AWAE / OSWE – Journey

Here comes the journey part. Some people, including myself, like a journey/story since it shows how and why the author started it, the challenges, and the issues and situations that could be faced by others too. For the author, it can be a source of motivation and a great flashback in the future. TLDR; this …

AWAE / OSWE – 5W1H

WHAT: Advanced Web Attacks and Exploitation (AWAE) is a security course from Offensive Security that focuses on advanced web application security. The course content focuses more on the white-box approach to web application penetration testing, with a bit of the black-box approach. The student will spend most of the time understanding the underlying source code and debugging the …

ROP Emporium – Fluff

Fluff 32 Bit Overall, the objective is still the same as in write4, but in this binary the available ROP gadgets are limited. We need to find a ROP chain that achieves the objective. First, let’s find the EIP offset using Radare2.

The EIP offset is 44. Find the writable memory section using the readelf command.

The .data section is writable. …

ROP Emporium – Badchars

Badchars 32 Bit Overall, the objective is still the same: write the “/bin/sh” string into memory and then execute the system command with the “/bin/sh” string as the argument, but in this challenge we need to handle the badchars (bad characters). Badchars are any character(s) that can terminate our crafted payload, such as the null character (“\x00”), carriage return (“\x0D”), newline (“\x0A”), etc. So we need to make …

ROP Emporium – Write4

Write4 32 Bit In this challenge, there is no longer a “/bin/cat flag.txt” string that can be used to get the flag. We can either write that string or a “/bin/sh” string into memory to get a shell. The steps to achieve it are: 1. Find the writable memory section inside the binary. 2. Find the …

ROP Emporium – Callme

Callme 32 Bit In this challenge, we need to execute the callme_one(), callme_two() and callme_three() functions sequentially, in that order. Each function must be called with the arguments 1, 2, 3, e.g. callme_one(1,2,3), to get the flag. Let’s find the EIP offset using Radare2.

The EIP offset is 44. Let’s find the callme_one, callme_two, and callme_three function addresses using objdump.

ROP Emporium – Split

Split 32 Bit In this challenge, the ret2win function is split into a system call and a “/bin/cat flag.txt” string. The objective is to use ROP gadgets to execute the system call with the “/bin/cat flag.txt” string as the argument. Let’s find the EIP offset using Radare2.

The EIP offset is 44. Find the system@plt address using the objdump command. …

ROP Emporium – Ret2Win

Ret2Win 32 Bit In this challenge, we need to redirect the program flow to the ret2win address. This can be achieved by overwriting EIP (the Instruction Pointer) with the ret2win address. This challenge can be done using a simple echo command or pwntools. I use Radare2 and pwntools to solve this challenge. First things first, let’s …

PentesterLab Intro-Unix-Essential Badge

So far I have completed three badges from PentesterLab: the Introduction, Unix, and Essential badges. Introduction Badge As you can guess from the name, this badge is an introduction to how the exercises work in PentesterLab. This badge consists of four exercises on how to submit a key to complete an exercise, how to find …