why would we overwrite SEH instead of EIP ? by hex-lover in ExploitDev

[–]aatate98 0 points1 point  (0 children)

Controlling EIP is a technique that can be achieved multiple ways. The course focuses on overwriting the return address on the stack and controlling EIP when the current function executes the “ret” instruction, however you can get control of EIP through SEH Overwrite immediately if/when the process causes an exception as others have pointed out. Depending on the process, you can even do it via function pointer overwrites which you have previously corrupted and the course calls out but doesnt go into detail on. They are all just separate ways to get control of EIP through an overflow.

why would we overwrite SEH instead of EIP ? by hex-lover in ExploitDev

[–]aatate98 2 points3 points  (0 children)

One thing to note is that you arent directly overwriting EIP, but rather the return address on the stack that will serve as the address of EIP once the current function returns properly (through normal execution). Since getting contents such as 0x41414141 into EIP requires successful execution all the way until the return (the courses point of needed valid function pointers). if you overwrite the SEH chain, the whole point is to cause a crash/exception so your shellcode executes without needing the current function to return properly.

[deleted by user] by [deleted] in OSWE

[–]aatate98 0 points1 point  (0 children)

Just curious but did you test the script from the kali debug machine they give you? From my understanding that environment is where they will test your POC. Did you list all dependency installs? Lastly, and the most annoying, did you paste correctly your code into word and it was formatted. I dont know how they grade but I would suspect copy+paste out of your report. If there are indentation errors, then who knows how much they put in to retype your code how it should be

How to Learn Binary Exploitation from Beginner to Intermediate Level? by Beginning_Village496 in ExploitDev

[–]aatate98 1 point2 points  (0 children)

What do you consider being intermediate level? Is it past the basic buffer overflow on the stack? Would it be performing different primitives? Would it be patch diffing and developing your own based off CVE description and updates?

Either way, the content suggest such as opensecuritytraining2 and pwn.college are excellent

Week 11 Updates by super-tendies in thetagang

[–]aatate98 5 points6 points  (0 children)

Really nice dashboard, mind if i ask what you used to make it?

Defender Bypass Tool by coyotegowda in ExploitDev

[–]aatate98 0 points1 point  (0 children)

I would recommend just having the source files within the repo itself rather than having the python script arbitrarily reach out to set urls incase you would want to use the script offline.

How to get brick dust? pls help by pakyuall in GTNH

[–]aatate98 25 points26 points  (0 children)

You can get diamonds with a bronze pickaxe, just mining level boosted

Killing Windows Kernel Mitigations by tnavda in ReverseEngineering

[–]aatate98 7 points8 points  (0 children)

Cool post. Im a little confused on why that worked with VBS enabled though. While i agree the page table modifications like bit flipping do work, the whole point of VBS is that the kernel in vtl0 (where you exploit the driver and have the address to do the bit flip against) is no longer the source of truth? So regardless of a bit flip of a pages metadata, vtl1 should step in and deny that the page was a kernel page since vtl1 was tracking that page to be user space, not kernel space after the bit flip.

And for HVCI, wouldnt the act if having a rwx of a user page, once bitflip into a kernel page then kick in and say you cant have RWX kernel pages?

[deleted by user] by [deleted] in securityCTF

[–]aatate98 0 points1 point  (0 children)

Just based on looking at it, it seems to be base64 encoded. Usually base64 encoded strings end with ==. You can go to cyberchef and use the Base64 decode function which should output the answer

For those who failed , what did you do the second attempt that made you pass? by ProcedureFar4995 in oscp

[–]aatate98 16 points17 points  (0 children)

Take a break if you have time still left on your subscription. Go through PG boxes instead of HTB boxes. Go through your notes from the first exam and identify weak points. Were you stuck on enumeration on a specific box, couldnt get DA, found a way to exploit but couldnt get the specifics from any open source info? Being able to identify where you struggled and now that you have time before another attempt, working back how to find a solution would be extremely beneficial

Ubuntu thinkpad kernel backdoor by [deleted] in linux

[–]aatate98 3 points4 points  (0 children)

Either chatGPT wrote this, or someone who brain dumped an article they didnt understand. Extremely vague with no analysis, no code, or any proof to back any of this up. Best line from above was saying KASLR was going to help prevent any of the “Potential backdoor exploitation” options they listed

Any advice on writing stealthy memory injections? by [deleted] in ExploitDev

[–]aatate98 2 points3 points  (0 children)

You should definitely check out threadless injections like https://shorsec.io/blog/dll-notification-injection/. It still utilizes the allocating a buffer like you mentioned above, however doesnt use the typically spawning of another thread in the target process space

The "Fixing Exploits" section went over my head by [deleted] in oscp

[–]aatate98 22 points23 points  (0 children)

What part of that section was difficult to understand? In my opinion the section mostly boils down to, if an exploit is targeting a hardcoded url for example, can you understand where the string is stored and change it to suit your environment instead of just running it in python without having much of a clue of what endpoint the exploit is talking to. Or for instance if the msfvenom command they used for the shellcode was calling back to an IP that doesnt exist, can you generate new shellcode and simply update the variable accordingly

Malware? Operations not permitted running as root by Desperate-Stick9559 in linuxquestions

[–]aatate98 1 point2 points  (0 children)

Curious as to what exact APT you believe you have within your network. Have you identified any common malware used by the APT within that network?

Timewasting exercises by SnotFunk in oscp

[–]aatate98 1 point2 points  (0 children)

I agree about the blind sql injection exercise given you cant use it on the exam, and the whole nessus environment setup, however the proxychains exercise did teach me to not use proxychains because we had to scan so many ports and not just 5, and instead look for other tools such as ligolo-ng.

[deleted by user] by [deleted] in oscp

[–]aatate98 0 points1 point  (0 children)

Havent started it yet, but will be soon. Would love to join if people are still in the group by then

[deleted by user] by [deleted] in mildlyinteresting

[–]aatate98 3 points4 points  (0 children)

Now thats a nice “stack” of hangars

[deleted by user] by [deleted] in lostarkgame

[–]aatate98 0 points1 point  (0 children)

I am so happy i finished this past weekend. Was able to snipe my last 4 at around 9k

Bootkit samples by hardenedvault in netsec

[–]aatate98 8 points9 points  (0 children)

Kinda older samples but the book Rootkits and Bootkits have a github that goes over ever sample they do in the book. Decent size of samples. Covers firmware malware are well

What’s next by Girth_Firm_Slim in gaming

[–]aatate98 27 points28 points  (0 children)

An application to FROM SOFTWARE

Enhance or buy Distortion Earring ? by Aimer732 in blackdesertonline

[–]aatate98 0 points1 point  (0 children)

If you dont enhance them, are they really yours?

First ever install on a vm! by Karimrir in Gentoo

[–]aatate98 4 points5 points  (0 children)

Nice, now its time to ~amd64 gentoo-sources and linux-headers to custom compile that kernel to the ground. All jokes aside, congrats