Offsec’s PEN-300 course: becoming an OSEP / OSEP Review 2023

Introduction

This post is intended as a general guideline and a collection of useful resources for anyone looking to take OffSec’s PEN-300 course and obtain the OSEP certification. The course has been a wealth of information, and I strongly advise anyone interested to look at the PEN-300 course syllabus. It mostly covers penetration testing against a more hardened, modern network environment, including modern AV solutions and additional access controls. One of the most important aspects of the course is its strong focus on penetration testing against an Active Directory environment.


ASM Polymorphic shellcode (SLAE x86 Assignment #6)

Introduction

This is assignment #6 of the SLAE x86 Exam objectives.

Objectives

  • Take up 3 shellcodes from Shell-Storm and create polymorphic versions of them to beat pattern matching
  • The polymorphic versions cannot be larger than 150% of the existing shellcode
    • Bonus points for making it shorter in length than original

ASM Shellcode analysis (SLAE x86 Assignment #5)

Introduction

This is assignment #5 of the SLAE x86 Exam objectives.

Objectives

  • Take up at least 3 shellcode samples created using msfvenom for linux/x86
  • Use GDB/Ndisasm/Libemu to dissect the functionality of the shellcode
  • Present your analysis

ASM Encoder (SLAE x86 Assignment #4)

Introduction

This is assignment #4 of the SLAE x86 Exam objectives.

Objectives

  • Create a custom encoding scheme like the “Insertion Encoder” we showed you
  • PoC using execve-stack as the shellcode to encode with your scheme and execute

Notice

At the time of writing this I already had a shellcode published on packetstorm and exploit-db which could serve as a solution to the exercise, but for completeness of this blog post and to avoid explaining the fstenv technique for clarity purposes.


ASM Egghunter (SLAE x86 Assignment #3)

Introduction

This is assignment #3 of the SLAE x86 Exam objectives.

Objectives

  • Study about the Egg Hunter shellcode
  • Create a working demo of the Egghunter
  • Should be configurable for different payloads

ASM TCP Reverse Shell (SLAE x86 Assignment #2)

Introduction

This is assignment #2 of the SLAE x86 Exam objectives.

Objectives

  • Create a Shell_Reverse_TCP shellcode
    • Reverse connects to configured IP and port
    • Execs Shell on successful connection
  • IP and Port number should be easily configurable

Keeping progress of huge wordlists with fuzzing tools like wfuzz, THC Hydra & Patator using tcpdump and grep

Introduction

One of the non-trivial tasks when dealing with bulky wordlists like rockyou.txt is that tools either cannot handle them, or the ones that can usually do not have a progress bar to show how far through the wordlist they are.

In this post I’ll provide some quick copy-paste one-liners and explain the methodology for implementing an improvised progress tracker with tools like hydra, wfuzz and patator. In my example I will be using patator, as it has no limitation on resources and I like to use it when I need to go above 100 threads (for reference, hydra supports up to 64).


C: changing shellcode bytes at the middle (or at shellcode offset)

The Problem

While writing a bindshell shellcode for SLAE32 course Assignment #1, which will be described in detail in another blog post, I ran into an interesting issue while coding the C program. The exercise required some flexibility in passing the port as an argument, and the problem was that there is no direct way to alter those 2 bytes of the shellcode in C. So if you are looking for a way to change some bytes in the middle, or at a given offset, of your shellcode, the solution follows below.
