Remember Heaven’s Gate? (not the Kris Kristofferson movie) I am pretty sure that most intermediate malware developers/red-teamers know of Heaven’s Gate, an age-old technique that malware authors leverage to run 64-bit code from 32-bit processes using Wow64, which emulates a 32-bit system on 64-bit machines (if you are not familiar with it, I HIGHLY recommend reading up on it first). The system creates a 64-bit process and sets up a 32-bit environment inside it, in which the 32-bit program runs.

UEFI Jungle

The UEFI Jungle

While writing LazarusOS, I first came across UEFI from an implementation standpoint. I am pretty sure everyone has dealt with UEFI at some point, especially when booting up a new OS. In the good old days, we had the choice between Legacy BIOS and UEFI, and during some of my earlier iterations of the project I did write some BIOS bootloaders in assembly, but transitioning to UEFI was a whole new game.

Process Ghosting

Ghosted - A PoC on Process Ghosting

“Ghost Processes Not People”

Introduction

Process Ghosting is a technique for running payloads from an executable that has already been deleted. On Windows, it is possible to create a file, put it in a delete-pending state, write your payload to it, create an image section from it, close the file handle to delete the file, and then finally create a process from the mapped image section.

Rant as an Introduction

When initially getting into ETW and patching it, I was not prepared for what was coming. It was a deep rabbit hole of .NET, the CLR and Windows internals. Coming from a pure-C background (and a bit of Rust), this was a deep hole I was not prepared for at all. This blog is supposed to be more of a journal than a tutorial as I try to figure things out!

TryHackMe: Gallery

Introduction
Challenge Name: Gallery
Difficulty: Easy

Nmap Enumeration
Command:
$ sudo nmap -A -T4 --open -p- 10.10.17.83 -oN Gallery.nmap
Output:
# Nmap 7.92 scan initiated Thu Sep 15 01:55:38 2022 as: nmap -A -T4 --open -p- -oN Gallery.nmap 10.10.17.83
Nmap scan report for 10.10.17.83
Host is up (0.19s latency).
Not shown: 65516 closed tcp ports (reset), 17 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.

TryHackMe: Dig Dug

Introduction
Challenge Name: Dig Dug
Difficulty: (Super) Easy

Nmap Scan
TCP Scan
Command:
$ sudo nmap -A -T4 --open -p- 10.10.237.159 -oN DigDug.nmap
Output:
# Nmap 7.92 scan initiated Thu Sep 15 01:04:24 2022 as: nmap -A -T4 --open -p- -oN DigDug.nmap 10.10.237.159
Nmap scan report for 10.10.237.159
Host is up (0.16s latency).
Not shown: 65275 closed tcp ports (reset), 259 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.

TryHackMe: Agentt

Introduction
Challenge Name: Agentt
Difficulty: (Super) Easy

Nmap Scan
Command:
$ sudo nmap -A -T4 --open -p- 10.10.121.103 -oN Agentt.nmap
Output:
# Nmap 7.92 scan initiated Thu Sep 15 00:26:09 2022 as: nmap -A -T4 --open -p- -oN Agentt.nmap 10.10.121.103
Nmap scan report for 10.10.121.103
Host is up (0.17s latency).
Not shown: 63135 closed tcp ports (reset), 2399 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
80/tcp open http PHP cli server 5.

A Study In Obfuscation

Introduction

In this blog series, we explore how to obfuscate a Metasploit payload to avoid detection by antivirus engines, and try to go invisible. We start from the ground up: using a completely unobfuscated shellcode, and building upon it until we reach zero detections. All the associated code for this blog can be found in this Github repository. We employ known techniques and see how they affect detection rates by uploading the compiled executable to AntiScan, since it does not submit the samples to the vendors.

Introduction

D-Link is one of the leading brands when it comes to manufacturing consumer routers. There’s a fair chance that you have a D-Link router back at home. The D-Link DIR-819 model is a very popular router. In this blog post, I explain how I found a Local-File-Inclusion 0day, now designated as CVE-2022-38258, and escalated it to achieve a Denial-of-Service attack. Though the blog is written with respect to the DIR-819 model, it should be reproducible on any router running the same firmware.