-
DIVA - An intentionally vulnerable Android app - Part 1: Insecure Storage
Intro After spending a year working on Android malware analysis, I am now making the transition to Android security assessments. I’ve been studying up on the subject for the last few weeks, and I have been practicing on deliberately vulnerable apps. I am going to share my experience working with...
-
Real-world Android Malware Analysis 4: thisisme.thisapp.inspxctor
Intro In previous blog posts, I’ve covered a couple of phishing apps that were pretty simple to reverse engineer because they weren’t very complex or heavily obfuscated. Today, we’re going to look at a backdoor with spyware capabilities that is also fairly simple to analyze due to a lack of...
-
OWASP Android Uncrackables 1 & 2
Intro In the interest of working on my Android reverse engineering skills, I decided to work on some Android “crack me”s that I found at this Github repo. The first two are fairly simple so I’ve decided to write up both in one blog post just to keep it from...
-
Real-world Android Malware Analysis 3: com.eth.appdroid
Intro Last time we took a look at an Android app that attempted to steal crypto currency. It was fairly easy to analyze, and proving it as malicious didn’t take long. Today I want to take a look at yet another crypto phishing app (they spring up like weeds) that is a...
-
Real-world Android Malware Analysis 2: de.app.quickcurrencyswap
Intro Lately there has been an explosion of popularity in crypto currency phishing apps on the Google Play Store, trying to capitalize on the ever increasing craze behind crypto currency and NFTs. Some are more obvious than others. Some are more clever than others. The app I’m going to analyze...
-
Real-world Android Malware Analysis 1: eblagh.apk
Intro Over the last few months I have been cultivating a new skill that I’m getting to use at work: Android malware reverse engineering and analysis. There is still a lot to learn, so I’m starting to look for more opportunities to practice. Fortunately, there are a couple of malware...
-
Vulnserver Redux 1: Reverse Engineering TRUN
Intro At the time of writing, I am currently enrolled in Offensive Security’s EXP-301/OSED course. One of the topics covered in the course is reverse engineering for bugs, which was one of my favorite modules. I wanted to get in a little extra practice so I came back to Vulnserver...
-
Bypassing Defender on modern Windows 10 systems
Intro PEN-300 taught me a lot about modern antivirus evasion techniques. It was probably one of the more fun parts of the course, because we did a lot of cool things in C# and learned to bypass modern-day AV. While the information provided was solid, I found that some of...
-
Course Review - PEN-300
Intro I signed up for PEN-300 in November 2020, started in December 2020, and over the next three months I worked on the course material every day. Watching videos, going through the PDF, replicating exercises, and eventually the challenge labs. I sat the exam on March 13th and met...
-
Malware Analysis - Wannacry
Intro It was the middle of May 2017. I was working night shift in a datacenter on the Windows server team. My desk phone rings and it’s a security analyst working for one of the datacenter’s tenants, asking us to immediately apply patches to all their servers for the EternalBlue...
-
Phishing Analysis - Steam Scams
Intro More and more often I keep hearing about friends who get random private messages from their friends asking them to click a link and “Vote for my team in this competition” or something along those lines. The messages come from compromised accounts that are being used to take over...
-
Vulnhub - FoxHole
Intro After much hemming and hawing about making my own Vulnhub box, I sat down one night, and after a marathon session of evil laughing and chugging Dr. Pepper I created the box now known as FoxHole! The box is meant to be easy-to-intermediate, with a fairly straight-forward initial foothold,...
-
Phishing Analysis - Paypal Scam
Intro Today I got a phishing email sent to me that, on the surface, was pretty obvious to me that it was fake, but as I dug deeper, it revealed itself to be a terrifyingly convincing phishing scheme (except for one little detail). Breakdown To start, let’s show the email:...
-
Flowcharts in Markdown
Mermaid chart graph LR A[Wake up] --> B(Drink Coffee) B --> C{Awake yet?} C --> |Yes| D[Work] C --> |No| E[Drink moar] Flowchart st=>start: Wake up e=>end: End op1=>operation: Drink Coffee sub1=>subroutine: Brew another cup cond=>condition: Awake yet? st->op1->cond cond(yes)->e cond(no)->sub1(right)->op1 Run Mermaid top-down chart graph TD A[Wake up] -->...
-
Vulnhub - Misdirection
Intro Misdirection is a pretty simple OSCP-like machine that was very recently released by InfoSec Prep’s very own FalconSpy. He built it as some extra practice for people who are gearing up for OSCP and want something outside of the PWK labs. You can find it here. Part 1 -...
-
Exploit Dev - New Integard 0-day - CVE-2019-16702
Intro After getting some tips from a friend about a way of finding 0-days, I decided to return to Integard Pro v2.2.0.9026 and fuzz some different parameters in the HTTP POST header. After about an hour, I found a new buffer overflow that allowed me to overwrite EIP. There are...
-
OSCE Prep - Vulnserver LTER - Alphanumeric Restrictions
Intro This was probably one of the more complex Vulnserver exploits that I made, requiring lots of jumping around, stack adjustments, and the infamous alphanumeric character restrictions. I took this as an extra opportunity to practice some manual encoding but also sped things up with this nice script here While...
-
OSCE Prep - Vulnserver KSTET - Socket Reuse
Intro Before I say anything…! —> All credit goes to this awesome guy here! <— Without this post I’d have never even heard of socket reuse in buffer overflows. This was completely new territory for me and something I haven’t really seen in anything I’ve run across in Exploit-DB, so...
-
OSCE Prep - Integard Exploit
So with all my lab exercises done it's time to venture outside the course material and do some extra practice. I went to Exploit-DB and looked up some Windows x86 buffer overflow posts that have links to the vulnerable software. The first thing I tried had a complicated setup just...
-
OSCE Prep - Vulnserver GMON - SEH Overwrite (No Egghunter)
Previously, I wrote about performing the vulnserver.exe GMON SEH overflow, using an egghunter to overcome the space limitations. After a night of frustration and much learning, I re-created the exploit without the egghunter. This will be a short post because I'm only going to cover the differences between this exploit...
-
OSCE Prep - Vulnserver GMON - SEH Overwrite w/Egghunter
Passing the OSCP exam was a hell of a confidence booster, and taught me that I am capable of so much more than I thought. Breaking the habit of putting limitations on myself was quite a feeling. So I threw all caution to the wind and signed up for Cracking...
-
OSCP Review
On April 15th I received the best email I've gotten in a long time; a confirmation from Offensive Security that I had passed my PWK exam and obtained my Offensive Security Certified Professional (OSCP) certification! 15 months in the making, it took 2 attempts to get it. A lot of...
-
VulnHub - Kioptrix 5
The final box in the Kioptrix series is here! This one was the hardest by far, and every bit of advancement came only after a fair deal of research, head scratching, and frustration. Getting the initial foothold took many steps, some of which I've never done before, but getting root...
-
VulnHub - Kioptrix 4
Now it's time for the next pentest challenge in this series, Kioptrix 4! Recon and enumeration: As always we start with an nmap scan, courtesy of my favorite enum tool Sparta, and can see some pretty common ports open, SSH, web, and SMB. I always like to check out SMB...
-
VulnHub - Kioptrix 3
Here we are with Kioptrix level 3! This one was significantly more challenging than the last two if you exploited it manually, but there were some ways to automate the process to get the initial foothold to make things easier. Recon and initial enumeration: This one is going to be...
-
VulnHub - Kioptrix 2
Time for Kioptrix #2! This one was ever so slightly more difficult to get root on, but only because I let myself fall down rabbit holes instead of exploiting the obvious. Recon and initial enumeration: As always I started off using my favorite scanning tool Sparta to get the open...
-
VulnHub - Kioptrix 1
This one is going to be fairly short and sweet. It was a pretty simple box found over at vulnhub. https://www.vulnhub.com/entry/kioptrix-level-1-1,22/ Vulnhub is a site that hosts downloadable VMs that are CTF-style challenges. You'll need VMware to host them, and the drive space, but the upshot is that you don't...
-
Vulnserver TRUN - Vanilla EIP overwrite
Stack buffer overflow exercise: Vulnserver.exe I've taken quite a liking to doing basic stack buffer overflow attacks after learning how to do them in the Pentesting With Kali Linux course. I learned so much about assembly, and how to debug and analyze programs and gain a deeper understanding of how...
-
HTB - Active
Created by eks and mrb3n Let me preface this by saying that this was my favorite box on HackTheBox because it was one of the most real-world-like boxes that I've encountered so far. The vulnerabilities exploited here can be exploited in the real world and lead to the compromise of...