🦭
zzzZZZ...

Eric Hsieh doraeric

  • National Taiwan University
  • Taipei, Taiwan
@ricardo2197
ricardo2197 / return to dl-resolve.md
Last active March 1, 2024 19:31
Return-to dl-resolve

0ctf babystack with return-to dl-resolve

In this write-up I will discuss how I managed to solve the challenge "babystack" from 0ctf with a technique called return to dl-resolve. I did not know this kind of return-to attack before the contest. In the following sections a detailed explanation of the entire exploit will be presented.

1. Binary analysis

I downloaded the provided binary babystack and quickly fired up binaryninja alongside gdb to analyze it. I quickly realized a buffer overflow vulnerability is present within sub_804843b. My first approach was to solve this challenge using a return-to-libc attack by leaking the base address of the library and calling system in order to get a shell.
This technique is contingent on:

  1. Leaking libc base address
  2. Knowing the version of libc to get the offset of system.

However, the version of libc on the remote server was unknown and the ELF did not provide any function that can be us

@Davor111
Davor111 / sshuttle.sh
Created February 17, 2017 08:34
How to use sshuttle with .key, .csr or .pem files for authentication
# It's not directly mentioned in the documentation how to do this, so here you go. This command will tunnel everything, including DNS:
sshuttle --dns -vr user@yourserver.com 0/0 --ssh-cmd 'ssh -i /your/key/path.pem'
@mitchwongho
mitchwongho / osmc_expressvpn_openvpn.md5
Last active January 27, 2024 17:06
Setting Up TunnelBear or ExpressVPN (using OpenVPN) On OSMC
# Setting Up ExpressVPN (OpenVPN) On OSMC
## References
- [Brian Hornsby's Kodi OpenVPN plugin](http://brianhornsby.com/blog/how-to-setup-your-vpn-client)
- [Install and Configure OpenVPN on OSMC/Kodi](https://nerddrivel.com/2016/03/25/install-and-configure-openvpn-on-osmckodi/)
- [ExpressVPN - High speed, ultra secure, and easy to use. Instant setup.](https://www.expressvpn.com/)
- [[HOWTO] OSMC/Rasp Pi as OpenVPN client](https://discourse.osmc.tv/t/howto-osmc-rasp-pi-as-openvpn-client/1844/71)
## Steps
@drmalex07
drmalex07 / README-setup-tunnel-as-systemd-service.md
Last active July 18, 2024 07:33
Setup a secure (SSH) tunnel as a systemd service. #systemd #ssh #ssh-tunnel #ssh-forward

README

Create a template service file at /etc/systemd/system/secure-tunnel@.service. The template parameter will correspond to the name of the target host:

[Unit]
Description=Setup a secure tunnel to %I
After=network.target
@lyoshenka
lyoshenka / ngrok-selfhosting-setup.md
Last active February 1, 2024 20:14
How to set up Ngrok with a self-signed SSL cert

Intro

The plan is to create a pair of executables (ngrok and ngrokd) that are connected with a self-signed SSL cert. Since the client and server executables are paired, you won't be able to use any other ngrok to connect to this ngrokd, and vice versa.

DNS

Add two DNS records: one for the base domain and one for the wildcard domain. For example, if your base domain is domain.com, you'll need a record for that and for *.domain.com.

Different Operating Systems

@Angles
Angles / some iOS browser URI launching JS snippets.js
Last active October 8, 2023 18:57
"Open In" Bookmarklets for iOS
/* WITH MODS TO ORIG -- iOS Browser Bookmarklets to launch other apps and stuff */
/* ver 2014-04-14a */
/* backing up my "Open In" bookmarks */
// note iOS6 requires some changes to these
// BEGIN TESTING STUFF -- IN PROGRESS, LIKELY NOT WORKING
// SOME WORK, MOST tests DO NOT WORK --
// PINNER APP TEST STUFF (as a private one)
// the page title as the title and your selected text as the description.
@CristinaSolana
CristinaSolana / gist:1885435
Created February 22, 2012 14:56
Keeping a fork up to date

1. Clone your fork:

git clone git@github.com:YOUR-USERNAME/YOUR-FORKED-REPO.git

2. Add a remote for the original repository in your forked repository:

cd into/cloned/fork-repo
git remote add upstream git://github.com/ORIGINAL-DEV-USERNAME/REPO-YOU-FORKED-FROM.git
git fetch upstream