Serpent pyramid. Run malware from the EDR blind spots!

In this article, I’ll show how to modify a standalone Python interpreter so that you can load malicious dependencies directly into memory using the Pyramid tool (not to be confused with the web framework of the same name). Potentially, this enables you to evade antivirus protection in pentesting studies and conceal a suspicious telemetry source from EDR in the course of Red Team operations.
Read full article →

Challenge the Keemaker! How to bypass antiviruses and inject shellcode into KeePass memory

Recently, I was involved with a challenging pentesting project. Using the KeeThief utility from GhostPack, I tried to extract the master password for the open-source KeePass database from the process memory. Too bad, EDR was monitoring the system and prevented me from doing this: after all, KeeThief injects shellcode into a remote process in a classical oldie-goodie way, and in 2022, such actions have no chance to go unnoticed.
Read full article →

Stratosphere flight. How to crack Struts using an Action app and create a Forward Shell

Today, I will show how to conquer the stratosphere – i.e. gain root access on the Stratosphere VM available on Hack The Box CTF grounds. To capture the root flag, I will have to overcome the Apache Struts framework to get an RCE vulnerability in a web app, put to practice the rarely used (but still very useful) Forward Shell remote session concept, highjack a library, and find a way to exploit the eval() function in a treacherous Python script.

Read full article →


The PWN realm. Modern techniques for stack overflow exploitation

The buffer overflow vulnerability is an extremely popular topic on hackers’ forums. In this article, I will provide a universal and practically-oriented ‘introduction’ for enthusiasts studying the basics of low-level exploitation. Using stack overflow as an example, I will address a broad range of topics: from security mechanisms currently used by the GCC compiler to specific features of binary stack overflow exploits.

Read full article →


Compressed Token Format (CTF). One-time passwords, LDAP injections, and tricks with 7z archiver

Today, I will explain how to hack the CTF virtual machine available on Hack The Box training grounds. For the purposes of this article, the abbreviation “CTF” refers to Compressed Token Format, not Capture the Flag. This VM is vulnerable to various types of LDAP injections, while its authentication mechanism is based on stoken, a generator of one-time passwords. In addition, the target machine uses a loose Bash script, and I will exploit it to fool the 7z archiver and gain root access.

Read full article →


Diabolically reddish pentest. Building tunneling chains through docker containers on a Hack the Box virtual machine

How to seize control over a host located in a different subnetwork? The right answer is: build numerous intricate tunnels. This article addresses tunneling techniques and their application in pentesting using as an example Reddish, a hardcore virtual machine (insane difficulty level: 8 out of 10) available on Hack The Box training grounds.

Read full article →