Posts on Linxz' Blog

Xorg LPE CVE 2018-14665

On October 25th 2018 a post was made on SecurityTracker disclosing CVE 2018-14665. The interesting thing is this CVE has two bugs in two different arguments. The first is a flaw in the -modulepath argument which could lead to arbitrary code execution. The second was a flaw in the -logfile argument which could allow arbitrary files to be deleted from the system. Both of these issues were caused by poor command line validation.

HackTheBox - Legacy Writeup

Introduction This is a writeup for the machine "Legacy" (10.10.10.4) on the platform HackTheBox. HackTheBox is a penetration testing labs platform so aspiring pen-testers & pen-testers can practice their hacking skills in a variety of different scenarios. Enumeration NMAP The first thing we're going to do is run an NMAP scan using the following command nmap -sV -sC -Pn -oX /tmp/webmap/legacy.xml 10.10.10.4 if you're wondering about the last flag -oX that is allowing me to output the report into an XML format, this is because I use webmap (as you can see in the /tmp/webmap) which is an awesome tool that allows me some visual aids for a box/network!

HackTheBox - Lame Writeup

Introduction This is a writeup for the machine "Lame" (10.10.10.3) on the platform HackTheBox. HackTheBox is a penetration testing labs platform so aspiring pen-testers & pen-testers can practice their hacking skills in a variety of different scenarios. Enumeration NMAP The first thing we're going to do is run an NMAP scan using the following command nmap -sV -sC -Pn -oX /tmp/webmap/lame.xml 10.10.10.3 if you're wondering about the last flag -oX that is allowing me to output the report into an XML format, this is because I use webmap (as you can see in the /tmp/webmap) which is an awesome tool that allows me some visual aids for a box/network!

HackTheBox - Devel Writeup

Introduction This is a writeup for the machine "Devel" (10.10.10.5) on the platform HackTheBox. HackTheBox is a penetration testing labs platform so aspiring pen-testers & pen-testers can practice their hacking skills in a variety of different scenarios. Enumeration NMAP As usual we're going to start off with our two nmap scans, a full TCP scan using nmap -sV -sC -p- 10.10.10.5 and nmap -sU -p- 10.10.10.5. In this case, only TCP returned open ports, so we're going to look at that now.

HackTheBox - Cronos Writeup

Introduction This is a writeup for the machine "Cronos" (10.10.10.13) on the platform HackTheBox. HackTheBox is a penetration testing labs platform so aspiring pen-testers & pen-testers can practice their hacking skills in a variety of different scenarios. Enumeration NMAP Let's start off with our two nmap scans, a full TCP & a full UDP. In this case only our TCP scan returned any results so we're only going to analyse the output of the TCP scan.

HackTheBox - Bashed Writeup

Introduction This is a writeup for the machine "Bashed" (10.10.10.68) on the platform HackTheBox. HackTheBox is a penetration testing labs platform so aspiring pen-testers & pen-testers can practice their hacking skills in a variety of different scenarios. Enumeration NMAP We start off with our two nmap scans, TCP & UDP; however, in this box's case we only got information returned on TCP so we will only analyse the output for the TCP scan in this post.

HackTheBox - Beep Writeup

Introduction This is a writeup for the machine "Beep" (10.10.10.7) on the platform HackTheBox. HackTheBox is a penetration testing labs platform so aspiring pen-testers & pen-testers can practice their hacking skills in a variety of different scenarios. Enumeration NMAP As always we start off with our full TCP port scan using NMAP - this box is running quite a lot of services but don't let that scare you! We follow the same enumeration process so let's not worry that it's any different just because there are more ports!

HackTheBox - Sunday Writeup

Introduction This is a writeup for the machine "Sunday" (10.10.10.76) on the platform HackTheBox. HackTheBox is a penetration testing labs platform so aspiring pen-testers & pen-testers can practice their hacking skills in a variety of different scenarios. Enumeration NMAP We'll start off with our usual full port nmap scan to see what kinda' stuff is running on the box. I did also run a UDP scan too like usual, however again in this case nothing was running on UDP.

OSCP Experience

OSCP Experience At the time of writing I just passed my OSCP and I thought I would follow the trend and make a blog post about my experience with both the exam and the course. Disclaimer: this post is old. The OSCP has undergone many updates since I took it, please keep that in mind. PWK Experience I originally was going to purchase 60 days; however, in the end I decided to purchase 30 days.

BAE x BSides Chelt CTF

Introduction BAE hosted a CTF the day before BSides Cheltenham. I played with my friends. There was a crypto challenge which I saw a number of people struggling with. The challenge only got three solves in total, and I was the first to solve it, so I thought I'd make a writeup of how I did it. The Challenge The challenge was reminiscent of the ECB penguin problem in the sense that we had two picture files in .

Analysis of CVE-2017-12561

In this post I am going to perform root-cause analysis of a bug reported by Steven Seeley in HP iMC 7.3 E0504P04, specifically in the "dbman" service. Steven found a Use-After-Free condition in opcode 10012. I was given this task as a challenge and I had a lot of fun. I was not totally comfortable with heap-type bugs so it was a really nice challenge to learn more about the heap.

HackTheBox - Jeeves Writeup

19 September 2021 at 00:00
Getting Started This challenge is pretty easy but I just thought I'd explain it in a blog post real quick since I started doing some of the HTB pwn challenges. Reverse Engineering The challenge itself is just a simple gets() buffer overflow. As you can see in the code below, it takes our name via a gets() call. printf("Hello, good sir!\nMay I have your name? "); gets(input_buffer); printf("Hello %s, hope you have a good day!

Automatic Reference Counting

19 September 2021 at 00:00
I was bored so I decided to make a blog post on what "Automatic Reference Counting" (ARC) is and, more importantly, how it can act as a mitigation for Use-After-Free vulnerabilities, as well as other heap-based memory management bugs such as memory leaks. Introduction Most of you will have probably heard of garbage collection, most likely in the context of Java. Someone might have said to you before "Java garbage collection is horrible".

Setting up PwnDbg with Ghidra

25 September 2021 at 00:00
If you're like me and more used to Windows tooling (even if you have Linux experience) it is a little difficult to set up some of this more complicated Rizin tooling. So, I thought I would make a quick guide about setting up Pwndbg with Ghidra. As a WinDbg user, despite having used gdb before, it has a lot of quirks. Quirks which are as easy to get used to as quirks that exist in WinDbg.

PaX - structleak

I am rather fascinated with exploit mitigations, especially ones by PaX. When I first started out in security I came to learn of PaX quite quickly, and since moving into the binary exploitation space the desire to understand more about how these mitigations are created and how they work has greatly increased. In light of that, today I am going to look into "STRUCTLEAK". Introduction STRUCTLEAK is a GCC plugin created by the PaX team; their decision to make such a plugin was prompted by CVE-2013-2141 (more on this CVE shortly).

Supervisor Mode Execution Prevention

Supervisor Mode Execution Prevention is a CPU security feature which aims to prevent execution of untrusted memory while operating at a greater privilege level. In short, it traps attempts by so-called "ring0" (kernelspace) code to execute code located in "ring3" (userspace) memory. History SMEP was first introduced in 2011 by Intel on the Ivy Bridge architecture. It was designed in order to address classes of Local Privilege Escalation (LPE), sometimes also known as Escalation of Privilege (EoP), attacks.

Analysis of a VMWare Guest-to-Host Escape from Pwn2Own 2017

This vulnerability was found by Keen Security Lab, which they showed at Pwn2Own 2017. Unfortunately, because the bug was silently patched by VMWare in 12.5.3, no CVE number was assigned, even though the vulnerability leads to remote code execution. Summary The vulnerability affects the Drag n Drop functionality of VMWare Workstation Pro before 12.5.3. This feature allows users to copy files from the host to the guest. However, due to a few insecure backdoor calls over an RPC interface, a Use-After-Free is present.

HackSys Extreme Vulnerable Driver 3 - Stack Overflow + SMEP Bypass

This post is a writeup of a simple Stack Buffer Overflow in HackSys Extreme Vulnerable Driver - we assume that you already have an environment set up to follow along. However, if you don't have an environment set up, in this post we use: Windows 10 Pro x64 RS1, HEVD 3.00. If you are not sure how to set up a kernel debugging environment you can find plenty of posts on the process online; we will not cover the process in this post.

HackSys Extreme Vulnerable Driver 3 - Double Fetch

This post is a writeup of a Double Fetch in HackSys Extreme Vulnerable Driver - we assume that you already have an environment set up to follow along. However, if you don't have an environment set up, in this post we use: Windows 10 Pro x64 RS1, HEVD 3.00. If you are not sure how to set up a kernel debugging environment you can find plenty of posts on the process online; we will not cover the process in this post.