Hi guys, this is my first post in the “Road to OSCP” series. I’ve been trying to find the time to go through the Offensive Security labs but so far have purchased 3-4 lab extensions and never got the time to go through them. This time I’m really committed, and in one way or another I will find the time to do the labs.
This is it! The final assignment for the SecurityTube Linux Assembly Expert certification is finally done and published.
I highly recommend the course for anyone interested in learning about Linux, Assembly and Shellcoding. Very interesting stuff.
Below are the links for the posts containing the certification assignments
This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert Certification.
Student ID: SLAE64-1440
For assignment 6 of the SecurityTube Linux Assembly Expert certification the idea is to create polymorphic versions of existing shellcodes, specifically taken from shell-storm.org.
A polymorphic version of a shellcode is the same functionality rewritten with different instructions and registers, with NOP-equivalent instructions inserted to break up byte patterns and evade signature-based detection.
For this assignment I chose the following shellcodes to work with:
- Linux/x86-64 – Read /etc/passwd – 82 bytes
- Linux/x86-64 – Add map in /etc/hosts file – 110 bytes
- Linux/x86-64 – setuid(0) + execve(/bin/sh) – 49 bytes
This is the last payload that I’ve debugged so far for the 5th assignment on SecurityTube Linux Assembly Expert certification.
This time I opted to look at the payload linux/x64/exec with the option to run ‘/bin/sh’.
The second payload that I decided to analyze for the 5th assignment of the SecurityTube Linux Assembly Expert certification was linux/x64/shell/bind_tcp.
For the 5th assignment of the SecurityTube Linux Assembly Expert certification, I needed to analyze some metasploit payloads for Linux x64.
I started by looking at the linux/x64/shell_reverse_tcp.
This is assignment #4 for the SecurityTube Linux Assembly Expert certification. It consists of the implementation of a custom encoder.
Encoding is a common strategy for obfuscating a shellcode payload so as to avoid signature and pattern detection.
This is the third assignment for the SecurityTube Linux Assembly Expert certification; it consists of a demonstration of my own implementation of an Egg Hunter that works with different payloads.
An Egg Hunter is a piece of code that searches memory for a specific pattern, called the ‘egg’, in order to find its address; the egg is usually prepended to a second injected payload that contains the actual shellcode.
This is the second assignment for the SecurityTube Linux Assembly Expert certification; it consists of the creation of a password-protected reverse shell.
A reverse shell is similar to a bind shell but instead of waiting passively for remote connections, it actively connects to a specified IP address and redirects STDIN, STDOUT and STDERR to that socket.
I’ve been taking the SecurityTube Linux Assembly Expert certification. This is the first assignment: the creation, in assembly, of a password-protected bind shell.
A bind shell is essentially an open port on a machine that has STDIN, STDOUT and STDERR redirected to an inbound socket. It gets its name from the bind() system call, which is a necessary step for listening on a port.