Skip to main content

Posts

Showing posts from May, 2018

VM 24 Vulnserver :

walkthru: A. ine.com B. https://samsclass.info/127/proj/vuln-server.htm C. http://bulbsecurity.com/finding-bad-characters-with-immunity-debugger-and-mona-py/ [badchar] steps: 1-Fuzzing 2- Create pattern size based on above step to get EIP address (create shell code using pattern create. Remove loops. Shell code is x number where x was sized from previous steps. In this case 2003 bytes) 3-Overwriting the offset (use pattern_create to find the offset using EIP from above and verify the offset. overwite the EIP address with B or 42424242. shell code is  2003 *A+4B ) 4- Finding bad character (remove bad characters ( e.g. null byte) as if come across , it would truncate the string and mess you our exploit. shell code is  2003 *A+4*B+ badchar) 5-Finding the right module (mona module to identify a DLL preferably that we can inject to with no ASLR, no memory protection, no DEP, use nasm shell to convert  assembly address to hex, identifying EIP address which w...
Post a Comment
Read more

VM 3: brainpan

Wlakthru: A.        https://www.youtube.com/watch?v=qwos6n6USE4 B.        http://www.daftandcurious.com/2013/04/brainpan-journey-into-exploit.html [file filenam.exe, NC filename 9999, no gcc, strings, wine, SUID/SGID binaries and file permission misconfigurations,  special permissions we can use with  sudo ] C.        http://rgolebiowski.blogspot.co.uk/2016/02/brain-pain.html [for look script showing number of packets being sent, using mona script and ASLR, 2nd buffer overflow to root, using gdb,  find / -perm -4000 -type f   ] D. https://www.doyler.net/security-not-included/brainpan-1-walkthrough [msfvenom reverseshell] E. http://hatriot.github.io/blog/2013/04/02/solving-brainpan/ [ 2nd buffer overflow to root, using gdb, but I was getting error after gdb ./validate. When I run  (gdb) r $(perl -e 'print "\x41"x120') , I am getting no such file or ...
Post a Comment
Read more

VM 4 mr.Robot

Walkthru: A. http://www.gcura.tech/vulnhub-mr-robot-1/ [Wordpress, Wscan brute force, sort/uniq pwd file, php revershell block, crack md5 pwd, search files with SUID bit set] B. https://www.exploit-db.com/exploits/37292/ [local priv escalation which didn't work on execution . Getting exploit failed when run as ./ofs as deamon or user robot] C. https://www.exploit-db.com/exploits/41963/ [didnt work. used burp to intercept and modify http request. one time it kind of work after I modified the request and got the option to email the link but still not sure how to access the reset link if the system was able to send the request in] D. https://www.youtube.com/watch?v=vxFYfJbQAoc&has_verified=1[shows license.txt includes user/pwd for user  elliot  which I did not see in the app. but shows way to crack it using o/s ] E. https://aisherwood.gitbooks.io/reference-book/content/mr-robot.html [extract username from VM wiki site  using cewl , use hydra to cr...
Post a Comment
Read more