ROP Emporium – Fluff

Fluff 32 Bit
Overall the objective is still the same as write4, but in this binary the available ROP gadgets are limited. We need to find a ROP chain that still achieves the objective. First, let’s find the EIP offset using Radare2.

The EIP offset is 44. Find the writable memory section using the readelf command.

The .data section is writable. …

ROP Emporium – Badchars

Badchars 32 Bit
Overall the objective is still the same: write the “/bin/sh” string into memory and then execute the system command with “/bin/sh” as the argument, but in this challenge we need to handle the badchars (bad characters). Bad characters are any characters that can terminate our crafted payload, such as the null byte (“\x00”), carriage return (“\x0D”), newline (“\x0A”), etc. So we need to make …

ROP Emporium – Write4

Write4 32 Bit
In this challenge, there is no longer a “/bin/cat flag.txt” string that can be used to get the flag. We can either write that string or a “/bin/sh” string into memory to get a shell. The steps to achieve this are: 1. Find the writable memory section inside the binary. 2. Find the …

ROP Emporium – Callme

Callme 32 Bit
In this challenge, we need to execute the callme_one(), callme_two() and callme_three() functions sequentially in that order. Each function must be called with the arguments 1, 2, 3, e.g. callme_one(1,2,3), to get the flag. Let’s find the EIP offset using Radare2.

The EIP offset is 44. Let’s find the callme_one, callme_two, and callme_three function addresses using objdump.

ROP Emporium – Split

Split 32 Bit
In this challenge, the ret2win function is split into a system call and a “/bin/cat flag.txt” string. The objective is to use ROP gadgets to execute the system call with the “/bin/cat flag.txt” string as its argument. Let’s find the EIP offset using Radare2.

The EIP offset is 44. Find the system@plt address using the objdump command. …

ROP Emporium – Ret2Win

Ret2Win 32 Bit
In this challenge, we need to redirect the program flow to execute the ret2win function. This can be achieved by overwriting EIP (the instruction pointer) with the ret2win address. This challenge can be done using a simple echo command or pwntools. I use Radare2 and pwntools to solve this challenge. First things first, let’s …

PentesterLab Intro-Unix-Essential Badge

So far I have completed three badges from PentesterLab: the Introduction, Unix, and Essential badges.
Introduction Badge
As you can guess from the name, this badge is an introduction to how the exercises work in PentesterLab. This badge consists of four exercises on how to submit a key to complete an exercise, how to find …

PentesterLab Introduction

After completing OSCP, I went back to HackTheBox. Overall, HackTheBox is fun even though the majority of the challenges are CTF-ish. There are some challenges/machines that have real-world scenarios, such as Endgame, Active and Reel, which are pretty good places to learn. Besides playing CTF, I think I also need to balance it with learning …

OSCP Journey – Seventh Week (Exam)

Date: 12 August – 18 August 2018
Amazing week! My exam was scheduled for Wednesday, 15 August 2018, 15:00 (Asia/Jakarta). One day before the exam, I took a rest from exploiting any machines and just made sure all the scripts, tools, notes and provisions were ready to use. I also prepared a contingency plan, such as a second …

OSCP Journey – Sixth Week

Date: 05 August – 11 August 2018 PDF: 380/380 Videos: 149/149 Exercises: 42/42 Exploited Machines: 53 (Alice, Alpha, Barry, Beta, Bethany, Bob, Brett, Carol, Carrie, Core, Cory, DJ, Dotty, FC4, Gamma, Gh0st, Helpdesk, Hotline, Humble, Internal, JD, Jack, James, Jeff, Joe, John, Kevin, Kraken, Leftturn, Luigi, Mail, Mario, Master, Mike, Niky, Nina, Observer, Oracle, Pain, …