Posts on Linxz' Blog

HackSys Extreme Vulnerable Driver 3 - Stack Overflow + SMEP Bypass

By: [email protected] (Linxz)
This post is a writeup of a simple Stack Buffer Overflow in HackSys Extreme Vulnerable Driver. We assume that you already have an environment set up to follow along. However, if you don’t have an environment set up: in this post we use Windows 10 Pro x64 RS1 and HEVD 3.00. If you are not sure how to set up a kernel debugging environment you can find plenty of posts on the process online; we will not cover the process in this post.

Analysis of a VMWare Guest-to-Host Escape from Pwn2Own 2017

By: [email protected] (Linxz)
This vulnerability was found by Keen Security Lab, which they showed at Pwn2Own 2017. Unfortunately, because the bug was silently patched by VMWare in 12.5.3, no CVE number was assigned, even though the vulnerability leads to remote code execution. Summary The vulnerability affects the Drag n Drop functionality of VMWare Workstation Pro before 12.5.3. This feature allows users to copy files from the host to the guest. However, due to a few insecure backdoor calls over an RPC interface, a Use-After-Free is present.

Supervisor Mode Execution Prevention

By: [email protected] (Linxz)
Supervisor Mode Execution Prevention is a CPU security feature which aims to prevent execution of untrusted memory while operating at a greater privilege level. In short, it detects so-called “ring0” (kernelspace) code that is running in “ring3” (userspace). History SMEP was first introduced in 2011 by Intel on the Ivy Bridge Architecture. It was designed in order to address classes of Local Privilege Escalation (LPE) attacks, sometimes also known as Escalation of Privilege (EoP) attacks.

PaX - structleak

By: [email protected] (Linxz)
I am rather fascinated with exploit mitigations, especially ones by PaX. When I first started out in security I came to learn of PaX quite quickly, and since moving into the binary exploitation space the desire to understand more about how these mitigations are created and how they work has greatly increased. In light of that, today I am going to look into “STRUCTLEAK”. Introduction STRUCTLEAK is a GCC plugin created by the PaX team; their decision to make such a plugin was prompted by CVE-2013-2141 (more on this CVE shortly).

Setting up PwnDbg with Ghidra

By: [email protected] (Linxz)
If you’re like me and more used to Windows tooling (even if you have Linux experience) it is a little difficult to set up some of this more complicated Rizin tooling. So, I thought I would make a quick guide about setting up Pwndbg with Ghidra. As a WinDbg user, despite having used gdb before, it has a lot of quirks. Quirks which are as easy to get used to as the quirks that exist in WinDbg.

Automatic Reference Counting

By: [email protected] (Linxz)
I was bored so I decided to make a blog post on what “Automatic Reference Counting” (ARC) is and, more importantly, how it can act as a mitigation for Use-After-Free vulnerabilities, as well as other heap-based memory management bugs such as memory leaks. Introduction Most of you will have probably heard of garbage collection, most likely in the context of Java. Someone might have said to you before “Java garbage collection is horrible”.

HackTheBox - Jeeves Writeup

By: [email protected] (Linxz)
Getting Started This challenge is pretty easy but I just thought I’d explain it in a blog post real quick since I started doing some of the HTB pwn challenges. Reverse Engineering The challenge itself is just a simple gets() buffer overflow. As you can see in the code below, it takes our name via a gets() call. printf("Hello, good sir!\nMay I have your name? "); gets(input_buffer); printf("Hello %s, hope you have a good day!

Analysis of CVE-2017-12561

By: [email protected] (Linxz)
In this post I am going to perform root-cause analysis of a bug reported by Steven Seeley in HP iMC 7.3 E0504P04, specifically in the “dbman” service. Steven found a Use-After-Free condition in opcode 10012. I was given this task as a challenge and I had a lot of fun. I was not totally comfortable with heap-type bugs so it was a really nice challenge to learn more about the heap.

Introduction

By: [email protected] (Linxz)
The purpose of this blog is for any general hacking content such as CTF writeups, things I find interesting, etc. Feel free to check out my other blogs in the about section, or use the links provided at the top (or bottom) of the page.

BAE x BSides Chelt CTF

By: [email protected] (Linxz)
Introduction BAE hosted a CTF the day before BSides Cheltenham. I played with my friends. There was a crypto challenge which I saw a number of people struggling with. The challenge only got three solves in total, and I was the first to solve it, so I thought I’d make a writeup of how I did it. The Challenge The challenge was reminiscent of the ECB penguin problem in the sense that we had two picture files in .

OSCP Experience

By: [email protected] (Linxz)
OSCP Experience At the time of writing I just passed my OSCP and I thought I would follow the trend and make a blog post about my experience with both the exam and the course. Disclaimer: this post is old. The OSCP has undergone many updates since I took it, please keep that in mind. PWK Experience I originally was going to purchase 60 days; however, in the end I decided to purchase 30 days.

HackTheBox - Sunday Writeup

By: [email protected] (Linxz)
Introduction This is a writeup for the machine “Sunday” (10.10.10.76) on the platform HackTheBox. HackTheBox is a penetration testing labs platform so aspiring pen-testers & pen-testers can practice their hacking skills in a variety of different scenarios. Enumeration NMAP We’ll start off with our usual full port nmap scan to see what kinda’ stuff is running on the box. I did also run a UDP scan as usual; however, again in this case nothing was running on UDP.

HackTheBox - Beep Writeup

By: [email protected] (Linxz)
Introduction This is a writeup for the machine “Beep” (10.10.10.7) on the platform HackTheBox. HackTheBox is a penetration testing labs platform so aspiring pen-testers & pen-testers can practice their hacking skills in a variety of different scenarios. Enumeration NMAP As always we start off with our full TCP port scan using NMAP. This box is running quite a lot of services, but don’t let that scare you! We follow the same enumeration process, so let’s not worry that it’s any different just because there are more ports!

HackTheBox - Bashed Writeup

By: [email protected] (Linxz)
Introduction This is a writeup for the machine “Bashed” (10.10.10.68) on the platform HackTheBox. HackTheBox is a penetration testing labs platform so aspiring pen-testers & pen-testers can practice their hacking skills in a variety of different scenarios. Enumeration NMAP We start off with our two nmap scans, TCP & UDP; however, in this box’s case we only got information returned on TCP, so we will only analyse the output for the TCP scan in this post.

HackTheBox - Cronos Writeup

By: [email protected] (Linxz)
Introduction This is a writeup for the machine “Cronos” (10.10.10.13) on the platform HackTheBox. HackTheBox is a penetration testing labs platform so aspiring pen-testers & pen-testers can practice their hacking skills in a variety of different scenarios. Enumeration NMAP Let’s start off with our two nmap scans, a full TCP & a full UDP. In this case only our TCP scan returned any results, so we’re only going to analyse the output of the TCP scan.

HackTheBox - Devel Writeup

By: [email protected] (Linxz)
Introduction This is a writeup for the machine “Devel” (10.10.10.5) on the platform HackTheBox. HackTheBox is a penetration testing labs platform so aspiring pen-testers & pen-testers can practice their hacking skills in a variety of different scenarios. Enumeration NMAP As usual we’re going to start off with our two nmap scans: a full TCP scan using nmap -sV -sC -p- 10.10.10.5 and a full UDP scan using nmap -sU -p- 10.10.10.5. In this case, we only got ports open on TCP, so we’re going to look at that now.

HackTheBox - Lame Writeup

By: [email protected] (Linxz)
Introduction This is a writeup for the machine “Lame” (10.10.10.3) on the platform HackTheBox. HackTheBox is a penetration testing labs platform so aspiring pen-testers & pen-testers can practice their hacking skills in a variety of different scenarios. Enumeration NMAP The first thing we’re going to do is run an NMAP scan using the following command: nmap -sV -sC -Pn -oX /tmp/webmap/lame.xml 10.10.10.3. If you’re wondering about the last flag, -oX, that allows me to output the report in XML format; this is because I use webmap (as you can see in the /tmp/webmap path), which is an awesome tool that gives me some visual aids for a box/network!

HackTheBox - Legacy Writeup

By: [email protected] (Linxz)
Introduction This is a writeup for the machine “Legacy” (10.10.10.4) on the platform HackTheBox. HackTheBox is a penetration testing labs platform so aspiring pen-testers & pen-testers can practice their hacking skills in a variety of different scenarios. Enumeration NMAP The first thing we’re going to do is run an NMAP scan using the following command: nmap -sV -sC -Pn -oX /tmp/webmap/legacy.xml 10.10.10.4. If you’re wondering about the last flag, -oX, that allows me to output the report in XML format; this is because I use webmap (as you can see in the /tmp/webmap path), which is an awesome tool that gives me some visual aids for a box/network!

Xorg LPE CVE 2018-14665

By: [email protected] (Linxz)
On October 25th 2018 a post was made on SecurityTracker disclosing CVE 2018-14665. The interesting thing is this CVE has two bugs in two different arguments. The first is a flaw in the -modulepath argument which could lead to arbitrary code execution. The second was a flaw in the -logfile argument which could allow arbitrary files to be deleted from the system. Both of these issues were caused by poor command line validation.