GreySec Forums

Full Version: Nightmare: Intro to binary exploitation (Course)

Just thought I'd share this interesting resource I found the other day.

Github Wrote: Nightmare is an intro to binary exploitation / reverse engineering course based around ctf challenges. I call it that because it's a lot of people's nightmare to get hit by weaponized 0 days, and these skills directly translate into doing that type of work (plus it's a really cool song).

Intro
0.) Intro to the Project
1.) Intro to Assembly

    Intro to assembly
    Sample assembly reverse challs

2.) Intro to Tooling

    gdb-gef
    pwntools
    ghidra

3.) Beginner RE

    pico18_strings
    helithumper_re
    csaw18_tourofx86pt1
    csaw19_beleaf

Stack pt 0 Stack Tendencies
4.) Buffer Overflow of Variables

    Csaw18/boi
    TokyoWesterns17/just_do_it
    Tamu19_pwn1

5.) Buffer Overflow Call Function

    Csaw18_getit
    Tu17_vulnchat
    Csaw16_warmup

5.1) aslr/pie intro

    quick aslr/pie explanation

6.) Buffer Overflow Call Shellcode

    Tamu19_pwn3
    Csaw17_pilot
    Tu18_shelleasy

6.1) nx intro

    nx explanation

7.) ROP Chain Statically compiled

    dcquals19_speedrun1
    bkp16_simplecalc
    dcquals16_feedme

7.1) stack canary intro

    stack canary introduction

7.2) relro intro

    relro introduction

8.) ROP Dynamically Compiled

    csaw17_svc
    fb19_overfloat
    hs19_storytime
    csaw19_babyboi
    utc19_shellme

General pt 0 Stardust Challenges
9.) Bad Seed

    h3_time
    hsctf19_tuxtalkshow
    sunshinectf17_prepared

10.) Format strings

    backdoor17_bbpwn
    twesterns16_greeting
    pico_echo
    watevr19_betstar

11.) Index Array

    dcquals16_xkcd
    sawmpctf19_dreamheaps
    sunshinectf2017_alternativesolution

12.) Z3

    tokyowesterns17_revrevrev
    tuctf_future
    hsctf19_abyte

13.) Angr

    securityfest_fairlight
    plaid19_icancount
    defcamp15_r100

Stack pt 1 Return to Stack (truly a perfect game)
14.) Ret2system

    asis17_marymorton
    hxp18_poorcanary
    tu_guestbook

15.) Partial Overwrite

    Tu17_vulnchat2
    Tamu19_pwn2
    hacklu15_stackstuff

16.) SROP

    backdoorctf_funsignals
    inctf17_stupiddrop
    swamp19_syscaller
    csaw19_smallboi

17.) Stack Pivot / Partial Overwrite

    defconquals19_speedrun4
    insomnihack18_onewrite
    xctf16_b0verfl0w

18.) Ret2Csu / Ret2dl

    ropemporium_ret2csu
    0ctf 2018 babystack

General pt 1
19.) Shellcoding pt 1

    defconquals19_s3
    Csaw18_shellpointcode
    defconquals19_s6

20.) Patching/Jumping

    dcquals18_elfcrumble
    plaid19_plaid_part_planning_III
    csaw16_gametime

21.) .NET Reversing

    csaw13_dotnet
    csaw13_bikinibonanza
    whitehat18_re06

22.) Movfuscation

    sawmpctf19_future
    asis18quals_babyc
    other_movfuscated

23.) Custom Architectures

    h3_challenge0
    h3_challenge1
    h3_challenge2
    h3_challenge3

Heap Pt 0
24.) Basic Heap overflow

    protostar_heap1
    protostar_heap0
    protostar_heap2

25.) Intro to heap exploitation / binning

    explanation

26.) Heap Grooming

    explanation
    swamp19_heapgolf
    pico_areyouroot

27.) Edit Freed Chunk (pure explanation)

    Use After Free
    Double Free
    Null Byte Heap Consolidation

28.) Fastbin Attack

    explanation
    0ctf18_babyheap
    csaw17_auir

29.) tcache

    explanation
    dcquals19_babyheap
    plaid19_cpp

30.) unlink

    explanation
    hitcon14_stkof
    zctf16_note

31.) Unsorted Bin Attack

    explanation
    hitcon_magicheap
    0ctf16_zer0storage

32.) Large Bin Attack

    largebin0_explanation
    largebin1_explanation

33.) Custom Malloc

    csawquals17_minesweeper
    csawquals18_AliensVSSamurai
    csawquals19_traveller

General Pt 2
34.) Qemu / Emulated Targets

    csaw18_tour_of_x86_pt_2
    csaw15_hackingtime
    csaw17_realism

35.) Integer Exploitation

    puzzle
    int_overflow_post
    signed_unsigned_int_expl

36.) Obfuscated Reversing

    csaw15_wyvern
    csaw17_prophecy
    bkp16_unholy

37.) FS Exploitation

    swamp19_badfile

38.) Grab Bag

    csaw18_doubletrouble
    hackim19_shop
    unit_vars_expl
    csaw19_gibberish

Heap pt 2
39.) House of Spirit

    explanation
    hacklu14_oreo

40.) House of Lore

    explanation

41.) House of Force

    explanation
    bkp16_cookbook

42.) House of Einherjar

    explanation

43.) House of Orange

    explanation

44.) More tcache

    csaw19_poppingCaps0
    csaw19_poppingCaps1

Github: https://github.com/guyinatuxedo/nightmare
Nightmare: https://guyinatuxedo.github.io/


More

In addition to the resource above, I just thought I'd drop this link as well.

Awesome Exploits

Github Wrote: curated list/collection of resources related to the art of exploitation.

https://github.com/backslash/AwesomeExploits
This is definitely a good resource; it's actually the newest addition to my own set of recommendations. So I figured I'd share a couple of thoughts on it.

While the intent is to be a course you can walk through, I do think there are better resources for your fundamentals, notably Open Security Training's Introduction to Software Exploitation.

What I really think is great about Nightmare though is the categorization of everything. For a long time CTFs have been a recommended way to learn about this side of security. Unfortunately, as CTF teams have matured, the challenges in CTFs have started to leave the realm of realism in order to remain challenging to the top teams.

Even so, CTF challenges are still usually designed around showcasing one particular type of exploit technique in a bite-sized format meant to be solved in a matter of hours or at most a couple of days, not weeks or months like real world exploits. So they are still useful for training.

Back on topic, Nightmare categorizes several CTF challenges, which is where I think it becomes very useful as a reference or starting place for learning about some basic techniques. Take it section by section as a section interests you rather than treating it like a course to work through.

I tend to recommend Nightmare as a follow up on ROP Emporium, or just once you have an understanding of the basics up to ROP. (stack smashing, write-what-where style attacks, ASLR defeats, and code reuse attacks [ret2libc through rop])

At which point Nightmare becomes a good resource to brush up on some of the things often left out, like taking advantage of an integer overflow or array indexing issues to get to an exploitable state (Sections 9 and 4 respectively), and various heap exploitation techniques (section 8, but Shellphish's how2heap is great for that too).

Ultimately it's a nicely sorted list you can pick and choose from to have small, digestible challenges to tackle over, say, a weekend and know the basic idea you're going to learn from it.
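The two bug classes dropzone points at above, an integer overflow or a bad array index used to reach an exploitable state (the outline's Integer Exploitation and Index Array sections), usually come down to a bounds check that looks right but is not. The following is an added illustration in C, not code from Nightmare or from either poster: each vulnerable check sits beside a fixed version. SLOTS, the 4-byte element size and the 64-byte cap are made-up values chosen for the demonstration.

```c
/*
 * Added example (not from the Nightmare course): two "get to an
 * exploitable state" checks, each vulnerable version beside a fixed one.
 * SLOTS, ELEM_SIZE and the cap in main() are constructed values.
 */
#include <stdint.h>
#include <stdio.h>

#define SLOTS 8          /* signed on purpose: the bug below depends on it */
#define ELEM_SIZE 4u     /* bytes per element in the allocation example   */

/* ---- Index Array: signed index with a one-sided bound check ---------- */

/* Vulnerable: idx is signed, so every negative index satisfies idx < SLOTS
 * and a write to table[idx] lands before the array (saved pointers, flags,
 * or a return address if the table lives on the stack). */
int vuln_index_allowed(int idx) {
    return idx < SLOTS;
}

/* Fixed: reject both sides of the range. (Casting idx to unsigned before
 * the comparison is the common one-line idiom with the same effect.) */
int safe_index_allowed(int idx) {
    return idx >= 0 && idx < SLOTS;
}

/* ---- Integer Exploitation: allocation size wraps around -------------- */

/* What the vulnerable code actually allocates: count * 4 computed in 32
 * bits wraps modulo 2^32, so 0x40000001 elements becomes 4 bytes. */
uint32_t wrapped_alloc_size(uint32_t count) {
    return count * ELEM_SIZE;
}

/* Vulnerable: the cap is compared against the wrapped byte count, so a
 * huge count passes while the copy loop later iterates `count` times. */
int vuln_size_check(uint32_t count, uint32_t cap) {
    uint32_t bytes = count * ELEM_SIZE;
    return bytes <= cap;
}

/* Fixed: refuse any count whose product cannot fit before multiplying. */
int safe_size_check(uint32_t count, uint32_t cap) {
    if (count > UINT32_MAX / ELEM_SIZE)
        return 0;
    return count * ELEM_SIZE <= cap;
}

int main(void) {
    int idx = -1;
    printf("idx %d: vulnerable check %s, fixed check %s\n", idx,
           vuln_index_allowed(idx) ? "passes" : "rejects",
           safe_index_allowed(idx) ? "passes" : "rejects");

    uint32_t count = 0x40000001u, cap = 64u;
    printf("count 0x%x: really needs 0x%llx bytes, wraps to %u; "
           "vulnerable check %s, fixed check %s\n",
           count, (unsigned long long)count * ELEM_SIZE,
           wrapped_alloc_size(count),
           vuln_size_check(count, cap) ? "passes" : "rejects",
           safe_size_check(count, cap) ? "passes" : "rejects");
    return 0;
}
```

The index bug is the one-sided comparison, not the array itself; the integer bug is that the cap is compared against a value that has already wrapped. Both are what the CTF challenges in those sections hand you before the actual memory corruption begins.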
(06-15-2020, 11:04 AM)dropzone Wrote: This is definitely a good resource; it's actually the newest addition to my own set of recommendations.

Duly noted :) I've started to check out some of the open security courses, looks pretty solid. Although I'm lacking a bit in C before dabbling into assembly. But I'll use this post as a good roadmap!

Thanks for the advice.
(06-20-2020, 03:59 PM)Insider Wrote: Duly noted :) I've started to check out some of the open security courses, looks pretty solid.

This course is good for understanding assembly: base64 encoded link

aHR0cHM6Ly9tZWdhLm56L2ZvbGRlci9zVTBSbEE1SiNsT1dVQnBZMms3S1kwX1QzYW5QZU1B