SLAE Assignment 7 – Custom Crypter

Assignment Create a custom crypter like the one shown in the “crypters” video Free to use any existing encryption schema Can use any programming language Python AES Custom Crypter For our final assignment we are going to create a custom AES crypter in Python. We are using the PyCryptodome library for our encryption functions so need to install this into our python environment as follows: I had a couple of goals for the crypter in that I wanted it to be useable rather than just a proof of concept, therefore both encrypt and decrypt from the command line and optionally... Read more

SLAE Assignment 6 – Polymorphic Shellcode

Assignment Take up 3 shellcodes from Shell-­‐Storm and create polymorphic versions of them to beat pattern matching The polymorphic versions cannot be larger 150% of the existing shellcode Bonus points for making it shorter in length than original Introduction Polymorphic code is code that uses a polymorphic engine to mutate while keeping the original algorithm intact. In this case we will be manually making changes to the original shellcode in order to create a “polymorphic” version. chmod 0777 /etc/shadow http://shell-storm.org/shellcode/files/shellcode-875.php Original Shellcode The code causes a segmentation fault but runs correctly changing the shadow files permissions: Stepping through the code... Read more

SLAE Assignment 5 – Shellcode Analysis

Assignment Take up at least 3 shellcode samples created using Msfpayload for linux/x86 Use GDB/Ndisasm/Libemu to dissect the functionality of the shellcode Present your analysis Shellcode – linux/x86/read_file (Ndisasm) Starting simple we chose the read_file payload from msfvenom. A quick look at the options shows us the file descriptor is set to 1 by default which is STDOUT so we only need to supply the path variable to generate our shellcode. We generate our shellcode with the command seen below. Then disassemble the shellcode using Ndisasm In line analysis of the shellcode is provided below however at a high level... Read more

SLAE Assignment 4 – Custom Encoder

Assignment Create a custom encoding scheme like the “Insertion Encoder” we showed you PoC with using execve-­‐stack as the shellcode to encode with your schema and execute Approach So for our 4th assignment we need to create a custom encoder then decoder stub in assembly to decrypt the encoded payload and execute our shell code. For this I will be using a XANAX encoding scheme. Xor add not add xor  First we will write an encoder in python followed by the decoder in assembly. Encoder The one small gotcha within the code was the not function which creates a negative... Read more

SLAE Assignment 3 – Egg Hunters

Assignment Study about the Egg Hunter shellcode Create a working demo of the Egghunter Should be configurable for different payloads What is an Egg Hunter? A egg hunter is a small piece of code that is used to search memory for an identifying stub and then direct execution flow to the area of memory directly after the identifier (egg). This is typically useful in exploitation scenarios where available space for shellcode is not big enough to hold a full payload. In this case a small egg hunter shell code can be used to search memory for a larger shell code... Read more

SLAE Assignment 2 – Reverse Shell – Shell-code

Intro So assignment two is similar to assignment one, but this time is a reverse shell. Approach has been exactly the same, Eg C POC, Assembly than wrapper program. To be fair the assembly came a bit easier this time and wasn’t fair off working on first attempt so I’m making progress. C Reverse Shell First things first is the C proof of concept which is in fact a touch easier than the bind shell if anything be pretty straight forward to understand. Assembly Reverse Shell As before this is a direct translation of the C code into assembly. Only... Read more

SLAE Assignment 1 – TCP Bind Shell-code

Intro So part one of the challenges for Security Tube Linux Assembly Expert (SLAE) certification, TCP bind shell code. For more info on the course look here. Given my minimal knowledge of C programming at this point my intended process for this challenge is to: Identify the steps I need to take with the code Write a working C proof of concept for the task Port the C code to assembly language Compile and link to a binary and extract the working shell-code Finally work out a way of making the port number dynamic for the shell-code Identify the steps... Read more

ESXi 6.5 on HP Microserver Gen 8

Well having decided to put together a small homelab and purchased a HP Microserver Gen 8 for the purpose I decided to go a head with VMware ESXi for the hypervisor, some thing new and we all like a challenge right? Well its defintely been a challange in retrospec Hyper-V might have been easier but anyway I’ll get the process down well its still fresh in my mind. Setup is currently the bog standard microserver, so 4gb Ram, celeron 2.3, 32GB USB stick and 2 X 2TB SATA drives… memory and processor upgrades yet to come. Downloaded the HP specific... Read more