Welcome to Shellcode Injection, the deep dive into the choreography of code execution, where you don't just tap into the rhythm of a system, but you take the lead, guiding the entire ensemble of processes, threads, and instructions.
Once the gates of execution are breached, what follows?
Is it the end of the battle, or merely the beginning of a symphony?
How does one communicate with the very core of a machine, dictating its every move, turning threats into opportunities, limitations into launching pads?
For the hackers among us, the dance begins with shellcode.
But mastering this dance isn't about merely memorizing steps; it's about improvisation, anticipation, and adaptation.
Throughout this module, you'll dive deep into:
Execution Environments: Navigate the different arenas your shellcode might be thrown into, from the predictable world of memory allocation to the wild terrains of stack-based randomness.
Filters & Constraints: Often, the dance floor isn't clear. There might be traps set up, from the dreaded 'H' bytes checker to the cunning bubblesort sorter, ready to trip your shellcode up. Can you weave through these obstacles, adjusting your steps on the fly?
Shellcoding Techniques: With the right steps, even the most intricate of routines can be bypassed. Master techniques such as nop sleds, self-modifying code, position-independent practices, and the cunning of two-stage shellcodes to remain unstoppable.
Dancing with a processor isn't just about knowing the steps, but understanding the language and semantics of each instruction.
While you'll have the stage to yourself, we ensure you're never alone on this journey.
Equip yourself with these invaluable scrolls of wisdom:
x64.syscall.sh: Your cheat sheet for syscalls. A glance here, and you're always ahead.
Syscalls Manpage: Understand not just the calls, but their deeper implications.
Felix Cloutier: Dive into the heartbeats of instructions, ensuring you're always in step.
x86asm Reference: Decode the bytes into moves, turning the tables on any challenge.
As you embark on this journey, remember, it's not just about taking control; it's about finesse, elegance, and the joy of the dance.
In the vast assembly halls of x64, the processor awaits your cue.
So, put on your dancing shoes, and let's speak the language of the processor!
Lectures and Reading
Lots of external resources are referred to in the module videos.
Additionally, the following reading material is useful:
Write and execute shellcode to read the flag, but a portion of your input is randomly skipped.
Write and execute shellcode to read the flag, but your inputted data is filtered before execution.
Write and execute shellcode to read the flag, but your inputted data is filtered before execution.
Write and execute shellcode to read the flag, but the inputted data cannot contain any form of system call bytes (syscall, sysenter, int). Can you defeat this?
Write and execute shellcode to read the flag, but the inputted data cannot contain any form of system call bytes (syscall, sysenter, int); this challenge adds an extra layer of difficulty!
Write and execute shellcode to read the flag, but all file descriptors (including stdin, stderr and stdout!) are closed.
Write and execute shellcode to read the flag, but you only get 18 bytes.
Write and execute shellcode to read the flag, but your input has data inserted into it before being executed.
Write and execute shellcode to read the flag, but your input is sorted before being executed!
Write and execute shellcode to read the flag, but your input is sorted before being executed and stdin is closed.
Write and execute shellcode to read the flag, but every byte in your input must be unique.
Write and execute shellcode to read the flag, but this time you only get 12 bytes!
Write and execute shellcode to read the flag, but this time you only get 6 bytes :)
Write and execute shellcode to read the flag, but this time only using the following syscalls: ["open", "read", "write"].
Write and execute shellcode to read the flag, but this time only using the following syscalls: ["open", "sendfile"].
Write and execute shellcode to read the flag, but this time only using the following syscalls: ["open", "read"]. Note that "write" is disabled! You will need a creative way of extracting the flag data from your process!
Write and execute shellcode to read the flag, but this time only using the following syscalls: ["read", "exit"]. Note that "write" is disabled! You will need a creative way of extracting the flag data from your process!
Write and execute shellcode to read the flag, but this time only using the following syscalls: ["read", "nanosleep"]. Note that "write" is disabled! You will need a creative way of extracting the flag data from your process!
Write and execute shellcode to read the flag, but this time only using the following syscalls: ["read", "write"]. Note that stdin, stderr and stdout are closed. You will need a creative way of extracting the flag data from your process!
Write and execute shellcode to read the flag, but this time only using the following syscalls: ["sendfile"]. Note that stdin, stderr and stdout are closed. You will need a creative way of extracting the flag data from your process!
Write and execute shellcode to read the flag, but this time only using the following syscalls: ["close", "stat", "fstat", "lstat"].
Write and execute shellcode to read the flag, but this time only using the following syscalls: ["read"]. Note that "write" is disabled! You will need a creative way of extracting the flag data from your process!