This post serves as a general guideline and collects some useful resources for others who are looking to take Offsec's PEN-300 course and earn the OSEP certification. The course has been a wealth of information, and I strongly advise anyone interested to look at the PEN-300 syllabus. It mostly covers penetration testing against a more hardened, modern network environment, one that includes modern AV solutions and additional access controls. One of the most important aspects of the course is its strong focus on penetration testing against an Active Directory environment.
Continue reading "Offsec's PEN-300 course: becoming an OSEP / OSEP Review 2023"
This is assignment #7 of the SLAE x86 Exam objectives.
- Create a custom crypter like the one shown in the “crypters” video
- Free to use any existing encryption schema
- Can use any programming language
This is assignment #6 of the SLAE x86 Exam objectives.
- Take up 3 shellcodes from Shell-Storm and create polymorphic versions of them to beat pattern matching
- The polymorphic versions cannot be larger than 150% of the existing shellcode
- Bonus points for making it shorter in length than original
This is assignment #5 of the SLAE x86 Exam objectives.
- Take up at least 3 shellcode samples created using msfvenom for linux/x86
- Use GDB/Ndisasm/Libemu to dissect the functionality of the shellcode
- Present your analysis
This is assignment #4 of the SLAE x86 Exam objectives.
- Create a custom encoding scheme like the “Insertion Encoder” we showed you
- PoC with using execve-stack as the shellcode to encode with your schema and execute
At the time of writing this I already had a shellcode published on packetstorm and exploit-db which could serve as a solution to the exercise, but for completeness of this blog post and to avoid explaining the fstenv technique for clarity purposes.
Continue reading "ASM Encoder (SLAE x86 Assignment #4)"
This is assignment #3 of the SLAE x86 Exam objectives.
- Study about the Egg Hunter shellcode
- Create a working demo of the Egghunter
- Should be configurable for different payloads
This is assignment #2 of the SLAE x86 Exam objectives.
- Create a Shell_Reverse_TCP shellcode
- Reverse connects to configured IP and port
- Execs Shell on successful connection
- IP and Port number should be easily configurable
This is assignment #1 of the SLAE x86 Exam objectives.
- Create a Shell_Bind_TCP shellcode
- Binds to a port
- Execs Shell on incoming connection
- Port number should be easily configurable
One of the non-trivial tasks when dealing with bulky wordlists like rockyou.txt is that tools either cannot handle them or, when they can, usually lack a progress bar to show how far through the wordlist they are.
In this post I'll provide some quick copy-paste one-liners and explain the methodology for implementing an improvised progress tracker with tools like hydra, wfuzz and patator. In my example I will be using patator, as it has no limitation on resources and I like to use it when I need to go > 100 threads (for reference, hydra supports up to 64).
Continue reading "Keeping progress of huge wordlists with fuzzing tools like wfuzz, THC Hydra & Patator using tcpdump and grep"
While writing a bindshell shellcode for the SLAE32 course Assignment #1, which will be described in detail in another blog post, I ran into an interesting issue while coding the C program. The exercise required some flexibility in passing the port as an argument, but there is no direct way to alter the 2 bytes of the port inside the shellcode in C. So if you are looking for a way to change some bytes in the middle of, or at an offset into, your shellcode, the solution follows below.