Bypassing DEP with WriteProcessMemory (x86)
Intro In this post I will show an example on how to bypass DEP with WriteProcessMemory. This is a bit more complicated than doing it with VirtualProtect but nonetheless an interesting technical ch...
We are solving Anubis, a 50-point Windows machine on HackTheBox which involves an ASP template injection, Windows containers, and stealing hashes with Responder. Later we’ll escalate privileges usi...
We are solving Forge, a medium difficulty Linux machine on HackTheBox which involves an SSRF & playing with the python debugger. Notes Indirect SSRF <?php header("Location: http://admi...
Baby is an easy machine on Vulnlab that involves enumerating LDAP & spraying credentials. For SYSTEM we exploit SeBackup & SeRestore Privileges. The initial port scan shows the following p...
Rainbow is a medium difficulty machine that involves a SEH-based buffer overflow for user and a UAC bypass for root. User PORT STATE SERVICE 21/tcp open ftp 80/tcp open http 135/tcp op...
We are going to solve Developer, a pretty hard Linux machine on HackTheBox. It involves Cross-Site Scripting, Tab Nabbing & reversing a Rust binary. XSS Trigger jaVasCript:/*-/*`/*\`/*'/*"...
I always had difficulties understanding what Silver Tickets are and how they are used. Maybe this comes from the fact that they are rarely seen in labs. They can be really powerful though, so I’ll ...
We are solving Previse, an easy Linux machine on HackTheBox that involves a Command Injection Path Hijacking.
This is a short walkthrough on Lustrous, a chain consisting of 2 machines on Vulnlab. The main lesson on this chain is to demonstrate how silver tickets can be used with service accounts in an Activ...
Background On December 10th, 2021 the Log4Shell vulnerability, a “0-day” exploit in log4j2 appeared on Twitter. In this post, we will explore how to exploit it with LDAP in a lab environment. In o...