Rapid7 Velociraptor Exploit PoC

Wed, 22 Apr 2026 07:07:07 +0100

What is Velociraptor?

Velociraptor is an open-source endpoint monitoring, digital forensic and cyber response platform with plenty of capabilties. Originally developed by Rapid7, it now has over 100 contributors on GitHub. Security professionals with varying levels of access use this Security tool. Given all of the privileges this software has, as an attacker, vulnerabilities in it make it all the more juicy.

Understanding the Vulnerability

CVE-2025-6264

Affected versions before 0.74.3
Affects Windows, MacOS and Linux

To detect unintended privilege escalations in custom artifacts, users should run the artifact verifier as described here: https://docs.velociraptor.app/docs/artifacts/security/#restricting-dangerous-client-artifacts

Setup Windows 11 VM on Arch Linux

Tue, 10 Mar 2026 07:07:07 +0100

Qemu on its own can be a bit scary but don’t worry this is super easy. If you already have Qemu/KVM setup go to Windows Installation Media. Lets jump straight into it:

Qemu/KVM

Just making sure your system can use the software, then installing it :)

Make sure you update your system first!

KVM

https://wiki.archlinux.org/title/KVM

Kernel-based Virtual Machine (KVM) makes hosting virtual machines super easy.

Check for processor support: LC_ALL=C.UTF-8 lscpu | grep Virtualization
- Should return ADM-V or VT-x
- If nothing returns, you can’t use KVM.
Check for necessary kernel modules: zgrep CONFIG_KVM= /proc/config.gz
- Should return either y or m
Make sure the modules are loaded:

$ lsmod | grep kvm

kvm_intel             245760  0
kvmgt                  28672  0
mdev                   20480  2 kvmgt,vfio_mdev
vfio                   32768  3 kvmgt,vfio_mdev,vfio_iommu_type1
kvm                   737280  2 kvmgt,kvm_intel
irqbypass              16384  1 kvm

libvirt

https://wiki.archlinux.org/title/Libvirt#Client

Facts

Tue, 03 Feb 2026 07:07:07 +0100

Information Gathering

> nmap 10.129.22.202 -sCV -p- --open

22
- SSH is blocked by authentication
80
- HTTP hosting a simple website with facts to read.
54321 HTTP – redirect to 9001

Exploitation

By walking the site, we find an admin login page by reading the page source.
From there we are able to create a new admin account.
- This new account doesn’t have full privileges.
However, we see that it is using Camaleon CMS version 2.9.0
- This has a Mass Assignment vulnerability for Privilege Escalation
- CVE-2025-2304
- We can use this proof of concept: https://github.com/d3vn0mi/cve-2025-2304-poc
Using the exploit, we get access to the admin panel.
- This website is using Ruby. So we can try to get a ruby Reverse shell by uploading a file.
- I think this may be possible as well with more time.
Instead, using another CVE we get file inclusion.
With the exploit we read /home/trivia/.ssh/id_ed25519
- This will output the user’s private ssh key:

——BEGIN OPENSSH PRIVATE KEY—– b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABBBjiZADO dtctyuCfPvlK6JAAAAGAAAAAEAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIBGGQJW4pNnMqYSI CpzP1BZ+GsR5Sox+8tBAIsX2Ev9RAAAAoI3/9swkZHFRnU1w+ylzRNebxOWg5T+9HRDi/s PFWehTZVCrG8AliD7+Sfdal2IMDeR4Y7gyJRtWHOfuCnbXvFy0nIbEENRGBBs6mpMp6Gp8 HrRnw5L1fzdbEREr4AKUrDEijp2sUAt1ybzj0WQclSXPOSEwDk+OSj5Z1P2CeYKKIPrLKz Swqe9ptBowCkgZ3WFJeX2uStN2YSXcytaClwo= —–END OPENSSH PRIVATE KEY—–

MonitorsFour

Tue, 03 Feb 2026 07:07:07 +0100

Information Gathering

> nmap 10.129.17.45 -sCV -oV -o htb/MonitorsFour/nmap -p-

port	service
80	http/nginx
5985	http/Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)

Port 5985

The root of the website is a 404 page. Running dirsearch showed a few 403 errors but nothing accessible

Port 80

subdomains:

cacti.monitorsfour.htb

Directories found using dirsearch:

/contact
/login
/user
/static
/views

In the login page source code we can see that it makes a POST request to /api/v1/auth.

Developing Implants for Chinese Targets

Fri, 09 Jan 2026 07:07:07 +0100

Implant Communication

Typical communications for C2s will be over commonly used ports such as HTTPS, ICMP, or DNS. We can use these common protocols to come up with interesting methods of communication. Another option is to use public platforms and communicate through them. We can use steganography for communication through images, dead drops with something like Pastebin, or encoded YouTube comments. With mainland China targets, we run into many more roadblocks.

Advent of Cyber: Dec 1st

Mon, 01 Dec 2025 07:07:07 +0100

Introduction

This was an interesting event. We didn’t end up completing the ‘sidequest’ but some of it was fun; a few parts were tedious. The sidequest after getting the egg was, by far, more interesting but it got late and never got around to completing more calendar days nor the sidequest. Doing all that work just for a PNG of an egg that unlocks more work was fun in its own respect and gave us a good laugh lol.

CodeTwo

Sat, 23 Aug 2025 07:07:07 +0100

Information Gathering

The server has two ports open:

22
- SSH is blocked by authentication
8000
- Running a simple webpage with a login, register, and download link
- Login and register are not vulnerable to SQL injection
- The download link downloads the code for the web application
- After creating an account we see that you can input JavaScript code and run in on the application as well as download written code.

After downloading the app.zip from the web application we can read through app.py and other components of the application.

Artificial

Tue, 01 Jul 2025 07:07:07 +0100

Enum

NMAP

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 7c:e4:8d:84:c5:de:91:3a:5a:2b:9d:34:ed:d6:99:17 (RSA)
|   256 83:46:2d:cf:73:6d:28:6f:11:d5:1d:b4:88:20:d6:7c (ECDSA)
|_  256 e3:18:2e:3b:40:61:b4:59:87:e8:4a:29:24:0f:6a:fc (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Artificial - AI Solutions
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Dirsearch

Target: http://artificial.htb/

[22:13:55] Starting:                                                               
[22:14:25] 302 -  199B  - /dashboard  ->  /login                      
[22:14:36] 200 -  857B  - /login                                     
[22:14:37] 302 -  189B  - /logout  ->  /                              
[22:14:49] 200 -  952B  - /register

Shell using tensorflow vulnerability

Setup Docker Image
Install Vim, remove export and build the image
Run the python code to create our exploit
Upload the .h5 file through the file upload

Shell popped

We can see app.py in the home directory

TwoMillion

Wed, 18 Jun 2025 07:07:07 +0100

Recon

NMAP

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_  256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp open  http    nginx
|_http-title: Did not follow redirect to http://2million.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.04 seconds

22 OpenSSH 8.9p1

80 nginx

|-> Redirect to http://2million.htb
|-> curl 10.10.11.221:80

<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx</center>
</body>
</html>

[!Note] Have to add 2million.htb to /etc/hosts

Lame

Tue, 10 Jun 2025 07:07:07 +0100

Recon

NMAP

└─$ nmap -sC -sV 10.10.10.3 -p-  
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-10 17:11 EDT
Stats: 0:01:13 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 31.33% done; ETC: 17:14 (0:02:38 remaining)
Nmap scan report for 10.10.10.3
Host is up (0.048s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.10.14.39
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:                                                        
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)        
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)        
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel        
                                                                      
Host script results:                                                  
| smb-security-mode:                                                  
|   account_used: guest                                               
|   authentication_level: user                                        
|   challenge_response: supported                                     
|_  message_signing: disabled (dangerous, but default)                
| smb-os-discovery:                                                   
|   OS: Unix (Samba 3.0.20-Debian)                                    
|   Computer name: lame                                               
|   NetBIOS computer name:                                            
|   Domain name: hackthebox.gr                                        
|   FQDN: lame.hackthebox.gr                                          
|_  System time: 2025-06-10T17:15:23-04:00                            
|_smb2-time: Protocol negotiation failed (SMB2)                       
|_clock-skew: mean: 2h00m33s, deviation: 2h49m44s, median: 31s

21 ftp

	|-> anonymous login allowed
	|-> SearchSploit:

vsftpd 2.3.4 - Backdoor Command Execution                        | unix/remote/49757.py
vsftpd 2.3.4 - Backdoor Command Execution (Metasploit)           | unix/remote/17491.rb

22 ssh

|-> SearchSploit:

OpenSSH 2.3 < 7.7 - Username Enumeration                         | linux/remote/45233.py
OpenSSH 2.3 < 7.7 - Username Enumeration (PoC)                   | linux/remote/45210.py
OpenSSH < 6.6 SFTP (x64) - Command Execution                     | linux_x86-64/remote/45000.c
OpenSSH < 6.6 SFTP - Command Execution                           | linux/remote/45001.py
OpenSSH < 7.4 - 'UsePrivilegeSeparation Disabled' Forwarded Unix | linux/local/40962.txt
OpenSSH < 7.4 - agent Protocol Arbitrary Library Loading         | linux/remote/40963.txt
OpenSSH < 7.7 - User Enumeration (2)                             | linux/remote/45939.py

139 netbios-ssn Samba 3.x-4.x

445 netbios-ssn Samba 3.0.20

|-> SearchSploit:

Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Comma | unix/remote/16320.rb
Samba 3.0.21 < 3.0.24 - LSA trans names Heap Overflow ( | linux/remote/9950.rb
Samba 3.0.24 (Linux) - 'lsa_io_trans_names' Heap Overfl | linux/remote/16859.rb
Samba 3.0.24 (Solaris) - 'lsa_io_trans_names' Heap Over | solaris/remote/16329.rb
Samba 3.0.27a - 'send_mailslot()' Remote Buffer Overflo | linux/dos/4732.c
Samba 3.0.29 (Client) - 'receive_smb_raw()' Buffer Over | multiple/dos/5712.pl
Samba < 3.0.20 - Remote Heap Overflow                   | linux/remote/7701.txt
Samba < 3.6.2 (x86) - Denial of Service (PoC)           | linux_x86/dos/36741.py

3632 distccd V1

Exploitation

Samba 3.0.20 has an RCE exploit that can be run in metasploit.
After that we get a root shell and the box is PWNed

Cap

Mon, 09 Jun 2025 07:07:07 +0100

Recon

NMAP

21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 fa:80:a9:b2:ca:3b:88:69:a4:28:9e:39:0d:27:d5:75 (RSA)
|   256 96:d8:f8:e3:e8:f7:71:36:c5:49:d5:9d:b6:a4:c9:0c (ECDSA)
|_  256 3f:d0:ff:91:eb:3b:f6:e1:9f:2e:8d:de:b3:de:b2:18 (ED25519)
80/tcp open  http    Gunicorn
|_http-title: Security Dashboard
|_http-server-header: gunicorn
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

searchspoit

vsftpd 3.0.3 - Remote Denial of Service

Walking the Web App

Port 80

We get a dashboard
- Logged in by default as user Nathan
  - Cookies?
    - Nope
- We see security snapshots page
  - PCAP analysis
  - Hint here perhaps the name of the box
    - Don’t see anything useful here
- Ipconfig output page
- Network status page
  - We see connections

Dir search

These pages are not accessible to dirsearch but we are automatically logged in

[23:11:25] 302 -  208B  - /data  ->  http://10.10.10.245/                   
[23:11:25] 302 -  208B  - /data/adminer.php  ->  http://10.10.10.245/       
[23:11:25] 302 -  208B  - /data/autosuggest  ->  http://10.10.10.245/       
[23:11:26] 302 -  208B  - /download/users.csv  ->  http://10.10.10.245/     
[23:11:26] 302 -  208B  - /download/history.csv  ->  http://10.10.10.245/

WireShark

Downloading 0.pcap
We see a FTP connection and the username and password are shown
- USER nathan
- PASS Buck3tH4TF0RM3!
logging in, we see user.txt and linpeas is on the system
SSH password is the same password

PE

LinPeas

LinPeas shows 95% PE chance on: CVE-2021-3560

Monero Node on A Raspi5

Thu, 06 Feb 2025 07:07:07 +0100

DietPi

The locales and keyboard setting are not set to en_US.UTF-8
- Make this change and select the correct keyboard layout
Once connected to the internet DietPi will update

Install the packages you want for general use

sudo apt install vim ufw fail2ban unattended-upgrades tor

Configure External SSD for the blockchain

sudo fdisk -l # identify your drive sudo mkfs.ext4 /dev/sdX # replace X with your drive letter sudo mkdir /mnt/blockchain sudo mount /dev/sdX /mnt/blockchain

Moms Chicken Potpie

Thu, 10 Oct 2024 07:07:07 +0100

I recommend reading [[#Step 2 Making The Shell]] portion first and find the tools that best suit you and/or have at your disposal! The rest is super easy :)

Ingredients

Crust

2 cups flour
1 teaspoon salt
3/4 cup Crisco
5 tablespoons cold water
1 egg (for brushing)

Fill

2 10oz cans of Cream of Potato (Campbells)
1 16oz can of Veg-all (Hard to find; try Walmart)
2 cups of chopped cooked Chicken
1/2 cup Milk
1/2 teaspoon Pepper

Tools

Pie dish
Rolling pin
Large pot

Step 1

Boil Chicken

Soy Glazed Meatloaf

Wed, 09 Oct 2024 07:07:07 +0100

With Sesame Roasted Potatoes & Sauteed Bok Choy (2 servings - 35-45 minutes)

Ingredients:

10oz Ground Pork (substitute with beef)
1 Pasture-Raised Egg
3/4 cup Panko Breadcrumbs
3/4 lb Potatoes
2 Cloves Garlic
10 oz Baby Bok Choy (Three babies)
2 Scallions (Just 1 is fine)
1 Tbsp Sesame Oil
1 Tbsp Rice Vinegar
2 Tbsps Soy Glaze
3 Tbsps Cumin-Sichuan Peppercorn Sauce (Substitute with Asian Szechuan sauce)

Steps

1. Prepare the ingredients & make the glaze

Place an oven rack in the center of the oven; preheat to 450F
Wash and dry the fresh produce.
Medium dice the potatoes.
Peel 2 cloves of garlic; using a zester or the small side of a box grater, finely grade into paste.
In a bowl, combine the soy glaze, cumin-Sichuan sauce, and half the vinegar

2. Season the potatoes

Line a sheet pan with foil.
Transfer the diced potatoes into a bowl. Drizzle with the sesame oil and season with salt and pepper; Toss to coat. Arrange in an even layer on one side of the sheet pan.

3. Roast the meatloaf & potatoes

Transfer half the glaze to a separate bowl and set aside for serving.
In a bowl, combine the pork, breadcrumbs, garlic paste, and egg; season with salt and pepper. Gently mix to combine.
Carefully transfer to the other side of the sheet pan of seasoned potatoes.
Shape into a tightly packed loaf, about 7 inches by 3 inches.
Evenly top the meatloaf with the remaining glaze.
Roast 18 to 22 minutes (20 minutes was perfect), or until the potatoes are tender when pierced with a fork and the meatloaf is browned and cooked through (160F)
Remove from the oven and let the roasted meatloaf rest at least 2 minutes

4. Prepare the remaining ingredients

Meanwhile, thinly slice the scallions, separating the white bottoms and the hollow green tops
Cut off and discard the root ends of the bok choy; roughly chop, separating the stems and leaves.

5. Cook the bok choy

In a medium pan (nonstick), heat a drizzle of olive oil on medium-high heat until hot.
Add the chopped bok choy stems and sliced white bottoms of the scallions; season with salt and pepper. Cook, stirring occasionally, 2 to 3 minutes until softened.
Add the chopped bok choy leaves and remaining vinegar (carefully as it may splatter); season with salt and pepper. Cook, stirring frequently, 1 to 2 minutes or until wilted.
Turn off the heat

6. Slice the meatloaf & serve

Carefully transfer the rested meatloaf to a cutting board and cut along with width into equal-sized pieces.
Serve the sliced meatloaf with the roasted potatoes and cooked bok choy. Top the meatloaf with the reserved glaze. Garnish with the sliced green tops of the scallions.

Stuffed Meatballs

Wed, 09 Oct 2024 07:07:07 +0100

These meatballs are yummy. However, its not worth stuffing them. The cheese doesn’t stay melted and left my guests confused.

https://therecipecritic.com/mozzarella-stuffed-meatballs/

Ingredients

1 pound lean ground beef
▢ ¼ cup Italian bread crumbs
▢ ¼ cup grated parmesan cheese pre-grated from the jar
▢ ¼ cup yellow onion minced, about ¼ small onion
▢ 2 teaspoons garlic minced, about 2 cloves
▢ 1 egg
▢ 1 teaspoon dried oregano
▢ 1 teaspoon dried basil
▢ 1 teaspoon salt
▢ ½ teaspoon pepper
▢ 8 ounces mozzarella cheese diced into ½ inch pieces
▢ Marinara sauce
▢ spaghetti noodles.

Instructions

Preheat oven to 375 degrees Fahrenheit and line a baking sheet with parchment paper.

Wine Beef Stew

Wed, 09 Oct 2024 07:07:07 +0100

Ingredients

1 Tbsp. (or more) vegetable oil
2 lb. beef chuck stew meat, cut into 1" cubes
1 medium yellow onion, chopped
2 carrots, peeled, cut into rounds
2 stalks celery, chopped
Kosher salt
Freshly ground black pepper
3 cloves garlic, finely chopped
1/4 cup tomato paste
6 cups low-sodium beef broth
1 cup red wine
1 Tbsp. Worcestershire sauce
2 fresh thyme sprigs
2 bay leaves
1 lb baby potatoes, halved
1 cup frozen peas
1/4 cup chopped fresh parsley

Directions

Preparation tips:

Setting Up a Site With Hugo

Sat, 14 Sep 2024 07:07:07 +0100

Intro

You don’t need to read this part really :3 Just me blabing. I wrote this as I installed and setup Hugo for the first time and documented issues I had along the way. Despite it being documentation for myself, this can also be used as a guide! I decided to use Hugo because I wanted to create a blog section for my website. I tried using Jekyll but I’m not a fan of Ruby. Also, Jekyll and its documentation felt dated compared to Hugo; which is written in Go. Being a fan of Rust I also looked at Zola; However Hugo felt like a better fit. At the end there is an install script.

Blueprint

Fri, 21 Jun 2024 07:07:07 +0100

New Vocabulary

LM hash (LanMan Hash)
- a compromised password hashing function that was the primary hash that Microsoft LAN manager and Windows used to store passwords
NTLM (New Technology LAN Manager)
- a suite of Microsoft security protocols intended to provide authentication, integrity, and confidentiality to users. NTLM is a challenge-response authentication protocol used to authenticate a client to a resource on an Active Directory domain or a server running a stand-alone Windows computer.

Accessing MariaDB (unauthorized)

mysql -h 10.10.120.20 -u root
- Not allowed to connect to this MariaDB server from IP

Exploit osCommerce 2.3.4

https://www.exploit-db.com/exploits/44374

Self Host Your Website without Opening Ports

Sat, 09 Mar 2024 07:07:07 +0100

This post is a follow along to a Youtube video walk-through that I recorded. We will be setting up a home server to host a web application without opening any ports on my home network. To accomplish this I’ll be using a Cloudflare tunnel.

[!note] The $ denotes a terminal command. Anything before $ denotes the current working directory.

0. Prerequisites

Remote Server
Cloudflare Account
Reliable Internet Connection

[!warning] A little disclaimer: I am not a professional; just a student. Do your own research but this should help you get up and running. For the most part I am just following Cloudflare and other documentation. I highly recommend you read through official documentation as needed.

Windows Kernel Exploitation

Fri, 16 Feb 2024 07:07:07 +0100

This journey was a project I worked on between classes before deciding to make it my final project for my Security 2 class. This will start by diving into Windows internals then reverse engineering and finally exploiting. However, as it stands right now the exploit just results in bluescreening the target machine. I will continue learning with this project in the future as it has already been a great learning adventure.

A Time Before

Mon, 01 Jan 2024 07:07:07 +0100

Though the date is marked differently, I am writing this on 02-07-2026…

I have lots of notes of the CTFs completed on Try Hack Me but they are nearly incoherent. Before this point (and even after) I had not learned how to take CTF notes and some of the early notes were just in a GUI text editor on Kali - But we all start somewhere, eh?

My note taking for challenges, and in general, has improved greatly over time. I went backwards through time adding my notes to this blog and it is cool seeing my documentation and technical improvement.

Halal Chicken and Rice

Mon, 09 Oct 2023 07:07:07 +0100

Ingredients

White Sauce

1 Cup Mayonnaise
1 Cup Greek Yogurt
1 Squeezed Lemon (Just mix this up and crack some pepper in it)

Everything else

Garlic Powder
Paprika
Turmeric
Thyme Powder
Oregano
Onion Powder
Lemon Juice
Salt
Olive Oil
Chicken thigh or chopped breasts
1 Cup rice

Steps

If using Chicken breasts cut to preferred size and place in a bowl to combine with seasonings.
- I just guestimate how much of the seasonings. Enough to coat each piece of chicken. Its quite a bit.
Place Chicken into cold pan
Heat for 5 minutes or until sizzling then flip Chicken and remove Chicken
Place Onion and Rice with water into pan
Return Chicken to pan with rice
Simmer for 15 minutes

Operating System Build

Thu, 28 Sep 2023 07:07:07 +0100

Setup

Using Windows Subsystem for Linux (Debian)

Install list
- gcc
- build-essential
- bison
- flex
- libgmp3-dev
- libmpc-dev
- libmpfr-dev
- texinfo
Cross-Compiler
- git clone https://github.com/lordmilko/i686-elf-tools
- cd i686-elf-tools
- ./i686-elf-tools.sh linux

Using Manjaro VM

Dependencies
- GCC (existing release you wish to replace), or another system C compiler
- G++ (if building a version of GCC >= 4.8.0), or another system C++ compiler
- Make
- Bison
- Flex
- GMP
- MPFR
- MPC
Download gcc and bin-utils to src and make them

Booting the Operating System

The bootloader, such as GRUB, used to start/load the operating system.
The operating system needs to handle when the bootloader passes control to it.
The kernel is passed a very minimal environment where the stack is not yet setup.
Because there is no stack yet, we must make sure global variables are set correctly.
- This is done in assembly

Bootstrap Assembly

i686-linux-gnu-as boot.s -o boot.o

blog.mauzy.net

Mon, 01 Jan 0001 00:00:00 +0000

whoami

Hello! Online I usually go by Mauzy or Mauzy0x00. I am a Cyber Security student and information technology enthusiast.

I spend most of my time learning something new in this field and I love that there is no end to what you can learn. I love to help others learn something new or accomplish a task so don’t hesitate to ask me for help!

what is this webpage?

Here I will be writing posts about things I create, setup or hack! These are written mostly for myself and documenation but I hope that they can help someone like you too! These write-ups are written as I complete tasks and I document issues that I ran into along the way. They will not be perfect so if you decide to follow along and see an issue or misconfiguration please let me know!

Rapid7 Velociraptor Exploit PoC

What is Velociraptor?

Understanding the Vulnerability

CVE-2025-6264

Setup Windows 11 VM on Arch Linux

Qemu/KVM

KVM

libvirt

Facts

Information Gathering

Exploitation

MonitorsFour

Information Gathering

Port 5985

Port 80

Developing Implants for Chinese Targets

Implant Communication

Advent of Cyber: Dec 1st

Introduction

CodeTwo

Information Gathering

Artificial

Enum

NMAP

Dirsearch

Shell using tensorflow vulnerability

Shell popped

TwoMillion

Recon

NMAP

22 OpenSSH 8.9p1

80 nginx

Lame

Recon

NMAP

21 ftp

22 ssh

139 netbios-ssn Samba 3.x-4.x

445 netbios-ssn Samba 3.0.20

3632 distccd V1

Exploitation

Cap

Recon

NMAP

searchspoit

Walking the Web App

Port 80

Dir search

WireShark

PE

LinPeas

Monero Node on A Raspi5

DietPi

Install the packages you want for general use

Configure External SSD for the blockchain

Moms Chicken Potpie

Ingredients

Crust

Fill

Tools

Step 1

Further Reading and Concepts

Kernel Entry Point

ABI

VGA Text Mode and BIOS Deprecated

UEFI and Framebuffers

Multiboot Flags and VESA VBE

Drawing Text in Framebuffer Mode

Implementation Details

Soy Glazed Meatloaf

Ingredients:

Steps

1. Prepare the ingredients & make the glaze

2. Season the potatoes

3. Roast the meatloaf & potatoes

4. Prepare the remaining ingredients

5. Cook the bok choy

6. Slice the meatloaf & serve

Stuffed Meatballs

Ingredients