Posts by Category

security

Creating Shellcode Crypter

8 minute read

In addition to using encoders to evade AV detection, encryption can also be utilised to beat pattern detection. One of the benefits of encryption over encodi...

Creating Polymorphic Shellcode

3 minute read

Assignment 6 of the SecurityTube Linux Assembly Expert Certification consists of taking three shellcode samples from shell-storm.org and creating polymorphic...

Analysing Msfvenom Payloads

19 minute read

This post provides an analysis of three different payloads generated using msfvenom that target the Linux x86 platform:

Creating a Custom Shellcode Encoder

9 minute read

A common virus-detection evasion technique when deploying malicious payloads onto a system is to encode the payload in order to obfuscate the shellcode. As p...

Creating an Egg Hunter

8 minute read

When exploiting overflows that allow code execution, there is nearly always a limit on how much code can be passed to the application. In some cases, this limi...

Creating a Reverse TCP Shellcode

7 minute read

Reverse TCP shells are similar to bind shells, in that they allow shell access over a network. The key difference is that a bind shell will listen on the rem...

Creating a Bind Shell TCP Shellcode

12 minute read

“Bind shells” are used to spawn a shell on a remote system and provide access to it over a network. At minimum, a bind shell would need to carry out the foll...

From LFI to SQL Database Backup

8 minute read

When exploiting local file inclusion vulnerabilities on a host that does not adhere to The Principle of Least Privilege, a common file to target is the SAM f...

HackTheBox Node Walkthrough

12 minute read

Overview: Node is a machine focused around some of the newer technologies being utilised within web development; specifically Node.js, Express.js and mongodb....

Overcoming Some “Gotcha’s” in Frida

1 minute read

I took part in a new research project recently, which involved quite a significant amount of reverse engineering; to which Frida came to the rescue. Whilst u...

SkyTower CTF Walkthrough

7 minute read

Service Discovery: A port scan using Nmap [nmap -sS -sV -sC 10.2.0.104] showed three services running on the host machine:

Vulnix CTF Walkthrough

4 minute read

Service Discovery & Enumeration: Nmap [nmap -sS -sV -sC 192.168.22.134] revealed a number of different services for this box, offering a lot of potential ...

/dev/random: scream CTF Walkthrough

8 minute read

The version of war-ftpd that was running seemed to be vulnerable to a buffer overflow (http://www.securityfocus.com/bid/22944/info), but some manual attempts...

VulnOS 2 CTF Walkthrough

4 minute read

Service Discovery: A full port scan using masscan (masscan -p 0-65535 10.2.0.104 --rate=500) revealed three open ports: 22, 80 and 6667. Nmap subsequently fin...

Stapler CTF Walkthrough

15 minute read

Service Discovery: Running a port scan of the top 1000 ports using Nmap (nmap -sS -sV -sC -vv 10.2.0.104) revealed that the machine has a number of different ...

Kioptrix Level 4 CTF Walkthrough

7 minute read

Service Discovery: Running Nmap (nmap -sS -sV -Pn -vv -T4 10.2.0.104) revealed that SSH, Apache and Samba are all running on the host:

Kioptrix Level 3 CTF Walkthrough

4 minute read

Exploiting the Web Server: Running Nmap (nmap -sS -sV -Pn -T4 -vv 192.168.22.131) showed that only two services seemed to be exposed on this machine (SSH and ...

Kioptrix Level 2 CTF Walkthrough

3 minute read

Service Discovery & Authentication Bypass: An Nmap scan [nmap -sS -sV -T4 -Pn -vv 192.168.22.130] revealed a number of different services running on the m...

Kioptrix Level 1 CTF Walkthrough

3 minute read

Service Discovery: An Nmap scan [nmap -sS -sV -T4 -vv 192.168.22.128] revealed that the machine had a number of services running, most notably an old version ...

FristiLeaks CTF Walkthrough

5 minute read

FristiLeaks is a VM created by Ar0xA and has a difficulty rating of “basic”. The goal is to get root access and read the flag file.

Arabic Font <= 1.2 CSRF Stored XSS

less than 1 minute read

Due to a lack of CSRF mitigation and entity encoding in the output generated by arabic-font.php and /inc/panel.php, it is possible to store and execute scrip...

What’s New in WPXF 1.6.1

3 minute read

This is the first time I have written a blog post regarding WordPress Exploit Framework. I’ve never felt the need to write one yet, but given some of the cha...

WP Live Chat Support <= 7.0.06 Reflected XSS

less than 1 minute read

Due to a lack of CSRF mitigation and entity encoding in wp-live-chat-support.php, it is possible to execute scripts in the context of an admin user by includ...

Super Mario Host CTF Walkthrough

30 minute read

Super Mario Host is an SMB themed CTF created by mr_h4sh. The goal of the CTF is to discover the two hidden flags and to find the passwords of all the charac...

MaxButtons <= 6.18 Reflected XSS

less than 1 minute read

Due to a lack of CSRF mitigation and entity encoding in includes/admin_header.php, it is possible to execute scripts in the context of an admin user by inclu...

How I Hacked Bobby

11 minute read

The Bobby CTF is based on a Windows XP Pro SP3 VM with the objective of retrieving the flag found somewhere within the administrator’s personal folder.

How I Hacked Billu B0x

13 minute read

Host & Service Discovery: To start my analysis of this CTF, I booted into Kali and started Metasploit [msfconsole] and ran an Nmap SYN scan to locate the ...

How I Hacked Mr. Robot (CTF Walkthrough)

9 minute read

After hearing that someone had created a Mr. Robot themed CTF, I needed to see this. As the author describes, there isn’t anything overly difficult with this...

WP Whois Domain Reflected XSS

less than 1 minute read

Due to a lack of CSRF mitigation and entity encoding in pages/func-whois.php, it is possible to execute scripts in the context of an admin user by including ...

Lightbox <= 1.6.6 CSRF Stored XSS

1 minute read

Due to a lack of CSRF mitigation and entity encoding in the output generated by /admin/view/huge_it_light_box.php, it is possible to store and execute script...

Portfolio <= 2.1.10 Reflected XSS Disclosure

less than 1 minute read

Due to a lack of CSRF mitigation and entity encoding in the portfolio_gallery_print_html_nav function found on line 276 of /includes/admin/portfolio-gallery-...

Dwnldr 1.0 Stored XSS Disclosure

less than 1 minute read

Due to a lack of input sanitization in the dwnldr.php file, it is possible for unauthenticated users to utilise an XSS vector to store and run a script in th...

Setting Up Kali for Metasploit Unit Testing

4 minute read

This past week, I have been working on a new module for Metasploit which required a change to one of the core library files. As a result, I had to update the...


websec

From LFI to SQL Database Backup

8 minute read

When exploiting local file inclusion vulnerabilities on a host that does not adhere to The Principle of Least Privilege, a common file to target is the SAM f...

Arabic Font <= 1.2 CSRF Stored XSS

less than 1 minute read

Due to a lack of CSRF mitigation and entity encoding in the output generated by arabic-font.php and /inc/panel.php, it is possible to store and execute scrip...

What’s New in WPXF 1.6.1

3 minute read

This is the first time I have written a blog post regarding WordPress Exploit Framework. I’ve never felt the need to write one yet, but given some of the cha...

WP Live Chat Support <= 7.0.06 Reflected XSS

less than 1 minute read

Due to a lack of CSRF mitigation and entity encoding in wp-live-chat-support.php, it is possible to execute scripts in the context of an admin user by includ...

MaxButtons <= 6.18 Reflected XSS

less than 1 minute read

Due to a lack of CSRF mitigation and entity encoding in includes/admin_header.php, it is possible to execute scripts in the context of an admin user by inclu...

WP Whois Domain Reflected XSS

less than 1 minute read

Due to a lack of CSRF mitigation and entity encoding in pages/func-whois.php, it is possible to execute scripts in the context of an admin user by including ...

Lightbox <= 1.6.6 CSRF Stored XSS

1 minute read

Due to a lack of CSRF mitigation and entity encoding in the output generated by /admin/view/huge_it_light_box.php, it is possible to store and execute script...

Portfolio <= 2.1.10 Reflected XSS Disclosure

less than 1 minute read

Due to a lack of CSRF mitigation and entity encoding in the portfolio_gallery_print_html_nav function found on line 276 of /includes/admin/portfolio-gallery-...

Dwnldr 1.0 Stored XSS Disclosure

less than 1 minute read

Due to a lack of input sanitization in the dwnldr.php file, it is possible for unauthenticated users to utilise an XSS vector to store and run a script in th...


disclosure

Arabic Font <= 1.2 CSRF Stored XSS

less than 1 minute read

Due to a lack of CSRF mitigation and entity encoding in the output generated by arabic-font.php and /inc/panel.php, it is possible to store and execute scrip...

WP Live Chat Support <= 7.0.06 Reflected XSS

less than 1 minute read

Due to a lack of CSRF mitigation and entity encoding in wp-live-chat-support.php, it is possible to execute scripts in the context of an admin user by includ...

MaxButtons <= 6.18 Reflected XSS

less than 1 minute read

Due to a lack of CSRF mitigation and entity encoding in includes/admin_header.php, it is possible to execute scripts in the context of an admin user by inclu...

WP Whois Domain Reflected XSS

less than 1 minute read

Due to a lack of CSRF mitigation and entity encoding in pages/func-whois.php, it is possible to execute scripts in the context of an admin user by including ...

Lightbox <= 1.6.6 CSRF Stored XSS

1 minute read

Due to a lack of CSRF mitigation and entity encoding in the output generated by /admin/view/huge_it_light_box.php, it is possible to store and execute script...

Portfolio <= 2.1.10 Reflected XSS Disclosure

less than 1 minute read

Due to a lack of CSRF mitigation and entity encoding in the portfolio_gallery_print_html_nav function found on line 276 of /includes/admin/portfolio-gallery-...

Dwnldr 1.0 Stored XSS Disclosure

less than 1 minute read

Due to a lack of input sanitization in the dwnldr.php file, it is possible for unauthenticated users to utilise an XSS vector to store and run a script in th...


programming

Scanning Barcodes w/ Panasonic FZ-N1

1 minute read

Reading barcodes in Android from the Panasonic FZ-N1 barcode scanner is natively achievable via the dispatchKeyEvent method within an Activity.

Using ZeroMQ with Node.js

7 minute read

ZeroMQ (sometimes referred to as ØMQ) is an asynchronous messaging library which allows you to utilise a number of different patterns to fit the needs of a v...

Cross-fading Views in Android

2 minute read

A new Android app I have recently been working on needed sprucing up a little bit yesterday and I’ve always found cross-fading between loading screens to be ...

Adding Springs to 2D Platformers in Unity

3 minute read

A rather common component found in a lot of platformer games is some form of spring board that when jumped from ejects the player with a higher velocity than...

Shrinking Arduino Projects using an ATTiny85

4 minute read

When it comes to creating a more permanent solution for your Arduino prototypes, there’s a good chance that you’ll be looking to reduce the amount of physica...


ctf

HackTheBox Node Walkthrough

12 minute read

Overview: Node is a machine focused around some of the newer technologies being utilised within web development; specifically Node.js, Express.js and mongodb....

ASIS CTF Finals 2017 Write Up

7 minute read

I took part in the ASIS CTF finals this year with some members of Manchester Grey Hats. We managed to complete five of the challenges in total, which ranked ...

SkyTower CTF Walkthrough

7 minute read

Service Discovery: A port scan using Nmap [nmap -sS -sV -sC 10.2.0.104] showed three services running on the host machine:

Vulnix CTF Walkthrough

4 minute read

Service Discovery & Enumeration: Nmap [nmap -sS -sV -sC 192.168.22.134] revealed a number of different services for this box, offering a lot of potential ...

/dev/random: scream CTF Walkthrough

8 minute read

The version of war-ftpd that was running seemed to be vulnerable to a buffer overflow (http://www.securityfocus.com/bid/22944/info), but some manual attempts...

VulnOS 2 CTF Walkthrough

4 minute read

Service Discovery: A full port scan using masscan (masscan -p 0-65535 10.2.0.104 --rate=500) revealed three open ports: 22, 80 and 6667. Nmap subsequently fin...

Stapler CTF Walkthrough

15 minute read

Service Discovery: Running a port scan of the top 1000 ports using Nmap (nmap -sS -sV -sC -vv 10.2.0.104) revealed that the machine has a number of different ...

Kioptrix Level 4 CTF Walkthrough

7 minute read

Service Discovery: Running Nmap (nmap -sS -sV -Pn -vv -T4 10.2.0.104) revealed that SSH, Apache and Samba are all running on the host:

Kioptrix Level 3 CTF Walkthrough

4 minute read

Exploiting the Web Server: Running Nmap (nmap -sS -sV -Pn -T4 -vv 192.168.22.131) showed that only two services seemed to be exposed on this machine (SSH and ...

Kioptrix Level 2 CTF Walkthrough

3 minute read

Service Discovery & Authentication Bypass: An Nmap scan [nmap -sS -sV -T4 -Pn -vv 192.168.22.130] revealed a number of different services running on the m...

Kioptrix Level 1 CTF Walkthrough

3 minute read

Service Discovery: An Nmap scan [nmap -sS -sV -T4 -vv 192.168.22.128] revealed that the machine had a number of services running, most notably an old version ...

FristiLeaks CTF Walkthrough

5 minute read

FristiLeaks is a VM created by Ar0xA and has a difficulty rating of “basic”. The goal is to get root access and read the flag file.

Super Mario Host CTF Walkthrough

30 minute read

Super Mario Host is an SMB themed CTF created by mr_h4sh. The goal of the CTF is to discover the two hidden flags and to find the passwords of all the charac...

How I Hacked Bobby

11 minute read

The Bobby CTF is based on a Windows XP Pro SP3 VM with the objective of retrieving the flag found somewhere within the administrator’s personal folder.

How I Hacked Billu B0x

13 minute read

Host & Service Discovery: To start my analysis of this CTF, I booted into Kali and started Metasploit [msfconsole] and ran an Nmap SYN scan to locate the ...

How I Hacked Mr. Robot (CTF Walkthrough)

9 minute read

After hearing that someone had created a Mr. Robot themed CTF, I needed to see this. As the author describes, there isn’t anything overly difficult with this...


walkthrough

HackTheBox Node Walkthrough

12 minute read

Overview: Node is a machine focused around some of the newer technologies being utilised within web development; specifically Node.js, Express.js and mongodb....

SkyTower CTF Walkthrough

7 minute read

Service Discovery: A port scan using Nmap [nmap -sS -sV -sC 10.2.0.104] showed three services running on the host machine:

Vulnix CTF Walkthrough

4 minute read

Service Discovery & Enumeration: Nmap [nmap -sS -sV -sC 192.168.22.134] revealed a number of different services for this box, offering a lot of potential ...

/dev/random: scream CTF Walkthrough

8 minute read

The version of war-ftpd that was running seemed to be vulnerable to a buffer overflow (http://www.securityfocus.com/bid/22944/info), but some manual attempts...

VulnOS 2 CTF Walkthrough

4 minute read

Service Discovery: A full port scan using masscan (masscan -p 0-65535 10.2.0.104 --rate=500) revealed three open ports: 22, 80 and 6667. Nmap subsequently fin...

Stapler CTF Walkthrough

15 minute read

Service Discovery: Running a port scan of the top 1000 ports using Nmap (nmap -sS -sV -sC -vv 10.2.0.104) revealed that the machine has a number of different ...

Kioptrix Level 4 CTF Walkthrough

7 minute read

Service Discovery: Running Nmap (nmap -sS -sV -Pn -vv -T4 10.2.0.104) revealed that SSH, Apache and Samba are all running on the host:

Kioptrix Level 3 CTF Walkthrough

4 minute read

Exploiting the Web Server: Running Nmap (nmap -sS -sV -Pn -T4 -vv 192.168.22.131) showed that only two services seemed to be exposed on this machine (SSH and ...

Kioptrix Level 2 CTF Walkthrough

3 minute read

Service Discovery & Authentication Bypass: An Nmap scan [nmap -sS -sV -T4 -Pn -vv 192.168.22.130] revealed a number of different services running on the m...

Kioptrix Level 1 CTF Walkthrough

3 minute read

Service Discovery: An Nmap scan [nmap -sS -sV -T4 -vv 192.168.22.128] revealed that the machine had a number of services running, most notably an old version ...

FristiLeaks CTF Walkthrough

5 minute read

FristiLeaks is a VM created by Ar0xA and has a difficulty rating of “basic”. The goal is to get root access and read the flag file.

Super Mario Host CTF Walkthrough

30 minute read

Super Mario Host is an SMB themed CTF created by mr_h4sh. The goal of the CTF is to discover the two hidden flags and to find the passwords of all the charac...

How I Hacked Bobby

11 minute read

The Bobby CTF is based on a Windows XP Pro SP3 VM with the objective of retrieving the flag found somewhere within the administrator’s personal folder.

How I Hacked Billu B0x

13 minute read

Host & Service Discovery: To start my analysis of this CTF, I booted into Kali and started Metasploit [msfconsole] and ran an Nmap SYN scan to locate the ...

How I Hacked Mr. Robot (CTF Walkthrough)

9 minute read

After hearing that someone had created a Mr. Robot themed CTF, I needed to see this. As the author describes, there isn’t anything overly difficult with this...


hardware

Shrinking Arduino Projects using an ATTiny85

4 minute read

When it comes to creating a more permanent solution for your Arduino prototypes, there’s a good chance that you’ll be looking to reduce the amount of physica...


arduino

Shrinking Arduino Projects using an ATTiny85

4 minute read

When it comes to creating a more permanent solution for your Arduino prototypes, there’s a good chance that you’ll be looking to reduce the amount of physica...


electronics

Shrinking Arduino Projects using an ATTiny85

4 minute read

When it comes to creating a more permanent solution for your Arduino prototypes, there’s a good chance that you’ll be looking to reduce the amount of physica...


shellcoding

Creating Shellcode Crypter

8 minute read

In addition to using encoders to evade AV detection, encryption can also be utilised to beat pattern detection. One of the benefits of encryption over encodi...

Creating Polymorphic Shellcode

3 minute read

Assignment 6 of the SecurityTube Linux Assembly Expert Certification consists of taking three shellcode samples from shell-storm.org and creating polymorphic...

Analysing Msfvenom Payloads

19 minute read

This post provides an analysis of three different payloads generated using msfvenom that target the Linux x86 platform:

Creating a Custom Shellcode Encoder

9 minute read

A common virus-detection evasion technique when deploying malicious payloads onto a system is to encode the payload in order to obfuscate the shellcode. As p...

Creating an Egg Hunter

8 minute read

When exploiting overflows that allow code execution, there is nearly always a limit on how much code can be passed to the application. In some cases, this limi...

Creating a Reverse TCP Shellcode

7 minute read

Reverse TCP shells are similar to bind shells, in that they allow shell access over a network. The key difference is that a bind shell will listen on the rem...

Creating a Bind Shell TCP Shellcode

12 minute read

“Bind shells” are used to spawn a shell on a remote system and provide access to it over a network. At minimum, a bind shell would need to carry out the foll...


linux

Automating Ghost Updates

1 minute read

I’ve been using the Ghost platform for some time now and it is without doubt my favourite. One thing, however, that has been somewhat of a pain, is the lack...


android

Scanning Barcodes w/ Panasonic FZ-N1

1 minute read

Reading barcodes in Android from the Panasonic FZ-N1 barcode scanner is natively achievable via the dispatchKeyEvent method within an Activity.

Removing “OK, Google” Text in Android Wear

less than 1 minute read

If like me, you’ve updated to the latest version of Android Wear on your smart watch, you may now be seeing the “OK, Google” text awkwardly placed over your ...

Cross-fading Views in Android

2 minute read

A new Android app I have recently been working on needed sprucing up a little bit yesterday and I’ve always found cross-fading between loading screens to be ...


windows

From LFI to SQL Database Backup

8 minute read

When exploiting local file inclusion vulnerabilities on a host that does not adhere to The Principle of Least Privilege, a common file to target is the SAM f...


ubuntu


write-ups

ASIS CTF Finals 2017 Write Up

7 minute read

I took part in the ASIS CTF finals this year with some members of Manchester Grey Hats. We managed to complete five of the challenges in total, which ranked ...


crypto


xna


ruby


software

What’s New in WPXF 1.6.1

3 minute read

This is the first time I have written a blog post regarding WordPress Exploit Framework. I’ve never felt the need to write one yet, but given some of the cha...


macos
