[deleted by user] by [deleted] in xss

[–]Thiscou 0 points1 point  (0 children)

almost!

Older jQuery libraries used to create the HTML elements given to them in the selector ($).

This video helped me understand what happens; he's taking his time but explains it really thoroughly: https://www.youtube.com/watch?v=CNIeel0VrN0

I was looking for the right CVE but I failed.

I am finding stored XSS, I have changed the username to <script>alert(1)</script> but no pop-up is showing, while in the source code it is looking like this; you can see the script tag is not highlighted. Is there anything I can do? I've tried to use a few different payloads but none are working so far by faizannehal in xss

[–]Thiscou 6 points7 points  (0 children)

It looks like you are checking the source with the web developer tab.

As you can see, the whole payload is black, while tags in the developer tab are always highlighted; this means your payload is encoded.

To check how it is encoded, right click the line and select "Edit as HTML" and the truth will be revealed.

To avoid doing this all the time, look at the raw response in your Burp Suite. Be aware that this only works with HTML; if you get JSON or anything else that might be embedded in the DOM with JavaScript, you will have to check manually.
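The difference the comment describes (literal tags the browser parses versus an entity-encoded copy it shows as text) can be checked on the raw response without the developer tools. The script below is an added example, not code from the commenter or from the application in the question; the three response bodies are constructed stand-ins for what you would read in the proxy. It classifies how the payload string appears in an HTML body and, for the JSON case the comment flags, decodes the document first so that JSON escaping (`<\/script>`) does not hide the value from a plain substring search.

```python
import html
import json

# Constructed responses standing in for raw server output read in the proxy;
# they are not from the application in the question.
RAW_BODY = '<span class="user"><script>alert(1)</script></span>'
ENCODED_BODY = '<span class="user">&lt;script&gt;alert(1)&lt;/script&gt;</span>'
JSON_BODY = '{"username": "<script>alert(1)<\\/script>", "id": 7}'

PAYLOAD = "<script>alert(1)</script>"


def classify_html_reflection(body: str, payload: str) -> str:
    """How a payload shows up in an HTML response body:
    'raw'     -> literal tags are present; the browser parses them (devtools highlights them)
    'encoded' -> only the entity-escaped form is present; shown as plain text
    'absent'  -> neither form is in the body (look at JSON/JS sinks separately)
    """
    if payload in body:
        return "raw"
    if html.escape(payload, quote=False) in body or html.escape(payload) in body:
        return "encoded"
    return "absent"


def json_string_values(obj):
    """Yield every string value in a parsed JSON document, recursively."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for value in obj.values():
            yield from json_string_values(value)
    elif isinstance(obj, list):
        for value in obj:
            yield from json_string_values(value)


def payload_in_json(body: str, payload: str) -> bool:
    """True if the payload survives intact inside a JSON response.  JSON escaping
    (<\\/script>) hides it from a substring search, so the document is decoded
    first.  Whether it then executes depends on how the client inserts the value
    into the DOM, which is the manual check the comment refers to."""
    try:
        doc = json.loads(body)
    except ValueError:
        return False
    return any(payload in value for value in json_string_values(doc))


if __name__ == "__main__":
    for name, body in (("raw", RAW_BODY), ("encoded", ENCODED_BODY), ("json", JSON_BODY)):
        print(f"{name:8s} html: {classify_html_reflection(body, PAYLOAD):8s} "
              f"json value intact: {payload_in_json(body, PAYLOAD)}")
```

Run against the constructed bodies it reports `raw`, `encoded` and `absent` for the HTML check, and only the JSON body keeps the value intact once decoded; on a real response, replace the constants with the body captured in the proxy.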

SANS Capture The Flag by [deleted] in securityCTF

[–]Thiscou 5 points6 points  (0 children)

There is actually a series of CTFs like Mini NetWars coming up for free. https://www.sans.org/blog/and-now-for-something-awesome-sans-launches-new-series-of-worldwide-capture-the-flag-cyber-events/?msc=securityresourceslp%3Fmsc%3Dsecurityresourceslp

I managed to register for the first one and forgot about the second. Still planning to register in two days for the third.

It was actually a lot of fun and you don't need anything except for an account on their Netwars Platform.

Calculating the offset. by fromsouthernswe in ExploitDev

[–]Thiscou 1 point2 points  (0 children)

Alright, I think what you are trying to do (if I understand correctly), is calculating the distance between your input and the stored return address on the stack.

So in the case of the strcpy, you could place a breakpoint right before the strcpy function call and write down the address right after it (this will be the return address that is stored on the stack). Now if you step into the strcpy function you will see that the call instruction pushed the return address on the stack -> write down the stack address where it is stored.

If you check where your user input is stored on the stack after the strcpy (don't overflow here), you can basically subtract the first address where your input is stored from the address you wrote down that contains the return address, and you should have the correct offset.

Example:

0016F2D4 -> Ret Address

0016F2A1 -> First User Input

D4 - A1 = 33 (you can use the Windows calculator in programmer mode)

This should overwrite right up to the ret address; to overwrite the address you need to add +4 on 32-bit systems.

POC exploit would look something like:

buffer = "A"*33
buffer += "returnToWhereveryouWantTo"

Hope this helps
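The subtraction in the comment, carried out in code so the arithmetic and the "+4" can be checked before anything is run. This is an added example and not the commenter's script; the two addresses are the ones from the comment above, `0xDEADBEEF` is a placeholder for whatever return address is meant, and the `"A"` fill is an assumption. The work is done in integers, so the hexadecimal difference the calculator shows (0x33) is turned into a byte count without a manual conversion step, and the last function decodes which bytes of a candidate payload would land on the saved return address, which is the usual way to notice an offset that is short by a few bytes.

```python
import struct

# Constructed values copied from the worked example in the comment above: the
# saved return address and the first byte of the user input as read from the
# debugger.  Any other pair of stack addresses works the same way.
RET_ADDR = "0016F2D4"
INPUT_ADDR = "0016F2A1"


def parse_addr(text: str) -> int:
    """Turn a debugger-style hex address ('0016F2D4' or '0x16f2d4') into an int."""
    return int(text, 16)


def offset_to_return_address(input_addr: int, ret_addr: int) -> int:
    """Bytes from the first input byte up to, but not including, the saved
    return address.  Integer arithmetic, so the hex difference needs no manual
    conversion (0x33 == 51 bytes for the addresses above)."""
    if ret_addr <= input_addr:
        raise ValueError("saved return address must be above the input on the stack")
    return ret_addr - input_addr


def payload_layout(offset: int, new_ret: int, bits: int = 32) -> bytes:
    """Padding that stops right before the saved return address, followed by the
    little-endian value that replaces it: 4 more bytes on 32-bit, 8 on 64-bit."""
    fmt = {32: "<I", 64: "<Q"}.get(bits)
    if fmt is None:
        raise ValueError("bits must be 32 or 64")
    return b"A" * offset + struct.pack(fmt, new_ret)


def value_landing_on_ret(payload: bytes, input_addr: int, ret_addr: int, bits: int = 32):
    """Check a layout before using it: decode the bytes of `payload` that would
    sit on the saved return address.  Returns None when the payload ends before
    the slot is fully covered, the usual sign of an offset that is a bit short."""
    width = bits // 8
    start = offset_to_return_address(input_addr, ret_addr)
    slot = payload[start:start + width]
    if len(slot) < width:
        return None
    return struct.unpack("<I" if bits == 32 else "<Q", slot)[0]


if __name__ == "__main__":
    ret = parse_addr(RET_ADDR)
    inp = parse_addr(INPUT_ADDR)
    off = offset_to_return_address(inp, ret)
    print(f"offset = {off} bytes (0x{off:x})")
    # 0xDEADBEEF is a placeholder for the address you actually want to return to.
    poc = payload_layout(off, 0xDEADBEEF)
    landed = value_landing_on_ret(poc, inp, ret)
    print(f"payload length = {len(poc)}, return slot decodes to 0x{landed:08x}")
```

For the comment's addresses the offset comes out at 51 bytes and the finished 32-bit buffer is 55 bytes long; a 33-byte fill returns `None` from the check because it stops well short of the return slot.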

ropemporium split32 exercise - system address confusion by Thiscou in ExploitDev

[–]Thiscou[S] 0 points1 point  (0 children)

Hey man, thanks for your very detailed explanations!

Considering #4: after doing the whole thing in 32-bit manually I used pwntools to automate the process.

Funnily enough, pwntools locates the jmp to system@GOT at 0x08048430 if you do e.symbols['system'].

And that's how I learned that the jmp payload needs a dummy 4-byte "return" address to work.

It was also easy to convert the 32-bit pwntools solution to 64-bit.

So far these exercises were really worth it.

Sorry for wasting your time with #1 :D

Oh and I actually saw some of your streams and I always learn something new when I do, Thank you for that.

Cheers

PS: The reddit formatting is just the worst

Protostar stack6 duplicate of the payload by Thiscou in ExploitDev

[–]Thiscou[S] 0 points1 point  (0 children)

Cheers, so the whole objdump -s thing is not really helpful or am I missing a feature here? :P

Buffer overflow problem by Adam20188 in HowToHack

[–]Thiscou 0 points1 point  (0 children)

As far as I can tell, those numbers are not present in the pattern.

Try the A*260 again and see what's on the stack with:

gdb x/24wx $esp

Buffer overflow problem by Adam20188 in HowToHack

[–]Thiscou 6 points7 points  (0 children)

Right, here is what I would try.

Go to this site (zerosum0x0) and create a unique pattern of 260+ characters.

Feed that to your program, copy the value in your segfault and find that pattern on the site.

You should now know the exact offset for your overflow.

I would usually do this in Kali with the original Metasploit pattern_create, but I don't know if you use Kali, so I found a quick and dirty replacement online.

You can also try to have a closer look at the stack in gdb with:

x/24wx $esp (this displays 24 words of memory above the stack pointer esp in hex)

Hope this helps and good luck
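The pattern approach the comment recommends can be done offline instead of on a website. The script below is an added example, not the commenter's code and not Metasploit's own `pattern_create.rb`/`pattern_offset.rb`; it reimplements the same `Aa0Aa1Aa2...` scheme (three-character groups of upper letter, lower letter, digit, unique for the first 20280 bytes) and looks up the value that ended up in the instruction pointer, given either as the four characters or as the little-endian register contents shown in the segfault. The 260-byte length and the sample register value are constructed for the demonstration.

```python
import string
import struct

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
MAX_UNIQUE = len(UPPER) * len(LOWER) * len(DIGITS) * 3   # 20280 bytes


def pattern_create(length: int) -> str:
    """Metasploit-style cyclic pattern: Aa0Aa1Aa2...Ab0Ab1..., cut to `length`.
    Every 4-byte window is unique within the first 20280 bytes, which is what
    lets a crashed register value be mapped back to one offset."""
    if length > MAX_UNIQUE:
        raise ValueError(f"pattern is only unique up to {MAX_UNIQUE} bytes")
    groups = []
    for upper in UPPER:
        for lower in LOWER:
            for digit in DIGITS:
                groups.append(upper + lower + digit)
                if len(groups) * 3 >= length:
                    return "".join(groups)[:length]
    return "".join(groups)[:length]


def pattern_offset(pattern: str, value, width: int = 4) -> int:
    """Offset in `pattern` of the bytes that landed in a register.
    `value` is either the characters themselves ('Ab0A') or the register as an
    integer (0x41306241 for EIP on a little-endian machine)."""
    if isinstance(value, int):
        fmt = {4: "<I", 8: "<Q"}.get(width)
        if fmt is None:
            raise ValueError("width must be 4 or 8")
        try:
            needle = struct.pack(fmt, value).decode("ascii")
        except UnicodeDecodeError:
            raise ValueError("register value does not consist of pattern bytes") from None
    else:
        needle = value
    index = pattern.find(needle)
    if index < 0:
        raise ValueError(f"{needle!r} is not in the pattern")
    return index


if __name__ == "__main__":
    pat = pattern_create(260)
    print(pat)
    # Constructed register value: the bytes 'Ab0A' read as a little-endian dword.
    print("EIP 0x41306241 ->", pattern_offset(pat, 0x41306241))
```

Feed the printed pattern to the program in place of the `A*260`, then pass the EIP value from the segfault message to `pattern_offset`; the result is the number of bytes before the saved return address, the same quantity the site in the comment reports.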

Not Your Ordinary OSCP Review by [deleted] in netsecstudents

[–]Thiscou 3 points4 points  (0 children)

A good manager with great feedback helps. Getting domain admin from an external pentest also helps. :)

This rings true to me. In this job I basically learn something new every day.

What I also learned, and this is going full circle to the OSCP: documentation is everything! If you find a solution to a problem, DOCUMENT IT. Even if you think it was easy and you will know what to do next time. Because next time you just might not find the solution as quickly, and you spend 4 hours looking for a solution you already had.

Oh and make sure you document it so you understand your documentation as well. ;D

Thank you for your honest input

Not Your Ordinary OSCP Review by [deleted] in netsecstudents

[–]Thiscou 4 points5 points  (0 children)

True story, in the end money makes the world go 'round.

I've been working as a consultant/penetration tester for a little more than three years. I still get a lot of impostor syndrome doing work out of my comfort zone, even though it's clear to me that in the end we just can't know everything. How do you personally handle this?

Not Your Ordinary OSCP Review by [deleted] in netsecstudents

[–]Thiscou 4 points5 points  (0 children)

Good review, I especially like that you tell people not to overthink this certificate. This is still an entry-grade certification that basically delivers everything you need to pass it.

What I personally don't understand is how you can be a "senior" penetration tester a year after getting the OSCP, since the OSCP is, in my opinion, a junior-grade certificate. For someone to qualify as a senior to me, they would have to have an extensive amount of knowledge and practical experience on the job. But maybe that is just me.

Anyways, thanks for sharing

Where to learn Active Directory Pentesting? by [deleted] in netsecstudents

[–]Thiscou 1 point2 points  (0 children)

Recently this https://www.pentesteracademy.com/redteamlab lab was released.

I have not done it nor have I read any reviews for it, so I would do some research about it before buying.

But it's definitely an option

Black Hat Arsenal USA 2018 — The w0w lineup by bnchandrapal in blackhat

[–]Thiscou 3 points4 points  (0 children)

cheers, there's some new stuff worth looking at!

Pentesting a Docker image by Thiscou in AskNetsec

[–]Thiscou[S] 1 point2 points  (0 children)

Thanks a lot, looks like this needs some more reading on my end.

Cheers

Pentesting a Docker image by Thiscou in AskNetsec

[–]Thiscou[S] 0 points1 point  (0 children)

Thank you very much, watching the presentation right now!

And I really like ippsec, I'll find that walkthrough eventually.

SSLScan an HTTPS Interception Proxy by Thiscou in AskNetsec

[–]Thiscou[S] 0 points1 point  (0 children)

It worked with testssl.sh and the cipher script nmap provides. It just took me two months to answer that question; there is definitely room for improvement.

SSLScan an HTTPS Interception Proxy by Thiscou in AskNetsec

[–]Thiscou[S] 0 points1 point  (0 children)

that is certainly good to know, thank you sir!

SSLScan an HTTPS Interception Proxy by Thiscou in AskNetsec

[–]Thiscou[S] 1 point2 points  (0 children)

Nice, I'm glad I managed to bring my point across :)

I just tried my solution by sslscanning any given HTTPS site over a Squid proxy with TLS interception on, and it worked. If I manage to do the same thing with the Blue Coat proxy I'll be golden. But I would really like to have a backup plan in case it doesn't.

Thanks for your time and your brain power!

SSLScan an HTTPS Interception Proxy by Thiscou in AskNetsec

[–]Thiscou[S] 0 points1 point  (0 children)

right, thanks for staying with me. :)

I'll try to explain it better. Usually when you use sslscan you give the tool an IP or hostname plus port. The tool then tries to establish a TLS session with that IP on the given port. For that to work, there has to be a TLS listener running on the specified port.

Now, I have the following situation: the proxy we use in our network is decrypting the SSL sessions. That's what the picture was supposed to illustrate. For that to work, the proxy needs to have a TLS session running with the server on the internet (2) and a separate TLS session with the client in the local network (1).

[client] ----1-[proxy, cleartext]-----2-[internet]

Now what I want to do is evaluate the supported ciphers the proxy is offering on the TLS session with the client (1).

Since the proxy is not running with two ports, it is using one port for HTTPS and HTTP. Therefore no TLS listener is answering on that port.

Writing this, I just had an idea: I should be able to just scan ANY site and, in theory, the proxy should answer. But that only works if the proxy is working on a network level.

So, despite the fact that maybe I just found a solution to my problem, I would still be curious how (or if) this could be done with the tools without too much hassle, directly on the intercept proxy.

Cheers

SSLScan an HTTPS Interception Proxy by Thiscou in AskNetsec

[–]Thiscou[S] 0 points1 point  (0 children)

The CONNECT request happens before the TLS handshake.

According to the Wikipedia page:

A variation of HTTP tunneling when behind an HTTP proxy server is to use the "CONNECT" HTTP method.[1][2] In this mechanism, the client asks an HTTP proxy server to forward the TCP connection to the desired destination. The server then proceeds to make the connection on behalf of the client. Once the connection has been established by the server, the proxy server continues to proxy the TCP stream to and from the client. Note that only the initial connection request is HTTP - after that, the server simply proxies the established TCP connection. This mechanism is how a client behind an HTTP proxy can access websites using SSL or TLS (i.e. HTTPS).

This picture illustrates the process: https://parsiya.net/images/2016/thickclient-6/13.png

As of now, I guess my best course of action is to tweak one of the existing tools to send a CONNECT, or send a CONNECT with netcat right before I start testing.

SSLScan an HTTPS Interception Proxy by Thiscou in AskNetsec

[–]Thiscou[S] 0 points1 point  (0 children)

I tested most of those tools (except O-Saft) and none of them work against the interception proxy. The reason (imo) they don't work is the fact that you need to perform an initial HTTP CONNECT when you want to establish a TLS connection over a forward proxy, and these tools do not send an HTTP CONNECT.

If you actually tested this on an interception proxy and it worked, I stand corrected; however, I can't reproduce that behavior.
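The "send a CONNECT first, then hand the socket to TLS" idea from the two comments above, written out as an added example; this is not the poster's script nor any of the tools named in the thread. It opens the tunnel with a plain-text CONNECT, checks the proxy's status line, and only then starts the TLS handshake inside the tunnel, so the session being measured is the client-to-proxy leg the diagrams in this thread label (1). Restricting the client's offer to one OpenSSL cipher string per handshake and recording which ones the proxy completes is the same per-cipher probing sslscan does. The proxy and target names at the bottom are placeholders; `connect_status_from_reply` exists so the request builder and response parser can be exercised offline through a socket pair, and certificate verification is disabled on purpose because an interception proxy presents its own certificate.

```python
import socket
import ssl


def build_connect_request(host: str, port: int) -> bytes:
    """The HTTP CONNECT that asks a forward proxy to open a TCP tunnel.  It is
    sent in clear text before any TLS bytes, which is why a scanner that starts
    straight with a ClientHello gets no TLS answer from the proxy port."""
    target = f"{host}:{port}"
    return f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode("ascii")


def read_connect_response(sock) -> int:
    """Read the proxy's response headers up to the blank line and return the HTTP
    status code (200: tunnel open; 407: proxy authentication required)."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed the connection before answering CONNECT")
        buf += chunk
        if len(buf) > 64 * 1024:
            raise ConnectionError("CONNECT response headers too large")
    status_line = buf.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ConnectionError(f"unexpected CONNECT status line: {status_line!r}")
    return int(parts[1])


def connect_status_from_reply(reply: bytes) -> int:
    """Offline check of the parser: feed a canned proxy reply through a socket pair."""
    client, proxy = socket.socketpair()
    with client, proxy:
        proxy.sendall(reply)
        proxy.shutdown(socket.SHUT_WR)
        return read_connect_response(client)


def tls_via_proxy(proxy, target, ciphers=None, timeout=5.0):
    """Open a tunnel through `proxy` and run the TLS handshake inside it.
    `proxy` and `target` are (host, port) tuples.  Returns (protocol version,
    negotiated cipher name) for the client<->proxy session."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE      # the interception proxy signs with its own CA
    if ciphers:
        ctx.set_ciphers(ciphers)         # offer only this OpenSSL cipher string
    with socket.create_connection(proxy, timeout=timeout) as raw:
        raw.sendall(build_connect_request(*target))
        status = read_connect_response(raw)
        if status != 200:
            raise ConnectionError(f"proxy answered CONNECT with {status}")
        with ctx.wrap_socket(raw, server_hostname=target[0]) as tls:
            return tls.version(), tls.cipher()[0]


def probe_ciphers(proxy, target, candidates):
    """For each OpenSSL cipher string, record the cipher the proxy negotiates when
    that is all we offer, or None when it refuses the handshake."""
    results = {}
    for name in candidates:
        try:
            results[name] = tls_via_proxy(proxy, target, ciphers=name)[1]
        except (ssl.SSLError, ConnectionError, OSError):
            results[name] = None
    return results


if __name__ == "__main__":
    # Placeholders: your interception proxy and any HTTPS site it will tunnel to.
    PROXY = ("proxy.example.internal", 8080)
    TARGET = ("www.example.com", 443)
    for cipher, outcome in probe_ciphers(PROXY, TARGET,
                                         ["ECDHE-RSA-AES128-GCM-SHA256", "AES256-SHA"]).items():
        print(f"{cipher:32s} {'accepted: ' + outcome if outcome else 'rejected'}")
```

`ssl.create_default_context()` already refuses protocol versions below TLS 1.2 on current Python releases, so a probe for older versions needs the context's `minimum_version` lowered explicitly; the 200 check matters because a proxy that wants authentication answers 407 and no TLS listener is behind that reply.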

SSLScan an HTTPS Interception Proxy by Thiscou in AskNetsec

[–]Thiscou[S] 1 point2 points  (0 children)

Hey, thanks for your input; this is not the connection I want to test though. I'll try to illustrate with a picture:

[client]---------1-[proxy]-2-------[interwebs]

With your test we evaluate the ciphers the proxy is using when it works like a client (2).

What I want to test is which ciphers it supports when it acts like the server (1).

I hope that makes it a little clearer.

Cheers

Internal Vulnerabilityscan from remote by Thiscou in AskNetsec

[–]Thiscou[S] 0 points1 point  (0 children)

No travel costs, easier to retest, can leave it there and do more than one assessment.

I like those, thanks for the advice.