HTB Write-up: Craft

15 minute read

Craft is a medium-difficulty Linux system. To reach the user.txt flag, a variety of small hurdles must be overcome. The majority of this process involves getting to the bottom of what’s up with the beer-themed Craft API. It seems that one of the developers had a few too many craft IPAs before pushing some sloppy cha...

HTB Write-up: Chaos

16 minute read

Chaos is a medium-difficulty Linux machine that has a lot going on. The route to user.txt is indeed a long one, as the path winds from finding some insecurely stored email account credentials to reversing a Python encryption program to abusing a web application that creates PDF documents. There are many twists and t...

HTB Write-up: Carrier

18 minute read

On average, Carrier is a medium-difficulty Linux box. With this being said, the user.txt flag is likley a “tricky-but-easy” diffciculty whereas the root.txt flag is something like moderately-difficult. Carrier provides challengers with an overall unique experience. As mentioned previously, the user.txt flag is relat...

HTB Write-up: Ypuffy

10 minute read

Ypuffy is a medium difficulty OpenBSD machine. The OpenBSD operating system provides a bit of a twist compared to the usual Linux and Windows challenges. The path to user is relatively simple. Careful enumeration, a bit of research on YP LDAP, and the knowledge within the man pages of smbclient will get you there. ...

HTB Write-up: SecNotes

6 minute read

SecNotes is a medium-difficulty Windows machine with a twist. The machine includes a web application where users can store “secure” notes, (hence the machine name of “SecNotes”). Unfortunately, the web application is not as secure as the machine name might suggest as it is vulnerable to second order SQL injection an...

HTB Write-up: Access

5 minute read

Access is an easy-difficulty Windows box that exemplifies some of the industry’s biggest faux pas. The FTP service running on the system allows for anonymous access, as if running the outdated and unencrypted protocol wasn’t enough. To make matters worse, the FTP server serves up information far sweeter than grandma...

HTB Write-up: Curling

10 minute read

Curling is an easy-difficulty Linux box. The great thing about Curling is all of the small, simple steps that are required to complete it. The machine includes a website built by a content management system (CMS) called Joomla. The administrator of the website, Floris (who, judging by the content of the website is a...

HTB Write-up: Irked

7 minute read

Irked is an easy-difficulty Linux machine that involves the exploitation of an IRC server using a public exploit, a bit of steganography, and the abuse of a far-from-functional custom binary owned by the root user of the system. Overall, the box is pretty straightforward, yet a lesson can be learned surrounding the ...

Back to top ↑


SLAE32 0x07: Custom Crypter

6 minute read

In this post, a crypter program will be created and demonstrated that uses the Advanced Encryption Standard encryption specification, also known as AES. The AES standard is part of the block cipher family. It is also important to note that AES is a symmetric-key algorithm which means that the same key is used for en...

SLAE32 0x06: Polymorphic Shell-Storm Shellcode

11 minute read

Polymorphic shellcode can be described as any shellcode that performs the same function as an existing shellcode, but with different instructions. In a similar vein to encoded shellcode, polymorphic shellcode is most commonly used in an attempt to evade anti-virus software and intrusion detection systems.

SLAE32 0x05: msfvenom Shellcode Analysis

20 minute read

The tool msfvenom is commonly used to generate payloads. The tool provides a variety of payload options for different operating systems and architectures. Analyzing shellcode payloads generated by msfvenom is a useful exercise to help better understand the underlying techniques that are at play within these payloads.

SLAE32 0x04: Custom Encoding

10 minute read

Most often, the purpose of a shellcode encoder is to obfuscate a malicious shellcode payload in an attempt to evade anti-virus detection that may be running on the system executing the payload. Additionally, encoders can be used in an attempt to remove bad characters (e.g. null bytes) from a shellcode payload. To ac...

SLAE32 0x03: Egg Hunter Shellcode

15 minute read

In the classic stack buffer overflow scenario, execution flow can be redirected to a JMP ESP instruction which results in the execution of subsequent shellcode on the stack. Say that the goal is to execute a reverse shell shellcode that is 100 bytes in length. If there are at least 100 bytes worth of buffer space re...

SLAE32 0x02: Shell_Reverse_TCP Shellcode

28 minute read

In contrast to a bind shell (which is explained in the previous post), a reverse shell is a type of shell in which the system on which the code is run connects a TCP socket to a remote IP address and port that have been designated to listen for incoming connections prior to the execution of the reverse shell. In oth...

SLAE32 0x01: Shell_Bind_TCP Shellcode

24 minute read

A bind shell is a type of shell in which the system on which the code is run binds a TCP socket that is designated to listen for incoming connections to a specified port and IP address. When a bind shell is used, the system on which the bind shell is executed acts as the listener. When a connection is accepted on th...

Back to top ↑

HackerOne CTF

HackerOne CTF Write-up: Micro-CMS v1

5 minute read

The challenge titled “Micro-CMS v1” is rated as easy difficulty and contains four flags. The challenge provides an introduction to an insecure indexing vulnerability, an (extremely) basic example of SQL injection, and a demonstration of two cross-site scripting vulnerabilities. This challenge helps to drive the poin...

HackerOne CTF Write-up: A little something to get you started

less than 1 minute read

The HackerOne CTF challenge “A little something to get you started” could not get much easier. Given its difficulty rating of “Trivial” I suppose this should come as no surprise. Nonetheless, the challenge introduces the importance of the powerful “View Page Source” option built into browsers.

Back to top ↑


Exploiting CVE-2020-9047 (ICSA-20-170-01)

20 minute read

On April 9, 2020, I discovered and reported the vulnerability in the exacqVision Web Service that has since been designated CVE-2020-9047 (ICSA-20-170-01) to the Johnson Controls Product Security team. The vulnerability was publicly disclosed by Johnson Controls on June 18, 2020. This vulnerability also affects exac...

Back to top ↑