Local Thread Hijacking Inject DLL into Main Thread

This article logs the interesting things that happened when I injected a DLL into the main thread of Notepad.exe. The main thread is the process's initial thread, and in a GUI program like Notepad it is the one running the window message loop, so what happens if I inject a DLL into it? In order to hijack the thread I first have to suspend it. Nothing went…

MITRE Groups Technique Mind Map – ALLANITE

Group Background ALLANITE is suspected to be a Russian threat group focused on espionage activities. Its main targets are the electric utility sectors within the United States and the United Kingdom. The group has not exhibited disruptive or destructive capabilities yet. It maintains a presence in industrial control systems in order to gain persistence. Its techniques resemble those of other groups like…

MITRE Groups Technique Mind Map – Ajax Security Team

Group Background According to MITRE, Ajax Security Team (AST) is a group operating out of Iran. It has shifted from website defacement operations to malware-based cyber espionage campaigns targeting the US defense industrial base and Iranian users of anti-censorship technologies. The group is best known for Operation Saffron Rose. Details can be found here, here…

MITRE Groups Technique Mind Map – admin@338

Group Background According to MITRE, this is a China-based cyber threat group which conducted campaigns against the Hong Kong media industry. Recent Documented Time 2015. Malware Involved Poison Ivy. Poison Ivy (PIVY) is a remote access tool (RAT) that opens a backdoor on the target system and grants adversaries full control, namely: rename, delete or execute files; modify…

Question about Resolving _IMAGE_DATA_DIRECTORY

Two Offsets Both Resolve to _IMAGE_DATA_DIRECTORY. This is the question of the day. Background: To write custom shellcode, break free from tools, and do more, one way is to resolve symbols from kernel32.dll dynamically. To do that, I have to get a reference to the _IMAGE_DATA_DIRECTORY structure, step by step. One of the…
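The walk from the DOS header to the export entry of the data directory, as an added example written for this page (it is not the post's own code). It uses two constructed header images, not a real kernel32.dll, so it runs anywhere; the only part that varies between a 32-bit and a 64-bit module is where IMAGE_OPTIONAL_HEADER places its DataDirectory array (+96 for PE32, +112 for PE32+), which is why the example checks the Magic field instead of hard-coding one offset:

```python
"""Added example (not the post's code): walk a PE header to the export entry of
IMAGE_DATA_DIRECTORY.

The path is DOS header -> e_lfanew -> IMAGE_NT_HEADERS -> IMAGE_FILE_HEADER ->
IMAGE_OPTIONAL_HEADER -> DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]. The only
thing that moves is the optional header layout: PE32 (Magic 0x10B) puts
DataDirectory at +96, PE32+ (Magic 0x20B) at +112. The images used below are
constructed headers, not a real kernel32.dll.
"""
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D          # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550       # "PE\0\0"
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_DIRECTORY_ENTRY_EXPORT = 0
SIZEOF_FILE_HEADER = 20
# Offset of DataDirectory[0] from the start of IMAGE_OPTIONAL_HEADER
DATADIR_OFFSET = {PE32_MAGIC: 96, PE32PLUS_MAGIC: 112}


def u16(b, off): return struct.unpack_from("<H", b, off)[0]
def u32(b, off): return struct.unpack_from("<I", b, off)[0]


def data_directory(image, index=IMAGE_DIRECTORY_ENTRY_EXPORT):
    """Resolve DataDirectory[index] step by step; all offsets are into `image`."""
    if u16(image, 0) != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ signature")
    e_lfanew = u32(image, 0x3C)                        # IMAGE_DOS_HEADER.e_lfanew
    if u32(image, e_lfanew) != IMAGE_NT_SIGNATURE:
        raise ValueError("e_lfanew does not point at PE\\0\\0")
    file_header = e_lfanew + 4                         # IMAGE_NT_HEADERS.FileHeader
    size_of_optional = u16(image, file_header + 16)    # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    optional = file_header + SIZEOF_FILE_HEADER        # IMAGE_NT_HEADERS.OptionalHeader
    magic = u16(image, optional)
    if magic not in DATADIR_OFFSET:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dd_base = optional + DATADIR_OFFSET[magic]
    number_of_rva_and_sizes = u32(image, dd_base - 4)  # field right before the array
    if index >= number_of_rva_and_sizes:
        raise IndexError("DataDirectory[%d] not present" % index)
    entry = dd_base + 8 * index                        # IMAGE_DATA_DIRECTORY = {VirtualAddress, Size}
    if entry + 8 > optional + size_of_optional:
        raise ValueError("DataDirectory entry lies outside the optional header")
    rva, size = struct.unpack_from("<II", image, entry)
    return {
        "magic": magic,
        "entry_offset": entry,                   # offset of the entry in the image
        "from_nt_headers": entry - e_lfanew,     # what shellcode adds to its PE\0\0 pointer
        "rva": rva,                              # add the module base to reach IMAGE_EXPORT_DIRECTORY
        "size": size,
    }


def build_headers(pe32plus, export_rva, export_size, e_lfanew=0x80):
    """Constructed DOS + NT headers containing only the fields the walk above reads."""
    magic = PE32PLUS_MAGIC if pe32plus else PE32_MAGIC
    dd_off = DATADIR_OFFSET[magic]
    size_of_optional = dd_off + 16 * 8               # 16 directory entries
    dos = bytearray(e_lfanew)                        # DOS header plus zeroed stub
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    machine = 0x8664 if pe32plus else 0x14C
    file_header = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, size_of_optional, 0x2002)
    optional = bytearray(size_of_optional)
    struct.pack_into("<H", optional, 0, magic)
    struct.pack_into("<I", optional, dd_off - 4, 16)                    # NumberOfRvaAndSizes
    struct.pack_into("<II", optional, dd_off, export_rva, export_size)  # export entry
    return bytes(dos) + struct.pack("<I", IMAGE_NT_SIGNATURE) + file_header + bytes(optional)


if __name__ == "__main__":
    for plus in (False, True):
        r = data_directory(build_headers(plus, 0x3000, 0x80))
        print("PE32+" if plus else "PE32 ", {k: hex(v) for k, v in r.items()})
```

Headers are mapped unchanged at the module base, so the same offsets apply to a loaded kernel32.dll in memory: take the base from the PEB loader list, read e_lfanew at base+0x3C, and the export entry sits at base + e_lfanew + 0x78 (PE32) or + 0x88 (PE32+). The VirtualAddress found there is an RVA, so it has to be added to the base again before the IMAGE_EXPORT_DIRECTORY can be read.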

Reverse Engineering Preliminary – ASM Instructions

Overview Before diving into reverse engineering, I have to get familiar with some basic assembly instructions. This article notes them down and uses GDB or QEMU to debug them along the way. It serves as an accumulative note, as I will keep adding instructions as I go, and I…

OSWE – A Sad Story

Background: After finishing the OSEP exam on September 4, I wanted to keep the momentum going and take the OSWE as well, so I booked the exam for the 24th. After that I used every spare moment to get through all the material and completed one lab (out of three). OSWE (WEB300) is a course and exam about code auditing. It covers white-box, black-box, remote debugging and various other techniques, and the languages involved include Java, ASP, PHP, JS and Python. A lot of solid content. The exam was at noon today. With identity verification done, I received the VPN pack. Downloaded it, extracted it, and started connecting the VPN to the exam environment. Then the unexpected happened. The VPN connection kept failing with: TLS Handshake Failed. I contacted OffSec support: traffic to port 1194 on the target server was being filtered. My local environment had not changed, so my luck was simply terrible: the server IP happened to be blocked by the Great Firewall. I tried bridging the VM's network and tried running openvpn over another VPN; neither worked. If anyone knows how to handle this situation, please leave a comment and let me know. After two hours of troubleshooting I ran out of options and had no choice but to end the exam. Summary: A reminder for those planning to take the OSWE. I have tested this at my own expense: in mainland China, be careful about enrolling in the WEB300 course. I do not know whether the exam environment will change, so it is best to contact OffSec in advance to confirm. I hope the exam environment does change, because then there is still a chance to take it again. Otherwise this certificate is out of reach. Before booking the next exam I will also email OffSec to confirm. Still, what I learned, I learned; it is just a pity to lose the practice opportunity. KEEP CALM AND HACK AWAY~

Humor Me – RFC 1149 – A Doggerel Poem

Humor Me – A Doggerel Poem. Tired of studying, read an RFC and then go to sleep. RFCs are not all that dry; they can make you laugh too. RFC 1149… GO CHECK IT OUT! THEN LAUGH THE HELL OUT LOUD!

Active Directory 01 – Test Environment Setup

Background: To test various Active Directory exploits more efficiently, I set up a local AD environment. The environment consists of: two forests that trust each other. ECORP.COM -> DEV.ECORP.COM: two domains that trust each other, Windows Server 2019, 2 Domain Controllers (E-RDC01, E-DC02). E-RDC01: 2 Windows 10 Enterprise clients (E1, E2); 3 linked SQL Servers: 1 web server with SQL Server (Web03, Web03\SQLEXPRESS) and 2 standalone SQL Servers (SQL03\SQLEXPRESS, SQL11\SQLEXPRESS). E-DC02: 1 Windows 10 Enterprise client (E3); 1 standalone SQL Server (SQL13\SQLEXPRESS) (to be added during later testing). FSOCIETY.COM: Windows Server 2019, 1 Domain Controller (F-RDC01), 2 standalone…

Phishing – deb Package Tampering

Background: I recently came across a detailed explanation of deb installation packages again and found that I had forgotten a lot. Reviewing the old teaches the new, so before getting to today's topic, let's also peek at the internal structure of a deb file. Test environment: Debian Package System. Many Linux distributions are based on Debian, the most famous being Ubuntu and Kali. We usually install software with apt or apt-get, which are called the Advanced Package Tool. Compared with the somewhat dumber dpkg, they can automatically detect and install dependencies. Although their functionality differs, both tools install files of the same format: deb files. sudo apt install net-tools. Let's try dpkg instead. Download a zsh package: wget http://archive.ubuntu.com/ubuntu/pool/main/z/zsh/zsh-dev_5.8.1-1_amd64.deb. Install it with dpkg: dpkg -i DEB file. What exactly does a deb file contain? Is there anything interesting in it we can take advantage of? A deb file is essentially an ar archive, so the ar command can extract it and show the internal structure. ar t zsh-dev_5.8.1-1_amd64.deb. It contains:…
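The ar layout the post is about to list, as an added example written for this page (not the author's code): it serializes and parses the ar(1) container that `ar t` reads, and then pulls the maintainer scripts out of control.tar.*, which is where a tampered package would carry code that dpkg runs as root. The package it inspects is constructed in memory rather than downloaded, so the package name, file list and postinst text are made up for illustration:

```python
"""Added example (not the author's code): treat a .deb as an ar(1) archive.

A .deb is an ar archive with three members, in this order: debian-binary,
control.tar.* (package metadata plus the maintainer scripts preinst/postinst/
prerm/postrm, which dpkg runs as root) and data.tar.* (the files installed).
The package below is constructed in memory so the script runs offline; its
name, contents and postinst text are made up for illustration.
"""
import io
import tarfile

AR_MAGIC = b"!<arch>\n"
MAINTAINER_SCRIPTS = {"preinst", "postinst", "prerm", "postrm"}


def ar_pack(members):
    """Serialize (name, bytes) pairs into a GNU-style ar archive."""
    out = bytearray(AR_MAGIC)
    for name, data in members:
        # 60-byte header: name[16] mtime[12] uid[6] gid[6] mode[8] size[10] fmag[2]
        out += b"%-16s%-12d%-6d%-6d%-8s%-10d`\n" % (
            name.encode() + b"/", 0, 0, 0, b"100644", len(data))
        out += data
        if len(data) % 2:                # members start on an even offset
            out += b"\n"
    return bytes(out)


def ar_unpack(blob):
    """Return [(name, bytes)] for an ar archive; this is what `ar t` / `ar x` read."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive (missing !<arch> magic)")
    members, off = [], len(AR_MAGIC)
    while off + 60 <= len(blob):
        hdr = blob[off:off + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("bad ar member header at offset %d" % off)
        name = hdr[:16].decode("ascii").rstrip().rstrip("/")
        size = int(hdr[48:58].decode("ascii").strip())
        start = off + 60
        members.append((name, blob[start:start + size]))
        off = start + size + (size % 2)
    return members


def tar_gz(files, executable=()):
    """Build a gzip'd tar from {name: bytes}; dpkg writes entries as './name'."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, data in files.items():
            info = tarfile.TarInfo("./" + name)
            info.size = len(data)
            info.mode = 0o755 if name in executable else 0o644
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample_deb():
    """Constructed stand-in for the zsh-dev package from the post (not the real file)."""
    control = (b"Package: zsh-dev\nVersion: 5.8.1-1\nArchitecture: amd64\n"
               b"Maintainer: constructed <nobody@example.invalid>\n"
               b"Description: constructed sample package\n")
    # Constructed maintainer script: whatever is placed here runs as root at install time.
    postinst = b"#!/bin/sh\nset -e\necho 'postinst ran' > /tmp/constructed-marker\n"
    data = {"usr/share/doc/zsh-dev/README": b"constructed sample payload file\n"}
    return ar_pack([
        ("debian-binary", b"2.0\n"),
        ("control.tar.gz", tar_gz({"control": control, "postinst": postinst}, {"postinst"})),
        ("data.tar.gz", tar_gz(data)),
    ])


def deb_member_names(deb):
    """Equivalent of `ar t file.deb`."""
    return [name for name, _ in ar_unpack(deb)]


def maintainer_scripts(deb):
    """Extract the maintainer scripts from control.tar.*: the first place to check for tampering."""
    found = {}
    for name, data in ar_unpack(deb):
        if not name.startswith("control.tar"):
            continue
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
            for m in tf.getmembers():
                base = m.name.split("/")[-1]
                if m.isfile() and base in MAINTAINER_SCRIPTS:
                    found[base] = tf.extractfile(m).read()
    return found


if __name__ == "__main__":
    deb = build_sample_deb()
    print(deb_member_names(deb))   # ['debian-binary', 'control.tar.gz', 'data.tar.gz']
    for script, body in maintainer_scripts(deb).items():
        print("==", script)
        print(body.decode())
```

Before installing a package from anywhere other than a signed repository, listing the members and reading the maintainer scripts this way is the check worth doing: `dpkg -i` verifies no signature itself, so a repacked .deb with an edited postinst installs exactly like the original.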