> iftekhar syed / z3nxth

ctfs, writeups, hardware hacking, road to oscp


> recent writeups

XOR Obfuscation

XOR obfuscation is a bare-bones and lightweight method of obfuscating data using the bitwise XOR operation. Data is combined with a key to get a result. "XORing" is useful for evasion of basic static detection in some cases and is easy to implement in shellcode.

understanding SMB relay attacks

This guide covers SMB relay attacks. In many AD environments, cracking passwords isn't feasible; however, when SMB signing is not enforced (the default in many setups), an attacker can abuse trust to relay NTLM authentication and gain access without ever knowing the plaintext password.

using stagers with sliver

A stager is a small piece of software that has only one primary task: to trigger a larger implant's download and make the initial connection between host and C2. Stagers are small, lightweight and can help in AV evasion where they can potentially run in-memory.

htb active

Active is an easy windows box where we find encrypted credentials in an unsecured smb share. We can decrypt the credentials with a publicly available key to get a domain user, then perform a kerberoasting attack against the svc_tgs account to get domain admin.

understanding llmnr poisoning

This is a guide on llmnr poisoning. When dns fails, a fallback protocol named llmnr/nbt-ns is used. Resource locations are requested from the whole network, and an attacker can respond in exchange for a victim's hashed credentials.

using sliver on linux

Walkthrough of using sliverc2 against linux targets. Sliver is a modern cli-based command and control (c2) framework that is extremely flexible, supporting beacons, stagers, mtls/http/dns transport options and more!

htb chemistry

Chemistry is an easy linux box. After gaining a shell through an insecure file upload, we can crack internal hashed credentials found in a sql database and move laterally into a user shell. We can then escalate privileges to root by exploiting a path traversal/file inclusion vulnerability in an internal webpage to get root's ssh key.

exploiting suid bits: systemctl

This is a post on SUID bits. SUID binaries run with the permissions of their owner, so root-owned binaries can be run as root. In this post, we exploit the SUID bit on systemctl to get a shell and run arbitrary commands as root.


> contact

send me an email