Systems itineraries

Basic Linux exploits

• Stack operations and function-calling procedures

• Buffer overflows

• Local buffer overflow exploits

• Exploit development process

Advanced Linux exploits

• Bypassing non-executable stack (NX) with return-oriented programming (ROP)

• Defeating stack canaries

• Address space layout randomization (ASLR) bypass with an information leak

• Position Independent Executable (PIE) bypass with an information leak

Linux kernel exploits

• Return-to-user (ret2usr)

• Defeating Stack Canaries

• Bypassing Supervisor Mode Execution Protection (SMEP) and Kernel Page-Table Isolation (KPTI)

• Bypassing Supervisor Mode Access Prevention (SMAP)

• Defeating kernel address space layout randomization (KASLR)

Basic Windows exploitation

• Compiling and debugging Windows programs

• Writing Windows exploits

• Understanding Structured Exception Handling (SEH)

• Understanding and bypassing basic exploit mitigations such as SafeSEH

• Return-oriented programming (ROP)

Windows kernel exploitation

• The Windows kernel

• Kernel drivers

• Kernel debugging

• Kernel exploitation

• Token stealing

PowerShell exploitation

• Loading PowerShell scripts

• Creating shells with PowerShell

• PowerShell post-exploitation

Getting shells without exploits

• Capturing password hashes

• Using Winexe

• Using WMI

• Taking advantage of WinRM

Post-exploitation in modern Windows environments

• User recon

• System recon

• Domain recon

• Local privilege escalation

• Active Directory privilege escalation

• Active Directory persistence

Next-generation patch exploitation

• Application and patch diffing

• Binary diffing tools

• Patch management process

• Real-world diffing