burp suite idor - autorize


shellcode encoding and decoding - sometimes you need to avoid bytes like \0 (a C string terminator, so a copy via strcpy-style functions would cut the payload short). https://www.ired.team/offensive-security/code-injection-process-injection/writing-custom-shellcode-encoders-and-decoders Shellcode generators. What do they do? shellcode database

google dorking Like using google with special commands? Why “dork”? shodan

nmap -A -T4. OS detection

p0f - passive sniffing. fingerprinting

malware reversing class; LiveOverflow (YouTube); exploit education; ROP Emporium

yara - patterns to recognize malware. Byte level patterns? Sigma snort

SIEM, IDS - intrusion detection systems https://en.wikipedia.org/wiki/Intrusion_detection_system

shellcode encoder/decoder/generator https://www.msreverseengineering.com/blog/2017/7/15/the-synesthesia-shellcode-generator-code-release-and-future-directions synesthesia

FLIRT https://github.com/avast/retdec

relative disassembler performance

https://github.com/grimm-co/NotQuite0DayFriday exploit examples

Gray Hat Hacking, The Shellcoder's Handbook, Attacking Network Protocols, Implementing Effective Code Review


Hacking:
 - http://langsec.org/papers/Bratus.pdf - Sergey Bratus, weird machines paper
 - Smashing the Stack for Fun and Profit - stacks are no longer executable
 - return-to-libc https://en.wikipedia.org/wiki/Return-to-libc_attack - libc is very common and you can weave together libc calls. "Solar Designer"
 - https://acmccs.github.io/papers/geometry-ccs07.pdf - The Geometry of Innocent Flesh on the Bone. ROP
 - http://phrack.org/issues/61/6.html - advanced Doug Lea malloc hacking
 - https://github.com/sashs/Ropper https://github.com/sashs/filebytes
 - http://www.capstone-engine.org/ - disassembler. converse of key
 - conferences: Black Hat, DEF CON, BlueHat, CCC, BSides https://en.wikipedia.org/wiki/Security_BSides
 - CTF; Project Zero; Kaspersky blog https://usa.kaspersky.com/blog/
 - Spectre/Meltdown https://www.youtube.com/watch?v=b7urNgLPJiQ&ab_channel=PinkDraconian

return oriented programming sounds like my backwards pass. Huh.


https://milianw.de/blog/heaptrack-a-heap-memory-profiler-for-linux.html - heaptrack, a heap memory profiler for Linux. Also valgrind massif and perf-mem

Digital forensics

radare2, a binary analysis thingo. rax is useful for conversion of hex

binary ninja






Maybe we should get a docker of all sorts of tools. Kali Linux? https://github.com/zardus/ctf-tools

klee, afl, other fuzzers? valgrind




https://quipqiup.com/ - solve substitution ciphers

https://github.com/openwall/john john the ripper. Brute force password cracker


Best CTFs. I probably don’t want the most prestigious ones? They’ll be too high level? I want the simple stuff

https://ctf101.org/ - check out the heap exploitation github thing


advanced Doug Lea malloc - Phrack post


metasploit, pacu - aws, cobalt strike

and the pwn category of ctf

ROP, JOP, SROP, BOP (block oriented)

return 2 libc - a subset of rop?


ryan chapman syscall



privilege escalation - getuid, effective id. A process inherits its user and group from the parent process. Switching to the user resets the setuid bit. Sticky bits. The id command shows uid/gid.

shellcode - binary that launches the shell: system call execve("/bin/sh", NULL, NULL) - args and env params

intel vs at&t syntax. Load up addresses/constants in the binary with .string. gcc -static -nostdlib; objcopy --dump-section .text=outfile. Exiting cleanly is smart: it helps you know what is screwing up. ldd

Trying out shellcode: mmap, mprotect? read() into the buffer, then deref a function pointer

gdb:
 - x for eXamine, e.g. x $rsi
 - x/5i $rip gives assembly
 - x/gx
 - break *0x040404
 - n = next, s = step, ni/si = step by instruction

strace is useful first debugging


system calls: set rax to the syscall number, put the arguments in registers, then execute the syscall instruction. https://blog.rchapman.org/posts/Linux_System_Call_Table_for_x86_64/ man pages, strace

  • fork
  • execve
  • read
  • write
  • wait
  • brk - program break. Changes the size of the data segment; sbrk moves it by increments, and sbrk(0) returns the current address of the break
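The syscalls listed above exercised from C, as an added example of mine (not pwn.college's code): write(2) issued through the generic `syscall()` entry rather than the libc wrapper, the program break moved with `sbrk`, and the fork/execve/wait trio with the exit status read back. The `run_sh_exit` helper is my own naming, and the assumption that `/bin/sh` exists is a Linux/Unix one; the `-1` path in `brk_grow` covers libcs such as musl whose `sbrk` only supports an increment of 0.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <sys/wait.h>

/* write(2) issued through syscall(): the number goes in rax, the arguments in
 * rdi, rsi, rdx, then the syscall instruction runs. Result comes back in rax. */
long raw_write(int fd, const char *buf, size_t len) {
    return syscall(SYS_write, fd, buf, len);
}

/* The program break: sbrk(0) reports where the data segment currently ends,
 * sbrk(n) asks the kernel (via brk) to move it by n bytes. Returns how far the
 * break actually moved, or -1 if the C library refuses to grow it this way. */
long brk_grow(long n) {
    uintptr_t before = (uintptr_t)sbrk(0);
    if (sbrk(n) == (void *)-1) return -1;
    uintptr_t after = (uintptr_t)sbrk(0);
    return (long)(after - before);
}

/* fork + execve + wait: the child replaces itself with /bin/sh running
 * "exit <code>", the parent waits and returns the child's exit status.
 * Returns -1 on fork/wait failure or if the child died from a signal. */
int run_sh_exit(int code) {
    char cmd[32];
    snprintf(cmd, sizeof cmd, "exit %d", code);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *argv[] = { "sh", "-c", cmd, NULL };
        char *envp[] = { NULL };
        execve("/bin/sh", argv, envp);
        _exit(127);                       /* only reached if execve failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    const char msg[] = "hello from the raw write syscall\n";
    raw_write(1, msg, sizeof msg - 1);
    printf("brk moved by %ld bytes\n", brk_grow(4096));
    printf("child exited with %d\n", run_sh_exit(3));
    return 0;
}
```

Running it under `strace -f ./a.out` shows exactly the five calls from the list above (plus brk) with their arguments and return values, which is the quickest way to check that the register setup matches the table.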

stack: rbp, rsp. The stack grows down (addresses decreasing): rsp + 0x8 is on the stack, rbp - 8 is on the stack. Most systems are little endian. Calling convention: arguments in rdi, rsi, rdx, rcx, r8, r9; return value in rax; rbx, rbp, r12, r13, r14, r15 are callee saved, i.e. guaranteed not to be smashed across a call.
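Three of the claims above checked at runtime, as an added example written by me rather than taken from the notes or pwn.college: byte order, the direction frames are pushed, and how an 8-byte stack slot reassembles from the bytes `x/8xb` would print. The `sample_slot` bytes are constructed, and the `noinline` attribute is a GCC/Clang extension assumed to be available so the callee really gets its own frame.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 1 if the least significant byte is stored first (x86-64 and AArch64 are). */
int is_little_endian(void) {
    uint32_t v = 0x11223344;
    uint8_t first;
    memcpy(&first, &v, 1);
    return first == 0x44;
}

/* A callee with a real frame of its own (noinline). Returns 1 if one of its
 * locals sits below the caller's local, i.e. the call pushed the frame down. */
__attribute__((noinline)) int callee_is_below(uintptr_t caller_addr) {
    volatile int local = 0;
    return (uintptr_t)&local < caller_addr;
}

/* 1 if the stack grows toward lower addresses: rsp + 8 then reaches into the
 * frame above, rbp - 8 into the current one. */
int stack_grows_down(void) {
    volatile int caller_local = 0;
    return callee_is_below((uintptr_t)&caller_local);
}

/* Reassemble one 8-byte stack slot from its little-endian bytes, the way
 * gdb's x/gx shows it: the first byte in memory is the lowest-order byte. */
uint64_t qword_from_slot(const uint8_t slot[8]) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | slot[i];
    return v;
}

/* Constructed sample: the bytes x/8xb would print for a slot holding
 * 0x00000000deadbeef. */
const uint8_t sample_slot[8] = { 0xef, 0xbe, 0xad, 0xde, 0x00, 0x00, 0x00, 0x00 };

int main(void) {
    printf("little endian: %d\n", is_little_endian());
    printf("stack grows down: %d\n", stack_grows_down());
    printf("slot value: 0x%llx\n", (unsigned long long)qword_from_slot(sample_slot));
    return 0;
}
```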

http://ref.x86asm.net/coder64.html opcode listing https://github.com/yrp604/rappel - assembly repl https://github.com/zardus/ctf-tools

binary files

file - tells info about a file
elf - interpreter
 - sections - text; plt/got resolve and dispatch library calls; data for pre-initialized data; rodata for global read-only data; bss for uninitialized data. Sections are not required to run a binary
 - symbols -
 - segments - where to load

readelf, objdump, nm (reads symbols), patchelf, objcopy, strip, kaitai struct https://www.intezer.com/blog/malware-analysis/executable-linkable-format-101-part-2-symbols/
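A parser for the format just described, added by me as an example (not the notes' or any listed tool's code): it reads an ELF64 header and program headers from a byte buffer with every offset bounds-checked, and it builds a constructed minimal image (header, one PT_LOAD, one byte of code, no section headers) to parse back. The struct layouts are written out instead of taken from `<elf.h>` so the offsets are visible; the `0x400000` load address and the `sample_info*` helper names are my own choices.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ELF64 header and program header, written out instead of pulled from <elf.h>
 * so the byte layout is visible. Both pack with no padding: 64 and 56 bytes. */
typedef struct {
    uint8_t  e_ident[16];
    uint16_t e_type, e_machine;
    uint32_t e_version;
    uint64_t e_entry, e_phoff, e_shoff;
    uint32_t e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} Ehdr64;

typedef struct {
    uint32_t p_type, p_flags;
    uint64_t p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align;
} Phdr64;

enum { ELF_PT_LOAD = 1, ELF_PF_X = 1, ELF_PF_W = 2, ELF_PF_R = 4, ELF_ET_EXEC = 2, ELF_EM_X86_64 = 62 };

typedef struct {
    int ok;                      /* 0 if the image was rejected */
    uint16_t type, machine, phnum, shnum;
    uint64_t entry, load_vaddr, load_filesz;
    uint32_t load_flags;         /* PF_R|PF_W|PF_X of the first PT_LOAD */
} ElfInfo;

/* Parse an ELF64 little-endian image held in memory, bounds-checking every
 * offset before trusting it (the headers come from the file, not from us). */
ElfInfo parse_elf64(const uint8_t *img, size_t len) {
    ElfInfo info;
    memset(&info, 0, sizeof info);
    Ehdr64 eh;
    if (len < sizeof eh) return info;
    memcpy(&eh, img, sizeof eh);
    if (memcmp(eh.e_ident, "\x7f" "ELF", 4) != 0) return info;   /* magic */
    if (eh.e_ident[4] != 2 || eh.e_ident[5] != 1) return info;   /* ELFCLASS64, little-endian */
    if (eh.e_phentsize != sizeof(Phdr64)) return info;
    if (eh.e_phoff > len || (uint64_t)eh.e_phnum * sizeof(Phdr64) > len - eh.e_phoff) return info;
    info.type = eh.e_type;   info.machine = eh.e_machine;
    info.phnum = eh.e_phnum; info.shnum = eh.e_shnum;
    info.entry = eh.e_entry;
    for (uint16_t i = 0; i < eh.e_phnum; i++) {
        Phdr64 ph;
        memcpy(&ph, img + eh.e_phoff + (size_t)i * sizeof ph, sizeof ph);
        if (ph.p_type != ELF_PT_LOAD) continue;
        if (ph.p_offset > len || ph.p_filesz > len - ph.p_offset) return info;
        info.load_vaddr = ph.p_vaddr;
        info.load_filesz = ph.p_filesz;
        info.load_flags = ph.p_flags;
        break;
    }
    info.ok = 1;
    return info;
}

/* Constructed sample: the smallest layout the loader needs, a header plus one
 * PT_LOAD covering itself and one byte of code (a ret), with e_shnum = 0.
 * Returns the image length written into out, or 0 if cap is too small. */
size_t build_sample_elf(uint8_t *out, size_t cap) {
    Ehdr64 eh; Phdr64 ph;
    memset(&eh, 0, sizeof eh); memset(&ph, 0, sizeof ph);
    const size_t code_off = sizeof eh + sizeof ph;   /* 120 */
    const uint8_t code[1] = { 0xc3 };
    if (cap < code_off + sizeof code) return 0;
    memcpy(eh.e_ident, "\x7f" "ELF\x02\x01\x01", 7);  /* magic, 64-bit, LE, version 1 */
    eh.e_type = ELF_ET_EXEC; eh.e_machine = ELF_EM_X86_64; eh.e_version = 1;
    eh.e_entry = 0x400000 + code_off; eh.e_phoff = sizeof eh;
    eh.e_ehsize = sizeof eh; eh.e_phentsize = sizeof ph; eh.e_phnum = 1;
    ph.p_type = ELF_PT_LOAD; ph.p_flags = ELF_PF_R | ELF_PF_X;
    ph.p_vaddr = ph.p_paddr = 0x400000;
    ph.p_filesz = ph.p_memsz = code_off + sizeof code; ph.p_align = 0x1000;
    memcpy(out, &eh, sizeof eh);
    memcpy(out + sizeof eh, &ph, sizeof ph);
    memcpy(out + code_off, code, sizeof code);
    return code_off + sizeof code;
}

/* Build the sample and parse back only its first len bytes, so the bounds
 * checks can be seen firing on a truncated file. */
ElfInfo sample_info_prefix(size_t len) {
    uint8_t img[256];
    size_t n = build_sample_elf(img, sizeof img);
    return parse_elf64(img, len < n ? len : n);
}

ElfInfo sample_info(void) { return sample_info_prefix(256); }

int main(void) {
    ElfInfo i = sample_info();
    printf("ok=%d type=%u machine=%u entry=0x%llx phnum=%u shnum=%u load@0x%llx flags=%u\n",
           i.ok, i.type, i.machine, (unsigned long long)i.entry, i.phnum, i.shnum,
           (unsigned long long)i.load_vaddr, i.load_flags);
    return 0;
}
```

The same fields are what `readelf -h` and `readelf -l` print; the point of the truncation check is that a program header table or segment that runs past the end of the file must be rejected, not read.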

process loading

https://0xax.gitbooks.io/linux-insides/content/SysCall/linux-syscall-4.html what to load: look for #! or the ELF magic. /proc/sys/fs/binfmt_misc can match a string there. If dynamically linked, hand off to the ELF-defined interpreter.

Then it's onto ld probably. Search order: LD_PRELOAD, LD_LIBRARY_PATH, DT_RUNPATH in the binary file, system-wide /etc/ld.so.conf, /lib and /usr/lib. Relocations updated. /proc/self/maps https://gist.github.com/CMCDragonkai/10ab53654b2aa6ce55c11cfc5b2432a4 libc is almost always linked: printf, scanf, socket, atoi, malloc, free



ASLR - addresses are randomized. cat /proc/self/maps to look at what actually loaded; also ldd shows where libraries get loaded in memory. Stack canaries - set once per binary run, so with forking you can brute force them, or maybe leak them?

checksec tells you about which things are enabled.

gcc options: -no-pie, -fno-stack-protector


attaching gdb to a process is really useful. Cyclic bytes let you localize what ends up where in a buffer overflow, for example with cyclic_find
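The cyclic pattern idea implemented from scratch, as an added example of mine (not pwntools' or pwn.college's code): `cyclic` emits a prefix of the de Bruijn sequence B(26,4) via the FKM (Fredricksen-Kessler-Maiorana) recursion, so every 4-byte window occurs at exactly one offset, and `cyclic_find` maps 4 bytes read back from a register in a crash dump to that offset, which is what lets you triage which input bytes landed where. The 200-byte `demo_offset` buffer and the function names are my own, chosen to mirror the pwntools names the notes mention.

```c
#include <stdio.h>
#include <string.h>

#define CYC_K 26          /* alphabet size: 'a'..'z' */
#define CYC_N 4           /* window size: 4 bytes still shows up on a partial overwrite */

static char *cyc_out; static size_t cyc_len, cyc_cap;
static int cyc_digit[CYC_N + 1];

/* FKM recursion producing the de Bruijn sequence B(CYC_K, CYC_N); output stops
 * silently once the caller's buffer is full. */
static void cyc_db(int t, int p) {
    if (t > CYC_N) {
        if (CYC_N % p == 0)
            for (int j = 1; j <= p && cyc_len < cyc_cap; j++)
                cyc_out[cyc_len++] = (char)('a' + cyc_digit[j]);
    } else {
        cyc_digit[t] = cyc_digit[t - p];
        cyc_db(t + 1, p);
        for (int j = cyc_digit[t - p] + 1; j < CYC_K; j++) {
            cyc_digit[t] = j;
            cyc_db(t + 1, t);
        }
    }
}

/* Fill buf with the first len bytes of B(26,4): every 4-byte window occurs at
 * exactly one offset. Returns the number of bytes written. */
size_t cyclic(char *buf, size_t len) {
    cyc_out = buf; cyc_len = 0; cyc_cap = len;
    memset(cyc_digit, 0, sizeof cyc_digit);
    cyc_db(1, 1);
    return cyc_len;
}

/* Offset at which the 4-byte chunk appears in the pattern, or -1 if absent. */
long cyclic_find(const char *buf, size_t len, const char *chunk) {
    for (size_t i = 0; i + CYC_N <= len; i++)
        if (memcmp(buf + i, chunk, CYC_N) == 0) return (long)i;
    return -1;
}

/* Constructed demo: a 200-byte pattern and the lookup of a chunk, the value
 * you would copy out of the register gdb shows at the crash. */
long demo_offset(const char *chunk) {
    static char pat[200];
    size_t n = cyclic(pat, sizeof pat);
    return cyclic_find(pat, n, chunk);
}

int main(void) {
    char pat[64];
    size_t n = cyclic(pat, sizeof pat);
    printf("%.*s\n", (int)n, pat);
    printf("offset of \"aaac\": %ld\n", demo_offset("aaac"));
    return 0;
}
```

Because a register holds 8 bytes on x86-64, take the low 4 bytes of the value gdb prints (little endian, so the first 4 in memory) before looking them up; the sequence starts "aaaabaaacaaad...", so "aaac" is at offset 5.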

Examples from pwn.college