<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>archivist&#39;s blog</title>
    <link>https://legiahuyy.github.io/blog/en/</link>
    <description>Recent content on archivist&#39;s blog</description>
    <generator>Hugo -- gohugo.io</generator>
    <language>en</language>
    <lastBuildDate>Fri, 22 Dec 2023 09:30:00 +1345</lastBuildDate>
    <atom:link href="https://legiahuyy.github.io/blog/en/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>RAII and locks in kernel</title>
      <link>https://legiahuyy.github.io/blog/en/posts/2023-12-22-001/</link>
      <pubDate>Fri, 22 Dec 2023 09:30:00 +1345</pubDate>
      <guid>https://legiahuyy.github.io/blog/en/posts/2023-12-22-001/</guid>
      <description>C was the only go-to programming language when you entered the kernel realm, see that I specifically used was and not has been? It is now time to switch out that old, (t)rusty C11 for a newer, more futuristic C++17 standard and start playing with those sweet, sweet, juicy std::vector, std::string, std::tuple you all deserve like a good boy! Sorry, I was just messing around, no way that can be happening this soon, not at least a few centuries decades to come, and actually I know some people would even threaten you if they were to see those quirky lambdas in your driver code.</description>
    </item>
    <item>
      <title>Burnt out</title>
      <link>https://legiahuyy.github.io/blog/en/posts/2023-12-06-burnt-out/</link>
      <pubDate>Wed, 06 Dec 2023 09:30:00 +1345</pubDate>
      <guid>https://legiahuyy.github.io/blog/en/posts/2023-12-06-burnt-out/</guid>
      <description>It must have been more than a year and a half since my last post on this site. A lot of things have changed during my absence: I got a job, and it has been pretty good so far, at least. It&amp;rsquo;s not like there is something wrong with my life at the moment; you just get a little burnt out, but sooner or later, things will get back on track again&amp;hellip; or that&amp;rsquo;s just what other people, and even I, thought.</description>
    </item>
    <item>
      <title>Pwnable.tw: orw</title>
      <link>https://legiahuyy.github.io/blog/en/posts/2022-05-07/</link>
      <pubDate>Sat, 07 May 2022 09:30:00 +1345</pubDate>
      <guid>https://legiahuyy.github.io/blog/en/posts/2022-05-07/</guid>
      <description>Let&amp;rsquo;s have a quick and succinct write-up for orw - a challenge at pwnable.tw.&#xA;Footprinting Initially, we want to check the file for any notable properties (PIE, Canary, RELRO, etc.).&#xA;Based on the output above, there are no protection bits enabled within the binary (except for the canary, but it does not interfere with our payload afterwards), and therefore it is presumably quite simple, as expected for a 100pts challenge.</description>
    </item>
    <item>
      <title>HackTheBox: Secret</title>
      <link>https://legiahuyy.github.io/blog/en/posts/2022-01-13/</link>
      <pubDate>Thu, 13 Jan 2022 09:30:00 +1345</pubDate>
      <guid>https://legiahuyy.github.io/blog/en/posts/2022-01-13/</guid>
      <description>It has been a long time since our last HackTheBox write-up, so today we will get into a two-and-a-half-month-old machine - Secret.&#xA;Enumeration Network scan As usual, nmap should provide us an elaborate report on the target&amp;rsquo;s network.&#xA;┌──(legiahuyy㉿kali)-[~/Desktop/HTB/Boxes/Secret] └─$ nmap -sV -sC 10.10.11.120 -v -oA ./nmap/Secret ┌──(legiahuyy㉿kali)-[~/Desktop/HTB/Boxes/Secret] └─$ cat ./nmap/Secret.nmap # Nmap 7.92 scan initiated Wed Jan 12 21:44:12 2022 as: nmap -sV -sC -v -oA .</description>
    </item>
    <item>
      <title>PWN Journey: Part 2</title>
      <link>https://legiahuyy.github.io/blog/en/posts/2022-01-10-pwn-journey-2/</link>
      <pubDate>Mon, 10 Jan 2022 09:30:00 +1345</pubDate>
      <guid>https://legiahuyy.github.io/blog/en/posts/2022-01-10-pwn-journey-2/</guid>
      <description>In this post, we will solve two pwn challenges from WhiteHat Play!10 and a customized one. We will also delve into details about the most frequently encountered protection bits as well as the bypass method for each.&#xA;Anyway, I hope you have a good time reading.&#xA;WhiteHat Play!10 - pwn01 Goal: Trigger the buffer overflow and call covid19.&#xA;This is an original pwn challenge from the WhiteHat Play!10 Wargame and you can download it here or use this mirror link.</description>
    </item>
    <item>
      <title>PWN Journey: Part 1</title>
      <link>https://legiahuyy.github.io/blog/en/posts/2021-12-29-pwn-journey-1/</link>
      <pubDate>Wed, 29 Dec 2021 09:30:00 +1345</pubDate>
      <guid>https://legiahuyy.github.io/blog/en/posts/2021-12-29-pwn-journey-1/</guid>
      <description>Foreword Greetings, this series of posts delves into a collection of pwnie solutions that I have been poking around for a while and finally have the time to publish, so that I can practice my writing and attempt to share some knowledge in a way that could be helpful to others. Not to mention that I am also a rookie in this field, so take my words with a grain of salt; all critiques/suggestions are welcome.</description>
    </item>
    <item>
      <title>HackTheBox: BountyHunter</title>
      <link>https://legiahuyy.github.io/blog/en/posts/2021-10-03/</link>
      <pubDate>Sun, 03 Oct 2021 09:30:00 +1345</pubDate>
      <guid>https://legiahuyy.github.io/blog/en/posts/2021-10-03/</guid>
      <description>Today, we are delving into BountyHunter as another HackTheBox machine in our sidetrack series.&#xA;I hope you have a nice weekend and without further ado, let us jump right in!&#xA;Enumeration Nmap output ┌──(kali㉿kali)-[~/Desktop/HTB/Boxes/BountyHunter] └─$ cat nmap/BountyHunter.nmap # Nmap 7.91 scan initiated Sat Oct 2 22:12:07 2021 as: nmap -sS -sV -sC -p- -v -oA nmap/BountyHunter 10.10.11.100 Nmap scan report for 10.10.11.100 Host is up (0.048s latency). Not shown: 65533 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.</description>
    </item>
    <item>
      <title>HackTheBox: Cap</title>
      <link>https://legiahuyy.github.io/blog/en/posts/2021-10-01/</link>
      <pubDate>Fri, 01 Oct 2021 09:30:00 +1345</pubDate>
      <guid>https://legiahuyy.github.io/blog/en/posts/2021-10-01/</guid>
      <description>Hello everyone, while preparing chapters of the book Practical Reverse Engineering, I occasionally got bored and wanted to do something else to give my mind a reboot. That is the reason why we are here solving Cap - another HackTheBox easy machine.&#xA;So yeah, hope you enjoy.&#xA;Enumeration As usual, we want to start our enumeration step with nmap.&#xA;┌──(kali㉿kali)-[~/Desktop/HTB/Boxes/Cap] └─$ cat nmap/Cap.nmap # Nmap 7.91 scan initiated Thu Sep 30 21:54:00 2021 as: nmap -sS -sV -sC -p- -oA nmap/Cap 10.</description>
    </item>
    <item>
      <title>HackTheBox: The Notebook</title>
      <link>https://legiahuyy.github.io/blog/en/posts/2021-06-10/</link>
      <pubDate>Thu, 10 Jun 2021 09:30:00 +1345</pubDate>
      <guid>https://legiahuyy.github.io/blog/en/posts/2021-06-10/</guid>
      <description>Welcome back to our usual HackTheBox journey, for today&amp;rsquo;s medium-rated target - The Notebook. In this blog post, we&amp;rsquo;ve managed to alter the client-side JWT cookie, spawn our reverse shell, then proceeded to obtain the user&amp;rsquo;s SSH credentials and, subsequently, be able to privesc via a docker PoC.&#xA;Enumeration The very initial step is to do a network scan using everyone&amp;rsquo;s favorite utility - nmap.&#xA;┌──(kali㉿kali)-[~/HackTheBox/Boxes/TheNotebook] └─$ sudo nmap -sV -sC -sS 10.</description>
    </item>
    <item>
      <title>HackTheBox: Armageddon</title>
      <link>https://legiahuyy.github.io/blog/en/posts/2021-05-28/</link>
      <pubDate>Fri, 28 May 2021 09:30:00 +1345</pubDate>
      <guid>https://legiahuyy.github.io/blog/en/posts/2021-05-28/</guid>
      <description>This is another challenge on HackTheBox - Armageddon. Let&amp;rsquo;s get started.&#xA;Enumeration Nmap We start by enumerating open ports and services on the target machine using nmap:&#xA;┌──(root💀kali)-[/home/kali/HackTheBox/Armageddon] └─# cat nmap/armageddon.nmap # Nmap 7.91 scan initiated Thu May 27 00:25:58 2021 as: nmap -sS -sC -sV -p- -oA nmap/armageddon -v 10.10.10.233 Nmap scan report for 10.10.10.233 Host is up (0.23s latency). Not shown: 65219 closed ports, 314 filtered ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.</description>
    </item>
    <item>
      <title>HackTheBox: Sharp</title>
      <link>https://legiahuyy.github.io/blog/en/posts/2021-05-16/</link>
      <pubDate>Sun, 16 May 2021 09:30:00 +1345</pubDate>
      <guid>https://legiahuyy.github.io/blog/en/posts/2021-05-16/</guid>
      <description>Hi, after a long time of not posting anything on this blog because of my university workload, let&amp;rsquo;s get back to our normal routine of pwning. Today, I will do a writeup of a retired HackTheBox (HTB) machine - Sharp, which is rated 4.8 pts.&#xA;For anyone who doesn&amp;rsquo;t know about HTB, it&amp;rsquo;s an infosec playground with a bunch of virtual machines which are vulnerable to exploitation. HTB, in my point of view, is the most practical cyber security competition, as many certification authorities require completion of HTB-like target machines.</description>
    </item>
    <item>
      <title>KCSC: A simple BOF</title>
      <link>https://legiahuyy.github.io/blog/en/posts/2021-03-28/</link>
      <pubDate>Sun, 28 Mar 2021 09:30:00 +1345</pubDate>
      <guid>https://legiahuyy.github.io/blog/en/posts/2021-03-28/</guid>
      <description>Today we are going to test out Ghidra with one of my university&amp;rsquo;s pwnie challenges.&#xA;Info Value Name pwn1 Type ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 3.2.0 Entropy 3.82492 (not packed) Analyzing Let&amp;rsquo;s load the binary into our disassembler Ghidra and analyze the main function. Take your time to spot the problem in the following code.&#xA;undefined4 main(void) { __uid_t __euid; __uid_t __ruid; char local_4c [40]; int local_24; undefined *local_14; local_14 = &amp;amp;stack0x00000004; local_24 = 0; setbuf(stdout,(char *)0x0); setbuf(stdin,(char *)0x0); setbuf(stderr,(char *)0x0); puts(&amp;#34;This should be an easy BOF!</description>
    </item>
    <item>
      <title>KCSC: LFI/RFI Wrapper</title>
      <link>https://legiahuyy.github.io/blog/en/posts/2021-02-24/</link>
      <pubDate>Wed, 24 Feb 2021 09:30:00 +1345</pubDate>
      <guid>https://legiahuyy.github.io/blog/en/posts/2021-02-24/</guid>
      <description>This is the first iteration of my CTF write-up series for the new year. Today we will be solving one of my university&amp;rsquo;s initial challenges. The task itself is simple, but I want to show you the mindset of how I play the game.&#xA;Fingerprinting Manual testing The absolute first thing I do when encountering any web challenge is to actually visit the webpage and click on everything, fill out every text box.</description>
    </item>
    <item>
      <title></title>
      <link>https://legiahuyy.github.io/blog/en/about/</link>
      <pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
      <guid>https://legiahuyy.github.io/blog/en/about/</guid>
      <description>Entry: #0001-01-01 The blog was originally created for the purpose of learning English during high school years, yet only a few months after enrolling into university did it become a place to share one&amp;rsquo;s knowledge about computer-related topics, mostly about low-level learning and exploitation. Besides focusing on the aforementioned subjects, the blog itself also gradually evolves into a diary, allowing for the occasional posting of rants; nevertheless, the ultimate goal is for both the author and the readers to learn something new.</description>
    </item>
  </channel>
</rss>
