- goto-zero: An extended intro to solving stack overflow CTF challenges
- BSidesSF 2024 Writeups: Turing Complete (Reversing / exploitation)
- BSidesSF 2024 Writeups: Slay the Spider (A hard heap-overflow)
- BSidesSF 2024 Writeups: Safer Streets (Web / reversing)
- BSidesSF 2024 Writeups: No Tools (A puzzling Bash challenge)
- BSidesSF 2024 Writeups: Can't Give In (CGI exploitation)
- How-to: Reversing and debugging ISAPI modules
- Fork off: Three ways to deal with forking processes
- Reverse engineering tricks: identifying opaque network protocols
- BSidesSF 2023 Writeups: too-latte (medium-difficulty Java exploitation)
- BSidesSF 2023 Writeups: ROP Petting Zoo (educational challenge!)
- BSidesSF 2023 Writeups: overflow (simple stack-overflow challenge)
- BSidesSF 2023 Writeups: id-me (easy file identification challenge)
- BSidesSF 2023 Writeups: Get Out (difficult reverse engineering + exploitation)
- BSidesSF 2023 Writeups: Flat White (simpler Java reversing)
- Blast from the Past: How Attackers Compromised Zimbra With a Patched Vulnerability
- GDB Tricks: Tricking the Application into Generating Test Data
- BSidesSF 2022 Writeups: Miscellaneous Challenges (loca, reallyprettymundane)
- BSidesSF 2022 Writeups: Game-y Challenges (Turtle, Guessme)
- BSidesSF 2022 Writeups: Apache Challenges (mod_ctfauth, refresh)
- BSidesSF 2022 Writeups: Tutorial Challenges (Shurdles, Loadit, Polyglot, NFT)
- BSidesSF CTF 2021 Author writeup: log-em-all, a Pokemon-style collection game [video]
- BSidesSF CTF 2021 Author writeup: glitter-printer, a buffer underflow where you modify the actual code
- BSidesSF CTF 2021 Author writeup: secure-asset-manager, a reversing challenge similar to Battle.net bot dev
- BSidesSF CTF 2021 Author writeup: Hangman Battle Royale, where you defeat 1023 AI players!
- BSidesSF CTF 2021 Author writeup: Reverseme and Reverseme2 – simpler reverse engineering challenges
- BSidesSF CTF 2021 Author writeup / shellcode primer: Runme, Runme2, and Runme3
- BSidesSF CTF: Choose your own keyventure: rsa-debugger challenge!
- BSidesSF CTF: Hard reversing challenge: Chameleon
- BSidesSF CTF: Easy to hard Rust reversing challenges
- BSidesSF CTF: Difficult reverse engineering challenge: Gman
- How do I start picking locks?
- In BSidesSF CTF, calc.exe exploits you! (Author writeup of launchcode)
- Some crypto challenges: Author writeup from BSidesSF CTF
- BSidesSF CTF author writeup: genius
- Technical Rundown of WebExec
- Solving b-64-b-tuff: writing base64 and alphanumeric shellcode
- Book review: The Car Hacker’s Handbook
- BSidesSF CTF wrap-up
- Going the other way with padding oracles: Encrypting arbitrary data!
- dnscat2 0.05: with tunnels!
- SANS Hackfest writeup: Hackers of Gravity
- dnscat2: now with crypto!
- Why DNS is awesome and why you should love it
- How I nearly almost saved the Internet, starring afl-fuzz and dnsmasq
- Defcon quals: wwtw (a series of vulns)
- Defcon Quals: babyecho (format string vulns in gory detail)
- Defcon Quals: Access Control (simple reverse engineer)
- Defcon Quals: r0pbaby (simple 64-bit ROP)
- dnscat2 beta release!
- GitS 2015: Huffy (huffman-encoded shellcode)
- GitS 2015: Giggles (off-by-one virtual machine)
- GitS 2015: aart.php (race condition)
- GitS 2015: knockers.py (hash extension vulnerability)
- Call for help: researching the recent gmail password leak
- Opening the mysterious hatch of mystery
- Defcon Quals writeup for byhd (reversing a Huffman Tree)
- Defcon Quals writeup for Shitsco (use-after-free vuln)
- PlaidCTF writeup for Pwn-275 – Kappa (type confusion vuln)
- PlaidCTF writeup for Web-100 – PolygonShifter (blind sql injection)
- PlaidCTF writeup for Pwn-200 (a simple overflow bug)
- PlaidCTF writeup for Web-300 – whatscat (SQL Injection via DNS)
- PlaidCTF writeup for Web-200 – kpop (bad deserialization)
- PlaidCTF writeup for Web-150 – mtpox (hash extension attack)
- Ghost in the Shellcode: fuzzy (Pwnage 301)
- Ghost in the Shellcode: gitsmsg (Pwnage 299)
- Ghost in the Shellcode: TI-1337 (Pwnable 100)
- In-depth malware: Unpacking the ‘lcmw’ Trojan
- BSides Winnipeg Wrap-up
- ropasaurusrex: a primer on return-oriented programming
- Epic “cnot” Writeup (highest value level from PlaidCTF)
- A padding oracle example
- Padding oracle attacks: in depth
- What’s going on with SkullSpace (our hackerspace)?
- Everything you need to know about hash length extension attacks
- Using “Git Clone” to get Pwn3D
- Battle.net authentication misconceptions
- Remote control manager FAIL
- A deeper look at ms11-058
- Locks that can re-key themselves?
- (Mostly) good password resets
- Hacking crappy password resets (part 2)
- Hacking crappy password resets (part 1)
- Ethics of password cracking/dissemination
- Watch out for exim!
- Faking demos for fun and profit
- A call to arms! Web app fingerprints needed!
- Update on my life, conferences, career, etc
- Finding Mapped Drives with Meterpreter
- Followup to my Facebook research
- Return of the Facebook Snatchers
- Information Security For College Students
- Call for testers: nbtool-0.05 and dnscat-0.05
- Five Relays and a Patch
- Defeating expensive lockdowns with cheap shellscripts
- Metasploit Express Beta – First Look
- Confidential Information in the Cloud
- Stuffing Javascript into DNS names
- Determine Windows version from offline image
- Exotic XSS: The HTML Image Tag
- Nmap script to generate custom license plates
- Comments should work again!
- Taking apart the Energizer trojan – Part 4: writing a probe
- Taking apart the Energizer trojan – Part 3: disassembling
- Taking apart the Energizer trojan – Part 2: runtime analysis
- Taking apart the Energizer trojan – Part 1: setup
- Are you a “Real” hacker or just a skiddie?
- Weaponizing dnscat with shellcode and Metasploit
- robots.txt: important if you’re hosting passwords
- The ultimate faceoff between password lists
- Trusting the Browser (a ckeditor short story)
- Using Nmap to detect the Arucer (ie, Energizer) Trojan
- Hard evidence that people suck at passwords
- How big is the ideal dick…tionary?
- DNS Backdoors with dnscat
- Site changes
- Watch out for evil SMB servers: MS10-006
- How-to: install an Nmap script
- VM Stealing: The Nmap way (CVE-2009-3733 exploit)
- Why settle for (stealing) one password?
- smb-psexec.nse: owning Windows, fast (Part 3)
- Who’s going to Shmoocon?
- smb-psexec.nse: owning Windows, fast (Part 2)
- smb-psexec.nse: owning Windows, fast (Part 1)
- Pwning hotel guests
- Toorcon Slides
- Nmap script: enumerating iSCSI devices
- Toorcon coming up!
- Updated: Scanning for Microsoft FTP with Nmap
- Zombie Web servers: are you one?
- Scorched earth: Finding vulnerable SMBv2 systems with Nmap
- Random picture: Traffic control box
- Scanning for Microsoft FTP with Nmap
- Nmap 5.00 released — lots of new features!
- Two locks, one bike?
- My SANS Gold Paper: Nmap SMB Scripts
- nbstat.nse: just like nbtscan
- WebDAV Detection, Vulnerability Checking and Exploitation
- WebDAV Scanning with Nmap
- Bypassing AV over the Internet with Metasploit
- Nmap 4.85beta9 released
- Scanning for Conficker’s peer to peer
- Updated Conficker detection
- Using PsTools in a pentest
- Scanning for Conficker with Nmap
- Bruteforcing Windows over SMB: Tips and Tricks
- How Pwdump6 works, and how Nmap can do it
- More password dictionaries
- Password dictionaries
- How NOT to do CAPTCHAs
- Getting HKEY_PERFORMANCE_DATA
- ms08-068 — Preventing SMBRelay Attacks
- Calling RPC functions over SMB
- Matching passwords
- What does Windows tell its guests?
- What time IS it?
- My Scripting Experience with Nmap
- NTLMv2, as promised, plus some random SMB stuff!
- LANMAN and NTLM: Not as complex as you think!
- ANDX… and what?
- nbtool 0.02 released! (also, a primer on NetBIOS)