[{"content":"Executive Summary Production Retrieval-Augmented Generation (RAG) systems represent a critical attack surface in enterprise AI deployments. This research demonstrates three novel attack vectors against Azure OpenAI-based RAG systems in realistic enterprise configurations.\nKey Findings Context Pollution via Document Injection — Attackers can poison vector stores through compromised data sources Prompt Injection Through Retrieved Context — RAG retrieval enables indirect prompt injection at scale Token-Level Exfiltration — Data extraction via carefully crafted queries that force models to output sensitive context Practical Implications These attacks are not theoretical. We demonstrate working exploits against:\nAzure OpenAI API with custom RAG implementations Production vector database configurations (Pinecone, Weaviate) Enterprise knowledge base systems (Confluence, SharePoint) Mitigation Strategies [Detailed technical content here]\n[Full research post content]\n","permalink":"https://z-r0crypt.github.io/posts/2025-01-15-rag-exploitation-azure/","summary":"Demonstrates practical attacks on production RAG systems using prompt injection and context pollution. Includes working exploit code against Azure OpenAI deployments and mitigation strategies for defenders.","title":"Data Exfiltration via RAG Manipulation in Enterprise Azure Environments"},{"content":"Requirements: Root access | Linux with SSSD (Ubuntu 18.04+, RHEL, CentOS) | tdbdump installed\nImpact: Lateral movement on Domain-joined Linux systems | Hash cracking with Hashcat/John\nGitHub: https://github.com/z-r0crypt/SSSD-extract\nUsing this bash script it is possible to extract Active Directory accounts hashes when credential caching is enabled in SSSD.\n$ zsh sssd-extract.sh [$FolderPath] Without input arguments it takes the SSSD default path /var/lib/sss/db/ but you can use a different one. 
If tdbdump is not installed it just lists the ldb files which contain the hashes; you can install it with apt install tdb-tools or exfiltrate these files:\nIn a system with tdbdump installed the script will:\nExtract cached accounts and hashes, dumping the results to the file hashes.txt. The hashes can then be cracked using Hashcat or John the Ripper: john hashes.txt --format=sha512crypt Extract all the AD groups, Users and Machine accounts cached in the ldb file and save it to domain.txt *Note: A better approach would be to copy the ldb file to your attacking machine and run the script there.\nCredit ricardojoserf/SSSD-creds ","permalink":"https://z-r0crypt.github.io/posts/2023-08-20-sssd-extract-v2/","summary":"SSSD-Extract tool: dump AD account hashes, group memberships, and user accounts from Linux systems with SSSD credential caching enabled.","title":"SSSD-Extract: Dumping Active Directory Hashes from Linux Systems"},{"content":"Audience: OSEP exam candidates | Updated: January 2025 | Total machines: 40+ | Avg prep time: 3-4 weeks\nHow to use: Work machines in section order; each section builds on previous techniques.\nHTB Machines for OSEP Preparation List of HTB (Hack the Box) Machines to prepare for OSEP Exam (PEN-300) by Offensive Security.\n3. 
Client Side Code Execution With Office Attack Type HTB Machine Attack Used in HTB Link Phishing with Microsoft Office: RTF Document REEL malicious RTF Document (CVE-2017-0199) Walkthrough : https://youtube.com/watch?v=ob9SgtFm6_g\u0026amp;t=794 Tool: https://github.com/bhdresh/CVE-2017-0199 Phishing with Microsoft Office: LibreOffice RE LibreOffice Macro Walkthrough : https://youtube.com/watch?v=ob9SgtFm6_g\u0026amp;t=794 Tool: \u0026lt;\u0026gt; Phishing/Macro REEL2 Grab NTLMv2 with Malicious link Walkthrough : https://youtube.com/watch?v=Ro2vXt_WFDQ\u0026amp;t=2350 Tool: \u0026lt;\u0026gt; Phishing with Microsoft Office: LibreOffice RABBIT LibreOffice Macro Walkthrough : https://youtube.com/watch?v=5nnJq_IWJog\u0026amp;t=1935 Tool: \u0026lt;\u0026gt; 4. Client Side Code Execution With Windows Script Host Attack Type HTB Machine Attack Used in HTB Link 5. Process Injection and Migration Attack Type HTB Machine Attack Used in HTB Link 6. Introduction to Antivirus Evasion Attack Type HTB Machine Attack Used in HTB Link Obfuscating Macro RE Walkthrough : https://youtube.com/watch?v=YXAakamjO_I\u0026amp;t=1005 7. Advanced Antivirus Evasion Attack Type HTB Machine Attack Used in HTB Link Amsi Bypass APT Walkthrough : https://youtube.com/watch?v=eRnqtXwCZVs\u0026amp;t=4650 Amsi Bypass PivotAPI Walkthrough : https://youtube.com/watch?v=eRnqtXwCZVs\u0026amp;t=4650 Amsi Bypass MULTIMASTER 8. 
Application Whitelisting Attack Type HTB Machine Attack Used in HTB Link Applocker Bypass REEL2 Breaking out of ConstrainedLanguage Mode by creating a function Walkthrough : https://youtube.com/watch?v=Ro2vXt_WFDQ\u0026amp;t=3600 Applocker Bypass GIDDY Escaping powershell constrained mode with PSBypassCLM Walkthrough : https://youtube.com/watch?v=Ro2vXt_WFDQ\u0026amp;t=3600 Applocker Bypass SEKHMET intended way of bypassing applocker Walkthrough : https://youtube.com/watch?v=vsgPsMZx59w\u0026amp;t=6300 Applocker Bypass - AppLocker Bypass COR Profiler Walkthrough : https://youtube.com/watch?v=Ro2vXt_WFDQ\u0026amp;t=3600 9. Bypassing Network Filters Attack Type HTB Machine Attack Used in HTB Link 10. Linux Post-Exploitation Attack Type HTB Machine Attack Used in HTB Link 11. Kiosk Breakouts Attack Type HTB Machine Attack Used in HTB Link 12. Windows Credentials Attack Type HTB Machine Attack Used in HTB Link Local Windows Credentials: LSASS Dump ATOM Using rundll32 to create a memory dump of LSASS Walkthrough : https://youtube.com/watch?v=1OC2eRVX0ic\u0026amp;t=1830 Local Windows Credentials: LSASS Dump BLACKFIELD running pypykatz to extract credentials Walkthrough : https://youtube.com/watch?v=1OC2eRVX0ic\u0026amp;t=1830 Local Windows Credentials: SAM Dump BASTION Extracting local passwords from SAM and SYSTEM with secretsdump Walkthrough : https://youtube.com/watch?v=2j3FNp5pjQ4\u0026amp;t=660 Local Windows Credentials: LAPS STREAMIO Identifying and Extracting the LAPS Password Walkthrough : https://youtube.com/watch?v=B9nozi1PrhY\u0026amp;t=11697 Local Windows Credentials: LAPS PivotAPI Discovering a user who can add groups to LAPS Walkthrough : https://youtube.com/watch?v=FbTxPz_GA4o\u0026amp;t=5990 Access Tokens: UAC ARKHAM UAC Bypass Walkthrough : https://youtube.com/watch?v=krC5j1Ab44I\u0026amp;t=3340 Access Tokens: SeImpersonate SCRAMBLED Abusing SeImpersonate Privilege Walkthrough : https://youtube.com/watch?v=2j3FNp5pjQ4\u0026amp;t=660 Access Tokens: 
Incognito HACKBACK Using incognito to grab our impersonation token for HACKER user Walkthrough : https://youtube.com/watch?v=B9nozi1PrhY\u0026amp;t=11697 13. Windows Lateral Movement Attack Type HTB Machine Attack Used in HTB Link 14. Linux Lateral Movement Attack Type HTB Machine Attack Used in HTB Link DevOps SEAL Abusing ansible playbook Walkthrough: https://www.youtube.com/watch?v=wCfztTcioU8\u0026amp;t=1260s DevOps INJECT Ansible enumeration and privilege escalation Walkthrough: https://www.youtube.com/watch?v=3VuIaUvHsTI\u0026amp;t=1320s Kerberos on Linux TENTACLE Configuring our attacker\u0026rsquo;s box kerberos to connect to Tentacle\u0026rsquo;s KDC, and steal keytab Walkthrough : https://youtube.com/watch?v=kKhuUXPmJ_o\u0026amp;t=3870 Kerberos on Linux CERBERUS examine the SSSD configuration and get a domain password Walkthrough : https://www.youtube.com/watch?v=IX4h5aaSK1g\u0026amp;t=2160s Kerberos on Linux SEKHMET Dumping the sssd.ldb, Using kinit to get a kerberos ticket Walkthrough : https://youtube.com/watch?v=kKhuUXPmJ_o\u0026amp;t=3870 15. Microsoft SQL Server Attack Type HTB Machine Attack Used in HTB Link MS SQL in AD ESCAPE Using mssqlclient to login to access MSSQL Walkthrough: https://youtube.com/watch?v=PS2duvVcjws\u0026amp;t=390 MS SQL Escalation SCRAMBLED enabling xp_cmdshell and getting a reverse shell Walkthrough: https://youtube.com/watch?v=_8FE3JZIPfo\u0026amp;t=1000 MS SQL Escalation STREAMIO Using xp_dirtree to make the MSSQL database connect back to us and steal the hash Walkthrough: https://youtube.com/watch?v=_8FE3JZIPfo\u0026amp;t=1000 16. 
Active Directory Exploitation Attack Type HTB Machine Attack Used in HTB Link AD Object permission theory REEL Explaining Active Directory (AD) Security Objects (GenericWrite, WriteOwner,etc) walkthrough: https://youtube.com/watch?v=ob9SgtFm6_g\u0026amp;t=3205 Abusing GenericAll SUPPORT Abusing GenericAll object permission walkthrough: https://youtube.com/watch?v=iIveZ-raTTQ\u0026amp;t=970 Abusing GenericAll, WriteDACL MULTIMASTER Abusing GenericAll, WriteDACL Walkthrough: https://youtube.com/watch?v=iwR746pfTEc\u0026amp;t=7410 Abusing GenericWrite, WriteDACL REEL Taking ownership and changing other user\u0026rsquo;s password Walkthrough: https://youtube.com/watch?v=ob9SgtFm6_g\u0026amp;t=3503 Kerberos Delegation PivotAPI Unconstrained delegation with the SQL User. Upload rubeus, use tgtdeleg Walkthrough: https://youtube.com/watch?v=FbTxPz_GA4o\u0026amp;t=7215 Kerberos Delegation INTELLIGENCE Unconstrained delegation Walkthrough: https://secnigma.wordpress.com/2021/11/27/hack-the-box-intelligence/ Kerberos Delegation SUPPORT RBCD walkthrough: https://youtube.com/watch?v=iIveZ-raTTQ\u0026amp;t=970 Post: https://pencer.io/ctf/ctf-htb-support/#rbcd ","permalink":"https://z-r0crypt.github.io/posts/2023-04-27-htb-osep-machines/","summary":"Complete HTB machine list for OSEP prep: client-side code execution, process injection, AV/AppLocker bypass, AD lateral movement, credential dumping.","title":"HTB Machines for OSEP/PEN-300 Preparation: Complete Attack Chain Mapping"},{"content":"Purpose: Reference guide for identifying and exploiting PHP vulnerabilities during web application penetration testing.\nUsage: Search by attack vector (RCE, LFI, information disclosure) for your target function.\nCommand Execution exec - Returns last line of commands output passthru - Passes commands output directly to the browser system - Passes commands output directly to the browser and returns last line shell_exec - Returns commands output \\`\\` (backticks) - Same as shell_exec() popen 
- Opens read or write pipe to process of a command proc_open - Similar to popen() but greater degree of control pcntl_exec - Executes a program PHP Code Execution Apart from eval there are other ways to execute PHP code: include/require can be used for remote code execution in the form of Local File Include and Remote File Include vulnerabilities.\neval() assert() - identical to eval() preg_replace(\u0026#39;/.*/e\u0026#39;,...) - /e does an eval() on the match create_function() include() include_once() require() require_once() $_GET[\u0026#39;func_name\u0026#39;]($_GET[\u0026#39;argument\u0026#39;]); $func = new ReflectionFunction($_GET[\u0026#39;func_name\u0026#39;]); $func-\u0026gt;invoke(); or $func-\u0026gt;invokeArgs(array()); List of functions which accept callbacks These functions accept a string parameter which could be used to call a function of the attacker\u0026rsquo;s choice. Depending on the function the attacker may or may not have the ability to pass a parameter. In that case an Information Disclosure function like phpinfo() could be used.\nFunction =\u0026gt; Position of callback arguments \u0026#39;ob_start\u0026#39; =\u0026gt; 0, \u0026#39;array_diff_uassoc\u0026#39; =\u0026gt; -1, \u0026#39;array_diff_ukey\u0026#39; =\u0026gt; -1, \u0026#39;array_filter\u0026#39; =\u0026gt; 1, \u0026#39;array_intersect_uassoc\u0026#39; =\u0026gt; -1, \u0026#39;array_intersect_ukey\u0026#39; =\u0026gt; -1, \u0026#39;array_map\u0026#39; =\u0026gt; 0, \u0026#39;array_reduce\u0026#39; =\u0026gt; 1, \u0026#39;array_udiff_assoc\u0026#39; =\u0026gt; -1, \u0026#39;array_udiff_uassoc\u0026#39; =\u0026gt; array(-1, -2), \u0026#39;array_udiff\u0026#39; =\u0026gt; -1, \u0026#39;array_uintersect_assoc\u0026#39; =\u0026gt; -1, \u0026#39;array_uintersect_uassoc\u0026#39; =\u0026gt; array(-1, -2), \u0026#39;array_uintersect\u0026#39; =\u0026gt; -1, \u0026#39;array_walk_recursive\u0026#39; =\u0026gt; 1, \u0026#39;array_walk\u0026#39; =\u0026gt; 1, 
\u0026#39;assert_options\u0026#39; =\u0026gt; 1, \u0026#39;uasort\u0026#39; =\u0026gt; 1, \u0026#39;uksort\u0026#39; =\u0026gt; 1, \u0026#39;usort\u0026#39; =\u0026gt; 1, \u0026#39;preg_replace_callback\u0026#39; =\u0026gt; 1, \u0026#39;spl_autoload_register\u0026#39; =\u0026gt; 0, \u0026#39;iterator_apply\u0026#39; =\u0026gt; 1, \u0026#39;call_user_func\u0026#39; =\u0026gt; 0, \u0026#39;call_user_func_array\u0026#39; =\u0026gt; 0, \u0026#39;register_shutdown_function\u0026#39; =\u0026gt; 0, \u0026#39;register_tick_function\u0026#39; =\u0026gt; 0, \u0026#39;set_error_handler\u0026#39; =\u0026gt; 0, \u0026#39;set_exception_handler\u0026#39; =\u0026gt; 0, \u0026#39;session_set_save_handler\u0026#39; =\u0026gt; array(0, 1, 2, 3, 4, 5), \u0026#39;sqlite_create_aggregate\u0026#39; =\u0026gt; array(2, 3), \u0026#39;sqlite_create_function\u0026#39; =\u0026gt; 2, Information Disclosure Most of these function calls are not sinks, but it may be a vulnerability if any of the data returned is viewable to an attacker. If an attacker can see phpinfo() it is definitely a vulnerability.\nphpinfo posix_mkfifo posix_getlogin posix_ttyname getenv get_current_user proc_get_status get_cfg_var disk_free_space disk_total_space diskfreespace getcwd getlastmod getmygid getmyinode getmypid getmyuid Other extract - Opens the door for register_globals attacks (see [study in scarlet - seclist](http://seclists.org/bugtraq/2001/Jul/att-26/studyinscarlet.txt)). parse_str - works like extract if only one argument is given. putenv ini_set mail - has CRLF injection in the 3rd parameter, opens the door for spam. header - on old systems CRLF injection could be used for XSS or other purposes; now it is still a problem if they do a header(\u0026#34;location: ...\u0026#34;); and they do not die();. The script keeps executing after a call to header(), and will still print output normally. This is nasty if you are trying to protect an administrative area. 
proc_nice proc_terminate proc_close pfsockopen fsockopen apache_child_terminate posix_kill posix_mkfifo posix_setpgid posix_setsid posix_setuid Filesystem Functions According to RATS all filesystem functions in PHP are nasty. Some of these don\u0026rsquo;t seem very useful to the attacker. Others are more useful than you might think. For instance if allow_url_fopen=On then a URL can be used as a file path, so a call to copy($_GET['s'], $_GET['d']); can be used to upload a PHP script anywhere on the system. Also, if a site is vulnerable to a request sent via GET, every one of those file system functions can be abused to channel an attack to another host through your server.\n// open filesystem handler fopen tmpfile bzopen gzopen SplFileObject-\u0026gt;__construct // write to filesystem (partially in combination with reading) chgrp chmod chown copy file_put_contents lchgrp lchown link mkdir move_uploaded_file rename rmdir symlink tempnam touch unlink imagepng - 2nd parameter is a path. imagewbmp - 2nd parameter is a path. image2wbmp - 2nd parameter is a path. imagejpeg - 2nd parameter is a path. imagexbm - 2nd parameter is a path. imagegif - 2nd parameter is a path. imagegd - 2nd parameter is a path. imagegd2 - 2nd parameter is a path. 
iptcembed ftp_get ftp_nb_get // read from filesystem file_exists file_get_contents file fileatime filectime filegroup fileinode filemtime fileowner fileperms filesize filetype glob is_dir is_executable is_file is_link is_readable is_uploaded_file is_writable is_writeable linkinfo lstat parse_ini_file pathinfo readfile readlink realpath stat gzfile readgzfile getimagesize imagecreatefromgif imagecreatefromjpeg imagecreatefrompng imagecreatefromwbmp imagecreatefromxbm imagecreatefromxpm ftp_put ftp_nb_put exif_read_data read_exif_data exif_thumbnail exif_imagetype hash_file hash_hmac_file hash_update_file md5_file sha1_file highlight_file show_source php_strip_whitespace get_meta_tags Reference - https://stackoverflow.com/a/3697776 ","permalink":"https://z-r0crypt.github.io/posts/2021-01-25-dangerous-php-functions/","summary":"PHP functions dangerous when exposed: command execution, code evaluation, callbacks, filesystem manipulation, and information disclosure vectors.","title":"Dangerous PHP Functions: Code Execution and Exploitation Reference"},{"content":"Why this matters: Improper IV/nonce handling has led to real breaches (WEP, SSL/TLS downgrades). Critical for secure implementation.\nNote: This continues from Week 2 Part 1 - read that first.\nUsing Block Ciphers Modes of operation: One time key Goal: Build a secure encryption from a secure PRP\nThe block cipher mode of operation defines the relationships between blocks encoded using the cipher. There are different modes that were created to make it more difficult for an attacker to guess the original content of the message.\nSecurity for one-time key Let’s start with a threat model (one-time keys) defined as follows:\nAdversary’s power: Adv sees only one cipher text Adversary’s goal: Learn info about PT from CT (semantic security) Reminder: semantic security for a one-time key. The attacker, if given c_0 and c_1 and m_0 and m_1 can’t know which one is the result of what message. 
Adv_{SS} [A, OTP] = | Pr[ EXP(0)=1 ] - Pr[ EXP(1) = 1 ] |\nECB (Electronic Code Book) - One time key When using ECB, each block of data is encrypted separately and they are then concatenated in the original order. Parallel processing is possible since blocks do not depend on one another. There is no need for an IV. The major problem of ECB is that if the same block of data is encrypted, it will always generate the same ciphertext. This makes it easier for the attacker to guess the original data based on repeating patterns.\nECB is badly broken. It works by breaking down the message into n blocks of the block size of the cipher and then encrypting each of the parts individually. The issue: the attacker learns when two segments have the same value. (if m_1 = m_2 -\u0026gt; c_1 = c_2)\nECB is not semantically secure for messages that contain more than one block.\nDeterministic counter mode from a PRF F (e.g. AES) - One time key E_{DETCTR} (k,m) = We build a stream cipher from a PRF.\nSecurity for many-time key Why? Many applications, such as filesystems or IPSec, encrypt a lot of traffic with the same key.\nWhen we use a key more than once, the adversary sees many cipher texts with the same key.\nAdversary\u0026rsquo;s power: chosen-plaintext attack, the attacker can obtain the encryption of arbitrary messages of his choice (How does it work IRL? You can email someone, email will be stored encrypted on disk and boom you have m and c).\nAdversary goal: Break semantic security\nSemantic security for a many-time key is defined exactly as semantic security for a one-time key, but the attacker can repeat any of the messages he chooses in the challenge. ==\u0026gt; Chosen Plaintext attack (CPA).\nAll the deterministic encryption schemes we’ve seen before are broken under a chosen plaintext attack (CPA).\nSo how do we fix this?\n1) Randomized encryption:\nencrypting the same message twice gives different cipher text. Ciphertext must be longer than plaintext. 
size(CT) = size (PT) + \u0026ldquo;#random bits\u0026rdquo;\nRandom bits should always be unique in order for it to be semantically secure 2) Nonce-based encryption:\nWe define a nonce as a value that changes from message to message. The pair (k, n) {k -\u0026gt; key; n -\u0026gt; nonce} should NEVER be used more than once. A nonce should always be unique; it doesn\u0026rsquo;t need to be random.\nWe will look at some examples of choosing a nonce. The nonce can conveniently be a counter (if in-order and reliable transmission channel, no need to transmit nonce). Another method of choosing a nonce could be picking a random nonce. If the same key is used by multiple machines, the nonce space needs to be very big and picked at random (easier to implement a “stateless” protocol).\nCBC (Cipher Block Chaining with a random IV) - Many time key (CPA security) IV (Initialization Vector) An initialization vector is a random (or pseudorandom) fixed-size input used in encryption methods. The main purpose of an IV is starting off an encryption method. In cipher modes like Cipher Block Chaining (CBC) each block is XOR-ed with the previous block. In the first block, there is no previous block to XOR with. An Initialization Vector is used as an input to the first block to start off the process.\nIf IV is unique for each message, it is called a nonce, which means that it can only be used once. A nonce should be unpredictable. It is also used to prevent attackers from decrypting all messages by guessing the IV. If you use a nonce, the same plaintext may be encrypted using the same key into different ciphertext.\nIV-based encryption When using CBC, each block is XORed with the previous ciphertext before encryption. This eliminates the problem of repeating patterns. An IV is needed to encrypt the first plaintext block. Parallel processing is not possible since the blocks are chained. 
There is one major disadvantage of CBC: if part of the message is garbled or lost, the remainder of the message is lost.\nWhen we start encrypting the first block, we pick a random IV (initialization vector of length one block). We XOR the first message block with it before encrypting. The IV is publicly known and prepended to the cipher text. Chaining is done by XORing the cipher text of the previous block with the next message block and then encrypting.\nWhat security does it provide?\nIt does provide semantic security:\nAdv_CPA [A , E_{CBC} ] \u0026lt;= 2 * Adv_PRP [B, E] + (2 q^2 L^2 / |X| = error term, needs to be negligible) CBC is secure as long as q^2L^2 \u0026laquo; |X| where L is the length of the messages and q is the number of times we used the key k to encrypt messages.\nApplied to AES, this means that after 2^48 blocks, we need to replace the key.\nCipher is not CPA secure if the IV is predictable.\nDecryption Circuit for IV based encryption\nNonce-based encryption Cipher-block chaining with unique nonce. (no need to include in first cipher text) : key = (k, k1).\nunique nonce means: (key, n) pair is used for only one message.\nIf the nonce is not random, it needs to be XORed with the first block.\nPadding Block ciphers have a specified fixed length and most of them require that the input data is a multiple of their size. It is common that the last block contains data that does not meet this requirement. In this case, padding (usually random data) is used to bring it to the required block length.\nIn TLS, you pad the n remaining bytes with the number n. 
If no pad is needed, add a dummy block.\nRandomised Counter-mode (CTR) (superior to CBC) Unlike CBC, randomised counter-mode doesn’t need a secure block cipher (PRP) but works with a secure PRF because we’re never going to invert the function F.\nHow does it work?\nWe pick a random IV, then we XOR the message blocks with F(k,IV + message block number)\nNonce based counter mode: IV = { 64-bit nonce | 64-bit counter (starts at 0 for every message)}\nNote that we can encrypt a maximum of 2^64 blocks per nonce because otherwise the counter overflows and the pad would be used a second time.\nWe can use counter-mode for more blocks than CBC because the adversary’s advantage is 2q^2L / |X| \u0026lt; CBC’s advantage.\nFor AES, we can encrypt 2^64 AES blocks with the same key with semantic security.\nAdvantage: It’s parallelizable! Fast encryption! And is so much better than CBC.\nComparison: CTR vs CBC ","permalink":"https://z-r0crypt.github.io/posts/2020-02-05-crypto-week2-part2/","summary":"Practical implementation of CBC and CTR modes: IV management, nonce-based encryption, padding schemes (TLS), and security bounds.","title":"Cryptography I: Advanced Block Cipher Modes and Padding"},{"content":"Why this matters: Block cipher security is foundational for understanding TLS, disk encryption, and database encryption in real systems.\nPrerequisites: Stream ciphers (Week 1), semantic security | Time: 3-4 hours\nBlock Ciphers A block cipher maps n bits of input to n bits of output. Examples :\n3DES: n=64bits, k=168 bits AES: n=128bits, k = 128,192,256 bits Block ciphers are typically built by iteration with a round function R(k, m). It takes as input the round key k and the message m. The key k is expanded into \u0026lsquo;round keys\u0026rsquo; k1, k2, \u0026hellip; kn. The message m is then encoded using the round function R, which takes one of the round keys and the current state of the message /mi/. 
This sequence of steps is applied iteratively until we reach /kn/, and the concatenation of the output of R is our cipher text.\nDifferent ciphers have different amount of rounds. For 3DES it\u0026rsquo;s 48, and for AES-128 it is 10.\nBlock ciphers are rather slow compared to stream ciphers. The longer the key, the slower they are. However we can do many things with block ciphers that we couldn\u0026rsquo;t do with stream ciphers.\nPseudo Random Function (PRF) A PRF is defined over (K, X, Y) {key-space K, input-space X and output-space Y} with F: K x X -\u0026gt; Y such that there exists an efficient algorithm to evaluate F(k,x).\nNote: A PRF doesn’t need to be revertible.\nPseudo Random Permutation (PRP) A PRP (block cipher) is defined over (K,X) with E: K x X -\u0026gt; X such that:\nExists efficient and deterministic algorithm to evaluate E(k,x) The function E(k, ・) is one-to-one. Exists an efficient inversion algorithm D(k,y) Examples:\n3DES: K x X -\u0026gt; X where X = {0,1}^64 , K = {0,1}^168 AES: K x X -\u0026gt; X where K = X = {0,1}^128 Any block cipher or PRP is also a PRF : A PRP is a PRF where X = Y and is efficiently invertible.\nSecure PRF Let F: K x X -\u0026gt; Y be a PRF\nFuns[X,Y]: the set of all functions from X to Y S_{F} = { F(k,・) s.t. k ∈ K} ⊆ Funs[X,Y] Intuition: A PRF is secure if a random function in Fun[X,Y] is indistinguishable from a random function in S_F.\nPRF gives us a PRG (PRF =\u0026gt; PRG) Let F: K x {0,1}^n -\u0026gt; {0,1}^n be a secure PRF. Then the following G: K -\u0026gt; {0,1}^{nt} is a secure PRG: G(k) = F(k,0) || F(k,1) || … || F(k,t)\nKey property: parallelizable\nSecurity from PRF property: F(k,・) indistinguishable from a random function f(・)\nSummary: - Block cipher basically maps n-bits of input to n bit of outputs - Built by Iteration\nDES (Data Encryption Standard) Early 1970: Horst Feistel designs Lucifer at IBM. key-len = 128 bits, block-len = 128 bits. 
1973: NBS (old name of NIST) asks for block cipher proposals. IBM submits variant of Lucifer. 1976: NBS adopts DES as a federal standard. key-len = 56 bits. block-len = 64 bits. Note: This is yet another example where standard bureaus do weaken cryptography. 1997: DES broken by exhaustive search 2000: NIST adopts Rijndael as AES (Advanced Encryption Standard) to replace DES. Widely deployed in banking (ACH) and commerce.\nDES: Core Idea - Feistel Network Given functions f_1, …, f_d: {0,1}^n -\u0026gt; {0,1}^n Goal: build invertible function F:{0,1}^{2n} -\u0026gt; {0,1}^{2n}\nA Feistel network is a series of steps that follow the structure: We start with R_0 for the first right half, L_0 for the first left half, and f_1 for the first function. We get L_1 by copying R_0, and R_1 from XOR\u0026rsquo;ing L_0 with the output of f_1(R_0). We keep applying the same process until we reach R_{d-1}, L_{d-1} and f_d, and the output of the process (the function F) is R_d and L_d. We claim that for all arbitrary functions f_1 to f_d, the outlined function F is invertible. We can prove this by constructing the inverse of the process: The inverse of one round of input is: R_i = L_{i+1}, L_i = f_{i+1}(L_{i+1}) XOR R_{i+1}. By repeating this step from d to 0, we have completed the inverse. Because the process is so similar, this is very attractive because the hardware that encrypts can be used f Used in many block ciphers, although not in AES. A Feistel Network mapping a 2n bit input to 2n bit output: Encryption: L_i = R_{i-1}, R_i = L_{i-1} XOR f_i(R_{i-1}). Decryption: L_i = f_{i+1}(L_{i+1}) XOR R_{i+1}, R_i = L_{i+1}\nFeistel networks are a general method for building invertible functions (block ciphers) from arbitrary functions. And it’s used in many block ciphers but not AES.\nThe Luby-Rackoff Theorem proves that if you take a secure PRF and let it go through 3 rounds of a Feistel network, the result is a secure PRP. 
Formally f: K x {0,1}^n -\u0026gt; {0,1}^n a secure PRF =\u0026gt; 3-round Feistel F: K^3 x {0,1}^{2n} -\u0026gt; {0,1}^{2n} is a secure PRP.\nDES is a 16 round Feistel network f_1, … , f_16: {0,1}^32 -\u0026gt; {0,1}^32, f_i (x) = F(k_i, x) where k_i is a round key from the key expansion.\nWe start with a 64-bit input that gets fed into an Initial Permutation (IP), which mixes the input bits around. This then gets fed into the 16-round Feistel network, which gets fed into a Final Permutation that undoes the shuffling around of IP. We are left with a 64-bit output.\nFor decryption, the algorithm is the same but you use the round keys in reverse order.\nThe Function F(k_i, x): takes a 32-bit value x and a 48-bit round key k_i. x gets expanded into 48 bits by duplicating and mixing. This expanded x gets XOR\u0026rsquo;ed with the round key. The resulting 48 bits are split into eight slots of 6 bits, which get fed into eight \u0026ldquo;S-boxes\u0026rdquo;. S-boxes spit out 4-bit values based on lookup tables. The resulting 32-bit value goes into yet another permutator, where it gets mixed and matched around. Essentially by using different round keys, we get different, arbitrary round functions. S-boxes function {0,1}^6 -\u0026gt; {0,1}^4\nS-boxes are implemented as lookup tables.\nExample: a bad S-box choice\nThere are good and bad versions of S-boxes. Mainly we don\u0026rsquo;t want the S-boxes to be calculated via a linear function, because this would mean that all that DES does is XOR\u0026rsquo;ing and moving bits around. If DES was wholly linear, this would mean that it\u0026rsquo;s not fully random. Choosing the S-boxes at random would not be enough to make them secure, as the chances of them being linear would be too high. The key could be recovered after about 2^24 outputs. So what do the creators of DES advise for building the S-box lookup tables?\nNo output bit should be close to a linear function of the input bits S-boxes are 4 to 1 maps. 
… Exhaustive search on DES Goal: given a few input/output pairs (m_i, c_i = E(k, m_i)), find key k.\nLemma: Suppose DES is an ideal cipher (2^56 random invertible functions). Then for all m,c there is at most one key k such that c = DES(k,m).\nWith two input-output pairs, the probability that the key is unique is very close to one for both DES and AES. Hence, two input/output pairs are enough for exhaustive key search.\nDES Challenge RSA issued a challenge to break DES exhaustively:\n1997: Internet Distributed Search = 3 months 1998: EFF machine (deep crack) = 3 days 1999: combined search = 22 hours 2006: COPACOBANA (FPGA) = 7 Days (cheap!) Conclusion of the challenge was ==\u0026gt; 56-bit ciphers should not be used!!\nStrengthening DES against ex. search How do we make DES more expensive to do exhaustive search? More rounds!\nMethod 1: Triple DES. Triple DES is also 3x slower for encryption :(\nThe key-size of 3DES is 3*56 bits = 168 bits but it does not provide 168 bits of security, only 118 bits. -\u0026gt; Meet in the middle attack\nWhy not 2DES For 2DES: exhaustive search is formulated as finding (k_1,k_2) such that E(k_1, E(k_2, M)) = C. A meet-in-the-middle attack is E(k_2, m) = D(k_1,c)\nStep 1: Build table of pairs (k0…kN ; E(k0, M)…E(kN, M)) Step 2: For all k ∈ {0,1}^56: test if D(k,C) is in 2nd column. Step 3: If found, then E(k^i, M) = D(k,c) =\u0026gt; (k^i, k) = (k_2, k_1)\nRunning time = 2 * 2^56 * log 2^56 \u0026lt; 2^63 \u0026laquo; 2^112\nSame attack on 3DES: Time = 2^(118), space = 2^56\nMethod 2: DESX E: K x {0,1}^n -\u0026gt; {0,1}^n a block cipher. EX((k_1,k_2,k_3), m) = k_1 XOR E(k_2, m XOR k_3) key-length = 184 bits. Attack known in 2^120.\nAttacks on the implementation of the block ciphers Side channel attacks Measure time to do enc/dec Measure power for enc/dec Measuring noise, time, power consumption for encryption and decryption. Fault attacks Computing errors in the last round expose the secret key k. 
If you can cause the hardware that decrypts/encrypts to malfunction (e.g. by heating), you might be able to get access to the cipher before the last round of the encryption process, and this can reveal the key. Conclusion on implementation attacks Don’t even implement these primitives yourself! Attacks on block ciphers Linear and differential attacks (Linear cryptanalysis) Given many input/output pairs, can recover key in less time than exhaustive search (2^56 for DES)\nPr[m[i_1] XOR … XOR m[i_r] XOR c[j_1] XOR … XOR c[j_v] = k[l_1] XOR … XOR k[l_u] ] = 1/2 + epsilon For DES, epsilon = 1/(2^(21)) ~= 0.0000000477 because the fifth S-Box is too close to a linear function.\nHow can we attack it to find key bits?\nGiven 1/epsilon^2 random (m, c=DES(k, m) ) pairs then\nk[l_1, … , l_u] = MAJ [ m[i_1 , … , i_r] XOR c[j_1, …,j_v] ] with probability \u0026gt;= 97.7%.\nLinear Attacks\nFor DES, with 2^42 inp/out pairs, you can find k[l_1, …, l_u] in time 2^42. Roughly speaking: you can find 14 = 2 +12(from the 5th S-box) key bits this way in time 2^42. The remaining 56-14=42 bits can then be found by exhaustive search in time 2^42, giving a total attack time of ~= 2^43 (\u0026laquo; 2^56) Lesson: A tiny bit of linearity in S_5 led to a 2^42 time attack! 
NEVER DESIGN YOUR OWN BLOCK CIPHER.\nQuantum attacks If you could build a quantum computer, a generic search problem that would be solved in O( |X| ), can be solved in O( |X|^(1/2) ) whatever the function is.\nThis would cut down the search space: With DES: ~= 2^28, with AES-128 ~= 2^64, which would still be not secure.\nExamples:\nDES = 2^28 AES-128 = 2^64 AES-256 = 2^128 Advanced Encryption Standard (AES) Block Cipher History 1997: NIST publishes request for proposal 1998: 15 submissions (5 claimed attacks) 1999: NIST chooses 5 finalists 2000: NIST chooses Rijndael as AES (designed in Belgium) Key sizes = 128, 192, 256 bits.\nLarger keys: slower encryption but thought to be more secure.\nBlock size = 128 bits\nDesign AES is a substitution-permutation network. In a Feistel network, half of the bits are not changed in every round. In a subs-perm network, all bits are changed on every round.\nAES-128 schematic\nAES operates on 128 bits, a 4x4 matrix, each cell containing a byte. We XOR with the first round key, apply the round function 10 times, and then we get the output. The round keys come from the 16-byte AES key using key expansion.\nOverview of the round function:\nByteSub (Byte substitution): one byte S-Box (256 byte table). We take the current cell as an index into the lookup table, and the value is the output. ShiftRows step: We shift the second row by 1 position, third row by 2 positions and last row by 3 positions. MixColumns: We apply a linear transformation to each of the columns independently. How to use AES If you want to send an implementation over a network, don’t send the precomputed tables; send the algorithm to compute them, and compute them upon receipt.\nAES is implemented in hardware (Intel Westmere):\naesenc, aesenclast: one round of AES. aeskeygenassist: performs AES key expansion. Claim 14 times faster than OpenSSL on same hardware. Attacks on AES Best key recovery attack: four times better than exhaustive search. 128key =\u0026gt; 126 key. 
Related key attack on AES-256: Given 2^99 input/output pairs from four related keys in AES-256, one can recover the keys in time ~2^99. It is therefore important to choose keys at random. Building block ciphers from PRG Can we build a PRF (block cipher) from a PRG?\nLet’s start with a PRG: let G:K -\u0026gt; K^2 be a secure PRG.\nDefine 1-bit PRF (domain is only 1 bit) F:Kx{0,1} -\u0026gt; K as F(k, x in {0,1}) = G(k)[x]\nIf G is a secure PRG, then F is a secure PRF on {0,1}^n =\u0026gt; Not used in expanded mode due to performance reasons.\nThanks to the Luby-Rackoff theorem, we know that we can thus make a secure PRP with a 3-round Feistel network.\nNotes and Review A block cipher maps n bits of input to n bits of output.\nPRF -\u0026gt; function, X -\u0026gt; Y, doesn’t have to be the same. PRP -\u0026gt; One to one invertible function. Domain X=Y. Key concept to build a block cipher.\nAny secure PRP is also a secure PRF if |X| is sufficiently large.\nLemma: Let E be a PRP over (K,X) then for any q-query adversary A:\n|Adv_{PRF} [A,E] - Adv_{PRP} [A,E] | \u0026lt; q^2 / 2|X| When X is large, the ratio will be negligible.\nSo we can say that if E is a secure PRP, it is also a secure PRF. 
From now on, we consider AES or 3DES as secure PRPs.\n","permalink":"https://z-r0crypt.github.io/posts/2020-02-03-crypto-week2-part1/","summary":"Week 2-3: Block ciphers, PRP security, one-time key modes (ECB/DET-CTR), many-time key modes (CBC/CTR), IV/nonce-based encryption.","title":"Cryptography I: Block Ciphers and Modes of Operation"},{"content":"OSWE Exam Preparation This post contains all trainings and tutorials that could be useful for offensive security\u0026rsquo;s OSWE certification.\nExam info: 48-hour practical exam, 7 vulnerable web apps, requires source code review and exploit development\nPrerequisites: OSCP completed, strong Python/JavaScript knowledge | Difficulty: Hard | Pass rate: ~35%\nCourse Syllabus: https://www.offensive-security.com/documentation/awae-syllabus.pdf\nBefore registering for AWAE Lab: Get comfortable with python requests library Read Web Application Hacker\u0026rsquo;s handbook, again if you already did Get familiar with Burpsuite Get familiar with regex Get hands on with OWASP top 10 2017 Vulnerabilities Vulnerable Apps for practice on OWASP Portswigger WebSecAcademy Practice code review skills - OWASP SKF Before registering for the OSWE Exam: XSS to RCE AtMail Email Server Appliance 6.4 - Persistent Cross-Site Scripting Chaining XSS, CSRF to achieve RCE Code analysis to gaining RCE Magento 2.3.1: Unauthenticated Stored XSS to RCE Mybb 18.20 From Stored XSS to RCE Bypassing File Upload Restrictions: [Paper] File Upload Restrictions Bypass Shell the web - Methods of a Ninja Unrestricted File Upload Atlassian Crowd Pre-auth RCE Popcorn machine from HackTheBox Vault machine from HackTheBox Authentication Bypass to RCE ATutor 2.2.1 Authentication Bypass ATutor LMS password_reminder TOCTOU Authentication Bypass ATutor 2.2.1 - Directory Traversal / Remote Code Execution Cubecart Admin Authentication Bypass Trendmicro smart protection bypass to RCE Password Reset Vulnerability Testing Password rest functionalities OWASP - Forgot 
Password Cheatsheet How we hacked multiple user accounts using weak reset tokens for passwords SQL Injection: RCE with SQL Injection - MSSQL SQL Injection to LFI to RCE - MySQL From SQLi to SHELL (I and II) - PentesterLab Pre-Auth Takeover of OXID eShops Blind SQL Injection [Paper] PostgreSQL Injection Having Fun With PostgreSQL Blind Postgresql Sql Injection Tutorial SQL Injection Cheat Sheet - PentestMonkey SQL Injection Cheat Sheet - PayloadAllTheThings Exploiting H2 SQL injection to RCE JavaScript Injection: Server Side JS Injection Remote Code Execution in math.js Arbitrary code execution in fast-redact NVIDIA GeForce Experience OS Command Injection - CVE-2019-5678 SetTimeout and SetInterval use eval therefore are evil Pentesting Node.js Application : Nodejs Application Security NodeJS remote debugging with vscode Escape NodeJS Sandboxes PHP Type Juggling: OWASP - PHPMagicTricks TypeJuggling PHP Type Juggling - Introduction Type Juggling, PHP Object Injection, SQLi Writing Exploits For PHP Type Juggling Type Juggling Authentication Bypass Vulnerability in CMS Made Simple PHP Magic Hashes Detailed Explanation of PHP Type Juggling Vulnerabilities [Video] PHP Type Juggling Vulnerabilities, Netsparker [Video] Falafel machine from HackTheBox Deserialization: Deserialization_Cheat_Sheet\nInsecure deserialization - PayloadAllthethings\n[Paper] Deserialization Vulnerability\nSerialization : A Big Threat\nJAVA Deserialization Understanding \u0026amp; practicing java deserialization exploits Understanding JAVA Deserialization Exploiting blind Java deserialization with Burp and Ysoserial Details on Oracle Web Logic Desrialization Analysis of Weblogic Deserialization [Video] Matthias Kaiser - Exploiting Deserialization Vulnerabilities in Java .NET Deserialization Use of Deserialization in .NET Framework Methods and Classes. 
Exploiting Deserialisation in ASP.NET via ViewState Remote Code Execution via Insecure Deserialization in Telerik UI [Video] Friday the 13th: JSON Attacks - BlackHat [Paper] Are you My Type? [Video] JSON Machine from HackTheBox - Ippsec PHP Object Injection/Deserialization What is PHP Object Injection phpBB 3.2.3: Phar Deserialization to RCE Exploiting PHP Desrialization Analysis of typo3 Deserialization Vulnerability Attack Surface of PHP Deserialization Vulnerability via Phar [Video] Intro to PHP Deserialization / Object Injection - Ippsec [Video] Advanced PHP Deserialization - Phar Files - Ippsec [Video] Exploiting PHP7 unserialize (33c3) NodeJS Deserialization Exploiting Node.js deserialization bug for Remote Code Execution The good, the bad and RCE on NodeJS applications Attacking Deserialization in JS Node.js Deserialization Attack – Detailed Tutorial [Video] Celestial machine from HackTheBox - Ippsec XML External Entity (XXE) Attack A Deep Dive into XXE Injection From XXE to RCE: Pwn2Win CTF 2018 Writeup Blind XXE to RCE Apache Flex BlazeDS XXE Vulnerabilty WebLogic EJBTaglibDescriptor XXE Server Side Template Injection (SSTI) [Portswigger Research] Server Side Template Injection [Video] SSTI : RCE For The Modern Web App - albinowax Server Side Template Injection Jinja2 template injection filter bypasses Exploitation of Server Side Template Injection with Craft CMS plugin SEOmatic \u0026lt;=3.1.3 Websocekts InSecurity Introduction to WebSockets [Video] Hacking with Websocket - BlackHat Remote Hardware takeover via Websocket Hijacking Cross-Site WebSocket Hijacking to full Session Compromise Source Code Audit Introduction to Code Review [PentesterLab] Static code analysis writeups TrendMicro - Secure Coding Dojo Bug Hunting with Static Code Analysis [Video] Shopify Remote Code Execution - Hackerone Finding vulnerabilities in source code ( APS.NET) A deep dive into ASP.NET Deserialization Writeups by mr_me Youtube Playlist 
https://www.youtube.com/watch?v=Xfbu-pQ1tIc\u0026amp;list=PLwvifWoWyqwqkmJ3ieTG6uXUSuid95L33 Further References/Reviews From AWAE to OSWE the preperation guide - hansesecure OSWE Exam Review 2020 Notes gifts inside - 21y4d OSWE Cheat Sheet - V1s3r1on wetw0rk/AWAE-PREP https://codewhitesec.blogspot.com/ https://blog.ripstech.com/ https://rhinosecuritylabs.com ","permalink":"https://z-r0crypt.github.io/posts/2020-01-22-oswe-awae-prep/","summary":"This post contains all trainings and tutorials that could be useful for offensive security\u0026rsquo;s OSWE certification.","title":"OSWE/AWAE Preparation"},{"content":"Prerequisites: Basic assembly knowledge, familiarity with debuggers | Difficulty: Beginner | Time: 3-4 hours per level\nIntroduction In this post I will share my learnings and research work done during the Microcorruption CTF challenge.\nWhat is Microcorruption? It\u0026rsquo;s an embedded security CTF challenge where you are given a debugger and a device (a smart lock). You will be given different levels of challenges to unlock the device, find flags, find code vulnerabilities, memory corruption bugs etc.\nYou\u0026rsquo;ll use the debugger to reverse-engineer the code for each level. You can provide the device with input, then step through the code watching what the device does with that input. You\u0026rsquo;re looking for a specific input that unlocks the device. Maybe that input is the correct passcode. More likely, though, it\u0026rsquo;s something else: an input that exploits a bug in the device\u0026rsquo;s code.\nPre-requisites little knowledge of assembly little knowledge of debuggers knowledge of memory corruption vulnerabilities To start with the CTF one is advised to go through the lock manual provided by the CTF team. The manual provides useful information from an attacker\u0026rsquo;s perspective as well. The first thing you will get to know about the product LockIT Pro is that it is built on the MSP430 microcontroller.\nLet\u0026rsquo;s dive into the first level challenge. 
This level is more like a tutorial than a challenge and that is the reason it is called tutorial level.\nLevel 0: CPUCTF Debugger Tutorial This level is pretty much a walkthrough of the online debugger, assembly and the approach which should be used for further challenges. The level itself is the walkthrough of the first challenge which is to unlock the lockitPro lock so there is no point in explaining the solution in this post. Most of your time is spent on this level getting to know the web based debugger as well as general tips and tricks for moving around.\n4484 \u0026lt;check_password\u0026gt; 4484: 6e4f mov.b @r15, r14 4486: 1f53 inc r15 4488: 1c53 inc r12 448a: 0e93 tst r14 448c: fb23 jnz #0x4484 \u0026lt;check_password+0x0\u0026gt; 448e: 3c90 0900 cmp #0x9, r12 ; password length check 4492: 0224 jeq #0x4498 \u0026lt;check_password+0x14\u0026gt; Once we hit the first instruction in check_password at 0x4484, the first character of the password you entered is loaded into r14 from the memory location pointed to in r15. In next instructions, registers r12 and r15 are incremented. 
This will continue to iterate until a null byte \\0 is reached, at which point the jump at 0x448c is not taken and the cmp becomes the next instruction.\nIf r12 ends up being 0x09 (indicating that our password was 8 characters long followed by a null byte), then the jump at 0x4492 will occur, finally calling the interrupt to unlock the lock.\nThe solution of this level is to provide any 8 character input as password.\n","permalink":"https://z-r0crypt.github.io/posts/2019-11-25-microcorruption-ctf/","summary":"Tutorial-level walkthrough of Microcorruption CTF on MSP430 microcontroller with debugger techniques and vulnerability identification.","title":"Microcorruption CTF Tutorial: Embedded Security Reverse Engineering"},{"content":"Why this matters: Understanding stream cipher internals is critical for OSWE/OSEP and real-world cryptographic implementation review.\nPrerequisites: Basic discrete math, XOR operations | Time: 2-3 hours\nWeek 1. This week\u0026rsquo;s topic is an overview of what cryptography is about as well as our first example ciphers. You will learn about pseudo-randomness and how to use it for encryption. We will also look at a few basic definitions of secure encryption.\nHistory Symmetric ciphers:\nsubstitution ciphers (breaking by entropy attack)\nCaesar cipher (bad substitution cipher because no key (if you know the number of shifts, you win))\nVigenère cipher (have a key that\u0026rsquo;s concatenated as long as there is plaintext, then take CipherText = (key + plaintext mod 26)). 
When we discover the key size, we can thus perform an entropy attack on every letter.\nRotor machines:\nHebern: Rotor-powered substitution table -\u0026gt; statistical attacks Enigma (2^18 keyspace) - broken by cipher text attacks DES (1974, NIST standard)\n2^56 keyspace -\u0026gt; can be bruteforced these days, not to be used anymore blocks size 64 bits Now: AES, SALSA20\nDiscrete Probability Not much new material covered =\u0026gt; See chapter in DS course for more info.\nRandom variable, events, independence, XOR \u0026hellip;\nXOR has the amazing property of always adding entropy, never removing it.\nBirthday paradox when n = 1.2 x U^(1/2) ==\u0026gt; Pr[there exists two similar elements] \u0026gt;= 1/2\nStream ciphers Information theoretic security A cipher is defined over a triple (the key space, message space, cipher space) and provides two functions E and D in such a way that D(k, E(k,m)) = m.\nE is sometimes randomised but D is always deterministic.\nThe Vernam Cipher is a cipher where the key is as long as the message where the cipher text is obtained by E(m,k)=(message XOR key) = cipher text and D(c,k) = c XOR k = message.\nVernam is not useful in practice because if we have a secure channel to send the keys over, we could use that to send the message, so what’s the point of the cipher, right?\nA cipher (E,D) over (K, M, C) has perfect secrecy if for every m_0 and m_1 in M, length of m_0 is equal to the length of m_1 and for every c in C, Pr[E(k,m_0) = c] = Pr[E(k, m_1)=c].\nPerfect secrecy means that there are no cipher text only attacks!\nIf a cipher has perfect secrecy =\u0026gt; |K| \u0026gt;= |M|, the key_length \u0026gt;= message_length.\nStream ciphers Idea: replace random key by pseudorandom key.\nFor the stream ciphers, we introduce a PRG: Pseudo-random generator.\nA PRG is a deterministic function G:{0,1}^s (seed space) -\u0026gt; {0,1}^n, n\u0026gt;\u0026gt;s.\nIn stream ciphers, seed = key and define the following operations.\nE(k,m) := m 
XOR G(k) D(k,c) := c XOR G(k) PRG A PRG must be unpredictable for a stream cipher to be secure.\nWe say G:K -\u0026gt; {0,1}^n is predictable if there exists an efficient algorithm A and there exists an i: 1\u0026lt;i\u0026lt;n-1 such that Pr[A(G(k)|1,…,i) = G(k)|i+1] \u0026gt;= 1/2 + epsilon (for some non-negligible epsilon).\nIn short, a PRG is unpredictable if, for all i, there is no efficient algorithm A that can predict bit i+1 given the prefix of the first i bits.\nNEVER USE Weak PRGs: Linear congruential generators (glibc random).\nNegligible and non-negligible - In practice, epsilon is a scalar such that the event is not likely to happen. In theory, epsilon is non-negligible if there exists d such that epsilon(lambda) \u0026gt;= 1/(lambda^d) infinitely often.\nTL;DR: The function is negligible if it’s less than all polynomial fractions.\nAttacks on OTP / stream ciphers The two time pad is insecure.\nExample:\nc_1 = m_1 XOR PRG(k) c_2 = m_2 XOR PRG(k) If an attacker gets c_1 and c_2, he can perform c_1 XOR c_2 = m_1 XOR m_2\nThe English language (and ASCII encoding) has enough redundancy to find m_1 and m_2.\nVulnerabilities found in Project Venona (1941-1946), MS-PPTP (Windows NT) and WEP where the same pad would be used every 16M frames. Even worse, most Wi-Fi cards do reset their IV back to zero on restart, causing the two time pad to appear way quicker because the IV is concatenated with a long-term identity key.\nIn disk encryption, the issue with the one time pad is malleability. Because OTP does not provide integrity-checking, cipher text could be altered without the user knowing. If you know the difference between two strings, you can XOR that difference onto the cipher text and the change carries through to the decrypted message, all without knowing the key.\nModern broken stream ciphers RC4 (1987) - stream cipher designed to be implemented in software - takes a variable size seed, expands it to a broader number of bits and then generates 1 byte (of pseudorandom) per round. 
Used in HTTPS and WEP.\nWeaknesses: Bias in initial output: e.g. Pr[2nd byte = 0] = 2/256 if seed = 128 bits and expansion to 2048 bits (the first 256 bytes are biased). Pr[(0,0)] becomes larger than it should after a few gigabytes of data. Should not be used anymore. Related key attacks. CSS - Content scrambling system is a stream-cipher used for encrypting DVDs. It’s badly broken. CSS was designed in the 1980’s when exportable encryption was restricted to 40-bit keys. As a result, CSS encrypts movies using a 40-bit secret key. It was designed to be implemented on hardware and based on a mechanism called LFSR (linear feedback shift register), also used for GSM encryption (A5/1,2) and Bluetooth (E0). LFSR-derived stream ciphers are all badly broken but hard to fix because implemented in hardware.\nHow LFSR works:\nWe have a register of n bits. At every clock cycle, we shift the entries of the register to the left, the last bit falls off and the first bit becomes the result of the XOR of all bits of the register of the previous state. Seed = initial state of the register. CSS:\nseed = 5 bytes = 40 bits (because crypto-regulations in the US only allowed exports of crypto using 40 bits keys!) 2 LFSRs (17-bit and 25-bits). The first one is seeded with (1 + first 2 bytes of the key) and the second one is seeded with (1 + last 3 bytes of the key). Each LFSR produces an 8-bit output (in 8 cycles); the two outputs are added mod 256, plus the carry from the previous block. This outputs one byte per round that is then XORed with the byte of the movie we are trying to encrypt. CSS can be broken in 2^17.\nBetter modern stream cipher Better PRGs come from the eStream project (2008). PRG: {0,1}^s x R (nonce) -\u0026gt; {0,1}^n\nA nonce is a non-repeating value for a given key.\nE(k,m,r) = m xor PRG(k,r)\nThe pair (k,r) is never used more than once =\u0026gt; You can reuse the key because the nonce makes the (key, nonce) pair unique.\nLet’s do some Salsa! 
Salsa20 was designed to be easy to implement on both software and hardware. It was part of the eStream project and was submitted by DJB.\nSalsa20: {0,1}^{128 or 256} x {0,1}^64 -\u0026gt; {0,1}^n (max n=2^73)\nSalsa20(k,r) := H(k, (r,0) ) || H(k, (r,1) ) || … How is that function H(k, (r,i) ) defined? k \u0026ndash;\u0026gt; seed; r \u0026ndash;\u0026gt; nonce; i \u0026ndash;\u0026gt; counter\nSalsa20 uses 128 and 256 bits keys.\nFor the 128 version of Salsa20, we start with 64 bytes defined as in this slide. T_0…3 is defined in the Salsa20 specification. You perform 10 rounds of an invertible function h, add all of them word by word, and you get a 64 byte output.\nThere are no significant attacks known on Salsa20. Very fast stream cipher in both software and hardware. In crypto++, RC4 = 126 MB/s and Salsa20=643 MB/s.\nPerformance (cipher: speed in MB/sec): RC4 126, SEAL 375, Salsa20 408, Sosemanuk 727. PRG Security The seed space is really small compared to the universe {0,1}^n. A pseudorandom generator\u0026rsquo;s outputs should look indistinguishable from a uniform distribution on {0,1}^n.\nOne way to test whether a PRG is pseudorandom is to perform statistical tests.\nStatistical Test:\nAn algorithm that is used to distinguish a pseudo-random string G(s) from a truly random string r is called a statistical test. How do we evaluate if a statistical test is good? We define the advantage of a statistical test A over the generator G:\nAdv[A,G] = | Pr[A(G(k))=1 ]- Pr[A(r) =1] | (between 0,1)\nIf the advantage happens to be close to 1 it means that the generator behaved differently from the random distribution. This statistical test can distinguish the generator from random. 
If the advantage is close to 0, A cannot distinguish the generator from random.\nThe test A is said to break the generator if it has an advantage close to 1.\nIf the statistical test always outputs 0, its advantage is 0.\nWe say a PRG is secure if, for all statistical tests A, Adv[A,G] is negligible.\nSo, can we prove it? No, we can’t (it would imply P != NP), but we have heuristic candidates.\nIf PRG is predictable =\u0026gt; PRG is insecure (can be proved easily by using the advantage definition of a secure PRG). If next-bit predictors cannot distinguish G from random then no statistical test can!\nWhat is a secure cipher? We can adapt the definition of perfect secrecy from Shannon with the concept of computational indistinguishability.\nFor every message m_0, m_1 in M: E(k, m_0) is computationally indistinguishable from E(k, m_1).\nA cipher is semantically secure if:\nfor all efficient adversaries A, Adv[A, cipher] is negligible.\n","permalink":"https://z-r0crypt.github.io/posts/2019-11-24-crypto-stanford-week1/","summary":"Week 1 foundations: stream ciphers, PRG security definitions, birthday paradox, attacks on OTP/RC4/CSS, and Salsa20 construction.","title":"Cryptography I: Stream Ciphers, PRGs, and Semantic Security"},{"content":"Background 14+ years in offensive security, red teaming, and exploit development.\nI\u0026rsquo;m a security researcher focused on practical offensive techniques, vulnerability research, and building tools that solve real problems. 
This site documents my work and learning journey.\nProfessional Experience Red Team Leader \u0026amp; Penetration Tester 14+ years designing and executing red team operations Specialized in: Active Directory attacks, post-exploitation, defense evasion Experience with: Fortune 500 organizations, financial institutions Tools built: SSSD-Extract, custom OSINT and exploitation frameworks Current Focus Deepening knowledge in AI/ML security through structured study Exploring emerging attack vectors in enterprise systems Documenting security research for the community Certifications \u0026amp; Credentials Professional certifications demonstrating expertise in offensive security:\nOSCP — Offensive Security Certified Professional . Offensive Security · Earned 2017\nOSCE — Offensive Security Certified Expert . Offensive Security · Earned 2018\nOSWE — Offensive Security Web Expert (AWAE) . Offensive Security · Earned 2023\nOSEP — Offensive Security Experienced Pentester (PEN-300) . Offensive Security · Earned 2024\nCRTO — Certified Red Team Operator . 
Zero Point Security · Earned 2024\nWhy I Write Most security content falls into two categories:\nTutorial-style — How to pass certifications Academic — Peer-reviewed articles with narrow scope This site documents the middle ground: practical offensive security work, techniques that actually work in the lab, and lessons from real-world red teaming.\nI write because:\nClarity through explanation — Teaching forces deep understanding Community contribution — Help others on the same journey Knowledge preservation — Document techniques before they become obsolete Continuous learning — Research + documentation = mastery On This Site Posts — Technical content organized by category:\nRed Team \u0026amp; Post-Exploitation AI Security Web Application Security Cryptography \u0026amp; Encryption CTF Walkthroughs Tools \u0026amp; Utilities Tools — Open-source security tools including SSSD-Extract\nGet in Touch GitHub: z-r0crypt LinkedIn: vbtr Twitter: @zer0crypt Questions, suggestions, or topic requests? Open an issue on GitHub or reach out on LinkedIn.\nLast updated: January 2025\n","permalink":"https://z-r0crypt.github.io/about/","summary":"\u003ch2 id=\"background\"\u003eBackground\u003c/h2\u003e\n\u003cp\u003e14+ years in offensive security, red teaming, and exploit development.\u003c/p\u003e\n\u003cp\u003eI\u0026rsquo;m a security researcher focused on practical offensive techniques, vulnerability research, and building tools that solve real problems. 
This site documents my work and learning journey.\u003c/p\u003e\n\u003chr\u003e\n\u003ch2 id=\"professional-experience\"\u003eProfessional Experience\u003c/h2\u003e\n\u003ch3 id=\"red-team-leader--penetration-tester\"\u003eRed Team Leader \u0026amp; Penetration Tester\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003e14+ years\u003c/strong\u003e designing and executing red team operations\u003c/li\u003e\n\u003cli\u003eSpecialized in: Active Directory attacks, post-exploitation, defense evasion\u003c/li\u003e\n\u003cli\u003eExperience with: Fortune 500 organizations, financial institutions\u003c/li\u003e\n\u003cli\u003eTools built: SSSD-Extract, custom OSINT and exploitation frameworks\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3 id=\"current-focus\"\u003eCurrent Focus\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eDeepening knowledge in AI/ML security through structured study\u003c/li\u003e\n\u003cli\u003eExploring emerging attack vectors in enterprise systems\u003c/li\u003e\n\u003cli\u003eDocumenting security research for the community\u003c/li\u003e\n\u003c/ul\u003e\n\u003chr\u003e\n\u003ch2 id=\"certifications--credentials\"\u003eCertifications \u0026amp; Credentials\u003c/h2\u003e\n\u003cp\u003eProfessional certifications demonstrating expertise in offensive security:\u003c/p\u003e","title":"About"},{"content":"Background 13+ years in offensive security, red teaming, and exploit development.\nI\u0026rsquo;m a security researcher focused on practical offensive techniques, vulnerability research, and building tools that solve real problems. 
This site documents my work and learning journey.\nProfessional Experience Red Team Leader \u0026amp; Penetration Tester 13+ years designing and executing red team operations Specialized in: Active Directory attacks, post-exploitation, defense evasion Experience with: Fortune 500 organizations, government contractors, financial institutions Tools built: SSSD-Extract, custom exploitation frameworks Current Focus Deepening knowledge in AI/ML security through structured study Exploring emerging attack vectors in enterprise systems Documenting security research for the community Certifications \u0026amp; Credentials Professional certifications demonstrating expertise in offensive security:\nOSCP — Penetration Testing with Kali Linux Offensive Security · Earned 2022\nThe industry standard for penetration testing. Demonstrates hands-on skills in reconnaissance, exploitation, privilege escalation, and reporting.\nVerification: View credential on Credly What it covers: Network penetration testing, exploit development, Linux/Windows privilege escalation Relevance: Foundation for all offensive security work OSWE — Advanced Web Application Exploitation (AWAE) Offensive Security · Earned 2023\nAdvanced certification in web application security. Covers source code review, vulnerability research, and advanced exploitation techniques.\nVerification: View credential on Credly What it covers: Code review, web vulnerability research, Python exploitation, advanced burp techniques Relevance: Critical for modern app security testing OSEP — Penetration Testing with Python (PEN-300) Offensive Security · Earned 2024\nThe most advanced Offensive Security certification. 
Focuses on red team operations, evasion, automation, and Python-based exploitation.\nVerification: View credential on Credly What it covers: Adversarial simulation, client-side attacks, C2 development, AD exploitation, AMSI bypass Relevance: Expert-level red teaming capability Technical Skills Languages \u0026amp; Tools:\nBash, Python, PowerShell Metasploit, Burp Suite, Wireshark Active Directory exploitation Exploit development (overflow, heap spray, ROP) Linux/Windows/macOS Methodologies:\nNIST Cybersecurity Framework MITRE ATT\u0026amp;CK Risk-based assessment Red Team Simulation Design Domains:\nNetwork penetration testing Web application security Red team operations Post-exploitation \u0026amp; persistence Defense evasion Cryptography Why I Write Most security content falls into two categories:\nTutorial-style — How to pass certifications Academic — Peer-reviewed papers with narrow scope This site documents the middle ground: practical offensive security work, techniques that actually work in the lab, and lessons from real-world red teaming.\nI write because:\nClarity through explanation — Teaching forces deep understanding Community contribution — Help others on the same journey Knowledge preservation — Document techniques before they become obsolete Continuous learning — Research + documentation = mastery On This Site Start Here — Recommended reading paths by goal (OSCP prep, web security, cryptography, etc.)\nPosts — Technical content organized by category:\nRed Team \u0026amp; Post-Exploitation Web Application Security Cryptography \u0026amp; Encryption CTF Walkthroughs Tools \u0026amp; Utilities Tools — Open-source security tools including SSSD-Extract\nGet in Touch GitHub: z-r0crypt LinkedIn: vbtr Twitter: @zer0crypt Questions, suggestions, or topic requests? 
Open an issue on GitHub or reach out on LinkedIn.\nLast updated: January 2025\n","permalink":"https://z-r0crypt.github.io/aboutme/","summary":"\u003ch2 id=\"background\"\u003eBackground\u003c/h2\u003e\n\u003cp\u003e13+ years in offensive security, red teaming, and exploit development.\u003c/p\u003e\n\u003cp\u003eI\u0026rsquo;m a security researcher focused on practical offensive techniques, vulnerability research, and building tools that solve real problems. This site documents my work and learning journey.\u003c/p\u003e\n\u003chr\u003e\n\u003ch2 id=\"professional-experience\"\u003eProfessional Experience\u003c/h2\u003e\n\u003ch3 id=\"red-team-leader--penetration-tester\"\u003eRed Team Leader \u0026amp; Penetration Tester\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003e13+ years\u003c/strong\u003e designing and executing red team operations\u003c/li\u003e\n\u003cli\u003eSpecialized in: Active Directory attacks, post-exploitation, defense evasion\u003c/li\u003e\n\u003cli\u003eExperience with: Fortune 500 organizations, government contractors, financial institutions\u003c/li\u003e\n\u003cli\u003eTools built: SSSD-Extract, custom exploitation frameworks\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3 id=\"current-focus\"\u003eCurrent Focus\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eDeepening knowledge in AI/ML security through structured study\u003c/li\u003e\n\u003cli\u003eExploring emerging attack vectors in enterprise systems\u003c/li\u003e\n\u003cli\u003eDocumenting security research for the community\u003c/li\u003e\n\u003c/ul\u003e\n\u003chr\u003e\n\u003ch2 id=\"certifications--credentials\"\u003eCertifications \u0026amp; Credentials\u003c/h2\u003e\n\u003cp\u003eProfessional certifications demonstrating expertise in offensive security:\u003c/p\u003e","title":"About"},{"content":"Red Team Program Development Building secure systems requires understanding how attackers think. 
This section covers:\nProgram Design — Building risk-based adversary simulation programs Team Structure — Scaling from penetration testers to red team leaders Stakeholder Management — Communicating findings to executives Operational Security — Running invasive assessments safely Coming soon.\nTopics in Development:\nBuilding a Risk-Based Adversary Simulation Program Managing Stakeholders During Invasive Operations Transitioning from Pentester to Red Team Lead ","permalink":"https://z-r0crypt.github.io/leadership/","summary":"\u003ch2 id=\"red-team-program-development\"\u003eRed Team Program Development\u003c/h2\u003e\n\u003cp\u003eBuilding secure systems requires understanding how attackers think. This section covers:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eProgram Design\u003c/strong\u003e — Building risk-based adversary simulation programs\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTeam Structure\u003c/strong\u003e — Scaling from penetration testers to red team leaders\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eStakeholder Management\u003c/strong\u003e — Communicating findings to executives\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eOperational Security\u003c/strong\u003e — Running invasive assessments safely\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eComing soon.\u003c/p\u003e\n\u003chr\u003e\n\u003cp\u003e\u003cstrong\u003eTopics in Development:\u003c/strong\u003e\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eBuilding a Risk-Based Adversary Simulation Program\u003c/li\u003e\n\u003cli\u003eManaging Stakeholders During Invasive Operations\u003c/li\u003e\n\u003cli\u003eTransitioning from Pentester to Red Team Lead\u003c/li\u003e\n\u003c/ul\u003e","title":"Leadership \u0026 Program Design"},{"content":"All Research Posts {{ range (where site.RegularPages \"Type\" \"posts\") }}\n[{{ .Title }}]({{ .Permalink }}) — {{ .PublishDate.Format \"January 2006\" }} {{ end }} 
","permalink":"https://z-r0crypt.github.io/research-archive/","summary":"\u003ch2 id=\"all-research-posts\"\u003eAll Research Posts\u003c/h2\u003e\n\u003cp\u003e{{ range (where site.RegularPages \u0026ldquo;Type\u0026rdquo; \u0026ldquo;posts\u0026rdquo;) }}\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e[{{ .Title }}]({{ .Permalink }}) — {{ .PublishDate.Format \u0026ldquo;January 2006\u0026rdquo; }}\n{{ end }}\u003c/li\u003e\n\u003c/ul\u003e","title":"Research Archive"},{"content":"Welcome to z-r0crypt Not sure where to begin? This page guides you to the most relevant content based on your interests.\nI’m Preparing for OSCP (PEN-200) Best starting point: Foundation building, Linux privilege escalation, network penetration testing\nRecommended reading order:\nCryptography Fundamentals\nCryptography I - Week 1 Cryptography I - Week 2 Part 1 Why: OSCP includes network security fundamentals Linux Post-Exploitation\nSSSD-Extract Tool Why: Active Directory on Linux is a real attack vector Methodology \u0026 Planning\nHTB Machines for OSEP Preparation (applies to OSCP too) Why: Understand structured approach to penetration testing Estimated time: 2-3 hours reading + practice labs\nI’m Preparing for OSWE (Web-300) Best starting point: Web application security, exploit development, code review\nRecommended reading order:\nWeb Security Fundamentals\nDangerous PHP Functions Why: Understanding dangerous patterns in code OSWE/AWAE Preparation Guide\nOSWE/AWAE Preparation Why: Comprehensive exam prep reference Advanced Concepts\nCryptography I - Week 2 Part 2 Why: Understanding encryption modes for web security Estimated time: 3-4 hours reading + hands-on AWAE lab\nI’m Preparing for OSEP (PEN-300) Best starting point: Red teaming, advanced exploitation, active directory attacks\nRecommended reading order:\nStart with the Curated List\nHTB Machines for OSEP Preparation Why: This directly maps HTB machines to PEN-300 topics Tool 
Development\nSSSD-Extract Tool Why: Understanding practical exploitation tool building Cryptography Deep Dive\nCryptography I Series Why: OSEP includes cryptographic attacks Estimated time: 4-5 hours reading + HTB practice\nI’m Interested in Web Application Security Best starting point: Understanding vulnerabilities, code review, exploitation techniques\nRecommended reading order:\nUnderstanding Dangerous Patterns\nDangerous PHP Functions OSWE Preparation (Advanced)\nOSWE/AWAE Preparation Related Posts in Category\nView all Web Security posts I’m Interested in Cryptography Best starting point: Cryptography theory, practical applications, attacks\nRecommended reading order:\nStart with Fundamentals\nCryptography I - Week 1 Cryptography I - Week 2 Part 1 Advanced Topics\nCryptography I - Week 2 Part 2 Explore More\nView all Cryptography posts Why read these? Stanford’s Cryptography I course by Dan Boneh is industry-leading. These notes summarize the essentials and explain practical implications.\nI’m Learning to Reverse Engineer \u0026 Exploit Best starting point: Assembly, binary exploitation, CTF challenges\nRecommended reading order:\nGet Hands-On with Challenges\nMicrocorruption CTF Tutorial Why: Learn by doing in a safe environment Complement with Theory\nDangerous PHP Functions Cryptography fundamentals I’m Interested in Red Teaming \u0026 Post-Exploitation Best starting point: Tool development, practical techniques, attack chains\nRecommended reading order:\nPractical Tool Deep-Dive\nSSSD-Extract Tool Attack Chain Planning\nHTB Machines for OSEP Preparation Explore More\nView all Red Team posts I Want a Full Reading Path Complete learning journey (in order):\nFoundations (2 weeks)\nCryptography I - Week 1 Cryptography I - Week 2 Part 1 Dangerous PHP Functions Intermediate (2 weeks)\nCryptography I - Week 2 Part 2 OSWE/AWAE Preparation SSSD-Extract Tool Hands-On (ongoing)\nMicrocorruption CTF 
Tutorial (practice) HTB Machines for OSEP (practice with real machines) Advanced (as you progress)\nAll Red Team posts All Web Security posts All Posts by Category Red Team — Penetration testing, post-exploitation, adversarial techniques Web Security — Web application exploitation and defense Cryptography — Cryptographic theory and attacks Exploit Development — Building and understanding exploits CTF — Capture the flag walkthroughs and techniques Tools — Open-source security tools and utilities How to Use This Site Browse by category — Find content related to your specific interest Read the posts — Each post is self-contained and thoroughly researched Follow the recommendations above — If you’re prepping for a cert, follow the reading path Explore tags — Click tags to find related content across posts Check back regularly — New posts are added regularly covering emerging topics Questions? Found an error? Have a topic suggestion? Want to discuss something?\nOpen an issue on GitHub Reach out on LinkedIn Follow updates on Twitter Happy learning!\n","permalink":"https://z-r0crypt.github.io/start-here/","summary":"\u003ch2 id=\"welcome-to-z-r0crypt\"\u003eWelcome to z-r0crypt\u003c/h2\u003e\n\u003cp\u003eNot sure where to begin? 
This page guides you to the most relevant content based on your interests.\u003c/p\u003e\n\u003chr\u003e\n\u003ch2 id=\"im-preparing-for-oscp-pen-200\"\u003eI\u0026rsquo;m Preparing for OSCP (PEN-200)\u003c/h2\u003e\n\u003cp\u003e\u003cstrong\u003eBest starting point:\u003c/strong\u003e Foundation building, Linux privilege escalation, network penetration testing\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eRecommended reading order:\u003c/strong\u003e\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\n\u003cp\u003e\u003cstrong\u003eCryptography Fundamentals\u003c/strong\u003e\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"/posts/2019-11-24-crypto-stanford-week1/\"\u003eCryptography I - Week 1\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"/posts/2020-02-03-crypto-week2-part1/\"\u003eCryptography I - Week 2 Part 1\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eWhy: OSCP includes network security fundamentals\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003e\u003cstrong\u003eLinux Post-Exploitation\u003c/strong\u003e\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"/posts/2023-08-20-sssd-extract-v2/\"\u003eSSSD-Extract Tool\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eWhy: Active Directory on Linux is a real attack vector\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003e\u003cstrong\u003eMethodology \u0026amp; Planning\u003c/strong\u003e\u003c/p\u003e","title":"Start Here"}]