index.html

<!DOCTYPE html>
<!--[if IEMobile 7 ]><html class="no-js iem7"><![endif]-->
<!--[if lt IE 9]><html class="no-js lte-ie8"><![endif]-->
<!--[if (gt IE 8)|(gt IEMobile 7)|!(IEMobile)|!(IE)]><!--><html class="no-js" lang="en"><!--<![endif]-->
<head>
  <meta charset="utf-8">
  <title>Knapsy&#8217;s brain dump</title>
  <meta name="author" content="Knapsy">

  
  <meta name="description" content="It&rsquo;s been quite a while since I have done a CTF, but just very recently I got a chance to participate in one and came across a pretty &hellip;">
  

  <!-- http://t.co/dKP3o1e -->
  <meta name="HandheldFriendly" content="True">
  <meta name="MobileOptimized" content="320">
  <meta name="viewport" content="width=device-width, initial-scale=1">

  
  <link rel="canonical" href="http://blog.knapsy.com">
  <link href="/favicon.png" rel="icon">
  <link href="/stylesheets/screen.css" media="screen, projection" rel="stylesheet" type="text/css">
  <link href="/atom.xml" rel="alternate" title="Knapsy's brain dump" type="application/atom+xml">
  <script src="/javascripts/modernizr-2.0.js"></script>
  <script src="//ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js"></script>
  <script>!window.jQuery && document.write(unescape('%3Cscript src="./javascripts/libs/jquery.min.js"%3E%3C/script%3E'))</script>
  <script src="/javascripts/octopress.js" type="text/javascript"></script>
  <!--Fonts from Google"s Web font directory at http://google.com/webfonts -->
<link href="//fonts.googleapis.com/css?family=PT+Serif:regular,italic,bold,bolditalic" rel="stylesheet" type="text/css">
<link href="//fonts.googleapis.com/css?family=PT+Sans:regular,italic,bold,bolditalic" rel="stylesheet" type="text/css">

  
  <script type="text/javascript">
    var _gaq = _gaq || [];
    _gaq.push(['_setAccount', 'UA-55363999-1']);
    _gaq.push(['_trackPageview']);

    (function() {
      var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
      ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
      var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
    })();
  </script>


</head>

<body   >
  <header role="banner"><hgroup>
  <h1><a href="/">Knapsy&#8217;s brain dump</a></h1>
  
    <h2>IT security and other /dev/random stuff.</h2>
  
</hgroup>

</header>
  <nav role="navigation"><ul class="subscription" data-subscription="rss">
  <li><a href="/atom.xml" rel="subscribe-rss" title="subscribe via RSS">RSS</a></li>
  
</ul>
  
<form action="https://www.google.com/search" method="get">
  <fieldset role="search">
    <input type="hidden" name="q" value="site:blog.knapsy.com" />
    <input class="search" type="text" name="q" results="0" placeholder="Search"/>
  </fieldset>
</form>
  
<ul class="main-navigation">
  <li><a href="/">Blog</a></li>
  <li><a href="/blog/archives">Archives</a></li>
</ul>

</nav>
  <div id="main">
    <div id="content">
      <div class="blog-index">
  
  
  
    <article>
      
  <header>
    
      <h1 class="entry-title"><a href="/blog/2018/08/05/filevault-ctf-challenge-elf-x64-buffer-overflow/">FileVault CTF Challenge - ELF X64 Buffer Overflow</a></h1>
    
    
      <p class="meta">
        




<time class='entry-date' datetime='2018-08-05T16:31:31+10:00'><span class='date'><span class='date-month'>Aug</span> <span class='date-day'>5</span><span class='date-suffix'>th</span>, <span class='date-year'>2018</span></span> <span class='time'>4:31 pm</span></time>
        
           | <a href="/blog/2018/08/05/filevault-ctf-challenge-elf-x64-buffer-overflow/#disqus_thread"
             data-disqus-identifier="http://blog.knapsy.com/blog/2018/08/05/filevault-ctf-challenge-elf-x64-buffer-overflow/">Comments</a>
        
      </p>
    
  </header>


  <div class="entry-content"><p>It&rsquo;s been quite a while since I have done a CTF, but just very recently I got a chance to participate in one and came across a pretty interesting challenge which forced me to go back and re-learn exploit dev in Unix environments. Also had to brush up on my <code>gdb</code> knowledge&hellip;</p>

</div>
  
  
    <footer>
      <a rel="full-article" href="/blog/2018/08/05/filevault-ctf-challenge-elf-x64-buffer-overflow/">Read on &rarr;</a>
    </footer>
  


    </article>
  
  
    <article>
      
  <header>
    
      <h1 class="entry-title"><a href="/blog/2017/05/01/quickzip-4-dot-60-win7-x64-seh-overflow-egghunter-with-custom-encoder/">QuickZip 4.60 - Win7 X64 SEH Overflow (Egghunter) With Custom Encoder</a></h1>
    
    
      <p class="meta">
        




<time class='entry-date' datetime='2017-05-01T21:31:30+10:00'><span class='date'><span class='date-month'>May</span> <span class='date-day'>1</span><span class='date-suffix'>st</span>, <span class='date-year'>2017</span></span> <span class='time'>9:31 pm</span></time>
        
           | <a href="/blog/2017/05/01/quickzip-4-dot-60-win7-x64-seh-overflow-egghunter-with-custom-encoder/#disqus_thread"
             data-disqus-identifier="http://blog.knapsy.com/blog/2017/05/01/quickzip-4-dot-60-win7-x64-seh-overflow-egghunter-with-custom-encoder/">Comments</a>
        
      </p>
    
  </header>


  <div class="entry-content"><p>As a part of my preparations for the <a href="https://www.offensive-security.com/information-security-certifications/osce-offensive-security-certified-expert/">OSCE</a> exam, I have been trying to find some interesting exploits and PoC code to practice my skills on and learn something new in the exploit development department.</p>

<p>After some digging, I stumbled across a <a href="https://www.exploit-db.com/exploits/11656/">QuickZip v4.60 Buffer Overflow exploit</a>, which is very well documented by <a href="https://twitter.com/corelanc0d3r">corelanc0d3r</a> in a thorough blog post <a href="https://www.corelan.be/index.php/2010/03/27/quickzip-stack-bof-0day-a-box-of-chocolates/">here</a>.</p>

<p>Since the exploit itself is from 2010, it was designed to work on 32-bit Windows XP only. I decided to try and see if I can recreate it on a 64-bit Windows 7 and damn, was that a (fun) challenge!</p>

</div>
  
  
    <footer>
      <a rel="full-article" href="/blog/2017/05/01/quickzip-4-dot-60-win7-x64-seh-overflow-egghunter-with-custom-encoder/">Read on &rarr;</a>
    </footer>
  


    </article>
  
  
    <article>
      
  <header>
    
      <h1 class="entry-title"><a href="/blog/2016/02/24/escape-from-shellcatraz-breaking-out-of-restricted-unix-shells-sectalks-melbourne-0x01-2016/">Escape From SHELLcatraz - Breaking Out of Restricted Unix Shells (SecTalks Melbourne 0x01 2016)</a></h1>
    
    
      <p class="meta">
        




<time class='entry-date' datetime='2016-02-24T20:56:28+11:00'><span class='date'><span class='date-month'>Feb</span> <span class='date-day'>24</span><span class='date-suffix'>th</span>, <span class='date-year'>2016</span></span> <span class='time'>8:56 pm</span></time>
        
           | <a href="/blog/2016/02/24/escape-from-shellcatraz-breaking-out-of-restricted-unix-shells-sectalks-melbourne-0x01-2016/#disqus_thread"
             data-disqus-identifier="http://blog.knapsy.com/blog/2016/02/24/escape-from-shellcatraz-breaking-out-of-restricted-unix-shells-sectalks-melbourne-0x01-2016/">Comments</a>
        
      </p>
    
  </header>


  <div class="entry-content"><p>Today I had a pleasure of presenting at one of the first <a href="http://www.sectalks.org/melbourne/">SecTalks Melbourne</a> sessions - if you&rsquo;re from Melbourne, Australia area and into IT security / geeky stuff, make sure to sign up!</p>

<p>The talked covered basic methodology as well as some tips and tricks on breaking out of restricted Unix shells (such as <code>rbash</code> and <code>rksh</code>) that I came across during several CTFs and also at the &ldquo;real life&rdquo; engagements.</p>

<p>The slides from my talk are available at <a href="https://speakerdeck.com/knaps/escape-from-shellcatraz-breaking-out-of-restricted-unix-shells">SpeakerDeck here</a>.</p>

<p>Enjoy! :)</p>
</div>
  
  


    </article>
  
  
    <article>
      
  <header>
    
      <h1 class="entry-title"><a href="/blog/2015/11/25/easy-file-sharing-web-server-v7-dot-2-remote-seh-buffer-overflow-dep-bypass-with-rop/">Easy File Sharing Web Server v7.2 - Remote SEH Buffer Overflow (DEP Bypass With ROP)</a></h1>
    
    
      <p class="meta">
        




<time class='entry-date' datetime='2015-11-25T20:46:41+11:00'><span class='date'><span class='date-month'>Nov</span> <span class='date-day'>25</span><span class='date-suffix'>th</span>, <span class='date-year'>2015</span></span> <span class='time'>8:46 pm</span></time>
        
           | <a href="/blog/2015/11/25/easy-file-sharing-web-server-v7-dot-2-remote-seh-buffer-overflow-dep-bypass-with-rop/#disqus_thread"
             data-disqus-identifier="http://blog.knapsy.com/blog/2015/11/25/easy-file-sharing-web-server-v7-dot-2-remote-seh-buffer-overflow-dep-bypass-with-rop/">Comments</a>
        
      </p>
    
  </header>


  <div class="entry-content"><p>Just a few weeks ago I attended an amazing training on exploit development on Windows - <a href="https://www.corelan-training.com/index.php/training-2/bootcamp/">Corelan Bootcamp</a>. I have to admit, it&rsquo;s probably the best instructor led course I have ever attended; massive props to Peter &ldquo;<a href="https://twitter.com/corelanc0d3r">corelanc0d3r</a>&rdquo; who is a fantastic teacher and to OJ &ldquo;<a href="https://twitter.com/TheColonial">TheColonial</a>&rdquo; for organising it.</p>

<p>Okay, with credits out of the way, let&rsquo;s talk exploits! Since everything I learned at the bootcamp is still fresh in my head, I thought it will be good to practice it a bit more and make sure all of the information sinks in properly.</p>

<p>So, off I went to <a href="https://exploit-db.com">exploit-db</a> and, after some poking around in DoS and PoC section, I found an exploit that I thought of redesigning and improving - <a href="https://www.exploit-db.com/exploits/38526/">Easy File Sharing Web Server 7.2 - Remote SEH Based Overflow</a>.</p>

</div>
  
  
    <footer>
      <a rel="full-article" href="/blog/2015/11/25/easy-file-sharing-web-server-v7-dot-2-remote-seh-buffer-overflow-dep-bypass-with-rop/">Read on &rarr;</a>
    </footer>
  


    </article>
  
  
    <article>
      
  <header>
    
      <h1 class="entry-title"><a href="/blog/2015/03/29/oscp-thoughts-and-tips/">OSCP - Thoughts and Tips</a></h1>
    
    
      <p class="meta">
        




<time class='entry-date' datetime='2015-03-29T18:18:03+11:00'><span class='date'><span class='date-month'>Mar</span> <span class='date-day'>29</span><span class='date-suffix'>th</span>, <span class='date-year'>2015</span></span> <span class='time'>6:18 pm</span></time>
        
           | <a href="/blog/2015/03/29/oscp-thoughts-and-tips/#disqus_thread"
             data-disqus-identifier="http://blog.knapsy.com/blog/2015/03/29/oscp-thoughts-and-tips/">Comments</a>
        
      </p>
    
  </header>


  <div class="entry-content"><p>I&rsquo;ve been pretty quiet on here for the last couple months as I&rsquo;ve been really busy taking <a href="https://www.offensive-security.com/information-security-training/penetration-testing-with-kali-linux/">Penetration testing with Kali Linux (PWK)</a> training course, followed by the <a href="https://www.offensive-security.com/information-security-certifications/oscp-offensive-security-certified-professional/">Offensive Security Certified Professional (OSCP)</a> exam.</p>

<p>You&rsquo;ll find tons of other blog posts and reviews about the course and exam itself, so I won&rsquo;t be repeating what you should be able to find elsewhere, instead, I&rsquo;ll just try to give you a brief overview of what it is, how did I find it and some simple tips and tricks that will help you prepare for it.</p>

</div>
  
  
    <footer>
      <a rel="full-article" href="/blog/2015/03/29/oscp-thoughts-and-tips/">Read on &rarr;</a>
    </footer>
  


    </article>
  
  
    <article>
      
  <header>
    
      <h1 class="entry-title"><a href="/blog/2014/12/16/pegasus-has-arrived-my-first-boot2root-vm/">Pegasus Has Arrived - My First Boot2root VM</a></h1>
    
    
      <p class="meta">
        




<time class='entry-date' datetime='2014-12-16T21:54:34+11:00'><span class='date'><span class='date-month'>Dec</span> <span class='date-day'>16</span><span class='date-suffix'>th</span>, <span class='date-year'>2014</span></span> <span class='time'>9:54 pm</span></time>
        
           | <a href="/blog/2014/12/16/pegasus-has-arrived-my-first-boot2root-vm/#disqus_thread"
             data-disqus-identifier="http://blog.knapsy.com/blog/2014/12/16/pegasus-has-arrived-my-first-boot2root-vm/">Comments</a>
        
      </p>
    
  </header>


  <div class="entry-content"><p>It&rsquo;s here! My first boot2root VM, inspired by various CTFs I attended this year and couple cool things I learnt, is finally here! Go and grab it from <a href="https://www.vulnhub.com/entry/pegasus-1,109/">here (via VulnHub)</a>.</p>

</div>
  
  
    <footer>
      <a rel="full-article" href="/blog/2014/12/16/pegasus-has-arrived-my-first-boot2root-vm/">Read on &rarr;</a>
    </footer>
  


    </article>
  
  
    <article>
      
  <header>
    
      <h1 class="entry-title"><a href="/blog/2014/11/17/png-from-hell-ruxcon-ctf-challenge/">PNG From Hell - Ruxcon CTF Challenge</a></h1>
    
    
      <p class="meta">
        




<time class='entry-date' datetime='2014-11-17T11:43:20+11:00'><span class='date'><span class='date-month'>Nov</span> <span class='date-day'>17</span><span class='date-suffix'>th</span>, <span class='date-year'>2014</span></span> <span class='time'>11:43 am</span></time>
        
           | <a href="/blog/2014/11/17/png-from-hell-ruxcon-ctf-challenge/#disqus_thread"
             data-disqus-identifier="http://blog.knapsy.com/blog/2014/11/17/png-from-hell-ruxcon-ctf-challenge/">Comments</a>
        
      </p>
    
  </header>


  <div class="entry-content"><p>Some time ago now I was lucky enough to take part in <a href="https://ruxcon.org.au/events/ctf/">Ruxcon CTF</a>, which was absolutely awesome - learnt bunch of new things and met heaps of cool people!</p>

<p>There was a wide variety of different challenges, but this particular one REALLY did my head in. I spent way too much time on it during the CTF and unfortunately didn&rsquo;t manage to break it. Then recently, I decided to take a look at it again and, with a lot less hassle than I thought, I nailed it!</p>

<p>Let me introduce you to my most hated PNG of all times&hellip;</p>

</div>
  
  
    <footer>
      <a rel="full-article" href="/blog/2014/11/17/png-from-hell-ruxcon-ctf-challenge/">Read on &rarr;</a>
    </footer>
  


    </article>
  
  
    <article>
      
  <header>
    
      <h1 class="entry-title"><a href="/blog/2014/11/05/kvasir-vm-writeup/">Kvasir VM Writeup</a></h1>
    
    
      <p class="meta">
        




<time class='entry-date' datetime='2014-11-05T19:30:38+11:00'><span class='date'><span class='date-month'>Nov</span> <span class='date-day'>5</span><span class='date-suffix'>th</span>, <span class='date-year'>2014</span></span> <span class='time'>7:30 pm</span></time>
        
           | <a href="/blog/2014/11/05/kvasir-vm-writeup/#disqus_thread"
             data-disqus-identifier="http://blog.knapsy.com/blog/2014/11/05/kvasir-vm-writeup/">Comments</a>
        
      </p>
    
  </header>


  <div class="entry-content"><p>It sort of became the main theme of this blog&hellip; yet another writeup for a VM from <a href="http://vulnhub.com">VulnHub</a> and, I have to admit, probably the most demanding one yet!</p>

<p><a href="http://vulnhub.com/entry/kvasir-i,106/">Kvasir</a> touches on quite a lot of aspects of security/pentesting and really tests your patience. <a href="https://twitter.com/_RastaMouse">Rasta Mouse</a> did a great job putting it all together and simulating a network of quite some depth by using Linux containers.</p>

<p>So, without delying too much, let&rsquo;s get right into it as there&rsquo;s A LOT to go through!</p>

</div>
  
  
    <footer>
      <a rel="full-article" href="/blog/2014/11/05/kvasir-vm-writeup/">Read on &rarr;</a>
    </footer>
  


    </article>
  
  
    <article>
      
  <header>
    
      <h1 class="entry-title"><a href="/blog/2014/10/28/beating-the-troll-tr0ll2-writeup/">Beating the Troll - Tr0ll2 Writeup</a></h1>
    
    
      <p class="meta">
        




<time class='entry-date' datetime='2014-10-28T19:57:51+11:00'><span class='date'><span class='date-month'>Oct</span> <span class='date-day'>28</span><span class='date-suffix'>th</span>, <span class='date-year'>2014</span></span> <span class='time'>7:57 pm</span></time>
        
           | <a href="/blog/2014/10/28/beating-the-troll-tr0ll2-writeup/#disqus_thread"
             data-disqus-identifier="http://blog.knapsy.com/blog/2014/10/28/beating-the-troll-tr0ll2-writeup/">Comments</a>
        
      </p>
    
  </header>


  <div class="entry-content"><p>Damn, I love <a href="http://www.vulnhub.com">VulnHub</a> - always keeps me entertained! With so many VMs released recently and with me just coming off an awesome CTF I have been kept quite busy those last couple weeks! Keeping the momentum up, I decided to give <a href="http://vulnhub.com/entry/tr0ll-2,107/">Tr0ll2 VM</a> a shot. As expected, there were trolls on the way, but overall I quite enjoyed it! Alright, let&rsquo;s rock on.</p>

</div>
  
  
    <footer>
      <a rel="full-article" href="/blog/2014/10/28/beating-the-troll-tr0ll2-writeup/">Read on &rarr;</a>
    </footer>
  


    </article>
  
  
    <article>
      
  <header>
    
      <h1 class="entry-title"><a href="/blog/2014/10/16/knock-knock-vm-walkthrough/">Knock-Knock VM Walkthrough</a></h1>
    
    
      <p class="meta">
        




<time class='entry-date' datetime='2014-10-16T15:29:15+11:00'><span class='date'><span class='date-month'>Oct</span> <span class='date-day'>16</span><span class='date-suffix'>th</span>, <span class='date-year'>2014</span></span> <span class='time'>3:29 pm</span></time>
        
           | <a href="/blog/2014/10/16/knock-knock-vm-walkthrough/#disqus_thread"
             data-disqus-identifier="http://blog.knapsy.com/blog/2014/10/16/knock-knock-vm-walkthrough/">Comments</a>
        
      </p>
    
  </header>


  <div class="entry-content"><p>Just after awesome weekend hacking away at <a href="http://ruxcon.org.au">Ruxcon</a>, <a href="http://vulnhub.com">VulnHub</a> delivered yet another boot2root VM - wow, that&rsquo;s been busy (and fun) last couple of weeks! Good practice for another big CTF that is coming up for me very soon&hellip;</p>

<p>Anyway, without too much of an intro, let&rsquo;s get to it!</p>

</div>
  
  
    <footer>
      <a rel="full-article" href="/blog/2014/10/16/knock-knock-vm-walkthrough/">Read on &rarr;</a>
    </footer>
  


    </article>
  
  <div class="pagination">
    
      <a class="prev" href="/posts/2">&larr; Older</a>
    
    <a href="/blog/archives">Blog Archives</a>
    
  </div>
</div>
<aside class="sidebar">
  
    <section>
  <h1>About Me</h1>
  <p><img src="https://pbs.twimg.com/profile_images/1026331713549389824/sxjd08KY_bigger.jpg" align="right"/><strong>Knapsy</strong> (<u><a href="http://twitter.com/TheKnapsy">@TheKnapsy</a></u>)<br/>
  IT security guy, pentester, coder, basketballer, coffee enthusiast. Creative, bit nuts, sleep deprived.</p>
</section>
<section>
  <h1>Recent Posts</h1>
  <ul id="recent_posts">
    
      <li class="post">
        <a href="/blog/2018/08/05/filevault-ctf-challenge-elf-x64-buffer-overflow/">FileVault CTF Challenge - ELF X64 Buffer Overflow</a>
      </li>
    
      <li class="post">
        <a href="/blog/2017/05/01/quickzip-4-dot-60-win7-x64-seh-overflow-egghunter-with-custom-encoder/">QuickZip 4.60 - Win7 X64 SEH Overflow (Egghunter) With Custom Encoder</a>
      </li>
    
      <li class="post">
        <a href="/blog/2016/02/24/escape-from-shellcatraz-breaking-out-of-restricted-unix-shells-sectalks-melbourne-0x01-2016/">Escape From SHELLcatraz - Breaking Out of Restricted Unix Shells (SecTalks Melbourne 0x01 2016)</a>
      </li>
    
      <li class="post">
        <a href="/blog/2015/11/25/easy-file-sharing-web-server-v7-dot-2-remote-seh-buffer-overflow-dep-bypass-with-rop/">Easy File Sharing Web Server v7.2 - Remote SEH Buffer Overflow (DEP Bypass With ROP)</a>
      </li>
    
      <li class="post">
        <a href="/blog/2015/03/29/oscp-thoughts-and-tips/">OSCP - Thoughts and Tips</a>
      </li>
    
  </ul>
</section>

<section>
  <h1>Latest Tweets</h1>
  <p><a class="twitter-timeline" href="https://twitter.com/TheKnapsy" data-widget-id="517677537711767552">Tweets by @TheKnapsy</a></p>
  <script>!function(d,s,id){var js,fjs=d.getElementsByTagName(s)[0];if(!d.getElementById(id)){js=d.createElement(s);js.id=id;js.src="//platform.twitter.com/widgets.js";fjs.parentNode.insertBefore(js,fjs);}}(document,"script","twitter-wjs");</script>
</section>






  
</aside>

    </div>
  </div>
  <footer role="contentinfo"><p>
  Copyright &copy; 2018 - Knapsy -
  <span class="credit">Powered by <a href="http://octopress.org">Octopress</a></span>
</p>

</footer>
  

<script type="text/javascript">
      var disqus_shortname = 'knapsysbraindump';
      
        
        var disqus_script = 'count.js';
      
    (function () {
      var dsq = document.createElement('script'); dsq.type = 'text/javascript'; dsq.async = true;
      dsq.src = '//' + disqus_shortname + '.disqus.com/' + disqus_script;
      (document.getElementsByTagName('head')[0] || document.getElementsByTagName('body')[0]).appendChild(dsq);
    }());
</script>







  <script type="text/javascript">
    (function(){
      var twitterWidgets = document.createElement('script');
      twitterWidgets.type = 'text/javascript';
      twitterWidgets.async = true;
      twitterWidgets.src = '//platform.twitter.com/widgets.js';
      document.getElementsByTagName('head')[0].appendChild(twitterWidgets);
    })();
  </script>





</body>
</html>