ROP Emporium - split

In the previous post I tried to explain what ROP is and how I solved the ROP Emporium ret2win. This write-up will be about the second challenge: split. We'll look at finding our first gadget and how to go about using it in a chain.

Exploring the binary

First explore …




ROP Emporium - ret2win

Over the past couple of weeks I've set myself the goal of learning how Return Oriented Programming (ROP) really works. Coincidentally, over at Hack the Box there have recently been multiple instances where one needed to exploit a binary using ROP. Whilst doing some research on the topic I ran …




WireGuard on OpenBSD

Earlier this week I imported a port for WireGuard into the OpenBSD ports tree. At the moment we have the userland daemon and the tools available. The in-kernel implementation is only available for Linux. At the time of writing there are packages available for -current.

Jason A. Donenfeld (WireGuard …




SLAE64 - Crypter

The seventh and final assignment of the SLAE64 exam states:

  • Create a custom crypter like the one shown in the "crypters" video
  • Free to use any existing encryption schema
  • Can use any programming language

Initially I wanted to use the Tiny Encryption Algorithm but decided against it and instead chose …




SLAE64 - Polymorphic shellcode

The sixth assignment of the SLAE64 exam states:

  • Take up to 3 shellcodes from Shell-Storm and create polymorphic versions of them to beat pattern matching
  • The polymorphic versions cannot be larger than 150% of the original shellcode
  • Bonus points for making it shorter in length than original

When researching polymorphism …




SLAE64 - Metasploit analysis

The fifth assignment of the SLAE64 exam states:

  • Take at least 3 shellcode samples created using Msfvenom (née Msfpayload) for linux/x86_64
  • Use GDB to dissect the functionality of the shellcode
  • Document your analysis

One thing that immediately stands out is the relative lack of diversity when it comes …




SLAE64 - Custom Encoder

The fourth assignment of the SLAE64 exam states:

  • Create a custom encoding scheme like the "insertion encoder" we showed you
  • PoC using execve-stack as the shellcode to encode with your schema and execute

For this assignment I wrote a script which supports two encoders and it can also help …
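As an added illustration of the kind of scheme the assignment asks for (this is example code written for this page, not the author's script or the course's encoder), the block below implements a simple insertion encoder in C: every shellcode byte is followed by one junk byte, and the decoder strips the junk back out. The junk generator, the seed and the eight sample bytes are constructed for the demo; the sample is not a working payload, and the junk bytes are kept non-zero so the encoded blob stays NUL-free, which is the usual constraint on encoded shellcode.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample bytes standing in for shellcode (not a working payload). */
static const uint8_t sample_payload[] = { 0x48, 0x31, 0xc0, 0x48, 0x31, 0xff, 0x0f, 0x05 };

/* Deterministic junk-byte generator (assumption: a plain LCG, chosen so the
   output is reproducible). Never returns 0x00 so the encoded blob stays NUL-free. */
static uint8_t next_junk(uint32_t *state) {
    uint8_t b;
    do {
        *state = *state * 1103515245u + 12345u;
        b = (uint8_t)(*state >> 16);
    } while (b == 0x00);
    return b;
}

/* Insertion encoding: each payload byte is followed by one junk byte.
   out must hold 2*len bytes. Returns the encoded length. */
size_t insertion_encode(const uint8_t *in, size_t len, uint8_t *out, uint32_t seed) {
    uint32_t state = seed;
    for (size_t i = 0; i < len; i++) {
        out[2 * i] = in[i];
        out[2 * i + 1] = next_junk(&state);
    }
    return 2 * len;
}

/* Decoder: keep every even-indexed byte, drop the junk. This is the work a
   decoder stub prepended to the encoded shellcode would do in place before
   jumping to the result. out may alias in: the write index never overtakes
   the read index. Returns the decoded length. */
size_t insertion_decode(const uint8_t *in, size_t enc_len, uint8_t *out) {
    size_t n = enc_len / 2;
    for (size_t i = 0; i < n; i++) out[i] = in[2 * i];
    return n;
}

/* 1 if buf contains no 0x00 byte. */
int is_null_free(const uint8_t *buf, size_t len) {
    for (size_t i = 0; i < len; i++) if (buf[i] == 0x00) return 0;
    return 1;
}

/* Encode, check the encoded form is NUL-free, decode in place, compare with
   the original. Returns 1 on success, 0 on any failure. */
int roundtrip_ok(const uint8_t *payload, size_t len, uint32_t seed) {
    uint8_t buf[512];
    if (2 * len > sizeof buf) return 0;
    size_t enc = insertion_encode(payload, len, buf, seed);
    if (!is_null_free(buf, enc)) return 0;
    size_t dec = insertion_decode(buf, enc, buf);
    return dec == len && memcmp(buf, payload, len) == 0;
}

int main(void) {
    uint8_t buf[64];
    size_t enc = insertion_encode(sample_payload, sizeof sample_payload, buf, 0x1234u);
    printf("encoded (%zu bytes):", enc);
    for (size_t i = 0; i < enc; i++) printf(" %02x", buf[i]);
    printf("\nnull-free: %d, round-trip: %d\n",
           is_null_free(buf, enc),
           roundtrip_ok(sample_payload, sizeof sample_payload, 0x1234u));
    return 0;
}
```

The encoded output is twice the size of the input, which is the price of this scheme; a real decoder stub would be written in assembly, must itself be NUL-free, and is what a signature would then have to match instead of the original bytes.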




SLAE64 - Egg Hunter

The third assignment of the SLAE64 exam states:

  • Study about the Egg Hunter shellcode
  • Create a working demo of the Egg Hunter
  • It should be configurable for different payloads

I for one had not heard of the concept of an egg hunter before, so a little searching around led me …




SLAE64 - Reverse TCP shellcode

The second assignment of the SLAE64 exam states:

  • Create a Shell_Reverse_TCP shellcode:
    • Reverse connects to a configured IP and port
    • Needs a "passcode"
    • If passcode is correct then execute a shell
  • Remove 0x00 from the Reverse TCP shellcode discussed in the course

Reverse TCP shellcode

This is quite a lot simpler …




SLAE64 - Bind TCP shellcode

The first assignment of the SLAE64 exam states:

  • Create a Shell_Bind_TCP shellcode:
    • Binds to a port
    • Needs a "passcode"
    • If passcode is correct then execute a shell
  • Remove 0x00 from the Bind TCP shellcode discussed in the course

Shell Bind TCP shellcode

The first assignment is to create a shell …