June 19, 2022 | 21:00

INE Lab - Linux Remote Exploitation and Post Exploitation

The scenario is described as follows: In this lab environment, the user will access a Kali GUI instance. A vulnerable application can be accessed using the tools installed on Kali at http://demo.ine.local. Objective: Exploit both targets and find all flags!

demo.ine.local

First, let's see if we can find the IP address of our first target in the hosts file:

root@INE:~# cat /etc/hosts | grep ine.local
demo.ine.local

Next, we take note that the eth1 interface is the route to the target: Read more

May 21, 2022 | 15:16

Playing with TP-Link TL-WR841N

At the time of writing, three firmware versions were available for the hw v14 on the official support page:

TL-WR841N(EU)_V14_200903 (200903) released on 2020-11-27
TL-WR841N(EU)_V14_180319 (180319) released on 2018-04-03
TL-WR841N(EU)_V14_171208 (171208) released on 2018-04-01

None of these versions prevents downgrades, so any transition between them is possible. When downgrading, it's best to restore factory defaults beforehand because of some incompatibilities (for example, the password gets cut because of length limitations in one of the earlier versions). Read more

May 7, 2022 | 13:10

INE Lab - Linux Local Enumeration

The scenario is described as follows: The user will access an Ubuntu instance as the student user. We will assume that we have compromised a machine and gained regular user access (student). We need to conduct local enumeration and obtain root access to the machine. Objective: Find the SUID executables and vulnerable services to gain root privileges.

LinEnum is located within /opt:

student@INE:~$ /opt/LinEnum/ > linenum.txt
student@INE:~$ more linenum. Read more

April 16, 2022 | 21:56

INE Lab - Leveraging PowerShell During Exploitation

The scenario is described as follows: You have been tasked by an organization to conduct a penetration test. Suppose that the organization's internet-facing machine is accessible at demo.ine.local. There is another machine (fileserver.ine.local) which is not directly accessible. Task: Perform remote exploitation and post-exploitation tasks on vulnerable systems, gain access to both machines and retrieve the flag!

Shell on "demo"

The description above mentions the two hosts demo.ine.local and fileserver. Read more

March 3, 2022 | 15:44

Hook Qt's QString using Frida

Recently, I wanted to understand what a Windows program built with Qt 4.7 is doing under the hood; in particular, I investigated the use of the QString class. For that I used Frida to hook some of the class's methods. To get started, I created a simple program that makes use of the two methods fromAscii and append:

#include <QString>
#include <stdio.h>
#include <Windows.h>

int main() {
    int i = 1;
    while(1){
        const char* str = "awesome";
        QString qstr = QString::fromAscii(str);
        QString qstr2 = QString("string");
        qstr.
Read more
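The hook itself, as an added example for this listing rather than code from the post above: a Frida script that resolves QString::fromAscii and QString::append from the Qt 4 core DLL's export table, attaches to both, and prints the C string handed to fromAscii and the two strings joined by append. Everything it relies on is an assumption to verify against the real binary: the module name QtCore4.dll, the mangled export names (an MSVC decoration and a MinGW/Itanium form for each method), the hidden return-slot argument that both ABIs insert for a QString returned by value, and the Qt 4 QString::Data layout used to read the text out of a QString object.

```javascript
'use strict';
// Added example (not from the original post): Frida hooks for Qt 4's
// QString::fromAscii and QString::append. Assumptions: module name QtCore4.dll,
// the mangled names in TARGETS, and the Qt 4 QString::Data layout
// (int ref; int alloc; int size; ushort *data; ...).

// Candidate export names: MSVC decoration first, Itanium (MinGW) second.
// Check them against Module.enumerateExports() before relying on them.
const TARGETS = {
  fromAscii: ['?fromAscii@QString@@SA?AV1@PBDH@Z', '_ZN7QString9fromAsciiEPKci'],
  append: ['?append@QString@@QAEAAV1@ABV1@@Z', '_ZN7QString6appendERKS_'],
};

// Return the first export whose name is one of the candidates, or null.
function selectExport(exports, candidates) {
  for (const name of candidates) {
    const hit = exports.find((e) => e.name === name);
    if (hit) return hit;
  }
  return null;
}

// MSVC-decorated names start with '?'. On 32-bit MSVC, member functions are
// thiscall (this in ecx); MinGW passes this as the first stack argument.
function callingConventionFor(exportName) {
  return exportName.startsWith('?') ? 'thiscall' : 'cdecl';
}

// Read the text of a Qt 4 QString: d->size lives at offset 8, and d->data
// follows it, aligned to the pointer size (offset 12 on x86, 16 on x64).
function qstringText(qstrPtr) {
  const d = qstrPtr.readPointer();
  const size = d.add(8).readS32();
  const dataOffset = Process.pointerSize === 8 ? 16 : 12;
  return d.add(dataOffset).readPointer().readUtf16String(size);
}

function installHooks(moduleName) {
  const exports = Process.getModuleByName(moduleName).enumerateExports();

  const fromAscii = selectExport(exports, TARGETS.fromAscii);
  if (fromAscii !== null) {
    Interceptor.attach(fromAscii.address, {
      // QString is returned by value, so both ABIs pass a hidden pointer to
      // the result slot as argument 0; (const char *str, int size) follow it.
      onEnter(args) {
        const size = args[2].toInt32(); // -1 means NUL-terminated in Qt 4
        const text = size < 0 ? args[1].readCString() : args[1].readCString(size);
        console.log(`QString::fromAscii("${text}", ${size})`);
      },
    });
  }

  const append = selectExport(exports, TARGETS.append);
  if (append !== null) {
    // Only 32-bit MSVC keeps this out of the stack args; on x64 both
    // toolchains pass this as args[0] and the other QString as args[1].
    const thiscall =
      Process.arch === 'ia32' && callingConventionFor(append.name) === 'thiscall';
    Interceptor.attach(append.address, {
      onEnter(args) {
        const self = thiscall ? this.context.ecx : args[0];
        const other = thiscall ? args[0] : args[1];
        console.log(`QString::append: "${qstringText(self)}" += "${qstringText(other)}"`);
      },
    });
  }
}

// Only touch the Frida runtime when the script is actually loaded into a process.
if (typeof Interceptor !== 'undefined') {
  installHooks('QtCore4.dll');
}
```

Run it with `frida -l hook_qstring.js -f target.exe` (the script file name is arbitrary). If neither candidate name matches, nothing is hooked and the script prints nothing: dump the export table with `Module.enumerateExports()` and add the decorated name your toolchain actually emitted to TARGETS.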

© Pavel Pi 2021
