Rennitbaby – WindowsTechs.com

SUID Priv Escalation – LD_LIBRARY_PATH versus ldconfig and /etc/ld.so.conf

Posted on June 25, 2021 by Rennitbaby

Background
Currently doing some vulnservers on Offensive Security’s Proving Grounds Practice Labs. A vulnserver is a machine configured with vulnerabilities for testing/audit and research purposes.
I came across a machine that had a cronjo… Continue reading SUID Priv Escalation – LD_LIBRARY_PATH versus ldconfig and /etc/ld.so.conf→

Posted on April 8, 2021 by Rennitbaby

Background
When using most brute-force tools, there is usually an option to set thread count. What is the maximum thread count we can set in those programs. Say gobuster a directory buster based in go
Question
What determines the maximum t… Continue reading What determines maximum thread-count when using Bruteforce programs?→

Posted on January 21, 2021 by Rennitbaby

Background
Currently prepping for OSCP, and taking Tib3rius’s course on Linux Privilege Escalation.
When working with one of the exercises in privilege escalating by enumerating and exploiting vulnerable SUID/SGID programs. The instructor … Continue reading Privilege Escalation – SHELLOPTS and PS4 exploitable conditions→

Posted on October 9, 2020 by Rennitbaby

Background
In practicing pentesting a VM on Vulnhub I encountered an issue that is quite interesting with Brainpan. After initial access with a limited shell generated from a BoF exploit on a service running on port 9999, I did some basic … Continue reading Bash – SUID Program’s Child Process did not inherit Parent Process UID as EUID→

Posted on April 11, 2020 by Rennitbaby

For Example

Is it safer to do:

$ sudo [cmd] [args] [enter user password]

$ su – [enter root password]
# [cmd] [args]

I always assumed they are the exact same thing, because sudo utilizes setuid-root, so the process that is … Continue reading Does sudo ever de-escalate privilege while the program/command/service is running?→

Posted on January 15, 2020 by Rennitbaby

I am going through a few tutorial lessons on DVWA in order to reinforce web security concepts. (security setting = low)

At the link below, we are trying to do the following (starting at section 11):

Posted on November 14, 2019 by Rennitbaby

Does the metasploit module: exploit/multi/handler

sends payloads to stagers?
Or does it just listens for an incoming connection like a netcat
listener?
Or does it do both, as needed?

Posted on September 21, 2018 by Rennitbaby

Background:

First time user of libemu for shellcode detection and emulation, I was only able to find a few and limited resources on the web.

Used a simple loader shellcode to test, and the two instruction (pop ecx and ret)… Continue reading Lib Emu – how to simulate dummy input data/network data→

Posted on May 31, 2018 by Rennitbaby

Background:

Writing a proof of concept of a twitter C&C inspired by Prof Viviek of SPSE similiar to twittor and the project includes a functionality of injecting shellcode and executing it within the python’s program. However I wante… Continue reading Python – ctypes.cast function call outputs Segmentation Fault error message→

Posted on April 13, 2018 by Rennitbaby

Running a SEH BoF exploit script that contains a payload that is generated from msfvenom as such:

msfvenom –payload windows/shell/bind_tcp –format py –arch x86 –platform windows –bad-chars “\x00\x20” EXITFUNC=seh