A list of notes to be referenced while playing CTFs
- Search exploits on the net (exploit-db or google) and not on metasploit. Not every module you need is already shipped with metasploit!
- Port 3306 (mysql): https://book.hacktricks.xyz/pentesting/pentesting-mysql
wp-login.phpandwp-admin.phpfor wordpress- When enumerating directories, also try names with .tar, .zip, .js, .php, .html extensions!
- Port 445 open -> Think SMB. SMB tools:
- Nmblookup
- nbtscan
- SMBMap
- Smbclient
- Rpcclient
- Nmap
- Enum4linux
Also eternalblue came out in 2017 and it utilizes SMB vulnerabilities
- When given an ELF executable, I can use Ghidra, Cutter to decompile it (go from executable to C source code)
- LD_PRELOAD tricks. You can specify your own standard library functions, like
mallocorstrcmp, in a custom library, then use LD_PRELOAD to load this library before the standard C one. Now when the program usesmallocyour custom code will run instead of the standard malloc code. A crackme solution that overrides thestrcmpfunction to solve it: https://crackmes.one/static/solution/5f09c44a33c5d42a7c667979.zip (ZED-Crackme)
- Assembly syntax difference example between Intel and AT&T:
- Intel
movl $5, %eax - AT&T
mov eax, 5
- Intel
malloc()allocates a block of memory in the heap and returns the address (e.g. in the eax register)- GDB Interface for better readability: https://github.com/cyrus-and/gdb-dashboard
- Introduction to ROP https://codearcana.com/posts/2013/05/28/introduction-to-return-oriented-programming-rop.html
readelfcommanddmesgshows info about all the segfaults!- use
catright after you pass the payload to a binary to capture the shell! For example:( python -c "print 'A'*20 + '\xcc\xba\x13\xca'" ; cat ) | ./vulnerable_binary(from https://www.youtube.com/watch?v=yH8kzOkA_vw&list=PL1H1sBF1VAKVg451vJ-rx0y_ZuQMHPamH @ 5:45)
- SPI (Serial Peripheral Interface) vs I2C Protocols: https://articles.saleae.com/logic-analyzers/spi-vs-i2c-protocol-differences-and-things-to-consider#spi-vs-i2c-protocol-differences-and-things-to-consider