<?xml version="1.0" encoding="UTF-8" ?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
	<atom:link href="https://www.theopechli.com/article/index.xml" rel="self" type="application/rss+xml" />
	<title>Articles - theopechli</title>
	<link>https://www.theopechli.com/article/</link>
	<description>Articles authored by theopechli</description>
	<item>
		<title>CORS issues with RP-Initiated Logout</title>
		<link>https://www.theopechli.com/article/2025/01/25/cors-issues-with-rp-initiated-logout/</link>
		<guid>https://www.theopechli.com/article/2025/01/25/cors-issues-with-rp-initiated-logout/</guid>
		<pubDate>Sat, 25 Jan 2025 09:00:00 +0000</pubDate>
		<description>This blog post outlines a CORS related issue with RP-Initiated logout and how one could solve it, albeit naively.</description>
	</item>
	<item>
		<title>Apache Camel failover load balancer with dynamic endpoints</title>
		<link>https://www.theopechli.com/article/2025/01/18/apache-camel-failover-load-balancer-with-dynamic-endpoints/</link>
		<guid>https://www.theopechli.com/article/2025/01/18/apache-camel-failover-load-balancer-with-dynamic-endpoints/</guid>
		<pubDate>Sat, 18 Jan 2025 09:00:00 +0000</pubDate>
		<description>This blog post showcases how to create an Apache Camel route, which load balances a dynamic number of endpoints with failover in Round Robin mode.</description>
	</item>
	<item>
		<title>Exploit Education Phoenix x86 Format Three</title>
		<link>https://www.theopechli.com/article/2019/10/26/exploit-education-phoenix-x86-format-three/</link>
		<guid>https://www.theopechli.com/article/2019/10/26/exploit-education-phoenix-x86-format-three/</guid>
		<pubDate>Sat, 26 Oct 2019 09:00:00 +0000</pubDate>
		<description>Introduction: Format Three is the continuation of the format string vulnerability challenges. Recon: The binary is almost identical with the one from the previous level. The only difference is that the value to be written to the address of the flag  is . Exploit: With that in mind, the methodology to be followed takes into account the exploit from the previous level. In order to write 4 bytes, one at a time, the exploit needs to be modified a little bit. Replace  with the output of the command  and  with the full path to the file that contains the input to be rea...</description>
	</item>
	<item>
		<title>Exploit Education Phoenix x86 Format Two</title>
		<link>https://www.theopechli.com/article/2019/10/18/exploit-education-phoenix-x86-format-two/</link>
		<guid>https://www.theopechli.com/article/2019/10/18/exploit-education-phoenix-x86-format-two/</guid>
		<pubDate>Fri, 18 Oct 2019 09:00:00 +0000</pubDate>
		<description>Introduction: Format Two is the continuation of the format string vulnerability challenges. Recon: There are a few things to break down: The binary needs an argument. The argument is copied into a buffer, which is set to zero beforehand. There is a call to , which simply calls  with the buffer as a format string. The objective is to overwrite the variable  with an arbitrary value. Exploit: Due to the simplicity of this level,  should offer enough help to exploit this vulnerability. The methodology is as follows: Execute the binary with  and as an argument write 4 byte...</description>
	</item>
	<item>
		<title>Exploit Education Phoenix x86 Format One</title>
		<link>https://www.theopechli.com/article/2019/10/17/exploit-education-phoenix-x86-format-one/</link>
		<guid>https://www.theopechli.com/article/2019/10/17/exploit-education-phoenix-x86-format-one/</guid>
		<pubDate>Thu, 17 Oct 2019 09:00:00 +0000</pubDate>
		<description>Introduction: Format One is the continuation of the format string vulnerability challenges. Recon: From the above, the key points are the following: The input is read from STDIN via a call to  at address . It is saved at  with a size restriction of 15 bytes. is used as a format string for  at . The objective is to overwrite  with , which is tested at . Exploit: The exploit is almost identical to the one from the previous level, with the only exception being the value that needs to be written to . Replace  with the output of the command  and  with the full path to t...</description>
	</item>
	<item>
		<title>Exploit Education Phoenix x86 Format Zero</title>
		<link>https://www.theopechli.com/article/2019/10/16/exploit-education-phoenix-x86-format-zero/</link>
		<guid>https://www.theopechli.com/article/2019/10/16/exploit-education-phoenix-x86-format-zero/</guid>
		<pubDate>Wed, 16 Oct 2019 09:00:00 +0000</pubDate>
		<description>Introduction: This series of format levels is all about exploiting format strings, and the first level introduces a simple format string vulnerability. Recon: Use  to get information about the binary. It seems that the binary doesn't differ from the ones of the previous levels. Here are the key takeaways by disassembling the binary: There is a call to  that saves the input, which is read from STDIN, to a local variable, , and restricts the size to 15 bytes. There is a call to  that takes  as a format string and sends the formatted output to another local vari...</description>
	</item>
	<item>
		<title>Exploit Education Phoenix x86 Stack Five</title>
		<link>https://www.theopechli.com/article/2019/10/14/exploit-education-phoenix-x86-stack-five/</link>
		<guid>https://www.theopechli.com/article/2019/10/14/exploit-education-phoenix-x86-stack-five/</guid>
		<pubDate>Mon, 14 Oct 2019 09:00:00 +0000</pubDate>
		<description>Introduction: Stack Five is the continuation of the stack-based buffer overflow challenges. Recon: Use  to get information about the binary. As can be seen, the same information about the binary as in the previous levels is presented here as well. To disassemble the binary,  comes in handy. The infamous  call is once again used. This level is all about shellcoding and that's why the buffer has a size of 136 bytes. The way of shellcoding is pretty simple. The contents of the payload are listed below: NOP sled, so that there is some flexibility as to what the va...</description>
	</item>
	<item>
		<title>Exploit Education Phoenix x86 Stack Four</title>
		<link>https://www.theopechli.com/article/2019/10/13/exploit-education-phoenix-x86-stack-four/</link>
		<guid>https://www.theopechli.com/article/2019/10/13/exploit-education-phoenix-x86-stack-four/</guid>
		<pubDate>Sun, 13 Oct 2019 09:00:00 +0000</pubDate>
		<description>Introduction: Stack Four is the continuation of the stack-based buffer overflow challenges. Recon: Use  to get information about the binary. Same info as the previous levels. There is a vulnerable  call in the function . The objective seems to be to overwrite the return address of that function to return to the function  at address . In order to do that, it is essential to calculate the number of bytes that need to be written on the stack to overwrite the return address. There are a couple of ways: use  to generate a cyclic pattern, called De Bruijn Sequence, and ...</description>
	</item>
	<item>
		<title>Exploit Education Phoenix x86 Stack Three</title>
		<link>https://www.theopechli.com/article/2019/10/12/exploit-education-phoenix-x86-stack-three/</link>
		<guid>https://www.theopechli.com/article/2019/10/12/exploit-education-phoenix-x86-stack-three/</guid>
		<pubDate>Sat, 12 Oct 2019 09:00:00 +0000</pubDate>
		<description>Introduction: Stack Three is the continuation of the stack-based buffer overflow challenges. Recon: To get information about the binary,  is really useful. Once more, this is a 32-bit Linux ELF with no protection against stack overflows. The next step is to disassemble the binary. This level is really not that different from the previous ones. What is of importance is that the variable , which needs to be overwritten by exploiting the vulnerable stack-based buffer overflow  call, is being ed. Considering that its value can be overwritten, this means that an atta...</description>
	</item>
	<item>
		<title>Exploit Education Phoenix x86 Stack Two</title>
		<link>https://www.theopechli.com/article/2019/10/12/exploit-education-phoenix-x86-stack-two/</link>
		<guid>https://www.theopechli.com/article/2019/10/12/exploit-education-phoenix-x86-stack-two/</guid>
		<pubDate>Sat, 12 Oct 2019 09:00:00 +0000</pubDate>
		<description>Introduction: Stack Two is the continuation of the stack-based buffer overflow challenges. Recon: Once more,  is used to get some information about the binary. Of the important info above, everything is the same as the previous levels. The binary is a 32-bit Linux ELF with no protection against stack overflow. What differs from the previous level is the fact that the input is read via an environment variable. The objective remains the same, which is to overwrite a local variable, . This is feasible, because there is a call to  that copies the contents of the en...</description>
	</item>
	<item>
		<title>Exploit Education Phoenix x86 Stack One</title>
		<link>https://www.theopechli.com/article/2019/10/10/exploit-education-phoenix-x86-stack-one/</link>
		<guid>https://www.theopechli.com/article/2019/10/10/exploit-education-phoenix-x86-stack-one/</guid>
		<pubDate>Thu, 10 Oct 2019 09:00:00 +0000</pubDate>
		<description>Introduction: Stack One is very similar to Exploit Education Phoenix x86 Stack Zero with a few minor exceptions, which will be introduced shortly. Recon: The use of  is essential to understand a little bit about the binary. So as to avoid repetition, the information about the binary is almost identical to that of the previous level. To sum up, this is a 32-bit Linux ELF with no protection against stack-based buffer overflows, among others. Time to disassemble the binary with . Below is the output of , which outputs the...</description>
	</item>
	<item>
		<title>Exploit Education Phoenix x86 Stack Zero</title>
		<link>https://www.theopechli.com/article/2019/10/09/exploit-education-phoenix-x86-stack-zero/</link>
		<guid>https://www.theopechli.com/article/2019/10/09/exploit-education-phoenix-x86-stack-zero/</guid>
		<pubDate>Wed, 09 Oct 2019 09:00:00 +0000</pubDate>
		<description>Introduction: Phoenix is a virtual machine that can be obtained from exploit.education. It provides an educational environment so that one can practice their skills. For additional details, visit the website. In case of reluctance due to the risk of downloading an unknown virtual machine, Debian packages are also provided. Stack Zero, which is the first level, introduces the legendary stack-based buffer overflow. Recon: In order to get a glimpse of what the binary is all about, rabin2 comes to the rescue: What can be gathered from the above info are the follo...</description>
	</item>
</channel>
</rss>
