Windows Kernel Exploitation - VM Setup
In this series about Windows kernel exploitation, we will explore various kernel exploit techniques & targets. This topic is mainly something I studied to prepare for AWE. This short first part...
In the last post we explored how to exploit the rainbow2.exe binary from the vulnbins repository using WriteProcessMemory & the “skeleton” method. Now we are going to explore how to use Virtual...
Intro In this post I will show an example of how to bypass DEP with WriteProcessMemory. This is a bit more complicated than doing it with VirtualProtect but nonetheless an interesting technical ch...
We are solving Anubis, a 50-point Windows machine on HackTheBox which involves an ASP template injection, Windows containers, and stealing hashes with Responder. Later we’ll escalate privileges usi...
We are solving Forge, a medium difficulty Linux machine on HackTheBox which involves an SSRF & playing with the Python debugger. Notes Indirect SSRF <?php header("Location: http://admi...
Baby is an easy machine on Vulnlab that involves enumerating LDAP & spraying credentials. For SYSTEM we exploit SeBackup & SeRestore Privileges. The initial port scan shows the following p...
Rainbow is a medium difficulty machine that involves a SEH-based buffer overflow for user and a UAC bypass for root. User PORT STATE SERVICE 21/tcp open ftp 80/tcp open http 135/tcp op...
We are going to solve Developer, a pretty hard Linux machine on HackTheBox. It involves Cross-Site-Scripting, Tab Nabbing & reversing a Rust binary. XSS Trigger jaVasCript:/*-/*`/*\`/*'/*"...
I always had difficulties understanding what Silver Tickets are and how they are used. Maybe this comes from the fact that they are rarely seen in labs. They can be really powerful though, so I’ll ...
We are solving Previse, an easy Linux machine on HackTheBox that involves a Command Injection Path Hijacking.