back to another series of the Pentestit Write-ups! I know it has been a while since I last posted here - but with the release of the v11 Pentestit Lab I became ecstatic and managed to find some time to go through the lab and create these write-ups.

In my previous post “Pentestit Lab v10 - WIN-DC0 Token (12/13)”, we utilized our VPN access and the WIN-TERM machine to pivot into the WIN-DC0 machine, gathered account and domain information, exploited the MS14-068 vulnerability to forge a Kerberos Ticket, mounted the Admin share of WIN-DC0 to the WIN-TERM machine, and found our twelfth token. Today we will utilize our VPN and compromised domain to attack the Cloud machine - which will include the following:

In my previous post “Pentestit Lab v10 - WIN-TERM Token (11/13)”, we utilized our VPN tunnel to access the WIN-TERM machine via RDP, exploited the MS16-032 vulnerability to escalate our privileges to System, mounted an encrypted share via TrueCrypt, accessed a KeePass database, and found our eleventh token. Today we will utilize our WIN-TERM access to pivot into the WIN-DC0 machine and compromise the domain - which will include the following:

In my previous post “Pentestit Lab v10 - Web-Control Token (10/13)”, we utilized our VPN tunnel via SSH on the compromised gw machine to access the internal network, brute forced our way into a custom application running on the Web-Control machine, exploited a Command Injection Vulnerability, and found our tenth token. Today we will be utilizing our VPN access to attack the WIN-TERM machine - which will include the following:

In my previous post “Pentestit Lab v10 - Hall of Fame Token (9/13)”, we continued utilizing our gw machine as a pivot point, utilized SSHuttle as a VPN to access the internal network, exploited an SST Inject on the Hall of Fame website, and found our ninth token. Today we will be utilizing our VPN access to the internal network to attack the Web-Control machine - which will include the following:

In my previous post “Pentestit Lab v10 - News Token (8/13)”, we continued to utilize the compromised gw machine as a pivot point to attack the News Machine, utilized our SSH Tunnel to gain access to the website, exploited an Open Sessions vulnerability on the News site, and found our eighth token. Today we will be utilizing our pivot point to attack the Hall of Fame Machine - which will include the following:

In my previous post “Pentestit Lab v10 - Captcha Token (7/13)”, we pivoted further into the internal network via an SSL Tunnel to access the Captcha Machine, exploited a Command Injection vulnerability, established a VPN connection via SSH to gain a foothold on the internal network, and found our seventh token. Today we will continue our pivot into the internal network and attack the News Machine - which will include the following:

In my previous post “Pentestit Lab v10 - Blog Token (6/13)”, we further utilized the gw machine to pivot into the internal network and access the Blog via an SSH Tunnel, exploited Joomla with an Account Creation/Privilege Escalation exploit, and found our sixth token. Today we will be pivoting further into the network and attacking the Captcha Machine - which will include the following:

In my previous post “Pentestit Lab v10 - Store Token (5/13)”, we took a step back to map the attack surface of the Store Web Application, utilized the compromised gw machine to create an SSH Tunnel to bypass access control restrictions, exploited a Blind SQL Inject via sqlmap, and found our fifth token. Today we will be pivoting into the internal network via our compromised gw machine and attacking the Blog Machine - which will include the following:

In my previous post “Pentestit Lab v10 - SSH-Test Token (4/13)”, we utilized the compromised gw machine to pivot into the internal network, used previously compromised private SSH Keys to gain access to the SSH-Test Machine, and found our fourth token. Today we will be taking a step back and attacking the main Store - which will include the following:

In my previous post “Pentestit Lab v10 - SSH Token (3/13)”, we leveraged newly found credentials for SSH Access on the gw machine, enumerated files and directories with a custom Python script, extracted private data - such as private SSH Keys - and finally found our third token. Today we will be leveraging the compromised gw machine to access the internal network and compromise the SSH-Test machine - which will include the following:

In my previous post “Pentestit Lab v10 - Site Token (2/13)”, we mapped the attack surface of the GDS Blog, exploited a SQL Inject while bypassing the WAF filter, cracked user credentials, gained administrative access to the blog, and scored our second token. Today we will be leveraging our newfound credentials to compromise the gw machine - which will include the following:

In my previous post “Pentestit Lab v10 - Mail Token (1/13)”, we attained usernames through Intelligence Gathering, brute forced the SMTP Service, attained login credentials, and scored our first token. Today we will take our first steps at compromising the Global Data Security website - which will include the following:

In my previous post “Pentestit Lab v10 - Introduction & Network”, we covered the Network and VPN Connection. Today we will be covering the first steps taken to attack the lab - which will include the following:

Ever wondered what it feels like to hack a company? To breach their systems, traverse their network, and gain complete and total control of their domain - but all within the bounds of legality? Well look no further!

Happy Holidays and a Happy New Year 2017 readers! Thanks for joining me today as we go over the SANS 2016 Holiday Hack Challenge! Which honestly, was the most fun I ever had!

2016

Welcome back to the Final Chapter of the Kioptrix VM Series!

Welcome back to the Kioptrix VM Series!

Welcome back to the Kioptrix VM Series!

Welcome back to the Kioptrix VM Series!

“Try Harder”… the quote that brings fear and confusion into every PWK participant; all working hard to obtain the prestigious OSCP Certificate.

Welcome back to another VulnHub CTF write-up! Today we will be pwning SickOS 1.1 - which can be found here on VulnHub.

Welcome back to my 2nd VulnHub CTF! This time we will be tackling Stapler: 1!

When a bug finally makes itself known, it can be exhilarating, like you just unlocked something. A grand opportunity waiting to be taken advantage of. - Mr. Robot, 2016

Welcome back! This post is the continuation of the Natas wargame from OverTheWire.

Welcome back! This post is the continuation of the Natas wargame from OverTheWire.

Web Hacking; one of the most dangerous attack vectors out on the internet in today’s world. Web Hackers have gotten away with millions of user accounts and passwords, credit card information, and even social security numbers!

Leviathan: A large aquatic creature of some kind. The Bible refers to it as a fearsome beast having monstrous ferocity and great power. Today, the word has become synonymous with any large sea monster or creature. In literature it refers to great whales, and in Modern Hebrew, it simply means “whale”. And trust me… you will have a “whale” of a time with this wargame! Eh? EH? No? – Fine, I’ll see my way out…

Hey, Welcome Back! This post is the continuation to the “Bandit” Wargame found at: overthewire.org.

Over the past couple weeks, I have been digging deeper and deeper into the realm of penetration testing (or as many like to call it… hacking). I have been obsessively doing research, practicing, and honing my basic level Linux skills, as well as expanding my toolset knowledge.