HACKINGISCOOL

Breaking out from stripped tokens using process injection

Intro What I am going to showcase here isn't anything new, but it lays out the groundwork for what I am going to publish next, soon-ish. This article will help you learn about: * attacking Windows services running under dedicated service accounts (such as NETWORK SERVICE and LOCAL SERVICE)

Abusing .NET app.config for initial access, persistence, privilege escalation and denial of service

This one is about a neat technique which is still not so well-known at the time of writing this. It was presented to me as a method for gaining initial access, and then quite quickly I realized it can also become handy for other scenarios; persistence, privilege escalation and denial

ZScaler Client Connect 3.7.2.18 LPE POC

GitHub - ewilded/ZScaler_msiexec_LPE_2023: My proof of concept for a Local Privilege Escalation via msiexec in ZScaler Client Connector 3.7.2.18My proof of concept for a Local Privilege Escalation via msiexec in ZScaler Client Connector 3.7.2.18 - ewilded/ZScaler_msiexec_LPE_2023GitHubewilded

CVE-2024-35315-POC

GitHub - ewilded/CVE-2024-35315-POC: Mitel Collab Local Privilege Escalation CVE-2024-35315 PoCMitel Collab Local Privilege Escalation CVE-2024-35315 PoC - ewilded/CVE-2024-35315-POCGitHubewilded

Intel PowerGadget 3.6 Local Privilege Escalation

Vulnerability summary: Local Privilege Escalation from regular user to SYSTEM, via conhost.exe hijacking triggered by MSI installer in repair mode Affected Products: Intel PowerGadget Affected Versions: tested on PowerGadget_3.6.msi (a3834b2559c18e6797ba945d685bf174), file signed on ‎Monday, ‎February ‎1, ‎2021 9:43:20 PM (this seems to be the

CVE-2023-7016-POC

POC for the flaw in Thales SafeNet Authentication Client prior to 10.8 R10 on Windows that allows an attacker to execute code at a SYSTEM level via local access. https://github.com/ewilded/CVE-2023-7016-POC

CVE-2024-0197-POC

Proof of concept for Local Privilege Escalation in Thales Sentinel HASP LDK. GitHub - ewilded/CVE-2024-0197-POC: Proof of concept for Local Privilege Escalation in Thales Sentinel HASP LDK.Proof of concept for Local Privilege Escalation in Thales Sentinel HASP LDK. - ewilded/CVE-2024-0197-POCGitHubewilded

CVE-2023-38041 POC

Ivanti Pulse Secure Client Connect Local Privilege Escalation CVE-2023-38041 Proof of Concept: https://github.com/ewilded/CVE-2023-38041-POC (there's two versions, one highly accurate due to use of oplocks and directory junctions, and one - less accurate - but with oplocks only).

CVE-2024-25376 POC

GitHub - ewilded/CVE-2024-25376-POCContribute to ewilded/CVE-2024-25376-POC development by creating an account on GitHub.GitHubewilded CVE-2024-25376 - Local Privilege Escalation in TUSBAudio POC (driver installers after v5.40.0 and before v5.68.0 are affected). Reference: https://www.thesycon.de/eng/usb_audiodriver.shtml#SecurityAdvisory

windows

CVE-2023-37250 POC

Unity Parsec TOCTOU PoC + writeup. GitHub - ewilded/CVE-2023-37250: PoCPoC. Contribute to ewilded/CVE-2023-37250 development by creating an account on GitHub.GitHubewilded

windows

A case of DLL Side Loading from UNC via Windows environmental variable

About a month ago I decided to take a look at JetBrains TeamCity, as I wanted to learn more about CVE-2022-25263 (an authenticated OS Command Injection in the Agent Push functionality). Initially I just wanted to find the affected feature and test the mitigation put in place, eventually I ended

windows

Improving the write-what-where HEVD PoC (x86, Win7)

Introduction This one is about another HEVD exercise (look here to see the my previous HEVD post); the arbitrary write (https://github.com/hacksysteam/HackSysExtremeVulnerableDriver/blob/master/Driver/HEVD/Windows/ArbitraryWrite.c). The main reason I decided to write up my experience with it is the fact that it instantly

windows

HEVD StackOverflowGS x86 Win7 - exploitation analysis

Introduction This post is about kernel mode exploitation basics under Windows. It operates on assumptions that the reader is familiar with terms such as process, thread, user and kernel mode and the difference between user and kernel mode virtual address range. One could use this post as an introduction to

hijacking

Cmd Hijack - a command/argument confusion with path traversal in cmd.exe

This one is about an interesting behavior 🤭 I identified in cmd.exe in result of many weeks of intermittent (private time, every now and then) research in pursuit of some new OS Command Injection attack vectors. So I was mostly trying to: * find an encoding missmatch between some command check/

windows

PE Import Table hijacking as a way of achieving persistence - or exploiting DLL side loading

Preface In this post I describe a simple trick I came up with recently - something which is definitely nothing new, but as I found it useful and haven't seen it elsewhere, I decided to write it up. What we want to achieve So - let's

linux

Stack-canary (ROP), format string leak plus how I learned that nullbyte is not a badchar to scanf("%s",buf) - while socat ignores read on STDIN - MBE LAB8A

This time we are having some fun with a standard null-armored stack canary, as well as an additional custom one (we will extensively cover both scenarios, as there's plenty of subject matter here), plus some peculiarities regarding scanf() and read(). The relevant MBE lecture can be found here

linux

Out-of-bound read-write without integer sign flipping - MBE LAB8B walkthrough - the bonus version without using thisIsASecret() function

Introduction This is the continuation of https://hackingiscool.pl/out-of-bounds-write-with-some-integer-sign-flipping-mbe-lab8b-walkthrough-the-basic-version/ - the bonus version not utilizing the thisIsASecret() function to get the shell. So, the basic version was in fact very simple after figuring out how to control EIP. We just overwrote it with a pointer to this function: Now,

linux

Out-of-bounds read-write with some integer sign flipping - MBE LAB8B walkthrough - the basic version

I decided to skip the LAB8C (https://github.com/RPISEC/MBE/blob/master/src/lab08/lab8C.c) writeup, as solving it did not even require running gdb - so I was like "muh". Instead, let's look at LAB8B. The target app As usual, here's

linux

Heap overflow with stack-pivoting, format string mem leaking and first-stage ROP-ing to shellcode after making it executable on the heap - on a statically linked binary (MBE LAB7A)

This is was one of the most painstaking ones (which is reflected in the length of this write up). While finding the vulnerability was trivial, building a working exploit was quite of a challenge here. The target app The target app https://github.com/RPISEC/MBE/blob/master/src/lab07/

vulndev

Exploiting the same Use after Free twice to leak the mem layout and execute code - MBE LAB7C walkthrough

The target app This time we are dealing with a very plain and simple UaF vulnerability. The source code can be found here: https://github.com/RPISEC/MBE/blob/master/src/lab07/lab7C.c Right away we can see two data structure definitions, which more-less suggest what we are going

vulndev

MBE is fun - lab6A walkthrough

I'll try to keep this one short. What we are going to cover We are not going to overwrite the saved RET on the stack (we're gonna have a different pointer available, without touching the stack protector). We are also going to: * beat ASLR with an

vulndev

The XOR madness of MBE's tricky lab6B - a walkthrough

This post is a continuation of my MBE (Modern Binary Exploitation) walkthrough series. In order to get some introduction, please see the previous post: https://hackingiscool.pl/mbe-lab6c-walkthrough/. A look at the target app So let's get right to it. The source code of the target application can

vulndev

MBE lab6C walkthrough

About MBE Some time ago I came across RPISEC's free Modern Binary Exploitation course (https://github.com/RPISEC/MBE) which I can't recommend enough. You get lectures, challenges and a ready out-of-the-box operational Ubuntu VM to play with. Yup, this course is Linux-focused, which made it

vulndev

Vulnserver - my KSTET exploit (delivering the final stage shellcode through an active server socket)

The purpose of writing this up was only to present a little trick I came up with while playing with vulnserver's (http://www.thegreycorner.com/2010/12/introducing-vulnserver.html) KSTET command (one of many protocol commands vulnerable to some sort of memory corruption bug). In spite of the