Doomsday Vault

X-C3LL's Personal Blog :)

Index of /

:: My comic collection
:: 2024-08-25 00:03:37 +0000 ::

An inventory of my current comics.

:: Now this is personal
:: 2024-07-15 00:03:37 +0000 ::

New approach for this blog.

:: That loyal MySQL is a rogue one: a tale of a (partially) failed idea
:: 2020-07-12 01:03:37 +0000 ::

Hooking mysqld to steal net-NTLM hashes from developers.

:: GetEnvironmentVariable as an alternative to WriteProcessMemory in process injections
:: 2020-05-28 11:22:33 +0000 ::

Brief description of how to use GetEnvironmentVariable as an alternative to WriteProcessMemory

:: From memory corruption to disable_functions bypass: understanding PHP exploits
:: 2020-02-09 01:13:37 +0000 ::

Overview of PHP internals related to disable_functions and how common exploits work

:: Tunneling traffic through MySQL service (or your mysqld is my new SOCKS5)
:: 2019-12-06 13:48:08 +0000 ::

Description of how to pivot through the MySQL service. Turning MySQL into a SOCKS5 proxy that can be used by proxychains.

:: Isolating the logic of an encrypted protocol with LIEF and kaitai
:: 2019-11-01 12:00:00 +0000 ::

Article describing how we used LIEF to isolate target functions and kaitai to describe the protocol.

:: CSS Injection Primitives
:: 2019-10-16 01:00:00 +0000 ::

Collection of CSS / HTML primitives. Tricks to use as an alternative to JavaScript (exfiltration, timing, etc.)

:: Remote Code Execution in Aruba Mobility Controller (ArubaOS) - CVE-2018-7081
:: 2019-09-04 01:00:00 +0000 ::

Walkthrough of discovering CVE-2018-7081 (memory corruption). Proof of Concept inside :)

:: Stealthier communications & Port Knocking via Windows Filtering Platform (WFP)
:: 2019-06-05 13:30:07 +0000 ::

Example of how WFP can be used to communicate with an infected machine

:: Rethinking the inotify API as an offensive helper
:: 2019-04-01 11:00:00 +0000 ::

Examples of how the inotify API can be useful for the Red Team

:: Searching systematically for PHP disable_functions bypasses
:: 2018-12-09 13:00:00 +0000 ::

Some ideas about how to extract hidden parameters in PHP functions and how to find potential bypasses

:: Building simple DNS endpoints for exfiltration or C&C
:: 2018-11-09 15:00:00 +0000 ::

Brief tutorial on how to use backend pipes in PowerDNS for exfiltration

:: Writeup Navaja Negra 2018 CTF
:: 2018-10-11 12:00:00 +0000 ::

Solutions to the challenges made by me in Navaja Negra CTF (Web, Pwn, Rev. & Misc.)

:: Vulnerability in Swoole PHP extension [CVE-2018-15503]
:: 2018-08-14 13:11:37 +0000 ::

Description of how the vulnerability was found and a few indications about its exploitability

:: Improving PHP extensions as a persistence method
:: 2018-07-28 12:00:10 +0000 ::

Article about how to build backdoors for the Zend Engine.

:: Hacking a game to learn FRIDA basics (Pwn Adventure 3)
:: 2018-07-05 13:00:37 +0000 ::

Learn the basic usage of Frida with this tutorial. Build your own cheat with Frida.

:: Exfiltrating credentials via PAM backdoors & DNS requests
:: 2018-06-27 13:37:00 +0000 ::

Description of how to backdoor PAM and exfiltrate credentials via DNS requests. Capture credentials FTW!

:: Beyond pty.spawn - use pseudoterminals in your reverse shells (DNScat2 example)
:: 2018-05-08 12:00:00 +0000 ::

Quick article about how to improve well-known tools used in pentests. Forkpty() FTW!!

:: Defeating WordPress Security Plugins (Revisited)
:: 2018-03-09 12:00:00 +0000 ::

Article about how to subvert the file integrity checks made by the most popular WordPress plugins

:: Parasiting web server process with webshells in permissive environments
:: 2018-02-24 12:00:00 +0000 ::

Example of how to abuse permissive environments to infect processes with custom code using ptrace

:: JavaScript AntiDebugging Tricks
:: 2018-02-08 12:00:00 +0000 ::

List of antidebugging techniques applied to JavaScript (focused on browsers)

:: Writeup (CTF) - ImpelDown CodeGate PreQuals 2018 (MISC)
:: 2018-02-03 10:00:00 +0000 ::

Solution to an easy Python jail challenge

:: Loading "fileless" Shared Objects (memfd_create + dlopen)
:: 2018-02-02 12:00:00 +0000 ::

An example of how to drop modules on a target using the syscall memfd_create