When a Py/JS Brain Writes C++: A Bug Story

TL;DR After two weeks or so of writing in high-level programming languages such as JS and Python, my brain adapted to a similar coding style when switching back to C++, which eventually led me to write buggy (UAF-prone) code due to the nature of the language. If you’re interested in the technical details, stick around! The Bug Discovery: While inspecting DBGView logs I noticed an empty string [2]. If you pay attention to the check before printing that value, it seems impossible that the program would behave like that; but here we go!

Master Your Craft - Tavis Ormandy Analysis on The CrowdStrike Incident

Updated 08/07/2024 I received a lot of criticism suggesting I was trying to prove Tavis Ormandy wrong, which is not true. In fact, my entire video and post aim to delve into and support what Tavis explained. This post discusses how Tavis Ormandy called out misinformation spreading on Twitter. When I referred to “the author of the tweet,” I meant the person whose tweet Tavis was highlighting. Tavis is well respected in the industry, and I have always expressed my respect and admiration for his work.

Think Offensive - Leverage OSQuery for Discovery and Enumeration

This post has been ported from Darkwaves InfoSec blog. TL;DR The purpose of this post is to explain how to leverage Osquery to perform enumeration and discovery of a system without relying on Living Off the Land Binaries (LOLBins) such as net, sc, and schtasks. These tools are commonly monitored in enforced environments and used for enumerating users, services, and tasks on Windows machines. While the post will focus on Windows machines, as they are still the mainstream in the industry, the methods described in this post can be easily translated to other platforms.

Expanding Our WinDBG Arsenal - Handleex Extension

This post has been ported from Darkwaves InfoSec blog. Introduction: When it comes to dynamic analysis on Windows, WinDBG is our option of choice. The debugger provides several built-in extensions such as analyze, heap and gle, and allows extensibility by creating extensions in several programming languages. During an engagement for a client, a need emerged to retrieve the filename associated with a file handle, all of that from within userland.

A Brief Dive Into Windows Structured Exception Handling

When it comes to handling exceptions in programming, we are all familiar with try/catch and its other syntactic-sugar variants. For example, below is a divide-by-zero error raised as an exception in Python. PS C:\Users\tahai\code\blog> python Python 3.6.4 (v3.6.4:d48eceb, Dec 19 2017, 06:54:40) [MSC v.1900 64 bit (AMD64)] on win32 Type "help", "copyright", "credits" or "license" for more information. >>> d = 9 // 0 Traceback (most recent call last): File "<stdin>", line 1, in <module> ZeroDivisionError: integer division or modulo by zero >>> The exception is called ZeroDivisionError; in this case we didn’t catch the error, but the system did it for us.

Alternative to JMP ESP Instruction

When it comes to a vanilla buffer overflow, the JMP ESP instruction is the one you look for once you have control over the EIP register. Now let’s assume that DEP is not enabled and that, due to ASLR and/or bad characters contained in the JMP ESP addresses, those addresses are impossible to use. We can look for the following assembly instructions instead: PUSH ESP; RET (54C3) 0:012> u 77c73989 ntdll!ResCDirectoryValidateEntries+0x1805: 77c73989 54 push esp 77c7398a c3 ret CALL ESP; (FFD4) 0:012> u 77c77254 ntdll!

Don't Go Phishing Blind, Watch While RunTime

Raise your hand if you crafted your payload well and it worked fine on your lab machines, but in the real scenario you’re not receiving the callback! I guess all of us have experienced this at some point. To solve this I wrote a simple yet effective set of functions that allow us to see what is going on during the runtime of our script. The first function/subroutine, which I called hello, simply sends a GET request to a specified server.

Identify Weak Service Configuration With One Liner of Powershell

One of the features of the PEN300 MSF script is lazy privilege escalation: it checks for a few common excessive permissions and missing configuration in certain components of the box. The missing part was how to identify weak service configurations. The approach was already known; however, how to achieve it using the MSF Ruby API or the Win32 API seemed doomed. The MSF Windows Services class relies on sc_manager, which won’t work with a low-privileged user.

Automate the Reconnaissance Phase

If you have been reading my OSEP (PEN300) post series, you know that I love automating things, and the reconnaissance phase is one of the repetitive tasks that you do for each machine you compromise, right? In this post, I am going to share with you how I took advantage of existing scripts and tools to create, let’s say, a reconnaissance script bundle. The script is written in PowerShell; the language has a rich API, especially when it allows us to load .

Added RunAsPPL Check to Our PEN300 MSF Script

While running some tests this morning I stumbled on the following error: Could not execute auto: Rex::Post::Meterpreter::RequestError priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect. This occurred right after enabling restricted admin in our MSF script, as shown in the screenshot. There are two important points we need to discuss here: first, when the error happened it was not handled, hence the script stopped running, which is bad. The second point is: what could go wrong, right?

Taking Advantage of Assembly.GetManifestResourceStream for Quick Dirty Hacks

We all get lazy from time to time, but things need to be done. In this post I am going to share with you a dirty hack that I used to avoid translating a solution written in an X programming language into another programming language. The scenario we are going to cover here is, let’s say, that we wrote a piece of code that does something but requires another tool to achieve the next step of the aimed goal.

Make SharpRDP a Loadable .NET Assembly

SharpRDP is a neat tool when it comes to getting command execution via the RDP protocol. The project is written in C# .NET, which makes it perfect to leverage as a .NET assembly; however, in order to load an assembly the binary needs to expose the API, and in this case SharpRDP is built in a way that it can only be run in the traditional way. If we look at the source code of the project on GitHub, we can clearly see that the Program class has the internal attribute and the two methods have the private attribute.

A Class Helper for Metasploit Powershell Extension

Three weeks ago or so I started writing an MSF script that automates repeated tasks such as running reconnaissance scripts, dumping credentials, listing tokens that could be impersonated and so on. The current script does all that I have listed above among other things; however, some parts of the code generate PowerShell cradles and execute PowerShell commands, and I would say that this is not an elegant way to do it. For instance, here are two examples where I run PowerShell commands:

Build an Atomic Windows Lab

I have decided to build a Windows virtual machine to run some test scenarios with the goal of automating the repetitive tasks we encounter during an engagement. In a nutshell, we are going to build a vulnerable non-domain Windows machine with different escalation paths, including weak service configuration and Always Install Elevated enabled, with some defenses on such as Windows Defender (LOL) and PowerShell restricted language to make it a bit challenging, or should I say interesting.

Let's build a Python module in C

Background: Python is one of the most used programming languages nowadays, especially due to its popularity in the data science, deep learning and machine learning fields; truth be told, under the hood there is C and/or C++ code running. Let’s take for example some popular Python libraries used in math and machine learning to illustrate that point: NumPy (33.2% of the code is written in C), TensorFlow (61% of the code is written in C++), PyTorch (53% of the code is written in C++ and 4% in C). The reason these libraries are built in C and/or C++ is mainly performance; it is also important to note that Python is written in C, hence it provides a C API to extend the language by creating new modules at the lowest level possible.

Michał Bentkowski XSS Challenge

Back in April, Michał Bentkowski posted an XSS challenge on Twitter. So I decided to give this a try, and here is my write-up about it. The first thing that I noticed when I visited the page is that the challenge was served via GitHub Pages. From there, I knew that CSP did not apply to the challenge. The challenge rules were as follows: Please enter some HTML. It gets sanitized and inserted to a <div>.

Delivering more than just presents: An Xmas story of self-XSS on Amazon.com

It’s been a long time since my last blog post, as I was preparing for my OSCP. Well, I’m glad to inform you all that I’m now an Offensive Security Certified Professional. In this post, I will walk you through how, in less than five minutes, I found a self-XSS bug on the main Amazon.com website. It was Christmas time and a colleague of mine had introduced me to Amazon Prime Video, so I decided to take a look at it.

OverTheWire: Natas 0-10

Preparing for OSCP, I’ve been working through OverTheWire - natas, and here is my walkthrough for levels 0-10. Natas is a series of insecure web apps which aim to teach the basics of web security. The security topics covered in these levels include: editing HTTP headers, editing cookies, file inclusion vulnerabilities, brute-force techniques and command injections. Natas 0: It says that we can find the password for the next level on the page, yet we don’t see it, do we?

Mr Robot Vulnhub Challenge Walkthrough

I had some extra time this weekend so I decided to play the Mr Robot hacking challenge. I had heard a lot about that challenge but I didn’t have time to hack it. Now was the time. I downloaded the virtual machine image from VulnHub, fired up VirtualBox and started the Kali Linux VM. Enumeration time: I always start with port scanning to see what services are running, but to do so I need to find the machine’s IP first.

Bypass Content Security Policy framing restriction rule - OLX

It’s been a while since my last post. Today I decided to share with you a bug I found on a public bug bounty program on HackerOne. You can find the original report here. This post is about a misconfiguration in a CSP rule that leaves the website vulnerable to UI redressing, aka clickjacking. This attack is widely used by scammers and spammers to trick users. After some recon on olx.co.za and olx.

Reflective XSS via angularJS template injection - Hostinger

Introduction: This is a write-up of an AngularJS template injection I found in the main domain of Hostinger. If you don’t know what client-side template injection is, I invite you to take a look at these links [1][2]. Please note that this is my first write-up; I hope you’ll enjoy it. It all started when @berkanexo was telling me that he got listed on the Hostinger Wall Of Fame, so I decided to take a look at their website.

Hello Blog! My goals for 2018

Hello world, welcome to my little paradise. I’m Taha Ibrahim DRAIDIA, a software developer interested in application security, binary exploitation, exploit development, ethical hacking and bug bounties. I never wrote a blog before; this is my first time, and I hope you’ll like my writings. Below are the reasons why I decided to start writing a blog: I used to take notes in text files, and they got messy; I would like to share what I’ve learnt along my journey in computers; I would like to improve my writing skills; I would like to get feedback about my code, research and methodologies; I would like to feel more connected with people who share the same interests. Here is a list of topics which I’ll be writing about: