Exploit Development for Beginners

New Scores

WASTC in Aptos, CA, June 2018
CCC June 2018

Workshop Description

Participants will hack into a series of vulnerable servers and get onto Winners boards. Challenges 1-9 require nothing but a Web browser, Java, and Burp, so you can use any OS. The later challenges use two virtual machines: a 32-bit Kali Linux machine and a Windows machine.

Equipment Students Will Need to Bring

Participants need a computer that run a Web browser and Java, for challenges 1-9. The later challeges require two virtual machines as detailed below.


Command Injection (Easy)

0. Essential Linux30
1. Ping Form10
2. Buffer Overflow20
3. ImageMagick30

Web Exploits (Intermediate)

4 & 5.  SQL Injection80
6. Client‑Side Validation30
7. SAML Forgery15
8. Blind Injection60
9. Logic10
21. Drupal Command Injection15

Preparing Virtual Machines (Intermediate)

19. Kali Virtual Machine 15
20. Windows 2008 Server Virtual Machine 20

Binary Exploits with Metasploit (Intermediate)

10. Armitage 15
11. Metasploit 15
12. Mimikatz 15

Binary Exploits (Hard)

13. Linux Buffer Overflow Without Shellcode
Essential gdb Commands
14. Linux Buffer Overflow Without Shellcode Challenges 25
15. Linux Buffer Overflow With Shellcode 20
16. Remote Linux Buffer Overflow With Listening Shell 20
17. Exploiting "Vulnerable Server" on Windows 25
18. Exploiting a Race Condition (10 pts.) 10

Virtual Machines

You need three things:

1. Hypervisor Software (any of these)

2. 32-bit Kali Linux

3. Windows Server 2008

Other Projects

Basic SQL

CodeCademy SQL Lesson

SQL Injection Attack and Defense

Installing SQLol
SQLi: Attacking with Havij and Defending with Input Filtering
Exploiting SQLi with sqlmap
Fixing MySQL with Parameterized Queries

Games and Cybercompetitions

Password Guessing Games
Bandit Challenges

Update scoreboard manually

Updated 4-7-18 3:56 am
Links fixed 5:58 pm 4-7-18
Updates for CircleCityCon begun 5-25-18
"Hard" section added 5-30-18
Updated to avoid /tmp and cron 5-31-18
Scores from CCC 2018 added 6-4-18
Books added 6-9-18
0 added 6-13-18
Preparing VMs projects added 6-14-18
Scores from WASTC in Aptos added 6-18-18
Changed from Win 2016 to 2008 6-20-18
21: Drupal added 6-21-18
Shellcoder's Handbook image added 6-21-18
gdb commands link added 6-21-18