Security

Exploiting Programs That Keep Storing Sensitive Information in Memory

Security, Vulnerabilities
Introduction

While studying for Offensive Security's Cracking the Perimeter back in 2018, I encountered proof-of-concept exploits relating to the recovery of sensitive information from memory. A popular tool that does this on Windows is mimikatz; however, this article will focus on vulnerabilities in third-party applications rather than on what mimikatz targets. This type of vulnerability is described by CWE-316: Cleartext Storage of Sensitive Information in Memory, and you may be surprised at how many applications are still vulnerable to this type of issue.

Looking more into the vulnerability

Before I even bothered to discover the same type of vulnerability in other applications, I tried to check out what programs were already disc...
Offensive Security Certified Expert (OSCE) Experience

Penetration Testing, Security
Offensive Security's CTP (Cracking the Perimeter) is a more advanced penetration testing course leading to the Offensive Security Certified Expert (OSCE) certification if the 48-hour exam is cleared. The course is offered similarly to how Penetration Testing with Kali (PWK), leading to the Offensive Security Certified Professional (OSCP), is set up. The difference, however, is that PWK gives a student access to a corporate network where one works his/her way into each machine through various techniques, while CTP concentrates more on discovering unknown vulnerabilities. To make the story short, PWK-OSCP's outcome is a student being able to do practical penetration testing through methods ranging from information gathering up to post-exploitation, while CTP-OSCE's ...
Hacking the Dutch Government – Responsible Disclosure

Security, Vulnerabilities
... and all I got was a lousy t-shirt

The Dutch Government ("Rijksoverheid") has a responsible disclosure program where, if you manage to find a vulnerability in one of their systems, they reward you with a shirt bearing a small logo of their National Cyber Security Centre (NCSC) together with the text "I hacked the Dutch Government and all I got was this lousy t-shirt". Quite humorous, eh? So, visiting one of their websites, I managed to find a CHANGELOG.txt, a file commonly left behind when an administrator installs software and doesn't clean up afterwards. This CHANGELOG.txt shows critical information. Seeing that the installed Drupal version is 7.43 (which is already outdated), one might think that this should be vulnerable to CVE-2018-7600 or "Drupalgeddon", a vulnerability that ...
Shellcode Crypter – Linux/x86

Security
A "crypter" is interesting because it scrambles a shellcode with an encryption algorithm so that it can evade signature matching. This is why "crypters" are advantageous in penetration testing engagements, but for this article I'll show how a basic "crypter" can work. The first requirement is a shellcode to encrypt. I'll be using an execve shellcode which executes /bin/sh in this case:

\x31\xc0\x50\x50\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\x64\x24\x0c\x89\xe3\x8d\x4c\x24\x0c\x8b\x54\x24\x10\xb0\x0b\xcd\x80

This shellcode is based on the following NASM program:

global _start

section .text
_start:
    xor eax, eax
    push eax
    push eax
    push eax
    push "//sh"
    push "/bin"
    mov dword [esp + 12], esp
    mov ebx, esp
    lea ecx, [esp ...
Custom Shellcode Encoder – X+1 XOR 0xAA (Linux/x86)

Security
Encoders are useful in cases where the application being exploited restricts certain characters. Popular encoders such as shikata_ga_nai and many more can be found in Metasploit. To demonstrate how encoders work, I've created a very basic encoder which adds 1 to each shellcode byte and XORs the result with 0xAA. The formula goes something like this:

(X + 1) xor 0xAA = Y, where X is a byte of the shellcode and Y is the encoded byte

Y can then be transformed back to X using the formula:

(Y xor 0xAA) - 1 = X, where Y is the encoded byte and X is the original shellcode byte

To do this, suppose we have an execve NASM program that runs /bin/sh:

global _start

section .text
_start:
    xor eax, eax
    push eax
    push eax
    push eax
    push ...