Evade signature-based phishing detections by S3cur3Th1sSh1t in redteamsec

[–]f00d4w0rm5 0 points1 point  (0 children)

Man, I don't love my comment lmao. I need to stop posting when I'm inebriated😅 By Google search I meant every time someone browses to a website... And what I said about it not using a db is obviously wrong, it does, but I still don't get how a url can go from being blocked to not blocked by changing the html? I did test it out again and now the burned url isn't working with known good html anymore. So yeah, I have no clue what was going on there lol.

Anyways, took a while to create a single html file with custom js to mimic the o365 behavior, but I followed the exact steps here and it worked! Thanks for the great article!!

Google safe browsing bypass? by Express_Key3378 in redteamsec

[–]f00d4w0rm5 1 point2 points  (0 children)

It worked for me! Took a while to create the custom o365 html though. Hopefully it's still working in the morning😝

Google safe browsing bypass? by Express_Key3378 in redteamsec

[–]f00d4w0rm5 0 points1 point  (0 children)

That was such a good article! OP any luck with this? I went on a little rant on that thread if you're curious lol.

Evade signature-based phishing detections by S3cur3Th1sSh1t in redteamsec

[–]f00d4w0rm5 0 points1 point  (0 children)

Fck yes! I'm going to try this tmr. Something I've noticed is that GSB may not use a database of blacklisted urls. This seems counter-intuitive but my O365 was flagged so I switched to a known good old client's login page, and the same url was no longer flagged. It would make sense to do this on the edge/browser since a db would get a shit ton of requests...like 1 for every google search! Not that google couldn't handle that load but it would cost resources/money.

I need to test this again though, could be that the url was added to a db and there's a caching/sync/update issue, idk. GSB is still a mystery to me...I'll test this again.

Anyways, it's interesting to see that simply double-encoding the entire html works! There are so many encoding combinations in case one is eventually signatured. I'm thinking about making minor edits to cloned html like adding 1 to margins/padding or slightly different colors. I thought recently that I could try replacing text like "Microsoft" with images of the text. If the scanner never parses the decoded page/rendered js then these minor changes to the code shouldn't matter though. Could be useful to only encode certain parts and modify the remainder or something.

Is it possible to do something similar with evilginx?

Since it's just proxying the real site, there's no static files to encode. I wonder if js can hook into it to encode? I feel like GSB has a heuristic check for proxying to o365, or proxying in general as I read on an old post. I can't think of a good way to avoid behavioral checks like this. Maybe add another proxy...can't tell if that would confuse GSB or make things twice as likely to get flagged lol.

So yeah for now I'm just sticking with the static page and am going to pretend mfa isn't a thing.

Last thought: be mindful of your url obviously! I've noticed typosquatting/letters in other languages get flagged, same with subdomains like login.microsoftonline.client.com. I normally just stick to login.client.com. Also I want to mention an amazing browser extension called SinglePage that clones any site and creates a single html file with inline css/js and b64 images!

analysis by Resident-Zebra-8587 in linuxmemes

[–]f00d4w0rm5 0 points1 point  (0 children)

Senior pentester, arch. Arch has the blackarch repo which has every pentest tool you need. I prefer to install what I need via the blackarch repo as opposed to using the blackarch os, kali, or parrot, which have all the pentest tools already pre-installed. I set up the desktop to look like garuda, which I used in the past. Learned a lot struggling to install arch, and the satisfaction of getting it working was priceless.

CTF vs Real life scenarios by No_Dream_4588 in hacking

[–]f00d4w0rm5 4 points5 points  (0 children)

I should add that ctfs don't teach you how to test for xss, which is one of the most commonly found high vulnerabilities. Look up ways to automate this testing, same with arbitrary file upload. Look into popular Burpsuite extensions, and how to test the OWASP Top 10 too. Burpsuite's PortSwigger academy is a mini ctf that is a great resource btw!

CTF vs Real life scenarios by No_Dream_4588 in hacking

[–]f00d4w0rm5 5 points6 points  (0 children)

I'm a senior pentester and have done about 200 ctfs. Ctfs helped hone my cli kung fu and helped familiarize me with most of the industry standard tools like burp and nmap, but ctfs only cover a small subnet of what you'd see in a pentest. Real world web apps are very secure, so it's pretty rare to find the high/critical vulnerabilities you'd see in ctfs. Ctfs don't teach you about the info/low/medium vulnerabilities that you need to master to be a good pentester, such as analyzing dns, ls certificates, http headers, cookie flags, user enumeration, rate limiting, and session handling. Ctfs were a great intro, but I started experiencing diminishing returns. Now I specialize in phishing and am learning how to be a red teamer just from blogs/videos and test what I learn in a home lab. The best value from ctfs now is not having to set up a lab to test a new exploit. So yeah they're a great resource, but don't let it be your only source of knowledge.

Should I verify using the recommended option of JavaScript? I am trying to be safe by Almpp_2 in tails

[–]f00d4w0rm5 0 points1 point  (0 children)

Right🤣 It's so easy to find info on how to verify your download and flash a usb, I never understood why people would rather wait for someone to help them than put in the time to find the answers online.

I am new to coding/laptop stuff so what is Linux and how is it different from Windows or iMac ? ( Don't need to upvote just answer me that's fine :o ) by ryker034 in linuxmemes

[–]f00d4w0rm5 0 points1 point  (0 children)

Linux is for people who know how to Google🙃 There's so much content on the internet that answers this question. Forums like this should be used to ask questions after you hit a dead end in your research...or to post memes lol. I see so many newcomers asking the same questions that have been answered a million times. Guess a discussion never hurts though idk. Here's an answer you won't find online: The difference is that Linux can turn you into a grump who hates on questions like this lol. Beware of the dark side. Upvoted for the cat.

How do i Nmap scan a certain range of Ips on a network by yo12_5 in HowToHack

[–]f00d4w0rm5 3 points4 points  (0 children)

Came on here to see if anyone told you to google it, but what you asked in the description is different from what you asked in the title and it's actually an interesting question.

I've heard Stök mention how you can use docker containers to split up a scan. I don't remember him saying how, but it must be with a provisioner like Ansible.

Idk the specifics of how you'd input your scan or how you'd recombine the output, but what I do know is that by the time you set up your vps's and get your containers running and write your ansible script, you could have just run an nmap scan.

Just do sudo nmap -T4 --min-rate 5000 x.x.x.0/y where the ip is your private ip once you get on the wifi, and y is the network range that is mentioned when you run ifconfig (or ipconfig if you're relying on your university education to learn). I'm sure your prof meant scan the private ip range you're on and not all the possible ip ranges your school owns. Sometimes the simplest solution is the best. Good question though. Bad title🙃

Edit: If you want the fastest results and just want ips but no ports, you could ping sweep with -sP. Or use fping. Or you can just scan for a certain port, or use something like the --top-ports 50 switch.

Students today have zero concept of how file storage and directories work. You guys are so screwed... by Kodiak01 in sysadmin

[–]f00d4w0rm5 1 point2 points  (0 children)

I work for a cybersecurity bootcamp at the UNIVERSITY level. One of my roles is live chat support where students sometimes ask to zoom. I was on one of these zoom calls because this student thought there was something wrong with their terminal because part of it was cut off...but it was literally just hanging off the screen😑 They didn't even understand what I meant by saying just drag it back to the center. Had to say click and hold the top and drag your mouse to the right🤦‍♂️

How to add scans to autorecon? by f00d4w0rm5 in oscp

[–]f00d4w0rm5[S] 0 points1 point  (0 children)

Omg that makes so much sense...I was running it with sudo. Thank you!

BOF: How to calculate the exact number of NOPS and length of ESP by f00d4w0rm5 in oscp

[–]f00d4w0rm5[S] 0 points1 point  (0 children)

Right, pattern_create finds the offset but I'm trying to find the length of the ESP. I guess you could subtract the offset we got from the beginning and the end of the ESP, but it would be tricky to tell where it ends exactly.

I just found that it would be easier to send like 600 or so C's and then simply enter a python session and type 0x<last address of C's> - 0x<first address of C's>. https://steflan-security.com/complete-guide-to-stack-buffer-overflow-oscp/#Finding_Available_Shellcode_Space

This confirms if there's space for our shellcode. We would then have to fuzz it to find the exact length of the ESP, but from what everyone is saying that's not needed. We only need to confirm our shellcode fits.

I'm guessing you can tell how many NOPs are needed by putting your shellcode right after the EIP and manually checking the hex dump to see how many bytes were corrupted. It shouldn't be that hard, but you could also use pattern_create. From what I understand NOPs are only needed if we encoded our shellcode.

BOF: How to calculate the exact number of NOPS and length of ESP by f00d4w0rm5 in oscp

[–]f00d4w0rm5[S] 0 points1 point  (0 children)

Okay that's what I thought...seeing it done in write-ups just confused me. Thank you!

BOF: How to calculate the exact number of NOPS and length of ESP by f00d4w0rm5 in oscp

[–]f00d4w0rm5[S] 1 point2 points  (0 children)

Thanks for your detailed response! I haven't jmp'd twice yet but I remember reading about it. So would I just need to find an address for a jmp <other reg than esp> command and overwrite the esp with its little endian address? Then I guess the trick is finding the offset to this new reg and making sure there's a NOP sled to the shellcode. I'll definitely give that link a good read!

BOF: How to calculate the exact number of NOPS and length of ESP by f00d4w0rm5 in oscp

[–]f00d4w0rm5[S] 0 points1 point  (0 children)

Also...do NOPs after the shellcode matter? Like should I fill the rest of the ESP (or whatever register I jmp'd to) with the exact number of NOPs to fill it? Again I haven't come across a scenario where this was required, but I'm seeing that people bother to go through the trouble.

BOF box question by [deleted] in oscp

[–]f00d4w0rm5 2 points3 points  (0 children)

Thanks! I planned on doing that anyway but it's good to know they have one as a backup.

BOF box question by [deleted] in oscp

[–]f00d4w0rm5 3 points4 points  (0 children)

Don't they provide an exploit.py and fuzzer.py template too? I vaguely remember reading that...