Prologue - What is Tao 「一陰一陽之謂道。」——《周易》 In this blog, I’ll introduce Tao, the malware uses Heaven’s Gate and Hell’s Gate techniques. I’ll try to explain the principles behind each of these distinct malware techniques and show how I design Tao in Zig programming language. By the way, this article is not my own research, it references plenty of other researchers’ findings. So it acts more like a note I took while learning from others’ research. If you got time, please take a look at those resear ...

Windows Data Types The Windows API has many datas types outside of the well-known ones (e.g. int, float). The data types are documented and can be viewed here. Some of the common data types are listed below: DWORD - A 32-bit unsigned integer, on both 32-bit and 64-bit systems, used to represent values from 0 up to (2^32 - 1). DWORD dwVariable = 42; size_t - Used to represent the size of an object. It’s a 32-bit unsigned integer on 32-bit systems representing values from 0 up to (2^32 - 1 ...

HTB CBBH Experience Sharing Finally, I’ve got my CBBH certification from HackTheBox on last friday! This certification is totally underrated! It’s content is well-organized & comprehensive. I would say that this is really a good start if you’re interested in offensive web security. It’s a unforgettable experience, and here are some tips for those who also want to join the CBBH gang! 📚 Go through the content twice There’s really A LOT in the whole CBBH content, from different attack approach ...

Why this? Why? Just since it makes my terminal looks prettier and easier to understand. It devides every command into a BLOCK so that I can easily get to the point. How it looks like? The gray line in the graph is how it looks like. You can change the color later in your setup. Setup function print_separator() { local cols=$(tput cols) local color="\033[38;2;68;71;90m" # RGB(68, 71, 90), you can change the color here local reset="\033[0m" printf "\n" printf ...

0x00 Challenge Info Obviously, it’s an LFI vuln. The web application can read the local file to response the different page. 0x01 Reconnaissance We can found that the file can be read by such as page=file:///etc/passwd. 0x02 Exploit Use the file:///flag.txt to read the flag.txt in the root path. 0x03 Pwned

Prologue This is the first time I have won a place in a CTF contest. Following are the score board and my score over time. Web Ave Mujica After some recons, I found the web server is built by gunicorn, and the web looks like having a directory traversal to LFI vulnerability. After I go do some research, I tried some LFI wordlist and finally got the flag by reading the /proc/self/environ. The PoC is as follows. curl 'http://172.31.3.2:168/image?name=../../../../proc/self/environ' --output flag. ...

Easy Crack Open IDA and find the check password function (you can use a string to find it). I will put the decompiled function below. int __cdecl sub_401080(HWND hDlg) { CHAR String[97]; // [esp+4h] [ebp-64h] BYREF __int16 v3; // [esp+65h] [ebp-3h] char v4; // [esp+67h] [ebp-1h] memset(String, 0, sizeof(String)); v3 = 0; v4 = 0; GetDlgItemTextA(hDlg, 1000, String, 100); if ( String[1] != 'a' || strncmp(&String[2], Str2, 2u) || strcmp(&String[4], aR3v ...